Verified Commit 33512d62 authored by Tim Schubert's avatar Tim Schubert

move admin config to TOML file

parent a440564d
[y0067212]
shell = "zsh"
keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdKj2QHaSqI36pT+kEIjJV017jC71oyJS9gtqeXzh1i y0067212 <y0067212@tu-bs.de>" ]
[y0067179]
shell = "bash"
keys = [ "ssh-rsa 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 y0067179@tu-bs.de" ]
[y0083094]
shell = "bash"
keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCjw+wt9Zb0u8i5qRmDgiLrfIaBkg+mupB6JojJNWchyT6sWAKM+/P8aig+IpdO0vgZBT7IN5PefceaOG2RO3uK/qHPJTgNZGKNRZH3Ggz6iZ85pNF8WwS4fWjOg//odleeP+N+b6UivP81ZpT3CE9icgFwDIHz6oGiXCFY0y5/NpTi4G7J188/rvXRW8/zkn2mFPJBLfF50KhTo7sFV7OdoL0AreE/3XRCUTwVuSJf44z9ootdioWPa7Gw7tSXRdy7yShedhTvDh8ifwOGX9FKMvnJZTjJcjyoRljj0aR90xsxV8M+ujpep6qlHmfdWW4x6yW4fZKuUuzeYc5ty2d/YhhvIm+zCHdQUHYsQenai38cACx//2Vfqwkzzm1FFo1/JYGj2EZDR2/DQSiDaoxL3vHA8OGBbzPi6/S1Ogb1ZnIBE70XuhHkNwNfF9yOrIfstHCSq5uYdCmuyu4OLnkI0MaqBD13VgUowjQV2uGvAN97t1t0sIzwsIqZlTl+PrjnHFdHU/zPTMuzm0rR93l6fRUyUFEXZ/sVZeMK62trZ5L9NthnO6Z+1S3B/K+xGZY9YTlSchQ8hBq0kMctQT5JAt4TBhQ46s4xSKXLlNvFcucE9Wx4AsavAKoTXJdt32FyxmIgn9lycpm8mz414WRP1UoDgbYU7bv19ukaXI5+w== y0083094@tu-bs.de" ]
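Review bot: The file carries no comment describing its schema, so a reader of the TOML alone cannot tell that every table name becomes a login that receives `wheel` membership, passwordless sudo and Nix trusted-user status on every host that enables the admin module, nor that `shell` only accepts `bash`, `zsh` or `fish`. A header would make the privilege implication explicit, e.g. `# One table per admin login. shell = "bash" | "zsh" | "fish"; keys = list of full SSH public-key lines (at least one).` followed by `# Every entry gets wheel + passwordless sudo + nix trusted-user and may be used as an agenix recipient — review changes as a privileged change.` The second user's key is redacted in this view, so only the first and third entries can be checked against that format.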
......@@ -63,6 +63,7 @@
nixosConfigurations = import ./nixos/configurations.nix {
nixosSystem = nixpkgs.lib.nixosSystem;
fginfo-keys = import ./keys.nix;
fginfo-admins = builtins.fromTOML (builtins.readFile ./Admins.toml);
secretsPath = ./secrets;
inherit self nixpkgs dadada nixos-generators agenix;
};
......
......@@ -5,6 +5,7 @@
, nixosSystem
, nixos-generators
, fginfo-keys
, fginfo-admins
, secretsPath
, ...
}:
......@@ -13,7 +14,7 @@ let
in {
fginfo = nixosSystem rec {
system = "x86_64-linux";
specialArgs = { inherit self secretsPath system fginfo-keys; };
specialArgs = { inherit self secretsPath system fginfo-keys fginfo-admins; };
modules = (lib.attrValues self.nixosModules) ++ [
{
nixpkgs.overlays = [ self.overlays.dokuwiki ];
......@@ -27,8 +28,9 @@ in {
fginfo-installer = nixosSystem rec {
system = "x86_64-linux";
specialArgs = { inherit self system fginfo-keys; };
specialArgs = { inherit self system fginfo-keys fginfo-admins; };
modules = [
self.nixosModules.admin
self.nixosModules.profile-fginfo
nixos-generators.nixosModules.install-iso
];
......@@ -36,7 +38,7 @@ in {
zion = nixosSystem rec {
system = "x86_64-linux";
specialArgs = { inherit self secretsPath system fginfo-keys ; };
specialArgs = { inherit self secretsPath system fginfo-keys fginfo-admins; };
modules = (lib.attrValues self.nixosModules) ++ [
agenix.nixosModule
dadada.nixosModules.backup
......
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.fginfo.admin;
shells = {
"bash" = pkgs.bashInteractive;
"zsh" = pkgs.zsh;
"fish" = pkgs.fish;
};
shellNames = builtins.attrNames shells;
extraGroups = [ "wheel" ];
adminOpts = { name, config, ... }: {
options = {
keys = mkOption {
type = types.listOf types.str;
default = [];
apply = x: assert (builtins.length x > 0 || abort "Please specify at least one key to be able to log in"); x;
description = ''
The keys that should be able to access the account.
'';
};
shell = mkOption {
type = types.nullOr types.str;
apply = x: assert (builtins.elem x shellNames || abort "Please specify one of ${builtins.toString shellNames}"); x;
default = "bash";
defaultText = literalExpression "bash";
example = literalExpression "bash";
description = ''
One of ${builtins.toString shellNames}
'';
};
};
};
in
{
options = {
fginfo.admin = {
enable = mkEnableOption "Enable admin access";
users = mkOption {
type = with types; attrsOf (submodule adminOpts);
default = { };
description = ''
Admin user configuration
'';
example = literalExample "\"dadada\" = { shell = \"zsh\"; keys = [ ]; }";
};
};
};
config = mkIf cfg.enable {
services.sshd.enable = true;
services.openssh.passwordAuthentication = false;
services.openssh.openFirewall = true;
security.sudo.wheelNeedsPassword = false;
programs.zsh.enable = true;
# Trust closures that are copied to the store by admin users
nix.trustedUsers = builtins.attrNames cfg.users;
users.users = mapAttrs (user: keys: ({
shell = shells."${keys.shell}";
extraGroups = extraGroups;
isNormalUser = true;
openssh.authorizedKeys.keys = keys.keys;
})) cfg.users;
users.mutableUsers = mkDefault false;
environment.systemPackages = with pkgs; [
vim
tmux
];
};
}
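Review bot: The `shell` option is typed `types.nullOr types.str` but the `apply` hook aborts on anything outside `shellNames`, including the `null` the type advertises, so the declared type does not match the accepted domain and a bad value surfaces as a bare `abort` with no option location; `type = types.enum shellNames;` encodes the real domain, produces a located error and makes the `apply` line redundant. The `example` on `users` uses the deprecated `literalExample` while the `shell` option already uses `literalExpression`, and the quoted text (`"dadada" = { ...; }` without enclosing braces, `keys = [ ]` which the nonempty assertion rejects) is not a valid value; `example = literalExpression "{ dadada = { shell = \"zsh\"; keys = [ \"ssh-ed25519 ...\" ]; }; }";` would be both current and copy-pasteable. The lambda parameter in `mapAttrs (user: keys: ...)` is the whole per-user submodule, not a key list, so naming it `opts` (and reading `opts.shell` / `opts.keys`) would read more honestly. On the `nix.trustedUsers` line I would extend the comment to state the consequence: `# trusted-users is root-equivalent (can push arbitrary store paths); acceptable here only because these users already have passwordless sudo`, and note that `nix.trustedUsers` is a legacy alias of `nix.settings.trusted-users` on newer nixpkgs, if this flake tracks a recent channel.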
{
admin = import ./admin.nix;
gitea = import ./gitea;
gitlab = import ./gitlab;
profile-fginfo = import ./profiles/fginfo.nix;
......
......@@ -4,6 +4,7 @@
, lib
, system
, fginfo-keys
, fginfo-admins
, ... }:
let
mapAttrs = lib.mapAttrs;
......@@ -11,6 +12,11 @@ let
keys = fginfo-keys;
in
{
fginfo.admin = {
enable = true;
users = fginfo-admins;
};
nix = {
extraOptions = ''
experimental-features = nix-command flakes
......@@ -37,25 +43,6 @@ in
allowPing = true;
};
services.sshd.enable = true;
services.openssh.passwordAuthentication = false;
security.sudo.wheelNeedsPassword = false;
users.users = mapAttrs (user: keys: ({
extraGroups = [
"wheel"
"libvirtd"
];
isNormalUser = true;
openssh.authorizedKeys.keys = keys;
})) {
"y0067179" = [ keys.y0067179 ];
"y0067212" = [ keys.y0067212 ];
"y0083094" = [ keys.y0083094 ];
};
users.mutableUsers = mkDefault false;
environment.noXlibs = mkDefault true;
documentation.enable = mkDefault false;
documentation.nixos.enable = mkDefault false;
......
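Review bot: The removed `users.users` block granted admins both `wheel` and `libvirtd`, but the replacement `fginfo.admin` module (defined in admin.nix) only adds `wheel`, so admins on this profile lose `libvirtd` group membership unless that is intended; if libvirt is still enabled on fginfo, either re-add `users.users.<name>.extraGroups = [ "libvirtd" ]` here or give the admin module an `extraGroups` option. The hunk also newly grants `nix.trustedUsers` to every admin via the module, which the old profile did not — a privilege widening worth a line in the commit message. With the old block gone, the `mapAttrs = lib.mapAttrs;` and `keys = fginfo-keys;` bindings in the `let` above appear unused in this file (hedged — the file is only partly visible) and can probably be dropped.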
age-encryption.org/v1
-> ssh-ed25519 YCDJ8w dg83CtkNIo/Uw9mzO2jn432oR7dvPWXGwg+CWKvVzWM
/cJBpYyVXdpTDFnBf/WoqtzG5y4qvZhzteOa+w2pQa4
-> ssh-ed25519 cIlzfQ wMKYefGdSYgfOqwrFwBPci+Uiws3C3VDr0UBEf6xo2s
HvMdyXtmsWKdCgpT9dMstK0yCPIpj7VAj7JMmpYCTWw
-> W#+uh-grease o07|P_Z (%;v
yN5CpsrE40chPGx/l17AXuT5v6wJ3YMQxG48b+ow1CZ4GEG/9ifhiN0C05TdFu+h
GmY1BtP8f+4oFStAJMd/l3x/Z1pZ8wbEJBtd0XVAJVE
--- iJ0FP0Soo8RmgvxVq+6mnqFsphTo/vNTPxI1oUrLY9Q
kfpBQjT:'7dek
PjKy
\ No newline at end of file
-> ssh-ed25519 cIlzfQ 3C541bsAOk7Uu1MzFZAuxA59J/rAm8Z6cLpLhSmnVmI
lQsjx7x1y445Lwtn7JtABrzGHtE1Kvglfr+QqvSu7KI
-> ssh-ed25519 YCDJ8w X+DrXxqLt23Ff2uqFGUw82bvtMkRSGqWwDWel3sZuQQ
NMAWaFqYExWVp0b7cAfkDidzzw1K9x9KQ/vVhJ289Po
-> 8z<<9L0-grease *8 ],c(3
mnTjuoNn1g0
--- 7uo/FhRdlQ+TPHzMiqVSBbMa6qMct/qMOsPBiNwduKc
Qk~g
+Bԕ~@ycn+|L7Z-H{S- ש{7R
\ No newline at end of file
let
# Admin SSH keys
fginfo-keys = import ../keys.nix;
fginfo-admins = builtins.fromTOML (builtins.readFile ../Admins.toml);
# TODO add gemerated id_ed25519 keys
systems = {
fginfo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCBAg2IlpsI2rNIxLyr0YOBlgFIs8u34q7SRpNFcScA root@fginfo";
};
in {
"fginfo-backup-passphrase.age".publicKeys = [
fginfo-keys.y0067212
systems.fginfo
];
] ++ fginfo-admins.y0067212.keys;
"wiki.fginfo.tu-bs.de.key.age".publicKeys = [
fginfo-keys.y0067212
systems.fginfo
];
] ++ fginfo-admins.y0067212.keys;
"tickets.fginfo.tu-bs.de.key.age".publicKeys = [
fginfo-keys.y0067212
];
] ++ fginfo-admins.y0067212.keys;
"fginfo-backup-ssh-key.age".publicKeys = [
fginfo-keys.y0067212
systems.fginfo
];
] ++ fginfo-admins.y0067212.keys;
}
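Review bot: Pulling recipients from `fginfo-admins.y0067212.keys` makes `Admins.toml` a trust root for secret decryption as well as for login and sudo: any key added to that entry and a subsequent rekey silently grants access to every secret listed here, so the import deserves a warning, e.g. `# Admins.toml also decides who can decrypt secrets — changes to it are security-relevant`. The rendered view does not show whether the `fginfo-keys.y0067212` lines are removed or kept; if kept, the same key is listed twice per secret, which is harmless but misleading, and binding `adminKeys = fginfo-admins.y0067212.keys;` once in the `let` instead of repeating the lookup four times would make the intent clearer. The `tickets.fginfo.tu-bs.de.key.age` entry is the only one without `systems.fginfo` as a recipient — pre-existing, but if that secret is deployed to the fginfo host it cannot be decrypted there. The TODO comment also has a typo (`gemerated`).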