From dd05418887af3fb4d76a0a940859d7aeeef39289 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Sun, 16 Jan 2022 12:25:04 +0100 Subject: [PATCH] Refactor k-ot user --- hosts/containers/deployer/configuration.nix | 8 ++---- hosts/containers/hydra/default.nix | 8 ------ hosts/containers/nix-build/default.nix | 2 -- hosts/dacbert/default.nix | 6 +--- hosts/glotzbert/default.nix | 12 ++------ hosts/pulsebert/default.nix | 6 +--- hosts/storage-ng/default.nix | 2 +- modules/c3d2.nix | 32 +++++++++++++++------ 8 files changed, 31 insertions(+), 45 deletions(-) diff --git a/hosts/containers/deployer/configuration.nix b/hosts/containers/deployer/configuration.nix index d7339c8f..7f35b77a 100644 --- a/hosts/containers/deployer/configuration.nix +++ b/hosts/containers/deployer/configuration.nix @@ -8,6 +8,8 @@ ../../../config/admins.nix ]; + c3d2.k-ot.enable = true; + environment.systemPackages = with pkgs; [ nixops pass @@ -60,12 +62,6 @@ autoOptimiseStore = true; }; - users.extraUsers.k-ot = { - isNormalUser = true; - uid = 1000; - extraGroups = [ "wheel" ]; - }; - security.sudo.wheelNeedsPassword = false; system.stateVersion = "19.09"; # Did you read the comment? diff --git a/hosts/containers/hydra/default.nix b/hosts/containers/hydra/default.nix index 3e210e7b..a3c2f76b 100644 --- a/hosts/containers/hydra/default.nix +++ b/hosts/containers/hydra/default.nix @@ -7,14 +7,6 @@ ./updater.nix ]; - c3d2 = { - users = { - emery = true; - windsleep = true; - }; - # hq.statistics.enable = true; - }; - nixpkgs.config.allowUnfree = true; security.pam.enableSSHAgentAuth = true; diff --git a/hosts/containers/nix-build/default.nix b/hosts/containers/nix-build/default.nix index aaaaf905..bda8a33e 100644 --- a/hosts/containers/nix-build/default.nix +++ b/hosts/containers/nix-build/default.nix @@ -14,8 +14,6 @@ networking.firewall.allowedTCPPorts = [ 22 ]; networking.nameservers = [ "172.20.73.8" "9.9.9.9" ]; - c3d2.users.polygon = true; - imports = [ ./hardware-configuration.nix ]; 
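Review bot: Setting `c3d2.k-ot.enable = true;` on the deployer inherits the module definition in this same patch, which gives k-ot a fixed `password = "k-otk-ot"` and `wheel` membership, while this host keeps `security.sudo.wheelNeedsPassword = false` (context in the second hunk) — so that string is a root login on the deployer for anyone who can reach a console or a password-accepting sshd. The local definition removed in the second hunk set no password at all, so this is a widening of access rather than a pure refactor, and the host's package list (`nixops`, `pass`) suggests it holds deployment secrets. If a password is not needed here, override it per host with `users.users.k-ot.password = lib.mkForce null;`, or set `hashedPassword`/`passwordFile` instead of the plain option; also confirm that sshd has password authentication disabled on this container, which is not visible in this file.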
diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix index 2583dbeb..8ef87e61 100644 --- a/hosts/dacbert/default.nix +++ b/hosts/dacbert/default.nix @@ -115,12 +115,8 @@ wheelNeedsPassword = false; }; - users.users.k-ot = { - isNormalUser = true; - extraGroups = [ "wheel" "audio" "video" ]; - }; - c3d2.audioServer.enable = true; + c3d2.k-ot.enable = true; # Select internationalisation properties. console = { diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix index 9248b3a2..09072f44 100644 --- a/hosts/glotzbert/default.nix +++ b/hosts/glotzbert/default.nix @@ -7,11 +7,9 @@ isInHq = true; hq.interface = "eno1"; hq.enableBinaryCache = false; - users.k-ot = true; - users.emery = true; + k-ot.enable = true; mountCeph = "/mnt/storage"; }; - users.users.emery.cryptHomeLuks = "/home/emery.luks.img"; nixpkgs.config.allowUnfree = true; nix = { @@ -108,16 +106,10 @@ wheelNeedsPassword = false; }; - # Define a user account. Don't forget to set a password with ‘passwd’. users.groups."k-ot" = { gid = 1000; }; users.users."k-ot" = { - isNormalUser = true; - uid = 1000; group = "k-ot"; - extraGroups = [ "wheel" "networkmanager" "audio" "video" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJJTSJdpDh82486uPiMhhyhnci4tScp5uUe7156MBC8 astro" - ]; + extraGroups = [ "networkmanager" ]; }; # This value determines the NixOS release with which your system is to be diff --git a/hosts/pulsebert/default.nix b/hosts/pulsebert/default.nix index 24200a6c..70b95454 100644 --- a/hosts/pulsebert/default.nix +++ b/hosts/pulsebert/default.nix @@ -82,12 +82,8 @@ in wheelNeedsPassword = false; }; - users.users.k-ot = { - isNormalUser = true; - extraGroups = [ "wheel" "audio" ]; - }; - c3d2.audioServer.enable = true; + c3d2.k-ot.enable = true; services.nginx = { enable = true; diff --git a/hosts/storage-ng/default.nix b/hosts/storage-ng/default.nix index 6b970a6e..186e06b7 100644 --- a/hosts/storage-ng/default.nix 
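Review bot: Removing `users.emery = true;` together with `users.users.emery.cryptHomeLuks = "/home/emery.luks.img";` deletes the `emery` account from glotzbert in the first hunk of this file, which is outside the scope of a commit titled "Refactor k-ot user" and leaves the LUKS home image orphaned on disk. If `c3d2.users.emery` is also what contributed emery's key to the module's `adminKeys`, this additionally drops emery's key from k-ot's and root's authorized keys on this host (inferred from the module hunk; the `c3d2.users` option definition is not in this patch). If the removal is intended, say so in the commit message; otherwise keep the two lines.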
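Review bot: Dropping the hard-coded `astro` authorized key from glotzbert's `users.users."k-ot"` block leaves astro's access to this host dependent on astro being listed in `c3d2.users` for glotzbert, since the module now supplies k-ot's keys only from `adminKeys`; this patch does not show that, so confirm it before merging or the refactor silently revokes a login. The surviving local block keeps `group = "k-ot"` with `gid = 1000`, which is consistent with the module's `uid = 1000`, but the `wheel` membership that used to be explicit here is now implied by the module while this host keeps `wheelNeedsPassword = false` (context above), so the module's fixed password applies to a passwordless-sudo account on this machine.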
+++ b/hosts/storage-ng/default.nix @@ -13,7 +13,7 @@ in ]; c3d2 = { - users.k-ot = true; + k-ot.enable = true; isInHq = true; mapHqHosts = true; hq.interface = eth0; diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 5841eb8a..636ff6ee 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix @@ -1,6 +1,6 @@ # This module defines options for use by all C3D2 machines. -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.c3d2; in @@ -49,6 +49,11 @@ in ''; }; + k-ot.enable = mkEnableOption '' + Add k-ot user to this machine. Anyone with an SSH key listed in + c3d2.users can log in as this user. + ''; + hq = { interface = mkOption { @@ -88,16 +93,27 @@ in }; }; - config = { - - users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd); - - users.users.root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot - (with builtins; lib.lists.flatten ( + config = + let + adminKeys = (with builtins; lib.lists.flatten ( map (getAttr "sshKeys") (attrValues cfg.users) )); + in + { + users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd); - }; + users.users.k-ot = lib.mkIf cfg.k-ot.enable { + packages = with pkgs; [ screen tmux ]; + createHome = true; + isNormalUser = true; + uid = 1000; + extraGroups = [ "audio" "video" "wheel" ]; + password = "k-otk-ot"; + openssh.authorizedKeys.keys = adminKeys; + }; + + users.users.root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot adminKeys; + }; }
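Review bot: The `k-ot.enable` option description understates what enabling it grants: the definition later in this module puts k-ot in `wheel`, and every host enabling the option in this patch sets `security.sudo.wheelNeedsPassword = false`, so the keys in `c3d2.users` get root-equivalent access, not merely a login as k-ot. Suggest expanding the description to: `Add the shared k-ot user to this machine. Anyone with an SSH key listed in c3d2.users can log in as this user; k-ot is in the wheel group, so on hosts with passwordless sudo this is root-equivalent access.`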
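Review bot: `password = "k-otk-ot";` hands a `wheel` member a fixed, trivially guessable password on every host that enables the option, and the NixOS `users.users.<name>.password` option writes that value in plain text into the world-readable Nix store, so it is not a secret even before anyone guesses it; combined with `wheelNeedsPassword = false` on the enabling hosts, this is unauthenticated root for anyone who can reach a console or a password-accepting sshd. Prefer `hashedPassword = "<mkpasswd -m sha-512 output>";`, or `passwordFile` pointing at a file deployed outside the store, or drop the password altogether since the option description names the `adminKeys` SSH keys as the intended login path; in any case make sure password authentication is disabled in sshd on these hosts (not visible in this module). Separately, `uid = 1000;` is now pinned for every enabling host, whereas dacbert and pulsebert previously left k-ot's uid unallocated — if their existing k-ot received a different uid, files under its home change ownership on the next rebuild, so confirm the current uids or drop the pin. The closing `}` of the module is the last visible line, so the file's trailing context may be truncated here.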