Refactor k-ot user
parent
c2fbfef90f
commit
dd05418887
|
@ -8,6 +8,8 @@
|
||||||
../../../config/admins.nix
|
../../../config/admins.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
c3d2.k-ot.enable = true;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
nixops
|
nixops
|
||||||
pass
|
pass
|
||||||
|
@ -60,12 +62,6 @@
|
||||||
autoOptimiseStore = true;
|
autoOptimiseStore = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.extraUsers.k-ot = {
|
|
||||||
isNormalUser = true;
|
|
||||||
uid = 1000;
|
|
||||||
extraGroups = [ "wheel" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
security.sudo.wheelNeedsPassword = false;
|
security.sudo.wheelNeedsPassword = false;
|
||||||
|
|
||||||
system.stateVersion = "19.09"; # Did you read the comment?
|
system.stateVersion = "19.09"; # Did you read the comment?
|
||||||
|
|
|
@ -7,14 +7,6 @@
|
||||||
./updater.nix
|
./updater.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
c3d2 = {
|
|
||||||
users = {
|
|
||||||
emery = true;
|
|
||||||
windsleep = true;
|
|
||||||
};
|
|
||||||
# hq.statistics.enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
security.pam.enableSSHAgentAuth = true;
|
security.pam.enableSSHAgentAuth = true;
|
||||||
|
|
|
@ -14,8 +14,6 @@
|
||||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||||
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
|
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
|
||||||
|
|
||||||
c3d2.users.polygon = true;
|
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
];
|
];
|
||||||
|
|
|
@ -115,12 +115,8 @@
|
||||||
wheelNeedsPassword = false;
|
wheelNeedsPassword = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.k-ot = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "wheel" "audio" "video" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
c3d2.audioServer.enable = true;
|
c3d2.audioServer.enable = true;
|
||||||
|
c3d2.k-ot.enable = true;
|
||||||
|
|
||||||
# Select internationalisation properties.
|
# Select internationalisation properties.
|
||||||
console = {
|
console = {
|
||||||
|
|
|
@ -7,11 +7,9 @@
|
||||||
isInHq = true;
|
isInHq = true;
|
||||||
hq.interface = "eno1";
|
hq.interface = "eno1";
|
||||||
hq.enableBinaryCache = false;
|
hq.enableBinaryCache = false;
|
||||||
users.k-ot = true;
|
k-ot.enable = true;
|
||||||
users.emery = true;
|
|
||||||
mountCeph = "/mnt/storage";
|
mountCeph = "/mnt/storage";
|
||||||
};
|
};
|
||||||
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
|
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
nix = {
|
nix = {
|
||||||
|
@ -108,16 +106,10 @@
|
||||||
wheelNeedsPassword = false;
|
wheelNeedsPassword = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
|
||||||
users.groups."k-ot" = { gid = 1000; };
|
users.groups."k-ot" = { gid = 1000; };
|
||||||
users.users."k-ot" = {
|
users.users."k-ot" = {
|
||||||
isNormalUser = true;
|
|
||||||
uid = 1000;
|
|
||||||
group = "k-ot";
|
group = "k-ot";
|
||||||
extraGroups = [ "wheel" "networkmanager" "audio" "video" ];
|
extraGroups = [ "networkmanager" ];
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJJTSJdpDh82486uPiMhhyhnci4tScp5uUe7156MBC8 astro"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
|
|
|
@ -82,12 +82,8 @@ in
|
||||||
wheelNeedsPassword = false;
|
wheelNeedsPassword = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.k-ot = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "wheel" "audio" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
c3d2.audioServer.enable = true;
|
c3d2.audioServer.enable = true;
|
||||||
|
c3d2.k-ot.enable = true;
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -13,7 +13,7 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
c3d2 = {
|
c3d2 = {
|
||||||
users.k-ot = true;
|
k-ot.enable = true;
|
||||||
isInHq = true;
|
isInHq = true;
|
||||||
mapHqHosts = true;
|
mapHqHosts = true;
|
||||||
hq.interface = eth0;
|
hq.interface = eth0;
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# This module defines options for use by all C3D2 machines.
|
# This module defines options for use by all C3D2 machines.
|
||||||
|
|
||||||
{ config, lib, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let cfg = config.c3d2;
|
let cfg = config.c3d2;
|
||||||
in
|
in
|
||||||
|
@ -49,6 +49,11 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
k-ot.enable = mkEnableOption ''
|
||||||
|
Add k-ot user to this machine. Anyone with an SSH key listed in
|
||||||
|
<literal>c3d2.users</literal> can log in as this user.
|
||||||
|
'';
|
||||||
|
|
||||||
hq = {
|
hq = {
|
||||||
|
|
||||||
interface = mkOption {
|
interface = mkOption {
|
||||||
|
@ -88,16 +93,27 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
config = {
|
config =
|
||||||
|
let
|
||||||
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
|
adminKeys = (with builtins; lib.lists.flatten (
|
||||||
|
|
||||||
users.users.root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot
|
|
||||||
(with builtins; lib.lists.flatten (
|
|
||||||
map
|
map
|
||||||
(getAttr "sshKeys")
|
(getAttr "sshKeys")
|
||||||
(attrValues cfg.users)
|
(attrValues cfg.users)
|
||||||
));
|
));
|
||||||
|
in
|
||||||
|
{
|
||||||
|
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
|
||||||
|
|
||||||
};
|
users.users.k-ot = lib.mkIf cfg.k-ot.enable {
|
||||||
|
packages = with pkgs; [ screen tmux ];
|
||||||
|
createHome = true;
|
||||||
|
isNormalUser = true;
|
||||||
|
uid = 1000;
|
||||||
|
extraGroups = [ "audio" "video" "wheel" ];
|
||||||
|
password = "k-otk-ot";
|
||||||
|
openssh.authorizedKeys.keys = adminKeys;
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot adminKeys;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
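Review bot: `password = "k-otk-ot";` in the new `users.users.k-ot` definition gives every machine that sets `c3d2.k-ot.enable = true` a wheel-group account with a fixed plaintext password, and `users.users.<name>.password` is written into the world-readable Nix store; on the hosts whose hunks here show `security.sudo.wheelNeedsPassword = false` as context (the -60, -115, -108 and -82 hunks), anyone who can authenticate with that password obtains root without a further prompt. The option description added in the -49 hunk states that only holders of an SSH key listed in `c3d2.users` can log in as this user, and the password line contradicts that contract; `openssh.authorizedKeys.keys = adminKeys;` already provides SSH access, so removing the `password` line keeps the behaviour the description promises, and if a local console login is genuinely needed, `hashedPassword` with a per-host hash is the appropriate option. Whether SSH password authentication is disabled on these hosts is not visible in this diff, so that assumption should be confirmed. Separately, `mkEnableOption` prefixes its argument with "Whether to enable ", so the description should be a noun phrase (for example "the shared k-ot user on this machine") with the sentence about `c3d2.users` keys following it, rather than starting with "Add k-ot user".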