added isPrincipleUser to users

This commit is contained in:
Leyla Becker 2024-11-24 12:43:12 -06:00
parent ddc087a548
commit aa7c2a2a15
5 changed files with 148 additions and 83 deletions


@ -4,7 +4,6 @@
nix = { nix = {
settings = { settings = {
experimental-features = ["nix-command" "flakes"]; experimental-features = ["nix-command" "flakes"];
trusted-users = ["leyla"];
}; };
gc = { gc = {
automatic = true; automatic = true;
@ -44,40 +43,9 @@
ports = [22]; ports = [22];
settings = { settings = {
PasswordAuthentication = false; PasswordAuthentication = false;
AllowUsers = ["leyla"]; # Allows all users by default. Can be [ "user1" "user2" ]
UseDns = true; UseDns = true;
X11Forwarding = false; X11Forwarding = false;
}; };
}; };
}; };
environment = {
# List packages installed in system profile.
systemPackages = with pkgs; [
wget
# version control
git
# system debuging tools
iputils
dnsutils
];
sessionVariables = rec {
SOPS_AGE_KEY_DIRECTORY = import ../../const/sops_age_key_directory.nix;
SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt";
};
};
sops = {
defaultSopsFormat = "yaml";
gnupg.sshKeyPaths = [];
age = {
keyFile = "/var/lib/sops-nix/key.txt";
sshKeyPaths = [];
# generateKey = true;
};
};
} }


@ -17,8 +17,9 @@
host = { host = {
users = { users = {
leyla = { leyla = {
isTerminalUser = true;
isDesktopUser = true; isDesktopUser = true;
isTerminalUser = true;
isPrincipleUser = true;
}; };
ester.isNormalUser = false; ester.isNormalUser = false;
eve.isNormalUser = false; eve.isNormalUser = false;


@ -14,6 +14,7 @@
leyla = { leyla = {
isDesktopUser = true; isDesktopUser = true;
isTerminalUser = true; isTerminalUser = true;
isPrincipleUser = true;
}; };
ester.isDesktopUser = true; ester.isDesktopUser = true;
eve.isDesktopUser = true; eve.isDesktopUser = true;


@ -10,7 +10,11 @@
host = { host = {
users = { users = {
leyla.isDesktopUser = true; leyla = {
isDesktopUser = true;
isTerminalUser = true;
isPrincipleUser = true;
};
ester.isDesktopUser = true; ester.isDesktopUser = true;
eve.isDesktopUser = true; eve.isDesktopUser = true;
}; };


@ -4,6 +4,15 @@
inputs, inputs,
... ...
}: let }: let
SOPS_AGE_KEY_DIRECTORY = import ../const/sops_age_key_directory.nix;
host = config.host;
hostUsers = host.hostUsers;
principleUsers = host.principleUsers;
terminalUsers = host.terminalUsers;
normalUsers = host.normalUsers;
uids = { uids = {
leyla = 1000; leyla = 1000;
ester = 1001; ester = 1001;
@ -35,51 +44,129 @@
ester = users.ester.name; ester = users.ester.name;
eve = users.eve.name; eve = users.eve.name;
in { in {
options.host.users = lib.mkOption { options.host = {
type = lib.types.attrsOf (lib.types.submodule ({config, ...}: { users = lib.mkOption {
options = { type = lib.types.attrsOf (lib.types.submodule ({
isDesktopUser = lib.mkOption { config,
type = lib.types.bool; name,
default = false; ...
description = '' }: {
User should install their desktop applications options = {
''; name = lib.mkOption {
defaultText = lib.literalExpression "config.host.users.\${name}.isDesktopUser"; type = lib.types.string;
default = name;
description = ''
What should this users name on the system be
'';
defaultText = lib.literalExpression "config.host.users.\${name}.name";
};
isPrincipleUser = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
User should be configured as root and have ssh access
'';
defaultText = lib.literalExpression "config.host.users.\${name}.isPrincipleUser";
};
isDesktopUser = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
User should install their desktop applications
'';
defaultText = lib.literalExpression "config.host.users.\${name}.isDesktopUser";
};
isTerminalUser = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
User should install their terminal applications
'';
defaultText = lib.literalExpression "config.host.users.\${name}.isTerminalUser";
};
isNormalUser = lib.mkOption {
type = lib.types.bool;
default = config.isDesktopUser || config.isTerminalUser;
description = ''
User should install their applications
'';
defaultText = lib.literalExpression "config.host.users.\${name}.isNormalUser";
};
}; };
isTerminalUser = lib.mkOption { }));
type = lib.types.bool; };
default = false; hostUsers = lib.mkOption {
description = '' default = lib.attrsets.mapAttrsToList (_: user: user) host.users;
User should install their terminal applications };
''; principleUsers = lib.mkOption {
defaultText = lib.literalExpression "config.host.users.\${name}.isTerminalUser"; default = lib.lists.filter (user: user.isPrincipleUser) hostUsers;
}; };
isNormalUser = lib.mkOption { normalUsers = lib.mkOption {
type = lib.types.bool; default = lib.lists.filter (user: user.isTerminalUser) hostUsers;
default = config.isDesktopUser || config.isTerminalUser; };
description = '' terminalUsers = lib.mkOption {
User should install their applications default = lib.lists.filter (user: user.isNormalUser) hostUsers;
''; };
defaultText = lib.literalExpression "config.host.users.\${name}.isNormalUser";
};
};
}));
}; };
config = { config = {
assertions =
(
builtins.map (user: {
assertion = !(user.isPrincipleUser && !user.isNormalUser);
message = ''
Non normal user ${user.name} can not be a principle user.
'';
})
hostUsers
)
++ [
{
assertion = (builtins.length principleUsers) > 0;
message = ''
At least one user must be a principle user.
'';
}
];
# principle users are by definition trusted
nix.settings.trusted-users = builtins.map (user: user.name) principleUsers;
# we should only be able to ssh into principle users of a computer who are also set up for terminal access
services.openssh.settings.AllowUsers = builtins.map (user: user.name) (lib.lists.intersectLists terminalUsers principleUsers);
# we need to set up env variables to nix can find keys to decrypt passwords on rebuild
environment = {
sessionVariables = {
SOPS_AGE_KEY_DIRECTORY = SOPS_AGE_KEY_DIRECTORY;
SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt";
};
};
# set up user passwords # set up user passwords
sops.secrets = { sops = {
"passwords/leyla" = { defaultSopsFormat = "yaml";
neededForUsers = true; gnupg.sshKeyPaths = [];
sopsFile = "${inputs.secrets}/user-passwords.yaml";
age = {
keyFile = "/var/lib/sops-nix/key.txt";
sshKeyPaths = [];
# generateKey = true;
}; };
"passwords/ester" = {
neededForUsers = true; secrets = {
sopsFile = "${inputs.secrets}/user-passwords.yaml"; "passwords/leyla" = {
}; neededForUsers = true;
"passwords/eve" = { sopsFile = "${inputs.secrets}/user-passwords.yaml";
neededForUsers = true; };
sopsFile = "${inputs.secrets}/user-passwords.yaml"; "passwords/ester" = {
neededForUsers = true;
sopsFile = "${inputs.secrets}/user-passwords.yaml";
};
"passwords/eve" = {
neededForUsers = true;
sopsFile = "${inputs.secrets}/user-passwords.yaml";
};
}; };
}; };
@ -88,33 +175,37 @@ in {
users = { users = {
leyla = { leyla = {
uid = lib.mkForce uids.leyla; uid = lib.mkForce uids.leyla;
name = lib.mkForce host.users.leyla.name;
description = "Leyla"; description = "Leyla";
extraGroups = extraGroups =
(lib.lists.optionals config.host.users.leyla.isNormalUser ["networkmanager" "wheel" "dialout"]) (lib.lists.optionals host.users.leyla.isNormalUser ["networkmanager"])
++ (lib.lists.optionals config.host.users.leyla.isDesktopUser ["adbusers"]); ++ (lib.lists.optionals host.users.leyla.isPrincipleUser ["wheel" "dialout"])
++ (lib.lists.optionals host.users.leyla.isDesktopUser ["adbusers"]);
hashedPasswordFile = config.sops.secrets."passwords/leyla".path; hashedPasswordFile = config.sops.secrets."passwords/leyla".path;
isNormalUser = config.host.users.leyla.isNormalUser; isNormalUser = host.users.leyla.isNormalUser;
isSystemUser = !config.host.users.leyla.isNormalUser; isSystemUser = !host.users.leyla.isNormalUser;
group = config.users.users.leyla.name; group = config.users.users.leyla.name;
}; };
ester = { ester = {
uid = lib.mkForce uids.ester; uid = lib.mkForce uids.ester;
name = lib.mkForce host.users.ester.name;
description = "Ester"; description = "Ester";
extraGroups = lib.optionals config.host.users.ester.isNormalUser ["networkmanager"]; extraGroups = lib.optionals host.users.ester.isNormalUser ["networkmanager"];
hashedPasswordFile = config.sops.secrets."passwords/ester".path; hashedPasswordFile = config.sops.secrets."passwords/ester".path;
isNormalUser = config.host.users.ester.isNormalUser; isNormalUser = host.users.ester.isNormalUser;
isSystemUser = !config.host.users.ester.isNormalUser; isSystemUser = !host.users.ester.isNormalUser;
group = config.users.users.ester.name; group = config.users.users.ester.name;
}; };
eve = { eve = {
uid = lib.mkForce uids.eve; uid = lib.mkForce uids.eve;
name = lib.mkForce host.users.eve.name;
description = "Eve"; description = "Eve";
extraGroups = lib.optionals config.host.users.eve.isNormalUser ["networkmanager"]; extraGroups = lib.optionals host.users.eve.isNormalUser ["networkmanager"];
hashedPasswordFile = config.sops.secrets."passwords/eve".path; hashedPasswordFile = config.sops.secrets."passwords/eve".path;
isNormalUser = config.host.users.eve.isNormalUser; isNormalUser = host.users.eve.isNormalUser;
isSystemUser = !config.host.users.eve.isNormalUser; isSystemUser = !host.users.eve.isNormalUser;
group = config.users.users.eve.name; group = config.users.users.eve.name;
}; };
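Review bot: The two derived lists in the `@ -35,51 +44,129 @@` hunk are wired to the wrong predicates: `normalUsers` filters on `user.isTerminalUser` while `terminalUsers` filters on `user.isNormalUser`. Because `services.openssh.settings.AllowUsers` is built from `lib.lists.intersectLists terminalUsers principleUsers`, the list actually admits every principle user who is merely a normal (for example desktop-only) user, which contradicts the comment directly above it that SSH should be limited to principle users who are also set up for terminal access. Swapping the two defaults, `default = lib.lists.filter (user: user.isNormalUser) hostUsers;` under `normalUsers` and `default = lib.lists.filter (user: user.isTerminalUser) hostUsers;` under `terminalUsers`, restores the intended restriction, and the assertion that a principle user must be a normal user still keeps the resulting list non-empty. Separately, the `name` option uses `lib.types.string`, which is deprecated in favour of `lib.types.str`, and the four list options (`hostUsers`, `principleUsers`, `normalUsers`, `terminalUsers`) declare no `type`, so a second definition of any of them from another module would fail to merge. The per-user block in the last hunk appears to continue past the visible lines.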