diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix index f6ea992..51ae55b 100644 --- a/hosts/hel1-a/configuration.nix +++ b/hosts/hel1-a/configuration.nix @@ -19,6 +19,11 @@ in { timeZone = "UTC"; base = { + users.passwd = { + root.passwordFile = config.age.secrets.root-passwd-hash.path; + motiejus.passwordFile = config.age.secrets.motiejus-passwd-hash.path; + }; + initrd = { enable = true; authorizedKeys = builtins.attrValues myData.ssh_pubkeys; @@ -32,7 +37,7 @@ in { zfsborg = { enable = true; repo = "zh2769@zh2769.rsync.net:hel1-a.servers.jakst"; - passwdPath = config.age.secrets.borgbackup-password.path; + passwordPath = config.age.secrets.borgbackup-password.path; mountpoints = { "/var/lib" = { paths = [ diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix index c0eeaf3..f35cac2 100644 --- a/hosts/vm/configuration.nix +++ b/hosts/vm/configuration.nix @@ -9,7 +9,10 @@ in { mj = { stateVersion = "23.05"; timeZone = "UTC"; - stubPasswords = true; + + base.users.passwd = { + root.initialPassword = "live"; + }; }; environment = { diff --git a/modules/base/default.nix b/modules/base/default.nix index ca57d1e..c5e9eba 100644 --- a/modules/base/default.nix +++ b/modules/base/default.nix @@ -10,25 +10,22 @@ ./snapshot ./sshd ./unitstatus + ./users ./zfsborg ]; - options.mj = { + options.mj = with lib.types; { stateVersion = lib.mkOption { - type = lib.types.str; + type = str; example = "22.11"; description = "The NixOS state version to use for this system"; }; + timeZone = lib.mkOption { - type = lib.types.str; + type = str; example = "Europe/Vilnius"; description = "Time zone for this system"; }; - - stubPasswords = lib.mkOption { - type = lib.types.bool; - default = false; - }; }; config = { 
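Review bot: In hosts/vm/configuration.nix only root gets `initialPassword = "live"`, while the removed `stubPasswords = true` stubbed both users, so motiejus in the VM now ends up with neither `passwordFile` nor `initialPassword` (the new users module filters both out as null) and, under `mutableUsers = false`, presumably has no usable password at all. If console login as motiejus is still wanted in the live image, add `motiejus.initialPassword = "live";` next to the root entry; if key-only login is intended, a one-line comment saying so would stop the next reader from treating it as an omission. `initialPassword` is plaintext in the Nix store, which was already true with the stub, so it stays confined to this VM host.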
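Review bot: `mj.stubPasswords` is removed outright in modules/base/default.nix, so a host that still sets it fails with the generic "option does not exist" error rather than a pointer to the replacement; consider adding `(lib.mkRemovedOptionModule ["mj" "stubPasswords"] "Set mj.base.users.passwd.<name>.initialPassword instead.")` to `imports` next to `./users`. The `with lib.types;` on `options.mj` is a style choice: it saves two `lib.types.` prefixes but turns `str` into an unqualified name, and some reviewers prefer the explicit form in option declarations for that reason.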
@@ -63,33 +60,6 @@ }; }; - users = let - withPasswordFile = file: attrs: - ( - if config.mj.stubPasswords - then { - initialPassword = "live"; - } - else { - passwordFile = file; - } - ) - // attrs; - in { - mutableUsers = false; - - users = { - motiejus = withPasswordFile config.age.secrets.motiejus-passwd-hash.path { - isNormalUser = true; - extraGroups = ["wheel"]; - uid = 1000; - openssh.authorizedKeys.keys = [myData.ssh_pubkeys.motiejus]; - }; - - root = withPasswordFile config.age.secrets.root-passwd-hash.path {}; - }; - }; - environment = { systemPackages = with pkgs; [ jc # parse different formats and command outputs to json diff --git a/modules/base/users/default.nix b/modules/base/users/default.nix new file mode 100644 index 0000000..03ffaa8 --- /dev/null +++ b/modules/base/users/default.nix @@ -0,0 +1,45 @@ +{ + config, + lib, + myData, + ... +}: { + options.mj.base.users = with lib.types; { + passwd = lib.mkOption { + type = attrsOf (submodule ( + {...}: { + options = { + passwordFile = lib.mkOption { + type = nullOr path; + default = null; + }; + initialPassword = lib.mkOption { + type = nullOr str; + default = null; + }; + }; + } + )); + }; + }; + + config = { + users = { + mutableUsers = false; + + users = with config.mj.base.users; { + motiejus = + { + isNormalUser = true; + extraGroups = ["wheel"]; + uid = 1000; + openssh.authorizedKeys.keys = [myData.ssh_pubkeys.motiejus]; + } + // lib.filterAttrs (n: v: v != null) passwd.motiejus or {}; + + root = assert lib.assertMsg (passwd ? root) "root password needs to be defined"; + lib.filterAttrs (n: v: v != null) passwd.root; + }; + }; + }; +} diff --git a/modules/base/zfsborg/default.nix b/modules/base/zfsborg/default.nix index c9c6bb3..56823f6 100644 --- a/modules/base/zfsborg/default.nix +++ b/modules/base/zfsborg/default.nix 
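Review bot: `mj.base.users.passwd` in modules/base/users/default.nix is declared without a `default`, so on a host that never sets it the `with config.mj.base.users;` read fails with the generic "option is used but not defined" error and the `assertMsg` guarding root never gets a chance to run; add `default = {};` and a `description`. The bare `assert` is also satisfied by `passwd.root = {}`, which leaves root with neither `passwordFile` nor `initialPassword` (a locked account under `mutableUsers = false`) despite the message saying a root password needs to be defined; the NixOS idiom is an `assertions` entry, which reports the option path cleanly, and the repeated `lib.filterAttrs (n: v: v != null)` can be hoisted. Nothing prevents both `passwordFile` and `initialPassword` being set for one user, so a comment on the submodule stating that exactly one is expected would make the contract explicit. The `passwordFile` name is forwarded unchanged to `users.users.<name>.passwordFile`, which newer NixOS releases (23.11 onward, as far as I know) deprecate in favour of `hashedPasswordFile`, so this option name may need a follow-up once the hosts move past stateVersion 23.05.
```nix
    passwd = lib.mkOption {
      default = {};
      description = "Password source per user; set exactly one of passwordFile or initialPassword.";
      type = attrsOf (submodule (
        # … unchanged: passwordFile / initialPassword submodule options …
      ));
    };
  };

  config = let
    nonNull = lib.filterAttrs (n: v: v != null);
    passwd = config.mj.base.users.passwd;
  in {
    assertions = [
      {
        assertion = passwd ? root;
        message = "mj.base.users.passwd.root needs to be defined";
      }
    ];

    users = {
      mutableUsers = false;

      users = {
        motiejus = {
          # … unchanged: isNormalUser, extraGroups, uid, openssh keys …
        } // nonNull (passwd.motiejus or {});

        root = nonNull (passwd.root or {});
      };
    };
  };
```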
@@ -19,7 +19,7 @@ in { enable = lib.mkEnableOption "backup zfs snapshots with borg"; repo = lib.mkOption {type = str;}; - passwdPath = lib.mkOption {type = str;}; + passwordPath = lib.mkOption {type = str;}; mountpoints = lib.mkOption { default = {}; @@ -68,7 +68,7 @@ in { repo = config.mj.base.zfsborg.repo; encryption = { mode = "repokey-blake2"; - passCommand = "cat ${config.mj.base.zfsborg.passwdPath}"; + passCommand = "cat ${config.mj.base.zfsborg.passwordPath}"; }; paths = attrs.paths; extraArgs = "--remote-path=borg1";