commit 5313a3ffebccdf1e745b97d8330ed3ece5b86d2a (tree)
parent 16a8eff5435a2a944488024e704872facc78fe3e
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date: Thu, 20 Jul 2023 15:02:38 +0300
users and passwords
Diffstat:
5 files changed, 62 insertions(+), 39 deletions(-)
diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix
@@ -19,6 +19,11 @@ in {
timeZone = "UTC";
base = {
+ users.passwd = {
+ root.passwordFile = config.age.secrets.root-passwd-hash.path;
+ motiejus.passwordFile = config.age.secrets.motiejus-passwd-hash.path;
+ };
+
initrd = {
enable = true;
authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
@@ -32,7 +37,7 @@ in {
zfsborg = {
enable = true;
repo = "zh2769@zh2769.rsync.net:hel1-a.servers.jakst";
- passwdPath = config.age.secrets.borgbackup-password.path;
+ passwordPath = config.age.secrets.borgbackup-password.path;
mountpoints = {
"/var/lib" = {
paths = [
diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix
@@ -9,7 +9,10 @@ in {
mj = {
stateVersion = "23.05";
timeZone = "UTC";
- stubPasswords = true;
+
+ base.users.passwd = {
+ root.initialPassword = "live";
+ };
};
environment = {
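Review bot: `root.initialPassword = "live"` on the added line is a plaintext credential that NixOS copies into the world-readable Nix store, and the new `mj.base.users.passwd` option makes the same knob available to every host, where the old `stubPasswords = true` at least named it as a stub. A comment on the line keeps the intent from being copied to a real host: `# throwaway dev VM only: initialPassword is stored in plain text in the Nix store`.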
diff --git a/modules/base/default.nix b/modules/base/default.nix
@@ -10,25 +10,22 @@
./snapshot
./sshd
./unitstatus
+ ./users
./zfsborg
];
- options.mj = {
+ options.mj = with lib.types; {
stateVersion = lib.mkOption {
- type = lib.types.str;
+ type = str;
example = "22.11";
description = "The NixOS state version to use for this system";
};
+
timeZone = lib.mkOption {
- type = lib.types.str;
+ type = str;
example = "Europe/Vilnius";
description = "Time zone for this system";
};
-
- stubPasswords = lib.mkOption {
- type = lib.types.bool;
- default = false;
- };
};
config = {
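Review bot: Removing `stubPasswords` without a migration shim turns any host that still sets `mj.stubPasswords` into an evaluation error about an undefined option; only hosts/vm is updated in this commit, so whether other hosts reference it cannot be told from the diff. A one-line entry in the `imports` list (whose opening line is outside the hunk) gives a clear message instead: `(lib.mkRemovedOptionModule ["mj" "stubPasswords"] "use mj.base.users.passwd.<user>.initialPassword instead")`.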
@@ -63,33 +60,6 @@
};
};
- users = let
- withPasswordFile = file: attrs:
- (
- if config.mj.stubPasswords
- then {
- initialPassword = "live";
- }
- else {
- passwordFile = file;
- }
- )
- // attrs;
- in {
- mutableUsers = false;
-
- users = {
- motiejus = withPasswordFile config.age.secrets.motiejus-passwd-hash.path {
- isNormalUser = true;
- extraGroups = ["wheel"];
- uid = 1000;
- openssh.authorizedKeys.keys = [myData.ssh_pubkeys.motiejus];
- };
-
- root = withPasswordFile config.age.secrets.root-passwd-hash.path {};
- };
- };
-
environment = {
systemPackages = with pkgs; [
jc # parse different formats and command outputs to json
diff --git a/modules/base/users/default.nix b/modules/base/users/default.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ myData,
+ ...
+}: {
+ options.mj.base.users = with lib.types; {
+ passwd = lib.mkOption {
+ type = attrsOf (submodule (
+ {...}: {
+ options = {
+ passwordFile = lib.mkOption {
+ type = nullOr path;
+ default = null;
+ };
+ initialPassword = lib.mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ };
+ }
+ ));
+ };
+ };
+
+ config = {
+ users = {
+ mutableUsers = false;
+
+ users = with config.mj.base.users; {
+ motiejus =
+ {
+ isNormalUser = true;
+ extraGroups = ["wheel"];
+ uid = 1000;
+ openssh.authorizedKeys.keys = [myData.ssh_pubkeys.motiejus];
+ }
+ // lib.filterAttrs (n: v: v != null) passwd.motiejus or {};
+
+ root = assert lib.assertMsg (passwd ? root) "root password needs to be defined";
+ lib.filterAttrs (n: v: v != null) passwd.root;
+ };
+ };
+ };
+}
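Review bot: The assertion on the `root =` line only checks `passwd ? root`, so `passwd.root = {}` (both sub-options at their `null` defaults) passes it and, after `filterAttrs`, defines root with no password source at all, which contradicts the message "root password needs to be defined". Strengthen the condition to what the message promises: `assert lib.assertMsg (passwd ? root && (passwd.root.passwordFile != null || passwd.root.initialPassword != null)) "root password needs to be defined";`. Nothing stops a host from setting both `passwordFile` and `initialPassword` for the same user, which hands NixOS two password sources; a per-user check that at most one is non-null would make the intended precedence explicit. Both sub-options also lack a `description`; `initialPassword` should state that its value is copied into the world-readable Nix store and is meant for throwaway systems only, and `passwordFile` that it must be a runtime path such as an agenix secret, never a file from the repository.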
diff --git a/modules/base/zfsborg/default.nix b/modules/base/zfsborg/default.nix
@@ -19,7 +19,7 @@ in {
enable = lib.mkEnableOption "backup zfs snapshots with borg";
repo = lib.mkOption {type = str;};
- passwdPath = lib.mkOption {type = str;};
+ passwordPath = lib.mkOption {type = str;};
mountpoints = lib.mkOption {
default = {};
@@ -68,7 +68,7 @@ in {
repo = config.mj.base.zfsborg.repo;
encryption = {
mode = "repokey-blake2";
- passCommand = "cat ${config.mj.base.zfsborg.passwdPath}";
+ passCommand = "cat ${config.mj.base.zfsborg.passwordPath}";
};
paths = attrs.paths;
extraArgs = "--remote-path=borg1";