users and passwords

Motiejus Jakštys 2023-07-20 15:02:38 +03:00
parent 16a8eff543
commit 5313a3ffeb
5 changed files with 62 additions and 39 deletions


@ -19,6 +19,11 @@ in {
timeZone = "UTC";
base = {
users.passwd = {
root.passwordFile = config.age.secrets.root-passwd-hash.path;
motiejus.passwordFile = config.age.secrets.motiejus-passwd-hash.path;
};
initrd = {
enable = true;
authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
@ -32,7 +37,7 @@ in {
zfsborg = {
enable = true;
repo = "zh2769@zh2769.rsync.net:hel1-a.servers.jakst";
passwdPath = config.age.secrets.borgbackup-password.path;
passwordPath = config.age.secrets.borgbackup-password.path;
mountpoints = {
"/var/lib" = {
paths = [


@ -9,7 +9,10 @@ in {
mj = {
stateVersion = "23.05";
timeZone = "UTC";
stubPasswords = true;
base.users.passwd = {
root.initialPassword = "live";
};
};
environment = {
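Review bot: `root.initialPassword = "live";` on the new side commits a cleartext root password, and because the users module sets `users.mutableUsers = false`, NixOS treats `initialPassword` like `password`, so the value ends up world-readable in the Nix store; that is presumably intended for a live/installer image, but nothing in the hunk says so. A one-line comment above the attribute would keep the next reader from copying this into a real host config: `# live image only: cleartext password, world-readable in the Nix store`. Note also that `motiejus` is not given any entry here, so with immutable users that account presumably has no usable password and is reachable only through the SSH keys the users module assigns — confirm that is the intent.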


@ -10,25 +10,22 @@
./snapshot
./sshd
./unitstatus
./users
./zfsborg
];
options.mj = {
options.mj = with lib.types; {
stateVersion = lib.mkOption {
type = lib.types.str;
type = str;
example = "22.11";
description = "The NixOS state version to use for this system";
};
timeZone = lib.mkOption {
type = lib.types.str;
type = str;
example = "Europe/Vilnius";
description = "Time zone for this system";
};
stubPasswords = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = {
@ -63,33 +60,6 @@
};
};
users = let
withPasswordFile = file: attrs:
(
if config.mj.stubPasswords
then {
initialPassword = "live";
}
else {
passwordFile = file;
}
)
// attrs;
in {
mutableUsers = false;
users = {
motiejus = withPasswordFile config.age.secrets.motiejus-passwd-hash.path {
isNormalUser = true;
extraGroups = ["wheel"];
uid = 1000;
openssh.authorizedKeys.keys = [myData.ssh_pubkeys.motiejus];
};
root = withPasswordFile config.age.secrets.root-passwd-hash.path {};
};
};
environment = {
systemPackages = with pkgs; [
jc # parse different formats and command outputs to json


@ -0,0 +1,45 @@
{
config,
lib,
myData,
...
}: {
options.mj.base.users = with lib.types; {
passwd = lib.mkOption {
type = attrsOf (submodule (
{...}: {
options = {
passwordFile = lib.mkOption {
type = nullOr path;
default = null;
};
initialPassword = lib.mkOption {
type = nullOr str;
default = null;
};
};
}
));
};
};
config = {
users = {
mutableUsers = false;
users = with config.mj.base.users; {
motiejus =
{
isNormalUser = true;
extraGroups = ["wheel"];
uid = 1000;
openssh.authorizedKeys.keys = [myData.ssh_pubkeys.motiejus];
}
// lib.filterAttrs (n: v: v != null) passwd.motiejus or {};
root = assert lib.assertMsg (passwd ? root) "root password needs to be defined";
lib.filterAttrs (n: v: v != null) passwd.root;
};
};
};
}
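Review bot: The assertion at `root = assert lib.assertMsg (passwd ? root) ...` only checks that the `root` key exists, so `passwd.root = {}` (both sub-options left at their `null` default) passes it yet produces a root user with neither `passwordFile` nor `initialPassword`, which contradicts the message "root password needs to be defined". Check the values rather than the key: `root = assert lib.assertMsg (passwd ? root && (passwd.root.passwordFile != null || passwd.root.initialPassword != null)) "root password needs to be defined";`. The submodule also accepts both options at once and neither option carries a `description`; I would document `passwordFile` as the path to a file holding the hashed password, read at activation rather than embedded in the store, and `initialPassword` as a cleartext value that is world-readable in the Nix store and meant only for throwaway accounts, and consider asserting that at most one of the two is non-null per user.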


@ -19,7 +19,7 @@ in {
enable = lib.mkEnableOption "backup zfs snapshots with borg";
repo = lib.mkOption {type = str;};
passwdPath = lib.mkOption {type = str;};
passwordPath = lib.mkOption {type = str;};
mountpoints = lib.mkOption {
default = {};
@ -68,7 +68,7 @@ in {
repo = config.mj.base.zfsborg.repo;
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.mj.base.zfsborg.passwdPath}";
passCommand = "cat ${config.mj.base.zfsborg.passwordPath}";
};
paths = attrs.paths;
extraArgs = "--remote-path=borg1";