all: initial bits for moving users passwords to the pw store

2024-03-12 11:18:29 -06:00 · 2024-03-12 11:18:29 -06:00 · 1e81d1b296
commit 1e81d1b296
parent f2f80defc8
3 changed files with 60 additions and 24 deletions
--- a/default.nix
+++ b/default.nix
@ -60,17 +60,20 @@ in
  };

  config = {
-    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    sops = {
+      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

-    sops.secrets = {
-      xin_secrets_deploy_key = {
-        sopsFile = config.xin-secrets.deploy;
-        owner = "root";
-        group = "wheel";
-        mode = "400";
+      secrets = {
+        xin_secrets_deploy_key = {
+          sopsFile = config.xin-secrets.deploy;
+          owner = "root";
+          group = "wheel";
+          mode = "400";
+        };
      };
    };

+
    security.pki.certificates = [
      ''
        -----BEGIN CERTIFICATE-----
--- a/hosts/stan/default.nix
+++ b/hosts/stan/default.nix
@ -14,6 +14,7 @@ let

  userBase = {
    openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
+    shell = pkgs.zsh;
  };
  peerixUser =
    if builtins.hasAttr "peerix" config.users.users
@ -152,17 +153,26 @@ in
      owner = "root";
      mode = "400";
    };
+    abieber_hash = {
+      sopsFile = config.xin-secrets.user_passwords;
+      owner = "root";
+      mode = "400";
+      neededForUsers = true;
+    };
  };

-  users.users.root = userBase;
-  users.users.abieber =
-    {
-      isNormalUser = true;
-      description = "Aaron Bieber";
-      shell = pkgs.zsh;
-      extraGroups = [ "networkmanager" "wheel" "libvirtd" ];
-    }
-    // userBase;
+  users = {
+    mutableUsers = false;
+    users = {
+      root = userBase;
+      abieber = userBase // {
+        isNormalUser = true;
+        description = "Aaron Bieber";
+        extraGroups = [ "networkmanager" "wheel" "libvirtd" ];
+        hashedPasswordFile = config.sops.secrets.abieber_hash.path;
+      };
+    };
+  };

  nixpkgs.config.allowUnfree = true;

--- a/users/default.nix
+++ b/users/default.nix
@ -25,15 +25,38 @@ in
  };

  config = mkIf config.defaultUsers.enable {
-    users.users.root = userBase;
-    users.users.qbit =
-      userBase
-      // {
-        isNormalUser = true;
-        description = "Aaron Bieber";
-        home = "/home/qbit";
-        extraGroups = [ "wheel" ];
+    sops = {
+      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      secrets = {
+        "${config.networking.hostName}_hash" = {
+          sopsFile = config.xin-secrets.root_passwords;
+          owner = "root";
+          mode = "400";
+          neededForUsers = true;
+        };
+        qbit_hash = {
+          sopsFile = config.xin-secrets.user_passwords;
+          owner = "root";
+          mode = "400";
+          neededForUsers = true;
+        };
      };
+    };
+    users = {
+      mutableUsers = false;
+      users = {
+        root = userBase // {
+          hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path;
+        };
+        qbit = userBase // {
+          isNormalUser = true;
+          description = "Aaron Bieber";
+          home = "/home/qbit";
+          extraGroups = [ "wheel" ];
+          hashedPasswordFile = config.sops.secrets.qbit_hash.path;
+        };
+      };
+    };

    environment.systemPackages =
      if isUnstable