From 1e81d1b296bc049d156eb2308b13fb803c17457a Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Tue, 12 Mar 2024 11:18:29 -0600
Subject: [PATCH] all: initial bits for moving users passwords to the pw store
---
 default.nix | 17 ++++++++++-------
 hosts/stan/default.nix | 28 +++++++++++++++++++---------
 users/default.nix | 39 +++++++++++++++++++++++++++++++--------
 3 files changed, 60 insertions(+), 24 deletions(-)
diff --git a/default.nix b/default.nix
index 74733f8..d0ee175 100644
--- a/default.nix
+++ b/default.nix
@@ -60,17 +60,20 @@ in
 };
 config = {
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- sops.secrets = {
- xin_secrets_deploy_key = {
- sopsFile = config.xin-secrets.deploy;
- owner = "root";
- group = "wheel";
- mode = "400";
+ secrets = {
+ xin_secrets_deploy_key = {
+ sopsFile = config.xin-secrets.deploy;
+ owner = "root";
+ group = "wheel";
+ mode = "400";
+ };
 };
 };
+
 security.pki.certificates = [
 ''
 -----BEGIN CERTIFICATE-----
diff --git a/hosts/stan/default.nix b/hosts/stan/default.nix
index ee55f47..027e392 100644
--- a/hosts/stan/default.nix
+++ b/hosts/stan/default.nix
@@ -14,6 +14,7 @@ let
 userBase = {
 openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
+ shell = pkgs.zsh;
 };
 peerixUser = if builtins.hasAttr "peerix" config.users.users
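Review bot: The `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` kept inside the new `sops = { … }` block is declared a second time, with the same value, by the users/default.nix hunk of this commit. NixOS merges list-typed options by concatenation, so a host that imports both modules would, as far as I can tell, end up with the host key path listed twice; that is redundant rather than broken, but it gives the key that unlocks every secret two sources of truth. Keep the declaration here and let users/default.nix declare only its `secrets`. A comment on this line such as `# the only place the sops decryption key is declared` would make that ownership explicit.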
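Review bot: Adding `shell = pkgs.zsh;` to `userBase` changes root's login shell as well, because `users.users.root = userBase` (visible in the later hunk of this file); before this commit only abieber had zsh. If that is intended, a comment on the line, `# applies to root too (root = userBase below)`, stops it from being read as accidental; otherwise keep the shell on abieber only. NixOS also warns when a user's shell is zsh while `programs.zsh.enable` is not set, which I cannot confirm from this hunk. The enclosing `let` block starts before the hunk.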
@@ -152,17 +153,26 @@ in
 owner = "root";
 mode = "400";
 };
+ abieber_hash = {
+ sopsFile = config.xin-secrets.user_passwords;
+ owner = "root";
+ mode = "400";
+ neededForUsers = true;
+ };
 };
- users.users.root = userBase;
- users.users.abieber =
- {
- isNormalUser = true;
- description = "Aaron Bieber";
- shell = pkgs.zsh;
- extraGroups = [ "networkmanager" "wheel" "libvirtd" ];
- }
- // userBase;
+ users = {
+ mutableUsers = false;
+ users = {
+ root = userBase;
+ abieber = userBase // {
+ isNormalUser = true;
+ description = "Aaron Bieber";
+ extraGroups = [ "networkmanager" "wheel" "libvirtd" ];
+ hashedPasswordFile = config.sops.secrets.abieber_hash.path;
+ };
+ };
+ };
 nixpkgs.config.allowUnfree = true;
diff --git a/users/default.nix b/users/default.nix
index a2031c8..656b70a 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -25,15 +25,38 @@ in
 };
 config = mkIf config.defaultUsers.enable {
- users.users.root = userBase;
- users.users.qbit =
- userBase
- // {
- isNormalUser = true;
- description = "Aaron Bieber";
- home = "/home/qbit";
- extraGroups = [ "wheel" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets = {
+ "${config.networking.hostName}_hash" = {
+ sopsFile = config.xin-secrets.root_passwords;
+ owner = "root";
+ mode = "400";
+ neededForUsers = true;
+ };
+ qbit_hash = {
+ sopsFile = config.xin-secrets.user_passwords;
+ owner = "root";
+ mode = "400";
+ neededForUsers = true;
+ };
 };
+ };
+ users = {
+ mutableUsers = false;
+ users = {
+ root = userBase // {
+ hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path;
+ };
+ qbit = userBase // {
+ isNormalUser = true;
+ description = "Aaron Bieber";
+ home = "/home/qbit";
+ extraGroups = [ "wheel" ];
+ hashedPasswordFile = config.sops.secrets.qbit_hash.path;
+ };
+ };
+ };
 environment.systemPackages = if isUnstable
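Review bot: With `mutableUsers = false;` now in force, `root = userBase;` gives root no `hashedPasswordFile`, so NixOS locks root's password on stan and only the SSH keys from `userBase` remain; users/default.nix in the same commit instead attaches a `"${config.networking.hostName}_hash"` secret to root. If stan is meant to follow that pattern, declare the matching secret next to `abieber_hash` and change the line to `root = userBase // { hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path; };`. If locking root on stan is intended, a one-line comment, `# root has no password on purpose; key-based SSH only`, records that so it is not read as an omission. Either way `abieber_hash` becomes the only password path on this host, so a decryption failure at activation (for example a host key that does not match the sops recipients after a reinstall) leaves no password login at all; worth confirming stan's host key is a recipient before switching.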