all: initial bits for moving users passwords to the pw store

Aaron Bieber 2024-03-12 11:18:29 -06:00
parent f2f80defc8
commit 1e81d1b296
3 changed files with 60 additions and 24 deletions


@ -60,9 +60,10 @@ in
}; };
config = { config = {
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = { secrets = {
xin_secrets_deploy_key = { xin_secrets_deploy_key = {
sopsFile = config.xin-secrets.deploy; sopsFile = config.xin-secrets.deploy;
owner = "root"; owner = "root";
@ -70,6 +71,8 @@ in
mode = "400"; mode = "400";
}; };
}; };
};
security.pki.certificates = [ security.pki.certificates = [
'' ''


@ -14,6 +14,7 @@ let
userBase = { userBase = {
openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys; openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
shell = pkgs.zsh;
}; };
peerixUser = peerixUser =
if builtins.hasAttr "peerix" config.users.users if builtins.hasAttr "peerix" config.users.users
@ -152,17 +153,26 @@ in
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };
abieber_hash = {
sopsFile = config.xin-secrets.user_passwords;
owner = "root";
mode = "400";
neededForUsers = true;
};
}; };
users.users.root = userBase; users = {
users.users.abieber = mutableUsers = false;
{ users = {
root = userBase;
abieber = userBase // {
isNormalUser = true; isNormalUser = true;
description = "Aaron Bieber"; description = "Aaron Bieber";
shell = pkgs.zsh;
extraGroups = [ "networkmanager" "wheel" "libvirtd" ]; extraGroups = [ "networkmanager" "wheel" "libvirtd" ];
} hashedPasswordFile = config.sops.secrets.abieber_hash.path;
// userBase; };
};
};
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
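Review bot: Under the new `mutableUsers = false;` this file still sets `root = userBase;` with no `hashedPasswordFile`, so on the new side root carries no password entry at all, which (unless I am misremembering the NixOS user-activation behaviour) leaves the account locked for password login, while the defaultUsers change in the same commit gives root a per-host `_hash` secret. If that is deliberate for this host, a comment next to `root = userBase;` such as `# root: ssh-key only, no password hash on this host` would spare the next reader the comparison; otherwise mirror the other file with `root = userBase // { hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path; };` plus a matching secret entry under `sops.secrets`. Separately, `mutableUsers = false` means a password changed with `passwd` on the machine is discarded at the next activation, which is worth a one-line comment on the `users = {` block now that the sops file is the only source of truth. The enclosing `config` attribute set starts and ends outside the hunk.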


@ -25,14 +25,37 @@ in
}; };
config = mkIf config.defaultUsers.enable { config = mkIf config.defaultUsers.enable {
users.users.root = userBase; sops = {
users.users.qbit = age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
userBase secrets = {
// { "${config.networking.hostName}_hash" = {
sopsFile = config.xin-secrets.root_passwords;
owner = "root";
mode = "400";
neededForUsers = true;
};
qbit_hash = {
sopsFile = config.xin-secrets.user_passwords;
owner = "root";
mode = "400";
neededForUsers = true;
};
};
};
users = {
mutableUsers = false;
users = {
root = userBase // {
hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path;
};
qbit = userBase // {
isNormalUser = true; isNormalUser = true;
description = "Aaron Bieber"; description = "Aaron Bieber";
home = "/home/qbit"; home = "/home/qbit";
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
hashedPasswordFile = config.sops.secrets.qbit_hash.path;
};
};
}; };
environment.systemPackages = environment.systemPackages =