configs/manager: switch to isolated user.. WIP

This commit is contained in:
Aaron Bieber 2023-10-30 07:22:51 -06:00
parent b55d0f9b21
commit 315f5824e0
No known key found for this signature in database
3 changed files with 29 additions and 26 deletions


@ -5,6 +5,7 @@
, ...
}:
let
cfg = config.nixManager;
microcaBin = "${pkgs.microca}/bin/microca";
microca = pkgs.writeScriptBin "microca" ''
#!/usr/bin/env sh
@ -17,7 +18,7 @@ with lib; {
enable = mkEnableOption "Configure host as nix-conf manager.";
user = mkOption {
type = types.str;
default = "root";
default = "mgr";
description = ''
User who will own the private key.
'';
@ -27,16 +28,23 @@ with lib; {
#imports = [ ./tailnet.nix ];
config = mkIf config.nixManager.enable {
config = mkIf cfg.enable {
users.users.mgr = {
isNormalUser = true;
description = "Nix Manager";
home = "/home/mgr";
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
};
sops.defaultSopsFile = config.xin-secrets.manager;
sops.secrets = {
xin_status_key = { owner = config.nixManager.user; };
xin_status_pubkey = { owner = config.nixManager.user; };
manager_key = { owner = config.nixManager.user; };
manager_pubkey = { owner = config.nixManager.user; };
ca_key = { owner = config.nixManager.user; };
ca_cert = { owner = config.nixManager.user; };
po_env = { owner = config.nixManager.user; };
xin_status_key = { owner = cfg.user; };
xin_status_pubkey = { owner = cfg.user; };
manager_key = { owner = cfg.user; };
manager_pubkey = { owner = cfg.user; };
ca_key = { owner = cfg.user; };
ca_cert = { owner = cfg.user; };
po_env = { owner = cfg.user; };
};
environment.systemPackages = [
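Review bot: The new `users.users.mgr` block hard-codes the account name while every secret's `owner` now follows `cfg.user`, so a host that sets `nixManager.user` to anything other than "mgr" gets an unused `mgr` account and secrets owned by a name that may not exist; key the attribute on the option instead, `users.users.${cfg.user} = {`, and let the option default supply "mgr". Putting the "isolated" user in `wheel` also undercuts the isolation the commit title promises: on a stock NixOS sudo configuration wheel members can become root, so compromise of the key owner is still compromise of the host — drop the group unless the manager workflow genuinely needs sudo, or scope it with a narrower `security.sudo.extraRules` entry (whether sudo is configured elsewhere is not visible here). It is also worth a comment on the user block stating why `wheel`/`zsh` are needed, since nothing in the hunk uses them. The `config = mkIf cfg.enable` attribute set continues past the end of this hunk.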


@ -122,7 +122,7 @@ in
nixManager = {
enable = lib.mkDefault true;
user = "qbit";
user = "mgr";
};
kde.enable = lib.mkDefault true;


@ -1,7 +1,6 @@
{ config
, lib
, pkgs
, isUnstable
, ...
}:
with lib; let
@ -24,20 +23,16 @@ in
};
};
config = mkIf config.defaultUsers.enable {
users.users.root = userBase;
users.users.qbit =
userBase
// {
config = mkIf config.defaultUsers.enable
{
users.users = {
root = userBase;
qbit = userBase // {
isNormalUser = true;
description = "Aaron Bieber";
home = "/home/qbit";
extraGroups = [ "wheel" ];
};
environment.systemPackages =
if isUnstable
then [ pkgs.yash pkgs.go ]
else [ pkgs.go ];
};
};
}
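Review bot: Removing the `environment.systemPackages` expression (and the `isUnstable` argument it depended on) drops `go` and `yash` from every host that enables `defaultUsers`, which is unrelated to the isolated manager user the commit title describes; if that is intended, say so in the message or split it into its own commit so the package removal is reviewable on its own. The merge of `root` and `qbit` into a single `users.users` attribute set is behaviour-preserving as far as this hunk shows, but `userBase` is defined above the hunk, so what `root` inherits (password, authorized keys) cannot be confirmed from here. For consistency with the manager module, consider `config = mkIf cfg.enable` backed by `cfg = config.defaultUsers;` in the surrounding `let`, which is cut off above this hunk.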