diff --git a/machines/krz01/_configuration.nix b/machines/krz01/_configuration.nix index 3f4d96a..b3138e2 100644 --- a/machines/krz01/_configuration.nix +++ b/machines/krz01/_configuration.nix @@ -65,7 +65,6 @@ lib.extra.mkConfig { extraLibraries = [ config.hardware.nvidia.package ]; }; }; - users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/"; }; root = ./.; diff --git a/machines/web02/_configuration.nix b/machines/web02/_configuration.nix index 898f7f6..0401986 100644 --- a/machines/web02/_configuration.nix +++ b/machines/web02/_configuration.nix @@ -13,6 +13,10 @@ lib.extra.mkConfig { ]; extraConfig = { + users.users.test = { + isNormalUser = true; + password = "totoro"; + }; # Restrict access to this node dgn-access-control.users.root = [ "thubrecht" ]; diff --git a/meta/nodes.nix b/meta/nodes.nix index 5715c0c..0d96a2a 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -22,6 +22,8 @@ bridge01 = { site = "hyp01"; + hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5"; + stateVersion = "24.05"; adminGroups = [ "fai" ]; @@ -40,6 +42,8 @@ deployment.tags = [ "web" ]; + hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2"; + stateVersion = "23.05"; vm-cluster = "Hyperviseur NPS"; @@ -49,6 +53,8 @@ compute01 = { site = "pav01"; + hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C"; + stateVersion = "23.05"; nix-modules = [ "services/stirling-pdf" ]; nixpkgs = "24.05"; @@ -58,6 +64,8 @@ site = "oik01"; deployment.tags = [ "geo" ]; + hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8"; + stateVersion = "24.05"; nixpkgs = "24.05"; }; @@ -66,6 +74,8 @@ site = "oik01"; deployment.tags = [ "geo" ]; + hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA"; + stateVersion = "24.05"; nixpkgs = "24.05"; }; @@ -73,12 +83,17 @@ krz01 = { site = "pav01"; + hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/"; + stateVersion = "24.05"; nixpkgs = "unstable"; }; storage01 = { site = "pav01"; + + hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8"; + stateVersion = "23.11"; nixpkgs = "24.05"; @@ -89,6 +104,8 @@ site = "hyp01"; deployment.targetHost = "vault01.hyp01.infra.dgnum.eu"; + hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1"; + stateVersion = "23.11"; nixpkgs = "24.05"; @@ -98,6 +115,8 @@ web02 = { site = "rat01"; + hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5"; + stateVersion = "24.05"; nixpkgs = "24.05"; vm-cluster = "Hyperviseur NPS"; @@ -108,6 +127,8 @@ deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu"; + hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC"; + stateVersion = "23.11"; vm-cluster = "Hyperviseur Luj"; }; diff --git a/meta/options.nix b/meta/options.nix index cf7476b..e8f4e6a 100644 --- a/meta/options.nix +++ b/meta/options.nix @@ -139,6 +139,13 @@ in ''; }; + hashedPassword = mkOption { + type = str; + description = '' + The hashed password for the root account. + ''; + }; + admins = mkOption { type = listOf str; default = [ ]; diff --git a/modules/dgn-access-control.nix b/modules/dgn-access-control.nix index df618f2..9e6db4a 100644 --- a/modules/dgn-access-control.nix +++ b/modules/dgn-access-control.nix @@ -45,6 +45,7 @@ let mkDefault mkEnableOption mkIf + mkMerge mkOption types @@ -79,12 +80,22 @@ in }; }; - config = mkIf cfg.enable { - # Admins have root access to the node - dgn-access-control.users.root = mkDefault admins; + config = mkIf cfg.enable (mkMerge [ + { + # Admins have root access to the node + dgn-access-control.users.root = mkDefault admins; - users.users = builtins.mapAttrs (_: members: { - openssh.authorizedKeys.keys = dgn-keys.getKeys members; - }) cfg.users; - }; + users.users = builtins.mapAttrs (_: members: { + openssh.authorizedKeys.keys = dgn-keys.getKeys members; + }) cfg.users; + } + { + users = { + mutableUsers = false; + users.root = { + inherit (nodeMeta) hashedPassword; + }; + }; + } + ]); }