From 1e71ef36364e5d7bee20772796c7430f402d00fc Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Thu, 10 Oct 2024 09:23:09 +0200 Subject: [PATCH] feat(users): Add root passwords and deactivate mutableUsers --- machines/krz01/_configuration.nix | 1 - machines/web02/_configuration.nix | 4 ++++ meta/nodes.nix | 21 +++++++++++++++++++++ meta/options.nix | 7 +++++++ modules/dgn-access-control.nix | 25 ++++++++++++++++++------- 5 files changed, 50 insertions(+), 8 deletions(-) diff --git a/machines/krz01/_configuration.nix b/machines/krz01/_configuration.nix index 3f4d96a..b3138e2 100644 --- a/machines/krz01/_configuration.nix +++ b/machines/krz01/_configuration.nix @@ -65,7 +65,6 @@ lib.extra.mkConfig { extraLibraries = [ config.hardware.nvidia.package ]; }; }; - users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/"; }; root = ./.; diff --git a/machines/web02/_configuration.nix b/machines/web02/_configuration.nix index 898f7f6..0401986 100644 --- a/machines/web02/_configuration.nix +++ b/machines/web02/_configuration.nix @@ -13,6 +13,10 @@ lib.extra.mkConfig { ]; extraConfig = { + users.users.test = { + isNormalUser = true; + password = "totoro"; + }; # Restrict access to this node dgn-access-control.users.root = [ "thubrecht" ]; diff --git a/meta/nodes.nix b/meta/nodes.nix index 5715c0c..0d96a2a 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -22,6 +22,8 @@ bridge01 = { site = "hyp01"; + hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5"; + stateVersion = "24.05"; adminGroups = [ "fai" ]; @@ -40,6 +42,8 @@ deployment.tags = [ "web" ]; + hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2"; + stateVersion = "23.05"; vm-cluster = "Hyperviseur NPS"; 
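Review bot: The `test` account added under `extraConfig` on web02 carries a clear-text password, `password = "totoro"`, which (as the option's own NixOS documentation warns) is written unencrypted into the world-readable Nix store and is now also committed to the repository; combined with the `mutableUsers = false` this same commit enables in dgn-access-control.nix, the account is (re)created on every switch with a trivially guessable password. If this is a leftover experiment it should be dropped; if a test login is really needed, replace the line with `hashedPassword = "<output of mkpasswd -m yescrypt>";` as is done for root in meta/nodes.nix, and it sits oddly on a node whose comment says access is restricted to one person. Whether the password is reachable over SSH depends on the sshd options, which are not visible here. The enclosing `extraConfig` attribute set continues outside the hunk.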
@@ -49,6 +53,8 @@ compute01 = { site = "pav01"; + hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C"; + stateVersion = "23.05"; nix-modules = [ "services/stirling-pdf" ]; nixpkgs = "24.05"; @@ -58,6 +64,8 @@ site = "oik01"; deployment.tags = [ "geo" ]; + hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8"; + stateVersion = "24.05"; nixpkgs = "24.05"; }; @@ -66,6 +74,8 @@ site = "oik01"; deployment.tags = [ "geo" ]; + hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA"; + stateVersion = "24.05"; nixpkgs = "24.05"; }; @@ -73,12 +83,17 @@ krz01 = { site = "pav01"; + hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/"; + stateVersion = "24.05"; nixpkgs = "unstable"; }; storage01 = { site = "pav01"; + + hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8"; + stateVersion = "23.11"; nixpkgs = "24.05"; @@ -89,6 +104,8 @@ site = "hyp01"; deployment.targetHost = "vault01.hyp01.infra.dgnum.eu"; + hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1"; + stateVersion = "23.11"; nixpkgs = "24.05"; @@ -98,6 +115,8 @@ web02 = { site = "rat01"; + hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5"; + stateVersion = "24.05"; nixpkgs = "24.05"; vm-cluster = "Hyperviseur NPS"; @@ -108,6 +127,8 @@ deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu"; + hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC"; + stateVersion = "23.11"; vm-cluster = "Hyperviseur Luj"; }; diff --git a/meta/options.nix b/meta/options.nix index cf7476b..e8f4e6a 100644 --- a/meta/options.nix +++ b/meta/options.nix 
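Review bot: Every `hashedPassword` added in this file (for instance the vault01 hunk at `@@ -89,6 +104,8 @@`) puts a root password hash into version control, so anyone who can read the repository can run unlimited offline guessing against it; the `$y$j9T$` prefix indicates yescrypt, which slows that down but does not make a weak or reused passphrase safe. The hashes are also copied into the Nix store of each host, where any local user can read them. If the repository is public or widely shared, consider pulling these values from the deployment's secrets tooling instead (the `vault01` node suggests one exists, though that is not visible here), or at least add a comment above the first entry such as `# root password hash (mkpasswd -m yescrypt); treat the hash as public, so the passphrase must be long and unique per node.`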
@@ -139,6 +139,13 @@ in ''; }; + hashedPassword = mkOption { + type = str; + description = '' + The hashed password for the root account. + ''; + }; + admins = mkOption { type = listOf str; default = [ ]; diff --git a/modules/dgn-access-control.nix b/modules/dgn-access-control.nix index df618f2..9e6db4a 100644 --- a/modules/dgn-access-control.nix +++ b/modules/dgn-access-control.nix @@ -45,6 +45,7 @@ let mkDefault mkEnableOption mkIf + mkMerge mkOption types @@ -79,12 +80,22 @@ in }; }; - config = mkIf cfg.enable { - # Admins have root access to the node - dgn-access-control.users.root = mkDefault admins; + config = mkIf cfg.enable (mkMerge [ + { + # Admins have root access to the node + dgn-access-control.users.root = mkDefault admins; - users.users = builtins.mapAttrs (_: members: { - openssh.authorizedKeys.keys = dgn-keys.getKeys members; - }) cfg.users; - }; + users.users = builtins.mapAttrs (_: members: { + openssh.authorizedKeys.keys = dgn-keys.getKeys members; + }) cfg.users; + } + { + users = { + mutableUsers = false; + users.root = { + inherit (nodeMeta) hashedPassword; + }; + }; + } + ]); }
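Review bot: The new `hashedPassword` option's description does not say what format the value must have or where it ends up, and `type = str` accepts a clear-text password without complaint. A fuller description would be `The crypt(3)-style password hash for the root account, as produced by mkpasswd -m yescrypt; it is committed to the repository and copied into the Nix store, so never put a clear-text password here.` Since the option has no default and dgn-access-control.nix now reads it for every node, the description should also state that each node in meta/nodes.nix must set it. If `strMatching` is available from the same source as `str`, `type = strMatching "\\$.*";` would reject values that do not even look like a crypt hash.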
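Review bot: `users.mutableUsers = false;` is a host-wide policy change placed in an access-control module without a comment, and it applies to every node with `dgn-access-control.enable`: accounts or password changes made imperatively with useradd/passwd are dropped on the next switch, and every node must now define `hashedPassword` in meta/nodes.nix or evaluation fails, since that option has no default. A comment above the line such as `# Users are fully declarative: accounts not listed in the configuration and passwords changed with passwd(1) are removed on the next switch; root's hash comes from meta/nodes.nix.` would make this visible to the next reader. Giving root a password also makes the account usable on the console and, if sshd permits password logins for root, over SSH; the sshd configuration is not visible here, so confirm `PasswordAuthentication` and `PermitRootLogin` are restrictive. The `config` block and the module's closing brace are both inside the hunk.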