feat(users): Add root passwords and deactivate mutableUsers

machines/krz01/_configuration.nix

@@ -65,7 +65,6 @@ lib.extra.mkConfig {
         extraLibraries = [ config.hardware.nvidia.package ];
       };
     };
-    users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
   };
 
   root = ./.;

machines/web02/_configuration.nix

@@ -13,6 +13,10 @@ lib.extra.mkConfig {
   ];
 
   extraConfig = {
+    users.users.test = {
+      isNormalUser = true;
+      password = "totoro";
+    };
     # Restrict access to this node
     dgn-access-control.users.root = [ "thubrecht" ];
 

meta/nodes.nix

@@ -22,6 +22,8 @@
   bridge01 = {
     site = "hyp01";
 
+    hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5";
+
     stateVersion = "24.05";
 
     adminGroups = [ "fai" ];
@@ -40,6 +42,8 @@
 
     deployment.tags = [ "web" ];
 
+    hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
+
     stateVersion = "23.05";
     vm-cluster = "Hyperviseur NPS";
 
@@ -49,6 +53,8 @@
   compute01 = {
     site = "pav01";
 
+    hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C";
+
     stateVersion = "23.05";
     nix-modules = [ "services/stirling-pdf" ];
     nixpkgs = "24.05";
@@ -58,6 +64,8 @@
     site = "oik01";
     deployment.tags = [ "geo" ];
 
+    hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
+
     stateVersion = "24.05";
     nixpkgs = "24.05";
   };
@@ -66,6 +74,8 @@
     site = "oik01";
     deployment.tags = [ "geo" ];
 
+    hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
+
     stateVersion = "24.05";
     nixpkgs = "24.05";
   };
@@ -73,12 +83,17 @@
   krz01 = {
     site = "pav01";
 
+    hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
+
     stateVersion = "24.05";
     nixpkgs = "unstable";
   };
 
   storage01 = {
     site = "pav01";
+
+    hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
+
     stateVersion = "23.11";
     nixpkgs = "24.05";
 
@@ -89,6 +104,8 @@
     site = "hyp01";
     deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
 
+    hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
+
     stateVersion = "23.11";
     nixpkgs = "24.05";
 
@@ -98,6 +115,8 @@
   web02 = {
     site = "rat01";
 
+    hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
+
     stateVersion = "24.05";
     nixpkgs = "24.05";
     vm-cluster = "Hyperviseur NPS";
@@ -108,6 +127,8 @@
 
     deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
 
+    hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
+
     stateVersion = "23.11";
     vm-cluster = "Hyperviseur Luj";
   };

meta/options.nix

@@ -139,6 +139,13 @@ in
                 '';
               };
 
+              hashedPassword = mkOption {
+                type = str;
+                description = ''
+                  The hashed password for the root account.
+                '';
+              };
+
               admins = mkOption {
                 type = listOf str;
                 default = [ ];

modules/dgn-access-control.nix

@@ -45,6 +45,7 @@ let
     mkDefault
     mkEnableOption
     mkIf
+    mkMerge
     mkOption
 
     types
@@ -79,12 +80,22 @@ in
     };
   };
 
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (mkMerge [
+    {
       # Admins have root access to the node
       dgn-access-control.users.root = mkDefault admins;
 
       users.users = builtins.mapAttrs (_: members: {
         openssh.authorizedKeys.keys = dgn-keys.getKeys members;
       }) cfg.users;
+    }
+    {
+      users = {
+        mutableUsers = false;
+        users.root = {
+          inherit (nodeMeta) hashedPassword;
         };
+      };
+    }
+  ]);
 }