forked from DGNum/infrastructure
feat(users): Add root passwords and deactivate mutableUsers
parent
7bdc70632c
commit
1e71ef3636
5 changed files with 50 additions and 8 deletions
|
@ -65,7 +65,6 @@ lib.extra.mkConfig {
|
||||||
extraLibraries = [ config.hardware.nvidia.package ];
|
extraLibraries = [ config.hardware.nvidia.package ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
root = ./.;
|
root = ./.;
|
||||||
|
|
|
@ -13,6 +13,10 @@ lib.extra.mkConfig {
|
||||||
];
|
];
|
||||||
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
|
users.users.test = {
|
||||||
|
isNormalUser = true;
|
||||||
|
password = "totoro";
|
||||||
|
};
|
||||||
# Restrict access to this node
|
# Restrict access to this node
|
||||||
dgn-access-control.users.root = [ "thubrecht" ];
|
dgn-access-control.users.root = [ "thubrecht" ];
|
||||||
|
|
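Review bot: The added `users.users.test` block sets a literal `password`, so a short dictionary-word credential is committed in plaintext and, once deployed, copied into the world-readable Nix store on the node. It sits directly above `# Restrict access to this node`, which it undercuts: any service on the host that accepts password logins would accept this account. If the account only served a temporary test it should be dropped from the commit; otherwise replace the line with `hashedPasswordFile = <PATH_TO_DEPLOYED_SECRET>;` (placeholder) or remove the password and rely on SSH keys. The enclosing `extraConfig` block continues outside the hunk.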
||||||
|
|
|
@ -22,6 +22,8 @@
|
||||||
bridge01 = {
|
bridge01 = {
|
||||||
site = "hyp01";
|
site = "hyp01";
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5";
|
||||||
|
|
||||||
stateVersion = "24.05";
|
stateVersion = "24.05";
|
||||||
|
|
||||||
adminGroups = [ "fai" ];
|
adminGroups = [ "fai" ];
|
||||||
|
@ -40,6 +42,8 @@
|
||||||
|
|
||||||
deployment.tags = [ "web" ];
|
deployment.tags = [ "web" ];
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
|
||||||
|
|
||||||
stateVersion = "23.05";
|
stateVersion = "23.05";
|
||||||
vm-cluster = "Hyperviseur NPS";
|
vm-cluster = "Hyperviseur NPS";
|
||||||
|
|
||||||
|
@ -49,6 +53,8 @@
|
||||||
compute01 = {
|
compute01 = {
|
||||||
site = "pav01";
|
site = "pav01";
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C";
|
||||||
|
|
||||||
stateVersion = "23.05";
|
stateVersion = "23.05";
|
||||||
nix-modules = [ "services/stirling-pdf" ];
|
nix-modules = [ "services/stirling-pdf" ];
|
||||||
nixpkgs = "24.05";
|
nixpkgs = "24.05";
|
||||||
|
@ -58,6 +64,8 @@
|
||||||
site = "oik01";
|
site = "oik01";
|
||||||
deployment.tags = [ "geo" ];
|
deployment.tags = [ "geo" ];
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
|
||||||
|
|
||||||
stateVersion = "24.05";
|
stateVersion = "24.05";
|
||||||
nixpkgs = "24.05";
|
nixpkgs = "24.05";
|
||||||
};
|
};
|
||||||
|
@ -66,6 +74,8 @@
|
||||||
site = "oik01";
|
site = "oik01";
|
||||||
deployment.tags = [ "geo" ];
|
deployment.tags = [ "geo" ];
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
|
||||||
|
|
||||||
stateVersion = "24.05";
|
stateVersion = "24.05";
|
||||||
nixpkgs = "24.05";
|
nixpkgs = "24.05";
|
||||||
};
|
};
|
||||||
|
@ -73,12 +83,17 @@
|
||||||
krz01 = {
|
krz01 = {
|
||||||
site = "pav01";
|
site = "pav01";
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
|
||||||
|
|
||||||
stateVersion = "24.05";
|
stateVersion = "24.05";
|
||||||
nixpkgs = "unstable";
|
nixpkgs = "unstable";
|
||||||
};
|
};
|
||||||
|
|
||||||
storage01 = {
|
storage01 = {
|
||||||
site = "pav01";
|
site = "pav01";
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
|
||||||
|
|
||||||
stateVersion = "23.11";
|
stateVersion = "23.11";
|
||||||
nixpkgs = "24.05";
|
nixpkgs = "24.05";
|
||||||
|
|
||||||
|
@ -89,6 +104,8 @@
|
||||||
site = "hyp01";
|
site = "hyp01";
|
||||||
deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
|
deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
|
||||||
|
|
||||||
stateVersion = "23.11";
|
stateVersion = "23.11";
|
||||||
nixpkgs = "24.05";
|
nixpkgs = "24.05";
|
||||||
|
|
||||||
|
@ -98,6 +115,8 @@
|
||||||
web02 = {
|
web02 = {
|
||||||
site = "rat01";
|
site = "rat01";
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
|
||||||
|
|
||||||
stateVersion = "24.05";
|
stateVersion = "24.05";
|
||||||
nixpkgs = "24.05";
|
nixpkgs = "24.05";
|
||||||
vm-cluster = "Hyperviseur NPS";
|
vm-cluster = "Hyperviseur NPS";
|
||||||
|
@ -108,6 +127,8 @@
|
||||||
|
|
||||||
deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
|
deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
|
||||||
|
|
||||||
|
hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
|
||||||
|
|
||||||
stateVersion = "23.11";
|
stateVersion = "23.11";
|
||||||
vm-cluster = "Hyperviseur Luj";
|
vm-cluster = "Hyperviseur Luj";
|
||||||
};
|
};
|
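Review bot: The `hashedPassword` values added in every hunk of this file put each node's root password hash into version control, and from there into the evaluated configuration and the world-readable Nix store. Anyone who can read the repository or the store can attack the hashes offline; yescrypt raises the cost but does not protect a weak or reused password. Consider keeping the hashes out of the node metadata and setting `users.users.root.hashedPasswordFile` to a secret deployed per node. If they stay here, a comment such as `# yescrypt hash of a long random password; rotate when an admin leaves` would record the assumption. The krz01 value is identical to the one removed from the first file in this commit, so that password is moved rather than rotated.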
||||||
|
|
|
@ -139,6 +139,13 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
hashedPassword = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = ''
|
||||||
|
The hashed password for the root account.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
admins = mkOption {
|
admins = mkOption {
|
||||||
type = listOf str;
|
type = listOf str;
|
||||||
default = [ ];
|
default = [ ];
|
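Review bot: The new `hashedPassword` option is declared as `str` with no default, so a node without the attribute fails evaluation, and any string passes the type check, including an empty value or a plaintext password pasted by mistake. The description should state the expected format and the exposure, for example `The hashed password for the root account, in crypt(3) format as produced by mkpasswd. The value ends up in the world-readable Nix store.` A stricter type or an assertion on the `$y$` prefix used by the values in this commit would catch malformed entries at evaluation time.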
||||||
|
|
|
@ -45,6 +45,7 @@ let
|
||||||
mkDefault
|
mkDefault
|
||||||
mkEnableOption
|
mkEnableOption
|
||||||
mkIf
|
mkIf
|
||||||
|
mkMerge
|
||||||
mkOption
|
mkOption
|
||||||
|
|
||||||
types
|
types
|
||||||
|
@ -79,12 +80,22 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable (mkMerge [
|
||||||
# Admins have root access to the node
|
{
|
||||||
dgn-access-control.users.root = mkDefault admins;
|
# Admins have root access to the node
|
||||||
|
dgn-access-control.users.root = mkDefault admins;
|
||||||
|
|
||||||
users.users = builtins.mapAttrs (_: members: {
|
users.users = builtins.mapAttrs (_: members: {
|
||||||
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
|
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
|
||||||
}) cfg.users;
|
}) cfg.users;
|
||||||
};
|
}
|
||||||
|
{
|
||||||
|
users = {
|
||||||
|
mutableUsers = false;
|
||||||
|
users.root = {
|
||||||
|
inherit (nodeMeta) hashedPassword;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
]);
|
||||||
}
|
}
|
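Review bot: `mutableUsers = false` in the second `mkMerge` element applies to every node that enables this module, and on activation accounts are reset to what is declared: passwords set with `passwd` are discarded and imperatively created users or groups are removed. The block deserves a comment saying so, e.g. `# Accounts are fully declarative; root's password comes from the node metadata`, and a check that no node depends on a manually created account. Giving root a password also makes password authentication possible wherever a service permits it, so confirm that `services.openssh.settings.PasswordAuthentication = false`, or a `PermitRootLogin` value that excludes passwords, is set elsewhere; that is not visible in this hunk. `nodeMeta` is defined outside the hunk.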
||||||
|
|