forked from DGNum/infrastructure
feat(users): Add root passwords and deactivate mutableUsers
This commit is contained in:
parent
7bdc70632c
commit
1e71ef3636
SSH key fingerprint:
SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
5 changed files with 50 additions and 8 deletions
|
|
@ -65,7 +65,6 @@ lib.extra.mkConfig {
|
|||
extraLibraries = [ config.hardware.nvidia.package ];
|
||||
};
|
||||
};
|
||||
users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
|
||||
};
|
||||
|
||||
root = ./.;
|
||||
|
|
|
|||
|
|
@ -13,6 +13,10 @@ lib.extra.mkConfig {
|
|||
];
|
||||
|
||||
extraConfig = {
|
||||
users.users.test = {
|
||||
isNormalUser = true;
|
||||
password = "totoro";
|
||||
};
|
||||
# Restrict access to this node
|
||||
dgn-access-control.users.root = [ "thubrecht" ];
|
||||
|
||||
|
|
|
|||
|
|
@ -22,6 +22,8 @@
|
|||
bridge01 = {
|
||||
site = "hyp01";
|
||||
|
||||
hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5";
|
||||
|
||||
stateVersion = "24.05";
|
||||
|
||||
adminGroups = [ "fai" ];
|
||||
|
|
@ -40,6 +42,8 @@
|
|||
|
||||
deployment.tags = [ "web" ];
|
||||
|
||||
hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
|
||||
|
||||
stateVersion = "23.05";
|
||||
vm-cluster = "Hyperviseur NPS";
|
||||
|
||||
|
|
@ -49,6 +53,8 @@
|
|||
compute01 = {
|
||||
site = "pav01";
|
||||
|
||||
hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C";
|
||||
|
||||
stateVersion = "23.05";
|
||||
nix-modules = [ "services/stirling-pdf" ];
|
||||
nixpkgs = "24.05";
|
||||
|
|
@ -58,6 +64,8 @@
|
|||
site = "oik01";
|
||||
deployment.tags = [ "geo" ];
|
||||
|
||||
hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "24.05";
|
||||
};
|
||||
|
|
@ -66,6 +74,8 @@
|
|||
site = "oik01";
|
||||
deployment.tags = [ "geo" ];
|
||||
|
||||
hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "24.05";
|
||||
};
|
||||
|
|
@ -73,12 +83,17 @@
|
|||
krz01 = {
|
||||
site = "pav01";
|
||||
|
||||
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "unstable";
|
||||
};
|
||||
|
||||
storage01 = {
|
||||
site = "pav01";
|
||||
|
||||
hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
|
||||
|
||||
stateVersion = "23.11";
|
||||
nixpkgs = "24.05";
|
||||
|
||||
|
|
@ -89,6 +104,8 @@
|
|||
site = "hyp01";
|
||||
deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
|
||||
|
||||
hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
|
||||
|
||||
stateVersion = "23.11";
|
||||
nixpkgs = "24.05";
|
||||
|
||||
|
|
@ -98,6 +115,8 @@
|
|||
web02 = {
|
||||
site = "rat01";
|
||||
|
||||
hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "24.05";
|
||||
vm-cluster = "Hyperviseur NPS";
|
||||
|
|
@ -108,6 +127,8 @@
|
|||
|
||||
deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
|
||||
|
||||
hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
|
||||
|
||||
stateVersion = "23.11";
|
||||
vm-cluster = "Hyperviseur Luj";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -139,6 +139,13 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
hashedPassword = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
The hashed password for the root account.
|
||||
'';
|
||||
};
|
||||
|
||||
admins = mkOption {
|
||||
type = listOf str;
|
||||
default = [ ];
|
||||
|
|
|
|||
|
|
@ -45,6 +45,7 @@ let
|
|||
mkDefault
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkMerge
|
||||
mkOption
|
||||
|
||||
types
|
||||
|
|
@ -79,12 +80,22 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# Admins have root access to the node
|
||||
dgn-access-control.users.root = mkDefault admins;
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
{
|
||||
# Admins have root access to the node
|
||||
dgn-access-control.users.root = mkDefault admins;
|
||||
|
||||
users.users = builtins.mapAttrs (_: members: {
|
||||
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
|
||||
}) cfg.users;
|
||||
};
|
||||
users.users = builtins.mapAttrs (_: members: {
|
||||
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
|
||||
}) cfg.users;
|
||||
}
|
||||
{
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users.root = {
|
||||
inherit (nodeMeta) hashedPassword;
|
||||
};
|
||||
};
|
||||
}
|
||||
]);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue