From dd5ce78dbdf88bcdafc46c7e77fc58b1973ba617 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Thu, 17 Feb 2022 12:16:09 +0300
Subject: [PATCH] refactor(ops/modules): Move user configuration into module

Rather than defining all system users inline on whitby, move them into a module that can be imported on multiple machines.

Configuration for terminfos that we've added follows along.

Note that while doing this I've disabled logins for riking and isomer since they are currently inactive in TVL.

Change-Id: Id18031d355afc34079c5e6e49dc6943e61809a8f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5298
Tested-by: BuildkiteCI
Reviewed-by: sterni
Autosubmit: tazjin
---
 ops/machines/whitby/default.nix | 81 +---------------------------
 ops/modules/tvl-users.nix | 94 +++++++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+), 80 deletions(-)
 create mode 100644 ops/modules/tvl-users.nix

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 1965a661f..e9ec50da1 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -24,6 +24,7 @@ in
 "${depot.path}/ops/modules/sourcegraph.nix"
 "${depot.path}/ops/modules/tvl-buildkite.nix"
 "${depot.path}/ops/modules/tvl-slapd/default.nix"
+ "${depot.path}/ops/modules/tvl-users.nix"
 "${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
 "${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
 "${depot.path}/ops/modules/www/b.tvl.fyi.nix"
@@ -456,24 +457,19 @@ in
 services.fail2ban.enable = true;
 
 environment.systemPackages = (with pkgs; [
- alacritty.terminfo
 bat
 bb
 curl
 direnv
 emacs-nox
 fd
- foot.terminfo
 git
 htop
 hyperfine
 jq
- # TODO(sterni): re-enable when the kitty build is fixed upstreams
- # kitty.terminfo
 nano
 nvd
 ripgrep
- rxvt_unicode.terminfo
 tree
 unzip
 vim
@@ -645,81 +641,6 @@ in
 ];
 
 users = {
- users.tazjin = {
- isNormalUser = true;
- extraGroups = [ "git" "wheel" ];
- shell = pkgs.fish;
- openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
- };
-
- users.lukegb = {
- isNormalUser = true;
- extraGroups = [ "git" "wheel" ];
- openssh.authorizedKeys.keys = depot.users.lukegb.keys.all;
- };
-
- users.grfn = {
- isNormalUser = true;
- extraGroups = [ "git" "wheel" ];
- openssh.authorizedKeys.keys = [
- depot.users.grfn.keys.whitby
- ];
- };
-
- users.isomer = {
- isNormalUser = true;
- extraGroups = [ "git" ];
- openssh.authorizedKeys.keys = depot.users.isomer.keys.all;
- };
-
- users.riking = {
- isNormalUser = true;
- extraGroups = [ "git" ];
- openssh.authorizedKeys.keys = depot.users.riking.keys.u2f ++ depot.users.riking.keys.passworded;
- };
-
- users.edef = {
- isNormalUser = true;
- extraGroups = [ "git" ];
- openssh.authorizedKeys.keys = depot.users.edef.keys.all;
- };
-
- users.qyliss = {
- isNormalUser = true;
- extraGroups = [ "git" ];
- openssh.authorizedKeys.keys = depot.users.qyliss.keys.all;
- };
-
- users.eta = {
- isNormalUser = true;
- extraGroups = [ "git" ];
- openssh.authorizedKeys.keys = depot.users.eta.keys.whitby;
- };
-
- users.cynthia = {
- isNormalUser = true; # I'm normal OwO :3
- extraGroups = [ "git" ];
- openssh.authorizedKeys.keys = depot.users.cynthia.keys.all;
- };
-
- users.firefly = {
- isNormalUser = true;
- extraGroups = [ "git" ];
- openssh.authorizedKeys.keys = depot.users.firefly.keys.whitby;
- };
-
- users.sterni = {
- isNormalUser = true;
- extraGroups = [ "git" "wheel" ];
- openssh.authorizedKeys.keys = depot.users.sterni.keys.all;
- };
-
- users.flokli = {
- isNormalUser = true;
- extraGroups = [ "git" ];
- openssh.authorizedKeys.keys = depot.users.flokli.keys.all;
- };
-
 # Set up a user & group for git shenanigans
 groups.git = { };
 users.git = {
diff --git a/ops/modules/tvl-users.nix b/ops/modules/tvl-users.nix
new file mode 100644
index 000000000..a4b4a1151
--- /dev/null
+++ b/ops/modules/tvl-users.nix
@@ -0,0 +1,94 @@
+# Standard NixOS users for TVL machines, as well as configuration that
+# should following along when they are added to a machine.
+{ depot, pkgs, ... }:
+
+{
+ users = {
+ users.tazjin = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
+ };
+
+ users.lukegb = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ openssh.authorizedKeys.keys = depot.users.lukegb.keys.all;
+ };
+
+ users.grfn = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ openssh.authorizedKeys.keys = [
+ depot.users.grfn.keys.whitby
+ ];
+ };
+
+ users.edef = {
+ isNormalUser = true;
+ extraGroups = [ "git" ];
+ openssh.authorizedKeys.keys = depot.users.edef.keys.all;
+ };
+
+ users.qyliss = {
+ isNormalUser = true;
+ extraGroups = [ "git" ];
+ openssh.authorizedKeys.keys = depot.users.qyliss.keys.all;
+ };
+
+ users.eta = {
+ isNormalUser = true;
+ extraGroups = [ "git" ];
+ openssh.authorizedKeys.keys = depot.users.eta.keys.whitby;
+ };
+
+ users.cynthia = {
+ isNormalUser = true; # I'm normal OwO :3
+ extraGroups = [ "git" ];
+ openssh.authorizedKeys.keys = depot.users.cynthia.keys.all;
+ };
+
+ users.firefly = {
+ isNormalUser = true;
+ extraGroups = [ "git" ];
+ openssh.authorizedKeys.keys = depot.users.firefly.keys.whitby;
+ };
+
+ users.sterni = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ openssh.authorizedKeys.keys = depot.users.sterni.keys.all;
+ };
+
+ users.flokli = {
+ isNormalUser = true;
+ extraGroups = [ "git" ];
+ openssh.authorizedKeys.keys = depot.users.flokli.keys.all;
+ };
+
+ # Temporarily disabled (inactive) users.
+ users.isomer = {
+ isNormalUser = true;
+ extraGroups = [ "git" ];
+ shell = "${pkgs.nologin}/bin/nologin";
+ openssh.authorizedKeys.keys = depot.users.isomer.keys.all;
+ };
+
+ users.riking = {
+ isNormalUser = true;
+ extraGroups = [ "git" ];
+ shell = "${pkgs.nologin}/bin/nologin";
+ openssh.authorizedKeys.keys = depot.users.riking.keys.u2f ++ depot.users.riking.keys.passworded;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ alacritty.terminfo
+ foot.terminfo
+ rxvt_unicode.terminfo
+
+ # TODO(sterni): re-enable when the kitty build is fixed upstreams
+ # kitty.terminfo
+ ];
+}
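Review bot: `shell = "${pkgs.nologin}/bin/nologin"` on isomer and riking does not revoke their SSH access, because their keys are still listed in `openssh.authorizedKeys.keys`: sshd accepts the key and only what is routed through the login shell (interactive sessions, remote commands) fails, while a session-less connection (`ssh -N` with port or agent forwarding) and SFTP via `internal-sftp`, if that is the configured subsystem, never invoke the shell. If the intent stated in the commit message is to disable logins, drop the keys too, `openssh.authorizedKeys.keys = [ ];`, or deny the accounts in sshd with `services.openssh.extraConfig = "DenyUsers isomer riking";` — either keeps the user entries (and their uids/file ownership) while making authentication itself fail. Separately, the module now hands `depot.users.grfn.keys.whitby`, `depot.users.eta.keys.whitby` and `depot.users.firefly.keys.whitby` to every machine that imports it; a key named after one host is presumably scoped to that host, so it may deserve a comment or a per-machine override before a second machine imports the module. Minor: the header comment reads `should following along`; `should follow along`.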