refactor(ops/modules): Move user configuration into module

Rather than defining all system users inline on whitby, move them into
a module that can be imported on multiple machines.

Configuration for terminfos that we've added follows along.

Note that while doing this I've disabled logins for riking and isomer
since they are currently inactive in TVL.

Change-Id: Id18031d355afc34079c5e6e49dc6943e61809a8f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5298
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Vincent Ambo 2022-02-17 12:16:09 +03:00 committed by clbot
parent c72c1efdeb
commit dd5ce78dbd
2 changed files with 95 additions and 80 deletions


@ -24,6 +24,7 @@ in
"${depot.path}/ops/modules/sourcegraph.nix" "${depot.path}/ops/modules/sourcegraph.nix"
"${depot.path}/ops/modules/tvl-buildkite.nix" "${depot.path}/ops/modules/tvl-buildkite.nix"
"${depot.path}/ops/modules/tvl-slapd/default.nix" "${depot.path}/ops/modules/tvl-slapd/default.nix"
"${depot.path}/ops/modules/tvl-users.nix"
"${depot.path}/ops/modules/www/atward.tvl.fyi.nix" "${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
"${depot.path}/ops/modules/www/auth.tvl.fyi.nix" "${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
"${depot.path}/ops/modules/www/b.tvl.fyi.nix" "${depot.path}/ops/modules/www/b.tvl.fyi.nix"
@ -456,24 +457,19 @@ in
services.fail2ban.enable = true; services.fail2ban.enable = true;
environment.systemPackages = (with pkgs; [ environment.systemPackages = (with pkgs; [
alacritty.terminfo
bat bat
bb bb
curl curl
direnv direnv
emacs-nox emacs-nox
fd fd
foot.terminfo
git git
htop htop
hyperfine hyperfine
jq jq
# TODO(sterni): re-enable when the kitty build is fixed upstreams
# kitty.terminfo
nano nano
nvd nvd
ripgrep ripgrep
rxvt_unicode.terminfo
tree tree
unzip unzip
vim vim
@ -645,81 +641,6 @@ in
]; ];
users = { users = {
users.tazjin = {
isNormalUser = true;
extraGroups = [ "git" "wheel" ];
shell = pkgs.fish;
openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
};
users.lukegb = {
isNormalUser = true;
extraGroups = [ "git" "wheel" ];
openssh.authorizedKeys.keys = depot.users.lukegb.keys.all;
};
users.grfn = {
isNormalUser = true;
extraGroups = [ "git" "wheel" ];
openssh.authorizedKeys.keys = [
depot.users.grfn.keys.whitby
];
};
users.isomer = {
isNormalUser = true;
extraGroups = [ "git" ];
openssh.authorizedKeys.keys = depot.users.isomer.keys.all;
};
users.riking = {
isNormalUser = true;
extraGroups = [ "git" ];
openssh.authorizedKeys.keys = depot.users.riking.keys.u2f ++ depot.users.riking.keys.passworded;
};
users.edef = {
isNormalUser = true;
extraGroups = [ "git" ];
openssh.authorizedKeys.keys = depot.users.edef.keys.all;
};
users.qyliss = {
isNormalUser = true;
extraGroups = [ "git" ];
openssh.authorizedKeys.keys = depot.users.qyliss.keys.all;
};
users.eta = {
isNormalUser = true;
extraGroups = [ "git" ];
openssh.authorizedKeys.keys = depot.users.eta.keys.whitby;
};
users.cynthia = {
isNormalUser = true; # I'm normal OwO :3
extraGroups = [ "git" ];
openssh.authorizedKeys.keys = depot.users.cynthia.keys.all;
};
users.firefly = {
isNormalUser = true;
extraGroups = [ "git" ];
openssh.authorizedKeys.keys = depot.users.firefly.keys.whitby;
};
users.sterni = {
isNormalUser = true;
extraGroups = [ "git" "wheel" ];
openssh.authorizedKeys.keys = depot.users.sterni.keys.all;
};
users.flokli = {
isNormalUser = true;
extraGroups = [ "git" ];
openssh.authorizedKeys.keys = depot.users.flokli.keys.all;
};
# Set up a user & group for git shenanigans # Set up a user & group for git shenanigans
groups.git = { }; groups.git = { };
users.git = { users.git = {

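--- a/ops/modules/tvl-users.nix
+++ b/ops/modules/tvl-users.nix
@@ -0,0 +1,94 @@
+# Standard NixOS users for TVL machines, as well as configuration that
+# should following along when they are added to a machine.
+{ depot, pkgs, ... }:
+{
+users = {
+users.tazjin = {
+isNormalUser = true;
+extraGroups = [ "git" "wheel" ];
+shell = pkgs.fish;
+openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
+};
+users.lukegb = {
+isNormalUser = true;
+extraGroups = [ "git" "wheel" ];
+openssh.authorizedKeys.keys = depot.users.lukegb.keys.all;
+};
+users.grfn = {
+isNormalUser = true;
+extraGroups = [ "git" "wheel" ];
+openssh.authorizedKeys.keys = [
+depot.users.grfn.keys.whitby
+];
+};
+users.edef = {
+isNormalUser = true;
+extraGroups = [ "git" ];
+openssh.authorizedKeys.keys = depot.users.edef.keys.all;
+};
+users.qyliss = {
+isNormalUser = true;
+extraGroups = [ "git" ];
+openssh.authorizedKeys.keys = depot.users.qyliss.keys.all;
+};
+users.eta = {
+isNormalUser = true;
+extraGroups = [ "git" ];
+openssh.authorizedKeys.keys = depot.users.eta.keys.whitby;
+};
+users.cynthia = {
+isNormalUser = true; # I'm normal OwO :3
+extraGroups = [ "git" ];
+openssh.authorizedKeys.keys = depot.users.cynthia.keys.all;
+};
+users.firefly = {
+isNormalUser = true;
+extraGroups = [ "git" ];
+openssh.authorizedKeys.keys = depot.users.firefly.keys.whitby;
+};
+users.sterni = {
+isNormalUser = true;
+extraGroups = [ "git" "wheel" ];
+openssh.authorizedKeys.keys = depot.users.sterni.keys.all;
+};
+users.flokli = {
+isNormalUser = true;
+extraGroups = [ "git" ];
+openssh.authorizedKeys.keys = depot.users.flokli.keys.all;
+};
+# Temporarily disabled (inactive) users.
+users.isomer = {
+isNormalUser = true;
+extraGroups = [ "git" ];
+shell = "${pkgs.nologin}/bin/nologin";
+openssh.authorizedKeys.keys = depot.users.isomer.keys.all;
+};
+users.riking = {
+isNormalUser = true;
+extraGroups = [ "git" ];
+shell = "${pkgs.nologin}/bin/nologin";
+openssh.authorizedKeys.keys = depot.users.riking.keys.u2f ++ depot.users.riking.keys.passworded;
+};
+};
+environment.systemPackages = with pkgs; [
+alacritty.terminfo
+foot.terminfo
+rxvt_unicode.terminfo
+# TODO(sterni): re-enable when the kitty build is fixed upstreams
+# kitty.terminfo
+];
+}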
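Review bot: The two accounts under `# Temporarily disabled (inactive) users.` (`users.isomer`, `users.riking`) keep their `openssh.authorizedKeys.keys`, so `shell = "${pkgs.nologin}/bin/nologin";` stops an interactive session but not SSH authentication itself. Depending on the sshd settings of each importing machine, which are not visible here, a session that never starts the login shell (port forwarding, for instance) may still be accepted for these keys, and both users also stay in the `git` group. If the goal is to disable access rather than just the shell, set `openssh.authorizedKeys.keys = [ ];` on both until they are reactivated, and say so in the comment above them. Since this module is meant for several machines, a header comment should also state that `wheel` membership and the `keys.whitby` entries for grfn, eta and firefly now apply on every host that imports it.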