modules/darwin: authorizedKeys updates

This commit is contained in:
zowoq 2024-06-21 09:49:19 +10:00
parent ae0b084795
commit 7c6405c49c
4 changed files with 48 additions and 14 deletions
hosts
modules/darwin
common
community-builder


@ -8,7 +8,6 @@
inputs.self.darwinModules.remote-builder inputs.self.darwinModules.remote-builder
]; ];
# on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder"; nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
nix.settings.sandbox = "relaxed"; nix.settings.sandbox = "relaxed";


@ -8,7 +8,6 @@
inputs.self.darwinModules.remote-builder inputs.self.darwinModules.remote-builder
]; ];
# on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder"; nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
nix.settings.sandbox = "relaxed"; nix.settings.sandbox = "relaxed";


@ -19,7 +19,6 @@ in
]; ];
# TODO: refactor this to share /users with nixos # TODO: refactor this to share /users with nixos
# if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
users.users = { users.users = {
customer.openssh = { inherit authorizedKeys; }; customer.openssh = { inherit authorizedKeys; };
hetzner.openssh = { inherit authorizedKeys; }; hetzner.openssh = { inherit authorizedKeys; };
@ -68,15 +67,12 @@ in
# disable application layer firewall, telegraf needs an incoming connection # disable application layer firewall, telegraf needs an incoming connection
system.defaults.alf.globalstate = 0; system.defaults.alf.globalstate = 0;
# srvos
services.openssh.authorizedKeysFiles = pkgs.lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
# srvos # srvos
environment.etc."ssh/sshd_config.d/darwin.conf".text = '' environment.etc."ssh/sshd_config.d/darwin.conf".text = ''
AuthorizedKeysFile none
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
KbdInteractiveAuthentication no KbdInteractiveAuthentication no
PasswordAuthentication no PasswordAuthentication no
StrictModes no
''; '';
# Make sure to disable netbios on activation # Make sure to disable netbios on activation
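Review bot: `lib.mkForce` on `services.openssh.authorizedKeysFiles` replaces every other definition of that option rather than adding to it, so whatever nix-darwin or another module contributes (presumably the per-user `~/.ssh/authorized_keys`) is discarded; the bare `# srvos` comment should say that this is the intent, e.g. `# srvos: only keys managed by this config are accepted; ~/.ssh/authorized_keys is ignored`. The rendered page has lost the +/- markers, but the hunk counts suggest `AuthorizedKeysFile none` and `StrictModes no` are the removed side, which re-enables sshd's ownership/permission checks on the key files it reads — the safer default, but worth a deploy-time check that `/etc/ssh/authorized_keys.d/<user>` and its parent directories pass StrictModes on a real host, since a failure there rejects key auth with nothing useful shown to the client. The enclosing module attrset begins and ends outside this hunk.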


@ -10,228 +10,272 @@ let
name = "winter"; name = "winter";
trusted = true; trusted = true;
uid = 502; uid = 502;
keys = ./keys/winter;
} }
{ {
name = "stephank"; name = "stephank";
trusted = true; trusted = true;
uid = 503; uid = 503;
keys = ./keys/stephank;
} }
{ {
name = "hexa"; name = "hexa";
trusted = true; trusted = true;
uid = 504; uid = 504;
keys = ./keys/hexa;
} }
{ {
name = "0x4A6F"; name = "0x4A6F";
trusted = true; trusted = true;
uid = 505; uid = 505;
keys = ./keys/0x4A6F;
} }
{ {
name = "artturin"; name = "artturin";
trusted = true; trusted = true;
uid = 506; uid = 506;
keys = ./keys/artturin;
} }
{ {
name = "figsoda"; name = "figsoda";
trusted = true; trusted = true;
uid = 507; uid = 507;
keys = ./keys/figsoda;
} }
{ {
name = "raitobezarius"; name = "raitobezarius";
trusted = true; trusted = true;
uid = 508; uid = 508;
keys = ./keys/raitobezarius;
} }
{ {
name = "k900"; name = "k900";
trusted = true; trusted = true;
uid = 509; uid = 509;
keys = ./keys/k900;
} }
{ {
name = "julienmalka"; name = "julienmalka";
trusted = true; trusted = true;
uid = 510; uid = 510;
keys = ./keys/julienmalka;
} }
{ {
name = "dotlambda"; name = "dotlambda";
trusted = true; trusted = true;
uid = 511; uid = 511;
keys = ./keys/dotlambda;
} }
{ {
name = "lily"; name = "lily";
trusted = true; trusted = true;
uid = 512; uid = 512;
keys = ./keys/lily;
} }
{ {
name = "ma27"; name = "ma27";
trusted = true; trusted = true;
uid = 513; uid = 513;
keys = ./keys/ma27;
} }
{ {
name = "fab"; name = "fab";
trusted = true; trusted = true;
uid = 514; uid = 514;
keys = ./keys/fab;
} }
{ {
name = "phaer"; name = "phaer";
trusted = true; trusted = true;
uid = 515; uid = 515;
keys = ./keys/phaer;
} }
{ {
name = "emilylange"; name = "emilylange";
trusted = true; trusted = true;
uid = 516; uid = 516;
keys = ./keys/emilylange;
} }
{ {
name = "emilytrau"; name = "emilytrau";
trusted = true; trusted = true;
uid = 517; uid = 517;
keys = ./keys/emilytrau;
} }
{ {
name = "janik"; name = "janik";
trusted = true; trusted = true;
uid = 518; uid = 518;
keys = ./keys/janik;
} }
{ {
name = "delroth"; name = "delroth";
trusted = true; trusted = true;
uid = 519; uid = 519;
keys = ./keys/delroth;
} }
{ {
name = "toonn"; name = "toonn";
trusted = true; trusted = true;
uid = 520; uid = 520;
keys = ./keys/toonn;
} }
{ {
name = "glepage"; name = "glepage";
trusted = true; trusted = true;
uid = 521; uid = 521;
keys = ./keys/glepage;
} }
{ {
name = "anthonyroussel"; name = "anthonyroussel";
trusted = true; trusted = true;
uid = 522; uid = 522;
keys = ./keys/anthonyroussel;
} }
{ {
name = "sgo"; name = "sgo";
trusted = true; trusted = true;
uid = 523; uid = 523;
keys = ./keys/sgo;
} }
{ {
name = "chayleaf"; name = "chayleaf";
trusted = true; trusted = true;
uid = 524; uid = 524;
keys = ./keys/chayleaf;
} }
{ {
# https://github.com/lf- # https://github.com/lf-
name = "jade"; name = "jade";
trusted = true; trusted = true;
uid = 525; uid = 525;
keys = ./keys/jade;
} }
{ {
name = "kranzes"; name = "kranzes";
trusted = true; trusted = true;
uid = 526; uid = 526;
keys = ./keys/kranzes;
} }
{ {
name = "sternenseemann"; name = "sternenseemann";
trusted = true; trusted = true;
uid = 527; uid = 527;
keys = ./keys/sternenseemann;
} }
{ {
name = "jtojnar"; name = "jtojnar";
trusted = true; trusted = true;
uid = 528; uid = 528;
keys = ./keys/jtojnar;
} }
{ {
name = "corngood"; name = "corngood";
trusted = true; trusted = true;
uid = 529; uid = 529;
keys = ./keys/corngood;
} }
{ {
name = "teto"; name = "teto";
trusted = true; trusted = true;
uid = 530; uid = 530;
keys = ./keys/teto;
} }
{ {
name = "matthewcroughan"; name = "matthewcroughan";
trusted = true; trusted = true;
uid = 531; uid = 531;
keys = ./keys/matthewcroughan;
} }
{ {
name = "pennae"; name = "pennae";
trusted = true; trusted = true;
uid = 532; uid = 532;
keys = ./keys/pennae;
} }
{ {
name = "jopejoe1"; name = "jopejoe1";
trusted = true; trusted = true;
uid = 533; uid = 533;
keys = ./keys/jopejoe1;
} }
{ {
name = "puckipedia"; name = "puckipedia";
trusted = true; trusted = true;
uid = 534; uid = 534;
keys = ./keys/puckipedia;
} }
{ {
name = "kenji"; name = "kenji";
trusted = true; trusted = true;
uid = 535; uid = 535;
keys = ./keys/kenji;
} }
{ {
name = "pinpox"; name = "pinpox";
trusted = true; trusted = true;
uid = 536; uid = 536;
keys = ./keys/pinpox;
} }
{ {
# https://github.com/n0emis # https://github.com/n0emis
name = "ember"; name = "ember";
trusted = true; trusted = true;
uid = 537; uid = 537;
keys = ./keys/ember;
} }
{ {
# lib.maintainers.nicoo, @nbraud on github.com # lib.maintainers.nicoo, @nbraud on github.com
name = "nicoo"; name = "nicoo";
trusted = true; trusted = true;
uid = 538; uid = 538;
keys = ./keys/nicoo;
} }
{ {
name = "imincik"; name = "imincik";
trusted = true; trusted = true;
uid = 539; uid = 539;
keys = ./keys/imincik;
} }
{ {
name = "wolfgangwalther"; name = "wolfgangwalther";
trusted = true; trusted = true;
uid = 540; uid = 540;
keys = ./keys/wolfgangwalther;
} }
{ {
name = "tnias"; name = "tnias";
trusted = true; trusted = true;
uid = 541; uid = 541;
keys = ./keys/tnias;
} }
{ {
# lib.maintainers.emily, https://github.com/emilazy # lib.maintainers.emily, https://github.com/emilazy
name = "emily"; name = "emily";
trusted = true; trusted = true;
uid = 542; uid = 542;
keys = ./keys/emily;
} }
{ {
# lib.maintainers.johnrtitor, https://github.com/JohnRTitor # lib.maintainers.johnrtitor, https://github.com/JohnRTitor
name = "johnrtitor"; name = "johnrtitor";
trusted = true; trusted = true;
uid = 543; uid = 543;
keys = ./keys/johnrtitor;
} }
{ {
# lib.maintainers.kashw2, https://github.com/kashw2 # lib.maintainers.kashw2, https://github.com/kashw2
name = "kashw2"; name = "kashw2";
trusted = true; trusted = true;
uid = 544; uid = 544;
keys = ./keys/kashw2;
} }
{ {
# lib.maintainers.superherointj, https://github.com/superherointj # lib.maintainers.superherointj, https://github.com/superherointj
name = "superherointj"; name = "superherointj";
trusted = true; trusted = true;
uid = 545; uid = 545;
keys = ./keys/superherointj;
} }
]; ];
in in
@ -244,6 +288,9 @@ in
home = "/Users/${u.name}"; home = "/Users/${u.name}";
createHome = true; createHome = true;
shell = "/bin/zsh"; shell = "/bin/zsh";
openssh.authorizedKeys.keyFiles = [
u.keys
];
}; };
}) })
users); users);
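Review bot: `keyFiles = [ u.keys ]` makes every user entry carry a hand-written `keys = ./keys/<name>;` that, for all 44 entries visible in the hunk above, is exactly `./keys/${name}` — the same derivation the removed `environment.etc` block below used. Keeping the path per entry means a copy-paste slip (one entry pointing at another maintainer's file) evaluates without error and silently installs the wrong person's keys on that account. Deriving it in this mapping keeps one source of truth: `openssh.authorizedKeys.keyFiles = [ ./keys/${u.name} ];`, and if a per-user override is ever wanted, `[ (u.keys or ./keys/${u.name}) ]` still allows it. The mapping's enclosing function and the `users` list begin outside this hunk.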
@ -252,12 +299,5 @@ in
users.forceRecreate = true; users.forceRecreate = true;
environment.etc = builtins.listToAttrs (builtins.map
(u: {
name = "ssh/authorized_keys.d/${u.name}";
value = { source = ./keys/${u.name}; };
})
users);
nix.settings.trusted-users = builtins.map (u: u.name) (builtins.filter (u: u.trusted) users); nix.settings.trusted-users = builtins.map (u: u.name) (builtins.filter (u: u.trusted) users);
} }