From c5c7efb19bf15cd7d191b2c917884bab0fad64e8 Mon Sep 17 00:00:00 2001
From: Nguyễn Gia Phong
Date: Fri, 12 Jan 2024 02:49:13 +0900
Subject: Split user access control to separate module
---
 access.nix | 56 +++++++++++++++++++++++++++++++++++++++++++++
 configuration.nix | 68 +------------------------------------------------------
 2 files changed, 57 insertions(+), 67 deletions(-)
 create mode 100644 access.nix
diff --git a/access.nix b/access.nix
new file mode 100644
index 0000000..adb1a83
--- /dev/null
+++ b/access.nix
@@ -0,0 +1,56 @@
+# Access configuration
+# Copyright (C) 2024 Nguyễn Gia Phong
+#
+# This file is part of loang configuration.
+#
+# Loang configuration is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Loang configuration is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with loang configuration. If not, see .
+
+{ config, ... }:
+let
+ admins = [ "cnx" "xarvos" ];
+ normalUser = user: {
+ name = user;
+ value = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keyFiles = [ "/etc/ssh/${user}.pub" ];
+ };
+ };
+ members = admins ++ [
+ "axl"
+ "ckie"
+ "epoch"
+ "int2k"
+ "mingnho"
+ "ooze"
+ "owocean"
+ "vnpower"
+ ];
+in {
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ settings.PasswordAuthentication = false;
+ ports = [ 2211 ];
+ };
+
+ users = {
+ groups.wheel.members = admins;
+ users = builtins.listToAttrs (map normalUser members);
+ };
+}
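Review bot: The new `normalUser` helper emits only `isNormalUser` and the `keyFiles` entry, so the `packages = with pkgs; [ stow ];` that the third configuration.nix hunk removes from `cnx` has no counterpart in access.nix and is silently dropped by a commit described as a pure split; either keep it in configuration.nix as `users.users.cnx.packages = with pkgs; [ stow ];` (merged by the module system with the definition here) or let `normalUser` accept per-user overrides. In the `services.openssh` block, `settings.PasswordAuthentication = false` does not by itself close password logins on NixOS if keyboard-interactive (PAM) authentication is left at its default, so `settings.KbdInteractiveAuthentication = false;` belongs beside it — a pre-existing gap, but this module is now the single place to fix it. Because `wheelNeedsPassword = false` turns each admin's `/etc/ssh/<user>.pub` key into an unprompted root path, a one-line comment on `security.sudo` such as `# SSH key possession is the only authentication factor for admins; sudo adds no second prompt.` would record that trade-off for the next maintainer. `config` is bound in the module arguments but never used; `{ ... }:` suffices.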
diff --git a/configuration.nix b/configuration.nix
index 0972cad..3e6ad48 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -30,6 +30,7 @@
 };
 imports = [
+ ./access.nix
 ./automation.nix
 ./dbms.nix
 ./dns.nix
@@ -86,18 +87,6 @@
 };
 };
- security.sudo = {
- enable = true;
- wheelNeedsPassword = false;
- };
-
- services.openssh = {
- enable = true;
- openFirewall = true;
- settings.PasswordAuthentication = false;
- ports = [ 2211 ];
- };
-
 system.stateVersion = "22.05";
 systemd.extraConfig = ''
@@ -105,59 +94,4 @@
 '';
 time.timeZone = "UTC";
-
- users.users = {
- axl = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/axl.pub" ];
- };
-
- ckie = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/ckie.pub" ];
- };
-
- cnx = {
- extraGroups = [ "wheel" ];
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/cnx.pub" ];
- packages = with pkgs; [ stow ];
- };
-
- epoch = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/epoch.pub" ];
- };
-
- int2k = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/int2k.pub" ];
- };
-
- mingnho = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/mingnho.pub" ];
- };
-
- ooze = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/ooze.pub" ];
- };
-
- owocean = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/owocean.pub" ];
- };
-
- vnpower = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/vnpower.pub" ];
- };
-
- xarvos = {
- extraGroups = [ "wheel" ];
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [ "/etc/ssh/xarvos.pub" ];
- };
- };
 }
--
cgit 1.4.1