authorene <ene@sils.li>2023-01-21 07:59:44 +0100
committerene <ene@sils.li>2023-01-21 07:59:44 +0100
commit19f0808084826a8a46492fcd8fe34833b9ed9a81 (patch)
tree17a4c4e50bee2039f42c0cd2e23bc58fdffcfbe9
parentFix: Resolve merge conflicts (diff)
Feat: Save passwords in hashed form directly
Saving hashed passwords should be relatively safe, as long as the hashing
algorithm isn't flawed. Considering that we use yescrypt with
higher-than-average parameters ('jFT' instead of 'j9T'), we should be safe for
now.
-rw-r--r--users.nix31
1 files changed, 13 insertions, 18 deletions
diff --git a/users.nix b/users.nix
index dcf06e8..ac8cf5d 100644
--- a/users.nix
+++ b/users.nix
@@ -1,28 +1,23 @@
-{
-  cfg,
-  lib,
-  pkgs,
-  list,
-  ...
-}: {
+{pkgs, ...}: {
   users.mutableUsers = false;
   users.defaultUserShell = pkgs.zsh;
 
-  # Persisting user passwords
-  fileSystems."/srv".neededForBoot = true;
-
   users.users = {
     root = {
-      passwordFile = "/srv/users/root/password";
       #uid = 0;
-      #hashedPassword = null; # to lock root
+      #initialHashedPassword = null; # to lock root
+      # Backup, if something happens. TODO remove this later
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
+      ];
     };
 
     sils = {
       name = "sils";
       isNormalUser = true;
-      home = "/srv/users/sils/home";
-      passwordFile = "/srv/users/sils/password";
+      home = "/srv/home/sils";
+      initialHashedPassword = null; # TODO CHANGE
       uid = 1000;
       extraGroups = [
         "wheel"
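Review bot: The `openssh.authorizedKeys.keys` added on root keep direct root login by key available for as long as "TODO remove this later" stays open, and the comment does not say what condition ends it. Both keys carry the names of accounts that are already in `wheel`, so the same recovery path could sit on those accounts rather than on root; whether sshd permits root login at all is configured outside this file. If the block stays, I would make the comment state the exit condition, e.g. `# Backup root access until every wheel user has a real password hash; remove afterwards`. Separately, `initialHashedPassword = null; # TODO CHANGE` on sils (and on nightingale in the third hunk) leaves the account with no usable password, and with `users.mutableUsers = false` a password set later with `passwd` would presumably not survive the next activation, so the fix has to come as another commit.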
@@ -35,8 +30,8 @@
     soispha = {
       name = "soispha";
       isNormalUser = true;
-      home = "/srv/users/soispha/home";
-      passwordFile = "/srv/users/soispha/password";
+      home = "/srv/home/soispha";
+      initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1";
       uid = 1001;
       extraGroups = [
         "wheel"
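Review bot: The yescrypt hash on the `initialHashedPassword` line for soispha becomes readable by anyone who can read this repository and, since option values are generally written into the world-readable Nix store, by every local user of the host. Offline guessing is then limited only by the passphrase strength and the `jFT` cost, which the commit message accepts, but soispha is in `wheel`, so a recovered passphrase is an administrative credential. Unless the passphrase is known to be high-entropy, I would keep the hash in a root-only file referenced by `passwordFile` as the removed lines did (`hashedPasswordFile` in newer NixOS releases) rather than inline. Also, with `users.mutableUsers = false` this option behaves like `hashedPassword`, so writing `hashedPassword = "...";` would state the intent more directly than the `initial` name.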
@@ -49,8 +44,8 @@
     nightingale = {
       name = "nightingale";
       isNormalUser = true;
-      home = "/srv/users/nightingale/home";
-      passwordFile = "/srv/users/nightingale/password";
+      home = "/srv/home/nightingale";
+      initialHashedPassword = null; # TODO CHANGE
       uid = 1002;
       extraGroups = [
         "wheel"