authorene <ene@sils.li>2023-01-19 14:02:04 +0100
committerene <ene@sils.li>2023-01-19 14:02:04 +0100
commit211ab56adf2dd91732feb0c75332321206e0d499 (patch)
tree6b595097bc5a92138f04d696b00cfec68998ae3e
parentMerge pull request 'Feat: Added /boot as persistent subvolume' (#10) from ser... (diff)
Feat: User configuration, with secure passwords
The passwords will be stored in a specific password file which, because it
isn't part of this repository, is secure.

Refs: #9
-rw-r--r--configuration.nix6
-rw-r--r--users.nix64
2 files changed, 66 insertions, 4 deletions
diff --git a/configuration.nix b/configuration.nix
index 600201d..baf982a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -3,7 +3,9 @@
     ./hardware-configuration.nix
     ./packages.nix
     ./networking.nix # network configuration that just works
+    ./users.nix
     ./services/minecraft.nix
+
   ];
 
   boot.cleanTmpDir = true;
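Review bot: The second added line, a blank line after `./services/minecraft.nix`, sits inside the `imports` list and looks accidental; drop it so the list stays compact. The `imports = [` opening is outside the hunk, so I cannot see whether the list has other separators that would justify it.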
@@ -17,10 +19,6 @@
     passwordAuthentication = false;
     extraConfig = "PrintMotd yes\n"; # this could be done with pam
   };
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
-  ];
 
   system.stateVersion = "22.11";
 }
diff --git a/users.nix b/users.nix
new file mode 100644
index 0000000..dcf06e8
--- /dev/null
+++ b/users.nix
@@ -0,0 +1,64 @@
+{
+  cfg,
+  lib,
+  pkgs,
+  list,
+  ...
+}: {
+  users.mutableUsers = false;
+  users.defaultUserShell = pkgs.zsh;
+
+  # Persisting user passwords
+  fileSystems."/srv".neededForBoot = true;
+
+  users.users = {
+    root = {
+      passwordFile = "/srv/users/root/password";
+      #uid = 0;
+      #hashedPassword = null; # to lock root
+    };
+
+    sils = {
+      name = "sils";
+      isNormalUser = true;
+      home = "/srv/users/sils/home";
+      passwordFile = "/srv/users/sils/password";
+      uid = 1000;
+      extraGroups = [
+        "wheel"
+      ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
+      ];
+    };
+
+    soispha = {
+      name = "soispha";
+      isNormalUser = true;
+      home = "/srv/users/soispha/home";
+      passwordFile = "/srv/users/soispha/password";
+      uid = 1001;
+      extraGroups = [
+        "wheel"
+      ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
+      ];
+    };
+
+    nightingale = {
+      name = "nightingale";
+      isNormalUser = true;
+      home = "/srv/users/nightingale/home";
+      passwordFile = "/srv/users/nightingale/password";
+      uid = 1002;
+      extraGroups = [
+        "wheel"
+      ];
+      openssh.authorizedKeys.keys = [
+      ];
+    };
+  };
+}
+# vim: ts=2
+
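Review bot: `passwordFile` (root at the `/srv/users/root/password` line and the three users below it) must point at a file holding a single line with an already-hashed password in the form `chpasswd -e` accepts, not a plaintext password, and with `users.mutableUsers = false` a file that is missing or unreadable at activation appears to leave that account without a usable password (verify against the activation script); extending the `# Persisting user passwords` comment to say that the files are hashed, live outside the repo on `/srv`, and that this is why `/srv` is marked `neededForBoot` would make the block self-explanatory. `nightingale` has an empty `openssh.authorizedKeys.keys` while sshd has `passwordAuthentication = false` (context line in the configuration.nix hunk), so that account cannot log in over SSH until a key is added; worth noting inline, e.g. `# no key yet: console login only while sshd rejects passwords`. The `cfg` and `list` function arguments are not standard NixOS module arguments and are unused here; they are resolved lazily so they do not break evaluation, but they should be removed unless they are supplied via specialArgs. The `name = "..."` attributes repeat the attribute key, and the commented-out `#uid = 0;` / `#hashedPassword = null;` lines are leftovers that should go or become a real decision.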