From 211ab56adf2dd91732feb0c75332321206e0d499 Mon Sep 17 00:00:00 2001
From: ene
Date: Thu, 19 Jan 2023 14:02:04 +0100
Subject: Feat: User configuration, with secure passwords The passwords will be stored in a specific password file, which because it isn't part of this repository is secure. Refs: #9
---
users.nix | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 users.nix
(limited to 'users.nix')
diff --git a/users.nix b/users.nix
new file mode 100644
index 0000000..dcf06e8
--- /dev/null
+++ b/users.nix
@@ -0,0 +1,64 @@
+{
+ cfg,
+ lib,
+ pkgs,
+ list,
+ ...
+}: {
+ users.mutableUsers = false;
+ users.defaultUserShell = pkgs.zsh;
+
+ # Persisting user passwords
+ fileSystems."/srv".neededForBoot = true;
+
+ users.users = {
+ root = {
+ passwordFile = "/srv/users/root/password";
+ #uid = 0;
+ #hashedPassword = null; # to lock root
+ };
+
+ sils = {
+ name = "sils";
+ isNormalUser = true;
+ home = "/srv/users/sils/home";
+ passwordFile = "/srv/users/sils/password";
+ uid = 1000;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
+ ];
+ };
+
+ soispha = {
+ name = "soispha";
+ isNormalUser = true;
+ home = "/srv/users/soispha/home";
+ passwordFile = "/srv/users/soispha/password";
+ uid = 1001;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
+ ];
+ };
+
+ nightingale = {
+ name = "nightingale";
+ isNormalUser = true;
+ home = "/srv/users/nightingale/home";
+ passwordFile = "/srv/users/nightingale/password";
+ uid = 1002;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ ];
+ };
+ };
+}
+# vim: ts=2
+
-- cgit 1.4.1
From 19f0808084826a8a46492fcd8fe34833b9ed9a81 Mon Sep 17 00:00:00 2001
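Review bot: The module's argument set `{ cfg, lib, pkgs, list, ... }` at the top of the new file names `cfg` and `list`, which are not arguments NixOS supplies to a module (those are `config`, `options`, `lib`, `pkgs`, `modulesPath`, plus whatever the importer adds through `specialArgs` or `_module.args`); unless the flake passes them explicitly, evaluating the module fails with a missing-argument error, and since neither of them nor `lib` is used in the body, `{pkgs, ...}: {` is all that is needed. The pairing of `passwordFile` paths under `/srv` with `fileSystems."/srv".neededForBoot = true` is correct, because the hashes must be readable when users are created at activation, but the comment `# Persisting user passwords` does not say so; `# /srv holds the password hashes, so it must be mounted before user activation` would make the dependency explicit. It would also help to document the expected contents and permissions of those files in the same comment, e.g. `# each file: one crypt(3) hash line, owned by root, mode 0600`, since nothing in this repository creates them.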
From: ene Date: Sat, 21 Jan 2023 07:59:44 +0100 Subject: Feat: Save passwords in hashed form directly Saving hashed passwords should be relatively safe, as long as the hashing algorithm isn't flawed. Considering, that we use yescrypt with higher than average parameters ('jFT' instead of 'j9T'), we should be safe for now. --- users.nix | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) (limited to 'users.nix') diff --git a/users.nix b/users.nix index dcf06e8..ac8cf5d 100644 --- a/users.nix +++ b/users.nix @@ -1,28 +1,23 @@ -{ - cfg, - lib, - pkgs, - list, - ... -}: { +{pkgs, ...}: { users.mutableUsers = false; users.defaultUserShell = pkgs.zsh; - # Persisting user passwords - fileSystems."/srv".neededForBoot = true; - users.users = { root = { - passwordFile = "/srv/users/root/password"; #uid = 0; - #hashedPassword = null; # to lock root + #initialHashedPassword = null; # to lock root + # Backup, if something happens. TODO remove this later + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" + ]; }; sils = { name = "sils"; isNormalUser = true; - home = "/srv/users/sils/home"; - passwordFile = "/srv/users/sils/password"; + home = "/srv/home/sils"; + initialHashedPassword = null; # TODO CHANGE uid = 1000; extraGroups = [ "wheel" @@ -35,8 +30,8 @@ soispha = { name = "soispha"; isNormalUser = true; - home = "/srv/users/soispha/home"; - passwordFile = "/srv/users/soispha/password"; + home = "/srv/home/soispha"; + initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; uid = 1001; extraGroups = [ "wheel" 
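Review bot: Committing soispha's yescrypt hash in the `@@ -35,8 +30,8 @@` hunk places a crackable credential in git history, where it remains retrievable after any later removal, and it reverses the rationale the previous commit gave for keeping passwords out of the repository; a high yescrypt cost raises the price of an offline guess but does not remove the exposure, so keeping the `passwordFile` option pointing at a file outside the repository (or a secrets-management module) would preserve the earlier design. In the first hunk, root loses its `passwordFile` and instead receives the sils and soispha keys marked `# Backup, if something happens. TODO remove this later`; with `users.mutableUsers = false` and no hashed password, root presumably ends up password-locked (confirm against the NixOS user module), so these keys become a standing direct-root path that duplicates what the two wheel accounts already provide, and the TODO should carry a tracking reference or removal date. `initialHashedPassword = null; # TODO CHANGE` for sils (and for nightingale in the following `@@ -49,8 +44,8 @@` hunk) leaves a wheel account with no password at all; under `mutableUsers = false` the option's own description treats it as equivalent to `hashedPassword`, so the "initial" name misleads here, and `hashedPassword = null; # key-only login until a hash is set` states the actual intent.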
@@ -49,8 +44,8 @@ nightingale = { name = "nightingale"; isNormalUser = true; - home = "/srv/users/nightingale/home"; - passwordFile = "/srv/users/nightingale/password"; + home = "/srv/home/nightingale"; + initialHashedPassword = null; # TODO CHANGE uid = 1002; extraGroups = [ "wheel" -- cgit 1.4.1 From 00f404a100c9e2a5c1802cc0ed62855f5217fb9b Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 23 Jan 2023 21:09:41 +0100 Subject: Update: Save hashed password for sils --- users.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'users.nix') diff --git a/users.nix b/users.nix index ac8cf5d..34e1648 100644 --- a/users.nix +++ b/users.nix @@ -17,7 +17,7 @@ name = "sils"; isNormalUser = true; home = "/srv/home/sils"; - initialHashedPassword = null; # TODO CHANGE + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE uid = 1000; extraGroups = [ "wheel" -- cgit 1.4.1
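Review bot: In the `@@ -17,7 +17,7 @@` hunk of the third commit the trailing `# TODO CHANGE` comment is now stale, since the line it annotated has been replaced with a real hash; either drop it or reword it to what is still open, e.g. `# TODO move this hash out of the repository`. As with the soispha hash in the previous commit, this value is now permanent repository history, so the clean follow-up is to move the hashes back to files referenced by `passwordFile` outside the repository and rotate the passwords afterwards.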