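{
  pkgs,
  outputs,
  config,
  lib,
  ...
}:
{
  # This is its own attribute in order to prevent infinite recursion
  # in certain places.
  satellite.pilot.name = lib.mkDefault "adrielus";

  # {{{ Password handling
  # The password hash lives in the encrypted secrets file, not in the nix
  # store. `neededForUsers` makes sops decrypt it early enough for
  # `hashedPasswordFile` (below) to be readable when the user database is
  # generated.
  sops.secrets.pilot_password = {
    sopsFile = ../secrets.yaml;
    neededForUsers = true;
  };
  # }}}

  users = {
    # Configure users through nix only
    mutableUsers = false;

    # {{{ Create pilot user
    users.pilot = {
      inherit (config.satellite.pilot) name;

      # This gets referenced in other parts of the config
      uid = 1000;

      # Adds me to some default groups, and creates the home dir
      isNormalUser = true;

      # Picked up by our persistence module
      homeMode = "700";

      # Add user to the following groups
      extraGroups = [
        "wheel" # Access to sudo
        "lp" # Printers
        "audio" # Audio devices
        "video" # Webcam and the like
        "network" # wpa_supplicant
        "syncthing" # syncthing!
      ];

      hashedPasswordFile = config.sops.secrets.pilot_password.path;
      shell = pkgs.fish;

      # {{{ Authorize ssh keys
      # Every host defined in this flake whose public key is checked in at
      # `<host>/keys/id_ed25519.pub` is allowed to log in as this user.
      # Hosts without a checked-in key are skipped rather than failing the
      # build.
      openssh.authorizedKeys.keyFiles =
        let
          # Record containing all the hosts
          hosts = outputs.nixosConfigurations;

          # Function from hostname to relative path to public ssh key
          idKey = host: ../../${host}/keys/id_ed25519.pub;
        in
        lib.pipe hosts [
          # attrsetof host -> attrsetof path
          (builtins.mapAttrs (name: _: idKey name)) # string -> host -> path

          # attrsetof path -> path[]
          builtins.attrValues

          # path[] -> path[]
          (builtins.filter builtins.pathExists)
        ];
      # }}}
    };
    # }}}
  };

  # {{{ Set user-specific ssh permissions
  # This is mainly useful because home-manager can often fail if the perms on
  # `~/.ssh` are incorrect.
  #
  # Modes follow what ssh itself expects: the `.ssh` directory and private
  # keys are readable by the owner only, public keys are world-readable, and
  # regular files carry no executable bits.
  systemd.tmpfiles.rules =
    let
      user = config.users.users.pilot;
      root = "/persist/state/${user.home}/ssh";
    in
    [
      "d ${root} 0755 ${user.name} ${user.group}"
      "d ${root}/.ssh 0700 ${user.name} ${user.group}"
      "z ${root}/.ssh/id_*.pub 0644 ${user.name} ${user.group}"
      "z ${root}/.ssh/id_rsa 0600 ${user.name} ${user.group}"
      "z ${root}/.ssh/id_ed25519 0600 ${user.name} ${user.group}"
    ];
  # }}}
}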