nerf/defaultRoles #12

Merged
nerf merged 10 commits from nerf/nixConfig:nerf/defaultRoles into main 2023-10-05 21:15:32 +00:00
Showing only changes of commit d7b8d63f83 - Show all commits

nixos/roles/admins.nix Normal file

@ -0,0 +1,30 @@
{lib, ...} :
with lib;
let
admins = {
nerf = {
hashedPassword =
"$6$rounds=424242$FaEtIXMUScxgAYyF$Fl8GbPFgiEv.1iwrhtVpTixG1BTJys3aIfLyTzocQYZV4JymrYEXtnyCTURmVDe8stxbxgDutmtlyElfn1DQc/";
Gonne marked this conversation as resolved
Review

Why does this user get a password? We didn't do that on our Debian machines with individual user accounts.

Review

Basically my paranoia, makes privilege escalation on that machine harder.

It also makes sane user-based console logins possible. You might have noticed I disabled root console (technically password) login.

keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
];
};
};
mkAdmin = name :
{hashedPassword, keys}: {
"${name}" = {
isNormalUser = true;
createHome = true;
Gonne marked this conversation as resolved
Review

Why do they get a home directory? I would expect them to have about no personal data.

Review

The home directory is not persistent anyway, but it will give a lot of programs that you might use a safe place to throw their stuff.
For example, bash starts to write things to disk the moment you use it. All in all I think it is convenient and not persistent anyway.
But I also don't think it matters too much. So I can change it if you think that is blocking.

Review

I don't really care.

extraGroups = [ "wheel" ];
group = "users";
home = "/home/${name}";
openssh.authorizedKeys = { inherit keys; };
inherit hashedPassword;
};
};
in {
users.users = mkMerge (mapAttrsToList mkAdmin admins);
}
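
Review bot: The crypt hash assigned to `hashedPassword` in `admins.nerf` is committed to the repository and, as a plain string in the module, also ends up in the world-readable Nix store, so anyone with read access to either can run offline guessing against it; the `rounds=424242` cost slows that down but does not remove it. Because `mkAdmin` puts every admin in `wheel`, consider supplying the hash from a file kept outside the store (for example via `hashedPasswordFile`, where the NixOS release in use provides it), and add a short comment stating why admins carry a password at all, since the review thread had to ask. Separately, `with lib;` at the top pulls the whole library into scope for two names; `inherit (lib) mkMerge mapAttrsToList;` inside the `let` is easier to audit.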