guest: enable access to shelvacu
parent
9be5604c40
commit
dbd312e9bd
|
@ -4,6 +4,8 @@
|
|||
./fs.nix
|
||||
];
|
||||
|
||||
sane.guest.enable = true;
|
||||
|
||||
# TODO: make sure this plays nice with impermanence
|
||||
services.distccd.enable = true;
|
||||
sane.programs.distcc.enableFor.user.guest = true;
|
||||
|
|
|
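Review bot: `services.distccd.enable = true;` brings up a network compile daemon with no client restriction visible in this hunk; distccd runs whatever compiler invocations reach its port, so the enable should be paired with an explicit allow-list (the NixOS module exposes `allowedClients`, and `openFirewall` should stay off unless the shelvacu host has to reach it from outside — verify against the module's defaults, which are not shown here). A comment naming the intended consumer would make the intent auditable: `# distccd: let shelvacu offload compiles here; restrict allowedClients to its address`. The impermanence TODO is left open by this commit.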
@ -29,14 +29,18 @@
|
|||
|
||||
let
|
||||
inherit (lib.strings) hasSuffix removeSuffix;
|
||||
secretsForHost = host: sane-lib.joinAttrsets (
|
||||
secretsForHost = host: let
|
||||
extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path) {
|
||||
owner = "guest";
|
||||
};
|
||||
in sane-lib.joinAttrsets (
|
||||
map
|
||||
(path: lib.optionalAttrs (hasSuffix ".bin" path) (sane-lib.nameValueToAttrs {
|
||||
name = removeSuffix ".bin" path;
|
||||
value = {
|
||||
sopsFile = ../../secrets/${host}/${path};
|
||||
format = "binary";
|
||||
};
|
||||
} // (extraAttrsForPath path);
|
||||
}))
|
||||
(sane-lib.enumerateFilePaths ../../secrets/${host})
|
||||
);
|
||||
|
|
|
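Review bot: The `owner = "guest"` override in `extraAttrsForPath` applies to every secret under `<host>/guest/`, not just `authorized_keys`, and nothing in the hunk says why; a one-line comment would stop a future secret landing there by accident: `# secrets under guest/ are owned by the guest user (e.g. its ssh authorized_keys); everything else keeps the root default`. The group and mode of those secrets are left at whatever sops defaults apply, so confirm they do not widen readability beyond the guest user. The outer `let` at the top of this hunk closes outside the section.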
@ -9,15 +9,6 @@ in
|
|||
default = false;
|
||||
type = types.bool;
|
||||
};
|
||||
sane.guest.authorizedKeys = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
list of "<key-type> <pubkey> <hostname>" keys.
|
||||
e.g.
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
|
@ -30,9 +21,10 @@ in
|
|||
group = "users";
|
||||
initialPassword = lib.mkDefault "";
|
||||
shell = pkgs.zsh;
|
||||
openssh.authorizedKeys.keys = cfg.authorizedKeys;
|
||||
};
|
||||
|
||||
sane.users.guest.fs.".ssh/authorized_keys".symlink.target = config.sops.secrets."guest/authorized_keys".path or "/dev/null";
|
||||
|
||||
sane.persist.sys.plaintext = lib.mkIf cfg.enable [
|
||||
# intentionally allow other users to write to the guest folder
|
||||
{ directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
|
||||
|
|
|
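Review bot: Replacing `openssh.authorizedKeys.keys` (a root-owned file under /etc/ssh) with a symlink at `~/.ssh/authorized_keys` moves the key lookup into `/home/guest`, which this same hunk deliberately keeps group-writable (`mode = "0775"`, group `users`). With sshd's default StrictModes a group-writable home directory makes sshd refuse the authorized_keys file outright, and with StrictModes off any local member of `users` can rename `.ssh` and drop in their own authorized_keys to log in as guest — either way the previous mechanism was safer. If the key list must come from a sops secret, keep it outside the home directory, e.g. point `services.openssh.authorizedKeysFiles` at the secret path or render it to `/etc/ssh/authorized_keys.d/guest`; also confirm how `sane.users.<name>.fs` creates `~/.ssh` and with what mode, since that is not visible here. The enclosing `users.users.guest` block starts outside this hunk.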
@ -24,6 +24,8 @@ let path = rec {
|
|||
# return the last path component; error on the empty path
|
||||
leaf = str: lib.last (split str);
|
||||
|
||||
# XXX: this is bugged in that
|
||||
# from "/foo/bar" "/foo/barbag" => "/bag"
|
||||
from = start: end: let
|
||||
s = path.norm start;
|
||||
e = path.norm end;
|
||||
|
@ -32,6 +34,12 @@ let path = rec {
|
|||
"/" + (lib.removePrefix s e)
|
||||
);
|
||||
|
||||
isChild = parent: child:
|
||||
lib.any
|
||||
(p: p == norm parent)
|
||||
(walk "/" child)
|
||||
;
|
||||
|
||||
# yield every node between start and end, including each the endpoints
|
||||
# e.g. walk "/foo" "/foo/bar/baz" => [ "/foo" "/foo/bar" "/foo/bar/baz" ]
|
||||
# XXX: assumes input paths are normalized
|
||||
|
|
|
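Review bot: `isChild` normalizes `parent` but hands `child` to `walk` unnormalized, while the comment on `walk` directly below states it assumes normalized input; a child path with a leading `./`, a doubled slash or a trailing slash may then never match, so the guest-owner rule in secrets.nix silently stops applying. Normalizing both sides, `(walk "/" (norm child))`, keeps the comparison consistent with the one already done on `parent`. A doc line for the new helper would also help: `# true iff child is parent itself or lies beneath it, compared by normalized path`. The `from` definition in the first hunk and `walk` continue outside this section.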
@ -4,3 +4,5 @@
|
|||
- see <https://search.nixos.org/options?channel=unstable&show=users.users.%3Cname%3E.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users>
|
||||
- update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow
|
||||
- N.B.: you MUST do `sudo passwd colin` instead of just `passwd`, i guess because of immutable users or something
|
||||
- guest/authorized_keys.bin
|
||||
- who's allowed to login to the guest account
|
||||
|
|
28
secrets/desko/guest/authorized_keys.bin
Normal file
|
@ -0,0 +1,28 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data: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,iv:hz1CO7t8as7G3oYbHKp412lPqJoUeb+A/Y36g/yAktk=,tag:AkEEapeEAjsFJok42Aq+tw==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MU5TbTFMSFlmTG0xK0hi\nQmtialJRV21XbWpuYVJXOWFiVkZMNXkrRERnCkRpK1R2K0p2dzdvV0dUcEpzaFBL\nbWx2WDVRSlNoL0ErOXdqV1lFYU4zVVUKLS0tIFQxZUwyS0JVRVN3aTlEa3JQdTA5\nSjQ3cjhyYitvRkI0dVBoZk41cXAxb0EKmnP7UrqX57nLfD+6FNT29nPqHyk/O9Tg\n7Jut7DD1S9yZu0C4FW/iuNspjV3kVbtZ4B0h2AYBwl1EFEv7mL65Gw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMWF5VnZRQVhLYnREOUV2\nUDJkQWxJSGEweXRNU2xMUEVqb0NOSVlZTjNRCjlMUWxhMmtrODNtbms1VitwbnpZ\nOCtOMnZ1bEtWb1FIVDVEQzRlQS9IbVUKLS0tIEtZL2ZqNHRJNmFXM3BsbnhUbHYw\nQTNKUTZZWFZPUko5TFBZek9MMHBEZlUKyzrEJjTnMcnuyYrVAwb36WDVBRCDKLMe\n5eiKYepLa1+AH93wHAgoAW9kv1pmFfMOLfGhV1CALb2v8yabHmlVMg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByakhjME1WcTU5U241aTdu\nMzg1QlViTUEvcGtBNVFPTHV5ZWNyS3FEVm1BCjFicDFwcDY2N3orQjB0UFd2eEF0\nUVBodnBPSThtbUFUcmxnWG5RWDluNVkKLS0tIHJCWXNxdDdqMlRsY3o5Q2dWVlB2\na3BtQjBzc1MyeTNLcEcyTWFWTytlMjQKs74/B41lR4FXuUomschiy9pgvsO7RKQ6\nVESvelgDNWvB4HikXj0CCC7vWR43X0dggFsxoDaQhU87CI6g3mauNQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2023-06-29T02:50:40Z",
|
||||
"mac": "ENC[AES256_GCM,data:wNgxe6nBYoT00Sg28VOOzvgoGbcXUvtEfsqx+mxGviSidDrMImvBkOgEs/eKNdXvZyRj2TjKEFBLWLZfqpPCczKQbPUMmAQD8SQjWIBOotiMgKLHfLzC+cGM6uPxcrJruXKJJv8U1QmznV+X+x2uaQjqDvtnGJFwl8X1qHy2uCQ=,iv:KpUPOpS45/K8zONOFoeZUQ7rdPDBJyOGlpjVMCLcdic=,tag:uvBu+bnG2nVO79n8IsMZDQ==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.7.3"
|
||||
}
|
||||
}
|