minion@greylag, coded@shorthair change password

Originally we were using initialPassword in modules/nixos/users
to set our passwords. Now we are setting them with hashed password
files. The files are stored in respective system directories and use
sops to encrypt them in place.

Finally, for this to be set for anything but the initial account creation
we need to disable mutableUsers (which is on by default), so let's do
that too.

Change-Id: I52c3658e7318d7d0c4ce0156582b754ea0b337c6
Reviewed-on: https://git.clicks.codes/c/Chimera/NixFiles/+/424
Reviewed-by: Samuel Shuert <coded@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Skyler Grey <minion@clicks.codes>
diff --git a/TODO.md b/TODO.md
index f047112..54416b5 100644
--- a/TODO.md
+++ b/TODO.md
@@ -5,4 +5,5 @@
   - [ ] hyprland-per-window-layout
   - [ ] hy3
   - [ ] anyrun
-  - [ ] hypr-empty
\ No newline at end of file
+  - [ ] hypr-empty
+- [ ] Yubikey Auth over SSH
\ No newline at end of file
diff --git a/modules/nixos/users/default.nix b/modules/nixos/users/default.nix
index a4a9548..7d81bfb 100644
--- a/modules/nixos/users/default.nix
+++ b/modules/nixos/users/default.nix
@@ -1,5 +1,7 @@
 { pkgs, ... }:
 {
+  users.mutableUsers = false;
+
   users.users.minion = {
     isNormalUser = true;
     extraGroups = [
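Review bot: `users.mutableUsers = false;` sits in the shared users module, but each host in this commit supplies a password file for only one account (greylag for minion, shorthair for coded). As far as this diff shows, the other account and root therefore have no usable password on any host that imports the module. coded is in `wheel`, so whether that account can still use sudo on greylag depends on settings not visible here. If this is intended, say so above the option, for example `# Passwords are declarative: an account without hashedPasswordFile on a host cannot log in by password there.` The `users.users.minion` block continues outside the hunk.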
@@ -11,7 +13,6 @@
       "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJRzQbQjXFpHKtt8lpNKmoNx57+EJ/z3wnKOn3/LjM6cAAAAFXNzaDppeXViaWtleV9yZXNpZGVudA== iyubikey_resident"
       "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOhzJ0p9bFRSURUjV05rrt5jCbxPXke7juNbEC9ZJXS/AAAAGXNzaDp0aW55X3l1YmlrZXlfcmVzaWRlbnQ= tiny_yubikey_resident"
     ];
-    initialPassword = "nixos";
   };
 
   users.users.coded = {
@@ -20,11 +21,8 @@
       "wheel"
     ];
     openssh.authorizedKeys.keys = [
-      "ssh-rsa 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 samue@SamuelDesktop"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH+TJRuMpDPgh6Wp2h+E+O/WoyEAVyWo6SN8oxm2JZNVAAAABHNzaDo= samue@SamuelDesktop"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrwKN4dJQ0BiLmjsA/66QHhu06+JyokWtHkLcjhWU79AAAABHNzaDo= coded-sk-resident-1"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrwKN4dJQ0BiLmjsA/66QHhu06+JyokWtHkLcjhWU79AAAABHNzaDo= coded-yk5c-resident"
     ];
-    initialPassword = "nixos";
   };
 
   security.pam.services.waylock = { };
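Review bot: Two of coded's authorized keys are dropped here (the `ssh-rsa` key and one `sk-ssh-ed25519` key, both labelled `samue@SamuelDesktop`), leaving a single security-key credential, and nothing in the file records why. Because the same commit makes accounts immutable, that one key may be the only way in for coded on hosts that carry no password file for the account. Record the intent next to the list, e.g. `# Single resident security-key credential; the SamuelDesktop keys were retired on purpose.` The `users.users.coded` block starts before the hunk.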
diff --git a/systems/x86_64-linux/greylag/default.nix b/systems/x86_64-linux/greylag/default.nix
index 79563b3..b611c0e 100644
--- a/systems/x86_64-linux/greylag/default.nix
+++ b/systems/x86_64-linux/greylag/default.nix
@@ -6,5 +6,6 @@
     ./console
     ./cpu
     ./networking
+    ./users
   ];
 }
diff --git a/systems/x86_64-linux/greylag/users/default.nix b/systems/x86_64-linux/greylag/users/default.nix
new file mode 100644
index 0000000..6b9b998
--- /dev/null
+++ b/systems/x86_64-linux/greylag/users/default.nix
@@ -0,0 +1,13 @@
+{ config, ... }: {
+  users.users.minion.hashedPasswordFile = config.sops.secrets."systems/x86_64-linux/greylag/users/passwords.sops.minion.json:minion".path;
+
+  sops.secrets."systems/x86_64-linux/greylag/users/passwords.sops.minion.json:minion" = {
+    mode = "0400";
+    owner = config.users.users.root.name;
+    group = config.users.users.root.group;
+    sopsFile = ./passwords.sops.minion.json;
+    format = "json";
+    key = "minion";
+    neededForUsers = true;
+  };
+}
\ No newline at end of file
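Review bot: Nothing here documents that password login now depends on this secret decrypting during activation. With `neededForUsers = true` the file must be readable before accounts are created, and with `mutableUsers = false` set elsewhere in this commit there is no earlier password to fall back on if decryption fails. The accompanying `passwords.sops.minion.json` lists only PGP recipients (`"age": null`), so the host's decryption key must be available at that early stage; the sops key configuration is not part of this diff, so this cannot be confirmed from here. Add a comment above the secret such as `# Decrypted before user creation; a recipient key from passwords.sops.minion.json must be present at activation or minion has no password.` The same applies to `systems/x86_64-linux/shorthair/users/default.nix` for coded.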
diff --git a/systems/x86_64-linux/greylag/users/passwords.sops.minion.json b/systems/x86_64-linux/greylag/users/passwords.sops.minion.json
new file mode 100644
index 0000000..8f2c2da
--- /dev/null
+++ b/systems/x86_64-linux/greylag/users/passwords.sops.minion.json
@@ -0,0 +1,26 @@
+{
+	"minion": "ENC[AES256_GCM,data:W438chfkImr9i9r/GT1bcasw7TMiBGvhcFRUEgabyLJPALxRvbVKqKk8JBDHHPCYfLwSSAJtxQwCGDpQ,iv:e5X2ULdvN2vpFFijX86uMn6UtLKW/js2Mtg5BQEY60E=,tag:fFaD5karNCrqmeXNBD0nlA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-02-23T22:48:57Z",
+		"mac": "ENC[AES256_GCM,data:TqB9DckQfhSQ5BoN1oPbdmFwaPCoJ+x8CAV0BkKewaCGKyNYPWZPe0offzY+yAYhl3qLDQXz4q3IFplr0lnsvbfY2R0NAjd81Dlt69NZfedAFlVbDMxAuNKn2HXzXGUgsL+vLhXF3+yQ6JvvVb4wuRbFZ2JBjWf6UmMtmOvdgbU=,iv:fBeWuFRshGNyBhUoaqlp1+r6Mdtctoyvx8j102CRcqw=,tag:OEy6qjXW1wTSPaIvVERw2w==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-02-23T18:06:19Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DN4EYND8+bNUSAQdA8pFYYfE5EV/Ka9WKLYZPaHhXIRcIg8tLPY8uerr/jBow\nfdfl6DuGcjO/OIdbBsJtkHug+6cOVJWc4nqeHmqnhk/IEVCgU2KbXdWCPRyctKOD\n0l4BEbgt12B6TgNVZbb1mPBweS3fpJEa6NkhY3ealZpSuXUdDRf+AWAQHwryr+O+\nGE8HIDtRQNL//Ixx/d5bMz/KMwE5Klnw3zHf0hQqnfD3RtX1czXuMok5pFIlecLu\n=ipal\n-----END PGP MESSAGE-----",
+				"fp": "76E0B09A741C4089522111E5F27E3E5922772E7A"
+			},
+			{
+				"created_at": "2024-02-23T18:06:19Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA1IsbSgNVFwAAQ//fUeV72l++lfcpsbDIPmZiwtY3z+hT5Np49sONraSkIt/\nOryackUmolqw4zq0rJW07VsieYwRY9MiKP07CWL+f9pG2EEDs/NYs5vpKYWugeP6\n/HU8Ys30BaZU3QFo2se3qpfJduVB7pONvtneGRtwMAzYU7QebzOE7xpc/xLn5Xvk\n4GpPV0GUZlSUbz4zrBurfgAje1K50a0cisRSa/L7NPo4SY7iYAtuoFRp5EG/L1Mg\n9SsRQSEmY4ZnL5loy3uE/wvw3SnAmmrOgkPWHuNjMKmbhK4AIOtIwkrf8ZilHj2H\nM3X37P7QeB0NoY7+O2skuvEjxPV/WS9siDuQng7Gs9Ecwq8EW3UxGEj8JTclnumi\nLFLG35ldoySia0AEqLk2GJ6aJz+7xUuBPwhfqp02xvR0P34sqU8xrgWkdtToUPGa\nUUkfQtNh6f3LNUZK1o+oLU9X+rPwd3MONkRpVBDCnr2+k7p2ZxJy59/XXjgHO09I\nPevIKGjODgB93tHstX5NfAawYEzG4t9N5/yiAbLgbdQwkmuDLbeyQ7cn7vSlD0kH\nD07FSpAtuVmc4mMkKl+J4T7J+/M8dAAxu2EexhOg8sU0v+gLbZJdOSVs3Nlvd0hD\n/0aL6A+nfG34BYKsIVF4vvKg0UIa0TuR56muAjCJgFx4aBd8lk2z6VzjdQEHGKrS\nWAGrD6b+pTMHYVLXXBmrJ5O4kKFX/ohjxQiz4bcI1JYrWbct/79/Q+IWe4jWwdqh\nH0dBqnBAcuNxBZnAv+eMmSWrieq9pngP64PRQ4o/z579ucxH0vCPGyM=\n=5vi0\n-----END PGP MESSAGE-----",
+				"fp": "047bf8897df877fe86133e98522c6d280d545c00"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
\ No newline at end of file
diff --git a/systems/x86_64-linux/shorthair/default.nix b/systems/x86_64-linux/shorthair/default.nix
index 94f3150..5eb504b 100644
--- a/systems/x86_64-linux/shorthair/default.nix
+++ b/systems/x86_64-linux/shorthair/default.nix
@@ -7,5 +7,6 @@
     ./console
     ./networking
     ./openrgb
+    ./users
   ];
 }
diff --git a/systems/x86_64-linux/shorthair/users/default.nix b/systems/x86_64-linux/shorthair/users/default.nix
new file mode 100644
index 0000000..c872ce9
--- /dev/null
+++ b/systems/x86_64-linux/shorthair/users/default.nix
@@ -0,0 +1,13 @@
+{ config, ... }: {
+  users.users.coded.hashedPasswordFile = config.sops.secrets."systems/x86_64-linux/shorthair/users/passwords.sops.coded.json:coded".path;
+
+  sops.secrets."systems/x86_64-linux/shorthair/users/passwords.sops.coded.json:coded" = {
+    mode = "0400";
+    owner = config.users.users.root.name;
+    group = config.users.users.root.group;
+    sopsFile = ./passwords.sops.coded.json;
+    format = "json";
+    key = "coded";
+    neededForUsers = true;
+  };
+}
\ No newline at end of file
diff --git a/systems/x86_64-linux/shorthair/users/passwords.sops.coded.json b/systems/x86_64-linux/shorthair/users/passwords.sops.coded.json
new file mode 100644
index 0000000..829dba9
--- /dev/null
+++ b/systems/x86_64-linux/shorthair/users/passwords.sops.coded.json
@@ -0,0 +1,26 @@
+{
+	"coded": "ENC[AES256_GCM,data:QDdaWHPHSsNZTLMQRbedYRDShLXcsbeCcwtD1WJmuEdL8zh10itf8VdoaohNPeogCUY2/1K+v/fxinEW,iv:1ijH0F3RWSutrk+6pd7ZIByY4NFe6LpdchoIe6BdpJA=,tag:rBM1nT204lZOzWyTPCmdDg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-02-23T18:16:34Z",
+		"mac": "ENC[AES256_GCM,data:5iVohVG0QQPqWpV54UaxvkUsVxw31kDQVDWhLk/Qsudrpd1AdiZh5G4YSR6RdzZ4V4ny9IvMLyYK5GMPn6pEnBhq/JaqkxUzcm856wrNrjHy0dNaGLTouGhqU9gwGDgmRpCTC92xn+Fih3qvh3DgMC6UEoky5uCcXLg5cBc4qRA=,iv:JiPhf7hyNKOnHdxJii9rZ6u9b5zWywzYGtYAu33/N8Q=,tag:HGVTLd+8a86ppcEIBfbwxw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-02-23T18:09:34Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4D6MHlIv4I/7ASAQdAsTcpTF2Iz/MYtczqSF8T5miCFXVA6ZGEfzxXCchtbHow\nQIMqMFQGWWO2JILCJsUUAor+BcyFMHY767Sh/SGf7UzMF1MjwC/aWXzINFF6zGIu\n0l4BvlcUvhfJoQWlJZuN4FiNE9uHBkjPg71j4/nbroVhLLIQbvQsqPILXFx/tpfn\nU2R97Vo5aWU9EoNu1VCsf8RY2b2x35e2hQZIJzkS1qSteGE1yqoLj192NWUGs4oj\n=klM2\n-----END PGP MESSAGE-----",
+				"fp": "BC82DF237610AE9113EB075900E944BFBE99ADB5"
+			},
+			{
+				"created_at": "2024-02-23T18:09:34Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA+Wu2Xdd0hVDAQ/+MF+bjVpkXOOD+HHC491BA58NMryiNhuetf9tH33p/dyR\nmyM8HomXuGd6r+DD3B52d5fPySo+XMVLp4X+T+fUuVRk1Novepi1UhFkM01QA0VV\nqrnLnXWjIUZqz8L6WpGK+zU9UBtCPTJ5+FF1zD0aR+pTY/BMhBHEEUR2PxqHZedj\n4DwNwzp2I7+jw84nMOrmXH4zHaC+ISDK05w+vqqY2xbUJDjB9dn4BP42UrCbPnM0\nscDeCbRm5KbrjAIRS1C5UTbEebVZv6/+GwN9cM3Avzi7so+8q2oWoxUrZ81Brwoi\n05RqQcm52B0zMQEiKoxPoacXdJaNFuMllA6t3Ni4r2UbBwey9log0RUviN1T1WBu\n1dqO1uuPlxnK9Or7wq4gLw8VMawCdjj3aPjKaDRzRmDsYOsxJflUKQa/tKnUhWgt\nN+EQkpAo2Tyr7bhfFoz+xnyahrYzSvKV+NRz9Cl24pqDsxa/LAdUtP5UyKTvOxsg\nEXi44LnT2g5cOPE+dXXY8CT8E1HDyHxUcr4+exVyXegdLZUH4/ejNljBUiofLlNK\nWv6m/r4N3Jgt9q1M1KpqJA5ISsPXySWDkOOwL1IBxrDv7BeumPlFUD18Tqqme1my\nXQDh5+A47HKhM+8kRbm55VITSjzc+nrUhLzbo2sKzZakwAdVIJ7viIeXsLAAjDbS\nWAFjYcezk4qUP+rBbJCZRQDsVnn2gDjMW7lFyYEHW/Ff980nwiG0CWWcNJjMaN32\n/idh1yZgAUJjjlZHdfCj5eD6F1PI1vsVE1gwN6ARf7vjspiabXeUY1Q=\n=mr1k\n-----END PGP MESSAGE-----",
+				"fp": "B5237D6B63AB2E13FDA07170E5AED9775DD21543"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
\ No newline at end of file