diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/default.nix b/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
index a2ec5f3..b9fa4a5 100644
--- a/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
@@ -57,8 +57,6 @@ in
 };
 };
- imports = [ ./unix-user.nix ];
-
 config = lib.mkIf cfg.enable {
 khscodes.services.read-vault-auth-from-userdata.enable = cfg.stage == "pre";
 khscodes.services.vault-agent.enable = true;
diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
deleted file mode 100644
index 7ab1b39..0000000
--- a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- lib,
- config,
- pkgs,
- ...
-}:
-let
- cfg = config.khscodes.infrastructure.vault-server-approle.enable;
- userExists = username: builtins.hasAttr username config.users.users && config.users.users.enable;
- setKhsPassword = pkgs.writeShellApplication {
- name = "set-khs-password";
- runtimeInputs = [
- pkgs.su
- pkgs.uutils-coreutils-noprefix
- ];
- text = ''
- hashed_passwd="$(cat /run/unix-users/khs)"
- usermod --password "$hashed_password" khs
- '';
- };
-in
-{
- config = lib.mkIf cfg.enable {
- khscodes.infrastructure.vault-server-approle.policy = lib.mkIf (userExists "khs") {
- "unix-users/data/khs/password" = {
- capabilities = [ "read" ];
- };
- };
- khscodes.services.vault-agent.templates = [
- {
- contents = ''
- {{- with secret "unix-users/data/khs/password" -}}
- {{ .Data.data.hashedPassword }}
- {{- end -}}
- '';
- destination = "/run/unix-users/khs";
- perms = "0600";
- owner = "root";
- group = "root";
- exec = lib.getExe setKhsPassword;
- }
- ];
- };
-}
diff --git a/nix/modules/nixos/users/khs/default.nix b/nix/modules/nixos/users/khs/default.nix
index 097f630..527be3e 100644
--- a/nix/modules/nixos/users/khs/default.nix
+++ b/nix/modules/nixos/users/khs/default.nix
@@ -8,8 +8,10 @@ in
 };
 config = lib.mkIf cfg.enable {
- snowfallorg.users.khs.admin = lib.mkDefault true;
+ snowfallorg.users.khs.admin = true;
 users.users.khs = {
+ # TODO: What should I do wrt. ensuring the passwords are consistent?
+ # Maybe set them through OpenBAO and some service?
 initialPassword = "changeme";
 openssh.authorizedKeys.keys = [
 "ssh-rsa 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"
diff --git a/nix/profiles/nixos/khs-base.nix b/nix/profiles/nixos/khs-base.nix
index aa27539..5fa7b73 100644
--- a/nix/profiles/nixos/khs-base.nix
+++ b/nix/profiles/nixos/khs-base.nix
@@ -1,11 +1,19 @@
 {
 pkgs,
 config,
+ lib,
 ...
 }:
 {
 imports = [ ./nix-base.nix ];
- khscodes.users.khs.enable = true;
+ snowfallorg.users.khs.admin = lib.mkDefault true;
+ users.users.khs = {
+ # TODO: Figure out how to provision password changes to servers from VAULT
+ initialPassword = "changeme";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ ];
+ };
 time.timeZone = "Europe/Copenhagen";
 environment = {
 systemPackages = [ pkgs.openbao ];
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
index d77f0e3..3413105 100644
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
@@ -31,6 +31,12 @@ in
 khscodes.infrastructure.provisioning.post.secretsSource = "bitwarden";
 khscodes.infrastructure.vault-server-approle.stage = "post";
 khscodes.networking.fqdn = "security.kaareskovgaard.net";
+ users.users.khs = {
+ initialPassword = "changeme";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ ];
+ };
 khscodes.infrastructure.openbao.domain = "secrets.kaareskovgaard.net";
 system.stateVersion = "25.05";
 };
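Review bot: `initialPassword = "changeme"` under `users.users.khs` gives a privileged account (the `snowfallorg.users.khs.admin = true;` line just above it) a fixed, publicly known password, and NixOS's `initialPassword` is only applied when the user is first created while the literal itself ends up in the world-readable Nix store. The same literal is added to khs-base.nix, security.kaareskovgaard.net, desktop.kaareskovgaard.net and monitoring.kaareskovgaard.net in this commit, so a single forgotten first-login change leaves a wheel account with a default credential on that host. The TODO above the line describes the mechanism the commit removes (unix-user.nix rendered a hash from the agent template into `/run/unix-users/khs`); until something like it is restored, `users.users.khs.hashedPasswordFile = "/run/unix-users/khs";` pointed at a runtime-provisioned file would at least keep the secret out of the store, and the TODO should say which hosts are affected. Dropping `lib.mkDefault` from the admin line also means a host importing this module can no longer opt the user out of wheel; keep `snowfallorg.users.khs.admin = lib.mkDefault true;` as khs-base.nix does in the same commit.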
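Review bot: The `users.users.khs` block added to khs-base.nix is repeated verbatim in users/khs/default.nix, security.kaareskovgaard.net, desktop.kaareskovgaard.net and monitoring.kaareskovgaard.net in the same commit. For any host that imports this profile (the hosts' import lists are outside these hunks, so I cannot confirm which do), `openssh.authorizedKeys.keys` is a list option and merges, so the key is written to authorized_keys twice, and `initialPassword` only evaluates because both copies happen to be the identical string; a later edit to one copy will either fail with conflicting definitions or silently diverge. Keep the account in one place — this profile, or the `khscodes.users.khs` module that the removed `khscodes.users.khs.enable = true;` line used to turn on — and drop the per-host copies.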
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix
index 5bbb726..bbeb301 100644
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix
@@ -4,7 +4,6 @@
 ./ssh-host.nix
 ./loki-mtls.nix
 ./prometheus-mtls.nix
- ./unix-users.nix
 ];
 khscodes.infrastructure.vault-server-approle.path = "\${ vault_auth_backend.approle.path }";
 khscodes.infrastructure.provisioning.post.modules = [
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/unix-users.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/unix-users.nix
deleted file mode 100644
index ce8fc54..0000000
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/unix-users.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- khscodes.infrastructure.provisioning.post.modules = [
- {
- khscodes.vault.mount.unix-users = {
- type = "kv";
- path = "unix-users";
- options = {
- version = "2";
- };
- description = "Secrets used for forgejo";
- };
- }
- ];
-}
diff --git a/nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix b/nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix
index 48e5dcf..b66eb59 100644
--- a/nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix
+++ b/nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix
@@ -10,6 +10,11 @@
 device = "/dev/sda";
 diskName = "nixos";
 };
- khscodes.users.khs.enable = true;
+ users.users.khs = {
+ initialPassword = "changeme";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
+ ];
+ };
 system.stateVersion = "25.05";
 }
diff --git a/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix b/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
index 37e82d5..f11e16b 100644
--- a/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
+++ b/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
@@ -213,6 +213,13 @@ in
 };
 };
 };
+ snowfallorg.users.khs.admin = true;
+ users.users.khs = {
+ initialPassword = "changeme";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ ];
+ };
 khscodes.networking.fqdn = "monitoring.kaareskovgaard.net";
 system.stateVersion = "25.05";
 }