nix/modules/nixos/infrastructure/vault-server-approle/default.nix

@@ -57,8 +57,6 @@ in
     };
   };
 
-  imports = [ ./unix-user.nix ];
-
   config = lib.mkIf cfg.enable {
     khscodes.services.read-vault-auth-from-userdata.enable = cfg.stage == "pre";
     khscodes.services.vault-agent.enable = true;

nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix

@@ -1,44 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.khscodes.infrastructure.vault-server-approle.enable;
-  userExists = username: builtins.hasAttr username config.users.users && config.users.users.enable;
-  setKhsPassword = pkgs.writeShellApplication {
-    name = "set-khs-password";
-    runtimeInputs = [
-      pkgs.su
-      pkgs.uutils-coreutils-noprefix
-    ];
-    text = ''
-      hashed_passwd="$(cat /run/unix-users/khs)"
-      usermod --password "$hashed_password" khs
-    '';
-  };
-in
-{
-  config = lib.mkIf cfg.enable {
-    khscodes.infrastructure.vault-server-approle.policy = lib.mkIf (userExists "khs") {
-      "unix-users/data/khs/password" = {
-        capabilities = [ "read" ];
-      };
-    };
-    khscodes.services.vault-agent.templates = [
-      {
-        contents = ''
-          {{- with secret "unix-users/data/khs/password" -}}
-          {{ .Data.data.hashedPassword }}
-          {{- end -}}
-        '';
-        destination = "/run/unix-users/khs";
-        perms = "0600";
-        owner = "root";
-        group = "root";
-        exec = lib.getExe setKhsPassword;
-      }
-    ];
-  };
-}

nix/modules/nixos/users/khs/default.nix

@@ -8,8 +8,10 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    snowfallorg.users.khs.admin = lib.mkDefault true;
+    snowfallorg.users.khs.admin = true;
     users.users.khs = {
+      # TODO: What should I do wrt. ensuring the passwords are consistent?
+      #       Maybe set them through OpenBAO and some service?
       initialPassword = "changeme";
       openssh.authorizedKeys.keys = [
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="

nix/profiles/nixos/khs-base.nix

@@ -1,11 +1,19 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }:
 {
   imports = [ ./nix-base.nix ];
-  khscodes.users.khs.enable = true;
+  snowfallorg.users.khs.admin = lib.mkDefault true;
+  users.users.khs = {
+    # TODO: Figure out how to provision password changes to servers from VAULT
+    initialPassword = "changeme";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
+    ];
+  };
   time.timeZone = "Europe/Copenhagen";
   environment = {
     systemPackages = [ pkgs.openbao ];

nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix

@@ -31,6 +31,12 @@ in
     khscodes.infrastructure.provisioning.post.secretsSource = "bitwarden";
     khscodes.infrastructure.vault-server-approle.stage = "post";
     khscodes.networking.fqdn = "security.kaareskovgaard.net";
+    users.users.khs = {
+      initialPassword = "changeme";
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
+      ];
+    };
     khscodes.infrastructure.openbao.domain = "secrets.kaareskovgaard.net";
     system.stateVersion = "25.05";
   };

nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix

@@ -4,7 +4,6 @@
     ./ssh-host.nix
     ./loki-mtls.nix
     ./prometheus-mtls.nix
-    ./unix-users.nix
   ];
   khscodes.infrastructure.vault-server-approle.path = "\${ vault_auth_backend.approle.path }";
   khscodes.infrastructure.provisioning.post.modules = [

nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/unix-users.nix

@@ -1,14 +0,0 @@
-{
-  khscodes.infrastructure.provisioning.post.modules = [
-    {
-      khscodes.vault.mount.unix-users = {
-        type = "kv";
-        path = "unix-users";
-        options = {
-          version = "2";
-        };
-        description = "Secrets used for forgejo";
-      };
-    }
-  ];
-}

nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix

@@ -10,6 +10,11 @@
     device = "/dev/sda";
     diskName = "nixos";
   };
-  khscodes.users.khs.enable = true;
+  users.users.khs = {
+    initialPassword = "changeme";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
+    ];
+  };
   system.stateVersion = "25.05";
 }

nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix

@@ -213,6 +213,13 @@ in
       };
     };
   };
+  snowfallorg.users.khs.admin = true;
+  users.users.khs = {
+    initialPassword = "changeme";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
+    ];
+  };
   khscodes.networking.fqdn = "monitoring.kaareskovgaard.net";
   system.stateVersion = "25.05";
 }