diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/default.nix b/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
index b9fa4a5..a2ec5f3 100644
--- a/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
@@ -57,6 +57,8 @@ in
     };
   };
 
+  imports = [ ./unix-user.nix ];
+
   config = lib.mkIf cfg.enable {
     khscodes.services.read-vault-auth-from-userdata.enable = cfg.stage == "pre";
     khscodes.services.vault-agent.enable = true;
diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
new file mode 100644
index 0000000..7ab1b39
--- /dev/null
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
@@ -0,0 +1,44 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.khscodes.infrastructure.vault-server-approle.enable;
+  userExists = username: builtins.hasAttr username config.users.users && config.users.users.enable;
+  setKhsPassword = pkgs.writeShellApplication {
+    name = "set-khs-password";
+    runtimeInputs = [
+      pkgs.su
+      pkgs.uutils-coreutils-noprefix
+    ];
+    text = ''
+      hashed_passwd="$(cat /run/unix-users/khs)"
+      usermod --password "$hashed_password" khs
+    '';
+  };
+in
+{
+  config = lib.mkIf cfg.enable {
+    khscodes.infrastructure.vault-server-approle.policy = lib.mkIf (userExists "khs") {
+      "unix-users/data/khs/password" = {
+        capabilities = [ "read" ];
+      };
+    };
+    khscodes.services.vault-agent.templates = [
+      {
+        contents = ''
+          {{- with secret "unix-users/data/khs/password" -}}
+          {{ .Data.data.hashedPassword }}
+          {{- end -}}
+        '';
+        destination = "/run/unix-users/khs";
+        perms = "0600";
+        owner = "root";
+        group = "root";
+        exec = lib.getExe setKhsPassword;
+      }
+    ];
+  };
+}
diff --git a/nix/modules/nixos/users/khs/default.nix b/nix/modules/nixos/users/khs/default.nix
index 527be3e..097f630 100644
--- a/nix/modules/nixos/users/khs/default.nix
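Review bot: In unix-user.nix the shell text assigns `hashed_passwd` but expands `$hashed_password`; writeShellApplication runs with `set -u`, so the exec hook aborts before usermod runs and the password is never updated. The module also cannot evaluate as written: `cfg` is bound to the `.enable` boolean and then dereferenced as `cfg.enable`, and `userExists` reads `config.users.users.enable` instead of `config.users.users.${username}.enable`. The vault-agent template is added unconditionally while the policy is gated on `userExists "khs"`, so a host without that user has the agent trying to render a secret it is not allowed to read. Finally, passing the hash via `usermod --password` puts it on the command line where any local process can observe it; feeding `chpasswd -e` over stdin avoids that (usermod/chpasswd live in pkgs.shadow, and pkgs.su is unlikely to provide them — confirm).
```nix
  cfg = config.khscodes.infrastructure.vault-server-approle;
  userExists = username: builtins.hasAttr username config.users.users && config.users.users.${username}.enable;
  # … unchanged: setKhsPassword name / runtimeInputs (take chpasswd from pkgs.shadow) …
    text = ''
      # hash travels over stdin so it is never visible in the process list
      printf 'khs:%s\n' "$(cat /run/unix-users/khs)" | chpasswd -e
    '';
  # … unchanged: policy block …
    khscodes.services.vault-agent.templates = lib.mkIf (userExists "khs") [
```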
+++ b/nix/modules/nixos/users/khs/default.nix
@@ -8,10 +8,8 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    snowfallorg.users.khs.admin = true;
+    snowfallorg.users.khs.admin = lib.mkDefault true;
     users.users.khs = {
-      # TODO: What should I do wrt. ensuring the passwords are consistent?
-      # Maybe set them through OpenBAO and some service?
       initialPassword = "changeme";
       openssh.authorizedKeys.keys = [
         "ssh-rsa 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"
diff --git a/nix/profiles/nixos/khs-base.nix b/nix/profiles/nixos/khs-base.nix
index 5fa7b73..aa27539 100644
--- a/nix/profiles/nixos/khs-base.nix
+++ b/nix/profiles/nixos/khs-base.nix
@@ -1,19 +1,11 @@
 {
   pkgs,
   config,
-  lib,
   ...
 }:
 {
   imports = [ ./nix-base.nix ];
-  snowfallorg.users.khs.admin = lib.mkDefault true;
-  users.users.khs = {
-    # TODO: Figure out how to provision password changes to servers from VAULT
-    initialPassword = "changeme";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa 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"
-    ];
-  };
+  khscodes.users.khs.enable = true;
   time.timeZone = "Europe/Copenhagen";
   environment = {
     systemPackages = [ pkgs.openbao ];
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
index 3413105..d77f0e3 100644
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
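Review bot: `initialPassword = "changeme";` survives in users/khs/default.nix, so every host that enables this module but not vault-server-approle keeps a publicly known password on an admin account, and even approle hosts carry it until the vault-agent template first renders. Per the option's documentation initialPassword is only honoured at first creation when `users.mutableUsers` is true; with mutableUsers = false it behaves like `password` and would presumably re-apply "changeme" over the runtime-set hash on every activation, which this commit does not guard against. Suggest a comment at this line, e.g. `# Seed only: the real hash is pushed at runtime by vault-server-approle/unix-user.nix; requires users.mutableUsers = true.`, or dropping initialPassword if key-only login is acceptable until the hash arrives. The enclosing config block continues outside the hunk.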
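Review bot: khs-base.nix now only sets `khscodes.users.khs.enable = true;`, while the security and monitoring hosts later in this commit delete their inline `users.users.khs` blocks (authorized key included) without enabling the module themselves. If either host does not import this profile — not visible here — it is left with no khs account or key after this change; confirm both import khs-base.nix, or add the enable line to those hosts directly as desktop does.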
@@ -31,12 +31,6 @@ in
     khscodes.infrastructure.provisioning.post.secretsSource = "bitwarden";
     khscodes.infrastructure.vault-server-approle.stage = "post";
     khscodes.networking.fqdn = "security.kaareskovgaard.net";
-    users.users.khs = {
-      initialPassword = "changeme";
-      openssh.authorizedKeys.keys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
-      ];
-    };
     khscodes.infrastructure.openbao.domain = "secrets.kaareskovgaard.net";
     system.stateVersion = "25.05";
   };
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix
index bbeb301..5bbb726 100644
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/default.nix
@@ -4,6 +4,7 @@
     ./ssh-host.nix
     ./loki-mtls.nix
     ./prometheus-mtls.nix
+    ./unix-users.nix
   ];
   khscodes.infrastructure.vault-server-approle.path = "\${ vault_auth_backend.approle.path }";
   khscodes.infrastructure.provisioning.post.modules = [
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/unix-users.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/unix-users.nix
new file mode 100644
index 0000000..ce8fc54
--- /dev/null
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/post/openbao/unix-users.nix
@@ -0,0 +1,14 @@
+{
+  khscodes.infrastructure.provisioning.post.modules = [
+    {
+      khscodes.vault.mount.unix-users = {
+        type = "kv";
+        path = "unix-users";
+        options = {
+          version = "2";
+        };
+        description = "Secrets used for forgejo";
+      };
+    }
+  ];
+}
diff --git a/nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix b/nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix
index b66eb59..48e5dcf 100644
--- a/nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix
+++ b/nix/systems/x86_64-linux/desktop.kaareskovgaard.net/default.nix
@@ -10,11 +10,6 @@
     device = "/dev/sda";
     diskName = "nixos";
   };
-  users.users.khs = {
-    initialPassword = "changeme";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa 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"
-    ];
-  };
+  khscodes.users.khs.enable = true;
   system.stateVersion = "25.05";
 }
diff --git a/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix b/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
index f11e16b..37e82d5 100644
--- a/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
+++ b/nix/systems/x86_64-linux/monitoring.kaareskovgaard.net/default.nix
@@ -213,13 +213,6 @@ in
       };
     };
   };
-  snowfallorg.users.khs.admin = true;
-  users.users.khs = {
-    initialPassword = "changeme";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa 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"
-    ];
-  };
   khscodes.networking.fqdn = "monitoring.kaareskovgaard.net";
   system.stateVersion = "25.05";
 }
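Review bot: The `description` on the new unix-users mount reads "Secrets used for forgejo", which looks copied from another mount definition and will mislead anyone auditing mounts in OpenBAO; suggest `description = "Hashed passwords for local unix users";`. Everything else in the mount (kv, version 2, path unix-users) matches the `unix-users/data/...` path the vault-agent template reads.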