From 4caa14d0416c8ac14e0ac617a1eec22b9df830f6 Mon Sep 17 00:00:00 2001 From: seth Date: Wed, 28 Feb 2024 07:31:21 -0500 Subject: nixos: remove root password --- modules/nixos/archetypes/server.nix | 4 --- modules/nixos/base/users.nix | 4 +-- modules/nixos/server/default.nix | 1 + modules/nixos/server/host-user.nix | 40 +++++++++++++++++++++++ modules/nixos/server/mixins/acme.nix | 23 ++++++++------ modules/nixos/server/mixins/cloudflared.nix | 29 ++++++++++------- modules/nixos/traits/containers.nix | 46 ++++++++++++++------------- modules/nixos/traits/default.nix | 1 - modules/nixos/traits/host-user.nix | 40 ----------------------- modules/nixos/traits/tailscale.nix | 49 ++++++++++++++++------------- 10 files changed, 125 insertions(+), 112 deletions(-) create mode 100644 modules/nixos/server/host-user.nix delete mode 100644 modules/nixos/traits/host-user.nix (limited to 'modules/nixos') diff --git a/modules/nixos/archetypes/server.nix b/modules/nixos/archetypes/server.nix index 3fdc0d2..cbac329 100644 --- a/modules/nixos/archetypes/server.nix +++ b/modules/nixos/archetypes/server.nix @@ -39,10 +39,6 @@ in { ssh.enable = true; }; - users = { - hostUser.enable = true; - }; - zram.enable = true; }; }; diff --git a/modules/nixos/base/users.nix b/modules/nixos/base/users.nix index 8a554f5..507a82a 100644 --- a/modules/nixos/base/users.nix +++ b/modules/nixos/base/users.nix @@ -11,7 +11,7 @@ in { enable = lib.mkEnableOption "base user configurations" // {default = true;}; defaultRoot = { - enable = lib.mkEnableOption "default root user configuration" // {default = true;}; + enable = lib.mkEnableOption "default root user configuration" // {default = false;}; manageSecrets = lib.mkEnableOption "automatic secrets management" // { @@ -37,7 +37,7 @@ in { }; }) - (lib.mkIf cfg.defaultRoot.manageSecrets { + (lib.mkIf (cfg.defaultRoot.enable && cfg.defaultRoot.manageSecrets) { age.secrets = { rootPassword.file = secretsDir + "/rootPassword.age"; }; 
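Review bot: Dropping `hashedPasswordFile` from root does not remove a password that is already in /etc/shadow: with NixOS's default `users.mutableUsers = true` the activation script leaves an account's existing hash alone when no password option is declared, so on hosts deployed before this change root keeps its old password and the commit title only holds for fresh installs (I cannot see whether this tree sets `mutableUsers`). To make the removal declarative, lock the account in the part of this module that is not behind `defaultRoot.enable`, e.g. `users.users.root.hashedPassword = "!";`, or set `users.mutableUsers = false;` so only declared credentials survive activation. Gating the secrets branch on `cfg.defaultRoot.enable && cfg.defaultRoot.manageSecrets` is the right fix, since otherwise `rootPassword.age` would still be decrypted onto every host for an account this module no longer manages; a one-line comment such as `# only decrypt rootPassword.age when this module owns the root account` would explain the compound guard. The `config = … lib.mkMerge […]` that both halves of this hunk sit in starts and ends outside the hunk.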
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index 83ec0a8..1c23124 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -12,6 +12,7 @@ in {
 };
 
 imports = [
+ ./host-user.nix
 ./mixins
 ];
 
diff --git a/modules/nixos/server/host-user.nix b/modules/nixos/server/host-user.nix
new file mode 100644
index 0000000..5aa1ce5
--- /dev/null
+++ b/modules/nixos/server/host-user.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.hostUser;
+ inherit (config.networking) hostName;
+in {
+ options.server.hostUser = {
+ enable = lib.mkEnableOption "${hostName} user configuration" // {default = config.server.enable;};
+
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ users.users.${hostName} = {
+ isNormalUser = true;
+ extraGroups = ["wheel"];
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ userPassword.file = secretsDir + "/userPassword.age";
+ };
+
+ users.users.${hostName} = {
+ hashedPasswordFile = config.age.secrets.userPassword.path;
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/server/mixins/acme.nix b/modules/nixos/server/mixins/acme.nix
index 60703e6..0e4a6d6 100644
--- a/modules/nixos/server/mixins/acme.nix
+++ b/modules/nixos/server/mixins/acme.nix
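Review bot: The new host user is put in `wheel` (`extraGroups = ["wheel"];`), which the traits/ module it replaces never did, and `enable` now defaults to `config.server.enable` instead of being switched on per archetype, so every server silently gains a sudo-capable account named after the host at the same moment root loses its password; that is presumably the intent, but it should be stated in the file, e.g. `# Admin path now that root has no password: sudo via wheel, password from userPassword.age`. When `manageSecrets` is false no password is set at all, which with NixOS's default `security.sudo.wheelNeedsPassword = true` leaves the account unable to sudo; either an assertion such as `assertions = [{ assertion = cfg.manageSecrets; message = "server.hostUser needs userPassword.age for a usable wheel account"; }];` or a comment saying key-only login without sudo is an accepted mode would make that explicit. The old file also pinned `shell = pkgs.bash;`; here the shell falls back to `users.defaultUserShell`, a change the commit message does not mention.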
@@ -23,23 +23,26 @@ in { { security.acme = { acceptTerms = true; - defaults = - { - email = "getchoo@tuta.io"; - } - // lib.optionalAttrs cfg.useDns { - dnsProvider = "cloudflare"; - } - // lib.optionalAttrs cfg.manageSecrets { - credentialsFile = config.age.secrets.cloudflareApiKey.path; - }; + defaults = { + email = "getchoo@tuta.io"; + }; }; } + (lib.mkIf cfg.useDns { + security.acme.defaults = { + dnsProvider = "cloudflare"; + }; + }) + (lib.mkIf cfg.manageSecrets { age.secrets = { cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age"; }; + + security.acme.defaults = { + credentialsFile = config.age.secrets.cloudflareApiKey.path; + }; }) ] ); diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/server/mixins/cloudflared.nix index 5f75a35..26c0714 100644 --- a/modules/nixos/server/mixins/cloudflared.nix +++ b/modules/nixos/server/mixins/cloudflared.nix @@ -9,6 +9,15 @@ in { options.server.mixins.cloudflared = { enable = lib.mkEnableOption "cloudflared mixin"; + tunnelName = lib.mkOption { + type = lib.types.str; + default = "${config.networking.hostName}-nginx"; + example = lib.literalExpression "my-tunnel"; + description = lib.mdDoc '' + Name of the default tunnel being created + ''; + }; + manageSecrets = lib.mkEnableOption "automatic secrets management" // { @@ -21,18 +30,12 @@ in { { services.cloudflared = { enable = true; - tunnels = { - "${config.networking.hostName}-nginx" = - { - default = "http_status:404"; + tunnels.${cfg.tunnelName} = { + default = "http_status:404"; - ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) ( - _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";} - ); - } - // lib.optionalAttrs cfg.manageSecrets { - credentialsFile = config.age.secrets.cloudflaredCreds.path; - }; + ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) ( + _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";} + ); }; }; } 
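Review bot: After the split, `dnsProvider = "cloudflare"` is set whenever `useDns` is true but `credentialsFile` only when `manageSecrets` is also true, so `useDns = true; manageSecrets = false;` produces a DNS-01 configuration with no API token and issuance fails at runtime rather than at evaluation (the old `optionalAttrs` chain had the same gap, but the mkIf layout now makes it plain). An evaluation-time guard in the first attrset, `assertions = [{ assertion = cfg.useDns -> cfg.manageSecrets; message = "server.mixins.acme.useDns needs manageSecrets for the Cloudflare credentials"; }];`, would catch it, unless `credentialsFile` is meant to be supplied elsewhere. A comment on `cloudflareApiKey` naming the token permissions it needs would help whoever rotates it. The `config = lib.mkIf … (lib.mkMerge [` wrapper begins above this hunk.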
@@ -44,6 +47,10 @@ in { owner = "cloudflared"; group = "cloudflared"; }; + + services.cloudflared.tunnels.${cfg.tunnelName} = { + credentialsFile = config.age.secrets.cloudflaredCreds.path; + }; }) ] ); diff --git a/modules/nixos/traits/containers.nix b/modules/nixos/traits/containers.nix index e309a89..10824eb 100644 --- a/modules/nixos/traits/containers.nix +++ b/modules/nixos/traits/containers.nix @@ -11,28 +11,30 @@ in { enable = lib.mkEnableOption "containers support"; }; - config.virtualisation = lib.mkMerge [ - (lib.mkIf cfg.enable { - podman = { - enable = true; - extraPackages = with pkgs; [podman-compose]; - autoPrune.enable = true; - }; + config.virtualisation = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + podman = { + enable = true; + extraPackages = with pkgs; [podman-compose]; + autoPrune.enable = true; + }; - oci-containers.backend = "podman"; - }) - - (let - enable = lib.mkDefault ( - lib.elem "nvidia" (config.services.xserver.videoDrivers or []) - ); - in - if (options.virtualisation.containers ? cdi) - then { - containers.cdi.dynamic.nvidia = {inherit enable;}; + oci-containers.backend = "podman"; } - else { - podman.enableNvidia = enable; - }) - ]; + + (let + enable = lib.mkDefault ( + lib.elem "nvidia" (config.services.xserver.videoDrivers or []) + ); + in + if (options.virtualisation.containers ? cdi) + then { + containers.cdi.dynamic.nvidia = {inherit enable;}; + } + else { + podman.enableNvidia = enable; + }) + ] + ); } diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix index 983edce..51682a3 100644 --- a/modules/nixos/traits/default.nix +++ b/modules/nixos/traits/default.nix @@ -3,7 +3,6 @@ ./auto-upgrade.nix ./containers.nix ./home-manager.nix - ./host-user.nix ./locale.nix ./secrets.nix ./tailscale.nix diff --git a/modules/nixos/traits/host-user.nix b/modules/nixos/traits/host-user.nix deleted file mode 100644 index 2da91d6..0000000 --- a/modules/nixos/traits/host-user.nix +++ /dev/null 
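Review bot: The `if (options.virtualisation.containers ? cdi)` branch has no comment saying why it exists; a reader needs to know it is a compatibility shim between nixpkgs revisions that expose NVIDIA CDI and older ones that only have `podman.enableNvidia` (which I believe is deprecated upstream), e.g. `# Prefer CDI where nixpkgs has it; older revisions only offer podman.enableNvidia`. Moving that branch under `lib.mkIf cfg.enable` is a behaviour change the message does not call out: previously the NVIDIA flag was set (via mkDefault) even with containers disabled, now it is not, which looks intended but deserves a line in the commit. The hunk holds the whole `config.virtualisation` expression; the option declarations it reads sit above the hunk.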
@@ -1,40 +0,0 @@
-{
- config,
- lib,
- pkgs,
- secretsDir,
- ...
-}: let
- cfg = config.traits.users.hostUser;
- inherit (config.networking) hostName;
-in {
- options.traits.users.hostUser = {
- enable = lib.mkEnableOption "${hostName} user configuration";
- manageSecrets =
- lib.mkEnableOption "automatic secrets management"
- // {
- default = config.traits.secrets.enable;
- };
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- users.users.${hostName} = {
- isNormalUser = true;
- shell = pkgs.bash;
- };
- }
-
- (lib.mkIf cfg.manageSecrets {
- age.secrets = {
- userPassword.file = secretsDir + "/userPassword.age";
- };
-
- users.users.${hostName} = {
- hashedPasswordFile = config.age.secrets.userPassword.path;
- };
- })
- ]
- );
-}
diff --git a/modules/nixos/traits/tailscale.nix b/modules/nixos/traits/tailscale.nix
index b432ced..a7d8c06 100644
--- a/modules/nixos/traits/tailscale.nix
+++ b/modules/nixos/traits/tailscale.nix
@@ -16,33 +16,38 @@ in { }; }; - config = lib.mkIf cfg.enable (lib.mkMerge [ - { - networking.firewall = - { - trustedInterfaces = ["tailscale0"]; - } - // lib.optionalAttrs cfg.ssh.enable { - allowedTCPPorts = [22]; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + networking.firewall = { + trustedInterfaces = [config.services.tailscale.interfaceName]; }; - services.tailscale = - { + services.tailscale = { enable = true; openFirewall = true; - } - // lib.optionalAttrs cfg.ssh.enable { + }; + } + + (lib.mkIf cfg.ssh.enable { + networking.firewall = { + allowedTCPPorts = [22]; + }; + + services.tailscale = { extraUpFlags = ["--ssh"]; - } - // lib.optionalAttrs cfg.manageSecrets { - authKeyFile = config.age.secrets.tailscaleAuthKey.path; }; - } + }) - (lib.mkIf cfg.manageSecrets { - age.secrets = lib.mkIf cfg.manageSecrets { - tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age"; - }; - }) - ]); + (lib.mkIf cfg.manageSecrets { + age.secrets = lib.mkIf cfg.manageSecrets { + tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age"; + }; + + services.tailscale = { + authKeyFile = config.age.secrets.tailscaleAuthKey.path; + }; + }) + ] + ); } -- cgit v1.2.3
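Review bot: `allowedTCPPorts = [22]` under `ssh.enable` opens port 22 on every interface, but Tailscale SSH (`--ssh`) is only reachable over the tailnet interface, which `trustedInterfaces = [config.services.tailscale.interfaceName]` already admits in full; the rule does nothing for Tailscale SSH and instead exposes any local sshd (the server archetype's `ssh.enable = true;` in the first hunk suggests one runs) to the public interfaces. It was carried over from the old `optionalAttrs`, so not new, but the restructure is the moment to drop it — an out-of-band sshd exposure belongs in the ssh module with the interface it is meant for, not in the tailscale trait. The inner `age.secrets = lib.mkIf cfg.manageSecrets {…}` sits inside a `lib.mkIf cfg.manageSecrets` already; the nested mkIf is redundant and can be a plain attrset. A comment on `authKeyFile` such as `# pre-auth key used for unattended tailscale up; keep it expiring and rotate it in the admin console` would document the secret's lifecycle. The option declarations this `config` reads are above the hunk.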