User management module #80

Merged
kalipso merged 8 commits from issue77 into master 2025-03-04 17:22:24 +01:00
Collaborator

I'm not sure if the sops thing works. Maybe the hash in cleartext is secure enough?
Fixes #77

ahtlon added 2 commits 2025-01-28 12:07:08 +01:00
add malo user password
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m16s
fdb9980176
ahtlon added 1 commit 2025-01-28 12:44:15 +01:00
[user module] actually call the module
Some checks failed
Check flake syntax / flake-check (push) Failing after 2m1s
eb61088dc9
and fix some issues
Author
Collaborator

Yeah, sops doesn't work like this. In my local testing when I just write the hash in cleartext it passes the flake check, but I'm not sure if it is secure enough

Owner

@Ahtlon instead of using the `users.users.<name>.hashedPassword` use `users.users.<name>.hashedPasswordFile` which will work with sops :)

Btw reading the description of that option on search.nixos.org I found this:

> If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.

Maybe this is something we want to set - but I am not sure.
Owner

Actually there is more to setting a userpw with sops: https://github.com/Mic92/sops-nix?tab=readme-ov-file#setting-a-users-password
ahtlon added 1 commit 2025-01-29 09:30:31 +01:00
[user module] fix sops user password
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m17s
8b33a1c704
Author
Collaborator

Still doesn't work in run-vm. Probably because of the early-loading stuff
Owner

Maybe I miss something here, but as far as I understand none of the hosts can decrypt the malobeo user secrets.yaml at all right now. In the .sops.yaml only admin keys are added. Also when we add new sops secret files that do not belong to a single host we need to properly handle the dummy-secrets overwrite for them so that run-vm with the --dummy-secrets flag can take care of that as in https://git.dynamicdiscord.de/kalipso/infrastructure/src/commit/1f9d39b53d0450bacc28bc1bef905f7ff51af563/machines/modules/host_builder.nix#L174

sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml;

If there are questions on how to do that just let me know :)
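A host-side wiring of the sops-managed password hash along the lines of the sops-nix README kalipso linked, covering both the `hashedPasswordFile` suggestion and the dummy-secrets override concern above (added example, not code from this repository; the secret name `malobeo-password`, the `users/secrets.yaml` and `users/dummy.yaml` paths are assumptions):

```nix
# Added example, not part of kalipso/infrastructure. Assumed layout:
# users/secrets.yaml holds the key "malobeo-password" (the yescrypt hash),
# users/dummy.yaml is its --dummy-secrets counterpart.
{ config, lib, ... }:
{
  sops.secrets."malobeo-password" = {
    # A file shared by several hosts: every host that should decrypt it
    # must be listed for this path in .sops.yaml, not only the admin keys.
    # mkDefault so a dummy-secrets override can mkForce this attribute;
    # forcing sops.defaultSopsFile alone does not reach a per-secret sopsFile.
    sopsFile = lib.mkDefault ../users/secrets.yaml;
    # Decrypt before user creation; without this the file does not exist
    # yet when the user is set up, which is the early-loading failure above.
    neededForUsers = true;
  };

  users.users.malobeo = {
    isNormalUser = true;
    description = "malobeo user, password and ssh access, no root";
    extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
    # The hash stays out of the repository: read from the decrypted file.
    hashedPasswordFile = config.sops.secrets."malobeo-password".path;
  };

  # Declarative passwords only: with mutableUsers = false a passwd change
  # is reverted on the next rebuild, so the sops file is the single source.
  users.mutableUsers = false;
}
```

In a run-vm --dummy-secrets build the host_builder would need to set `sops.secrets."malobeo-password".sopsFile = lib.mkForce ../users/dummy.yaml;` next to its existing defaultSopsFile override.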
ahtlon added 16 commits 2025-02-14 23:58:08 +01:00
Author
Collaborator

Rebased on #84
ahtlon force-pushed issue77 from e379679448 to 912c8e1195 2025-03-01 21:14:19 +01:00 Compare
ahtlon changed title from WIP: User management module to User management module 2025-03-01 21:15:49 +01:00
ahtlon added 1 commit 2025-03-01 21:37:51 +01:00
[user module] default enable users to prevent lockouts
All checks were successful
Check flake syntax / flake-check (push) Successful in 6m18s
e2fac827bd
also, add admin to trusted users
ahtlon reviewed 2025-03-01 21:48:09 +01:00
@@ -38,6 +37,8 @@ in
ethernetDrivers = ["r8169"];
};
malobeo.users.malobeo = true;
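Review bot: after the "[user module] default enable users to prevent lockouts" commit in this PR, `malobeo.users.malobeo = true;` restates the module default and has no effect; either drop the line or, if it is meant to document which accounts exist on this host, keep an explicit list on every host so the per-host configs stay consistent and a reader can tell at a glance where a user is disabled.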
Author
Collaborator

With default enable, this does nothing anymore... Should we disable the admin account on bakunin? The autoupdate script should still run to apply updates but we (and any attackers) could no longer change the system manually
@@ -52,1 +52,4 @@
malobeo.users = {
malobeo = true;
admin = true;
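Review bot: `malobeo = true;` and `admin = true;` both restate the new default; if the block stays as explicit documentation of this host's accounts, a one-line comment that the option defaults to true would save the next reader from wondering whether other hosts silently lack these users.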
Author
Collaborator

Forgot to remove this when I changed the default, but it also doesn't hurt to write it explicitly
@@ -0,0 +23,4 @@
description = "malobeo user, password and ssh access, no root";
extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
openssh.authorizedKeys.keys = sshKeys.admins;
hashedPassword = "$y$j9T$39oJwpbFDeETiyi9TjZ/2.$olUdnIIABp5TQSOzoysuEsomn2XPyzwVlM91ZsEkIz1";
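Review bot: the `hashedPassword = "$y$j9T$..."` line commits the yescrypt hash to the repository, which is exactly what the sops discussion on this PR set out to avoid and leaves the hash exposed to offline guessing by anyone with read access; since the thread already identified the fix, switch to `hashedPasswordFile = config.sops.secrets.<name>.path;` with `neededForUsers = true;` on the secret so it is decrypted before user creation, or at least track the "should be changed at some point" note as an issue so it is not lost after merge. Also, `openssh.authorizedKeys.keys = sshKeys.admins;` gives every admin key a login as this user; that may be intended, but it is worth a comment next to the "no root" description so the access it grants is explicit.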
Author
Collaborator

Should be changed at some point to use sops
ahtlon requested review from kalipso 2025-03-01 21:48:27 +01:00
kalipso merged commit c409c5d53b into master 2025-03-04 17:22:24 +01:00
Reference: kalipso/infrastructure#80