AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: user module with some security

Browse Source
This commit is contained in:
Dmitriy Kholkin 2025-03-10 18:31:24 +03:00
parent 73c86aa500
commit d0563f6028
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
2 changed files with 109 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
modules/nixos/roles/default.nix
View File

@ -34,6 +34,7 @@ in
ataraxia.defaults.lix.enable = mkDefault true;
ataraxia.defaults.nix.enable = mkDefault true;
ataraxia.defaults.ssh.enable = mkDefault true;
ataraxia.defaults.users.enable = mkDefault true;
persist.enable = mkDefault true;

108
modules/nixos/user/default.nix Normal file
View File

@ -0,0 +1,108 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str;
cfg = config.ataraxia.defaults.users;
in
{
options.ataraxia.defaults.users = {
enable = mkEnableOption "Setting up default users";
defaultUser = mkOption {
type = str;
default = "ataraxia";
description = "Name of the default user";
};
};
config = mkIf cfg.enable {
users.mutableUsers = false;
users.groups.limits = { };
users.users.${cfg.defaultUser} = {
description = "Main user of this host.";
isNormalUser = true;
extraGroups = [
"adbusers"
"audio"
"cdrom"
"corectrl"
"dialout"
"disk"
"docker"
"input"
"kvm"
"libvirtd"
"limits"
"lp"
"lxd"
"networkmanager"
"podman"
"qemu-libvirtd"
"render"
"scanner"
"smbuser"
"systemd-journal"
"video"
"wheel"
];
uid = 1000;
hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation"
];
};
users.users.deploy = {
description = "The administrator account for deploy-rs.";
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = config.users.users.${cfg.defaultUser}.openssh.authorizedKeys.keys;
};
security.apparmor.enable = true;
security.pam.loginLimits = [
{
domain = "@limits";
item = "memlock";
type = "soft";
value = "unlimited";
}
{
domain = "@limits";
item = "memlock";
type = "hard";
value = "unlimited";
}
];
security.polkit.enable = true;
systemd.services."user@" = {
serviceConfig = {
Restart = "always";
};
};
# Disable sudo, use doas
users.allowNoPasswordLogin = true;
security.sudo.enable = lib.mkForce false;
security.doas = {
enable = true;
extraRules = [
{
users = [ cfg.defaultUser ];
keepEnv = true;
persist = true;
}
{
users = [ "deploy" ];
noPass = true;
keepEnv = true;
}
];
};
};
}