From 489db31b80bc47e114b4a66a1664c095df4f12d4 Mon Sep 17 00:00:00 2001 From: Manuel Bluhm Date: Tue, 7 Jan 2025 18:27:29 +0400 Subject: [PATCH] fix(login): add custom PAM rules for desktop login - remove fprint auth from greetd as user home needs decryption - add custom rule to require users to be in group 'video', preventing admin login on GUI - remove older 'desktop' group in favor of 'video' - fix user creation script to disallow creating user duplicates - fix user creation script to allow '-' characters in name - move ollama persistent directory to service, removing failing ollama user/group setting - move XDG parameters from gui-vm to labc config Signed-off-by: Manuel Bluhm --- modules/common/users/admin.nix | 6 ++- modules/common/users/desktop.nix | 15 +++--- modules/desktop/graphics/labwc.nix | 30 ++++++++++-- .../virtualization/microvm/audiovm.nix | 1 - .../microvm/virtualization/microvm/guivm.nix | 24 +--------- .../virtualization/microvm/microvm-host.nix | 4 +- modules/reference/services/ollama/ollama.nix | 46 +++++++++++-------- 7 files changed, 67 insertions(+), 59 deletions(-) diff --git a/modules/common/users/admin.nix b/modules/common/users/admin.nix index 3806b9b7c..dcb13ba1f 100644 --- a/modules/common/users/admin.nix +++ b/modules/common/users/admin.nix @@ -93,10 +93,12 @@ in extraGroups = [ "wheel" - "video" ] ++ cfg.extraGroups - ++ optionals cfg.createHome [ "desktop" ] + ++ optionals cfg.createHome [ + "audio" + "video" + ] ++ optionals config.security.tpm2.enable [ "tss" ] ++ optionals config.ghaf.virtualization.docker.daemon.enable [ "docker" ]; }; diff --git a/modules/common/users/desktop.nix b/modules/common/users/desktop.nix index f4a477be7..36162d7a0 100644 --- a/modules/common/users/desktop.nix +++ b/modules/common/users/desktop.nix @@ -29,7 +29,10 @@ let extraGroups = mkOption { description = "Extra groups for the login user."; type = types.listOf types.str; - default = [ ]; + default = [ + "audio" + "video" + ]; }; homeSize = mkOption { description = '' @@ -137,12 +140,6 @@ in members = [ cfg.appUser.name ]; }; }) - { - "desktop" = { - name = "desktop"; - members = [ ]; - }; - } ]; }; } @@ -177,9 +174,9 @@ in echo -n "Enter your user name: " read -e -r USERNAME USERNAME=''${USERNAME// /_} - USERNAME=''${USERNAME//[^a-zA-Z0-9_]/} + USERNAME=''${USERNAME//[^a-zA-Z0-9_-]/} USERNAME=''$(echo -n "$USERNAME" | tr '[:upper:]' '[:lower:]') - if grep -q -w "$USERNAME:" /etc/passwd; then + if grep -q "$USERNAME:" /etc/passwd; then echo "User $USERNAME already exists. Please choose another user name." else ACCEPTABLE_USER=true diff --git a/modules/desktop/graphics/labwc.nix b/modules/desktop/graphics/labwc.nix index f4d5d7d93..21bd3a127 100644 --- a/modules/desktop/graphics/labwc.nix +++ b/modules/desktop/graphics/labwc.nix @@ -162,12 +162,37 @@ in XDG_DATA_HOME = "$HOME/.local/share"; XDG_STATE_HOME = "$HOME/.local/state"; XDG_CACHE_HOME = "$HOME/.cache"; + XDG_PICTURES_DIR = "$HOME/Pictures"; + XDG_VIDEOS_DIR = "$HOME/Videos"; GSETTINGS_SCHEMA_DIR = "${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}/glib-2.0/schemas"; }; }; - # It will create a /etc/pam.d/ file for authentication - security.pam.services.gtklock = { }; + # Create custom PAM rules + security.pam.services = { + gtklock = { + rules.auth = { + systemd_home.order = 11399; # Re-order to allow either password _or_ fingerprint + fprintd.args = [ "maxtries=3" ]; + }; + }; + greetd = { + fprintAuth = false; # User needs to enter password to decrypt home + rules = { + account.group = { + enable = true; + control = "requisite"; + modulePath = "${pkgs.linux-pam}/lib/security/pam_succeed_if.so"; + order = 10000; + args = [ + "user" + "ingroup" + "video" + ]; + }; + }; + }; + }; # Needed for power commands security.polkit.enable = true; @@ -179,7 +204,6 @@ in BindsTo = [ "graphical-session.target" ]; After = [ "graphical-session-pre.target" ]; Wants = [ "graphical-session-pre.target" ]; - ConditionGroup = "desktop"; }; }; diff --git a/modules/microvm/virtualization/microvm/audiovm.nix b/modules/microvm/virtualization/microvm/audiovm.nix index cefb803df..8a4a7d356 100644 --- a/modules/microvm/virtualization/microvm/audiovm.nix +++ b/modules/microvm/virtualization/microvm/audiovm.nix @@ -44,7 +44,6 @@ let enable = true; extraGroups = [ "audio" - "video" "pipewire" ]; }; diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix index 8dcc32706..8b0b54d8c 100644 --- a/modules/microvm/virtualization/microvm/guivm.nix +++ b/modules/microvm/virtualization/microvm/guivm.nix @@ -72,17 +72,7 @@ let applications.enable = false; graphics.enable = true; }; - users = { - loginUser = { - enable = true; - extraGroups = [ - "audio" - "video" - "desktop" - ]; - }; - }; - + users.loginUser.enable = true; development = { ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; @@ -108,14 +98,6 @@ let storagevm = { enable = true; name = vmName; - directories = [ - { - directory = "/var/lib/private/ollama"; - user = "ollama"; - group = "ollama"; - mode = "u=rwx,g=,o="; - } - ]; }; # Services @@ -219,10 +201,6 @@ let pkgs.libva-utils pkgs.glib ]; - sessionVariables = { - XDG_PICTURES_DIR = "$HOME/Pictures"; - XDG_VIDEOS_DIR = "$HOME/Videos"; - }; }; time.timeZone = config.time.timeZone; diff --git a/modules/microvm/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix index c5944c0b0..fd64d436c 100644 --- a/modules/microvm/virtualization/microvm/microvm-host.nix +++ b/modules/microvm/virtualization/microvm/microvm-host.nix @@ -134,15 +134,13 @@ in ''; }; in - mkIf config.ghaf.profiles.debug.enable { + { description = "Remove ghaf login users"; enable = true; path = [ userRemovalScript ]; unitConfig.ConditionPathExists = "/storagevm/gui-vm/var/lib/nixos/user.lock"; serviceConfig = { Type = "oneshot"; - StandardOutput = "journal"; - StandardError = "journal"; ExecStart = "${userRemovalScript}/bin/remove-users"; }; }; diff --git a/modules/reference/services/ollama/ollama.nix b/modules/reference/services/ollama/ollama.nix index 1b42cf4a6..1b958269b 100644 --- a/modules/reference/services/ollama/ollama.nix +++ b/modules/reference/services/ollama/ollama.nix @@ -8,14 +8,23 @@ }: let cfg = config.ghaf.reference.services; - inherit (lib) mkIf; + inherit (lib) mkIf optionalAttrs; in { config = mkIf cfg.ollama { services.ollama = { enable = true; openFirewall = true; - host = "0.0.0.0"; + host = "127.0.0.1"; + }; + + ghaf = optionalAttrs (builtins.hasAttr "storagevm" config.ghaf) { + storagevm.directories = [ + { + directory = "/var/lib/private/ollama"; + mode = "u=rwx,g=,o="; + } + ]; }; environment.systemPackages = [ @@ -72,23 +81,24 @@ in # its own. system.userActivationScripts.alpaca-configure = { text = '' - source ${config.system.build.setEnvironment} - mkdir -p $HOME/.config/com.jeffser.Alpaca - cat < $HOME/.config/com.jeffser.Alpaca/server.json + [[ "$UID" != ${toString config.ghaf.users.loginUser.uid} ]] && exit 0 + source ${config.system.build.setEnvironment} + mkdir -p $HOME/.config/com.jeffser.Alpaca + cat < $HOME/.config/com.jeffser.Alpaca/server.json { - "remote_url": "http://localhost:11434", - "remote_bearer_token": "", - "run_remote": true, - "local_port": 11435, - "run_on_background": false, - "powersaver_warning": true, - "model_tweaks": { - "temperature": 0.7, - "seed": 0, - "keep_alive": 5 - }, - "ollama_overrides": {}, - "idle_timer": 0 + "remote_url": "http://localhost:11434", + "remote_bearer_token": "", + "run_remote": true, + "local_port": 11435, + "run_on_background": false, + "powersaver_warning": true, + "model_tweaks": { + "temperature": 0.7, + "seed": 0, + "keep_alive": 5 + }, + "ollama_overrides": {}, + "idle_timer": 0 } EOF '';