- new interface for ghaf user accounts - introducing userborn and non-mutable users default - introducing non-declarative login user via homed - proxy and app users to facilitate remote operations - declarative admin (ghaf) user account as before Signed-off-by: Manuel Bluhm <[email protected]>
Showing
39 changed files
with
816 additions
and
290 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ | ||
config, | ||
lib, | ||
... | ||
}: | ||
let | ||
cfg = config.ghaf.users.admin; | ||
inherit (lib) | ||
mkIf | ||
types | ||
mkOption | ||
optionals | ||
; | ||
in | ||
{ | ||
options.ghaf.users.admin = { | ||
enable = mkOption { | ||
description = "Enable the admin user account. Enabled by default."; | ||
type = types.bool; | ||
default = true; | ||
}; | ||
name = mkOption { | ||
description = "Admin account name."; | ||
type = types.str; | ||
default = "ghaf"; | ||
}; | ||
initialPassword = mkOption { | ||
description = "Default password for the admin user account."; | ||
type = types.str; | ||
default = "ghaf"; | ||
}; | ||
initialHashedPassword = mkOption { | ||
description = "Initial hashed password for the admin user account."; | ||
type = types.nullOr types.str; | ||
default = null; | ||
}; | ||
hashedPassword = mkOption { | ||
description = "Hashed password for live updates."; | ||
type = types.nullOr types.str; | ||
default = null; | ||
}; | ||
extraGroups = mkOption { | ||
description = "Extra groups for the admin user."; | ||
type = types.listOf types.str; | ||
default = [ ]; | ||
}; | ||
}; | ||
|
||
config = mkIf cfg.enable { | ||
|
||
users = { | ||
users = { | ||
"${cfg.name}" = { | ||
isNormalUser = true; | ||
inherit (cfg) initialPassword; | ||
inherit (cfg) initialHashedPassword; | ||
inherit (cfg) hashedPassword; | ||
extraGroups = | ||
[ | ||
"wheel" | ||
"video" | ||
] | ||
++ cfg.extraGroups | ||
++ optionals config.security.tpm2.enable [ "tss" ] | ||
++ optionals config.ghaf.virtualization.docker.daemon.enable [ "docker" ]; | ||
}; | ||
}; | ||
groups = { | ||
"${cfg.name}" = { | ||
inherit (cfg) name; | ||
members = [ cfg.name ]; | ||
}; | ||
}; | ||
}; | ||
|
||
# to build ghaf as admin with caches | ||
nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [ cfg.name ]; | ||
}; | ||
} |
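Review bot: The `initialPassword` option defaults to the literal string "ghaf" for an account that is also placed in `wheel`, so any build that does not override it ships a predictable, sudo-capable credential, and NixOS keeps `initialPassword` values in plain text in the world-readable Nix store. Because the default is never null, supplying `initialHashedPassword` or `hashedPassword` still passes `initialPassword = "ghaf"` alongside it — please confirm which value NixOS and userborn honour when several password options are set at once. I would make the default nullable, `type = types.nullOr types.str; default = null;`, add an assertion that at least one of the three password options is non-null when `cfg.enable` is true, and extend the description, e.g. `description = "Initial plaintext password for the admin user account; it is stored in the Nix store, so override it for deployed images.";`. The sibling common.nix in this commit also sets `users.mutableUsers = false`, so the declaratively configured password is the one that persists across activations and the default cannot simply be rotated on the running system.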
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ | ||
config, | ||
lib, | ||
... | ||
}: | ||
let | ||
inherit (lib) mkDefault hasAttr optionalString; | ||
hasStorageVm = (hasAttr "storagevm" config.ghaf) && config.ghaf.storagevm.enable; | ||
in | ||
{ | ||
# Common ghaf user settings | ||
config = { | ||
|
||
# Disable mutable users | ||
users.mutableUsers = mkDefault false; | ||
|
||
# Enable userborn | ||
services.userborn = { | ||
enable = mkDefault true; | ||
passwordFilesLocation = optionalString hasStorageVm "/var/lib/nixos"; | ||
}; | ||
|
||
}; | ||
} |
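Review bot: `passwordFilesLocation = optionalString hasStorageVm "/var/lib/nixos"` assigns the empty string whenever there is no storage VM, which overrides the userborn module's own default location instead of leaving it in place; unless userborn treats "" as "use the default", the generated password files would be written relative to an empty path on those hosts. Using `mkIf` keeps the option unset in the non-storage-VM case: `inherit (lib) mkDefault mkIf hasAttr;` and `passwordFilesLocation = mkIf hasStorageVm "/var/lib/nixos";`. A one-line comment on why the location moves to `/var/lib/nixos` when a storage VM is present (presumably so the shadow data lands on persistent storage rather than a volatile root) would also help the next reader.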
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
# Copyright 2024 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ | ||
imports = [ | ||
./common.nix | ||
./admin.nix | ||
./desktop.nix | ||
]; | ||
} |