Factorise users configurations #20

Closed
Niols wants to merge 6 commits from factorise-users-config into factorise-networking-config
Owner

This PR merges all users-related configurations from VMs in infra/ into an infra/common/users.nix module. More factorisation will come in subsequent PRs. It builds on top of #19.

While merging these users configurations, I have come across some variations. Similarly to what I did in #19, I have taken the superset of those things. However, I think I can clean things up a bit. In particular:

  • Some machines did not have a hashedPassword for root and now they do. @koen @kevin> I guess that is fine, but should we not just remove password login for root entirely and remove this hashedPassword?

  • Some machines did not have a valentin user and now they do. @fricklerhandwerk> Do you actually need that? Wouldn't your SSH key on the root user suffice? In which case, which one:

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJzgwAYAoMexc1fBJxU08YmsiU9T4Ua8QFeE4/kZNZ5
    

    (or both) (I believe both are yours but I am not entirely sure)

Niols added 4 commits 2024-11-20 17:39:01 +01:00
fricklerhandwerk approved these changes 2024-11-20 23:03:45 +01:00
fricklerhandwerk left a comment
Owner

I agree on disabling sudo passwords, and removing passwords altogether. May even disable root login, as @koen noted on Matrix.

@ -0,0 +14,4 @@
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJzgwAYAoMexc1fBJxU08YmsiU9T4Ua8QFeE4/kZNZ5"

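Review bot: the key string in openssh.authorizedKeys.keys has no trailing comment field, so nothing in the file records whose key it is or which device it belongs to, and ownership had to be confirmed by hand in this thread. Consider appending an owner label after the base64 part of the key string. Because extraGroups puts this account in wheel, each entry in this list should be a key its owner has confirmed.
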
this key is good

Owner

The reason some have a hashed password and some don't is because we added that option later on, so older machines don't have it. I would recommend removing password login for root in case you need to save the machine from the terminal in the VM environment.

As for the user for valentin, like you earlier discussed with koen in the Matrix, it's better if we don't allow a direct login to root over SSH, so the user is needed.

Author
Owner

@fricklerhandwerk> Is this your key?

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg
Niols force-pushed factorise-users-config from 83e55c89d6 to 67eddccc40 2024-11-21 11:45:04 +01:00 Compare
Niols referenced this pull request from a commit 2024-11-21 11:45:41 +01:00
Author
Owner

Merged with 1e8174799b.

Niols closed this pull request 2024-11-21 11:48:25 +01:00
Author
Owner

Thank you for your comments, @kevin. I applied them as best I could. The only one I did not yet apply is to disable root SSH authentication, because NixOps4 doesn't allow that yet. It is tracked in #24.

All checks were successful
/ check-pre-commit (pull_request) Successful in 21s

Pull request closed

Reference: Fediversity/Fediversity#20