From 67eddccc4077874d86aa3407620838ca10eb7e47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Thu, 21 Nov 2024 11:39:32 +0100 Subject: [PATCH] Apply @kevin's recommendations - Remove `root`'s password; SSH password authentication is already removed for all users. - Enable password-less sudo for `wheel` group. - Add a note about removing `root` SSH connection altogether. - Add `niols` user with sudo capabilities. --- infra/common/users.nix | 25 +++++++++++++++++-------- infra/vm02187/configuration.nix | 2 -- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/infra/common/users.nix b/infra/common/users.nix index d45642b..8bf33ac 100644 --- a/infra/common/users.nix +++ b/infra/common/users.nix @@ -10,6 +10,14 @@ ]; }; + niols = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY" + ]; + }; + valentin = { isNormalUser = true; extraGroups = [ "wheel" ]; @@ -17,13 +25,14 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJzgwAYAoMexc1fBJxU08YmsiU9T4Ua8QFeE4/kZNZ5" ]; }; - - root = { - hashedPassword = "$y$j9T$WXvLAUqArJJusuC017FCW0$.rfMOeyx/BsClkJFi5hLcynrSk.njWmfiB6Uy.9th3A"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg" - ]; - }; }; + + security.sudo.wheelNeedsPassword = false; + + ## FIXME: Remove direct root authentication once NixOps4 supports users with + ## password-less sudo. + users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg" + ]; } diff --git a/infra/vm02187/configuration.nix b/infra/vm02187/configuration.nix index a17a850..4304bd2 100644 --- a/infra/vm02187/configuration.nix 
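Review bot: The public key added for `niols` carries no owner comment, and the identical key is also the first entry of `root`'s key list further down this file, so revoking it later means finding both places. A trailing comment inside the string (OpenSSH ignores text after the key material), e.g. `"ssh-ed25519 <key> niols"`, or a `# niols` line above each occurrence, would make audits and key removal less error-prone. The attribute set that encloses the new `niols` entry opens outside this hunk.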
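Review bot: Deleting `hashedPassword` from the `root` entry does not by itself clear the password on hosts that are already deployed: unless `users.mutableUsers = false` is set somewhere outside this hunk, NixOS applies password options only when the account is first created, so the old hash can stay in `/etc/shadow`. Consider locking the account explicitly (a one-time `passwd -l root` on each host, or `users.mutableUsers = false;` in this module), and treat the removed hash as disclosed, since it remains in the repository history. Separately, if the attribute set closed just above the added lines is `users.users` (its opening line is outside the hunk), the new path `users.root.openssh.authorizedKeys.keys` should probably read `users.users.root.openssh.authorizedKeys.keys`. With `security.sudo.wheelNeedsPassword = false;` now in the common module, every `wheel` member's SSH key is root-equivalent on every host that imports this file, which is worth stating in a comment next to that line.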
+++ b/infra/vm02187/configuration.nix @@ -101,8 +101,6 @@ wget ]; - security.sudo.wheelNeedsPassword = false; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave