refactor, ssh keys for root

Henri Dohmen 2025-05-26 11:49:02 +02:00
parent 8fbd9d06b4
commit c45f9f7f46
7 changed files with 78 additions and 54 deletions


@ -2,6 +2,7 @@
pkgs,
lib,
options,
var,
...
}:
{
@ -15,24 +16,12 @@
extraGroups = [ "wheel" ];
shell = pkgs.fish;
packages = [ ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB"
];
openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
hashedPassword = "$y$jDT$dhvO.xqs8mopz.sFFul.q/$ud5642o7CnVetU6QEu0ctiVMFh7ngZznDf0wp4cXos8";
};
users.root = {
hashedPassword = "!";
# I don't like the unprivileged users to have unrestricted access to root
# but this is required for colmena. Better options are
# - only authorize root's pubkey
# - create password protected key
# TODO: do one of the above
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB"
];
openssh.authorizedKeys.keys = var.ssh-keys.priviliged;
};
};
}
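Review bot: The new root key assignment `openssh.authorizedKeys.keys = var.ssh-keys.priviliged;` spells the attribute differently from the `unprivileged` set used for the regular user a few lines up; if the `var` module defines `privileged` this is a missing-attribute evaluation error, and if it defines `priviliged` the misspelling spreads into the shared definition. Suggest `openssh.authorizedKeys.keys = var.ssh-keys.privileged;` with the matching rename where the set is defined. The refactor also preserves what the inline comment warns about — every key placed in that set gets unrestricted root login — so the definition of the set should carry a comment such as `# keys in this set get root login (required for colmena); keep disjoint from unprivileged`, and the two sets should be checked to actually differ. From the rendered hunk I cannot tell whether the TODO comment lines were kept or dropped, nor whether the two key sets still contain the same keys; if they do, the TODO remains open after this change.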