From 211ab56adf2dd91732feb0c75332321206e0d499 Mon Sep 17 00:00:00 2001
From: ene
Date: Thu, 19 Jan 2023 14:02:04 +0100
Subject: Feat: User configuration, with secure passwords

The passwords will be stored in a specific password file, which because it isn't part of this repository is secure.

Refs: #9
---
 configuration.nix | 6 ++----
 users.nix | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 4 deletions(-)
 create mode 100644 users.nix

diff --git a/configuration.nix b/configuration.nix
index 600201d..baf982a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -3,7 +3,9 @@
 ./hardware-configuration.nix
 ./packages.nix
 ./networking.nix # network configuration that just works
+ ./users.nix
 ./services/minecraft.nix
+
 ];
 boot.cleanTmpDir = true;
@@ -17,10 +19,6 @@
 passwordAuthentication = false;
 extraConfig = "PrintMotd yes\n"; # this could be done with pam
 };
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
- ];
 system.stateVersion = "22.11";
 }
diff --git a/users.nix b/users.nix
new file mode 100644
index 0000000..dcf06e8
--- /dev/null
+++ b/users.nix
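Review bot: The `services.openssh` block that survives on the new side of the second configuration.nix hunk sets `passwordAuthentication = false` but leaves `permitRootLogin` at the upstream default, while root still receives a `passwordFile` in the users.nix added by this commit. Since the commit's purpose is to move SSH access from root to the wheel users, pinning `permitRootLogin = "no";` inside that block makes the intent explicit instead of relying on whatever the release default resolves to (I have not verified it here). `permitRootLogin` is the option spelling for the release this file targets (`system.stateVersion = "22.11"`). The enclosing `{ ... }` module body starts outside both hunks.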
@@ -0,0 +1,64 @@
+{
+ cfg,
+ lib,
+ pkgs,
+ list,
+ ...
+}: {
+ users.mutableUsers = false;
+ users.defaultUserShell = pkgs.zsh;
+
+ # Persisting user passwords
+ fileSystems."/srv".neededForBoot = true;
+
+ users.users = {
+ root = {
+ passwordFile = "/srv/users/root/password";
+ #uid = 0;
+ #hashedPassword = null; # to lock root
+ };
+
+ sils = {
+ name = "sils";
+ isNormalUser = true;
+ home = "/srv/users/sils/home";
+ passwordFile = "/srv/users/sils/password";
+ uid = 1000;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
+ ];
+ };
+
+ soispha = {
+ name = "soispha";
+ isNormalUser = true;
+ home = "/srv/users/soispha/home";
+ passwordFile = "/srv/users/soispha/password";
+ uid = 1001;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
+ ];
+ };
+
+ nightingale = {
+ name = "nightingale";
+ isNormalUser = true;
+ home = "/srv/users/nightingale/home";
+ passwordFile = "/srv/users/nightingale/password";
+ uid = 1002;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ ];
+ };
+ };
+}
+# vim: ts=2
+
-- 
cgit 1.4.1
From cf63e4141cf072b7b942bff23e023890e767a3b1 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 21 Jan 2023 07:41:32 +0100
Subject: Fix: Resolve merge conflicts

---
 configuration.nix | 8 --------
 hardware-configuration.nix | 9 +++++----
 services/opensshd.nix | 27 +++++++++++++--------------
 3 files changed, 18 insertions(+), 26 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 75701ad..8fc047a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -4,7 +4,6 @@
 ./packages.nix
 ./networking.nix # network configuration that just works
 ./users.nix
- ./services/minecraft.nix
 ./services/minecraft.nix
 ./services/rust-motd.nix
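Review bot: Every `passwordFile` in the new users.nix (root, sils, soispha, nightingale) is read at activation and must contain a single line holding the already-hashed password, not the plaintext the option name suggests, and nothing in the file says so; a plaintext file would not work as intended and the failure would only show up at login. A comment above `users.users` would close that gap, e.g. `# passwordFile: one line, the hashed password (chpasswd -e format, e.g. mkpasswd -m yescrypt); root-owned, mode 0600` — `fileSystems."/srv".neededForBoot = true;` is correctly set so those files are present when activation reads them. Root keeps a `passwordFile` while all three normal users are in `wheel`, so the root account stays password-enabled; with `users.mutableUsers = false` it is worth deciding whether root needs a password at all, since the `#hashedPassword = null; # to lock root` line is commented out and not in effect.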
@@ -16,13 +15,6 @@
 networking.hostName = "server1";
 networking.domain = "vhack.eu";
- # openssh config
- services.openssh = {
- enable = true;
- passwordAuthentication = false;
- extraConfig = "PrintMotd yes\n"; # this could be done with pam
- };
-
 system.stateVersion = "22.11";
 }
 # vim: ts=2
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
index 9fcbe2b..76cdb1e 100644
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -19,13 +19,14 @@
 fsType = "btrfs";
 options = ["subvol=storage" "compress-force=zstd"];
 };
- "/etc/nixos" = {
- device = "/srv/nix-config";
- options = ["bind"];
- };
 "/boot" = {
 device = "/dev/vda3";
 options = ["subvol=boot" "compress-force=zstd"];
 };
+
+ "/etc/nixos" = {
+ device = "/srv/nix-config";
+ options = ["bind"];
+ };
 };
 }
diff --git a/services/opensshd.nix b/services/opensshd.nix
index 4bd38fd..cb9f2ba 100644
--- a/services/opensshd.nix
+++ b/services/opensshd.nix
@@ -1,19 +1,18 @@
-{ config, pkg, ... }: {
+{
+ config,
+ pkg,
+ ...
+}: {
 services.openssh = {
 enable = true;
 passwordAuthentication = false;
- extraConfig = ''
- PrintMotd yes
- ''; # this could be done with pam
- hostKeys = [{
- comment = "key comment";
- path = "/srv/sshd/ssh_host_ed25519_key";
- rounds = 1000;
- type = "ed25519";
- }];
+ hostKeys = [
+ {
+ comment = "key comment";
+ path = "/srv/sshd/ssh_host_ed25519_key";
+ rounds = 1000;
+ type = "ed25519";
+ }
+ ];
 };
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
- ];
 }
-- 
cgit 1.4.1
From 19f0808084826a8a46492fcd8fe34833b9ed9a81 Mon Sep 17 00:00:00 2001
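Review bot: The rewritten module header in the services/opensshd.nix hunk requests `pkg` as a function argument; the module system supplies `pkgs`, and an argument it cannot provide normally fails evaluation unless `_module.args.pkg` is defined somewhere this series does not show. The body uses neither `config` nor `pkg`, so the header can simply be `{...}: {` (or `{pkgs, ...}: {` once packages are needed). Separately, `comment = "key comment"` on the generated host key is a placeholder; a descriptive comment such as the host name is what `ssh-keygen -l` prints and makes key inventory easier. The configuration.nix and hardware-configuration.nix hunks in this commit only move blocks and need no change.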
From: ene
Date: Sat, 21 Jan 2023 07:59:44 +0100
Subject: Feat: Save passwords in hashed form directly

Saving hashed passwords should be relatively safe, as long as the hashing algorithm isn't flawed. Considering, that we use yescrypt with higher than average parameters ('jFT' instead of 'j9T'), we should be safe for now.

---
 users.nix | 31 +++++++++++++------------------
 1 file changed, 13 insertions(+), 18 deletions(-)

diff --git a/users.nix b/users.nix
index dcf06e8..ac8cf5d 100644
--- a/users.nix
+++ b/users.nix
@@ -1,28 +1,23 @@
-{
- cfg,
- lib,
- pkgs,
- list,
- ...
-}: {
+{pkgs, ...}: {
 users.mutableUsers = false;
 users.defaultUserShell = pkgs.zsh;
- # Persisting user passwords
- fileSystems."/srv".neededForBoot = true;
-
 users.users = {
 root = {
- passwordFile = "/srv/users/root/password";
 #uid = 0;
- #hashedPassword = null; # to lock root
+ #initialHashedPassword = null; # to lock root
+ # Backup, if something happens. TODO remove this later
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
+ ];
 };
 sils = {
 name = "sils";
 isNormalUser = true;
- home = "/srv/users/sils/home";
- passwordFile = "/srv/users/sils/password";
+ home = "/srv/home/sils";
+ initialHashedPassword = null; # TODO CHANGE
 uid = 1000;
 extraGroups = [
 "wheel"
@@ -35,8 +30,8 @@
 soispha = {
 name = "soispha";
 isNormalUser = true;
- home = "/srv/users/soispha/home";
- passwordFile = "/srv/users/soispha/password";
+ home = "/srv/home/soispha";
+ initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1";
 uid = 1001;
 extraGroups = [
 "wheel"
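Review bot: The root entry on the new side of the first users.nix hunk re-adds both SSH keys under `# Backup, if something happens. TODO remove this later`, which undoes the previous commit's removal of direct root key login and leaves the rollback to a comment that no later commit in this series acts on; if the backup is needed, give the comment an owner and a date or issue reference, otherwise drop the keys. The commit message's safety argument covers only the KDF: once `initialHashedPassword` values live in a repository others can read (this one is served through cgit), the remaining protection against offline guessing is the entropy of the passwords themselves, so the `passwordFile` design this hunk removes, or an encrypted-secrets module, is the stronger default. The hunk also drops `fileSystems."/srv".neededForBoot = true;` while the homes stay under `/srv/home/<user>`; I cannot see whether `/srv` is still marked as needed for boot elsewhere, but if it is not, the users-groups activation step may create those home directories on the root filesystem underneath the mount point, which is worth confirming. The hash-in-repository point applies equally to the soispha hunk here and to the nightingale hunk that follows.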
@@ -49,8 +44,8 @@
 nightingale = {
 name = "nightingale";
 isNormalUser = true;
- home = "/srv/users/nightingale/home";
- passwordFile = "/srv/users/nightingale/password";
+ home = "/srv/home/nightingale";
+ initialHashedPassword = null; # TODO CHANGE
 uid = 1002;
 extraGroups = [
 "wheel"
-- 
cgit 1.4.1
From 6e0f58c5118f4fc0896eb46faaad94f563c876a9 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 21 Jan 2023 08:23:36 +0100
Subject: Feat: Track last login in motd

---
 services/rust-motd.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/services/rust-motd.nix b/services/rust-motd.nix
index 6ff9367..21bc1cd 100644
--- a/services/rust-motd.nix
+++ b/services/rust-motd.nix
@@ -67,6 +67,9 @@
 };
 last_login = {
+ sils = 2;
+ soispha = 2;
+ nightingale = 2;
 };
 last_run = {
-- 
cgit 1.4.1
From 00f404a100c9e2a5c1802cc0ed62855f5217fb9b Mon Sep 17 00:00:00 2001
From: sils
Date: Mon, 23 Jan 2023 21:09:41 +0100
Subject: Update: Save hashed password for sils

---
 users.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/users.nix b/users.nix
index ac8cf5d..34e1648 100644
--- a/users.nix
+++ b/users.nix
@@ -17,7 +17,7 @@
 name = "sils";
 isNormalUser = true;
 home = "/srv/home/sils";
- initialHashedPassword = null; # TODO CHANGE
+ initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE
 uid = 1000;
 extraGroups = [
 "wheel"
-- 
cgit 1.4.1
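Review bot: The `last_login` table added in the services/rust-motd.nix hunk lists sils, soispha and nightingale but not root, although root carries SSH keys in users.nix as of the previous commit (marked there as a temporary backup); an unexpected root login is exactly what this MOTD section exists to surface, so add `root = 2;` next to the others for as long as those keys remain. The attribute set this hunk edits starts and ends outside the hunk.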
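Review bot: The `# TODO CHANGE` trailer survives on the new `initialHashedPassword` line in the last users.nix hunk even though the value it asked for has now been set, so the committed hash reads as if it were still a placeholder. Either drop the comment or state what is actually pending, e.g. `# TODO: move to passwordFile or a secrets module`. With `users.mutableUsers = false` the option documentation treats `initialHashedPassword` as equivalent to `hashedPassword`, so this committed value is the account's standing password rather than a one-time initial one, and the exposure point raised on the earlier users.nix hunks applies here as well.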