diff --git a/nixos/arc.nix b/nixos/arc.nix deleted file mode 100644 index 14e99a9d..00000000 --- a/nixos/arc.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: { - imports = [ - ({ config, pkgs, ... }: - - { - users.users.arc = { - uid = 1001; - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp" - ]; - shell = pkgs.zsh; - }; - }) - ]; -} diff --git a/nixos/base/access.nix b/nixos/base/access.nix index 077c0de3..c840a387 100644 --- a/nixos/base/access.nix +++ b/nixos/base/access.nix @@ -1,11 +1,10 @@ { config, - lib, pkgs, meta, ... }: { - security.sudo.wheelNeedsPassword = lib.mkForce false; + security.sudo.wheelNeedsPassword = false; security.polkit.extraConfig = '' polkit.addRule(function(action, subject) { @@ -15,22 +14,22 @@ }); ''; - imports = with meta; [ - nixos.kat - nixos.arc + imports = let + inherit (meta) nixos; + in [ + nixos.users ]; users.motd = '' ${config.networking.hostName}.${config.networking.domain} ''; + users.defaultUserShell = pkgs.zsh; users.users.root = { - shell = pkgs.zsh; hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB."; openssh.authorizedKeys.keys = with pkgs.lib; - ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi"] - ++ (concatLists (mapAttrsToList + (concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys diff --git a/nixos/users/arc.nix b/nixos/users/arc.nix new file mode 100644 index 00000000..fbf7aa99 --- /dev/null +++ b/nixos/users/arc.nix 
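Review bot: The rebuilt `openssh.authorizedKeys.keys` for root now accepts every key of every user whose `extraGroups` contains "wheel", and this same file already sets `wheelNeedsPassword = false`, so wheel membership declared anywhere under nixos/users silently implies passwordless root by two routes (direct root SSH and sudo); that coupling is not stated anywhere on the `(concatLists (mapAttrsToList` line. I would add `# root accepts the SSH keys of every wheel user: adding someone to wheel grants direct root login, so keep wheel to hardware-backed keys` directly above it. The lambda handed to mapAttrsToList continues past the end of the hunk. The root `hashedPassword` on the adjacent context line is a crypt hash committed to the repository (offline-crackable); it is unchanged here, but it is worth confirming outside this file that sshd runs with `PermitRootLogin` at `prohibit-password` or stricter, so that this key list and not that hash is the only SSH path to root.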
@@ -0,0 +1,17 @@ +{ config, ... }: + +{ + users.users.arc = { name, ... }: { + uid = 8001; + isNormalUser = true; + autoSubUidGidRange = false; + group = name; + extraGroups = [ "users" "peeps" "kyuuto" "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp" + ]; + }; + users.groups.arc = { name, ... }: { + gid = config.users.users.${name}.uid; + }; +} diff --git a/nixos/users/groups.nix b/nixos/users/groups.nix new file mode 100644 index 00000000..e9b175e2 --- /dev/null +++ b/nixos/users/groups.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + users.groups = { + peeps = { + gid = 8128; + }; + kyuuto = { + gid = 8129; + }; + }; +} diff --git a/nixos/kat.nix b/nixos/users/kat.nix similarity index 82% rename from nixos/kat.nix rename to nixos/users/kat.nix index caee7782..b6e8cf90 100644 --- a/nixos/kat.nix +++ b/nixos/users/kat.nix @@ -1,19 +1,20 @@ -{ meta, config, pkgs, lib, ... }: with lib; +{ config, ... }: { - users.users.kat = { - uid = 1000; + users.users.kat = { name, ... }: { + uid = 8000; isNormalUser = true; + autoSubUidGidRange = false; + group = name; + extraGroups = [ "users" "peeps" "kyuuto" "wheel" ]; openssh.authorizedKeys.keys = [ "ssh-rsa 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 yubikey5" "ssh-rsa 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 cardno:12 078 454" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi" ]; - shell = pkgs.zsh; - extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ]; }; - - systemd.tmpfiles.rules = [ - "f /var/lib/systemd/linger/kat" - ]; + users.groups.kat = { name, ... }: { + gid = config.users.users.${name}.uid; + }; } diff --git a/packages/default.nix b/packages/default.nix index 8d67ec20..c2e2aa82 100644 --- a/packages/default.nix 
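Review bot: `autoSubUidGidRange = false;` in the new `users.users.arc` is unexplained, and the knobs beside it (`uid = 8001`, `group = name`, the group's gid pinned to the uid) only make sense together with the `u 8000 8000 128` / `g 8000 8000 256` entries in systems/*/lxc.json, where ids 8000–8127 (gids to 8255) pass through to the Proxmox host unshifted. A why-comment would spare the next reader the cross-file hunt, e.g. `# uid/gid in 8000–8255 are mapped 1:1 into the LXC containers (systems/*/lxc.json) so files on shared mounts keep their owner; presumably no per-user subid range because a container only owns 65536 ids`. Note also that `extraGroups` includes "wheel", which under nixos/base/access.nix means passwordless sudo and direct root SSH for the `mew-pgp` key — presumably intended, but worth stating on that line.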
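Review bot: The gids 8128 and 8129 in the new `users.groups` appear to be chosen to fall inside the `g 8000 8000 256` pass-through range of the lxc.json idmaps, so peeps and kyuuto are the same groups on the host and in every container, but nothing here says so. I'd put `# 8000–8255 is the gid range mapped 1:1 into the LXC containers (systems/*/lxc.json); shared groups must stay inside it` above `users.groups = {`. A group added later outside that range would be silently shifted to 100000+ on the host, which is exactly the drift such a comment prevents.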
+++ b/packages/default.nix @@ -29,6 +29,8 @@ exec ssh root@$SETUP_HOSTNAME env \ INPUT_ROOT_SSH_AUTHORIZEDKEYS="$(base64 -w0 <<<"$INPUT_ROOT_SSH_AUTHORIZEDKEYS")" \ INPUT_TF_SSH_AUTHORIZEDKEYS="$(base64 -w0 < ${reisen + "/tf.authorized_keys"})" \ + INPUT_SUBUID="$(base64 -w0 < ${reisen + "/subuid"})" \ + INPUT_SUBGID="$(base64 -w0 < ${reisen + "/subgid"})" \ INPUT_INFRA_SETUP="$(base64 -w0 < ${reisen + "/setup.sh"})" \ INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${reisen + "/bin/putfile64.sh"})" \ INPUT_INFRA_PVE="$(base64 -w0 < ${reisen + "/bin/pve.sh"})" \ diff --git a/systems/hakurei/lxc.json b/systems/hakurei/lxc.json index 1e80a3a3..277ebf9b 100644 --- a/systems/hakurei/lxc.json +++ b/systems/hakurei/lxc.json @@ -2,6 +2,18 @@ "lxc": { "lxc.mount.entry": [ "/dev/net/tun dev/net/tun none bind,optional,create=file" + ], + "lxc.idmap": [ + "u 0 100000 8000", + "g 0 100000 8000", + "u 8000 8000 128", + "g 8000 8000 256", + "u 8128 108128 57406", + "g 8256 108256 57278", + "u 65534 65534 1", + "g 65534 65534 1", + "u 65535 165535 1", + "g 65535 165535 1" ] } } diff --git a/systems/hakurei/reisen-ssh.nix b/systems/hakurei/reisen-ssh.nix index bae07168..4366d304 100644 --- a/systems/hakurei/reisen-ssh.nix +++ b/systems/hakurei/reisen-ssh.nix @@ -16,8 +16,14 @@ ''; in { users.users.${username} = { + uid = 4000; hashedPasswordFile = config.sops.secrets.tf-proxmox-passwd.path; isNormalUser = true; + autoSubUidGidRange = false; + group = username; + }; + users.groups.${username} = { + gid = config.users.users.${username}.uid; }; services.openssh = { diff --git a/systems/mediabox/lxc.json b/systems/mediabox/lxc.json index 6098aae5..ad6fa924 100644 --- a/systems/mediabox/lxc.json +++ b/systems/mediabox/lxc.json 
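Review bot: The new `lxc.idmap` deliberately punches a hole in the user-namespace isolation: `u 8000 8000 128`, `g 8000 8000 256` and the two `65534` entries map container ids straight onto the same host ids, so a process in this container running as uid 8000/8001 (kat and arc, both `wheel` inside the container) is the very same principal on the Proxmox host for anything it can reach, and any future host account in 8000–8127 would no longer be isolated from the container. That looks intended for shared file ownership, but JSON cannot carry the reason; I'd record it once in the Nix that embeds systems/reisen/subuid and treat host-side ids in that range as reserved. The ten lines must also match reisen's /etc/subuid and /etc/subgid exactly (a range outside root's delegation makes the container refuse to start), which argues for generating this array from the same Nix value as those files rather than hand-copying it into three lxc.json files.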
@@ -4,6 +4,18 @@ "/mnt/kyuuto-media/library mnt/kyuuto-media/library none bind,optional,create=dir", "/mnt/kyuuto-media/downloads/deluge mnt/kyuuto-media/downloads/deluge none bind,optional,create=dir", "/dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file" + ], + "lxc.idmap": [ + "u 0 100000 8000", + "g 0 100000 8000", + "u 8000 8000 128", + "g 8000 8000 256", + "u 8128 108128 57406", + "g 8256 108256 57278", + "u 65534 65534 1", + "g 65534 65534 1", + "u 65535 165535 1", + "g 65535 165535 1" ] } } diff --git a/systems/reisen/setup.sh b/systems/reisen/setup.sh index f27fa673..c675a1da 100644 --- a/systems/reisen/setup.sh +++ b/systems/reisen/setup.sh @@ -16,6 +16,13 @@ EOF cat $TMP_KEYFILE > /etc/pve/priv/authorized_keys rm $TMP_KEYFILE +base64 -d > /etc/subuid < /etc/subgid <&2 groupadd -g 1001 tf diff --git a/systems/reisen/subgid b/systems/reisen/subgid new file mode 100644 index 00000000..5c6317e8 --- /dev/null +++ b/systems/reisen/subgid @@ -0,0 +1,3 @@ +root:100000:65536 +root:65534:1 +root:8000:256 diff --git a/systems/reisen/subuid b/systems/reisen/subuid new file mode 100644 index 00000000..17110dfa --- /dev/null +++ b/systems/reisen/subuid @@ -0,0 +1,3 @@ +root:100000:65536 +root:65534:1 +root:8000:128 diff --git a/systems/tei/lxc.json b/systems/tei/lxc.json index 98a06943..1fa109b0 100644 --- a/systems/tei/lxc.json +++ b/systems/tei/lxc.json @@ -3,6 +3,18 @@ "lxc.mount.entry": [ "/dev/ttyZigbee dev/ttyZigbee none bind,optional,create=file", "/dev/net/tun dev/net/tun none bind,optional,create=file" + ], + "lxc.idmap": [ + "u 0 100000 8000", + "g 0 100000 8000", + "u 8000 8000 128", + "g 8000 8000 256", + "u 8128 108128 57406", + "g 8256 108256 57278", + "u 65534 65534 1", + "g 65534 65534 1", + "u 65535 165535 1", + "g 65535 165535 1" ] } }
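Review bot: With gids 8000–8255 unshifted by the new `lxc.idmap`, group ownership on the bind-mounted `/mnt/kyuuto-media/library` and `/mnt/kyuuto-media/downloads/deluge` paths is evaluated under the same ids on both sides: anything host-side that is group-writable by kyuuto (8129) or peeps (8128) becomes writable by any container process carrying that gid, including whatever writes the deluge download tree that receives untrusted data. That is presumably the goal of the mapping, but it makes the host-side mode bits and ACLs on those directories the only boundary, so I'd check they grant no more than the container needs (no world write, no write for unrelated groups). If `renderD128`'s host group lies outside every mapped range, as the listed ranges suggest, it shows up as nogroup inside the container and only its world permissions apply — worth confirming that is what the media stack relies on.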
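Review bot: The new `base64 -d > /etc/subuid` and `> /etc/subgid` lines replace both files wholesale on every run of setup.sh (their here-string payloads are not visible in this view, so this is read from the redirects alone), which drops any delegation another tool or an admin added on the Proxmox host and truncates each file before the decoded content lands. If owning these files outright is intended, say so with `# /etc/sub{u,g}id are fully managed from systems/reisen/sub{u,g}id; do not hand-edit on the host`; otherwise decode to a temporary file and install it atomically with `install -m 0644`, or merge the managed ranges in. The script continues both before and after the hunk.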
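Review bot: `root:8000:128` here and `root:8000:256` in the sibling subgid file delegate real host ids, not a private 100000+ range, to root's containers, and the asymmetric widths are exactly what the `u 8000 8000 128` / `g 8000 8000 256` idmap entries assume, so the two files and the three lxc.json copies have to change in lockstep. Nothing on the Proxmox host should own uid 8000–8127 or gid 8000–8255 (nor depend on 65534 being private) other than the shared accounts these ranges exist for. I would not rely on comments being honoured in this file; state the rule where the file is embedded in packages/default.nix, or better, generate both files and the idmap arrays from one Nix attribute so they cannot drift apart.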