feat: static UIDs

This commit is contained in:
arcnmx 2024-02-09 06:22:32 -08:00
parent 6671103eba
commit 602eda1012
13 changed files with 102 additions and 34 deletions


@ -1,17 +0,0 @@
{ ... }: {
imports = [
({ config, pkgs, ... }:
{
users.users.arc = {
uid = 1001;
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp"
];
shell = pkgs.zsh;
};
})
];
}


@ -1,11 +1,10 @@
{ {
config, config,
lib,
pkgs, pkgs,
meta, meta,
... ...
}: { }: {
security.sudo.wheelNeedsPassword = lib.mkForce false; security.sudo.wheelNeedsPassword = false;
security.polkit.extraConfig = '' security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) {
@ -15,22 +14,22 @@
}); });
''; '';
imports = with meta; [ imports = let
nixos.kat inherit (meta) nixos;
nixos.arc in [
nixos.users
]; ];
users.motd = '' users.motd = ''
${config.networking.hostName}.${config.networking.domain} ${config.networking.hostName}.${config.networking.domain}
''; '';
users.defaultUserShell = pkgs.zsh;
users.users.root = { users.users.root = {
shell = pkgs.zsh;
hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB."; hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
openssh.authorizedKeys.keys = with pkgs.lib; openssh.authorizedKeys.keys = with pkgs.lib;
["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi"] (concatLists (mapAttrsToList
++ (concatLists (mapAttrsToList
(name: user: (name: user:
if elem "wheel" user.extraGroups if elem "wheel" user.extraGroups
then user.openssh.authorizedKeys.keys then user.openssh.authorizedKeys.keys
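Review bot: Dropping `lib.mkForce` from `security.sudo.wheelNeedsPassword` changes what happens when another module also sets the option: evaluation now fails with a conflicting-definitions error instead of this file's value winning, and the new `nixos.users` aggregate imported just below is exactly the kind of module that could grow such a setting. If the intent is that this host alone decides, `lib.mkForce false` was the clearer spelling; otherwise a comment stating that wheel members are deliberately passwordless here would help, since the root `authorizedKeys` list in the same file is also collected from every wheel user. Separately, root's `hashedPassword` stays inline in the repository while the tf user added in this commit reads its hash through `config.sops.secrets.*.path`; using `hashedPasswordFile` from a sops secret for root too would be consistent and keep the hash out of the repo and the world-readable Nix store. The `users.users.root` block continues past the end of this section.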

17
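--- a/nixos/users/arc.nix
+++ b/nixos/users/arc.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+users.users.arc = { name, ... }: {
+uid = 8001;
+isNormalUser = true;
+autoSubUidGidRange = false;
+group = name;
+extraGroups = [ "users" "peeps" "kyuuto" "wheel" ];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp"
+];
+};
+users.groups.arc = { name, ... }: {
+gid = config.users.users.${name}.uid;
+};
+}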
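Review bot: `uid = 8001;` only makes sense together with the `u 8000 8000 128` passthrough entries in the lxc.idmap tables and the `root:8000:128` line in subuid added by this commit, and nothing in this file says so; a comment on the uid such as `# 8000-8127 pass through lxc.idmap/subuid unchanged, so arc has the same id inside containers and on the host` would keep the next edit inside that window. With only 128 uids in the shared range and kat already at 8000, a short registry of taken ids (kat 8000, arc 8001, peeps 8128, kyuuto 8129) next to the group definitions would be cheap insurance against a collision. The `users.users.arc`/`users.groups.arc` pairing via `group = name;` and `gid = config.users.users.${name}.uid;` is repeated verbatim for kat and the tf user in this commit, which suggests a small shared helper rather than three copies.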

11
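--- a/nixos/users/groups.nix
+++ b/nixos/users/groups.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+users.groups = {
+peeps = {
+gid = 8128;
+};
+kyuuto = {
+gid = 8129;
+};
+};
+}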
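Review bot: `gid = 8128;` and `gid = 8129;` sit just past the 128-wide uid passthrough window (8000-8127) but inside the 256-wide gid window (8000-8255) that the lxc.idmap and subgid entries of this commit pass through to the host, and that boundary is invisible from this file. The layout appears to reserve 8000-8127 for the user-paired primary groups (kat 8000, arc 8001) and 8128-8255 for shared groups; a comment such as `# host-shared gids: 8000-8255 pass through lxc.idmap unchanged; 8128+ are shared groups, below that are per-user groups` at the top of `users.groups` would record it so the next group is not placed at 8256 where it silently stops being shared.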


@ -1,19 +1,20 @@
{ meta, config, pkgs, lib, ... }: with lib; { config, ... }:
{ {
users.users.kat = { users.users.kat = { name, ... }: {
uid = 1000; uid = 8000;
isNormalUser = true; isNormalUser = true;
autoSubUidGidRange = false;
group = name;
extraGroups = [ "users" "peeps" "kyuuto" "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa 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 yubikey5" "ssh-rsa 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 yubikey5"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPsu3vNsvBb/G+wALpstD/DnoRZ3fipAs00jtl8rzDuv96RlS7AJr4aNvG6Pt2D9SYn2wVLaiw+76mz2gOycH9/N+VCvL4/0MN9uqj+7XIcxNRo0gHVOblmi2bOXcmGKh3eRwHj1xyDwRxo9WIuBEP2bPpDPz75OXRtEdlTgvky7siSguQxJu03cb0p9hNAYhUoohNXyWW2CjDCLUQVE1+QRVUzsKq3KkPy0cHYgmZC1gRSMQyKpMt72L5tayLz3Tp/zrshucc+QO5IJeZdqMxsNAcvALsysT1J5EqxZoYH9VpWLRhSgVD6Nvn853pycJAlXQxgOCpSD3/v/JbgUe5NE+ci0o7NMy5IiHUv2gQMRIEhwBHlRGwokUPL9upx0lsjaEiPya5xQqqDKRom87xytM778ANS5CuMdQMWg9qVbpHZUHMjA0QmNkjPgq71pUDXHk5L4mZuS8wVjyjnvlw68yIJuHEc8P7QiLcjvRHFS2L9Ck8NRmPDTQXlQi9kk6LmMyu6fdevR/kZL21b+xO1e2DMyxBbNDTot8luppiiL8adgUDMwptpIne7JCWB1o9NFCbXUVgwuCCYBif6pOGSc6bGo1JTAKMflRlcy6Mi3t5H0mR2lj/sCSTWwTlP5FM4aPIq08NvW6PeuK1bFJY9fIgTwVsUnbAKOhmsMt62w== cardno:12 078 454" "ssh-rsa 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 cardno:12 078 454"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi"
]; ];
shell = pkgs.zsh;
extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ];
}; };
users.groups.kat = { name, ... }: {
systemd.tmpfiles.rules = [ gid = config.users.users.${name}.uid;
"f /var/lib/systemd/linger/kat" };
];
} }
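Review bot: `extraGroups` now names `peeps` and `kyuuto`, which are defined in the new `nixos/users/groups.nix`, but this file does not import it, so evaluation depends on the aggregate `nixos.users` module (not shown) always including both; an explicit `imports = [ ./groups.nix ];` here would make that dependency local and keep the file usable on its own. The `{ name, ... }:` / `group = name;` / `gid = config.users.users.${name}.uid;` pairing and the `extraGroups` list are identical to arc.nix and to the tf user in this commit, which suggests a small `mkStaticUser` helper taking the uid and keys rather than three hand-kept copies. The module is complete within this section.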


@ -29,6 +29,8 @@
exec ssh root@$SETUP_HOSTNAME env \ exec ssh root@$SETUP_HOSTNAME env \
INPUT_ROOT_SSH_AUTHORIZEDKEYS="$(base64 -w0 <<<"$INPUT_ROOT_SSH_AUTHORIZEDKEYS")" \ INPUT_ROOT_SSH_AUTHORIZEDKEYS="$(base64 -w0 <<<"$INPUT_ROOT_SSH_AUTHORIZEDKEYS")" \
INPUT_TF_SSH_AUTHORIZEDKEYS="$(base64 -w0 < ${reisen + "/tf.authorized_keys"})" \ INPUT_TF_SSH_AUTHORIZEDKEYS="$(base64 -w0 < ${reisen + "/tf.authorized_keys"})" \
INPUT_SUBUID="$(base64 -w0 < ${reisen + "/subuid"})" \
INPUT_SUBGID="$(base64 -w0 < ${reisen + "/subgid"})" \
INPUT_INFRA_SETUP="$(base64 -w0 < ${reisen + "/setup.sh"})" \ INPUT_INFRA_SETUP="$(base64 -w0 < ${reisen + "/setup.sh"})" \
INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${reisen + "/bin/putfile64.sh"})" \ INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${reisen + "/bin/putfile64.sh"})" \
INPUT_INFRA_PVE="$(base64 -w0 < ${reisen + "/bin/pve.sh"})" \ INPUT_INFRA_PVE="$(base64 -w0 < ${reisen + "/bin/pve.sh"})" \


@ -2,6 +2,18 @@
"lxc": { "lxc": {
"lxc.mount.entry": [ "lxc.mount.entry": [
"/dev/net/tun dev/net/tun none bind,optional,create=file" "/dev/net/tun dev/net/tun none bind,optional,create=file"
],
"lxc.idmap": [
"u 0 100000 8000",
"g 0 100000 8000",
"u 8000 8000 128",
"g 8000 8000 256",
"u 8128 108128 57406",
"g 8256 108256 57278",
"u 65534 65534 1",
"g 65534 65534 1",
"u 65535 165535 1",
"g 65535 165535 1"
] ]
} }
} }
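Review bot: The same ten-entry `lxc.idmap` table is hand-copied here and into the sections with the `/mnt/kyuuto-media` mounts and the `/dev/ttyZigbee` mount, and every entry has to agree exactly with the new `systems/reisen/subuid` and `subgid` files or the container will refuse to start, so this is better generated from a single Nix value that also produces those two files. The table passes container uids 8000-8127 and gids 8000-8255 through to the host unchanged, so a process in any of these containers running as one of the static users (or in peeps/kyuuto) holds the real host identity on every bind mount listed above; that appears to be the purpose of the commit, but it should be recorded next to the definition. The `u 65534 65534 1` / `g 65534 65534 1` entries also map container nobody/nogroup onto host 65534 rather than into the 100000+ shifted range, which departs from the default unprivileged layout — confirm that is intended. JSON has no comment syntax, so the explanation belongs in whatever Nix expression emits this table, or in a README beside the subuid/subgid files.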


@ -16,8 +16,14 @@
''; '';
in { in {
users.users.${username} = { users.users.${username} = {
uid = 4000;
hashedPasswordFile = config.sops.secrets.tf-proxmox-passwd.path; hashedPasswordFile = config.sops.secrets.tf-proxmox-passwd.path;
isNormalUser = true; isNormalUser = true;
autoSubUidGidRange = false;
group = username;
};
users.groups.${username} = {
gid = config.users.users.${username}.uid;
}; };
services.openssh = { services.openssh = {
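Review bot: `uid = 4000;` is the only static id in this commit that falls outside the 8000-8127 / 8000-8255 passthrough windows used by the lxc.idmap and subuid/subgid files, so if this module were ever evaluated inside one of those containers the tf user would be shifted to a 100000+ host id rather than shared; presumably that is deliberate because this user only needs to exist on the host it is defined for, but a one-line comment such as `# 4000: deliberately outside the 8000+ host-shared range` would stop a later cleanup from moving it. The `users.groups.${username}.gid = config.users.users.${username}.uid;` pairing is repeated verbatim for kat and arc in this commit and would fit the same shared helper. The enclosing `let … in` module body starts above this hunk and continues below `services.openssh`.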


@ -4,6 +4,18 @@
"/mnt/kyuuto-media/library mnt/kyuuto-media/library none bind,optional,create=dir", "/mnt/kyuuto-media/library mnt/kyuuto-media/library none bind,optional,create=dir",
"/mnt/kyuuto-media/downloads/deluge mnt/kyuuto-media/downloads/deluge none bind,optional,create=dir", "/mnt/kyuuto-media/downloads/deluge mnt/kyuuto-media/downloads/deluge none bind,optional,create=dir",
"/dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file" "/dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file"
],
"lxc.idmap": [
"u 0 100000 8000",
"g 0 100000 8000",
"u 8000 8000 128",
"g 8000 8000 256",
"u 8128 108128 57406",
"g 8256 108256 57278",
"u 65534 65534 1",
"g 65534 65534 1",
"u 65535 165535 1",
"g 65535 165535 1"
] ]
} }
} }


@ -16,6 +16,13 @@ EOF
cat $TMP_KEYFILE > /etc/pve/priv/authorized_keys cat $TMP_KEYFILE > /etc/pve/priv/authorized_keys
rm $TMP_KEYFILE rm $TMP_KEYFILE
base64 -d > /etc/subuid <<EOF
$INPUT_SUBUID
EOF
base64 -d > /etc/subgid <<EOF
$INPUT_SUBGID
EOF
if [[ ! -d /home/tf ]]; then if [[ ! -d /home/tf ]]; then
echo setting up pve terraform user... >&2 echo setting up pve terraform user... >&2
groupadd -g 1001 tf groupadd -g 1001 tf
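Review bot: The two new heredocs replace `/etc/subuid` and `/etc/subgid` wholesale on every run, so any entry another tool or a later `useradd` added on the host is discarded, and because the redirection opens the file before `base64 -d` runs, a decode failure leaves a truncated file behind and unprivileged containers on the host can stop starting until it is repaired. Decoding into a temporary file and renaming keeps the replacement atomic: `base64 -d <<<"$INPUT_SUBUID" > /etc/subuid.tmp && mv /etc/subuid.tmp /etc/subuid`, and likewise for subgid. Whether `set -e` is in effect is not visible in this hunk, so the `&&` guard is worth keeping either way. The `if [[ ! -d /home/tf ]]` block that follows continues outside the hunk.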

3
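--- a/systems/reisen/subgid
+++ b/systems/reisen/subgid
@@ -0,0 +1,3 @@
+root:100000:65536
+root:65534:1
+root:8000:256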

3
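--- a/systems/reisen/subuid
+++ b/systems/reisen/subuid
@@ -0,0 +1,3 @@
+root:100000:65536
+root:65534:1
+root:8000:128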


@ -3,6 +3,18 @@
"lxc.mount.entry": [ "lxc.mount.entry": [
"/dev/ttyZigbee dev/ttyZigbee none bind,optional,create=file", "/dev/ttyZigbee dev/ttyZigbee none bind,optional,create=file",
"/dev/net/tun dev/net/tun none bind,optional,create=file" "/dev/net/tun dev/net/tun none bind,optional,create=file"
],
"lxc.idmap": [
"u 0 100000 8000",
"g 0 100000 8000",
"u 8000 8000 128",
"g 8000 8000 256",
"u 8128 108128 57406",
"g 8256 108256 57278",
"u 65534 65534 1",
"g 65534 65534 1",
"u 65535 165535 1",
"g 65535 165535 1"
] ]
} }
} }