-
Notifications
You must be signed in to change notification settings - Fork 62
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(user accounts): new ghaf user account setup
- introducing userborn - disabling mutable users - re-factoring ghaf account to admin account - introducing login user account with homed + auxiliary accounts - impermanence flake input pinned to userborn patch - /etc/machine-id (gui-vm) is currently hardcoded as login user identity file depends on it. It should be generated on first boot and persistet. Workaround is available upstream (after userborn patch) in impermanence but does not seem to work with our setup, investigation required - reverts .face patch, works by copying .face to user home - known login incoveniences: wrong password entry on lock results in multiple errors, user needs to click login if fprint is enabled (only for login not lock) Signed-off-by: Manuel Bluhm <[email protected]>
- Loading branch information
Showing
41 changed files
with
946 additions
and
390 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,106 @@ | ||
# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ | ||
config, | ||
lib, | ||
... | ||
}: | ||
let | ||
cfg = config.ghaf.users.admin; | ||
inherit (lib) | ||
mkIf | ||
types | ||
mkOption | ||
optionals | ||
; | ||
in | ||
{ | ||
options.ghaf.users.admin = { | ||
enable = mkOption { | ||
description = "Enable the admin user account. Enabled by default."; | ||
type = types.bool; | ||
default = true; | ||
}; | ||
name = mkOption { | ||
description = "Admin account name. Defaults to 'ghaf'."; | ||
type = types.str; | ||
default = "ghaf"; | ||
}; | ||
uid = mkOption { | ||
description = "User identifier (uid) for the admin account."; | ||
type = types.int; | ||
default = 1001; | ||
}; | ||
initialPassword = mkOption { | ||
description = "Default password for the admin user account."; | ||
type = types.nullOr types.str; | ||
default = "ghaf"; | ||
}; | ||
initialHashedPassword = mkOption { | ||
description = "Initial hashed password for the admin user account."; | ||
type = types.nullOr types.str; | ||
default = null; | ||
}; | ||
hashedPassword = mkOption { | ||
description = "Hashed password for live updates."; | ||
type = types.nullOr types.str; | ||
default = null; | ||
}; | ||
extraGroups = mkOption { | ||
description = "Extra groups for the admin user."; | ||
type = types.listOf types.str; | ||
default = [ ]; | ||
}; | ||
}; | ||
|
||
config = mkIf cfg.enable { | ||
|
||
# Assertions | ||
assertions = [ | ||
{ | ||
assertion = | ||
(cfg.initialPassword != null) | ||
|| (cfg.initialHashedPassword != null) | ||
|| (cfg.hashedPassword != null); | ||
message = '' | ||
No password set for the admin account. Please set one of the following options: | ||
- initialPassword | ||
- initialHashedPassword | ||
- hashedPassword | ||
to allow admin login. | ||
''; | ||
} | ||
]; | ||
|
||
users = { | ||
users = { | ||
"${cfg.name}" = { | ||
isNormalUser = true; | ||
inherit (cfg) initialPassword; | ||
inherit (cfg) initialHashedPassword; | ||
inherit (cfg) hashedPassword; | ||
inherit (cfg) uid; | ||
createHome = false; | ||
home = "/var/empty"; | ||
extraGroups = | ||
[ | ||
"wheel" | ||
"video" | ||
] | ||
++ cfg.extraGroups | ||
++ optionals config.security.tpm2.enable [ "tss" ] | ||
++ optionals config.ghaf.virtualization.docker.daemon.enable [ "docker" ]; | ||
}; | ||
}; | ||
groups = { | ||
"${cfg.name}" = { | ||
inherit (cfg) name; | ||
members = [ cfg.name ]; | ||
}; | ||
}; | ||
}; | ||
|
||
# to build ghaf as admin with caches | ||
nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [ cfg.name ]; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ | ||
config, | ||
lib, | ||
... | ||
}: | ||
let | ||
inherit (lib) mkDefault hasAttr; | ||
hasStorageVm = (hasAttr "storagevm" config.ghaf) && config.ghaf.storagevm.enable; | ||
in | ||
{ | ||
# Common ghaf user settings | ||
config = { | ||
|
||
# Disable mutable users | ||
users.mutableUsers = mkDefault false; | ||
|
||
# Enable userborn | ||
services.userborn = { | ||
enable = mkDefault true; | ||
passwordFilesLocation = if hasStorageVm then "/var/lib/nixos" else "/etc"; | ||
}; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# Copyright 2024 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ | ||
imports = [ | ||
./common.nix | ||
./admin.nix | ||
./desktop.nix | ||
./managed.nix | ||
]; | ||
} |
Oops, something went wrong.