commit a4b997fcf214bae5ff997d506d25db4caae12eea
parent 8f736f2a35561a64d20427b9fab3e4ddc1df6852
Author: Leah (ctucx) <git@ctu.cx>
Date: Sun, 27 Nov 2022 19:33:47 +0100
configurations/linux: disable mutableUsers
3 files changed, 31 insertions(+), 15 deletions(-)
diff --git a/configurations/linux/default.nix b/configurations/linux/default.nix @@ -66,6 +66,9 @@ acme.defaults.email = "letsencrypt@ctu.cx"; }; + age.secrets.leah-systempassword.file = ../../secrets/passwords/leah.age; + + users.mutableUsers = false; users.users = { root.openssh.authorizedKeys.keys = [ @@ -74,7 +77,7 @@ leah = { isNormalUser = true; - initialPassword = "foobar123"; + passwordFile = config.age.secrets.leah-systempassword.path; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. openssh.authorizedKeys.keys = [ "ssh-rsa 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 cardno:6445161"
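Review bot: With `users.mutableUsers = false` (first hunk), the `passwordFile` line in the second hunk becomes the only source of leah's password, so every host importing this shared file must be able to decrypt `passwords/leah.age` at activation. A host that is not a recipient, or whose SSH host key is not yet in place on first boot, would presumably leave leah without a usable password, which matters for a `wheel` account. `passwordFile` is read as a password hash rather than plaintext, which the encrypted blob cannot confirm from here; a comment above the line such as `# must hold a mkpasswd hash; every importing host must be a recipient in secrets/secrets.nix` would record both requirements. The removed literal stays in history, so it should not be the value inside the new secret. The `users.users` attribute set continues past the end of the hunk.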
diff --git a/secrets/passwords/leah.age b/secrets/passwords/leah.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> X25519 hk9u0tAPBqc+UANYbsKsAGckJrwew8Qxh5v4URMr3hw +Q3SkWwpzmPmzmiO+v+5pO8UkTImXotmuaiJlro4hyYY +-> ssh-ed25519 V0uUrw UsxoYQu3brvF1XDv0RSVhAM7OSukIONblP+Lmadx0B4 +sdRPt4nmD5ZIvp4li99jr3AslUKVUqegLVwZe4Gc/8E +-> ssh-ed25519 VgQ62A GY7xcqJ2kazyGaNgRKFI+xrQtC/zmcmA0s5thZ0Q1xU +zuG28Uk4PNa/0U8Q2Q7w7qOtlEWYCapwChN8e8i9bS0 +-> ssh-ed25519 2LuoZg QVOBcXehDS0tX/UKHPVYHG11iAVsWHN99zR/5EQFrB4 +00s3A8kA+WcB+7oCIIj7F02jmMlci99pEaKMeKe3Ra8 +-> ssh-ed25519 NrwbpQ flGl7jiBc/kP1GpdtW6n55hw7iyLXZvKmlKLTxMzqSQ +iHzkjd89rEj6yvDcD4hCfoG4mXvVnSA16X97/uqu08I +-> ssh-ed25519 sh8POQ YqkVovv+0C9d4jWraB/EGUebev2GGXUQMgqQ6oXU0QU +WrwKptEcw/bMHj4fCYdMmv+dzPdNlxRRKga4Op2BBy0 +-> (<>Dj-grease s8; E@I y6K(Y GL +wJ1OieVRIRB3YiGW6CONjxHxev/jK+oIVVNVnbIa380 +--- MNy9geXjmnFBsWYsMJPyVEwseaPn0H/o1o2pJXvr70Y +OʹW5 V貂``.-|W.G;JuaNi}>IRɽT <N }VW;&(pzv+&j$=$LM_ߑ)ap+ \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix @@ -5,17 +5,19 @@ let #servers lollo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNCdn6aHCgxG1tq5f0XPvQ+lIgsQ/3gzT6FNvokOIgX"; desastro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEniZFbgj9w7fQ+MhTnE83MatgcuDI7c7qqx05DTQcun"; - taurus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICV+KOqhtBmT5/I6mGvzk4oOdcxdlHazxkDbSXWrVTjk"; - hector = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWH8uGtxkYfv3CA5Q3qqOvbaTvp9KItrdSiKXZdDUsx"; - trabbi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLBBZJ9/644d71E8A7IFU7dvDHI+OR/7q79KvqmI/i/"; + + trabbi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLBBZJ9/644d71E8A7IFU7dvDHI+OR/7q79KvqmI/i/"; + wanderduene = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+HWYkFCmuHR8HeExYXc2L9CxRdvYZ1UCkbbeDCvF0u"; + hector = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWH8uGtxkYfv3CA5Q3qqOvbaTvp9KItrdSiKXZdDUsx"; in { - "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi taurus desastro lollo hector ]; + "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi desastro lollo hector wanderduene ]; + "passwords/leah.age".publicKeys = [ leah trabbi desastro lollo hector wanderduene ]; - "restic-server/lollo.age".publicKeys = [ leah trabbi taurus hector lollo ]; - "restic-server/desastro.age".publicKeys = [ leah trabbi taurus hector lollo ]; - "restic-server/hector.age".publicKeys = [ leah trabbi taurus hector lollo desastro ]; + "restic-server/lollo.age".publicKeys = [ leah trabbi hector lollo ]; + "restic-server/desastro.age".publicKeys = [ leah trabbi hector lollo ]; + "restic-server/hector.age".publicKeys = [ leah trabbi hector lollo desastro ]; "coladose/syncthing/key.age".publicKeys = [ leah coladose ]; 
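Review bot: The recipient lists in the `in { … }` set change, but none of the existing ciphertexts is re-keyed in this commit: the diffstat lists three files and the only encrypted one is the new `secrets/passwords/leah.age`. Until `passwords/leah-at-f2k1-de.age` and the `restic-server/*.age` files are re-encrypted (`agenix --rekey`), wanderduene cannot read the former and all of them presumably still carry a stanza for taurus. Dropping taurus from the lists (and its own entries in the next hunk) revokes nothing that is already in history, so unless that host key is known to be destroyed, the secrets it could read should be rotated. `passwords/leah.age` has no `coladose` recipient although that host is used further down in this hunk; if coladose imports `configurations/linux/default.nix`, it needs to be added here. A comment above that line, e.g. `# recipients must cover every host importing configurations/linux`, would keep the two files in step.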
@@ -57,13 +59,6 @@ in { "desastro/restic/syncthing-wiki.age".publicKeys = [ leah desastro ]; - "taurus/syncthing/key.age".publicKeys = [ leah taurus ]; - "taurus/syncthing/cert.age".publicKeys = [ leah taurus ]; - - "taurus/restic/pleroma.age".publicKeys = [ leah taurus ]; - "taurus/restic/matrix-synapse.age".publicKeys = [ leah taurus ]; - - "hector/restic-server-htpasswd.age".publicKeys = [ leah hector ];