From 4e6bdd2ff5ccb7bdce3fa520772cdfa7f7bdc41f Mon Sep 17 00:00:00 2001 From: Alice Huston Date: Sat, 3 Feb 2024 17:24:45 -0500 Subject: [PATCH] Disable mutable-users, fix passwords globally (#71) * updated passwd * Disable mutable-users Signed-off-by: ahuston-0 * fix password config Signed-off-by: ahuston-0 * change secrets --------- Signed-off-by: ahuston-0 Co-authored-by: Richie Cahill Co-authored-by: Dennis Wuitz --- flake.lock | 102 ++++++++++++++++++++++++++++++++------ flake.nix | 11 +--- systems/configuration.nix | 5 +- users/alice/secrets.yaml | 6 +-- users/richie/secrets.yaml | 6 +-- 5 files changed, 97 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index 0a2c7bb..3ad81fc 100644 --- a/flake.lock +++ b/flake.lock @@ -152,18 +152,10 @@ "inputs": { "blobs": "blobs", "flake-compat": "flake-compat", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-23_05": [ - "nixpkgs" - ], - "nixpkgs-23_11": [ - "nixpkgs" - ], - "utils": [ - "flake-utils" - ] + "nixpkgs": "nixpkgs", + "nixpkgs-23_05": "nixpkgs-23_05", + "nixpkgs-23_11": "nixpkgs-23_11", + "utils": "utils" }, "locked": { "lastModified": 1706219574, 
@@ -273,16 +265,45 @@ "locked": { "lastModified": 1706732774, "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", - "owner": "nixos", + "owner": "NixOS", "repo": "nixpkgs", "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", "type": "github" }, "original": { - "owner": "nixos", + "id": "nixpkgs", "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "owner": "NixOS", "repo": "nixpkgs", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs-23_11": { + "locked": { + "lastModified": 1706826059, + "narHash": "sha256-N69Oab+cbt3flLvYv8fYnEHlBsWwdKciNZHUbynVEOA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "25e3d4c0d3591c99929b1ec07883177f6ea70c9d", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.11", + "type": "indirect" } }, "nixpkgs-fmt": { @@ -327,6 +348,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1706732774, + "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "c3d2-user-module": "c3d2-user-module", @@ -338,10 +375,10 @@ "nix-index-database": "nix-index-database", "nix-pre-commit": "nix-pre-commit", "nixos-modules": "nixos-modules", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-fmt": "nixpkgs-fmt", "sops-nix": "sops-nix", - "systems": "systems" + "systems": "systems_2" } }, "rust-analyzer-src": { 
@@ -398,6 +435,39 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f5f7dbc..b996293 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; systems.url = "github:nix-systems/default"; + mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; nix-index-database = { url = "github:Mic92/nix-index-database"; @@ -49,16 +50,6 @@ }; }; - mailserver = { - url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; - inputs = { - nixpkgs.follows = "nixpkgs"; - nixpkgs-23_05.follows = "nixpkgs"; - nixpkgs-23_11.follows = "nixpkgs"; - utils.follows = "flake-utils"; - }; - }; - home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/systems/configuration.nix b/systems/configuration.nix index f43bc97..4488036 100644 --- a/systems/configuration.nix +++ b/systems/configuration.nix @@ -14,7 +14,10 @@ useUserPackages = true; }; - users.defaultUserShell = pkgs.zsh; + users = { + defaultUserShell = pkgs.zsh; + mutableUsers = false; + }; networking = { firewall = { diff --git a/users/alice/secrets.yaml b/users/alice/secrets.yaml index 21da1d9..0aac289 100644 --- a/users/alice/secrets.yaml 
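Review bot: The new one-line `mailserver.url` input in flake.nix (hunk `@@ -11,6 +11,7 @@`) drops the `follows` overrides the old block carried, and the commit message does not mention this. The flake.lock hunks show the effect: `nixpkgs`, `nixpkgs-23_05`, `nixpkgs-23_11` and `utils` become separately locked nodes, three of them with `"type": "indirect"` originals that are resolved through the flake registry rather than an explicit URL. The lock file therefore carries extra nixpkgs revisions that have to be tracked and updated on their own. If that is intended, say so in a comment above the line, e.g. `# mailserver keeps its own nixpkgs pins; follows overrides dropped on purpose`; otherwise keep at least `mailserver.inputs.nixpkgs.follows = "nixpkgs";`. The `inputs` attribute set starts and ends outside this hunk.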
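Review bot: `mutableUsers = false;` in systems/configuration.nix makes every activation rebuild the account database from the declared users, but nothing in this diff shows how the sops-managed `user-password` values reach those declarations. Passwords changed with `passwd` are discarded on the next rebuild, and a password file that has not been decrypted by the time users are created can leave an account without a usable login. Please confirm that the secrets are marked `neededForUsers = true` in sops-nix and that they hold a password hash rather than plaintext for whichever option consumes them (e.g. `hashedPasswordFile`); presumably this lives in the per-user modules outside this diff. A short comment on the new line would help, e.g. `# users and passwords are fully declarative; passwd changes do not survive a rebuild`.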
+++ b/users/alice/secrets.yaml @@ -1,5 +1,5 @@ alice: - user-password: ENC[AES256_GCM,data:Mc4I/M0r8hA4w2JmVwAYUjc0V3F81YwljHjGrIsLDu8qpg8agRFSmmfwhv3dUDTpy12iaA8L9aFUqHjv+DANdTDu7UaHB9hyczqc927VrgdC2sgN8p3SYU9NxkmX4HxHS4FV1sQgtj8AntTbbI3qu7Yjn2TDXQ==,iv:/wIcTFCayBZWiPno4BwEo1o8rqM6FO0J+xUn8SmI6uQ=,tag:g6Ge+4YEcf1U7suewnOCDA==,type:str] + user-password: ENC[AES256_GCM,data:ew2R77T02LYby9fclYYqYXQBgDtKf7miFYMeS70/hj30fFw580qRCPeVicILB5UTnZCIoPf24ZCr2DGJ3UBrk8cvYQ285i0FWD/OfLAqZ/Tosi36MJKv6Nob/Z/vAltHIVqBJA5UiAU58UohbBos1lfZMWGFsg==,iv:mpIf9n4MgbbjD2jFkVGAL/lGNh5VW81FIzvmb1x/H1I=,tag:MVZRrHxxyDwu2mbRQMz9VA==,type:str] sops: kms: [] gcp_kms: [] @@ -33,8 +33,8 @@ sops: THdwZG9QQ01mamYrclhHT2dQUXhIWTQK9fxQV7RDYij2aCdfgCufUToWgoais1KI UQ7bPV0ZPhaBX4h2Q7kUk7FJwK5aGAsoBxf4KW4V78tSbz+XIyd3JQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-01T04:49:18Z" - mac: ENC[AES256_GCM,data:4TarduVMtlQWCcCY73i6xuZOAUZAVHuGVxy+Mpl5IPo+BPMTUYjMed4x/EbYSV/+j/NEvA3A5c9+MTHjDvO9ywCYjulgosSim5aNHacOpQ7rwwa7fLFyztmL2SG3ZSBdjH2H/5VXkPfpKpOmp6X/yRHxnEKa0WAJg9FKOht/P2E=,iv:iqFwMB6hid7hEq7HZ7jCYCAXoZjDypC6Qg7qqcJxfAc=,tag:A7AoIPm8IsjPgOOl4Burxg==,type:str] + lastmodified: "2024-02-03T22:20:54Z" + mac: ENC[AES256_GCM,data:X+j5RMl1RUlciT1fdLYGCzkD2AZmprmAsLhaC9Fy3zoeWlGJcC/m5g7kftPOUkha83NgOkWuaa4tjIMegQwK8snmY8R8Q6XNVuS6maYnynzFwzhGON7L33j7465onXsNqfQfa+I8AEaz69CynfbTq4L7WOLO6s8pvh1LDLi4ZvE=,iv:8uTaRrYxg6mVNIPm0Pg7S13nG2VOg/4IjVbbeilQOAg=,tag:lCrBGVRt3uYY5/fHDG2xVQ==,type:str] pgp: - created_at: "2023-12-29T19:22:00Z" enc: |- diff --git a/users/richie/secrets.yaml b/users/richie/secrets.yaml index 48cc4c6..ea03d2c 100644 --- a/users/richie/secrets.yaml +++ b/users/richie/secrets.yaml 
@@ -1,5 +1,5 @@ richie: - user-password: ENC[AES256_GCM,data:gcQaaFXQJSXgYR6L,iv:rO7hXTuiCDt4UWnnYfQrhSBMrhU359tyCjSGFde60BA=,tag:yfbD+BItaMkZQ4balezzLA==,type:str] + user-password: ENC[AES256_GCM,data:l1WF7bwzEDKoDh3lv60H2A35ndPmTSsBQeso8YksZO4UstOjtSKFF5IZJYlE6Amonl9ZFUsQFtgVN+Rg2Yh/rmlI1TBL7CZDadlYIueQh8Si1Xr6qJJMBxqT/dV7G9tH24auUVdWc7tfoEYh6qZ+n9JR47H73A==,iv:d/Xe6qxaNSWo//gPES4h1XqWPGjALQ2316LPPZZyM68=,tag:2lJEc7UrpdmeAVfNXxy7Kw==,type:str] sops: kms: [] gcp_kms: [] @@ -33,8 +33,8 @@ sops: Q0U1OUtUM1N4MGQyZnAwd1l5alVOSUUK9xe9xmC4zFpy7sukTzdHsQQjc3eFphXD 2zx2PkAvHh5lN8k+ZRd9UvZG4olrIe9KwXfmIb+6i02HgVIhA94SWw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-29T19:13:11Z" - mac: ENC[AES256_GCM,data:47aPXQ6n7AvYuYpvhk7jWjeqQnjXsSShrcboiwLja5p+VIJsOUWYtNonq45Owtlo30eQE46wJK4IJLEl8AAdotYLrpqAb0d+ox4tZq/HgVRAqG7j7aLw846KpogTUeRHH577ieoWo82+70DT1+HIyO+qB44ZYuJ7TY3BUt0MX7Q=,iv:OxDzGBEr2xBiOvPl7iUK0mwsaqHrZ/pQVLdrdTSm9tM=,tag:/2vQLyL/WmR02kWO3GHGNA==,type:str] + lastmodified: "2024-02-03T22:08:10Z" + mac: ENC[AES256_GCM,data:KUhn+0srLHqmHVPYuJV8L5CClgSABxvknaZ7DZQU8goQ9CpM6LIdys+VdsbOYPAcO/lVSzgtjX3/umuDDsJbAEwTXoJZWITCVNYXJDNvYSDke5ZSrl/xq9UugJHyvzX9HOnKXkLsxNU+VrA9EBUfrTWoYnaz+NPes9com1efvqY=,iv:GV5eIFNJuQPJliSOOb2ebkjX99WHbOtSjl1kHrAnTyc=,tag:iuFqrBbQk4ruk733pxDgoA==,type:str] pgp: - created_at: "2023-12-29T19:12:08Z" enc: |-