Increase security: sudo with password, no more docker group for users
This commit is contained in:
parent
2ae3375592
commit
230c1d727b
3 changed files with 38 additions and 18 deletions
|
@ -115,7 +115,6 @@ in
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"wheel" # Enable ‘sudo’ for the user.
|
"wheel" # Enable ‘sudo’ for the user.
|
||||||
"video" # Having fun with links -g
|
"video" # Having fun with links -g
|
||||||
"docker" # Enable management of Docker containers
|
|
||||||
];
|
];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
# Keys for accessing nodes from outside
|
# Keys for accessing nodes from outside
|
||||||
|
@ -126,7 +125,7 @@ in
|
||||||
|
|
||||||
users.users.quentin = {
|
users.users.quentin = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" "docker" ];
|
extraGroups = [ "wheel" ];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io"
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr"
|
||||||
|
@ -135,7 +134,7 @@ in
|
||||||
|
|
||||||
users.users.adrien = {
|
users.users.adrien = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" "docker" ];
|
extraGroups = [ "wheel" ];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBfVX+iQSHl3V0el3/y2Rtl9Q/nrmLoTE3oXnR+16yX7g8HvzU871q89jbE/UWvNRvO4hirTcKF8yojuq8ZRCoUcQO+6/YlPrY/2G8kFhPTlUGDQ+mLT+ancZsom4mkg3I9oQjKZ9qxMD1GuU8Ydz4eXjhJ8OGFZhBpEgnrLmdA53Y5d2fCbaZN5EYD4sWEFYN7xBLxTGNwv0gygiPs967Z4/ZfHngTvqVoS9wnQThSCIoXPTWFAJCkN8dC5tPZwnbOT1bGcYUF0VTrcaD6cU6Q1ZRrtyqXxnnyxpQCAoe2hgdIm+LnDsBx9trfPauqi0dXi36X8pLmudW1f1RmKWT adrien@bacigalupi"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBfVX+iQSHl3V0el3/y2Rtl9Q/nrmLoTE3oXnR+16yX7g8HvzU871q89jbE/UWvNRvO4hirTcKF8yojuq8ZRCoUcQO+6/YlPrY/2G8kFhPTlUGDQ+mLT+ancZsom4mkg3I9oQjKZ9qxMD1GuU8Ydz4eXjhJ8OGFZhBpEgnrLmdA53Y5d2fCbaZN5EYD4sWEFYN7xBLxTGNwv0gygiPs967Z4/ZfHngTvqVoS9wnQThSCIoXPTWFAJCkN8dC5tPZwnbOT1bGcYUF0VTrcaD6cU6Q1ZRrtyqXxnnyxpQCAoe2hgdIm+LnDsBx9trfPauqi0dXi36X8pLmudW1f1RmKWT adrien@bacigalupi"
|
||||||
];
|
];
|
||||||
|
@ -143,7 +142,7 @@ in
|
||||||
|
|
||||||
users.users.maximilien = {
|
users.users.maximilien = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" "docker" ];
|
extraGroups = [ "wheel" ];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5"
|
||||||
];
|
];
|
||||||
|
@ -151,15 +150,12 @@ in
|
||||||
|
|
||||||
users.users.kokakiwi = {
|
users.users.kokakiwi = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" "docker" ];
|
extraGroups = [ "wheel" ];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Passwordless sudo
|
|
||||||
security.sudo.wheelNeedsPassword = false;
|
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
|
24
deploy.sh
24
deploy.sh
|
@ -8,6 +8,8 @@ else
|
||||||
NIXHOSTLIST="$@"
|
NIXHOSTLIST="$@"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
TMP_PATH=/tmp/tmp-deploy-$(date +%s)
|
||||||
|
|
||||||
for NIXHOST in $NIXHOSTLIST; do
|
for NIXHOST in $NIXHOSTLIST; do
|
||||||
NIXHOST=${NIXHOST%.*}
|
NIXHOST=${NIXHOST%.*}
|
||||||
|
|
||||||
|
@ -21,13 +23,25 @@ for NIXHOST in $NIXHOSTLIST; do
|
||||||
|
|
||||||
echo "Sending NixOS config files"
|
echo "Sending NixOS config files"
|
||||||
|
|
||||||
cat configuration.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/configuration.nix > /dev/null
|
ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH
|
||||||
cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/node.nix > /dev/null
|
cat configuration.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
|
||||||
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/site.nix > /dev/null
|
cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
|
||||||
|
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
|
||||||
|
|
||||||
echo "Sending secret files"
|
echo "Sending secret files"
|
||||||
test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST sudo tee /root/rclone.conf > /dev/null)
|
test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/rclone.conf > /dev/null)
|
||||||
|
|
||||||
echo "Rebuilding NixOS"
|
echo "Rebuilding NixOS"
|
||||||
ssh -F ssh_config $SSH_DEST sudo nixos-rebuild switch
|
|
||||||
|
ssh -F ssh_config $SSH_DEST tee $TMP_PATH/deploy.sh > /dev/null <<EOF
|
||||||
|
set -ex
|
||||||
|
|
||||||
|
cd $TMP_PATH
|
||||||
|
mv configuration.nix node.nix site.nix /etc/nixos
|
||||||
|
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
|
||||||
|
nixos-rebuild switch
|
||||||
|
EOF
|
||||||
|
|
||||||
|
ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
|
||||||
|
ssh -F ssh_config $SSH_DEST rm -rv $TMP_PATH
|
||||||
done
|
done
|
||||||
|
|
20
upgrade.sh
20
upgrade.sh
|
@ -8,6 +8,8 @@ else
|
||||||
NIXHOSTLIST="$@"
|
NIXHOSTLIST="$@"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
TMP_SCRIPT=/tmp/tmp-upgrade-$(date +%s).sh
|
||||||
|
|
||||||
for NIXHOST in $NIXHOSTLIST; do
|
for NIXHOST in $NIXHOSTLIST; do
|
||||||
NIXHOST=${NIXHOST%.*}
|
NIXHOST=${NIXHOST%.*}
|
||||||
|
|
||||||
|
@ -19,10 +21,18 @@ for NIXHOST in $NIXHOSTLIST; do
|
||||||
|
|
||||||
echo "==== DOING $NIXHOST ===="
|
echo "==== DOING $NIXHOST ===="
|
||||||
|
|
||||||
ssh -F ssh_config $SSH_DEST sudo nix-channel --add https://nixos.org/channels/nixos-21.11 nixos
|
ssh -F ssh_config $SSH_DEST tee $TMP_SCRIPT > /dev/null <<EOF
|
||||||
ssh -F ssh_config $SSH_DEST sudo nix-channel --update
|
set -ex
|
||||||
ssh -F ssh_config $SSH_DEST sudo nixos-rebuild boot
|
|
||||||
|
|
||||||
echo "Please reboot node manually to activate upgraded system:"
|
nix-channel --add https://nixos.org/channels/nixos-21.11 nixos
|
||||||
echo "$ ssh -F ssh_config $SSH_DEST sudo reboot"
|
nix-channel --update
|
||||||
|
nixos-rebuild boot
|
||||||
|
EOF
|
||||||
|
|
||||||
|
read -p "Press Enter to continue (run upgrade on $NIXHOST)..."
|
||||||
|
ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_SCRIPT
|
||||||
|
ssh -F ssh_config $SSH_DEST rm -v $TMP_SCRIPT
|
||||||
|
|
||||||
|
read -p "Press Enter to continue (reboot $NIXHOST)..."
|
||||||
|
ssh -t -F ssh_config $SSH_DEST sudo reboot
|
||||||
done
|
done
|
||||||
|
|
Loading…
Reference in a new issue