migrate to cerubld user

do butterflies cry? 2026-03-07 23:48:38 +10:00
parent 6b579dff1e
commit 630389a598
Signed by: cry
GPG key ID: F68745A836CA0412
3 changed files with 116 additions and 22 deletions


@ -13,29 +13,32 @@
# limitations under the License. # limitations under the License.
{ {
root, root,
pkgs,
system, system,
hostname,
node,
pkgs,
lib,
_cerulean, _cerulean,
... ...
} @ args: { } @ args: {
imports = with _cerulean.inputs; imports =
[ [
_cerulean.inputs.sops-nix.nixosModules.sops
# _cerulean.inputs.microvm.nixosModules.microvm
# add support for `options.legacyImports` # add support for `options.legacyImports`
# ./legacy-imports.nix # ./legacy-imports.nix
# user configuration # nixos options declarations
(import /${root}/nixpkgs.nix)
# options declarations
(import ./nixpkgs.nix (args // {contextName = "hosts";})) (import ./nixpkgs.nix (args // {contextName = "hosts";}))
sops-nix.nixosModules.sops # user's nixpkg configuration
# microvm.nixosModules.microvm (import /${root}/nixpkgs.nix)
] ]
++ ( # homemanager options declarations
if _cerulean.homeManager != null ++ (lib.optional (_cerulean.homeManager != null) ./home.nix)
then [./home.nix] # remote deployment configuration
else [] ++ (lib.optional (node.deploy.ssh.host != null) ./remote-deploy);
);
networking.hostName = lib.mkDefault hostname; networking.hostName = lib.mkDefault hostname;
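Review bot: The `lib.optional (node.deploy.ssh.host != null) ./remote-deploy` test on the last added import line keys the whole remote-deployment module off the option's new `null` default, so a node configuration that still sets `host = ""` (the previous default, changed in this same commit) will now pull in `./remote-deploy` on a host that is not actually deployed remotely, along with the sudo-rs and sshd settings that module applies. Consider treating the empty string like `null`, e.g. `++ (lib.optional (node.deploy.ssh.host != null && node.deploy.ssh.host != "") ./remote-deploy);`, or call out the default change in the option description. The enclosing module attrset opened at `} @ args: {` continues past the end of the hunk.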


@ -0,0 +1,72 @@
{
config,
node,
lib,
pkgs,
hostname,
...
}: let
user = node.deploy.ssh.user;
cfg = config.users.users.${user};
DEFAULT_USER = "cerubld";
isStandardDeployUser = user == DEFAULT_USER;
in {
assertions = [
{
assertion = builtins.length node.deploy.ssh.publicKeys != 0;
message = ''
The Cerulean deployment user `${user}` for node `${hostname}` must have at least
one publicKey authorized for ssh deployment! Try setting `nodes.nodes.<name>.deploy.ssh.publicKeys = [ ... ]` <3
'';
}
{
assertion = cfg.isSystemUser && !cfg.isNormalUser;
message = ''
The Cerulean deployment user `${user}` for node `${hostname}` has been configured incorrectly.
Ensure `users.users.${user}.isSystemUser == true` and `users.users.${user}.isNormalUser == false`.
'';
}
];
warnings = lib.optional (node.deploy.warnNonstandardDeployUser && !isStandardDeployUser) ''
The Cerulean deplyment user `${user}` for node `${hostname}` has been overriden.
It is recommended to leave this user as `${DEFAULT_USER}` unless you TRULY understand what you are doing!
This message can be disabled by setting `<node>.deploy.warnNonstandardBuildUser = false`.
'';
# prefer sudo-rs over sudo
security.sudo-rs = {
enable = true;
wheelNeedsPassword = true;
# allow the build user to run nix commands
extraRules = [
{
users = [user];
runAs = "${node.deploy.user}:ALL";
commands = [
"${pkgs.nix}/bin/nix"
];
}
];
};
# ensure deployment user has SSH permissions
services.openssh.settings.AllowUsers = [user];
users = lib.mkIf isStandardDeployUser {
groups.${user} = {};
users.${user} = {
enable = true;
isSystemUser = true;
group = user;
description = "Cerulean's user for building and remote deployment.";
shell = pkgs.bash;
openssh.authorizedKeys.keys = node.deploy.ssh.publicKeys;
};
};
}
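Review bot: The warning text near the middle of the new file tells the reader to silence it with `<node>.deploy.warnNonstandardBuildUser = false`, but the option actually read at the top of the block (and declared in the options file in this commit) is `warnNonstandardDeployUser`, so the hint names an option that does not exist; the same string also misspells "deplyment" and "overriden". Replace `warnNonstandardBuildUser` with `warnNonstandardDeployUser` in that line and fix the two typos. Separately, `services.openssh.settings.AllowUsers = [user]` is a merged list, so if no other module contributes to `AllowUsers` this makes the deployment user the only account permitted to log in over SSH on that host; a comment such as `# NOTE: AllowUsers is restrictive — any other SSH login user must be added to it elsewhere` at that line would save the next maintainer a lockout. Finally, the `extraRules` entry grants `nix` as `${node.deploy.user}` without a `NOPASSWD` option, and the system user created below has no password configured, so a non-interactive deploy would presumably be prompted and fail unless `interactiveSudo` is in use — confirm against the deploy path that consumes that option.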


@ -59,23 +59,32 @@
default = "root"; default = "root";
example = "admin"; example = "admin";
description = '' description = ''
The user that the system derivation will be deployed to. The command specified in The user that the system derivation will be built with. The command specified in
`<node>.deploy.sudoCmd` will be used if `<node>.deploy.user` is not the `<node>.deploy.sudoCmd` will be used if `<node>.deploy.user` is not the
same as `<node>.deploy.ssh.user` the same as above). same as `<node>.deploy.ssh.user` the same as above).
''; '';
}; };
sudoCmd = mkOption { warnNonstandardDeployUser = mkOption {
type = types.str; type = types.bool;
default = "sudo -u"; default = true;
example = "doas -u"; example = false;
description = '' description = ''
Which sudo command to use. Must accept at least two arguments: Disables the warning that shows when `deploy.ssh.user` is set to a non-standard value.
1. the user name to execute commands as
2. the rest is the command to execute
''; '';
}; };
# sudoCmd = mkOption {
# type = types.str;
# default = "sudo -u";
# example = "doas -u";
# description = ''
# Which sudo command to use. Must accept at least two arguments:
# 1. the user name to execute commands as
# 2. the rest is the command to execute
# '';
# };
interactiveSudo = mkOption { interactiveSudo = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -145,8 +154,8 @@
ssh = { ssh = {
host = mkOption { host = mkOption {
type = types.str; type = types.nullOr types.str;
default = ""; default = null;
example = "dobutterfliescry.net"; example = "dobutterfliescry.net";
description = '' description = ''
The host to connect to over ssh during deployment The host to connect to over ssh during deployment
@ -171,6 +180,16 @@
''; '';
}; };
publicKeys = mkOption {
type = types.listOf types.str;
default = [];
example = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeyZuUUmyUYrYaEJwEMvcXqZFYm1NaZab8klOyK6Imr me@puter"];
description = ''
SSH public keys that will be authorized to the deployment user.
This key is intended solely for deployment, allowing for fine-grained permission control.
'';
};
opts = mkOption { opts = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];