authorKjetil Ørbekk <kj@orbekk.com>2018-08-23 19:51:28 -0400
committerKjetil Ørbekk <kj@orbekk.com>2018-08-23 19:51:28 -0400
commitec8751941bbc81ad5b8512086a8f95f09611dbe2 (patch)
treea9d47c8a5d7f5ceab0803e43b57027f5ac611f60
parentf12affb4f352b5bb8911d69a2d70ddb1660a2b93 (diff)
Add readonly user
-rw-r--r--config/users.nix22
-rw-r--r--config/web-server.nix2
-rw-r--r--machines/dragon.nix6
3 files changed, 27 insertions, 3 deletions
diff --git a/config/users.nix b/config/users.nix
index 0eb7dcb..c6acbe8 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -9,13 +9,17 @@ in {
home = "/home/orbekk";
uid = 1000;
description = "KJ";
- extraGroups = ["wheel" "networkmanager" "dialout" "uucp" "audio" "plugdev" "lxd"];
+ extraGroups = ["wheel" "networkmanager" "dialout" "uucp" "audio" "plugdev" "lxd" "readonly"];
openssh.authorizedKeys.keyFiles = [
../data/pincer_rsa.pub
../data/yubikey_rsa.pub
];
};
- fcgi = { name = "fcgi"; group = "fcgi"; uid = 500; };
+ fcgi = {
+ group = "fcgi";
+ extraGroups = ["readonly"];
+ uid = 500;
+ };
systemhttpd = {
name = "systemhttpd";
group = "systemhttpd";
@@ -44,6 +48,19 @@ in {
uid = 505;
home = "/var/lib/terraria";
};
+ readonly = {
+ group = "readonly";
+ createHome = false;
+ uid = 506;
+ useDefaultShell = true;
+ home = "/storage";
+ };
+ mpd = lib.optionalAttrs config.services.mpd.enable {
+ extraGroups = ["readonly"];
+ };
+ nginx = lib.optionalAttrs config.services.nginx.enable {
+ extraGroups = ["readonly"];
+ };
};
extraGroups = {
fcgi = { name = "fcgi"; gid = 500; };
@@ -52,6 +69,7 @@ in {
linoquotes = { name = "linoquotes"; gid = 503; };
stats = { name = "stats"; gid = 504; };
terraria = { name = "terraria"; gid = 505; };
+ readonly = { gid = 506; };
};
};
}
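Review bot: `mpd = lib.optionalAttrs config.services.mpd.enable { … }` and the `nginx` entry below it evaluate to `{}` when the service is disabled, and an empty attrset under `users.users` still declares a user, so a host without mpd or nginx would still get a default-configured `mpd`/`nginx` account. The module system drops the whole entry when the condition is expressed with `lib.mkIf` instead: `mpd = lib.mkIf config.services.mpd.enable { extraGroups = ["readonly"]; };` (and likewise for `nginx`). Separately, the new `readonly` user gets an interactive login (`useDefaultShell = true`) and, per the dragon.nix hunk on this page, ssh password authentication, while no `hashedPassword` is declared in this hunk; if the account only needs to read `/storage`, saying so in a comment and narrowing the sshd `Match User readonly` block (for example with `ForceCommand internal-sftp`) would keep the password-authenticated account to that role.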
diff --git a/config/web-server.nix b/config/web-server.nix
index 9dfe528..4a126dc 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -90,7 +90,7 @@
};
};
"kufieta.net" = template // {
- locations."/".proxyPass = "http://10.0.20.13";
+ # locations."/".proxyPass = "http://10.0.20.13";
};
};
};
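Review bot: The commented-out `proxyPass` for `kufieta.net` leaves dead configuration in place instead of recording why the upstream was disabled, and the change is unrelated to the commit's stated purpose of adding a readonly user. With the override gone the vhost falls back to whatever `template` defines, which lies outside this hunk, so the diff does not show what `kufieta.net` now serves; a one-line comment such as `# upstream 10.0.20.13 retired; vhost now serves the template default` (or deleting the line outright) would make the intent explicit.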
diff --git a/machines/dragon.nix b/machines/dragon.nix
index d6b72ec..0fa5559 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -139,10 +139,16 @@ in
# XXX: temorary hack because of an accidental upgrade.
systemd.services.lxd.serviceConfig.ExecStart = lib.mkForce "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd";
+ # Required to enable password authentication for one user.
+ security.pam.services.sshd.unixAuth = lib.mkForce true;
services = {
openssh = {
enable = lib.mkDefault true;
passwordAuthentication = false;
+ extraConfig = ''
+ Match User readonly
+ PasswordAuthentication yes
+ '';
};
};