From ec8751941bbc81ad5b8512086a8f95f09611dbe2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kjetil=20=C3=98rbekk?=
Date: Thu, 23 Aug 2018 19:51:28 -0400
Subject: Add readonly user

---
 config/users.nix | 22 ++++++++++++++++++++--
 config/web-server.nix | 2 +-
 machines/dragon.nix | 6 ++++++
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/config/users.nix b/config/users.nix
index 0eb7dcb..c6acbe8 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -9,13 +9,17 @@ in {
 home = "/home/orbekk";
 uid = 1000;
 description = "KJ";
- extraGroups = ["wheel" "networkmanager" "dialout" "uucp" "audio" "plugdev" "lxd"];
+ extraGroups = ["wheel" "networkmanager" "dialout" "uucp" "audio" "plugdev" "lxd" "readonly"];
 openssh.authorizedKeys.keyFiles = [
 ../data/pincer_rsa.pub
 ../data/yubikey_rsa.pub
 ];
 };
- fcgi = { name = "fcgi"; group = "fcgi"; uid = 500; };
+ fcgi = {
+ group = "fcgi";
+ extraGroups = ["readonly"];
+ uid = 500;
+ };
 systemhttpd = {
 name = "systemhttpd";
 group = "systemhttpd";
@@ -44,6 +48,19 @@ in {
 uid = 505;
 home = "/var/lib/terraria";
 };
+ readonly = {
+ group = "readonly";
+ createHome = false;
+ uid = 506;
+ useDefaultShell = true;
+ home = "/storage";
+ };
+ mpd = lib.optionalAttrs config.services.mpd.enable {
+ extraGroups = ["readonly"];
+ };
+ nginx = lib.optionalAttrs config.services.nginx.enable {
+ extraGroups = ["readonly"];
+ };
 };
 extraGroups = {
 fcgi = { name = "fcgi"; gid = 500; };
@@ -52,6 +69,7 @@ in {
 linoquotes = { name = "linoquotes"; gid = 503; };
 stats = { name = "stats"; gid = 504; };
 terraria = { name = "terraria"; gid = 505; };
+ readonly = { gid = 506; };
 };
 };
 }
diff --git a/config/web-server.nix b/config/web-server.nix
index 9dfe528..4a126dc 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -90,7 +90,7 @@
 };
 };
 "kufieta.net" = template // {
- locations."/".proxyPass = "http://10.0.20.13";
+ # locations."/".proxyPass = "http://10.0.20.13";
 };
 };
 };
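Review bot: Adding the `fcgi` service account to `readonly` (and `nginx`/`mpd` in the next hunk) widens the trust boundary of that group: any code running as fcgi — every FastCGI app it hosts — now reads whatever the group can read under /storage, not only the dedicated `readonly` account. If a single app needs that data, giving that app its own user with the group membership keeps the reach narrower than granting it to the shared fcgi user. A one-line comment naming which consumer needs /storage, e.g. `extraGroups = ["readonly"]; # <app name> serves files from /storage`, would make the grant auditable later. The enclosing `users.users` set starts before this hunk.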
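Review bot: `mpd = lib.optionalAttrs config.services.mpd.enable { ... }` evaluates to `mpd = {}` when mpd is disabled, and an empty attribute set still declares a `users.users.mpd` account with default settings on hosts that never enable mpd; the `nginx` entry below has the same shape. The usual fix is a conditional definition rather than a conditional value, `mpd = lib.mkIf config.services.mpd.enable { extraGroups = ["readonly"]; };`, which I believe the module system drops entirely when the condition is false. Separately, `useDefaultShell = true` gives the `readonly` account a full interactive login shell, so the name "readonly" is enforced only by the mode bits on /storage, not by the account itself; if it exists solely to expose /storage, a non-login shell or an SFTP-only restriction in sshd limits what a valid password buys. The enclosing `users.users` set starts before this hunk.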
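Review bot: Commenting out `locations."/".proxyPass = "http://10.0.20.13";` leaves `"kufieta.net" = template // { };` with no record of why the backend was taken out, and the dead line will go stale. Either delete it outright (git keeps the history) or replace it with a one-line comment stating the reason and the condition for restoring it, e.g. `# upstream 10.0.20.13 disabled: <reason> — restore proxyPass when <condition>`. Whether `template` alone produces a sensible response for this host is not visible in the hunk.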
diff --git a/machines/dragon.nix b/machines/dragon.nix
index d6b72ec..0fa5559 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -139,10 +139,16 @@ in
 # XXX: temorary hack because of an accidental upgrade.
 systemd.services.lxd.serviceConfig.ExecStart = lib.mkForce "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd";
+ # Required to enable password authentication for one user.
+ security.pam.services.sshd.unixAuth = lib.mkForce true;
 services = {
 openssh = {
 enable = lib.mkDefault true;
 passwordAuthentication = false;
+ extraConfig = ''
+ Match User readonly
+ PasswordAuthentication yes
+ '';
 };
 };
-- 
cgit v1.2.3
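Review bot: The `Match User readonly` block turns password authentication back on for that account but attaches no other restriction, so a guessed or leaked password yields whatever the account's shell allows (the users.nix hunk gives it the default login shell), plus TCP forwarding through the host. Since the account exists to expose /storage, the Match block should confine the session to read-only SFTP and disable forwarding; if /storage is root-owned and not group/world-writable, `ChrootDirectory` can pin it there as well, otherwise drop that line. The `security.pam.services.sshd.unixAuth = lib.mkForce true;` line is also global PAM state, not per-user, and its comment should say so — it is sshd's `PasswordAuthentication no` that keeps other accounts closed, e.g. `# Global: lets PAM check unix passwords for sshd; only the Match block below actually permits password logins.`. How the readonly account's password is provisioned is not shown in this commit.
```nix
      extraConfig = ''
        # Password login is permitted only for this account; confine it to
        # read-only SFTP so a valid password never yields a shell or tunnel.
        Match User readonly
          PasswordAuthentication yes
          ForceCommand internal-sftp
          ChrootDirectory /storage
          AllowTcpForwarding no
          X11Forwarding no
          PermitTTY no
      '';
```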