nixos-config/lib/fudo/users.nix

{ config, lib, pkgs, ... }:

with lib;
let

  user = import ../types/user.nix { inherit lib; };

  list-includes = list: el: isNull (findFirst (this: this == el) null list);

  filterExistingUsers = users: group-members:
    let user-list = attrNames users;
    in filter (username: list-includes user-list username) group-members;

  hostname = config.instance.hostname;
  host-cfg = config.fudo.hosts.${hostname};

in {
  options = with types; {
    fudo = {
      users = mkOption {
        type = attrsOf (submodule user.userOpts);
        description = "Users";
        default = { };
      };

      groups = mkOption {
        type = attrsOf (submodule user.groupOpts);
        description = "Groups";
        default = { };
      };

      system-users = mkOption {
        type = attrsOf (submodule user.systemUserOpts);
        description = "System users (probably not what you're looking for!)";
        default = { };
      };
    };
  };

  config = let
    sys = config.instance;
  in {
    fudo.auth.ldap-server = {
      users = filterAttrs
        (username: userOpts: userOpts.ldap-hashed-passwd != null)
        config.fudo.users;

      groups = config.fudo.groups;

      system-users = config.fudo.system-users;
    };

    programs.ssh.extraConfig = mkAfter ''
      IdentityFile %h/.ssh/id_rsa
      IdentityFile /etc/ssh/private_keys.d/%u.key
    '';

    environment.etc = mapAttrs' (username: userOpts:
      nameValuePair
        "ssh/private_keys.d/${username}"
        {
          text = concatStringsSep "\n"
            (map (keypair: readFile keypair.public-key)
              userOpts.ssh-keys);
        })
      sys.local-users;

    users = {
      users = mapAttrs (username: userOpts: {
        isNormalUser = true;
        uid = userOpts.uid;
        createHome = true;
        description = userOpts.common-name;
        group = userOpts.primary-group;
        home = if (userOpts.home-directory != null) then
          userOpts.home-directory
        else
          "/home/${userOpts.primary-group}/${username}";
        hashedPassword = userOpts.login-hashed-passwd;
        openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys;
      }) sys.local-users;

      groups = (mapAttrs (groupname: groupOpts: {
        gid = groupOpts.gid;
        members = filterExistingUsers sys.local-users groupOpts.members;
      }) sys.local-groups) // {
        wheel = { members = sys.local-admins; };
        docker = mkIf (host-cfg.docker-server) { members = sys.local-admins; };
      };
    };

    services.nfs.idmapd.settings = let
      local-domain = config.instance.local-domain;
      local-admins = config.instance.local-admins;
      local-users = config.instance.local-users;
      local-realm = config.fudo.domains.${local-domain}.gssapi-realm;
    in {
      General = {
        Verbosity = 10;
        # Domain = local-domain;
        "Local-Realms" = local-realm;
      };
      Translation = {
        GSS-Methods = "static";
      };
      Static = let
        generate-admin-entry = admin: userOpts:
          nameValuePair "${admin}/root@${local-realm}" "root";
        generate-user-entry = user: userOpts:
          nameValuePair "${user}@${local-realm}" user;

        admin-entries =
          mapAttrs' generate-admin-entry (getAttrs local-admins local-users);
        user-entries =
          mapAttrs' generate-user-entry local-users;
      in admin-entries // user-entries;
    };

    # Group home directories have to exist, otherwise users can't log in
    systemd.tmpfiles.rules = let
      groups-with-members = attrNames
        (filterAttrs (group: groupOpts: (length groupOpts.members) > 0)
          sys.local-groups);
    in map (group: "d /home/${group} 550 root ${group} - -") groups-with-members;
  };
}
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`

Checkin to see if lib gets fudo 2021-10-04 10:20:53 -07:00			`user = import ../types/user.nix { inherit lib; };`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`list-includes = list: el: isNull (findFirst (this: this == el) null list);`

			`filterExistingUsers = users: group-members:`
			`let user-list = attrNames users;`
			`in filter (username: list-includes user-list username) group-members;`

Started to move to flakes 2021-07-28 12:01:06 -07:00			`hostname = config.instance.hostname;`
			`host-cfg = config.fudo.hosts.${hostname};`

Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`in {`
Move user types to a common file 2021-10-01 16:05:56 -07:00			`options = with types; {`
			`fudo = {`
			`users = mkOption {`
			`type = attrsOf (submodule user.userOpts);`
			`description = "Users";`
			`default = { };`
			`};`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
Move user types to a common file 2021-10-01 16:05:56 -07:00			`groups = mkOption {`
			`type = attrsOf (submodule user.groupOpts);`
			`description = "Groups";`
			`default = { };`
			`};`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
Move user types to a common file 2021-10-01 16:05:56 -07:00			`system-users = mkOption {`
			`type = attrsOf (submodule user.systemUserOpts);`
			`description = "System users (probably not what you're looking for!)";`
			`default = { };`
			`};`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`};`
			`};`

Move user types to a common file 2021-10-01 16:05:56 -07:00			`config = let`
			`sys = config.instance;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`in {`
Tons of changes, I guess? 2021-11-05 07:06:08 -07:00			`fudo.auth.ldap-server = {`
			`users = filterAttrs`
			`(username: userOpts: userOpts.ldap-hashed-passwd != null)`
ARG FUCKING MIT KPASSWD WAT 2021-03-15 12:39:57 -07:00			`config.fudo.users;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
Tons of changes, I guess? 2021-11-05 07:06:08 -07:00			`groups = config.fudo.groups;`

			`system-users = config.fudo.system-users;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`};`

Fixed deploy keys and added ssh keys pushed from deploy server 2021-09-22 18:43:23 -07:00			`programs.ssh.extraConfig = mkAfter ''`
			`IdentityFile %h/.ssh/id_rsa`
			`IdentityFile /etc/ssh/private_keys.d/%u.key`
			`'';`

Checkin to see if lib gets fudo 2021-10-04 10:20:53 -07:00			`environment.etc = mapAttrs' (username: userOpts:`
			`nameValuePair`
			`"ssh/private_keys.d/${username}"`
			`{`
			`text = concatStringsSep "\n"`
			`(map (keypair: readFile keypair.public-key)`
			`userOpts.ssh-keys);`
			`})`
			`sys.local-users;`
Fixed deploy keys and added ssh keys pushed from deploy server 2021-09-22 18:43:23 -07:00
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`users = {`
			`users = mapAttrs (username: userOpts: {`
			`isNormalUser = true;`
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`uid = userOpts.uid;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`createHome = true;`
			`description = userOpts.common-name;`
			`group = userOpts.primary-group;`
ARG FUCKING MIT KPASSWD WAT 2021-03-15 12:39:57 -07:00			`home = if (userOpts.home-directory != null) then`
			`userOpts.home-directory`
			`else`
			`"/home/${userOpts.primary-group}/${username}";`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`hashedPassword = userOpts.login-hashed-passwd;`
			`openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys;`
Got local packages working again 2021-04-02 14:08:31 -07:00			`}) sys.local-users;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`groups = (mapAttrs (groupname: groupOpts: {`
			`gid = groupOpts.gid;`
Got local packages working again 2021-04-02 14:08:31 -07:00			`members = filterExistingUsers sys.local-users groupOpts.members;`
			`}) sys.local-groups) // {`
			`wheel = { members = sys.local-admins; };`
Started to move to flakes 2021-07-28 12:01:06 -07:00			`docker = mkIf (host-cfg.docker-server) { members = sys.local-admins; };`
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`};`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`};`

Daaamn NFS is a pain 2021-10-18 21:55:24 -07:00			`services.nfs.idmapd.settings = let`
			`local-domain = config.instance.local-domain;`
			`local-admins = config.instance.local-admins;`
			`local-users = config.instance.local-users;`
			`local-realm = config.fudo.domains.${local-domain}.gssapi-realm;`
			`in {`
			`General = {`
			`Verbosity = 10;`
Networks aren't a function 2021-10-19 10:04:35 -07:00			`# Domain = local-domain;`
Daaamn NFS is a pain 2021-10-18 21:55:24 -07:00			`"Local-Realms" = local-realm;`
			`};`
			`Translation = {`
			`GSS-Methods = "static";`
			`};`
			`Static = let`
			`generate-admin-entry = admin: userOpts:`
			`nameValuePair "${admin}/root@${local-realm}" "root";`
			`generate-user-entry = user: userOpts:`
			`nameValuePair "${user}@${local-realm}" user;`

			`admin-entries =`
			`mapAttrs' generate-admin-entry (getAttrs local-admins local-users);`
			`user-entries =`
			`mapAttrs' generate-user-entry local-users;`
			`in admin-entries // user-entries;`
			`};`

Changes for lambda, fixes for sea.fudo.org 2021-07-26 12:09:47 -07:00			`# Group home directories have to exist, otherwise users can't log in`
Added nutboy3 and nuttyclub 2021-11-13 10:30:58 -08:00			`systemd.tmpfiles.rules = let`
Changes for lambda, fixes for sea.fudo.org 2021-07-26 12:09:47 -07:00			`groups-with-members = attrNames`
			`(filterAttrs (group: groupOpts: (length groupOpts.members) > 0)`
			`sys.local-groups);`
Added nutboy3 and nuttyclub 2021-11-13 10:30:58 -08:00			`in map (group: "d /home/${group} 550 root ${group} - -") groups-with-members;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`};`
			`}`