From 41acb1a1ff3469b3a964c1d7170e35d8f963f9e6 Mon Sep 17 00:00:00 2001 From: Manuel Bluhm Date: Tue, 22 Oct 2024 22:51:38 +0400 Subject: [PATCH] WIP: - removes userborn for gui-vm, allowing name change would require significant changes. "/etc" persisted without restrictions atm. password change alone works fine with userborn - userborn enabled for all vms except gui - USERS: admin (ghaf) user, proxy user (audio/net vms), app user (app vms), and loginuser (guivm) - proxy/app users allow unprivileged application/service - Login user name and password can be set at first (gui-vm) boot - Additional script required to adjust home (impermanence name 'hardcoded' in nix store) - Password can be changed anytime using passwd - Name can be changed by admin/root removing the lock file Signed-off-by: Manuel Bluhm --- flake.lock | 7 +- flake.nix | 2 +- modules/common/services/xdgopener.nix | 2 +- modules/common/users/accounts.nix | 215 ++++++++++++++++-- modules/givc/appvm.nix | 4 +- modules/givc/common.nix | 2 +- .../virtualization/microvm/adminvm.nix | 15 +- .../microvm/virtualization/microvm/appvm.nix | 20 +- .../virtualization/microvm/audiovm.nix | 36 +-- .../microvm/common/storagevm.nix | 28 ++- .../microvm/virtualization/microvm/guivm.nix | 32 +-- .../virtualization/microvm/microvm-host.nix | 35 +-- .../microvm/virtualization/microvm/netvm.nix | 30 +-- modules/reference/personalize/keys.nix | 2 +- packages/bt-launcher/default.nix | 4 +- packages/nm-launcher/default.nix | 4 +- 16 files changed, 330 insertions(+), 108 deletions(-) diff --git a/flake.lock b/flake.lock index 6a5da2334..d07b3b5f1 100644 --- a/flake.lock +++ b/flake.lock 
@@ -315,16 +315,17 @@
 },
 "impermanence": {
 "locked": {
- "lastModified": 1729068498,
- "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=",
+ "lastModified": 1728049659,
+ "narHash": "sha256-lGtad92Y/TnqpXRlZ1syiEq5czpvblKmcypeqGPiVF4=",
 "owner": "nix-community",
 "repo": "impermanence",
- "rev": "e337457502571b23e449bf42153d7faa10c0a562",
+ "rev": "32b1094d28d5fbedcc85a403bc08c8877b396255",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
 "repo": "impermanence",
+ "rev": "32b1094d28d5fbedcc85a403bc08c8877b396255",
 "type": "github"
 }
 },
diff --git a/flake.nix b/flake.nix
index 5bdfb3460..47dbedd50 100644
--- a/flake.nix
+++ b/flake.nix
@@ -140,7 +140,7 @@
 };
 
 impermanence = {
- url = "github:nix-community/impermanence";
+ url = "github:nix-community/impermanence/32b1094d28d5fbedcc85a403bc08c8877b396255";
 };
 
 givc = {
diff --git a/modules/common/services/xdgopener.nix b/modules/common/services/xdgopener.nix
index a7e7985d4..ea8123a4d 100644
--- a/modules/common/services/xdgopener.nix
+++ b/modules/common/services/xdgopener.nix
@@ -53,7 +53,7 @@ in
 serviceConfig = {
 # The user 'ghaf' is used here to access SSH keys for the scp command
 # This is required to copy files to the zathuravm
- User = "ghaf";
+ User = "${config.ghaf.users.accounts.admin}";
 ExecStart = "${ghaf-xdg-open}/bin/ghaf-xdg-open";
 StandardInput = "socket";
 StandardOutput = "journal";
diff --git a/modules/common/users/accounts.nix b/modules/common/users/accounts.nix
index 3c337101f..0ef04c62d 100644
--- a/modules/common/users/accounts.nix
+++ b/modules/common/users/accounts.nix
@@ -3,6 +3,7 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }:
 # account for the development time login with sudo rights
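Review bot: The xdgopener unit still runs as the sudo-capable admin account (`User = "${config.ghaf.users.accounts.admin}"`), even though this commit introduces the login and app users precisely so that application-facing services do not need the wheel member; the two comment lines above it still say "The user 'ghaf' is used here", which is now stale since the name is configurable. If the only requirement is the waypipe key in /run/waypipe-ssh (which guivm.nix chowns to the admin), consider whether that key or the service could be owned by the login user instead, and in any case update the comment to `# Runs as the admin account (ghaf.users.accounts.admin) because it owns the SSH keys used for scp to the zathuravm`. The enclosing serviceConfig attribute set continues outside the hunk.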
@@ -20,24 +21,30 @@ in { #TODO Extend this to allow definition of multiple users options.ghaf.users.accounts = { - enable = mkEnableOption "Default account Setup"; - user = mkOption { + enable = mkOption { + default = true; + type = types.bool; + description = '' + Enable Ghaf user accounts. Defaults to true. + ''; + }; + admin = mkOption { default = "ghaf"; type = types.str; description = '' The admin account with sudo rights. ''; }; - password = mkOption { + initialPassword = mkOption { default = "ghaf"; type = types.str; description = '' - Default password for the admin user. + Default password for the admin and login user accounts. ''; }; enableLoginUser = mkEnableOption "Enable login user setup for UI."; loginuser = mkOption { - default = "manuel"; + default = "user"; type = types.str; description = '' Default user account for UI. 
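Review bot: The renamed `initialPassword` option keeps the default `"ghaf"` for the wheel-member admin in every VM, and its description does not say where that value ends up or that it is permanent outside gui-vm: NixOS writes `users.users.<name>.initialPassword` into the world-readable Nix store in cleartext, and on the VMs where `users.mutableUsers` is false (every VM except gui-vm, per `mutableUsers = cfg.enableLoginUser` later in this file) a `passwd` change is reverted on the next activation. I would extend the description to `Initial cleartext password for the admin and login user accounts. It is stored unencrypted in the Nix store; on VMs without mutable users it cannot be changed at runtime, so production builds must override it (or switch to hashedPassword/hashedPasswordFile).` The `options.ghaf.users.accounts` set continues past the end of this hunk.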
@@ -50,16 +57,63 @@ in Default UID for the login user. ''; }; + # TODO Remove proxy user with ssh functionality + enableProxyUser = mkEnableOption "Enable proxy for login user."; + proxyuser = mkOption { + default = "proxyuser"; + type = types.str; + description = '' + Default user account for dbus proxy functionality. + ''; + }; + proxyuserGroups = mkOption { + default = [ ]; + type = types.listOf types.str; + description = '' + Extra groups for the proxy user. + ''; + }; + enableAppUser = mkEnableOption "Enable app for user to run applications."; + appuser = mkOption { + default = "appuser"; + type = types.str; + description = '' + Default user account to run applications. + ''; + }; + appuserGroups = mkOption { + default = [ ]; + type = types.listOf types.str; + description = '' + Extra groups for the app user. + ''; + }; }; config = mkIf cfg.enable { + + assertions = [ + { + assertion = !(cfg.enableLoginUser && cfg.enableProxyUser); + message = "You cannot enable both login and proxy users at the same time"; + } + { + assertion = !(cfg.enableLoginUser && cfg.enableAppUser); + message = "You cannot enable both login and app users at the same time"; + } + { + assertion = !(cfg.enableAppUser && cfg.enableProxyUser); + message = "You cannot enable both app and proxy users at the same time"; + } + ]; + users = { mutableUsers = cfg.enableLoginUser; users = { - "${cfg.user}" = { + "${cfg.admin}" = { isNormalUser = true; - inherit (cfg) password; + inherit (cfg) initialPassword; extraGroups = [ "wheel" 
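Review bot: The three pairwise assertions express a single "at most one of login/proxy/app user" rule and will need a fourth and fifth entry the moment another account kind is added; a single count-based assertion is shorter and cannot drift out of sync, e.g. `assertion = lib.count lib.id [ cfg.enableLoginUser cfg.enableProxyUser cfg.enableAppUser ] <= 1;` with `message = "Only one of enableLoginUser, enableProxyUser and enableAppUser may be set";`. It would also help to say in a comment above the assertions why they exist — all three accounts are given the same `uid = cfg.loginuid` further down, so they cannot coexist in one VM. The `config = mkIf cfg.enable` block continues past the end of this hunk.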
@@ -73,17 +127,33 @@ in "${cfg.loginuser}" = { isNormalUser = true; uid = cfg.loginuid; - inherit (cfg) password; + inherit (cfg) initialPassword; extraGroups = [ "video" ]; }; + } + // optionalAttrs cfg.enableProxyUser { + "${cfg.proxyuser}" = { + isNormalUser = true; + createHome = false; + uid = cfg.loginuid; + extraGroups = cfg.proxyuserGroups; + }; + } + // optionalAttrs cfg.enableAppUser { + "${cfg.appuser}" = { + isNormalUser = true; + createHome = true; + uid = cfg.loginuid; + extraGroups = cfg.appuserGroups; + }; }; groups = { - "${cfg.user}" = { - name = cfg.user; - members = [ cfg.user ]; + "${cfg.admin}" = { + name = cfg.admin; + members = [ cfg.admin ]; }; } // optionalAttrs cfg.enableLoginUser { 
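Review bot: Both new accounts reuse `uid = cfg.loginuid`, the same uid as the login user, without any comment explaining that this is deliberate; a reader will take it for a copy-paste error, and the assertions that keep the three accounts from coexisting live in a different part of the file. I would add above `"${cfg.proxyuser}"`: `# proxy/app users deliberately share the login user's uid so that ownership on shared storage matches across VMs; the assertions above keep them mutually exclusive` — assuming that is the reason, which the hunk does not state. The proxy user also gets `isNormalUser = true`, which assigns a login shell and membership in `users`, although bt-launcher and nm-launcher only ever reach it through `ssh -N` socket forwarding; if nothing in that path needs an interactive shell, a `nologin` shell would make the account harder to abuse (verify the `-N` tunnels still authenticate before changing it). The `users.users` attribute set continues outside the hunk.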
@@ -91,11 +161,130 @@ in name = cfg.loginuser; members = [ cfg.loginuser ]; }; + } + // optionalAttrs cfg.enableProxyUser { + "${cfg.proxyuser}" = { + name = cfg.proxyuser; + members = [ cfg.proxyuser ]; + }; + } + // optionalAttrs cfg.enableAppUser { + "${cfg.appuser}" = { + name = cfg.appuser; + members = [ cfg.appuser ]; + }; }; }; # to build ghaf as ghaf-user with caches - nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [ cfg.user ]; - #services.userborn.enable = true; + nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [ cfg.admin ]; + + # Enable userborn + services.userborn = optionalAttrs (!cfg.enableLoginUser) { + enable = true; + }; + + # First boot login user setup + systemd.services.ghaf-loginuser-setup = + let + userSetupScript = pkgs.writeShellApplication { + name = "ghaf-user-setup"; + runtimeInputs = [ + pkgs.su + pkgs.shadow + pkgs.coreutils + pkgs.ncurses + ]; + text = '' + clear + echo -e "\e[1;32;1m Ghaf User Setup \e[0m" + echo "" + echo "Create your user account and set your password." + echo "" + + # Read new user name + ACCEPTABLE_USER=false + until $ACCEPTABLE_USER; do + echo -n "Enter your user name: " + read -e -r USERNAME + USERNAME=''${USERNAME//_/} + USERNAME=''${USERNAME// /_} + USERNAME=''${USERNAME//[^a-zA-Z0-9_]/} + USERNAME=''$(echo -n "$USERNAME" | tr '[:upper:]' '[:lower:]') + if grep -q -w "$USERNAME:" /etc/passwd; then + echo "User $USERNAME already exists. Please choose another user name." + else + ACCEPTABLE_USER=true + fi + done + + # Change login user name and home + usermod -l "$USERNAME" -d /home/"$USERNAME" -m ${cfg.loginuser} + groupmod -n "$USERNAME" ${cfg.loginuser} + chown -R "$USERNAME":users /home/"$USERNAME" + chmod -R 0760 /home/"$USERNAME" + + # Change password + until passwd "$USERNAME"; do + echo "Please try again." + done + + # Create user.lock file + install -m 000 /dev/null /etc/user.lock + + echo "User $USERNAME created." 
+ sleep 1 + ''; + }; + in + optionalAttrs cfg.enableLoginUser { + description = "First boot setup of login user"; + enable = true; + requiredBy = [ "multi-user.target" ]; + before = [ "systemd-user-sessions.service" ]; + after = [ "userborn.service" ]; + path = [ userSetupScript ]; + unitConfig.ConditionPathExists = "!/etc/user.lock"; + serviceConfig = { + Type = "oneshot"; + StandardInput = "tty"; + StandardOutput = "tty"; + StandardError = "tty"; + TTYPath = "/dev/tty1"; + TTYReset = true; + TTYVHangup = true; + ExecStart = "${userSetupScript}/bin/ghaf-user-setup"; + }; + }; + + systemd.services.ghaf-home-setup = + let + homeSetupScript = pkgs.writeShellApplication { + name = "ghaf-home-setup"; + runtimeInputs = [ + pkgs.coreutils + pkgs.getent + ]; + text = '' + # Change home dir permissions + USERNAME=$(getent passwd ${toString cfg.loginuid} | cut -d: -f1) + mv /home/${cfg.loginuser} /home/"$USERNAME" + chown -R "$USERNAME":users /home/"$USERNAME" + chmod -R 0760 /home/"$USERNAME" + ''; + }; + in + optionalAttrs cfg.enableLoginUser { + description = "Correct login user home permissions"; + enable = true; + requiredBy = [ "multi-user.target" ]; + before = [ "greetd.service" ]; + path = [ homeSetupScript ]; + unitConfig.ConditionPathExists = "/etc/user.lock"; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${homeSetupScript}/bin/ghaf-home-setup"; + }; + }; }; } diff --git a/modules/givc/appvm.nix b/modules/givc/appvm.nix index 2274124de..1568605ef 100644 --- a/modules/givc/appvm.nix +++ b/modules/givc/appvm.nix @@ -44,7 +44,7 @@ in admin = config.ghaf.givc.adminConfig; }; - # Quick fix to allow linger (linger option in user def. currently doesn't work, e.g., bc mutable) - systemd.tmpfiles.rules = [ "f /var/lib/systemd/linger/${config.ghaf.users.accounts.user}" ]; + # Enable lingering + users.users.${config.ghaf.users.accounts.appuser}.linger = true; }; } diff --git a/modules/givc/common.nix b/modules/givc/common.nix index 6306376ec..49ba75869 100644 
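Review bot: `chmod -R 0760 /home/"$USERNAME"` in ghaf-user-setup (repeated in ghaf-home-setup) sets the execute bit on every regular file and grants the whole `users` group write access to the login user's home, and `isNormalUser` puts the admin, proxy and app accounts in `users` as well; the mode should be `chmod 0700 /home/"$USERNAME"` applied to the directory only, after the existing `chown -R`. The name check also consults only `/etc/passwd`, so a name that already exists as a group (`audio`, `video`, `wheel`) passes the loop, `usermod -l` succeeds, `groupmod -n` then fails under the `set -e` that writeShellApplication enables, and the unit exits with the user renamed, no `/etc/user.lock` written and the next boot's `usermod ... ${cfg.loginuser}` unable to find the old name; adding `|| getent group "$USERNAME" >/dev/null` to the existence test closes that hole. The sanitized name is never checked for being non-empty or within shadow's rules (leading letter or `_`, at most 32 characters), so an invalid entry aborts the unit the same way instead of re-prompting, and `chown -R "$USERNAME":users` in ghaf-home-setup runs on every boot rather than once.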
--- a/modules/givc/common.nix +++ b/modules/givc/common.nix @@ -12,7 +12,7 @@ let mitmEnabled = config.ghaf.virtualization.microvm.idsvm.enable && config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable; - mitmExtraArgs = lib.optionalString mitmEnabled "--user-data-dir=/home/${config.ghaf.users.accounts.user}/.config/chromium/Default --test-type --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="; + mitmExtraArgs = lib.optionalString mitmEnabled "--user-data-dir=/home/${config.ghaf.users.accounts.admin}/.config/chromium/Default --test-type --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="; in { options.ghaf.givc = { diff --git a/modules/microvm/virtualization/microvm/adminvm.nix b/modules/microvm/virtualization/microvm/adminvm.nix index 32672ae2c..546ba5207 100644 --- a/modules/microvm/virtualization/microvm/adminvm.nix +++ b/modules/microvm/virtualization/microvm/adminvm.nix @@ -10,6 +10,7 @@ let adminvmBaseConfiguration = { imports = [ + inputs.impermanence.nixosModules.impermanence inputs.self.nixosModules.givc-adminvm (import ./common/vm-networking.nix { inherit @@ -20,6 +21,7 @@ let ; internalIP = 10; }) + ./common/storagevm.nix # We need to retrieve mac address and start log aggregator ../../../common/logging/hw-mac-retrieve.nix ../../../common/logging/logs-aggregator.nix @@ -27,7 +29,7 @@ let { lib, ... }: { ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + # Profiles profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; development = { # NOTE: SSH port also becomes accessible on the network interface @@ -36,6 +38,8 @@ let debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; }; + + # System systemd = { enable = true; withName = "adminvm-systemd"; 
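Review bot: `mitmExtraArgs` now points chromium at `/home/${config.ghaf.users.accounts.admin}/.config/chromium/Default`, but the appvm.nix change in this same commit switches app VMs to run applications as `appuser` and persists `.config/` for that account, so when mitmproxy is enabled the browser would be given a profile directory under the admin's home that the app user cannot write to. Assuming givc launches the application as the app user (the new `users.users.${appuser}.linger = true` in givc/appvm.nix suggests it does), the path should be `--user-data-dir=/home/${config.ghaf.users.accounts.appuser}/.config/chromium/Default`. The `let` block this binding belongs to starts before the hunk.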
@@ -47,10 +51,15 @@ let withDebug = configHost.ghaf.profiles.debug.enable; withHardenedConfigs = true; }; - givc.adminvm.enable = true; - # Log aggregation configuration + # Storage + storagevm = { + enable = true; + name = "adminvm"; + }; + + # Services logging = { client.enable = isLoggingEnabled; listener = { diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix index 4445d2e89..d0dbed4c6 100644 --- a/modules/microvm/virtualization/microvm/appvm.nix +++ b/modules/microvm/virtualization/microvm/appvm.nix @@ -60,14 +60,16 @@ let in { ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + # Profiles + users.accounts.enableAppUser = true; profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - development = { ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; }; + + # Systemd systemd = { enable = true; withName = "appvm-systemd"; @@ -80,15 +82,11 @@ let withHardenedConfigs = true; }; - ghaf-audio = { - inherit (vm.ghafAudio) enable; - name = "${vm.name}"; - }; - + # Storage storagevm = { enable = true; name = "${vm.name}"; - users.${config.ghaf.users.accounts.user}.directories = [ + users.${config.ghaf.users.accounts.appuser}.directories = [ ".config/" "Downloads" "Music" @@ -98,7 +96,11 @@ let ]; }; - # Logging client configuration + # Services + ghaf-audio = { + inherit (vm.ghafAudio) enable; + name = "${vm.name}"; + }; logging.client.enable = configHost.ghaf.logging.client.enable; logging.client.endpoint = configHost.ghaf.logging.client.endpoint; }; diff --git a/modules/microvm/virtualization/microvm/audiovm.nix b/modules/microvm/virtualization/microvm/audiovm.nix index f30e455ca..231990039 100644 --- a/modules/microvm/virtualization/microvm/audiovm.nix 
+++ b/modules/microvm/virtualization/microvm/audiovm.nix @@ -39,14 +39,23 @@ let imports = [ ../../../common ]; ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + # Profiles profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - development = { ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; }; + users.accounts = { + enableProxyUser = true; + proxyuserGroups = [ + "audio" + "video" + "pipewire" + ]; + }; + + # System systemd = { enable = true; withName = "audiovm-systemd"; @@ -60,14 +69,18 @@ let withHardenedConfigs = true; }; givc.audiovm.enable = true; - services.audio.enable = true; - # Logging client configuration - logging.client.enable = configHost.ghaf.logging.client.enable; - logging.client.endpoint = configHost.ghaf.logging.client.endpoint; + + # Storage storagevm = { enable = true; name = "audiovm"; }; + + # Services + services.audio.enable = true; + # Logging client configuration + logging.client.enable = configHost.ghaf.logging.client.enable; + logging.client.endpoint = configHost.ghaf.logging.client.endpoint; }; environment = { @@ -78,17 +91,6 @@ let ] ++ lib.optional config.ghaf.development.debug.tools.enable pkgs.alsa-utils; }; - users.users."proxy-user-audio" = { - isNormalUser = true; - uid = config.ghaf.users.accounts.loginuid; - createHome = false; - extraGroups = [ - "audio" - "video" - "pipewire" - ]; - }; - time.timeZone = config.time.timeZone; system.stateVersion = lib.trivial.release; diff --git a/modules/microvm/virtualization/microvm/common/storagevm.nix b/modules/microvm/virtualization/microvm/common/storagevm.nix index aa431e23c..1df69d694 100644 --- a/modules/microvm/virtualization/microvm/common/storagevm.nix +++ b/modules/microvm/virtualization/microvm/common/storagevm.nix 
@@ -1,6 +1,10 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ lib, config, ... }: +{ + lib, + config, + ... +}: let cfg = config.ghaf.storagevm; inherit (lib) @@ -8,11 +12,9 @@ let mkOption mkIf mkMerge - mkForce types optionals ; - mountPath = "/guestStorage"; in { options.ghaf.storagevm = { @@ -25,6 +27,14 @@ in type = types.str; }; + mountPath = mkOption { + description = '' + Mount path for the storage virtual machine. + ''; + type = types.str; + default = "/guestStorage"; + }; + directories = mkOption { # FIXME: Probably will lead to disgraceful error messages, as we # put typechecking on nix impermanence option. But other, @@ -70,7 +80,7 @@ in }; config = lib.mkIf cfg.enable { - fileSystems.${mountPath} = { + fileSystems.${cfg.mountPath} = { neededForBoot = true; options = [ "rw" @@ -79,7 +89,7 @@ in "noexec" ]; }; - virtualisation.fileSystems.${mountPath}.device = "/dev/vda"; + virtualisation.fileSystems.${cfg.mountPath}.device = "/dev/vda"; microvm.shares = [ { @@ -87,11 +97,11 @@ in proto = "virtiofs"; securityModel = "passthrough"; source = "/storagevm/${cfg.name}"; - mountPoint = mountPath; + mountPoint = cfg.mountPath; } ]; - environment.persistence.${mountPath} = lib.mkMerge [ + environment.persistence.${cfg.mountPath} = mkMerge [ { hideMounts = true; directories = @@ -99,11 +109,9 @@ in "/var/lib/nixos" ] ++ optionals config.ghaf.users.accounts.enableLoginUser [ - # TODO Replace with userborn setup "/etc" ]; - - files = [ + files = optionals (!config.ghaf.users.accounts.enableLoginUser) [ "/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key" ]; diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix index 1b1ae856a..344a981fb 100644 --- a/modules/microvm/virtualization/microvm/guivm.nix +++ b/modules/microvm/virtualization/microvm/guivm.nix 
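Review bot: With `enableLoginUser` the last hunk persists the entire `/etc` directory on the virtiofs passthrough share and drops the SSH host keys from `files`, so `/etc/shadow`, `/etc/gshadow`, the host keys and every file NixOS regenerates at activation now live in `/storagevm/guivm/etc` with no scoping — the commit message itself calls this "without restrictions atm". Unless something else in gui-vm needs a whole persisted `/etc`, the mutable-user state the first-boot script depends on is a handful of files, e.g. `files = [ "/etc/passwd" "/etc/shadow" "/etc/group" "/etc/gshadow" "/etc/user.lock" "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" ];` applied regardless of `enableLoginUser`, which would also stop the host keys from being regenerated on every gui-vm boot when they are no longer listed. If the full `/etc` persistence must stay for now, a comment above `"/etc"` stating that it is temporary and what it exposes would help the next reader. The `environment.persistence` set continues outside the hunk.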
@@ -33,25 +33,21 @@ let { lib, pkgs, ... }: { ghaf = { - users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; - users.accounts.enableLoginUser = true; + # Profiles profiles = { debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; applications.enable = false; graphics.enable = true; }; - - # To enable screen locking set to true - graphics.labwc = { - autolock.enable = lib.mkDefault config.ghaf.graphics.labwc.autolock.enable; - autologinUser = lib.mkDefault config.ghaf.graphics.labwc.autologinUser; - }; + users.accounts.enableLoginUser = true; development = { ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; }; + + # System systemd = { enable = true; withName = "guivm-systemd"; @@ -63,9 +59,8 @@ let withHardenedConfigs = true; }; givc.guivm.enable = true; - # Logging client configuration - logging.client.enable = config.ghaf.logging.client.enable; - logging.client.endpoint = config.ghaf.logging.client.endpoint; + + # Storage storagevm = { enable = true; name = "guivm"; @@ -77,6 +72,15 @@ let "Videos" ]; }; + + # Services + # To enable screen locking set to true + graphics.labwc = { + autolock.enable = lib.mkDefault config.ghaf.graphics.labwc.autolock.enable; + autologinUser = lib.mkDefault config.ghaf.graphics.labwc.autologinUser; + }; + logging.client.enable = config.ghaf.logging.client.enable; + logging.client.endpoint = config.ghaf.logging.client.endpoint; services.disks.enable = true; services.disks.fileManager = "${pkgs.pcmanfm}/bin/pcmanfm"; services.xdghandlers.enable = true; 
@@ -89,12 +93,12 @@ let
 mkdir -p /run/waypipe-ssh
 mkdir -p /run/user-ssh
 echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/waypipe-ssh/id_ed25519 -C ""
- chown ${config.ghaf.users.accounts.user}:${config.ghaf.users.accounts.user} /run/waypipe-ssh/*
+ chown ${config.ghaf.users.accounts.admin}:${config.ghaf.users.accounts.admin} /run/waypipe-ssh/*
 cp /run/waypipe-ssh/id_ed25519.pub /run/waypipe-ssh-public-key/id_ed25519.pub
- echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/user-ssh/id_ed25519_net -C "proxy-user-network@net-vm"
+ echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/user-ssh/id_ed25519_net -C "proxyuser@net-vm"
 chown ${config.ghaf.users.accounts.loginuser}:${config.ghaf.users.accounts.loginuser} /run/user-ssh/*
 cp /run/user-ssh/id_ed25519_net.pub /run/waypipe-ssh-public-key/id_ed25519_net.pub
- echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/user-ssh/id_ed25519_ad -C "proxy-user-audio@audio-vm"
+ echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/user-ssh/id_ed25519_ad -C "proxyuser@audio-vm"
 chown ${config.ghaf.users.accounts.loginuser}:${config.ghaf.users.accounts.loginuser} /run/user-ssh/*
 cp /run/user-ssh/id_ed25519_ad.pub /run/waypipe-ssh-public-key/id_ed25519_ad.pub
 '';
diff --git a/modules/microvm/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix
index ab9fcd09b..b383bd696 100644
--- a/modules/microvm/virtualization/microvm/microvm-host.nix
+++ b/modules/microvm/virtualization/microvm/microvm-host.nix
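Review bot: The two unchanged `chown ${config.ghaf.users.accounts.loginuser}:${config.ghaf.users.accounts.loginuser} /run/user-ssh/*` lines use the static option value (`user` by default), but the first-boot ghaf-user-setup added in this commit renames that account and its group with `usermod -l` / `groupmod -n`, so on every boot after the rename these commands fail with an unknown user, and if this script runs under `set -e` the /run/user-ssh keys never get their ownership set. Since the uid is fixed by `loginuid` and survives the rename, `chown ${toString config.ghaf.users.accounts.loginuid}: /run/user-ssh/*` (trailing colon selects the user's primary group) works before and after setup. The script this hunk belongs to starts before the hunk, so I cannot see whether it is an activation script or a unit preStart.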
@@ -44,23 +44,26 @@ in (mkIf cfg.enable { microvm.host.enable = true; microvm.host.useNotifySockets = true; - ghaf.systemd = { - withName = "host-systemd"; - enable = true; - withAudit = config.ghaf.profiles.debug.enable; - withPolkit = true; - withTpm2Tss = pkgs.stdenv.hostPlatform.isx86; - withRepart = true; - withFido2 = true; - withCryptsetup = true; - withTimesyncd = cfg.networkSupport; - withNss = cfg.networkSupport; - withResolved = cfg.networkSupport; - withSerial = config.ghaf.profiles.debug.enable; - withDebug = config.ghaf.profiles.debug.enable; - withHardenedConfigs = true; + ghaf = { + # System + systemd = { + withName = "host-systemd"; + enable = true; + withAudit = config.ghaf.profiles.debug.enable; + withPolkit = true; + withTpm2Tss = pkgs.stdenv.hostPlatform.isx86; + withRepart = true; + withFido2 = true; + withCryptsetup = true; + withTimesyncd = cfg.networkSupport; + withNss = cfg.networkSupport; + withResolved = cfg.networkSupport; + withSerial = config.ghaf.profiles.debug.enable; + withDebug = config.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + givc.host.enable = true; }; - ghaf.givc.host.enable = true; # TODO: remove hardcoded paths systemd.services."microvm@audio-vm".serviceConfig = diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix index 410156134..2cf9fb30a 100644 --- a/modules/microvm/virtualization/microvm/netvm.nix +++ b/modules/microvm/virtualization/microvm/netvm.nix @@ -43,7 +43,7 @@ let imports = [ ../../../common ]; ghaf = { - users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; + # Profiles profiles.debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; development = { # NOTE: SSH port also becomes accessible on the network interface 
@@ -52,6 +52,14 @@ let debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; }; + users.accounts = { + enableProxyUser = true; + proxyuserGroups = [ + "networkmanager" + ]; + }; + + # System systemd = { enable = true; withName = "netvm-systemd"; @@ -63,14 +71,19 @@ let withHardenedConfigs = true; }; givc.netvm.enable = true; - # Logging client configuration - logging.client.enable = config.ghaf.logging.client.enable; - logging.client.endpoint = config.ghaf.logging.client.endpoint; + + # Storage storagevm = { enable = true; name = "netvm"; directories = [ "/etc/NetworkManager/system-connections/" ]; }; + + # Services + # Logging client configuration + logging.client.enable = config.ghaf.logging.client.enable; + logging.client.endpoint = config.ghaf.logging.client.endpoint; + }; time.timeZone = config.time.timeZone; @@ -139,15 +152,6 @@ let ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = [ "ro" ]; }; - users.users."proxy-user-network" = { - isNormalUser = true; - createHome = false; - uid = config.ghaf.users.accounts.loginuid; - extraGroups = [ - "networkmanager" - ]; - }; - # SSH is very picky about to file permissions and ownership and will # accept neither direct path inside /nix/store or symlink that points # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by diff --git a/modules/reference/personalize/keys.nix b/modules/reference/personalize/keys.nix index 6058c2263..46b603d64 100644 --- a/modules/reference/personalize/keys.nix +++ b/modules/reference/personalize/keys.nix 
@@ -31,7 +31,7 @@ in config = mkIf cfg.enable { users.users.root.openssh.authorizedKeys.keys = authorizedSshKeys; - users.users.${config.ghaf.users.accounts.user}.openssh.authorizedKeys.keys = authorizedSshKeys; + users.users.${config.ghaf.users.accounts.admin}.openssh.authorizedKeys.keys = authorizedSshKeys; ghaf.services.yubikey.u2fKeys = mkForce (concatStrings authorizedYubikeys); }; } diff --git a/packages/bt-launcher/default.nix b/packages/bt-launcher/default.nix index 706ece2b8..309a01139 100644 --- a/packages/bt-launcher/default.nix +++ b/packages/bt-launcher/default.nix @@ -17,7 +17,7 @@ writeShellApplication { export DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/ssh_session_dbus.sock export DBUS_SYSTEM_BUS_ADDRESS=unix:path=/tmp/ssh_system_dbus.sock ${openssh}/bin/ssh -M -S /tmp/control_socket_bt \ - -f -N -q proxy-user-audio@audio-vm \ + -f -N -q proxyuser@audio-vm \ -i /run/user-ssh/id_ed25519_ad \ -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ @@ -27,7 +27,7 @@ writeShellApplication { -L /tmp/ssh_system_dbus.sock:/run/dbus/system_bus_socket # Use the control socket to close the ssh tunnel. close-tunnel() { - ${openssh}/bin/ssh -q -S /tmp/control_socket_bt -O exit proxy-user-audio@audio-vm + ${openssh}/bin/ssh -q -S /tmp/control_socket_bt -O exit proxyuser@audio-vm } launch-blueman() { diff --git a/packages/nm-launcher/default.nix b/packages/nm-launcher/default.nix index d433b388f..2186739fb 100644 --- a/packages/nm-launcher/default.nix +++ b/packages/nm-launcher/default.nix @@ -19,7 +19,7 @@ writeShellApplication { # export DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/ssh_session_dbus.sock export DBUS_SYSTEM_BUS_ADDRESS=unix:path=/tmp/ssh_system_dbus.sock ${openssh}/bin/ssh -M -S /tmp/control_socket \ - -f -N -q proxy-user-network@net-vm \ + -f -N -q proxyuser@net-vm \ -i /run/user-ssh/id_ed25519_net \ -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ 
@@ -29,7 +29,7 @@ writeShellApplication { -L /tmp/ssh_system_dbus.sock:/run/dbus/system_bus_socket ${networkmanagerapplet}/bin/nm-applet --indicator # Use the control socket to close the ssh tunnel. - ${openssh}/bin/ssh -q -S /tmp/control_socket -O exit proxy-user-network@net-vm + ${openssh}/bin/ssh -q -S /tmp/control_socket -O exit proxyuser@net-vm ''; meta = {