
Commit

Enable userborn
- enable userborn across all VMs and host
- add impermanence path to fix user home permissions
- persist /etc for gui-vm
- change 'password' to 'initialPassword' option to allow updating the system without resetting the passwords
- add a proxyuser for dbus over ssh functionality (temporary?)

This version persists the entire /etc of the guivm. A second version persists only shadow, passwd, and group as required by userborn. This is better, but may require more work to use tools like usermod later, if required. Both versions support user updates through configuration.

Signed-off-by: Manuel Bluhm <[email protected]>
mbssrc committed Oct 18, 2024
1 parent d0b92d0 commit 6ed8b3d
Showing 14 changed files with 182 additions and 98 deletions.
7 changes: 4 additions & 3 deletions flake.lock


2 changes: 1 addition & 1 deletion flake.nix
Expand Up @@ -139,7 +139,7 @@
};

impermanence = {
url = "github:nix-community/impermanence";
url = "github:nix-community/impermanence/32b1094d28d5fbedcc85a403bc08c8877b396255";
};

givc = {
Expand Down
2 changes: 1 addition & 1 deletion modules/common/services/xdgopener.nix
Expand Up @@ -53,7 +53,7 @@ in
serviceConfig = {
# The user 'ghaf' is used here to access SSH keys for the scp command
# This is required to copy files to the zathuravm
User = "ghaf";
User = "${config.ghaf.users.accounts.user}";
ExecStart = "${ghaf-xdg-open}/bin/ghaf-xdg-open";
StandardInput = "socket";
StandardOutput = "journal";
Expand Down
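Review bot: The comment two lines above the new `User =` line still says `The user 'ghaf' is used here`, but the service now runs as whatever `config.ghaf.users.accounts.user` resolves to, so the comment is stale the moment the option is overridden. Suggest `# The admin account (config.ghaf.users.accounts.user) is used here to access SSH keys for the scp command`. The enclosing `serviceConfig` block continues beyond the hunk.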
66 changes: 59 additions & 7 deletions modules/common/users/accounts.nix
Expand Up @@ -20,24 +20,30 @@ in
{
#TODO Extend this to allow definition of multiple users
options.ghaf.users.accounts = {
enable = mkEnableOption "Default account Setup";
enable = mkOption {
default = true;
type = types.bool;
description = ''
Enable Ghaf user accounts. Defaults to true.
'';
};
user = mkOption {
default = "ghaf";
type = types.str;
description = ''
The admin account with sudo rights.
'';
};
password = mkOption {
initialPassword = mkOption {
default = "ghaf";
type = types.str;
description = ''
Default password for the admin user.
Default password for the admin and login user accounts.
'';
};
enableLoginUser = mkEnableOption "Enable login user setup for UI.";
loginuser = mkOption {
default = "manuel";
default = "user";
type = types.str;
description = ''
Default user account for UI.
Expand All @@ -50,16 +56,40 @@ in
Default UID for the login user.
'';
};
# TODO Remove proxy user with ssh functionality
enableProxyUser = mkEnableOption "Enable proxy for login user.";
proxyuser = mkOption {
default = "proxyuser";
type = types.str;
description = ''
Default user account for dbus proxy functionality.
'';
};
proxyuserGroups = mkOption {
default = [ ];
type = types.listOf types.str;
description = ''
Extra groups for the proxy user.
'';
};
};

config = mkIf cfg.enable {

assertions = [
{
assertion = !(cfg.enableLoginUser && cfg.enableProxyUser);
message = "You cannot enable both login and proxy users at the same time";
}
];

users = {
mutableUsers = cfg.enableLoginUser;
users =
{
"${cfg.user}" = {
isNormalUser = true;
inherit (cfg) password;
inherit (cfg) initialPassword;
extraGroups =
[
"wheel"
Expand All @@ -73,11 +103,19 @@ in
"${cfg.loginuser}" = {
isNormalUser = true;
uid = cfg.loginuid;
inherit (cfg) password;
inherit (cfg) initialPassword;
extraGroups = [
"video"
];
};
}
// optionalAttrs cfg.enableProxyUser {
"${cfg.proxyuser}" = {
isNormalUser = true;
createHome = false;
uid = cfg.loginuid;
extraGroups = cfg.proxyuserGroups;
};
};
groups =
{
Expand All @@ -91,11 +129,25 @@ in
name = cfg.loginuser;
members = [ cfg.loginuser ];
};
}
// optionalAttrs cfg.enableProxyUser {
"${cfg.proxyuser}" = {
name = cfg.proxyuser;
members = [ cfg.proxyuser ];
};
};
};

# to build ghaf as ghaf-user with caches
nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [ cfg.user ];
#services.userborn.enable = true;

# Enable userborn
services.userborn =
{
enable = true;
}
// optionalAttrs cfg.enableLoginUser {
passwordFilesLocation = "/etc";
};
};
}
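Review bot: `mutableUsers = cfg.enableLoginUser;` (unchanged, just below the new assertion) keeps users immutable on every VM that has no login user, and for immutable users NixOS treats `initialPassword` the same as `password`, so the renamed `inherit (cfg) initialPassword;` on the admin account still re-applies the default on each activation there; the commit's goal of not resetting passwords on update therefore only holds where `enableLoginUser` is true. Userborn appears to follow the same `mutableUsers` semantics, but confirm against the version pinned in flake.lock. If the admin password should survive updates everywhere, `mutableUsers` (and `passwordFilesLocation`) need to be decoupled from `enableLoginUser`; otherwise the `initialPassword` description should state that it is only "initial" on the login-user VM. The new `${cfg.proxyuser}` entry sets no password, which leaves the account locked, and it reuses `cfg.loginuid`; both look deliberate but deserve a comment, e.g. `# Intentionally no password: the proxy user is never meant to log in interactively` and `# Shares the login user's UID so that dbus proxying over SSH maps to the same identity` — hedged, as the SSH/dbus side is not in this diff.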
4 changes: 2 additions & 2 deletions modules/givc/appvm.nix
Expand Up @@ -44,7 +44,7 @@ in
admin = config.ghaf.givc.adminConfig;
};

# Quick fix to allow linger (linger option in user def. currently doesn't work, e.g., bc mutable)
systemd.tmpfiles.rules = [ "f /var/lib/systemd/linger/${config.ghaf.users.accounts.user}" ];
# Enable lingering
users.users.${config.ghaf.users.accounts.user}.linger = true;
};
}
15 changes: 12 additions & 3 deletions modules/microvm/virtualization/microvm/adminvm.nix
Expand Up @@ -10,6 +10,7 @@ let

adminvmBaseConfiguration = {
imports = [
inputs.impermanence.nixosModules.impermanence
inputs.self.nixosModules.givc-adminvm
(import ./common/vm-networking.nix {
inherit
Expand All @@ -20,14 +21,15 @@ let
;
internalIP = 10;
})
./common/storagevm.nix
# We need to retrieve mac address and start log aggregator
../../../common/logging/hw-mac-retrieve.nix
../../../common/logging/logs-aggregator.nix
(
{ lib, ... }:
{
ghaf = {
users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable;
# Profiles
profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable;
development = {
# NOTE: SSH port also becomes accessible on the network interface
Expand All @@ -36,6 +38,8 @@ let
debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable;
nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable;
};

# System
systemd = {
enable = true;
withName = "adminvm-systemd";
Expand All @@ -47,10 +51,15 @@ let
withDebug = configHost.ghaf.profiles.debug.enable;
withHardenedConfigs = true;
};

givc.adminvm.enable = true;

# Log aggregation configuration
# Storage
storagevm = {
enable = true;
name = "adminvm";
};

# Services
logging = {
client.enable = isLoggingEnabled;
listener = {
Expand Down
17 changes: 9 additions & 8 deletions modules/microvm/virtualization/microvm/appvm.nix
Expand Up @@ -60,14 +60,15 @@ let
in
{
ghaf = {
users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable;
# Profiles
profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable;

development = {
ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable;
debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable;
nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable;
};

# Systemd
systemd = {
enable = true;
withName = "appvm-systemd";
Expand All @@ -80,11 +81,7 @@ let
withHardenedConfigs = true;
};

ghaf-audio = {
inherit (vm.ghafAudio) enable;
name = "${vm.name}";
};

# Storage
storagevm = {
enable = true;
name = "${vm.name}";
Expand All @@ -98,7 +95,11 @@ let
];
};

# Logging client configuration
# Services
ghaf-audio = {
inherit (vm.ghafAudio) enable;
name = "${vm.name}";
};
logging.client.enable = configHost.ghaf.logging.client.enable;
logging.client.endpoint = configHost.ghaf.logging.client.endpoint;
};
Expand Down
36 changes: 19 additions & 17 deletions modules/microvm/virtualization/microvm/audiovm.nix
Expand Up @@ -39,14 +39,23 @@ let
imports = [ ../../../common ];

ghaf = {
users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable;
# Profiles
profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable;

development = {
ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable;
debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable;
nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable;
};
users.accounts = {
enableProxyUser = true;
proxyuserGroups = [
"audio"
"video"
"pipewire"
];
};

# System
systemd = {
enable = true;
withName = "audiovm-systemd";
Expand All @@ -60,14 +69,18 @@ let
withHardenedConfigs = true;
};
givc.audiovm.enable = true;
services.audio.enable = true;
# Logging client configuration
logging.client.enable = configHost.ghaf.logging.client.enable;
logging.client.endpoint = configHost.ghaf.logging.client.endpoint;

# Storage
storagevm = {
enable = true;
name = "audiovm";
};

# Services
services.audio.enable = true;
# Logging client configuration
logging.client.enable = configHost.ghaf.logging.client.enable;
logging.client.endpoint = configHost.ghaf.logging.client.endpoint;
};

environment = {
Expand All @@ -78,17 +91,6 @@ let
] ++ lib.optional config.ghaf.development.debug.tools.enable pkgs.alsa-utils;
};

users.users."proxy-user-audio" = {
isNormalUser = true;
uid = config.ghaf.users.accounts.loginuid;
createHome = false;
extraGroups = [
"audio"
"video"
"pipewire"
];
};

time.timeZone = config.time.timeZone;
system.stateVersion = lib.trivial.release;

Expand Down
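Review bot: The inline `users.users."proxy-user-audio"` definition removed at the bottom of the hunk is replaced by `enableProxyUser = true;`, which creates the account under the `proxyuser` option's default name `proxyuser`, so the account name on the audio VM changes with this commit. Anything outside this diff that addresses `proxy-user-audio` (SSH authorized keys, the dbus proxy configuration, persisted group or home entries) would need to follow — I cannot see those files from here. If the old name is meant to be kept, add `proxyuser = "proxy-user-audio";` next to `proxyuserGroups` in the new `users.accounts` block. The group list and the `createHome = false` / `uid = cfg.loginuid` settings match the removed definition.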

0 comments on commit 6ed8b3d
