nixos-mods/improvedDefaults: auto authorize root if no other user is

secrix-issue25
Felix Stupp 2 months ago
parent acecbc8a91
commit 49af74ed54
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -12,6 +12,7 @@ in
imports = [ imports = [
./command-not-found.nix ./command-not-found.nix
./powertop-tlp.nix ./powertop-tlp.nix
./sshAuthorize.nix
./wayland.nix ./wayland.nix
]; ];

@ -0,0 +1,71 @@
{ config
, lib
, pkgs
, ...
}:
let
myOpts = config.x-banananetwork;
cfg = config.x-banananetwork.improvedDefaults;
in
{
options = {
x-banananetwork.improvedDefaults = {
autoSshAuthorizeRoot = lib.mkEnableOption ''
automatically add option{x-banananetwork.sshPublicKeys} to roots authorized keys
and enable option{services.openssh.settings.PermitRootLogin}
if no other user has "wheel" power & SSH authorized keys defined.
Also, option{services.openssh.settings.PermitRootLogin} will be disabled
if this module does not require it.
'' // { default = true; };
};
};
config = lib.mkIf
(lib.lists.all (x: x) [
cfg.enable
cfg.autoSshAuthorizeRoot
config.services.openssh.enable
]
)
(
let
inherit (lib.attrsets) attrValues filterAttrs;
inherit (lib.lists) any;
# variables
users = config.users.users;
wheelUsers = lib.trivial.pipe users [
(filterAttrs (n: v: n != "root"))
(filterAttrs (n: v: builtins.elem "wheel" v.extraGroups))
];
areKeysSet = authKeysOpts: any (x: true) (authKeysOpts.keys ++ authKeysOpts.keyFiles);
isUserAuthed = userOpts: areKeysSet userOpts.openssh.authorizedKeys;
# used facts
isNonRootAuthed = any isUserAuthed (attrValues wheelUsers);
isRootAuthed = isUserAuthed users."root";
doRootAuth = !isNonRootAuthed;
in
{
services.openssh.settings.PermitRootLogin = if isRootAuthed then true else lib.mkDefault false;
users.users.root.openssh.authorizedKeys = lib.mkIf doRootAuth (lib.mkDefault myOpts.sshPublicKeys);
warnings = lib.mkIf doRootAuth [
''
roots authorized keys were automatically configured
because no other user with wheel permission has authorized keys configured
''
];
}
);
}
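Review bot: `services.openssh.settings.PermitRootLogin = if isRootAuthed then true else lib.mkDefault false;` opens root SSH wider than this module needs: in NixOS that option is normally a string enum (`"yes"`, `"prohibit-password"`, `"no"`), and a boolean, where the freeform settings accept it at all, renders as `yes`, which also admits password authentication for root, while everything this module provisions is key-based. The matching values are `PermitRootLogin = if isRootAuthed then "prohibit-password" else lib.mkDefault "no";`, so root stays key-only and the explicit value does not clash with the option's declared type. Note also that `isRootAuthed` reads the same `users.users.root.openssh.authorizedKeys` the module sets two lines lower, so whenever `doRootAuth` holds and `x-banananetwork.sshPublicKeys` is non-empty the root-login setting is forced without `mkDefault`, which will produce a definition conflict on any host that explicitly sets it to `"no"` rather than quietly keeping root closed; wrapping that branch in `lib.mkDefault` as well would let a host-level `"no"` win. The `areKeysSet` helper spells "list is non-empty" as `any (x: true) (...)`; `(authKeysOpts.keys ++ authKeysOpts.keyFiles) != []` reads more directly.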