From be9b20825b808182652042c92398a69ad8e376a9 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Thu, 5 Sep 2024 11:30:53 +0000
Subject: [PATCH] improvedDef/sshAuthorize: only warn on multi-user systems

- avoiding single purpose configs like installers

---
 .../improvedDefaults/sshAuthorize.nix | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/nix/nixos-modules/improvedDefaults/sshAuthorize.nix b/nix/nixos-modules/improvedDefaults/sshAuthorize.nix
index 7b9b443..1439980 100644
--- a/nix/nixos-modules/improvedDefaults/sshAuthorize.nix
+++ b/nix/nixos-modules/improvedDefaults/sshAuthorize.nix
@@ -1,9 +1,4 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, lib, ... }:
 let
 myOpts = config.x-banananetwork;
 cfg = config.x-banananetwork.improvedDefaults;
@@ -44,8 +39,11 @@ in
 inherit (lib.lists) any;
 # variables
 users = config.users.users;
- wheelUsers = lib.trivial.pipe users [
+ nonRootUsers = lib.trivial.pipe users [
 (filterAttrs (n: v: n != "root"))
+ (filterAttrs (n: v: v.isNormalUser))
+ ];
+ wheelUsers = lib.trivial.pipe nonRootUsers [
 (filterAttrs (n: v: builtins.elem "wheel" v.extraGroups))
 ];
 areKeysSet = authKeysOpts: any (x: true) (authKeysOpts.keys ++ authKeysOpts.keyFiles);
@@ -54,6 +52,7 @@ in
 isNonRootAuthed = any isUserAuthed (attrValues wheelUsers);
 isRootAuthed = isUserAuthed users."root";
 doRootAuth = !isNonRootAuthed;
+ otherUserExists = nonRootUsers != [ ];
 
 in
 {
@@ -63,7 +62,10 @@ in
 users.users.root.openssh.authorizedKeys.keys = lib.mkIf doRootAuth (
 lib.mkDefault myOpts.sshPublicKeys
 );
- warnings = lib.mkIf doRootAuth [
+
+ # warn only if other users exist -> multi-user machine
+ # compared to "root"-only systems (e.g. installer, embedded systems)
+ warnings = lib.mkIf (doRootAuth && otherUserExists) [
 ''
 root’s authorized keys were automatically configured because no other user with wheel permission has authorized keys configured
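Review bot: Deriving `wheelUsers` from `nonRootUsers` also applies the new `isNormalUser` filter to the wheel check, so a wheel-group account that is not a normal user (for example one declared with `isSystemUser`) no longer counts toward `isNonRootAuthed` even when it has authorized keys; if such an account exists, `doRootAuth` flips to true and root's authorized keys get installed where the old code left root untouched. That widens root SSH key provisioning beyond the warning-only change the subject describes. If the narrowing is intended, say so in a comment next to `nonRootUsers`; otherwise keep the wheel check on the root-excluded set only, e.g. `wheelUsers = filterAttrs (n: v: n != "root" && builtins.elem "wheel" v.extraGroups) users;`, and use `nonRootUsers` solely for `otherUserExists`. The enclosing `let` block starts before this hunk.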
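Review bot: `otherUserExists = nonRootUsers != [ ];` compares an attribute set (the result of the `filterAttrs` pipeline) with an empty list, and in Nix an attribute set never equals a list, so the expression is always `true`; the new `doRootAuth && otherUserExists` guard in the last hunk therefore still warns on root-only systems and the commit's stated goal is not reached. Compare against an empty attribute set instead: `otherUserExists = nonRootUsers != { };`. The enclosing `let` block starts before this hunk.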