koishi/nixos
1
0
Fork 0
Code Issues Pull requests Projects Activity

fix(app): isolate app user configuration

Browse source
This commit is contained in:
514fpv 2024-01-09 14:10:05 +08:00
parent 4d31fbbe2a
commit adee5903cc
Signed by: koishi
SSH key fingerprint: SHA256:axz0uIzzY+5W19i7QOUuiw5LSqhKfCBKPf3L4xFRxLw
3 changed files with 38 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
home/app/nixos.nix Normal file
View file

@ -0,0 +1,27 @@
{ pkgs
, lib
, config
, ... }: with lib; let
cfg = config.users;
in {
options.users.home.persistApp = {
files = mkOption {
type = with types; listOf (oneOf [ str (attrsOf str) ]);
default = [ ];
};
directories = mkOption {
type = with types; listOf (oneOf [ str (attrsOf str) ]);
default = [ ];
};
};
config = {
users.profiles.app = {
uid = 5800;
description = "Insecure Applications";
};
# extra persistence specific to the app user
environment.persistence."/nix/persist".users.app = cfg.home.persistApp;
};
}

27
home/profile.nix
View file

@ -43,8 +43,13 @@ in {
description = "home manager modules imported into every profile"; description = "home manager modules imported into every profile";
}; };
home = let home = {
persistOpts = { size = mkOption {
type = with types; str;
default = "1G";
description = "default home tmpfs size, mounted to prevent accidentally filling up root";
};
persist = {
files = mkOption { files = mkOption {
type = with types; listOf (oneOf [ str (attrsOf str) ]); type = with types; listOf (oneOf [ str (attrsOf str) ]);
default = [ ]; default = [ ];
@ -54,14 +59,6 @@ in {
default = [ ]; default = [ ];
}; };
}; };
in {
size = mkOption {
type = with types; str;
default = "1G";
description = "default home tmpfs size, mounted to prevent accidentally filling up root";
};
persist = persistOpts;
persistApp = persistOpts;
}; };
}; };
@ -70,7 +67,7 @@ in {
users = mapAttrs (name: opts: { users = mapAttrs (name: opts: {
inherit (opts) uid; inherit (opts) uid;
description = with opts; mkIf (description != null) description; description = with opts; mkIf (description != null) description;
extraGroups = mkIf opts.admin cfg.adminGroups; extraGroups = [ "dialout" ] ++ optionals opts.admin cfg.adminGroups;
openssh.authorizedKeys.keys = mkIf (opts.sshLogin && config.services.openssh.enable) openssh.authorizedKeys.keys = mkIf (opts.sshLogin && config.services.openssh.enable)
config.global.auth.openssh.publicKeys; config.global.auth.openssh.publicKeys;
hashedPasswordFile = "/nix/persist/shadow/${name}"; hashedPasswordFile = "/nix/persist/shadow/${name}";
@ -82,7 +79,7 @@ in {
# base groups # base groups
adminGroups = [ adminGroups = [
"wheel" "dialout" "kvm" "wheel" "kvm"
"systemd-journal" "systemd-journal"
]; ];
@ -140,10 +137,8 @@ in {
# cannot get it properly for the same reason # cannot get it properly for the same reason
# mentioned above in fileSystems # mentioned above in fileSystems
home = mkIf (name == "root") "/root"; home = mkIf (name == "root") "/root";
}) cfg.profiles) // { }) cfg.profiles);
# extra persistence specific to the app user
app = cfg.home.persistApp;
};
hideMounts = true; hideMounts = true;
}; };

5
home/user.nix
View file

@ -12,11 +12,6 @@
description = "Staging Environment"; description = "Staging Environment";
}; };
app = {
uid = 5800;
description = "Insecure Applications";
};
root.uid = 0; root.uid = 0;
}; };
} }