Skip to content

Commit b472304

Browse files
authored
Merge branch 'main' into nix-flake-update
2 parents 49e5552 + 3073ffc commit b472304

15 files changed

Lines changed: 342 additions & 105 deletions

File tree

.github/workflows/build.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,4 +23,4 @@ jobs:
2323
# `--evaluator streaming` would be preferable, but it results in
2424
# colmena exiting as successful after 2 seconds without doing anything,
2525
# even if nix-eval-jobs is installed.
26-
run: nix develop -c colmena build --keep-result --nix-option keep-going true -v
26+
run: nix develop -c nix-fast-build --no-nom --flake .#colmenaHive.toplevel

flake.lock

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

flake.nix

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -160,6 +160,7 @@
160160
disko.nixosModules.disko
161161
niks3.nixosModules.default
162162
niks3.nixosModules.niks3-auto-upload
163+
wayout.nixosModules.default
163164
];
164165

165166
defaultSystem = "x86_64-linux";
@@ -277,13 +278,15 @@
277278

278279
overlays.default = final: prev: {
279280
ocf-utils = ocf-utils.packages.${final.stdenv.hostPlatform.system}.default;
280-
ocf-wayout = wayout.packages.${final.stdenv.hostPlatform.system}.default;
281281
ocf-jukebox = ocf-jukebox.packages.${final.stdenv.hostPlatform.system}.default;
282282
plasma-applet-commandoutput = final.callPackage ./pkgs/plasma-applet-commandoutput.nix { };
283283
catppuccin-sddm = final.qt6Packages.callPackage ./pkgs/catppuccin-sddm.nix { };
284284
ocf-cosmic-applets = ocf-cosmic-applets.packages.${final.stdenv.hostPlatform.system}.default;
285285
ocf-cosmic-greeter = final.callPackage ./pkgs/ocf-cosmic-greeter.nix { };
286286
ocf-hplip = final.callPackage ./pkgs/ocf-hplip.nix { };
287+
ocf-niks3-push = final.callPackage ./pkgs/ocf-niks3-push {
288+
niks3 = niks3.packages.${final.stdenv.hostPlatform.system}.default;
289+
};
287290
};
288291

289292
agenix-rekey = agenix-rekey.configure {
@@ -300,6 +303,7 @@
300303
pkgs.age-plugin-fido2-hmac
301304
pkgs.wol
302305
pkgs.nixfmt-tree
306+
pkgs.nix-fast-build
303307
colmena.packages.${pkgs.stdenv.hostPlatform.system}.colmena
304308
];
305309
};
@@ -309,6 +313,7 @@
309313
pkgs.openssh
310314
pkgs.wol
311315
pkgs.nixfmt-tree
316+
pkgs.nix-fast-build
312317
colmena.packages.${pkgs.stdenv.hostPlatform.system}.colmena
313318
];
314319
};

hosts/servers/amethyst.nix

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
lastOctet = 50;
99
};
1010

11-
ocf.managed-deployment.staffOnlySsh = false;
11+
ocf.auth.staffOnlySSH = false;
1212

1313
ocf.webhost = {
1414
enable = true;

modules/auth.nix

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,11 @@ in
1313
{
1414
options.ocf.auth = {
1515
enable = lib.mkEnableOption "Enable OCF authentication";
16+
staffOnlySSH = lib.mkOption {
17+
type = lib.types.bool;
18+
description = "Restrict SSH access to ocfstaff and ocfroot. Disable for public login servers (as of now, only carp).";
19+
default = true;
20+
};
1621
};
1722

1823
config = lib.mkIf cfg.enable {
@@ -149,6 +154,10 @@ in
149154
# exchanges (which supports post-quantum safe key exchange).
150155
# Only enable key exchange if host has a keytab
151156
#GSSAPIKeyExchange = lib.mkIf hasKeytab "yes";
157+
AllowGroups = lib.mkIf cfg.staffOnlySSH [
158+
"ocfstaff"
159+
"ocfroot"
160+
];
152161
};
153162
};
154163
}

modules/gui/default.nix

Lines changed: 13 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -99,10 +99,17 @@ in
9999
pkgs.cosmic-initial-setup
100100
];
101101

102-
environment.etc = {
103-
skel.source = ./skel;
104-
ocf-assets.source = ./assets;
105-
};
102+
environment.etc =
103+
let
104+
kittyThemes = "${pkgs.kitty-themes}share/kitty-themes/themes";
105+
in
106+
{
107+
skel.source = ./skel;
108+
ocf-assets.source = ./assets;
109+
"xdg/kitty/dark-theme.auto.conf".source = "${kittyThemes}/rose-pine.conf";
110+
"xdg/kitty/light-theme.auto.conf ".source = "${kittyThemes}/rose-pine-dawn.conf";
111+
"xdg/kitty/no-preference-theme.auto.conf".source = "${kittyThemes}/rose-pine.conf";
112+
};
106113

107114
# Conflict override since multiple DEs set this option
108115
programs.ssh.askPassword = pkgs.lib.mkForce (lib.getExe pkgs.ksshaskpass.out);
@@ -191,17 +198,8 @@ in
191198
};
192199
};
193200

194-
systemd.user.services.wayout = {
195-
description = "Automatic idle logout manager";
196-
after = [ "graphical-session.target" ];
197-
partOf = [ "graphical-session.target" ];
198-
wantedBy = [ "graphical-session.target" ];
199-
serviceConfig = {
200-
ExecStart = "${pkgs.ocf-wayout}/bin/wayout";
201-
Type = "simple";
202-
Restart = "on-failure";
203-
};
204-
};
201+
services.wayout.enable = true;
202+
services.wayout.openFirewall = true;
205203

206204
systemd.user.services.desktoprc = {
207205
description = "Source custom rc shared across desktops";

modules/home/home.nix

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -16,11 +16,7 @@ in
1616
{
1717
options.ocf.home = {
1818
tmpfs = lib.mkEnableOption "mount tmpfs on /home and each user's home directory (unmounted on logout)";
19-
mountRemote = lib.mkOption {
20-
type = lib.types.bool;
21-
default = config.ocf.nfs.mount && config.ocf.nfs.asRemote;
22-
description = "nfs mount ~/remote, copy skel from remote on login if it exists";
23-
};
19+
mountRemote = lib.mkEnableOption "nfs mount ~/remote, copy skel from remote on login if it exists";
2420
};
2521

2622
config = lib.mkIf cfg.tmpfs {

modules/login-server.nix

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,13 @@ in
3030
ocf.nfs = {
3131
enable = true;
3232
mount = true;
33+
asRemote = false;
34+
kerberos = false;
35+
36+
# if nfs servers are down, the login servers will be so broken that you
37+
# might as well freeze all io to the nfs mounts at /home and /services.
38+
# this would also be better for data integrity.
39+
softerr = false;
3340
};
3441

3542
programs.mosh.enable = true;
@@ -62,7 +69,7 @@ in
6269
})
6370

6471
(lib.mkIf (cfg.enable && cfg.public) {
65-
ocf.managed-deployment.staffOnlySsh = false;
72+
ocf.auth.staffOnlySSH = false;
6673
ocf.ttyd.enable = true;
6774

6875
security.pam.loginLimits = [

modules/managed-deployment.nix

Lines changed: 92 additions & 62 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,22 @@
88
let
99
cfg = config.ocf.managed-deployment;
1010
deploy-user = "ocf-nix-deploy-user";
11+
authorizedKeys = [
12+
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGlViRB5HH1bTaS1S7TcqVBSuxKdrbdhL2CmhDqc/t6A" # oliverni
13+
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILOaJJvOUG08qr3yeeQRB71M30cdPMuO69nsf0CodALa" # jaysa
14+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDLsEX5PgyQwdOtdOo0U+yWdpOu9gOsqpQRXo7xKww5FAAAABHNzaDo=" # jaysa hardware token
15+
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdAe7sPMxaidnqOah3UVrjt41KFHHOYleS1VWGH+ZUc" # storce
16+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICW8L5pydSCGwBstSlXWNSQh//wmRB03RmAWaT3u7+8hAAAABHNzaDo=" # sbwilliams primary hardware token
17+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIsQXwbC4lVR8qMbduDWHVNvjfqD1m8yYbjdEOGCNVNPAAAABHNzaDo=" # sbwilliams secondary hardware token
18+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIe3xdiMA4u6OhEEa8gw1w26G8mBvAC6SXbbgR0sSWO7AAAABHNzaDo=" # michaelzls hardware token 1
19+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICWs4Daof6LfwMw6376xOfuPgBnZNxnPWpoUvcWdlql5AAAABHNzaDo=" # michaelzls hardware token 2
20+
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3DDYaYibt/VjeYDR7cO8tZA2iJUhPBh6jFrB1mBxJA" # chamburr
21+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDLsEX5PgyQwdOtdOo0U+yWdpOu9gOsqpQRXo7xKww5FAAAABHNzaDo=" # jaysa hardware token
22+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK6PlfQq5LYIOHTnPwQvJeiGo3MYDxBRb+KdTqrffxFnAAAABHNzaDo=" # blakeh hardware token
23+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPs3+fHihwZSBQVtoXffCtSSmBBDb/0NY+BPDIo+FKh9AAAABHNzaDo=" # blakeh backup hardware token
24+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1zLZffea+7TdFSQOhNBmT1hftFwPzAEK2c8siFeS/7AAAABHNzaDo=" # ericgu hardware token
25+
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKtH02NTIoDXgcD5UJoxWWBu5EhHoYaP6NZQKZSIWmadAAAABHNzaDo=" # ericgu backup hardware token
26+
];
1127
in
1228
{
1329
options.ocf.managed-deployment.enable = lib.mkEnableOption "Enable OCF Colmena / GitHub Actions Managed Deployment";
@@ -18,82 +34,96 @@ in
1834
default = true;
1935
};
2036

37+
options.ocf.managed-deployment.emergencyRootSSH = lib.mkOption {
38+
type = lib.types.bool;
39+
description = "Whether to add the deploy user's authorized keys (except github actions) to root for emergency access";
40+
default = true;
41+
};
42+
2143
options.ocf.managed-deployment.mac-address = lib.mkOption {
2244
type = lib.types.str;
2345
description = "MAC address of the host so that it can be woken up with WoL during deploy";
2446
default = "";
2547
};
2648

27-
options.ocf.managed-deployment.staffOnlySsh = lib.mkOption {
28-
type = lib.types.bool;
29-
description = "Restrict SSH access to ocfstaff. Disable for public login servers (as of now, only carp).";
30-
default = true;
31-
};
32-
33-
config = lib.mkIf cfg.enable {
34-
deployment.allowLocalDeployment = true; # for debugging and deploying when github actions deployment breaks
49+
config = lib.mkIf cfg.enable (
50+
lib.mkMerge [
51+
{
52+
deployment.allowLocalDeployment = true; # for debugging and deploying when github actions deployment breaks
3553

36-
nix.settings.trusted-users = [ deploy-user ];
54+
nix.settings.trusted-users = [ deploy-user ];
3755

38-
users.groups.${deploy-user} = { };
56+
users.groups.${deploy-user} = { };
3957

40-
users.users.${deploy-user} = {
41-
isNormalUser = true;
42-
group = deploy-user;
43-
createHome = false;
44-
home = "/var/empty";
45-
openssh.authorizedKeys.keys = [
46-
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMuiOUsjVJSi+0WeMHKquQmwoyz/c3N7HhjJwzz21B3" # github-actions
47-
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGlViRB5HH1bTaS1S7TcqVBSuxKdrbdhL2CmhDqc/t6A" # oliverni
48-
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILOaJJvOUG08qr3yeeQRB71M30cdPMuO69nsf0CodALa" # jaysa
49-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDLsEX5PgyQwdOtdOo0U+yWdpOu9gOsqpQRXo7xKww5FAAAABHNzaDo=" # jaysa hardware token
50-
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdAe7sPMxaidnqOah3UVrjt41KFHHOYleS1VWGH+ZUc" # storce
51-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICW8L5pydSCGwBstSlXWNSQh//wmRB03RmAWaT3u7+8hAAAABHNzaDo=" # sbwilliams primary hardware token
52-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIsQXwbC4lVR8qMbduDWHVNvjfqD1m8yYbjdEOGCNVNPAAAABHNzaDo=" # sbwilliams secondary hardware token
53-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIe3xdiMA4u6OhEEa8gw1w26G8mBvAC6SXbbgR0sSWO7AAAABHNzaDo=" # michaelzls hardware token 1
54-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICWs4Daof6LfwMw6376xOfuPgBnZNxnPWpoUvcWdlql5AAAABHNzaDo=" # michaelzls hardware token 2
55-
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3DDYaYibt/VjeYDR7cO8tZA2iJUhPBh6jFrB1mBxJA" # chamburr
56-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDLsEX5PgyQwdOtdOo0U+yWdpOu9gOsqpQRXo7xKww5FAAAABHNzaDo=" # jaysa hardware token
57-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK6PlfQq5LYIOHTnPwQvJeiGo3MYDxBRb+KdTqrffxFnAAAABHNzaDo=" # blakeh hardware token
58-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPs3+fHihwZSBQVtoXffCtSSmBBDb/0NY+BPDIo+FKh9AAAABHNzaDo=" # blakeh backup hardware token
59-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1zLZffea+7TdFSQOhNBmT1hftFwPzAEK2c8siFeS/7AAAABHNzaDo=" # ericgu hardware token
60-
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKtH02NTIoDXgcD5UJoxWWBu5EhHoYaP6NZQKZSIWmadAAAABHNzaDo=" # ericgu backup hardware token
61-
];
62-
};
58+
users.users.${deploy-user} = {
59+
isNormalUser = true;
60+
group = deploy-user;
61+
createHome = false;
62+
home = "/var/empty";
63+
openssh.authorizedKeys.keys = [
64+
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMuiOUsjVJSi+0WeMHKquQmwoyz/c3N7HhjJwzz21B3" # github-actions
65+
]
66+
++ authorizedKeys;
67+
};
6368

64-
# note: this breaks colmena exec, which runs the given command with sudo,
65-
# but sudo cant ask for a password without a proper terminal
66-
security.sudo.extraRules = [
67-
{
68-
users = [ deploy-user ];
69-
commands = [
70-
# needed for colmena apply
71-
{
72-
command = "/run/current-system/sw/bin/nix-store --no-gc-warning --realise /nix/store/*";
73-
options = [ "NOPASSWD" ];
74-
}
75-
{
76-
command = "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set /nix/store/*";
77-
options = [ "NOPASSWD" ];
78-
}
69+
# note: this breaks colmena exec, which runs the given command with sudo,
70+
# but sudo cant ask for a password without a proper terminal
71+
security.sudo.extraRules = [
7972
{
80-
command = "/nix/store/*/bin/switch-to-configuration *";
81-
options = [ "NOPASSWD" ];
82-
}
73+
users = [ deploy-user ];
74+
commands = [
75+
# needed for colmena apply
76+
{
77+
command = "/run/current-system/sw/bin/nix-store --no-gc-warning --realise /nix/store/*";
78+
options = [ "NOPASSWD" ];
79+
}
80+
{
81+
command = "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set /nix/store/*";
82+
options = [ "NOPASSWD" ];
83+
}
84+
{
85+
command = "/nix/store/*/bin/switch-to-configuration *";
86+
options = [ "NOPASSWD" ];
87+
}
8388

84-
# extra commands allowed on colmena exec
85-
{
86-
command = "/run/current-system/sw/bin/systemctl *";
87-
options = [ "NOPASSWD" ];
89+
# extra commands allowed on colmena exec
90+
{
91+
command = "/run/current-system/sw/bin/systemctl *";
92+
options = [ "NOPASSWD" ];
93+
}
94+
];
8895
}
8996
];
97+
98+
# add deploy-user to allowed groups if staffOnlySSH is enabled
99+
services.openssh.settings.AllowGroups = lib.mkIf config.ocf.auth.staffOnlySSH [
100+
deploy-user
101+
];
90102
}
91-
];
92103

93-
services.openssh.settings.AllowGroups = lib.mkIf cfg.staffOnlySsh [
94-
"ocfstaff"
95-
"ocfroot"
96-
deploy-user
97-
];
98-
};
104+
(lib.mkIf cfg.emergencyRootSSH {
105+
services.openssh.settings.AllowGroups = lib.mkIf config.ocf.auth.staffOnlySSH [
106+
"root"
107+
];
108+
# for when things really go wrong (for example if ldap doesnt work)
109+
users.users.root.openssh.authorizedKeys.keys = authorizedKeys;
110+
111+
# set sensible defaults (and to create the PubKeyAuthentication attribute)
112+
# but catch it if it changes and show a warning
113+
services.openssh.settings = {
114+
PermitRootLogin = lib.mkDefault "prohibit-password";
115+
PubKeyAuthentication = lib.mkDefault true;
116+
};
117+
118+
assertions =
119+
let
120+
sshcfg = config.services.openssh.settings;
121+
in
122+
lib.singleton {
123+
assertion = (sshcfg.PermitRootLogin == "prohibit-password" && sshcfg.PubKeyAuthentication or true);
124+
message = "PermitRootLogin must be set to 'prohibit-password' and PubKeyAuthentication must be set to 'yes' when ocf.managed-deployment.emergencyRootSSH is enabled.";
125+
};
126+
})
127+
]
128+
);
99129
}

0 commit comments

Comments
 (0)