authorEuAndreh <eu@euandre.org>2022-03-20 01:46:30 -0300
committerEuAndreh <eu@euandre.org>2022-03-20 01:46:30 -0300
commit605f2f296645a8460acf2ee509627714222d9c24 (patch)
tree1f8038c30b3ce726fc7960976c82ff279760f1cb
parentsrc/lib/curth0.scm: Re-export "first" and "second" functions (diff)
src/machines.scm: Declaratively list users
-rw-r--r--src/machines.scm66
1 files changed, 37 insertions, 29 deletions
diff --git a/src/machines.scm b/src/machines.scm
index d08a48f..9bcd55f 100644
--- a/src/machines.scm
+++ b/src/machines.scm
@@ -1,5 +1,6 @@
(use-modules (gnu)
(curth0)
+ (srfi srfi-26)
(gnu packages ssh)
@@ -155,15 +156,13 @@
borg init -e repokey-blake2 "$R:toph-borg" ||:
borg key export "$R:toph-borg" /opt/secrets/borg-key.txt
- # FIXME: more users
borg create \
--exclude /root/.cache/ \
- --exclude /home/andreh/.cache/ \
--stats \
--compression lzma,9 \
"R$:toph-borg::{hostname}-{now}-${1:-cronjob}" \
/root/ \
- /home/andreh/ \
+ /home/ \
/etc/letsencrypt/ \
/var/lib/certbot/ \
/var/lib/letsencrypt \
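Review bot: Widening the backup root from `/home/andreh/` to `/home/` drops the `--exclude /home/andreh/.cache/` line without a replacement, so every user's cache directory is now archived on each run instead of being skipped as before. A wildcard exclude preserves the original intent for all accounts, e.g. `--exclude '/home/*/.cache/'` (assuming borg's default shell-style pattern matching is in effect, which the hunk does not show). The unchanged context line `"R$:toph-borg::{hostname}-{now}-${1:-cronjob}"` also looks like a transposition of the `$R:` prefix used two lines above for `init` and `key export`; as written the shell leaves `R$:` literal and the archive would not be created in the repository named by `$R`. It predates this commit, but since the surrounding lines are being edited it is worth correcting in the same place.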
@@ -224,33 +223,42 @@
#~(job "* * * * *" "seq 20 30 >&2")))
+(define admin-user "andreh")
+
+(define andreh-pk
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDnUv7iWOejQNa3fZ6v4lkHT6qFRp2+NuzIpFJ2Vy7eP58XZoiz6HJPcCU8Hf95JXwaXEwS4S7mXdw1x60hd8JIe058Ek6MZSSVQmlLfocGsAYj1wTrLmnQ8+PV0IeQlNj1aytBI1fL+v3IPt+JdLt6b+g3vwcEUU9efzxx2E0KZ5GIpb2meiCQ6ha+tcd7XqegB53eQj/h/coE2zLJodpaJ3xbj894pE/OJCNC0+4d0Sv7oHhY7QoLYldTQbSgPyhyfl4iZpJf6OEPZxK2cJaB+cbeoBB6aGNyU+CIJToM+uAJJ7H7EpvxfcnfJQ1PuY5szTdvFbW820euiUEKEW69mW4uaFNPSc6D4Z8tZ5hXQIqBD40irULhF0CYNkIILmyNV/KJIZ5HkbQ1q+UrCFHJyvuH/3aCTjj9OSfE7xHPQ3xd3Xw8vvj0Mjie09xFbbcklBTw5WRzH7cw8c+Q0O69kZZ8b+ykcdzWTeZeWNdnzptNqnMjfheig90rUIJ7DN0c+53jCUcGpWJxJhcYF9Uk1RNHmSE5+VzK1y+20t0grVFX90nApm4Tl35QPrX7Qxp9C81cWiUB8xCAE6jYrmd4x+P/3wSQfc1Xg0Eg3QjJB+6JD7cbyDJpzDR3ja+CLZCAr9I0B4rDKD2d6et/z67iXPnZUWMyZ8RVVZPFbBMOTw== openpgp:0xF727046D")
+
(define users
- '())
+ `(((#:username . "andreh")
+ (#:extra-groups . ("wheel"))
+ (#:public-keys . (,andreh-pk)))))
(define user-accounts
- '())
-(define authorized-keys)
-`(("andreh" ,(plain-file "id_rsa.pub" "ssh-rsa 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 openpgp:0xF727046D")))
- (list
- (user-account
- (name "andreh")
- (comment "EuAndreh")
- (group "users")
- (supplementary-groups '("wheel"))))
+ (map (lambda (user)
+ (let ((name (assoc-ref user #:username))
+ (groups (or (assoc-ref user #:extra-groups) '())))
+ (user-account
+ (name name)
+ (comment name)
+ (group "users")
+ (supplementary-groups groups))))
+ users))
+
+(define authorized-keys
+ (map (lambda (user)
+ (let* ((name (assoc-ref user #:username))
+ (pk-strs (assoc-ref user #:public-keys))
+ (pk-files (map (cut plain-file "id_rsa.pub" <>) pk-strs)))
+ `(,name . ,pk-files)))
+ users))
+
(define toph
(operating-system
(locale "fr_FR.utf8")
(timezone "America/Sao_Paulo")
(host-name "toph")
- (users (append
- (list
- (user-account
- (name "andreh")
- (comment "EuAndreh")
- (group "users")
- (supplementary-groups '("wheel"))))
- %base-user-accounts))
+ (users (append user-accounts %base-user-accounts))
(sudoers-file (plain-file "sudoers" #"""-
root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL
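Review bot: `authorized-keys` maps `plain-file` over `(assoc-ref user #:public-keys)` unguarded, whereas the sibling `user-accounts` defaults a missing `#:extra-groups` to `'()`; an entry in `users` without `#:public-keys` would make `map` fail on `#f` when the file is evaluated, so `(pk-strs (or (assoc-ref user #:public-keys) '()))` keeps the two helpers consistent and lets a keyless user simply get no sshd entry. The admin's name is also spelled twice, as `admin-user` on the first added line and as the literal `"andreh"` inside the already-quasiquoted `users` list; `(#:username . ,admin-user)` ties them together so they cannot drift. The account comment silently changes from `"EuAndreh"` to the username via `(comment name)`, which the commit message does not mention; if that is unintended, an optional `#:comment` field read with `(or (assoc-ref user #:comment) name)` would preserve it. Because the `sudoers-file` below grants `%wheel` passwordless root, `#:extra-groups` is effectively a privilege grant, and a comment on the `users` list such as `;; "wheel" grants passwordless sudo via sudoers-file below` would make that visible to whoever adds the next entry. The `toph` operating-system definition continues past the end of this hunk.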
@@ -272,12 +280,12 @@
(password-authentication? #f)
(subsystems '())
(log-level 'verbose)
+ (authorized-keys authorized-keys)
(extra-content #"""-
ClientAliveInterval 30
ClientAliveCountMax 20
- """#)
- (authorized-keys
- `(("andreh" ,(plain-file "id_rsa.pub" "ssh-rsa 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 openpgp:0xF727046D"))))))
+ MaxSessions 20
+ """#)))
(service dhcp-client-service-type)
(service mcron-service-type
(mcron-configuration
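Review bot: `MaxSessions 20` is added to the sshd `extra-content` with no indication of why the OpenSSH default of 10 is insufficient on this host. sshd_config accepts `#` comment lines, so a line immediately above it such as `# raised from the default 10: <reason>` with the actual motivation filled in would document the choice for the next reader. The `(authorized-keys authorized-keys)` move itself is fine; the value it receives is built from the `users` list defined earlier in the file, outside this hunk.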
@@ -320,10 +328,10 @@
add_header Strict-Transport-Security 'max-age=86400; includeSubdomains' always;
"""#)))))))
(service mail-aliases-service-type
- '(("webmaster" "andreh")
- ("abuse" "andreh")
- ("root" "andreh")
- ("postmaster" "andreh")))
+ `(("webmaster" ,admin-user)
+ ("abuse" ,admin-user)
+ ("root" ,admin-user)
+ ("postmaster" ,admin-user)))
(service opensmtpd-service-type
(opensmtpd-configuration
(config-file opensmtpd.conf))))
@@ -365,7 +373,7 @@
(configuration (machine-ssh-configuration
(host-name "toph")
(system "x86_64-linux")
- (user "andreh")
+ (user admin-user)
(port 38123)
(host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILoz1gFl6chY91vQ5SrZXSP5yHqRI3TdYy2ccEDpS7Z4")))))