use fixed uid

This commit is contained in:
陈浩南 2023-12-09 20:01:50 +08:00
parent 0dff3a17c0
commit 6369cf7842
24 changed files with 157 additions and 55 deletions


@ -442,7 +442,7 @@
nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
wireguard = { enable = true; peers = [ "vps6" ]; };
};
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
users.users = [ "chn" "xll" "zem" "yjq" "yxy" ];
};})
];
yoga =


@ -139,7 +139,11 @@ inputs:
(attrsToList (with frpClient; stcp // stcpVisitor)))
);
};
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
users =
{
users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
groups.frp.gid = inputs.config.nixos.system.user.group.frp;
};
}
)
(
@ -186,7 +190,11 @@ inputs:
secrets."frp/token" = {};
};
nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
users =
{
users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
groups.frp.gid = inputs.config.nixos.system.user.group.frp;
};
networking.firewall.allowedTCPPorts = [ 7000 ];
}
)
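Review bot: The `users` attribute set introduced in the first hunk is repeated verbatim in the second hunk of this file (`@ -186,7 +190,11 @@`), and the same shape appears twice more for v2ray later in this commit; a single `let frpUser = { users.frp = { uid = ...; group = "frp"; isSystemUser = true; }; groups.frp.gid = ...; }; in` binding shared by both branches would keep the uid and gid references in one place. If the two branches are alternatives selected elsewhere in the file the duplication is harmless, but it is still one definition to maintain rather than two. Both hunks sit inside attribute sets that open and close outside the visible lines.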


@ -15,8 +15,14 @@ inputs:
users =
{
users.fz-new-order =
{ isSystemUser = true; group = "fz-new-order"; home = "/var/lib/fz-new-order"; createHome = true; };
groups.fz-new-order = {};
{
uid = inputs.config.nixos.system.user.user.fz-new-order;
group = "fz-new-order";
home = "/var/lib/fz-new-order";
createHome = true;
isSystemUser = true;
};
groups.fz-new-order.gid = inputs.config.nixos.system.user.group.fz-new-order;
};
systemd =
{


@ -9,20 +9,25 @@ inputs:
config =
let
inherit (inputs.lib) mkIf;
inherit (builtins) listToAttrs map concatLists;
inherit (builtins) listToAttrs map concatLists concatStringsSep;
inherit (inputs.config.nixos.services) groupshare;
users = inputs.config.users.groups.groupshare.members;
in mkIf groupshare.enable
{
users.groups.groupshare = {};
users.groups.groupshare.gid = inputs.config.nixos.system.user.group.groupshare;
systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
++ (concatLists (map
(user:
[
"d /var/lib/groupshare/${user} 2750 ${user} groupshare"
# sudo setfacl -m 'xxx' dir
("a /var/lib/groupshare/${user} - - - - "
+ "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x")
"Z /var/lib/groupshare/${user} 2750 ${user} groupshare"
("A /var/lib/groupshare/${user} - - - - "
# d 指 default, 即目录下新创建的文件和目录的权限
# 大写 X 指仅给目录执行权限
# m 指 mask, 即对于所有者以外的用户, 该用户的权限最大为 m 指定的权限
+ (concatStringsSep "," (concatLists (map
(perm: [ "d:${perm}" perm ])
[ "u:${user}:rwX" "g:groupshare:r-X" "o::---" "m::r-x" ]))))
])
users));
fileSystems = listToAttrs (map
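Review bot: Replacing the per-user `d` line with `Z` drops directory creation: tmpfiles `Z` only adjusts paths that already exist, so on a host where `/var/lib/groupshare/${user}` has not yet been created the directory is never made and the following `A` line has nothing to apply to; keep `"d /var/lib/groupshare/${user} 2750 ${user} groupshare"` ahead of the `Z` line, as the other sections of this commit do with their `[ "d ${perm}" "Z ${perm}" ]` pairs. Note also that, unless masked, `Z` applies the mode as given to regular files in the tree as well, so 2750 puts the setgid bit and group-execute on every file the users drop in; prefixing the mode with `~` (`~2750`) masks the execute bits against each file's existing bits. The same consideration applies to the 0700 `Z` lines added for httpapi, meilisearch, mirism, misskey, blog, catalog, kkmeeting and the static-site loop, where every file under the served root would gain the execute bit on each tmpfiles run. The enclosing `config` attribute set continues outside the hunk.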


@ -9,7 +9,7 @@ inputs:
let
inherit (inputs.config.nixos.services) httpapi;
inherit (inputs.lib) mkIf;
inherit (builtins) toString;
inherit (builtins) toString map;
in mkIf httpapi.enable
{
nixos.services =
@ -25,7 +25,6 @@ inputs:
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
};
};
phpfpm.instances.httpapi = {};
};
sops =
{
@ -41,6 +40,6 @@ inputs:
};
secrets."httpapi/token" = {};
};
systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" ];
systemd.tmpfiles.rules = let perm = "/srv/api 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
};
}


@ -17,7 +17,7 @@ inputs:
let
inherit (inputs.config.nixos.services) meilisearch;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (builtins) map listToAttrs;
inherit (builtins) map listToAttrs concatLists;
in
{
systemd =
@ -73,14 +73,15 @@ inputs:
};
})
(attrsToList meilisearch.instances));
tmpfiles.rules = map
tmpfiles.rules = concatLists (map
(instance:
let
user = instance.value.user;
group = inputs.config.users.users.${instance.value.user}.group;
perm = "/var/lib/meilisearch/${instance.name} 0700 ${user} ${group}";
in
"d /var/lib/meilisearch/${instance.name} 0700 ${user} ${group}")
(attrsToList meilisearch.instances);
[ "d ${perm}" "Z ${perm}" ])
(attrsToList meilisearch.instances));
};
sops =
{


@ -11,7 +11,11 @@ inputs:
inherit (builtins) map listToAttrs toString concatLists;
in mkIf mirism.enable
{
users = { users.mirism = { isSystemUser = true; group = "mirism"; }; groups.mirism = {}; };
users =
{
users.mirism = { uid = inputs.config.nixos.system.user.user.mirism; group = "mirism"; isSystemUser = true; };
groups.mirism.gid = inputs.config.nixos.system.user.group.mirism;
};
systemd =
{
services = listToAttrs (map
@ -32,7 +36,9 @@ inputs:
};
})
[ "ng01" "beta" ]);
tmpfiles.rules = [ "d /srv/entry.mirism 0700 nginx nginx" "d /srv/mirism 0700 nginx nginx" ];
tmpfiles.rules = concatLists (map
(perm: [ "d ${perm}" "Z ${perm}" ])
(map (dir: "/srv/${dir}mirism 0700 nginx nginx") [ "" "entry." ]));
};
nixos.services =
{
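Review bot: `map (dir: "/srv/${dir}mirism 0700 nginx nginx") [ "" "entry." ]` reads as a path template with an empty prefix, which hides that exactly two directories are meant; the old literal list was clearer on that point. Spelling the paths out, e.g. `(map (dir: "${dir} 0700 nginx nginx") [ "/srv/mirism" "/srv/entry.mirism" ])`, keeps the `d`/`Z` pair generation while naming the directories directly. The `systemd` set this sits in is opened and closed outside the hunk.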


@ -49,7 +49,8 @@ inputs:
};
};
tmpfiles.rules =
[ "d /var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}" ];
let perm = "/var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}";
in [ "d ${perm}" "Z ${perm}" ];
})
(attrsToList misskey.instances));
fileSystems = mkMerge (map
@ -125,12 +126,13 @@ inputs:
{
users."misskey-${instance.name}" =
{
isSystemUser = true;
uid = inputs.config.nixos.system.user.user."misskey-${instance.name}";
group = "misskey-${instance.name}";
home = "/var/lib/misskey/${instance.name}";
createHome = true;
isSystemUser = true;
};
groups."misskey-${instance.name}" = {};
groups."misskey-${instance.name}".gid = inputs.config.nixos.system.user.group."misskey-${instance.name}";
})
(attrsToList misskey.instances));
nixos.services =
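Review bot: The uid lookup `inputs.config.nixos.system.user.user."misskey-${instance.name}"` makes evaluation fail for any instance whose name is absent from the fixed-id table, and the failure surfaces only as an attribute-missing error far from that table. Failing closed is the right default for fixed ids, but a short comment at the lookup would save the next maintainer a search: `# every misskey instance needs a fixed uid/gid entry in modules/system/user.nix; evaluation fails otherwise`. The phpfpm pool lookup `user.${pool.name}` added later in this commit has the same property and could carry the same comment. The per-instance function and the surrounding `map` start and end outside the hunk.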


@ -12,6 +12,6 @@ inputs:
{
nixos.services.nginx.https."blog.chn.moe".location."/".static =
{ root = "/srv/blog"; index = [ "index.html" ]; };
systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" ];
systemd.tmpfiles.rules = let perm = "/srv/blog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
};
}


@ -12,6 +12,6 @@ inputs:
{
nixos.services.nginx.https."catalog.chn.moe".location."/".static =
{ root = "/srv/catalog"; index = [ "index.html" ]; };
systemd.tmpfiles.rules = [ "d /srv/catalog 0700 nginx nginx" ];
systemd.tmpfiles.rules = let perm = "/srv/catalog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
};
}


@ -13,6 +13,6 @@ inputs:
{
nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
{ root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" ];
systemd.tmpfiles.rules = let perm = "/srv/kkmeeting 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
};
}


@ -28,7 +28,7 @@ inputs:
systemd = mkMerge (map
(site:
{
tmpfiles.rules = [ "d ${site.path} 0700 nginx nginx" ];
tmpfiles.rules = let perm = "${site.path} 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
services.nginx.serviceConfig.ReadWritePaths = [ site.path ];
})
(attrValues instances));


@ -50,10 +50,20 @@ inputs:
users =
{
users = listToAttrs (map
(pool: { inherit (pool) name; value = { isSystemUser = true; group = pool.name; extraGroups = [ "nginx" ]; }; })
(pool:
{
inherit (pool) name;
value =
{
uid = inputs.config.nixos.system.user.user.${pool.name};
group = pool.name;
extraGroups = [ "nginx" ];
isSystemUser = true;
};
})
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
groups = listToAttrs (map
(pool: { inherit (pool) name; value = {}; })
(pool: { inherit (pool) name; value.gid = inputs.config.nixos.system.user.group.${pool.name}; })
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
};
};


@ -52,7 +52,11 @@ inputs:
"youtube-key" "youtube-client-id" "youtube-client-secret" "youtube-refresh-token"
]));
};
users = { users.rsshub = { isSystemUser = true; group = "rsshub"; }; groups.rsshub = {}; };
users =
{
users.rsshub = { uid = inputs.config.nixos.system.user.user.rsshub; group = "rsshub"; isSystemUser = true; };
groups.rsshub.gid = inputs.config.nixos.system.user.group.rsshub;
};
nixos.services =
{
redis.instances.rsshub.port = 7116;


@ -299,7 +299,11 @@ inputs:
};
};
};
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
users =
{
users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
};
environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
}
)
@ -482,7 +486,11 @@ inputs:
timerConfig = { OnCalendar = "*-*-* 0:00:00"; Unit = "xray-stat.service"; };
};
};
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
users =
{
users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
};
nixos.services =
{
acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; };


@ -14,6 +14,7 @@ inputs:
./systemd.nix
./security.nix
./sops.nix
./user.nix
];
config =
{

37
modules/system/user.nix Normal file

@ -0,0 +1,37 @@
inputs:
{
options.nixos.system.user = let inherit (inputs.lib) mkOption types; in
{
user = mkOption
{
type = types.attrsOf types.ints.unsigned;
readOnly = true;
default =
{
chn = 1000;
xll = 1001;
yjq = 1002;
yxy = 1003;
zem = 1004;
misskey-misskey = 2000;
misskey-misskey-old = 2001;
frp = 2002;
mirism = 2003;
httpapi = 2004;
httpua = 2005;
rsshub = 2006;
v2ray = 2007;
fz-new-order = 2008;
};
};
group = mkOption
{
type = types.attrsOf types.ints.unsigned;
readOnly = true;
default = inputs.config.nixos.system.user.user //
{
groupshare = 3000;
};
};
};
}
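Review bot: Nothing checks that the fixed uid and gid values in `user` and `group` are unique, so a typo that repeats a number (say two service accounts both at 2004) evaluates cleanly and gives the two accounts identical ownership of each other's files, which is exactly the isolation this table exists to provide. A `config.assertions` entry comparing each value list against `lib.unique` turns that into a build-time error; `group` needs its own check, since the `//` merge cannot collide on keys but can on values. The two options also lack a `description`, e.g. `description = "Fixed uid per account name; every user the modules reference must be listed here.";`. The split between 1000–1004 for people and 2000+ for service accounts is presumably intentional and is worth stating in that description.
```nix
  # … unchanged: options.nixos.system.user = { user = …; group = …; } …
  config.assertions =
    let
      inherit (builtins) attrValues length;
      inherit (inputs.lib) unique;
      uids = attrValues inputs.config.nixos.system.user.user;
      gids = attrValues inputs.config.nixos.system.user.group;
    in
    [
      { assertion = length uids == length (unique uids); message = "nixos.system.user.user: uid values must be unique"; }
      { assertion = length gids == length (unique gids); message = "nixos.system.user.group: gid values must be unique"; }
    ];
```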


@ -9,7 +9,6 @@ inputs:
{
users.users.chn =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" "groupshare" ]
(builtins.attrNames inputs.config.users.groups);


@ -1,11 +1,31 @@
inputs:
{
imports = inputs.localLib.mkModules [ ./chn ./root ./xll ./yjq ./yxy ./zem ];
options.nixos.users = let inherit (inputs.lib) mkOption types; in
{
users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "root" "chn" ]; };
users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "chn" ]; };
sharedModules = mkOption { type = types.listOf types.anything; default = []; };
};
imports = inputs.localLib.mkModules [ ./chn ./root ./xll ./yjq ./yxy ./zem ];
config =
let
inherit (inputs.config.nixos) users;
inherit (builtins) map;
inherit (inputs.lib) mkMerge;
in
{
users = mkMerge (map
(name:
{
users.${name} =
{
uid = inputs.config.nixos.system.user.user.${name};
group = name;
isNormalUser = true;
};
groups.${name}.gid = inputs.config.nixos.system.user.group.${name};
})
users.users);
};
}
# environment.persistence."/impermanence".users.chn =
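Review bot: Every user in `nixos.users.users` now gets `group = name` with a matching `groups.${name}.gid`, whereas `isNormalUser` on its own left the primary group at NixOS's `users` default; on hosts that already exist, home directories and files created under that old primary group keep it, so ownership of existing data should be checked after the switch (an inference from the change, not something visible here). The two options still carry no `description`; `users = mkOption { ...; description = "Names of the normal users to create on this host; each needs an entry in nixos.system.user."; }` and a similar one for `sharedModules` would document the coupling to the uid table. Removing `"root"` from the default list is consistent with root.nix dropping its `mkIf`, since root has no entry in the uid table and would otherwise fail the lookup inside the `map` here.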


@ -4,7 +4,7 @@ inputs:
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "root" users.users)
in
{
users.users.root =
{


@ -8,7 +8,6 @@ inputs:
{
users.users.xll =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);


@ -8,7 +8,6 @@ inputs:
{
users.users.yjq =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);


@ -8,7 +8,6 @@ inputs:
{
users.users.yxy =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);


@ -2,23 +2,22 @@ inputs:
{
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "zem" users.users)
{
users.users.zem =
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "zem" users.users)
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
hashedPasswordFile = inputs.config.sops.secrets."users/zem".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
users.users.zem =
{
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
hashedPasswordFile = inputs.config.sops.secrets."users/zem".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.zem.imports = users.sharedModules;
sops.secrets."users/zem".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
};
home-manager.users.zem.imports = users.sharedModules;
sops.secrets."users/zem".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
};
}