use fixed uid
This commit is contained in:
parent
0dff3a17c0
commit
6369cf7842
@ -442,7 +442,7 @@
|
||||
nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
|
||||
wireguard = { enable = true; peers = [ "vps6" ]; };
|
||||
};
|
||||
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
|
||||
users.users = [ "chn" "xll" "zem" "yjq" "yxy" ];
|
||||
};})
|
||||
];
|
||||
yoga =
|
||||
|
@ -139,7 +139,11 @@ inputs:
|
||||
(attrsToList (with frpClient; stcp // stcpVisitor)))
|
||||
);
|
||||
};
|
||||
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
|
||||
users =
|
||||
{
|
||||
users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
|
||||
groups.frp.gid = inputs.config.nixos.system.user.group.frp;
|
||||
};
|
||||
}
|
||||
)
|
||||
(
|
||||
@ -186,7 +190,11 @@ inputs:
|
||||
secrets."frp/token" = {};
|
||||
};
|
||||
nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
|
||||
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
|
||||
users =
|
||||
{
|
||||
users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
|
||||
groups.frp.gid = inputs.config.nixos.system.user.group.frp;
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 7000 ];
|
||||
}
|
||||
)
|
||||
|
@ -15,8 +15,14 @@ inputs:
|
||||
users =
|
||||
{
|
||||
users.fz-new-order =
|
||||
{ isSystemUser = true; group = "fz-new-order"; home = "/var/lib/fz-new-order"; createHome = true; };
|
||||
groups.fz-new-order = {};
|
||||
{
|
||||
uid = inputs.config.nixos.system.user.user.fz-new-order;
|
||||
group = "fz-new-order";
|
||||
home = "/var/lib/fz-new-order";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
groups.fz-new-order.gid = inputs.config.nixos.system.user.group.fz-new-order;
|
||||
};
|
||||
systemd =
|
||||
{
|
||||
|
@ -9,20 +9,25 @@ inputs:
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (builtins) listToAttrs map concatLists;
|
||||
inherit (builtins) listToAttrs map concatLists concatStringsSep;
|
||||
inherit (inputs.config.nixos.services) groupshare;
|
||||
users = inputs.config.users.groups.groupshare.members;
|
||||
in mkIf groupshare.enable
|
||||
{
|
||||
users.groups.groupshare = {};
|
||||
users.groups.groupshare.gid = inputs.config.nixos.system.user.group.groupshare;
|
||||
systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
|
||||
++ (concatLists (map
|
||||
(user:
|
||||
[
|
||||
"d /var/lib/groupshare/${user} 2750 ${user} groupshare"
|
||||
# sudo setfacl -m 'xxx' dir
|
||||
("a /var/lib/groupshare/${user} - - - - "
|
||||
+ "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x")
|
||||
"Z /var/lib/groupshare/${user} 2750 ${user} groupshare"
|
||||
("A /var/lib/groupshare/${user} - - - - "
|
||||
# d 指 default, 即目录下新创建的文件和目录的权限
|
||||
# 大写 X 指仅给目录执行权限
|
||||
# m 指 mask, 即对于所有者以外的用户, 该用户的权限最大为 m 指定的权限
|
||||
+ (concatStringsSep "," (concatLists (map
|
||||
(perm: [ "d:${perm}" perm ])
|
||||
[ "u:${user}:rwX" "g:groupshare:r-X" "o::---" "m::r-x" ]))))
|
||||
])
|
||||
users));
|
||||
fileSystems = listToAttrs (map
|
||||
|
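Review bot: The new `"Z /var/lib/groupshare/${user} 2750 ${user} groupshare"` rule applies mode 2750 to every regular file below the directory as well, so at each boot existing files gain execute bits (and the setgid bit) that the `rwX`/`r-X` entries on the following `A` line deliberately avoid. systemd-tmpfiles masks the requested mode against the inode's existing bits when it is prefixed with `~`, so `"Z /var/lib/groupshare/${user} ~2750 ${user} groupshare"` still repairs ownership and directory modes without making data files executable. The same applies to the `"Z ${perm}"` rules added in the httpapi, meilisearch, mirism, misskey, blog, catalog, kkmeeting and nginx-sites hunks, where `~0700` in the `perm` string would do. The enclosing `config` attrset continues past the hunk (`fileSystems = …`).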
@ -9,7 +9,7 @@ inputs:
|
||||
let
|
||||
inherit (inputs.config.nixos.services) httpapi;
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (builtins) toString;
|
||||
inherit (builtins) toString map;
|
||||
in mkIf httpapi.enable
|
||||
{
|
||||
nixos.services =
|
||||
@ -25,7 +25,6 @@ inputs:
|
||||
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
|
||||
};
|
||||
};
|
||||
phpfpm.instances.httpapi = {};
|
||||
};
|
||||
sops =
|
||||
{
|
||||
@ -41,6 +40,6 @@ inputs:
|
||||
};
|
||||
secrets."httpapi/token" = {};
|
||||
};
|
||||
systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" ];
|
||||
systemd.tmpfiles.rules = let perm = "/srv/api 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
|
||||
};
|
||||
}
|
||||
|
@ -17,7 +17,7 @@ inputs:
|
||||
let
|
||||
inherit (inputs.config.nixos.services) meilisearch;
|
||||
inherit (inputs.localLib) stripeTabs attrsToList;
|
||||
inherit (builtins) map listToAttrs;
|
||||
inherit (builtins) map listToAttrs concatLists;
|
||||
in
|
||||
{
|
||||
systemd =
|
||||
@ -73,14 +73,15 @@ inputs:
|
||||
};
|
||||
})
|
||||
(attrsToList meilisearch.instances));
|
||||
tmpfiles.rules = map
|
||||
tmpfiles.rules = concatLists (map
|
||||
(instance:
|
||||
let
|
||||
user = instance.value.user;
|
||||
group = inputs.config.users.users.${instance.value.user}.group;
|
||||
perm = "/var/lib/meilisearch/${instance.name} 0700 ${user} ${group}";
|
||||
in
|
||||
"d /var/lib/meilisearch/${instance.name} 0700 ${user} ${group}")
|
||||
(attrsToList meilisearch.instances);
|
||||
[ "d ${perm}" "Z ${perm}" ])
|
||||
(attrsToList meilisearch.instances));
|
||||
};
|
||||
sops =
|
||||
{
|
||||
|
@ -11,7 +11,11 @@ inputs:
|
||||
inherit (builtins) map listToAttrs toString concatLists;
|
||||
in mkIf mirism.enable
|
||||
{
|
||||
users = { users.mirism = { isSystemUser = true; group = "mirism"; }; groups.mirism = {}; };
|
||||
users =
|
||||
{
|
||||
users.mirism = { uid = inputs.config.nixos.system.user.user.mirism; group = "mirism"; isSystemUser = true; };
|
||||
groups.mirism.gid = inputs.config.nixos.system.user.group.mirism;
|
||||
};
|
||||
systemd =
|
||||
{
|
||||
services = listToAttrs (map
|
||||
@ -32,7 +36,9 @@ inputs:
|
||||
};
|
||||
})
|
||||
[ "ng01" "beta" ]);
|
||||
tmpfiles.rules = [ "d /srv/entry.mirism 0700 nginx nginx" "d /srv/mirism 0700 nginx nginx" ];
|
||||
tmpfiles.rules = concatLists (map
|
||||
(perm: [ "d ${perm}" "Z ${perm}" ])
|
||||
(map (dir: "/srv/${dir}mirism 0700 nginx nginx") [ "" "entry." ]));
|
||||
};
|
||||
nixos.services =
|
||||
{
|
||||
|
@ -49,7 +49,8 @@ inputs:
|
||||
};
|
||||
};
|
||||
tmpfiles.rules =
|
||||
[ "d /var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}" ];
|
||||
let perm = "/var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}";
|
||||
in [ "d ${perm}" "Z ${perm}" ];
|
||||
})
|
||||
(attrsToList misskey.instances));
|
||||
fileSystems = mkMerge (map
|
||||
@ -125,12 +126,13 @@ inputs:
|
||||
{
|
||||
users."misskey-${instance.name}" =
|
||||
{
|
||||
isSystemUser = true;
|
||||
uid = inputs.config.nixos.system.user.user."misskey-${instance.name}";
|
||||
group = "misskey-${instance.name}";
|
||||
home = "/var/lib/misskey/${instance.name}";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
groups."misskey-${instance.name}" = {};
|
||||
groups."misskey-${instance.name}".gid = inputs.config.nixos.system.user.group."misskey-${instance.name}";
|
||||
})
|
||||
(attrsToList misskey.instances));
|
||||
nixos.services =
|
||||
|
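Review bot: `uid = inputs.config.nixos.system.user.user."misskey-${instance.name}";` turns the fixed-id table into an allow-list: an instance whose name has no entry in modules/system/user.nix now aborts evaluation with a bare `attribute 'misskey-…' missing` error that does not name the cause. A lookup with an explicit message keeps that fail-closed behaviour while telling the operator what to add, e.g. `uid = inputs.config.nixos.system.user.user."misskey-${instance.name}" or (throw "no fixed uid for misskey-${instance.name}; add it to modules/system/user.nix");`, and the `gid` lookup on `groups."misskey-${instance.name}"` two lines below deserves the same. The per-pool `uid = inputs.config.nixos.system.user.user.${pool.name};` in the phpfpm hunk has the same shape. The `map` over `attrsToList misskey.instances` starts before this hunk.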
@ -12,6 +12,6 @@ inputs:
|
||||
{
|
||||
nixos.services.nginx.https."blog.chn.moe".location."/".static =
|
||||
{ root = "/srv/blog"; index = [ "index.html" ]; };
|
||||
systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" ];
|
||||
systemd.tmpfiles.rules = let perm = "/srv/blog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
|
||||
};
|
||||
}
|
||||
|
@ -12,6 +12,6 @@ inputs:
|
||||
{
|
||||
nixos.services.nginx.https."catalog.chn.moe".location."/".static =
|
||||
{ root = "/srv/catalog"; index = [ "index.html" ]; };
|
||||
systemd.tmpfiles.rules = [ "d /srv/catalog 0700 nginx nginx" ];
|
||||
systemd.tmpfiles.rules = let perm = "/srv/catalog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
|
||||
};
|
||||
}
|
||||
|
@ -13,6 +13,6 @@ inputs:
|
||||
{
|
||||
nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
|
||||
{ root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
|
||||
systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" ];
|
||||
systemd.tmpfiles.rules = let perm = "/srv/kkmeeting 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
|
||||
};
|
||||
}
|
||||
|
@ -28,7 +28,7 @@ inputs:
|
||||
systemd = mkMerge (map
|
||||
(site:
|
||||
{
|
||||
tmpfiles.rules = [ "d ${site.path} 0700 nginx nginx" ];
|
||||
tmpfiles.rules = let perm = "${site.path} 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
|
||||
services.nginx.serviceConfig.ReadWritePaths = [ site.path ];
|
||||
})
|
||||
(attrValues instances));
|
||||
|
@ -50,10 +50,20 @@ inputs:
|
||||
users =
|
||||
{
|
||||
users = listToAttrs (map
|
||||
(pool: { inherit (pool) name; value = { isSystemUser = true; group = pool.name; extraGroups = [ "nginx" ]; }; })
|
||||
(pool:
|
||||
{
|
||||
inherit (pool) name;
|
||||
value =
|
||||
{
|
||||
uid = inputs.config.nixos.system.user.user.${pool.name};
|
||||
group = pool.name;
|
||||
extraGroups = [ "nginx" ];
|
||||
isSystemUser = true;
|
||||
};
|
||||
})
|
||||
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
|
||||
groups = listToAttrs (map
|
||||
(pool: { inherit (pool) name; value = {}; })
|
||||
(pool: { inherit (pool) name; value.gid = inputs.config.nixos.system.user.group.${pool.name}; })
|
||||
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
|
||||
};
|
||||
};
|
||||
|
@ -52,7 +52,11 @@ inputs:
|
||||
"youtube-key" "youtube-client-id" "youtube-client-secret" "youtube-refresh-token"
|
||||
]));
|
||||
};
|
||||
users = { users.rsshub = { isSystemUser = true; group = "rsshub"; }; groups.rsshub = {}; };
|
||||
users =
|
||||
{
|
||||
users.rsshub = { uid = inputs.config.nixos.system.user.user.rsshub; group = "rsshub"; isSystemUser = true; };
|
||||
groups.rsshub.gid = inputs.config.nixos.system.user.group.rsshub;
|
||||
};
|
||||
nixos.services =
|
||||
{
|
||||
redis.instances.rsshub.port = 7116;
|
||||
|
@ -299,7 +299,11 @@ inputs:
|
||||
};
|
||||
};
|
||||
};
|
||||
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
|
||||
users =
|
||||
{
|
||||
users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
|
||||
groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
|
||||
};
|
||||
environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
|
||||
}
|
||||
)
|
||||
@ -482,7 +486,11 @@ inputs:
|
||||
timerConfig = { OnCalendar = "*-*-* 0:00:00"; Unit = "xray-stat.service"; };
|
||||
};
|
||||
};
|
||||
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
|
||||
users =
|
||||
{
|
||||
users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
|
||||
groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
|
||||
};
|
||||
nixos.services =
|
||||
{
|
||||
acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; };
|
||||
|
@ -14,6 +14,7 @@ inputs:
|
||||
./systemd.nix
|
||||
./security.nix
|
||||
./sops.nix
|
||||
./user.nix
|
||||
];
|
||||
config =
|
||||
{
|
||||
|
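--- /dev/null
+++ b/modules/system/user.nix
@@ -0,0 +1,37 @@
+inputs:
+{
+options.nixos.system.user = let inherit (inputs.lib) mkOption types; in
+{
+user = mkOption
+{
+type = types.attrsOf types.ints.unsigned;
+readOnly = true;
+default =
+{
+chn = 1000;
+xll = 1001;
+yjq = 1002;
+yxy = 1003;
+zem = 1004;
+misskey-misskey = 2000;
+misskey-misskey-old = 2001;
+frp = 2002;
+mirism = 2003;
+httpapi = 2004;
+httpua = 2005;
+rsshub = 2006;
+v2ray = 2007;
+fz-new-order = 2008;
+};
+};
+group = mkOption
+{
+type = types.attrsOf types.ints.unsigned;
+readOnly = true;
+default = inputs.config.nixos.system.user.user //
+{
+groupshare = 3000;
+};
+};
+};
+}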
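Review bot: Nothing checks that the numbers in `user` (and in `group`, which is derived from it) are distinct, so a copy-paste slip such as two entries with `2005` silently gives two accounts the same uid and therefore identical ownership of each other's files, and NixOS will not reject that on its own. An assertion over the option values catches it at evaluation time; checking `group` is enough because it defaults to `user // { groupshare = 3000; }`. `types.ints.unsigned` also admits `0`, which would alias root, so `types.ints.positive` (or `types.ints.between 1000 65533`) would encode the intended floor. A short comment above `default =` stating the ranges this table uses — 1000–1999 human users, 2000+ service accounts, 3000+ shared groups — would document why system accounts sit above the range NixOS allocates for them dynamically.
```nix
# … unchanged: options.nixos.system.user = { user = …; group = …; } …
config.assertions =
  let
    inherit (inputs.lib) attrValues length unique;
    ids = attrValues inputs.config.nixos.system.user.group;
  in
  [
    {
      assertion = length ids == length (unique ids);
      message = "nixos.system.user: uid/gid values must be unique";
    }
  ];
```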
@ -9,7 +9,6 @@ inputs:
|
||||
{
|
||||
users.users.chn =
|
||||
{
|
||||
isNormalUser = true;
|
||||
extraGroups = inputs.lib.intersectLists
|
||||
[ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" "groupshare" ]
|
||||
(builtins.attrNames inputs.config.users.groups);
|
||||
|
@ -1,11 +1,31 @@
|
||||
inputs:
|
||||
{
|
||||
imports = inputs.localLib.mkModules [ ./chn ./root ./xll ./yjq ./yxy ./zem ];
|
||||
options.nixos.users = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "root" "chn" ]; };
|
||||
users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "chn" ]; };
|
||||
sharedModules = mkOption { type = types.listOf types.anything; default = []; };
|
||||
};
|
||||
imports = inputs.localLib.mkModules [ ./chn ./root ./xll ./yjq ./yxy ./zem ];
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos) users;
|
||||
inherit (builtins) map;
|
||||
inherit (inputs.lib) mkMerge;
|
||||
in
|
||||
{
|
||||
users = mkMerge (map
|
||||
(name:
|
||||
{
|
||||
users.${name} =
|
||||
{
|
||||
uid = inputs.config.nixos.system.user.user.${name};
|
||||
group = name;
|
||||
isNormalUser = true;
|
||||
};
|
||||
groups.${name}.gid = inputs.config.nixos.system.user.group.${name};
|
||||
})
|
||||
users.users);
|
||||
};
|
||||
}
|
||||
|
||||
# environment.persistence."/impermanence".users.chn =
|
||||
|
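Review bot: With `isNormalUser = true;` and the `uid = inputs.config.nixos.system.user.user.${name};` lookup now applied to every name in `nixos.users.users`, a host that still lists `"root"` (the old default) fails evaluation with `attribute 'root' missing`, because the fixed-id table has no root entry and root.nix no longer consults this list. That fail-closed outcome is the right one, but it is why the per-host list in the first hunk drops `"root"`, and the option should say so instead of leaving the next maintainer to discover it from the error: `users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "chn" ]; description = "Human accounts to create; every name needs a fixed uid in nixos.system.user.user. root is always configured by ./root."; };`.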
@ -4,7 +4,7 @@ inputs:
|
||||
let
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos) users;
|
||||
in mkIf (builtins.elem "root" users.users)
|
||||
in
|
||||
{
|
||||
users.users.root =
|
||||
{
|
||||
|
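Review bot: After the `mkIf (builtins.elem "root" users.users)` guard is dropped, the `inherit (inputs.lib) mkIf;` and `inherit (inputs.config.nixos) users;` bindings may be unused in root.nix, unless the body below the hunk still refers to them (for example through `users.sharedModules`, as zem.nix does). Unused `let` bindings do not affect evaluation, but they send a reader looking for a condition that no longer exists; if nothing uses them, the `let … in` can go and `config =` can open the attrset directly. The `config` attrset continues outside the hunk.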
@ -8,7 +8,6 @@ inputs:
|
||||
{
|
||||
users.users.xll =
|
||||
{
|
||||
isNormalUser = true;
|
||||
extraGroups = inputs.lib.intersectLists
|
||||
[ "groupshare" "video" ]
|
||||
(builtins.attrNames inputs.config.users.groups);
|
||||
|
@ -8,7 +8,6 @@ inputs:
|
||||
{
|
||||
users.users.yjq =
|
||||
{
|
||||
isNormalUser = true;
|
||||
extraGroups = inputs.lib.intersectLists
|
||||
[ "groupshare" "video" ]
|
||||
(builtins.attrNames inputs.config.users.groups);
|
||||
|
@ -8,7 +8,6 @@ inputs:
|
||||
{
|
||||
users.users.yxy =
|
||||
{
|
||||
isNormalUser = true;
|
||||
extraGroups = inputs.lib.intersectLists
|
||||
[ "groupshare" "video" ]
|
||||
(builtins.attrNames inputs.config.users.groups);
|
||||
|
@ -2,23 +2,22 @@ inputs:
|
||||
{
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos) users;
|
||||
in mkIf (builtins.elem "zem" users.users)
|
||||
{
|
||||
users.users.zem =
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos) users;
|
||||
in mkIf (builtins.elem "zem" users.users)
|
||||
{
|
||||
isNormalUser = true;
|
||||
extraGroups = inputs.lib.intersectLists
|
||||
[ "groupshare" "video" ]
|
||||
(builtins.attrNames inputs.config.users.groups);
|
||||
hashedPasswordFile = inputs.config.sops.secrets."users/zem".path;
|
||||
openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
|
||||
shell = inputs.pkgs.zsh;
|
||||
autoSubUidGidRange = true;
|
||||
users.users.zem =
|
||||
{
|
||||
extraGroups = inputs.lib.intersectLists
|
||||
[ "groupshare" "video" ]
|
||||
(builtins.attrNames inputs.config.users.groups);
|
||||
hashedPasswordFile = inputs.config.sops.secrets."users/zem".path;
|
||||
openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
|
||||
shell = inputs.pkgs.zsh;
|
||||
autoSubUidGidRange = true;
|
||||
};
|
||||
home-manager.users.zem.imports = users.sharedModules;
|
||||
sops.secrets."users/zem".neededForUsers = true;
|
||||
nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
|
||||
};
|
||||
home-manager.users.zem.imports = users.sharedModules;
|
||||
sops.secrets."users/zem".neededForUsers = true;
|
||||
nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
|
||||
};
|
||||
}
|
||||
|