diff --git a/flake.nix b/flake.nix
index 6a0b6199..9dd9f788 100644
--- a/flake.nix
+++ b/flake.nix
@@ -442,7 +442,7 @@
 nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
 wireguard = { enable = true; peers = [ "vps6" ]; };
 };
- users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
+ users.users = [ "chn" "xll" "zem" "yjq" "yxy" ];
 };})
 ];
 yoga =
diff --git a/modules/services/frp.nix b/modules/services/frp.nix
index ee2058cc..8a69a305 100644
--- a/modules/services/frp.nix
+++ b/modules/services/frp.nix
@@ -139,7 +139,11 @@ inputs:
 (attrsToList (with frpClient; stcp // stcpVisitor)))
 );
 };
- users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
+ users =
+ {
+ users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
+ groups.frp.gid = inputs.config.nixos.system.user.group.frp;
+ };
 }
 )
 (
@@ -186,7 +190,11 @@ inputs:
 secrets."frp/token" = {};
 };
 nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
- users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
+ users =
+ {
+ users.frp = { uid = inputs.config.nixos.system.user.user.frp; group = "frp"; isSystemUser = true; };
+ groups.frp.gid = inputs.config.nixos.system.user.group.frp;
+ };
 networking.firewall.allowedTCPPorts = [ 7000 ];
 }
 )
diff --git a/modules/services/fz-new-order/default.nix b/modules/services/fz-new-order/default.nix
index 777d9e13..42e61243 100644
--- a/modules/services/fz-new-order/default.nix
+++ b/modules/services/fz-new-order/default.nix
@@ -15,8 +15,14 @@ inputs: users = { users.fz-new-order = - { isSystemUser = true; group = "fz-new-order"; home = "/var/lib/fz-new-order"; createHome = true; }; - groups.fz-new-order = {}; + { + uid = inputs.config.nixos.system.user.user.fz-new-order; + group = "fz-new-order"; + home = "/var/lib/fz-new-order"; + createHome = true; + isSystemUser = true; + }; + groups.fz-new-order.gid = inputs.config.nixos.system.user.group.fz-new-order; }; systemd = { diff --git a/modules/services/groupshare.nix b/modules/services/groupshare.nix index 1e994f54..20d89e3b 100644 --- a/modules/services/groupshare.nix +++ b/modules/services/groupshare.nix @@ -9,20 +9,25 @@ inputs: config = let inherit (inputs.lib) mkIf; - inherit (builtins) listToAttrs map concatLists; + inherit (builtins) listToAttrs map concatLists concatStringsSep; inherit (inputs.config.nixos.services) groupshare; users = inputs.config.users.groups.groupshare.members; in mkIf groupshare.enable { - users.groups.groupshare = {}; + users.groups.groupshare.gid = inputs.config.nixos.system.user.group.groupshare; systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ] ++ (concatLists (map (user: [ "d /var/lib/groupshare/${user} 2750 ${user} groupshare" - # sudo setfacl -m 'xxx' dir - ("a /var/lib/groupshare/${user} - - - - " - + "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x") + "Z /var/lib/groupshare/${user} 2750 ${user} groupshare" + ("A /var/lib/groupshare/${user} - - - - " + # d 指 default, 即目录下新创建的文件和目录的权限 + # 大写 X 指仅给目录执行权限 + # m 指 mask, 即对于所有者以外的用户, 该用户的权限最大为 m 指定的权限 + + (concatStringsSep "," (concatLists (map + (perm: [ "d:${perm}" perm ]) + [ "u:${user}:rwX" "g:groupshare:r-X" "o::---" "m::r-x" ])))) ]) users)); fileSystems = listToAttrs (map diff --git a/modules/services/httpapi.nix b/modules/services/httpapi.nix index cf1dd1d3..6de740ec 100644 --- a/modules/services/httpapi.nix +++ b/modules/services/httpapi.nix 
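Review bot: The new `"Z /var/lib/groupshare/${user} 2750 ${user} groupshare"` line in groupshare.nix recurses through the whole tree and applies mode 2750 to regular files as well as directories, so every existing file gains execute bits, and the `X` in the `A` entries that follow then resolves to execute on those files too (they now "already have execute permission"), which is not what the `# 大写 X 指仅给目录执行权限` comment intends. systemd-tmpfiles accepts a `~` prefix that masks the requested mode against the bits an inode already has, so `"Z /var/lib/groupshare/${user} ~2750 ${user} groupshare"` keeps non-executable files non-executable while directories still end up 2750. The same applies to the `Z … 0700 nginx nginx` rules added in httpapi.nix, meilisearch.nix, mirism.nix, misskey.nix, blog.nix, catalog.nix, kkmeeting.nix and webdav.nix, where `~0700` leaves served files at 0600 instead of turning them executable. The three Chinese comments inside the `A` expression would be clearer in English, e.g. `# d: = default ACL inherited by new entries; X = execute only for directories or already-executable files; m = mask capping every non-owner entry`.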
@@ -9,7 +9,7 @@ inputs:
 let
 inherit (inputs.config.nixos.services) httpapi;
 inherit (inputs.lib) mkIf;
- inherit (builtins) toString;
+ inherit (builtins) toString map;
 in mkIf httpapi.enable
 {
 nixos.services =
@@ -25,7 +25,6 @@ inputs:
 fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
 };
 };
- phpfpm.instances.httpapi = {};
 };
 sops =
 {
@@ -41,6 +40,6 @@ inputs:
 };
 secrets."httpapi/token" = {};
 };
- systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" ];
+ systemd.tmpfiles.rules = let perm = "/srv/api 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
 };
 }
diff --git a/modules/services/meilisearch.nix b/modules/services/meilisearch.nix
index 34e61ee8..c0ab9027 100644
--- a/modules/services/meilisearch.nix
+++ b/modules/services/meilisearch.nix
@@ -17,7 +17,7 @@ inputs:
 let
 inherit (inputs.config.nixos.services) meilisearch;
 inherit (inputs.localLib) stripeTabs attrsToList;
- inherit (builtins) map listToAttrs;
+ inherit (builtins) map listToAttrs concatLists;
 in
 {
 systemd =
@@ -73,14 +73,15 @@ inputs:
 };
 })
 (attrsToList meilisearch.instances));
- tmpfiles.rules = map
+ tmpfiles.rules = concatLists (map
 (instance:
 let
 user = instance.value.user;
 group = inputs.config.users.users.${instance.value.user}.group;
+ perm = "/var/lib/meilisearch/${instance.name} 0700 ${user} ${group}";
 in
- "d /var/lib/meilisearch/${instance.name} 0700 ${user} ${group}")
- (attrsToList meilisearch.instances);
+ [ "d ${perm}" "Z ${perm}" ])
+ (attrsToList meilisearch.instances));
 };
 sops =
 {
diff --git a/modules/services/mirism.nix b/modules/services/mirism.nix
index 40966cf8..56a0084c 100644
--- a/modules/services/mirism.nix
+++ b/modules/services/mirism.nix
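Review bot: The second httpapi.nix hunk removes `phpfpm.instances.httpapi = {};` while the context two lines above it still reads `fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;`, so the pool has to be declared somewhere outside this diff or that lookup fails at evaluation; nothing in the hunk says where it moved, so that is worth confirming. The first hunk adds `map` to `inherit (builtins) toString map;`, but none of the three httpapi.nix hunks uses it; either a part of the file not shown here needs it or it is an unused binding. If the instance is now created by a shared module, a one-line comment next to `fastcgiPass`, e.g. `# pool is declared by the shared phpfpm module`, would save the next reader the search.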
@@ -11,7 +11,11 @@ inputs:
 inherit (builtins) map listToAttrs toString concatLists;
 in mkIf mirism.enable
 {
- users = { users.mirism = { isSystemUser = true; group = "mirism"; }; groups.mirism = {}; };
+ users =
+ {
+ users.mirism = { uid = inputs.config.nixos.system.user.user.mirism; group = "mirism"; isSystemUser = true; };
+ groups.mirism.gid = inputs.config.nixos.system.user.group.mirism;
+ };
 systemd =
 {
 services = listToAttrs (map
@@ -32,7 +36,9 @@ inputs:
 };
 })
 [ "ng01" "beta" ]);
- tmpfiles.rules = [ "d /srv/entry.mirism 0700 nginx nginx" "d /srv/mirism 0700 nginx nginx" ];
+ tmpfiles.rules = concatLists (map
+ (perm: [ "d ${perm}" "Z ${perm}" ])
+ (map (dir: "/srv/${dir}mirism 0700 nginx nginx") [ "" "entry." ]));
 };
 nixos.services =
 {
diff --git a/modules/services/misskey.nix b/modules/services/misskey.nix
index 0b9059ac..7a0aea6f 100644
--- a/modules/services/misskey.nix
+++ b/modules/services/misskey.nix
@@ -49,7 +49,8 @@ inputs:
 };
 };
 tmpfiles.rules =
- [ "d /var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}" ];
+ let perm = "/var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}";
+ in [ "d ${perm}" "Z ${perm}" ];
 })
 (attrsToList misskey.instances));
 fileSystems = mkMerge (map
@@ -125,12 +126,13 @@ inputs:
 {
 users."misskey-${instance.name}" =
 {
- isSystemUser = true;
+ uid = inputs.config.nixos.system.user.user."misskey-${instance.name}";
 group = "misskey-${instance.name}";
 home = "/var/lib/misskey/${instance.name}";
 createHome = true;
+ isSystemUser = true;
 };
- groups."misskey-${instance.name}" = {};
+ groups."misskey-${instance.name}".gid = inputs.config.nixos.system.user.group."misskey-${instance.name}";
 })
 (attrsToList misskey.instances));
 nixos.services =
diff --git a/modules/services/nginx/applications/blog.nix b/modules/services/nginx/applications/blog.nix
index 0c30b73b..658ad384 100644
--- a/modules/services/nginx/applications/blog.nix
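Review bot: In the second mirism.nix hunk, `(map (dir: "/srv/${dir}mirism 0700 nginx nginx") [ "" "entry." ])` hides the two concrete paths behind a prefix trick; a reader has to expand `""` and `"entry."` in their head to see that `/srv/mirism` and `/srv/entry.mirism` are meant, and neither path is greppable any more. Listing them directly reads better, e.g. `(map (dir: "${dir} 0700 nginx nginx") [ "/srv/mirism" "/srv/entry.mirism" ])`. The binding name `perm` in that map, and the `let perm = …` bindings in the misskey.nix hunk and the other tmpfiles hunks, holds path, mode and owner rather than just permissions; `spec` or `entry` would describe it more honestly.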
+++ b/modules/services/nginx/applications/blog.nix
@@ -12,6 +12,6 @@ inputs:
 {
 nixos.services.nginx.https."blog.chn.moe".location."/".static =
 { root = "/srv/blog"; index = [ "index.html" ]; };
- systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" ];
+ systemd.tmpfiles.rules = let perm = "/srv/blog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
 };
 }
diff --git a/modules/services/nginx/applications/catalog.nix b/modules/services/nginx/applications/catalog.nix
index 5215c4da..6532dbbb 100644
--- a/modules/services/nginx/applications/catalog.nix
+++ b/modules/services/nginx/applications/catalog.nix
@@ -12,6 +12,6 @@ inputs:
 {
 nixos.services.nginx.https."catalog.chn.moe".location."/".static =
 { root = "/srv/catalog"; index = [ "index.html" ]; };
- systemd.tmpfiles.rules = [ "d /srv/catalog 0700 nginx nginx" ];
+ systemd.tmpfiles.rules = let perm = "/srv/catalog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
 };
 }
diff --git a/modules/services/nginx/applications/kkmeeting.nix b/modules/services/nginx/applications/kkmeeting.nix
index f75f84bd..365e5d08 100644
--- a/modules/services/nginx/applications/kkmeeting.nix
+++ b/modules/services/nginx/applications/kkmeeting.nix
@@ -13,6 +13,6 @@ inputs:
 {
 nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
 { root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
- systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" ];
+ systemd.tmpfiles.rules = let perm = "/srv/kkmeeting 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
 };
 }
diff --git a/modules/services/nginx/applications/webdav.nix b/modules/services/nginx/applications/webdav.nix
index 45a05f69..293c175c 100644
--- a/modules/services/nginx/applications/webdav.nix
+++ b/modules/services/nginx/applications/webdav.nix
@@ -28,7 +28,7 @@ inputs:
 systemd = mkMerge (map
 (site:
 {
- tmpfiles.rules = [ "d ${site.path} 0700 nginx nginx" ];
+ tmpfiles.rules = let perm = "${site.path} 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
 services.nginx.serviceConfig.ReadWritePaths = [ site.path ];
 })
 (attrValues instances));
diff --git a/modules/services/phpfpm.nix b/modules/services/phpfpm.nix
index cefa9510..16d0cfd3 100644
--- a/modules/services/phpfpm.nix
+++ b/modules/services/phpfpm.nix
@@ -50,10 +50,20 @@ inputs:
 users =
 {
 users = listToAttrs (map
- (pool: { inherit (pool) name; value = { isSystemUser = true; group = pool.name; extraGroups = [ "nginx" ]; }; })
+ (pool:
+ {
+ inherit (pool) name;
+ value =
+ {
+ uid = inputs.config.nixos.system.user.user.${pool.name};
+ group = pool.name;
+ extraGroups = [ "nginx" ];
+ isSystemUser = true;
+ };
+ })
 (filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
 groups = listToAttrs (map
- (pool: { inherit (pool) name; value = {}; })
+ (pool: { inherit (pool) name; value.gid = inputs.config.nixos.system.user.group.${pool.name}; })
 (filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
 };
 };
diff --git a/modules/services/rsshub.nix b/modules/services/rsshub.nix
index b28f6e0b..842f66e2 100644
--- a/modules/services/rsshub.nix
+++ b/modules/services/rsshub.nix
@@ -52,7 +52,11 @@ inputs:
 "youtube-key" "youtube-client-id" "youtube-client-secret" "youtube-refresh-token" ]));
 };
 };
- users = { users.rsshub = { isSystemUser = true; group = "rsshub"; }; groups.rsshub = {}; };
+ users =
+ {
+ users.rsshub = { uid = inputs.config.nixos.system.user.user.rsshub; group = "rsshub"; isSystemUser = true; };
+ groups.rsshub.gid = inputs.config.nixos.system.user.group.rsshub;
+ };
 nixos.services =
 {
 redis.instances.rsshub.port = 7116;
diff --git a/modules/services/xray.nix b/modules/services/xray.nix
index 21ba9e91..ed11eb1d 100644
--- a/modules/services/xray.nix
+++ b/modules/services/xray.nix
@@ -299,7 +299,11 @@ inputs:
 };
 };
 };
- users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
+ users =
+ {
+ users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
+ groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
+ };
 environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
 }
 )
@@ -482,7 +486,11 @@ inputs:
 timerConfig = { OnCalendar = "*-*-* 0:00:00"; Unit = "xray-stat.service"; };
 };
 };
- users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
+ users =
+ {
+ users.v2ray = { uid = inputs.config.nixos.system.user.user.v2ray; group = "v2ray"; isSystemUser = true; };
+ groups.v2ray.gid = inputs.config.nixos.system.user.group.v2ray;
+ };
 nixos.services =
 {
 acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; };
diff --git a/modules/system/default.nix b/modules/system/default.nix
index b83dc564..64f49a4f 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -14,6 +14,7 @@ inputs:
 ./systemd.nix
 ./security.nix
 ./sops.nix
+ ./user.nix
 ];
 config =
 {
diff --git a/modules/system/user.nix b/modules/system/user.nix
new file mode 100644
index 00000000..ba93f1be
--- /dev/null
+++ b/modules/system/user.nix
@@ -0,0 +1,37 @@
+inputs:
+{
+ options.nixos.system.user = let inherit (inputs.lib) mkOption types; in
+ {
+ user = mkOption
+ {
+ type = types.attrsOf types.ints.unsigned;
+ readOnly = true;
+ default =
+ {
+ chn = 1000;
+ xll = 1001;
+ yjq = 1002;
+ yxy = 1003;
+ zem = 1004;
+ misskey-misskey = 2000;
+ misskey-misskey-old = 2001;
+ frp = 2002;
+ mirism = 2003;
+ httpapi = 2004;
+ httpua = 2005;
+ rsshub = 2006;
+ v2ray = 2007;
+ fz-new-order = 2008;
+ };
+ };
+ group = mkOption
+ {
+ type = types.attrsOf types.ints.unsigned;
+ readOnly = true;
+ default = inputs.config.nixos.system.user.user //
+ {
+ groupshare = 3000;
+ };
+ };
+ };
+}
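Review bot: The new modules/system/user.nix places every service account (`misskey-misskey = 2000` through `fz-new-order = 2008`) above uid 1000, which is the boundary NixOS and systemd use to tell system accounts from human ones: NixOS allocates unlisted `isSystemUser` accounts below 1000, and tooling that keys on that boundary (systemd's default SYSTEM_UID_MAX of 999, login managers' account lists) may treat these ids as regular users. Moving the service block into the sub-1000 range avoids that, provided no existing data on disk already carries the chosen numbers. `types.attrsOf types.ints.unsigned` also admits `0`; `types.attrsOf types.ints.positive` rules that out, while duplicate numbers are already caught at build time by NixOS's default `users.enforceIdUniqueness`. Both options lack a `description`; something like `description = "Fixed uid for every account this flake creates; the group table defaults to the same numbers, so a new service needs an entry here before it can be enabled.";` would document the coupling that `readOnly = true` imposes on the service modules.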
diff --git a/modules/users/chn/default.nix b/modules/users/chn/default.nix index 138509e0..dc7f49df 100644 --- a/modules/users/chn/default.nix +++ b/modules/users/chn/default.nix @@ -9,7 +9,6 @@ inputs: { users.users.chn = { - isNormalUser = true; extraGroups = inputs.lib.intersectLists [ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" "groupshare" ] (builtins.attrNames inputs.config.users.groups); diff --git a/modules/users/default.nix b/modules/users/default.nix index 60d333d3..74d3584d 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -1,11 +1,31 @@ inputs: { + imports = inputs.localLib.mkModules [ ./chn ./root ./xll ./yjq ./yxy ./zem ]; options.nixos.users = let inherit (inputs.lib) mkOption types; in { - users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "root" "chn" ]; }; + users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "chn" ]; }; sharedModules = mkOption { type = types.listOf types.anything; default = []; }; }; - imports = inputs.localLib.mkModules [ ./chn ./root ./xll ./yjq ./yxy ./zem ]; + config = + let + inherit (inputs.config.nixos) users; + inherit (builtins) map; + inherit (inputs.lib) mkMerge; + in + { + users = mkMerge (map + (name: + { + users.${name} = + { + uid = inputs.config.nixos.system.user.user.${name}; + group = name; + isNormalUser = true; + }; + groups.${name}.gid = inputs.config.nixos.system.user.group.${name}; + }) + users.users); + }; } # environment.persistence."/impermanence".users.chn = diff --git a/modules/users/root/default.nix b/modules/users/root/default.nix index 9a3cccd7..8398af1f 100644 --- a/modules/users/root/default.nix +++ b/modules/users/root/default.nix @@ -4,7 +4,7 @@ inputs: let inherit (inputs.lib) mkIf; inherit (inputs.config.nixos) users; - in mkIf (builtins.elem "root" users.users) + in { users.users.root = { diff --git a/modules/users/xll/default.nix b/modules/users/xll/default.nix index 8c2fdabe..f8804d78 100644 
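Review bot: The new `config.users` block in modules/users/default.nix looks up `inputs.config.nixos.system.user.user.${name}` for every name in `nixos.users.users`, so a host that still lists a name without an entry in that table (the old default `"root"`, for instance) fails with a bare "attribute missing" error instead of a message naming what to add; an assertion next to the `users = mkMerge (…)` line would make that explicit, e.g. `assertions = [ { assertion = builtins.all (name: builtins.hasAttr name inputs.config.nixos.system.user.user) users.users; message = "every entry of nixos.users.users needs a uid in nixos.system.user.user"; } ];`. The same dynamic lookup appears in phpfpm.nix (`${pool.name}`) and misskey.nix (`"misskey-${instance.name}"`). The `users` option still has no `description`; `description = "Normal (human) accounts to create on this host; each needs a fixed uid in nixos.system.user.user.";` would record the new coupling where the option is declared.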
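Review bot: The modules/users/root/default.nix hunk replaces `in mkIf (builtins.elem "root" users.users)` with a bare `in`, so root's settings now apply on every host regardless of the list, which matches dropping `"root"` from the option default and from flake.nix; but the `inherit (inputs.lib) mkIf;` and `inherit (inputs.config.nixos) users;` bindings kept in the same hunk no longer have a visible use. Unless the rest of the file (outside this hunk) references them, both lines can go, since leaving an unused `mkIf` in scope invites the guard to be reintroduced by accident. The enclosing `config = let … in { … }` continues past the end of the hunk.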
--- a/modules/users/xll/default.nix
+++ b/modules/users/xll/default.nix
@@ -8,7 +8,6 @@ inputs:
 {
 users.users.xll =
 {
- isNormalUser = true;
 extraGroups = inputs.lib.intersectLists
 [ "groupshare" "video" ]
 (builtins.attrNames inputs.config.users.groups);
diff --git a/modules/users/yjq/default.nix b/modules/users/yjq/default.nix
index 5cb745a4..a3aa5967 100644
--- a/modules/users/yjq/default.nix
+++ b/modules/users/yjq/default.nix
@@ -8,7 +8,6 @@ inputs:
 {
 users.users.yjq =
 {
- isNormalUser = true;
 extraGroups = inputs.lib.intersectLists
 [ "groupshare" "video" ]
 (builtins.attrNames inputs.config.users.groups);
diff --git a/modules/users/yxy/default.nix b/modules/users/yxy/default.nix
index 5cb2d002..e240c835 100644
--- a/modules/users/yxy/default.nix
+++ b/modules/users/yxy/default.nix
@@ -8,7 +8,6 @@ inputs:
 {
 users.users.yxy =
 {
- isNormalUser = true;
 extraGroups = inputs.lib.intersectLists
 [ "groupshare" "video" ]
 (builtins.attrNames inputs.config.users.groups);
diff --git a/modules/users/zem/default.nix b/modules/users/zem/default.nix
index fdbb7d5c..32207f2b 100644
--- a/modules/users/zem/default.nix
+++ b/modules/users/zem/default.nix
@@ -2,23 +2,22 @@ inputs:
 {
 config =
 let
- inherit (inputs.lib) mkIf;
- inherit (inputs.config.nixos) users;
- in mkIf (builtins.elem "zem" users.users)
- {
- users.users.zem =
+ inherit (inputs.lib) mkIf;
+ inherit (inputs.config.nixos) users;
+ in mkIf (builtins.elem "zem" users.users)
 {
- isNormalUser = true;
- extraGroups = inputs.lib.intersectLists
- [ "groupshare" "video" ]
- (builtins.attrNames inputs.config.users.groups);
- hashedPasswordFile = inputs.config.sops.secrets."users/zem".path;
- openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
- shell = inputs.pkgs.zsh;
- autoSubUidGidRange = true;
+ users.users.zem =
+ {
+ extraGroups = inputs.lib.intersectLists
+ [ "groupshare" "video" ]
+ (builtins.attrNames inputs.config.users.groups);
+ hashedPasswordFile = inputs.config.sops.secrets."users/zem".path;
+ openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
+ shell = inputs.pkgs.zsh;
+ autoSubUidGidRange = true;
+ };
+ home-manager.users.zem.imports = users.sharedModules;
+ sops.secrets."users/zem".neededForUsers = true;
+ nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
 };
- home-manager.users.zem.imports = users.sharedModules;
- sops.secrets."users/zem".neededForUsers = true;
- nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
- };
 }