From 39b2c4301c5c8b6697c1766dc8a4320020ab4a7e Mon Sep 17 00:00:00 2001
From: Drew Haven
Date: Mon, 28 Apr 2025 17:15:11 -0700
Subject: [PATCH] [mcp] Some user setup on the way to automated deployments
---
 system/hosts/mcp/containers/user-ids.nix | 37 ----------------
 system/hosts/mcp/containers/users.nix | 56 ++++++++++++++++++++++++
 system/hosts/mcp/drew.nix | 6 +++
 3 files changed, 62 insertions(+), 37 deletions(-)
 delete mode 100644 system/hosts/mcp/containers/user-ids.nix
 create mode 100644 system/hosts/mcp/containers/users.nix
diff --git a/system/hosts/mcp/containers/user-ids.nix b/system/hosts/mcp/containers/user-ids.nix
deleted file mode 100644
index 71b3a06..0000000
--- a/system/hosts/mcp/containers/user-ids.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- gitea = 2001;
- timetagger = 2002;
- pocket-id = {
- uid = 2003;
- gid = 2003;
- };
- bookstack = {
- uid = 2004;
- gid = 2004;
- };
- mariadb = {
- uid = 2005;
- gid = 2005;
- };
- focalboard = {
- uid = 2006;
- gid = 2006;
- };
- offen = {
- uid = 2007;
- gid = 2007;
- };
-
- mkUserAndGroup = name: ids: {
- groups."${name}" = {
- gid = ids.gid;
- };
-
- users."${name}" = {
- uid = ids.uid;
- isSystemUser = true;
- description = "System User for ${name}";
- group = "${name}";
- };
- };
-}
diff --git a/system/hosts/mcp/containers/users.nix b/system/hosts/mcp/containers/users.nix
new file mode 100644
index 0000000..ea51cf4
--- /dev/null
+++ b/system/hosts/mcp/containers/users.nix
@@ -0,0 +1,56 @@
+{ pkgs, ... }: let
+ systemUsers = {
+ gitea = {
+ uid = 2001;
+ extraGroups = [ "git" ];
+ };
+ # timetagger = 2002;
+ pocket-id = 2003;
+ bookstack = 2004;
+ mariadb = 2005;
+ focalboard = 2006;
+ offen = 2007;
+ public-html = {
+ uid = 2008;
+ shell = pkgs.zsh;
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPiqbLAXpBkjXnHLvz3VCd5i+VmYdd9dAcRt+8E1OQX drew@vega"
+ ];
+ home = "/tank/web";
+ packages = [ pkgs.git ];
+ };
+ };
+
+ mkUser = name: value: {
+ uid = value.uid or value;
+ isSystemUser = true; # only affects UID allocation, but required
+ description = "System User for ${name}";
+ group = "${name}";
+ shell = value.shell or null;
+ extraGroups = value.extraGroups or [];
+ openssh.authorizedKeys.keys = value.authorizedKeys or [];
+ home = value.home or "/var/empty";
+ packages = value.packages or [];
+ };
+ mkGroup = name: value: let
+ # 1. Value if int
+ # 2. "gid" if present
+ # 3. "uid"
+ gid =
+ if builtins.isInt value
+ then value
+ else if builtins.hasAttr "gid" value
+ then value.gid
+ else value.uid;
+ in {
+ inherit gid;
+ };
+in {
+ users.users = builtins.mapAttrs mkUser systemUsers;
+ users.groups = (builtins.mapAttrs mkGroup systemUsers) // {
+ # Legacy groups.
+ git = {
+ gid = 992;
+ };
+ };
+}
diff --git a/system/hosts/mcp/drew.nix b/system/hosts/mcp/drew.nix
index 02121ce..01fb71e 100644
--- a/system/hosts/mcp/drew.nix
+++ b/system/hosts/mcp/drew.nix
@@ -13,6 +13,12 @@ programs.git = {
 userName = "Drew Haven";
 userEmail = "drew.haven@gmail.com";
+ extraConfig = {
+ safe = {
+ # Marks the web directory as safe even though I don't own it.
+ directory = "/tank/web";
+ };
+ };
 };
 services.syncthing.tray.enable = false;
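Review bot: `shell = value.shell or null;` in mkUser overrides the NixOS default shell (`pkgs.shadow`, the nologin wrapper) with `null` for every container account that does not set one, so the service users are no longer explicitly non-interactive; unless `null` is documented to mean nologin on this NixOS version, `shell = value.shell or pkgs.shadow;` keeps them that way. public-html is the only entry that combines an SSH key, an interactive `pkgs.zsh` shell, git and a home on `/tank/web`; since the key exists for deployments, prefixing the authorized_keys entry with options such as `restrict,command="..."` limits what a leaked key can do, and a comment on the entry saying what the account is for would help the next reader. The hard-coded `git` gid 992 under `# Legacy groups.` appears to sit in the range NixOS uses for dynamically allocated system gids, so a collision with an auto-allocated group is possible — worth verifying against the host's current `/etc/group` before relying on it.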