feat: move off of using root for deployment

2023-09-30 23:18:14 +01:00 · 2023-09-30 23:18:14 +01:00 · 165c4645bf
commit 165c4645bf
parent c87fec1a65
14 changed files with 18 additions and 13 deletions
--- a/applications/ldap/client.nix
+++ b/applications/ldap/client.nix
@ -69,6 +69,11 @@ in {
      }
    ];

+    nix.settings.trusted-users = [
+      "root"
+      "@skynet-admins-linux"
+    ];
+
    # give users a home dir
    security.pam.services.sshd.makeHomeDir = true;

--- a/machines/agentjones.nix
+++ b/machines/agentjones.nix
@ -27,7 +27,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    # somehow ssh from runner to this fails
    tags = ["active-firewall"];
--- a/machines/earth.nix
+++ b/machines/earth.nix
@ -26,7 +26,7 @@ in {
  deployment = {
    targetHost = ip_pub;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active-core"];
  };
--- a/machines/galatea.nix
+++ b/machines/galatea.nix
@ -27,7 +27,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active"];
  };
--- a/machines/gir.nix
+++ b/machines/gir.nix
@ -27,7 +27,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active-core"];
  };
--- a/machines/glados.nix
+++ b/machines/glados.nix
@ -27,7 +27,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active-gitlab"];
  };
--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@ -28,7 +28,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active-core"];
  };
--- a/machines/neuromancer.nix
+++ b/machines/neuromancer.nix
@ -37,7 +37,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active-core"];
  };
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@ -27,7 +27,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active"];
  };
--- a/machines/retired/ash.nix
+++ b/machines/retired/ash.nix
@ -30,7 +30,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;
  };

  # these two are to be able to add the rules for firewall and dns
--- a/machines/skynet.nix
+++ b/machines/skynet.nix
@ -28,7 +28,7 @@ in {
  deployment = {
    targetHost = ip_pub;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    # this one is manually deployed
    tags = ["active-ext"];
--- a/machines/vendetta.nix
+++ b/machines/vendetta.nix
@ -27,7 +27,7 @@ in {
  deployment = {
    targetHost = ip_pub;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active-dns" "dns"];
  };
--- a/machines/vigil.nix
+++ b/machines/vigil.nix
@ -24,7 +24,7 @@ in {
  deployment = {
    targetHost = ip_pub;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active-dns" "dns"];
  };
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@ -26,7 +26,7 @@ in {
  deployment = {
    targetHost = hostname;
    targetPort = 22;
-    targetUser = "root";
+    targetUser = null;

    tags = ["active-gitlab"];
  };