From 67137f1ccd4235f973964e418dd2c8a51219ec1b Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Mon, 18 Jul 2022 17:28:56 +1000 Subject: [PATCH 1/9] wheel needs not password --- nixos/22.05/final-configuration.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/22.05/final-configuration.nix b/nixos/22.05/final-configuration.nix index ddb46ce..a29e9fb 100644 --- a/nixos/22.05/final-configuration.nix +++ b/nixos/22.05/final-configuration.nix @@ -11,7 +11,7 @@ # we always want nano & vi environment.systemPackages = with pkgs; [ nano - vi + vim ]; boot.loader.grub.enable = true; @@ -21,7 +21,9 @@ users.users.cyberian = { isNormalUser = true; + extraGroups = [ "wheel" ]; }; + security.sudo.wheelNeedsPassword = false; # We through away the password but we still want root services.openssh = { enable = true; -- 2.45.2 From ce7c6dc0825c02c6c7efc13d43f58e9917757e1a Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Mon, 18 Jul 2022 17:29:08 +1000 Subject: [PATCH 2/9] vi doesn't exist --- nixos/22.05/configuration.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/22.05/configuration.nix b/nixos/22.05/configuration.nix index 257ba17..1f88205 100644 --- a/nixos/22.05/configuration.nix +++ b/nixos/22.05/configuration.nix @@ -8,9 +8,9 @@ ./hardware-configuration.nix ]; - # we always want nano & vi + # we always want nano & vim environment.systemPackages = with pkgs; [ - vi + vim nano ]; -- 2.45.2 From 8639493c9d87d63faa04045d5bdb7b41d7f49561 Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Mon, 18 Jul 2022 17:29:18 +1000 Subject: [PATCH 3/9] set random passwords for cyberian and root --- nixos/22.05/capsul-init | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nixos/22.05/capsul-init b/nixos/22.05/capsul-init index fdef65d..daf78f1 100644 --- a/nixos/22.05/capsul-init +++ b/nixos/22.05/capsul-init 
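Review bot: `security.sudo.wheelNeedsPassword = false;` combined with the new `extraGroups = [ "wheel" ];` makes every key in cyberian's authorized_keys a root-equivalent credential, and the trailing comment only explains the password side of that trade-off. I would widen the comment so the consequence is explicit, e.g. `# The password is thrown away, so sudo cannot prompt for it; any SSH key accepted for cyberian is therefore root-equivalent`. If unattended root is only needed for a few commands, `security.sudo.extraRules` can grant NOPASSWD for those instead of the whole wheel group. The `services.openssh = {` set opened at the end of this hunk closes outside it.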
@@ -15,6 +15,12 @@ chmod 600 "$homedir/.ssh/authorized_keys" chown "$user:$user" "$homedir/.ssh/authorized_keys" +# set random forgotten password for cyberian and root +pass="\$(head /dev/urandom | tr -dc a-z0-9 | head -c30)" +echo "cyberian:\$pass" | chpasswd +pass="\$(head /dev/urandom | tr -dc a-z0-9 | head -c30)" +echo "root:\$pass" | chpasswd + /run/current-system/profile/sbin/resize2fs /dev/vda2 umount /mnt -- 2.45.2 From 07c2f632056983abbb225e2454fb5f6b41ff8a37 Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Mon, 18 Jul 2022 18:43:28 +1000 Subject: [PATCH 4/9] no more password based logins --- nixos/22.05/final-configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/22.05/final-configuration.nix b/nixos/22.05/final-configuration.nix index a29e9fb..93513e7 100644 --- a/nixos/22.05/final-configuration.nix +++ b/nixos/22.05/final-configuration.nix @@ -27,6 +27,7 @@ services.openssh = { enable = true; + passwordAuthentication = false; }; # Feel free to remove this after first boot -- 2.45.2 From 79d69f321722a7cef4b53ab157aa9913025dcc0a Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Mon, 18 Jul 2022 23:47:33 +1000 Subject: [PATCH 5/9] finally working systemd unit. we have to move the script after the generation is built so it doesn't run on rebuild and remove the script (the drive isn't mounted yet) --- nixos/22.05/capsul-init | 4 ++-- nixos/22.05/packer.json | 24 ++++++++++++------------ 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/nixos/22.05/capsul-init b/nixos/22.05/capsul-init index daf78f1..08595fd 100644 --- a/nixos/22.05/capsul-init +++ b/nixos/22.05/capsul-init @@ -13,7 +13,7 @@ grep '\- ssh' /mnt/user-data | cut -d ' ' -f 8- > "$homedir/.ssh/authorized_key chmod 600 "$homedir/.ssh/authorized_keys" -chown "$user:$user" "$homedir/.ssh/authorized_keys" +chown "$user" "$homedir/.ssh/authorized_keys" # set random forgotten password for cyberian and root pass="\$(head /dev/urandom | tr -dc a-z0-9 | head -c30)" 
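Review bot: The `\$` escapes in the four added lines look wrong for a script that is executed directly: the surrounding lines use `$user` and `$homedir` unescaped, and inside double quotes `"\$(head ...)"` is the literal text, not the pipeline's output, so `chpasswd` would receive the literal string `$pass` as both accounts' password unless this file is rendered through a template that strips the backslashes first. The plain form is `pass="$(head /dev/urandom | tr -dc a-z0-9 | head -c30)"` and `echo "cyberian:$pass" | chpasswd` (likewise for root). Since the stated intent is a password nobody knows, locking the accounts (`passwd -l cyberian` and `passwd -l root`) expresses that directly and cannot silently degrade to a fixed value if the pipeline misbehaves.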
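Review bot: `passwordAuthentication = false;` on its own does not close password logins on NixOS, because sshd's PAM keyboard-interactive method still accepts the account password; add `kbdInteractiveAuthentication = false;` beside it (or `challengeResponseAuthentication = false;` if this channel still uses the older option name). Since cyberian now has passwordless sudo, `permitRootLogin = "no";` would also remove the direct root login path, which the commit title "no more password based logins" suggests is the goal.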
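Review bot: Dropping the group from `chown "$user" "$homedir/.ssh/authorized_keys"` leaves the file group-owned by whoever created it (root, via the redirect), which is harmless for sshd's StrictModes because the mode is 600, but the intent should be spelled out; the same applies to `chown -R "$user" "$homedir"` in [PATCH 9/9]. NixOS `isNormalUser` accounts default to primary group `users`, so `chown "$user:users"` would state the intended group instead of inheriting the creator's. Note also that the redirect on the `grep ... > "$homedir/.ssh/authorized_keys"` line (shown on the hunk header) writes the file before `chmod 600` runs, so it briefly has umask-default permissions; `(umask 077; grep ... > "$homedir/.ssh/authorized_keys")` closes that window.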
@@ -21,7 +21,7 @@ echo "cyberian:\$pass" | chpasswd pass="\$(head /dev/urandom | tr -dc a-z0-9 | head -c30)" echo "root:\$pass" | chpasswd -/run/current-system/profile/sbin/resize2fs /dev/vda2 +resize2fs /dev/vda2 umount /mnt rm /root/capsul-init diff --git a/nixos/22.05/packer.json b/nixos/22.05/packer.json index d48ac78..e74b4f0 100644 --- a/nixos/22.05/packer.json +++ b/nixos/22.05/packer.json @@ -35,18 +35,6 @@ "inline": ["echo 'reconnected after rebooting'"], "pause_before": "30s" }, - { - "type": "file", - "source": "capsul-init", - "destination": "/tmp/capsul-init" - }, - { - "type": "shell", - "inline": [ - "mv /tmp/capsul-init /root/capsul-init", - "chmod +x /root/capsul-init" - ] - }, { "type": "file", "source": "final-configuration.nix", @@ -59,6 +47,18 @@ "rm -f /etc/ssh/*key*", "printf '' > /etc/machine-id" ] + }, + { + "type": "file", + "source": "capsul-init", + "destination": "/tmp/capsul-init" + }, + { + "type": "shell", + "inline": [ + "mv /tmp/capsul-init /root/capsul-init", + "chmod +x /root/capsul-init" + ] } ], "builders": [ -- 2.45.2 From e1a43c1588574b30cfdd10aef2ffd6575f69a0dd Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Mon, 18 Jul 2022 23:48:28 +1000 Subject: [PATCH 6/9] comment --- nixos/22.05/final-configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/22.05/final-configuration.nix b/nixos/22.05/final-configuration.nix index 93513e7..e8c9aa6 100644 --- a/nixos/22.05/final-configuration.nix +++ b/nixos/22.05/final-configuration.nix @@ -23,7 +23,7 @@ isNormalUser = true; extraGroups = [ "wheel" ]; }; - security.sudo.wheelNeedsPassword = false; # We through away the password but we still want root + security.sudo.wheelNeedsPassword = false; # We throw away the password but we still want root services.openssh = { enable = true; 
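Review bot: The hunk ends with `umount /mnt` and `rm /root/capsul-init` running unconditionally, so if an earlier step failed (the /dev/sr0 mount, the key extraction) the unit's `ConditionPathExists` trigger is still deleted and the instance is left with random passwords, password SSH disabled and no authorized key — a permanent lock-out. Unless the script already runs under `set -e` (its header is outside the hunk), guard the removal on success, e.g. `resize2fs /dev/vda2 && umount /mnt && rm /root/capsul-init`, or add `set -euo pipefail` at the top so a failed run stays retriable on the next boot. The switch from the absolute path to bare `resize2fs` relies on the unit's PATH, which [PATCH 6/9] supplies.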
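Review bot: `"chmod +x /root/capsul-init"` keeps whatever mode and owner the file provisioner gave `/tmp/capsul-init`; if packer's SSH user is not root (the builder section starts after the hunk), a root systemd unit ends up executing a script owned by another account. Make the shell step `"chown root:root /root/capsul-init"` and `"chmod 700 /root/capsul-init"` so the script root runs is root-owned and not world-readable regardless of where it sits; the move into the 0700 `/root` directory mitigates but does not replace this.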
@@ -34,6 +34,7 @@ # /root/capsul-init gets deleted after first run systemd.services.capsul-init = { enable = true; + path = [ pkgs.coreutils pkgs.e2fsprogs pkgs.shadow pkgs.mount pkgs.umount ]; unitConfig = { ConditionPathExists = "/root/capsul-init"; }; -- 2.45.2 From 523e92c10ee3c8f387e5299553188433258d2a48 Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Mon, 18 Jul 2022 23:52:49 +1000 Subject: [PATCH 7/9] remove todo --- nixos/TODO.md | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 nixos/TODO.md diff --git a/nixos/TODO.md b/nixos/TODO.md deleted file mode 100644 index ff4e0d4..0000000 --- a/nixos/TODO.md +++ /dev/null @@ -1,2 +0,0 @@ -- test that the systemd module works as intended -- `nixos-delete-generations` -- 2.45.2 From b5785b3b0b2d93d349146079c94e45bfdd3695db Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Tue, 19 Jul 2022 12:35:31 +1000 Subject: [PATCH 8/9] create /mnt --- nixos/22.05/capsul-init | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nixos/22.05/capsul-init b/nixos/22.05/capsul-init index 08595fd..8fa2ef5 100644 --- a/nixos/22.05/capsul-init +++ b/nixos/22.05/capsul-init @@ -7,6 +7,9 @@ mkdir -p "$homedir/.ssh" chmod 700 "$homedir/.ssh" chown -R "$user:$user" "$homedir" +mkdir "/mnt" +chmod -R 755 "/mnt" + mount -t iso9660 -o ro /dev/sr0 /mnt grep '\- ssh' /mnt/user-data | cut -d ' ' -f 8- > "$homedir/.ssh/authorized_keys" -- 2.45.2 From 30f3d6c6e0d48a75ca6b1832454b6594748774f2 Mon Sep 17 00:00:00 2001 From: Anish Lakhwara Date: Tue, 19 Jul 2022 12:38:00 +1000 Subject: [PATCH 9/9] chown cyberian not cyberian:cyberian --- nixos/22.05/capsul-init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/22.05/capsul-init b/nixos/22.05/capsul-init index 8fa2ef5..3b9000a 100644 --- a/nixos/22.05/capsul-init +++ b/nixos/22.05/capsul-init 
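Review bot: The new `path = [ pkgs.coreutils pkgs.e2fsprogs pkgs.shadow pkgs.mount pkgs.umount ];` carries no explanation of why these packages are needed; a comment tying it to the script, `# capsul-init calls mount/umount, chpasswd (shadow), resize2fs (e2fsprogs) and coreutils by bare name`, saves the next reader from diffing the script. The script also calls `grep`, which is not listed and works only because, as far as I recall, the NixOS service PATH defaults include gnugrep; worth noting in the same comment. The `systemd.services.capsul-init = {` set closes outside the hunk.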
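Review bot: `mkdir "/mnt"` fails with EEXIST when the directory already exists, which it may on the base image and will on any re-run of this script, so `mkdir -p "/mnt"` is the safe form; `chmod -R 755 "/mnt"` on an empty, not-yet-mounted directory is just `chmod 755 "/mnt"`, and the `-R` would recurse into mounted content if the order ever changed. While touching the mount line that follows, `mount -t iso9660 -o ro,nodev,nosuid,noexec /dev/sr0 /mnt` costs nothing for a metadata ISO that is only ever read by grep.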
@@ -5,7 +5,7 @@ homedir="/home/$user" mkdir -p "$homedir/.ssh" chmod 700 "$homedir/.ssh" -chown -R "$user:$user" "$homedir" +chown -R "$user" "$homedir" mkdir "/mnt" chmod -R 755 "/mnt" -- 2.45.2