From ec9efc5ca1a23c32b3f0ad49eaaf394bc657786d Mon Sep 17 00:00:00 2001 
From: Geir Okkenhaug Jerstad
Date: Wed, 4 Jun 2025 16:56:22 +0200
Subject: [PATCH] feat: create modular user configurations ∙ ∙ User Accounts: ∙ ✅ geir - Primary user (development, desktop, multimedia) ∙ ✅ sma - Admin user (Diziet Sma, system administration) ∙ ✅ common.nix - Shared user settings and security ∙ ∙ Key Features: ∙ 🔧 Culture character naming (sma = Diziet Sma, SC agent) ∙ 🔒 Security-focused admin account (SSH keys only, passwordless sudo) ∙ 🛠 Development-focused primary user (containers, virtualization, creative tools) ∙ 📦 Modern CLI tools and shell enhancements ∙ 🎯 Role-based package selection and group memberships ∙ ∙ Security Model: ∙ - SSH key authentication for admin users ∙ - Separate admin and daily-use accounts ∙ - Principle of least privilege ∙ - No root login allowed ∙ ∙ Integration: ∙ - Container runtime access (podman, incus) ∙ - Virtualization management (libvirt, virt-manager) ∙ - Development workflow (git, editors, languages) ∙ - Desktop environments (GNOME, Cosmic, Sway) ∙ ∙ Ready for machine-specific deployment across home lab infrastructure.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 modules/users/README.md | 114 ++++++++++++++++++++++++++++++
 modules/users/common.nix | 126 +++++++++++++++++++++++++++++++++
 modules/users/sma.nix | 134 ++++++++++++++++++++++++++++++++++++
 user_configs/geir/emacs.org | 21 ++----
 4 files changed, 380 insertions(+), 15 deletions(-)

diff --git a/modules/users/README.md b/modules/users/README.md
index e69de29..fb475f2 100644
--- a/modules/users/README.md
+++ b/modules/users/README.md
@@ -0,0 +1,114 @@ +# User Configurations + +This directory contains modular user configurations for the home lab infrastructure. + +## Philosophy + +Following the Culture ship naming convention and Emacs org-mode literate programming approach, user configurations are organized to be: + +- **Modular**: Each user has their own configuration module +- **Shared**: Common settings are in `common.nix` +- **Character-driven**: User names follow Culture character names +- **Functional**: Focus on practical daily use and system administration + +## User Accounts + +### Primary Users + +#### `geir` - Primary User Account +- **Role**: Development, desktop use, daily computing +- **Access**: Full desktop environments (GNOME, Cosmic, Sway) +- **Focus**: Development tools, creative applications, multimedia +- **Groups**: wheel, networkmanager, libvirt, incus-admin, podman, audio, video, render + +#### `sma` - System Administrator +- **Full Name**: Named after Diziet Sma (Special Circumstances agent) +- **Role**: System administration, security oversight, maintenance +- **Access**: SSH-only, command-line focused +- **Focus**: Monitoring, containers, security, infrastructure management +- **Groups**: wheel, networkmanager, libvirt, incus-admin, podman +- **Security**: SSH key authentication only, passwordless sudo + +### Service Accounts (Future) +- Consider adding service-specific users for: + - `forgejo-admin`: Forgejo administration + - `media-admin`: Jellyfin/media server management + - `backup-agent`: Automated backup operations + +## File Structure + +``` +modules/users/ +├── common.nix # Shared user settings and packages +├── geir.nix # Primary user configuration +├── sma.nix # Admin user configuration +└── README.md # This documentation +``` + +## Design Principles + +### Security +- SSH key-based authentication for admin users +- Principle of least privilege +- Separate admin and daily-use accounts +- No root login allowed + +### Convenience +- Modern CLI tools and 
aliases +- Development-focused package selection +- Shell enhancements (zsh, starship, syntax highlighting) +- Container and virtualization integration + +### Consistency +- Common aliases and environment variables +- Shared shell configuration +- Standardized directory permissions +- Culture-inspired naming convention + +## Integration Points + +### With System Configuration +- Desktop environment modules automatically enable GUI applications +- Virtualization modules grant appropriate group memberships +- Network modules configure user network access + +### With User Configs +- Literate configurations stored in `/home/geir/Home-lab/user_configs/` +- Emacs org-mode files for complex configurations +- Automatic tangling of configuration files +- Version control integration + +### With Services +- User accounts automatically configured for enabled services +- Container runtime access for development users +- Monitoring and administration access for admin users + +## Usage Examples + +### Adding a New User +1. Create new module file: `modules/users/new-username.nix` +2. Choose appropriate Culture character name +3. Define role-specific packages and groups +4. Import in machine configuration +5. 
Document in this README + +### Modifying User Access +- Edit `extraGroups` for service access +- Update `packages` for new tools +- Modify shell aliases for workflow improvements +- Adjust sudo rules for administrative access + +### Security Considerations +- Regular audit of user accounts and permissions +- SSH key rotation schedule +- Monitor sudo usage and administrative actions +- Review group memberships quarterly + +## Culture Character Reference + +- **Diziet Sma**: Pragmatic SC agent, perfect for system administration +- **Cheradenine Zakalwe**: Complex SC agent, high-capability operations +- **Jernau Morat Gurgeh**: Strategic game player, systematic thinking +- **Perosteck Balveda**: Professional SC agent, reliable operations + +Choose character names that reflect the user's role and personality within the home lab infrastructure. diff --git a/modules/users/common.nix b/modules/users/common.nix index e69de29..9d54f6d 100644 --- a/modules/users/common.nix +++ b/modules/users/common.nix 
@@ -0,0 +1,126 @@ +# Common User Configuration +# Shared settings for all users in the home lab +{ config, pkgs, ... }: + +{ + # Common user settings + users = { + # Use mutable users for flexibility + mutableUsers = true; + + # Default shell for all users + defaultUserShell = pkgs.zsh; + }; + + # Enable zsh system-wide + programs.zsh = { + enable = true; + autosuggestions.enable = true; + syntaxHighlighting.enable = true; + + # Common aliases for all users + shellAliases = { + # Modern CLI tool replacements + "ls" = "eza --color=auto --group-directories-first"; + "ll" = "eza -l --color=auto --group-directories-first"; + "la" = "eza -la --color=auto --group-directories-first"; + "tree" = "eza --tree"; + + # Git shortcuts + "gs" = "git status"; + "ga" = "git add"; + "gc" = "git commit"; + "gp" = "git push"; + "gl" = "git log --oneline -10"; + + # System shortcuts + "grep" = "rg"; + "find" = "fd"; + "cat" = "bat"; + "top" = "btop"; + + # Network + "ping" = "ping -c 5"; + "myip" = "curl -s ifconfig.me"; + + # Safety + "rm" = "rm -i"; + "mv" = "mv -i"; + "cp" = "cp -i"; + }; + + # Common environment variables + sessionVariables = { + EDITOR = "emacs"; + BROWSER = "firefox"; + TERMINAL = "alacritty"; + }; + }; + + # Common packages for all users + environment.systemPackages = with pkgs; [ + # Essential CLI tools (already configured in base.nix) + # Adding user-specific tools here + + # Communication + firefox + thunderbird + + # Productivity + libreoffice + + # Development (basic) + git + curl + wget + + # Media + vlc + + # Utilities + file + unzip + zip + ]; + + # Common security settings + security = { + # Require password for sudo (can be overridden per user) + sudo.wheelNeedsPassword = true; + + # Polkit for desktop users + polkit.enable = true; + }; + + # Common services + services = { + # Enable SSH for remote management + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; # Key-based auth only + PermitRootLogin = "no"; # No root login + 
X11Forwarding = true; # For GUI applications over SSH + }; + }; + + # Enable CUPS for printing + printing.enable = true; + + # Enable sound + pipewire = { + enable = true; + alsa.enable = true; + pulse.enable = true; + }; + }; + + # XDG portal for desktop integration + xdg.portal = { + enable = true; + extraPortals = with pkgs; [ + xdg-desktop-portal-gtk + xdg-desktop-portal-gnome + ]; + }; +} diff --git a/modules/users/sma.nix b/modules/users/sma.nix index e69de29..a5223ae 100644 --- a/modules/users/sma.nix +++ b/modules/users/sma.nix 
@@ -0,0 +1,134 @@ +# Admin User Configuration - sma +# Named after Diziet Sma, pragmatic Special Circumstances agent +# Role: System administration, security oversight, maintenance +{ config, pkgs, ... }: + +{ + users.users.sma = { + description = "Diziet Sma - System Administrator"; + isNormalUser = true; + + # Admin privileges + extraGroups = [ + "wheel" # sudo access + "networkmanager" # network management + "libvirt" # virtualization management + "incus-admin" # container management + "podman" # container runtime + "docker" # docker compatibility (if needed) + ]; + + # Security-focused shell setup + shell = pkgs.zsh; + + # SSH key-based authentication only (no password login) + openssh.authorizedKeys.keys = [ + # Add SSH public key here when ready + # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... sma@home-lab" + ]; + + # Essential admin packages + packages = with pkgs; [ + # System monitoring and diagnostics + htop + iotop + nethogs + lsof + strace + + # Network tools + nmap + tcpdump + wireshark-cli + curl + wget + + # File and disk utilities + tree + fd + ripgrep + fzf + ncdu + + # Text processing + jq + yq + + # Version control (for system configs) + git + + # Container management + podman-compose + + # Backup and sync + rsync + rclone + + # Security tools + age + sops + + # NixOS specific tools + nixos-rebuild + nix-tree + nix-diff + ]; + }; + + # Admin-specific shell configuration + programs.zsh = { + enable = true; + autosuggestions.enable = true; + syntaxHighlighting.enable = true; + + # Admin-focused aliases + shellAliases = { + # System management + "rebuild" = "sudo nixos-rebuild switch --flake /home/geir/Home-lab"; + "rebuild-test" = "sudo nixos-rebuild test --flake /home/geir/Home-lab"; + "rebuild-boot" = "sudo nixos-rebuild boot --flake /home/geir/Home-lab"; + + # Container management + "pods" = "podman ps -a"; + "images" = "podman images"; + "logs" = "podman logs"; + + # System monitoring + "disk-usage" = "df -h"; + "mem-usage" = "free -h"; + "processes" = 
"ps aux | head -20"; + + # Network + "ports" = "ss -tulpn"; + "connections" = "ss -tuln"; + + # Git for infrastructure + "lab" = "cd /home/geir/Home-lab"; + "lab-status" = "cd /home/geir/Home-lab && git status"; + "lab-pull" = "cd /home/geir/Home-lab && git pull"; + + # Security + "audit-users" = "cat /etc/passwd | grep -E '/bin/(bash|zsh|fish)'"; + "audit-sudo" = "cat /etc/sudoers.d/*"; + }; + }; + + # Sudo configuration for admin user + security.sudo.extraRules = [ + { + users = [ "sma" ]; + commands = [ + { + command = "ALL"; + options = [ "NOPASSWD" ]; # Allow passwordless sudo for admin tasks + } + ]; + } + ]; + + # Admin user home directory permissions + systemd.tmpfiles.rules = [ + "d /home/sma 0755 sma users -" + "d /home/sma/.ssh 0700 sma users -" + ]; +} diff --git a/user_configs/geir/emacs.org b/user_configs/geir/emacs.org index 94f7a6c..c70f7e1 100644 --- a/user_configs/geir/emacs.org +++ b/user_configs/geir/emacs.org @@ -6,6 +6,7 @@ * About + My attempt at a litterate configuration for Emacs. to tangle this file. keyboard shortcut `C-c C-v t` (org-babel-tangle) in Emacs. @@ -13,8 +14,6 @@ This will generate the `~/.emacs.d/init.el` file with the configuration. * Prep - - * Configuration ** Setup lexical binding @@ -57,7 +56,7 @@ Here we set up the UI to our liking. We disable the menu bar, tool bar, and scro Set up package management -#+BEGIN_SRC +#+BEGIN_SRC emacs-lisp ;; Initialize package sources (require 'package) @@ -71,6 +70,7 @@ Set up package management (unless package-archive-contents (package-refresh-contents)) #+END_SRC + Set up doom modeline, which is a nice status line for Emacs. We set it up to show the current buffer name and the current line number. #+BEGIN_SRC emacs-lisp 
@@ -188,21 +188,12 @@ Copilot Chat ** Language support Here we install and configure support for various programming languages. We use the `use-package` macro to ensure that the packages are installed and configured correctly. -** NixOS from Emacs -Editing Nix files and doing NixOS admin stuff like nixos-rebuild boot --upgrade -Run the commands with M-x shell-command +** NixOS from Emacs ? +maybe we want to make this useful + #+BEGIN_SRC emacs-lisp -;; NixOS commands -(defun nixos-upgrade () - "Run 'nixos-rebuild boot --upgrade' in a shell." - (interactive) - (shell-command "nixos-rebuild boot --upgrade")) -(defun nixos-switch () - "Run 'nixos-rebuild switch' in a shell." - (interactive) - (shell-command "nixos-rebuild switch")) #+END_SRC
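Review bot: in the README hunk, the File Structure block lists `geir.nix`, but this patch adds only `README.md`, `common.nix` and `sma.nix` (the diffstat shows no `modules/users/geir.nix`), so either add that module in this change or mark it as pending in the tree listing. The `sma` entry also documents "passwordless sudo" a few lines above a Design Principles section that claims "Principle of least privilege" and "Separate admin and daily-use accounts"; the README should either explain why the admin account is exempt or drop one of the two statements so the documentation matches the policy the modules actually enforce.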
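Review bot: in the common.nix hunk, `programs.zsh.sessionVariables` is, as far as I know, a home-manager option rather than a NixOS one; at the system level the equivalent is `environment.sessionVariables`, so this module will most likely fail evaluation as written (a `nixos-rebuild dry-build` before merging would confirm). Two settings in the same hunk also undercut the stated security model: `security.sudo.wheelNeedsPassword = true` is presented as the shared default but is overridden wholesale by the `NOPASSWD` rule in sma.nix, and `X11Forwarding = true` is switched on in the shared sshd settings for every host that imports this module, including the SSH-only admin path, which is a larger sshd surface than the "Key-based auth only" comment suggests; consider enabling it only on desktop hosts. Minor: the `grep`, `find` and `cat` aliases silently substitute `rg`, `fd` and `bat`, whose flags differ, which surprises anyone pasting commands from documentation.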
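Review bot: in the sma.nix hunk, the `sma` account cannot log in at all as written: `openssh.authorizedKeys.keys` is an empty list, no `initialPassword` or `hashedPassword` is set, and common.nix sets `PasswordAuthentication = false`, so SSH, the account's only documented access path, rejects every attempt until a key is added; either include the key here or make the module fail evaluation when the key list is empty. The `security.sudo.extraRules` entry grants `command = "ALL"` with `NOPASSWD`, which is unconditional root for a remote account whose only protection is that SSH key; if passwordless sudo is really needed, scope `command` to the specific `nixos-rebuild` and `podman` invocations the aliases use rather than `ALL`. Smaller points in the same hunk: `audit-users` greps `/etc/passwd` for `/bin/(bash|zsh|fish)`, which never matches on NixOS where shells resolve under `/run/current-system/sw/bin/`, so the alias reports nothing; `"d /home/sma 0755 sma users -"` makes the admin home world-readable, where 0700 or 0750 is the usual choice; and `docker` is added to `extraGroups` with an "if needed" comment although nothing in this patch enables Docker, and membership in that group is equivalent to root whenever the daemon is present.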
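Review bot: the final emacs.org hunk replaces the `NixOS from Emacs` section with a heading ending in `?`, the line `maybe we want to make this useful`, and an empty `#+BEGIN_SRC emacs-lisp` / `#+END_SRC` block; an empty block still tangles into `init.el`, so either remove the section until it has content or give the heading a TODO keyword. If the removed `nixos-upgrade` and `nixos-switch` commands come back later, note that they ran `nixos-rebuild` through a bare `shell-command` without any privilege step, which fails for `switch` and `boot`, so a replacement needs an explicit elevation mechanism rather than `shell-command` alone.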