feat(www): www

hosts/deertopia/configuration.nix

@@ -11,7 +11,8 @@
 
     users.users = [
       "lain"
-      "besties"
+      "msyds"
+      "liv"
     ];
 
     impermanence = {
@@ -25,6 +26,9 @@
         # are expected to consistently identify machines... I think.  I mostly
         # just think it's annoying to edit ~/.ssh/known_hosts all the time.
         "/etc/ssh"
+
+        # TODO: move
+        "/home/liv"
       ];
       rollback = {
         enable = true;
@@ -40,6 +44,7 @@
 
     deertopia = {
       authelia.enable = true;
+      www.enable = true;
       bepasty.enable = true;
       jellyfin.enable = false;
       lldap.enable = true;
@@ -63,19 +68,6 @@
         # sabnzbd.enable = true;
         # slskd.enable = true;
       };
-
-      # A simple default webpage.  This should probably live somewhere else.
-      nginx.vhosts."www" = {
-        vhostName = "deertopia.net";
-        vhost = {
-          forceSSL = true;
-          enableACME = true;
-
-          locations."/" = {
-            index = "index.html";
-          };
-        };
-      };
     };
   };
 
@@ -120,8 +112,7 @@
     };
   };
 
-  # TODO: Move to defaults.
+  users.mutableUsers = true;
-  users.mutableUsers = false;
 
   nix = {
     settings = {

modules/nixos/deertopia/lldap/pam.nix

@@ -7,6 +7,16 @@ in {
   };
 
   # See https://github.com/lldap/lldap/blob/main/example_configs/pam/README.md.
+
+  # Required imperative configuration: you will need to add the following custom
+  # attributes to the user schema in the LLDAP web UI.
+  #
+  #   • uidNumber (integer)
+  #   • gidNumber (integer, multiple values)
+  #   • homeDirectory (string)
+  #   • unixShell (string)
+  #   • sshPublicKey (string) (only if you’re setting up SSH Public Key Sync)
+
   config = lib.mkIf cfg.enable {
     sydnix.sops.secrets =
       let
@@ -19,6 +29,32 @@ in {
         sssd-environment = {};
       };
 
+    # TODO: The existence of a dynamic set of users leads to some complexities
+    # when combined with Impermanence.  Static users (i.e. those defined in the
+    # NixOS config) shall opt in to Impermanence via the Home-manager setting,
+    # but "dynamic" users (i.e. those per LDAP/PAM) should be persisted
+    # unconditionally.  Implementing this behaviour takes quite the hack:
+    #
+    #   • /home is persisted.
+    #
+    #   • A impersistent directory /transient-home is created.
+    #
+    #   • "Dynamic" users are assigned subdirectories of /home like usual.
+    #     Since /home is persisted, so are the users' individual home
+    #     directories.
+    #
+    #   • The home directories of "static" users (that are opted in to
+    #     Impermanence) are created at /transient-home/«user» and bind-mounted
+    #     to /home/«user».
+
+    security.pam.services."ldap".makeHomeDir = true;
+
+    # For synchronizations of SSH keys.
+    services.openssh.settings = {
+      AuthorizedKeysCommand = lib.getExe' pkgs.sssd "sss_ssh_authorizedkeys";
+      AuthorizedKeysCommandUser = "nobody";
+    };
+
     services.sssd =
       let
         inherit (config.sydnix.deertopia.lldap) baseDN;
@@ -71,7 +107,7 @@ in {
           ldap_user_shell = unixShell
 
           # Uncomment for SSH Key Sync setup
-          #ldap_user_ssh_public_key = sshPublicKey
+          ldap_user_ssh_public_key = sshPublicKey
 
           # Group mappings
           # Put your LDAP dc here

modules/nixos/deertopia/nginx.nix

@@ -101,35 +101,5 @@ in
             };
           })
           (builtins.attrNames cfg.vhosts));
-
-    # services.nginx.virtualHosts."deertopia.net" = {
-    #   root = "${cfg.www.root}/www";
-
-    #   # addSSL = true;
-    #   forceSSL = true;
-    #   enableACME = true;
-
-    #   locations."/" = {
-    #     index = "index.html";
-    #   };
-    # };
-
-    # system.activationScripts.initialiseDeertopiaRoot.text =
-    #   let
-    #     # FIXME: Use `lib.strings.toShellVar`.
-    #     inherit (cfg) root group user;
-    #   in ''
-    #     mkdir -p "${root}"
-    #     chown -R "${user}:${group}" "${root}"
-    #     chmod -R 775 "${root}"
-
-    #     ${lib.toShellVar "dirs"
-    #       (builtins.catAttrs "directory" (builtins.attrValues cfg.vhosts))}
-    #     for i in "''${dirs[@]}"; do
-    #       mkdir -p "$i"
-    #       chown -R "${user}:${group}" "$i"
-    #       chmod -R 775 "$i"
-    #     done
-    # '';
   };
 }

modules/nixos/deertopia/www.nix

@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.www;
+in {
+  options.sydnix.deertopia.www = {
+    enable = lib.mkEnableOption "www.deertopia.net";
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.groups.www = {};
+
+    users.users.nginx.extraGroups = [ "www" ];
+
+    systemd.tmpfiles.settings."10-www" =
+      let
+        f = user:
+          let e = { inherit user; group = "www"; mode = "2755"; };
+          in { z = e; v = e; };
+      in {
+        "/www" = f "root";
+        "/www/~msyds" = f "msyds";
+        "/www/~liv" = f "liv";
+      };
+
+    sydnix.impermanence.directories = [ "/www" ];
+
+    sydnix.deertopia.nginx.vhosts."www" = {
+      vhostName = "deertopia.net";
+      directory = "/www";
+      vhost = {
+        forceSSL = true;
+        enableACME = true;
+
+        extraConfig = ''
+          location /~msyds/ {
+            index index.html;
+          }
+          location /~liv/ {
+            index index.html;
+          }
+          location / {
+            index index.html;
+          }
+        '';
+
+        # locations."/" = {
+        #   index = "index.html";
+        # };
+        # locations."/~msyds" = {
+        #   index = "\\~msyds/index.html";
+        # };
+        # locations."/~liv" = {
+        #   index = "\\~liv/index.html";
+        # };
+      };
+    };
+  };
+}

public-keys/ssh/liv.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERHmO7AdaIvu9HiBMOgjo09iTxgZpnILMgd7+1h7Wsn facem@DESKTOP-40PNQA8

public-keys/ssh/windows.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDa+0xeHKDW7T6SIj/QnQVotgkgWXfeGqtWUn9AHh07ECXVIKjrjlPOz72zAB0b/tP6D2WpYlIHRsfXcAAWThORNL83fU72COyEQDOEyu43rRTU3T7CjiICRwJkVC20LfEDor+Z3tD2qGS7r/FNzTmCIH8k9USZwlW4YPAP9ijHWn6GqTjgsRL4jxPM5A2yM+NpUK66U9HPvCi3eH8QTXwhFpW3Ia9SiGzU/UCcd7P9NSTCvZg4H2s6kBPNA+iP+/9u290Lw86n60XFQnsjGEszv1ErDdVpy45BUzjNElZVoktpdSO03v/rIU6QQHa/KSHcY1zmtTBgmIRZkqL29t+H dacom@doktor

users/lain/default.nix

@@ -27,6 +27,7 @@
       ../../public-keys/ssh/crumble-at-fruitbook.pub
       ../../public-keys/ssh/crumb-at-nixos-testbed.pub
       ../../public-keys/ssh/termux.pub
+      ../../public-keys/ssh/windows.pub
     ];
   };
 

users/liv/default.nix

@@ -0,0 +1,28 @@
+{
+  systemConfiguration = { config, ... }: {
+    isNormalUser = true;
+
+    # Unfortunately must be hard-coded so we can attribute it to the
+    # corresponding LDAP user.
+    uid = 1007;
+
+    extraGroups = [ "www" ];
+
+    openssh.authorizedKeys.keyFiles = [
+      ../../public-keys/ssh/liv.pub
+      ../../public-keys/ssh/windows.pub
+    ];
+  };
+
+  homeConfiguration = { config, lib, pkgs, ... }: {
+    programs.bash.enable = true;
+    programs.emacs.enable = true;
+
+    home.packages = [
+      pkgs.nano
+    ];
+
+    # Don't touch!
+    home.stateVersion = "18.09";
+  };
+}

users/msyds/default.nix

@@ -0,0 +1,73 @@
+{
+  systemConfiguration = { config, ... }: {
+    isNormalUser = true;
+
+    # Unfortunately must be hard-coded so we can attribute it to the
+    # corresponding LDAP user.
+    uid = 1006;
+
+    # TODO: Don't hard-code `persist`.  Use
+    # config.sydnix.impermanence.persistGroupName.
+    extraGroups = [
+      # Admin account.
+      "wheel"
+      # Default permissions to modify /persist.
+      "persist"
+      # Can modify the files served by Nginx.
+      "nginx"
+      # Can modify Deertopia's git-annex repos.
+      "annex"
+      # Can modify Deertopia's Jellyfin libraries.
+      "jellyfin"
+      # Can access slskd's downloads.
+      "slskd"
+      # Can access Nixarr's media.
+      "media"
+      "www"
+    ];
+
+    initialHashedPassword =
+      "$y$j9T$aEFDDwdTZbAc6VQRXrkBJ0$K8wxTGTWDihyX1wxJ.ZMH//wmQFfrGGUkLkxIU0Lyq8";
+
+    openssh.authorizedKeys.keyFiles = [
+      ../../public-keys/ssh/crumb-at-guix-rebound.pub
+      ../../public-keys/ssh/crumb-at-nixos-testbed.pub
+      ../../public-keys/ssh/termux.pub
+    ];
+  };
+
+  homeConfiguration = { config, lib, pkgs, ... }: {
+    home.file.".ssh/id_ed25519".source =
+      config.lib.file.mkOutOfStoreSymlink
+        "/persist/private-keys/ssh/lain-at-deertopia";
+
+    home.file.".ssh/id_ed25519.pub".source =
+      ../../public-keys/ssh/lain-at-deertopia.pub;
+
+    programs.bash.enable = true;
+
+    home.sessionVariables = {
+      "EDITOR" = "nvim";
+      "VISUAL" = "nvim";
+    };
+
+    home.packages = [
+      pkgs.btop
+    ];
+
+    sydnix = {
+      impermanence = {
+        enable = true;
+        directories = [
+          ".ssh"
+          "public"
+        ];
+      };
+      users.crumb.git.enable = true;
+      users.crumb.nvim.enable = true;
+    };
+
+    # Don't touch!
+    home.stateVersion = "18.09";
+  };
+}

users/msyds/files.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+let mutableSymlink = config.lib.file.mkOutOfStoreSymlink;
+in {
+  home.file.".ssh/id_ed25519".source =
+    mutableSymlink "/persist/private-keys/ssh/lain-at-deertopia";
+  home.file.".ssh/id_ed25519.pub".source =
+    ../../public-keys/ssh/lain-at-deertopia.pub;
+}