post(nixos): enable isSystemUser to disable shell
parent
1b3cefa26c
commit
1d1bd91266
|
@ -181,12 +181,12 @@ Following is my "configuration.nix". I'll show you how to secure NixOS using has
|
|||
caddyProxy = {
|
||||
home = "/var/lib/caddyProxy";
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
caddyTor = {
|
||||
home = "/var/lib/caddyTor";
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -102,16 +102,17 @@ Combining with the previous user configs, I ended up with:
|
|||
caddyProxy = {
|
||||
home = "/var/lib/caddyProxy";
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
caddyTor = {
|
||||
home = "/var/lib/caddyTor";
|
||||
createHome = true;
|
||||
isNormalUser = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
tor = {
|
||||
home = "/var/lib/tor";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
group = "tor";
|
||||
uid = config.ids.uids.tor;
|
||||
};
|
||||
|
@ -522,14 +523,17 @@ Since [unattended upgrade](#Unattended-upgrade) is executed on 00:00, I delay ga
|
|||
caddyProxy = {
|
||||
home = "/var/lib/caddyProxy";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
caddyTor = {
|
||||
home = "/var/lib/caddyTor";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
caddyI2p = {
|
||||
home = "/var/lib/caddyI2p";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -37,24 +37,22 @@ Create a separate user with home folder set to where web server will be deployed
|
|||
www-data = {
|
||||
openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ];
|
||||
home = "/var/www";
|
||||
# Remove this line after "/var/www" is created
|
||||
createHome = true;
|
||||
# Required for rsync
|
||||
useDefaultShell = true;
|
||||
isNormalUser = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Make /var/www world-readable
|
||||
system.activationScripts = {
|
||||
www-data.text =
|
||||
''
|
||||
chmod +xr "/var/www"
|
||||
'';
|
||||
};
|
||||
```
|
||||
|
||||
`useDefaultShell` is required to execute rsync on the remote server. This has a security implication and requires a minor tweak to the web server; more on this in the next section. Execute `nixos-rebuild switch` as root to create `www-data` user and its home folder.
|
||||
|
||||
Home folder is not world-readable by default, so if you start a web server using different user, it can't access the `/var/www`. To fix this,
|
||||
|
||||
```
|
||||
chmod +xr /var/www
|
||||
```
|
||||
|
||||
Make sure `users.users.www-data.createHome` setting is removed/disabled, otherwise `/var/www` will become non-world-readable after an upgrade.
|
||||
`isNormalUser` (which also enables `useDefaultShell`) is required to execute rsync on the remote server. This has a security implication and requires a minor tweak to the web server; more on this in the next section. Execute `nixos-rebuild switch` as root to create `www-data` user and its home folder.
|
||||
|
||||
### Hide dotfiles in web server
|
||||
|
||||
|
|