post(nixos): enable isSystemUser to disable shell

This commit is contained in:
Ming Di Leom 2021-06-13 09:22:57 +00:00
parent 1b3cefa26c
commit 1d1bd91266
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
3 changed files with 18 additions and 16 deletions


@ -181,12 +181,12 @@ Following is my "configuration.nix". I'll show you how to secure NixOS using has
caddyProxy = { caddyProxy = {
home = "/var/lib/caddyProxy"; home = "/var/lib/caddyProxy";
createHome = true; createHome = true;
isNormalUser = true; isSystemUser = true;
}; };
caddyTor = { caddyTor = {
home = "/var/lib/caddyTor"; home = "/var/lib/caddyTor";
createHome = true; createHome = true;
isNormalUser = true; isSystemUser = true;
}; };
}; };


@ -102,16 +102,17 @@ Combining with the previous user configs, I ended up with:
caddyProxy = { caddyProxy = {
home = "/var/lib/caddyProxy"; home = "/var/lib/caddyProxy";
createHome = true; createHome = true;
isNormalUser = true; isSystemUser = true;
}; };
caddyTor = { caddyTor = {
home = "/var/lib/caddyTor"; home = "/var/lib/caddyTor";
createHome = true; createHome = true;
isNormalUser = true; isSystemUser = true;
}; };
tor = { tor = {
home = "/var/lib/tor"; home = "/var/lib/tor";
createHome = true; createHome = true;
isSystemUser = true;
group = "tor"; group = "tor";
uid = config.ids.uids.tor; uid = config.ids.uids.tor;
}; };
@ -522,14 +523,17 @@ Since [unattended upgrade](#Unattended-upgrade) is executed on 00:00, I delay ga
caddyProxy = { caddyProxy = {
home = "/var/lib/caddyProxy"; home = "/var/lib/caddyProxy";
createHome = true; createHome = true;
isSystemUser = true;
}; };
caddyTor = { caddyTor = {
home = "/var/lib/caddyTor"; home = "/var/lib/caddyTor";
createHome = true; createHome = true;
isSystemUser = true;
}; };
caddyI2p = { caddyI2p = {
home = "/var/lib/caddyI2p"; home = "/var/lib/caddyI2p";
createHome = true; createHome = true;
isSystemUser = true;
}; };
}; };


@ -37,24 +37,22 @@ Create a separate user with home folder set to where web server will be deployed
www-data = { www-data = {
openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ];
home = "/var/www"; home = "/var/www";
# Remove this line after "/var/www" is created
createHome = true;
# Required for rsync # Required for rsync
useDefaultShell = true; isNormalUser = true;
}; };
}; };
}; };
## Make /var/www world-readable
system.activationScripts = {
www-data.text =
''
chmod +xr "/var/www"
'';
};
``` ```
`useDefaultShell` is required to execute rsync on the remote server. This has a security implication and requires a minor tweak to the web server; more on this in the next section. Execute `nixos-rebuild switch` as root to create `www-data` user and its home folder. `isNormalUser` (which also enables `useDefaultShell`) is required to execute rsync on the remote server. This has a security implication and requires a minor tweak to the web server; more on this in the next section. Execute `nixos-rebuild switch` as root to create `www-data` user and its home folder.
Home folder is not world-readable by default, so if you start a web server using different user, it can't access the `/var/www`. To fix this,
```
chmod +xr /var/www
```
Make sure `users.users.www-data.createHome` setting is removed/disabled, otherwise `/var/www` will become non-world-readable after an upgrade.
### Hide dotfiles in web server ### Hide dotfiles in web server