post(nixos): enable isSystemUser to disable shell
parent
1b3cefa26c
commit
1d1bd91266
@ -181,12 +181,12 @@ Following is my "configuration.nix". I'll show you how to secure NixOS using has
|
||||||
caddyProxy = {
|
caddyProxy = {
|
||||||
home = "/var/lib/caddyProxy";
|
home = "/var/lib/caddyProxy";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
isNormalUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
caddyTor = {
|
caddyTor = {
|
||||||
home = "/var/lib/caddyTor";
|
home = "/var/lib/caddyTor";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
isNormalUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
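Review bot: The `caddyProxy` and `caddyTor` blocks are flipped to `isSystemUser = true;` without a `group`; recent NixOS releases assert that a system user declares its primary group (the `tor` block elsewhere in this commit shows the shape with `group = "tor";`), and on releases that do not enforce it the account lands in the shared `nogroup`, which undercuts the per-service isolation this change is after. Suggest adding `group = "caddyProxy";` inside the block and `users.groups.caddyProxy = {};` next to it (same for `caddyTor`). The flip itself does what the title says: `isNormalUser` implied `useDefaultShell`, so dropping it leaves `shell` at the nologin default. As far as I recall, an existing account keeps its UID across the rebuild, but a fresh deployment allocates one from the system range, so ownership of a `/var/lib/caddyProxy` restored from backup should be checked. The enclosing `users.users` attribute set begins outside the hunk.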
@ -102,16 +102,17 @@ Combining with the previous user configs, I ended up with:
|
||||||
caddyProxy = {
|
caddyProxy = {
|
||||||
home = "/var/lib/caddyProxy";
|
home = "/var/lib/caddyProxy";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
isNormalUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
caddyTor = {
|
caddyTor = {
|
||||||
home = "/var/lib/caddyTor";
|
home = "/var/lib/caddyTor";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
isNormalUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
tor = {
|
tor = {
|
||||||
home = "/var/lib/tor";
|
home = "/var/lib/tor";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
|
isSystemUser = true;
|
||||||
group = "tor";
|
group = "tor";
|
||||||
uid = config.ids.uids.tor;
|
uid = config.ids.uids.tor;
|
||||||
};
|
};
|
||||||
|
@ -522,14 +523,17 @@ Since [unattended upgrade](#Unattended-upgrade) is executed on 00:00, I delay ga
|
||||||
caddyProxy = {
|
caddyProxy = {
|
||||||
home = "/var/lib/caddyProxy";
|
home = "/var/lib/caddyProxy";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
caddyTor = {
|
caddyTor = {
|
||||||
home = "/var/lib/caddyTor";
|
home = "/var/lib/caddyTor";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
caddyI2p = {
|
caddyI2p = {
|
||||||
home = "/var/lib/caddyI2p";
|
home = "/var/lib/caddyI2p";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -37,24 +37,22 @@ Create a separate user with home folder set to where web server will be deployed
|
||||||
www-data = {
|
www-data = {
|
||||||
openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ];
|
openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ];
|
||||||
home = "/var/www";
|
home = "/var/www";
|
||||||
# Remove this line after "/var/www" is created
|
|
||||||
createHome = true;
|
|
||||||
# Required for rsync
|
# Required for rsync
|
||||||
useDefaultShell = true;
|
isNormalUser = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
## Make /var/www world-readable
|
||||||
|
system.activationScripts = {
|
||||||
|
www-data.text =
|
||||||
|
''
|
||||||
|
chmod +xr "/var/www"
|
||||||
|
'';
|
||||||
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
`useDefaultShell` is required to execute rsync on the remote server. This has a security implication and requires a minor tweak to the web server; more on this in the next section. Execute `nixos-rebuild switch` as root to create `www-data` user and its home folder.
|
`isNormalUser` (which also enables `useDefaultShell`) is required to execute rsync on the remote server. This has a security implication and requires a minor tweak to the web server; more on this in the next section. Execute `nixos-rebuild switch` as root to create `www-data` user and its home folder.
|
||||||
|
|
||||||
Home folder is not world-readable by default, so if you start a web server using different user, it can't access the `/var/www`. To fix this,
|
|
||||||
|
|
||||||
```
|
|
||||||
chmod +xr /var/www
|
|
||||||
```
|
|
||||||
|
|
||||||
Make sure `users.users.www-data.createHome` setting is removed/disabled, otherwise `/var/www` will become non-world-readable after an upgrade.
|
|
||||||
|
|
||||||
### Hide dotfiles in web server
|
### Hide dotfiles in web server
|
||||||
|
|
||||||
|
|
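Review bot: The new `system.activationScripts.www-data` runs `chmod +xr "/var/www"` but declares no `deps`, so nothing in the configuration orders it after the `users` activation step that creates the home directory; if it runs first the chmod fails on a missing path. Set the dependency explicitly, e.g. `www-data = { deps = [ "users" ]; text = ''chmod o+rx "/var/www"''; };`. `chmod +xr` with no `who` is filtered by the caller's umask, so `o+rx` states the world-readable intent directly instead of relying on the activation environment's umask. Since `isNormalUser` hands this SSH-reachable account a login shell, the "next section" tweak should at least mention restricting the authorized key (`restrict,command="rsync --server ..."`) rather than relying on web-server configuration alone. The prose at "`isNormalUser` (which also enables `useDefaultShell`)" could also note that it implies `createHome`, since the explicit `createHome = true;` line was removed and a reader may otherwise think the home directory is no longer created.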