[Nix-dev] [PoC] Automatic UIDs and keys owned by non-root users

Игорь Пашев pashev.igor at gmail.com
Fri Dec 18 21:17:41 CET 2015 

Sorry ¯\_(ツ)_/¯

       hex = lib.toLower (builtins.substring 0 7 (builtins.hashString
"sha1" name));
-      digits = lib.imap (i: d: {m = (i - 1)*16; d = d;})
(lib.stringToCharacters hex);
+      pow = b: n: lib.foldl builtins.mul 1 (builtins.genList (_: b) n);
+      digits = lib.imap (i: d: {m = pow 16 (i - 1); d = d;})
(lib.stringToCharacters hex);

2015-11-29 19:20 GMT+03:00 Игорь Пашев <pashev.igor at gmail.com>:
> $ id mariadb
> uid=1000003264(mariadb) gid=1000003264(mariadb)
> groups=96(keys),1000003264(mariadb)
>
> ...
>   config = mkIf cfg.enable {
>     autoUsers = [ cfg.user ];
>     keyrings.${cfg.user} = [ cfg.s3cfg ];
> ...
>
>
> keyrings.nix: ----------------
> { config, lib, ... }:
>
> with lib;
> with lib.types;
> with builtins;
>
> let
>   allusers = config.users.users;
>   read = key:
>     if config.production
>     then (readFile (<secrets> + "/${key}"))
>     else "dummy";
>
> in {
>   options = {
>     keyrings = mkOption {
>       type = attrsOf (listOf path);
>       description = "Binds keys to a user";
>       default = {};
>       example = { backup = [ "s3cmd.cfg" ]; };
>     };
>   };
>
>   config = {
>     users.users = genAttrs (attrNames config.keyrings) (
>       name: optionalAttrs (name != "root") { extraGroups = [ "keys" ]; }
>     );
>
>     deployment.keys = foldl (a: b: a//b) {} (
>       mapAttrsToList (name: keys:
>         genAttrs (map baseNameOf keys)
>                  (key: { text = read key;
>                          user = toString allusers.${name}.uid;
>                        })
>       ) config.keyrings
>     );
>   };
> }
>
>
> autoUsers.nix: ---------------
> { config, pkgs, lib, ... }:
>
> let
>   names = config.autoUsers;
>   uid = name: let
>       dec = {
>         "0" =  0; "1" =  1; "2" =  2; "3" =  3;
>         "4" =  4; "5" =  5; "6" =  6; "7" =  7;
>         "8" =  8; "9" =  9; "a" = 10; "b" = 11;
>         "c" = 12; "d" = 13; "e" = 14; "f" = 15;
>       };
>       base = 1000000000; # 2^31 > base + 16^7, 2^31 for JSON int
>       hex = lib.toLower (builtins.substring 0 7 (builtins.hashString
> "sha1" name));
>       digits = lib.imap (i: d: {m = (i - 1)*16; d = d;})
> (lib.stringToCharacters hex);
>       f = a: {m, d}: a + m * dec.${d};
>
>       in lib.foldl f base digits;
>
> in {
>   options = {
>     autoUsers = lib.mkOption {
>       type = lib.types.listOf lib.types.str;
>       description = "List of system users with automatic UID and group";
>       default = [];
>     };
>   };
>
>   config = {
>     users.extraGroups = lib.genAttrs names (name: { gid = uid name; });
>     users.extraUsers = lib.genAttrs names
>       (name: {
>         isSystemUser = true;
>         uid = uid name;
>         group = name;
>       });
>   };
> }

More information about the nix-dev mailing list