Add Jett forge access and rekey secrets

contributors.nix

@@ -35,7 +35,9 @@
       canonicalEmail = "jett@burrow.net";
       isAdmin = true;
       forgeAuthorized = false;
+      forgeUnixUser = true;
       bootstrapAuthentik = true;
+      sshPublicKeyPath = ./nixos/keys/jett_at_burrow_net.pub;
       roles = [
         "member"
         "operator"

nixos/hosts/burrow-forge/default.nix

@@ -3,6 +3,7 @@
 let
   contributors = import ../../../contributors.nix;
   identities = contributors.identities;
+  stripNewline = value: lib.replaceStrings [ "\n" ] [ "" ] value;
   authentikPasswordSecretPath = identity:
     if identity ? authentikPasswordSecret
     then config.age.secrets.${identity.authentikPasswordSecret}.path
@@ -27,6 +28,23 @@ let
       }
     )
     (lib.filterAttrs (_: identity: identity.bootstrapAuthentik or false) identities);
+  forgeUnixUsernames =
+    builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeUnixUser or false) identities);
+  forgeUnixUsers = lib.genAttrs forgeUnixUsernames (username:
+    let
+      identity = identities.${username};
+      sshKeys = lib.optional (identity ? sshPublicKeyPath) (stripNewline (builtins.readFile identity.sshPublicKeyPath));
+    in
+    {
+      isNormalUser = true;
+      createHome = true;
+      home = "/home/${username}";
+      shell = pkgs.bashInteractive;
+      extraGroups = lib.optional (identity.isAdmin or false) "wheel";
+      openssh.authorizedKeys.keys = sshKeys;
+    });
+  forgeUnixAdminUsernames =
+    builtins.attrNames (lib.filterAttrs (_: identity: (identity.forgeUnixUser or false) && (identity.isAdmin or false)) identities);
   forgeAuthorizedKeys = map
     (username: builtins.readFile identities.${username}.sshPublicKeyPath)
     (builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeAuthorized or false) identities));
@@ -52,6 +70,18 @@ in
     "flakes"
   ];
 
+  users.users = forgeUnixUsers;
+
+  security.sudo.extraRules = lib.map (username: {
+    users = [ username ];
+    commands = [
+      {
+        command = "ALL";
+        options = [ "NOPASSWD" ];
+      }
+    ];
+  }) forgeUnixAdminUsernames;
+
   environment.systemPackages = lib.optionals config.services.forgejo-nsc.enable [
     self.packages.${pkgs.stdenv.hostPlatform.system}.nsc
   ];

nixos/keys/jett_at_burrow_net.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMe960j6TC869F6RvElpICxlBauIT3E0uLyy0m7n70ZC

secrets.nix

@@ -2,10 +2,12 @@ let
   conradev = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBueQxNbP2246pxr/m7au4zNVm+ShC96xuOcfEcpIjWZ";
   contact = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO42guJ5QvNMw3k6YKWlQnjcTsc+X4XI9F2GBtl8aHOa";
   agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEN0+tRJy7Y2DW0uGYHb86N2t02WyU5lDNX6FaxBF/G8 agent@burrow.net";
+  jett = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./nixos/keys/jett_at_burrow_net.pub);
   burrowForgeHost = "age1quxf27gnun0xghlnxf3jrmqr3h3a3fzd8qxpallsaztd2u74pdfq9e7w9l";
   burrowForgeRecipients = [
     contact
     agent
+    jett
     burrowForgeHost
   ];
   uiTestRecipients = burrowForgeRecipients ++ [ conradev ];

secrets/infra/authentik-google-client-secret.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 ux4N8Q 4uq5z93mRUUgcMOxP4+Yfe2Jq4tGYErwtzvtMHUvgi0
-J9DkDeSPkQbOjFM3QoV+1Kz3ZVLfR4PUxCT8Zxz+Wvk
--> ssh-ed25519 IrZmAg uLEVmJ+e9ZiLas5YooR4GfgyspWTsFdMB2WPvluU/VI
-7vqqQ/BIDQaOp6VDVLa5ugoRxVZZsMj116cTHY6+8KM
--> X25519 9spF9eLz63UOaBfuG9vTIr6bCKwzFsWMjnaIj1PIR3Y
-iGFELg2RQUT9rEal7pblQhfxtwYhxsZdXYxEhvjtHpw
---- 3TDrUnIN826N/n5gc+YY8ilMMc/6K8zGTh6FxzKC/JM
-ÊÉXÍHºéÓ#IJG§uíÃâeÒüÖ¹f&1€a2ƒB„JÔŽõg¯ºÁ=Ì¿Šä”.ÅÕ÷ë*7™F<E284A2>·<EFBFBD>´‰–bÖ
+-> ssh-ed25519 ux4N8Q Q3rYrGroJXarMLdatYCHVERefWDyGwM0Ii/kOp5m3Fs
+W3tgHNXLSVfGU5p8MhBj0mX72SNgMl8nf8sQX29yvBw
+-> ssh-ed25519 IrZmAg fyFQQkd51GthNZ4R+W5Al266LnlKbr4ZoMERlCM1OTQ
+rNjnHTGCfF8LkqU8mzTrHlL5G4az1k62gvH4gW8zmjc
+-> ssh-ed25519 0kWPgQ OWokv9XAphqbkDi1cznb9V09VcM6Li1eIh0JpcIlVTY
+TnPVlqKB78y7NPYp02UJmuRXdBMKJKCngpvo8TjpFZ8
+-> X25519 HWaWhyejjo4IjDrNsBYxU1JaGU0899FqiBYgstInuiU
+enbBGnhH+uJKY3NBD6mmy09Uos+in6ytRQ5BakvTUvI
+--- gOBrh88hnvlUSmnRiowJiUIwgIz5zzVKH8YCRb8Ckdw
+Úx¥¢õokPà²íáÐàn8¬ý­vòµ„™HR
Ê<>oMºÒðªÃ‹¼ê¢9&TÁb]ĉ¬Àƒ'|ý<ÒèPbe†