From 2fc3ae8ab32032291c0afdd21bf4cdbaf4678d74 Mon Sep 17 00:00:00 2001
From: Xavier Detant <1016863+FaustXVI@users.noreply.github.com>
Date: Tue, 31 Dec 2024 20:24:29 +0100
Subject: [PATCH] Make users non mutable
---
modules/purposes/perso/password.nix | 11 ++++++++++
.../perso/secrets/perso-password-hash.txt | 20 +++++++++++++++++++
modules/purposes/work/password.nix | 11 ++++++++++
.../work/secrets/work-password-hash.txt | 20 +++++++++++++++++++
modules/system/users.nix | 9 +++++----
5 files changed, 67 insertions(+), 4 deletions(-)
create mode 100644 modules/purposes/perso/password.nix
create mode 100644 modules/purposes/perso/secrets/perso-password-hash.txt
create mode 100644 modules/purposes/work/password.nix
create mode 100644 modules/purposes/work/secrets/work-password-hash.txt
diff --git a/modules/purposes/perso/password.nix b/modules/purposes/perso/password.nix
new file mode 100644
index 0000000..b77633a
--- /dev/null
+++ b/modules/purposes/perso/password.nix
@@ -0,0 +1,11 @@
+{ mylib, config, ... }:
+
+{
+ config = mylib.mkIfComputerHasPurpose "perso" {
+ sops.secrets.password = {
+ format = "binary";
+ sopsFile = ./secrets/perso-password-hash.txt;
+ neededForUsers = true;
+ };
+ };
+}
diff --git a/modules/purposes/perso/secrets/perso-password-hash.txt b/modules/purposes/perso/secrets/perso-password-hash.txt
new file mode 100644
index 0000000..13f3974
--- /dev/null
+++ b/modules/purposes/perso/secrets/perso-password-hash.txt
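Review bot: `config` is bound in the module arguments on the first line but never read in this file; it can be dropped to `{ mylib, ... }:` unless something outside this patch needs it. More importantly, nothing records the failure mode: this secret is `neededForUsers`, and the users.nix hunk at the end of this patch sets `mutableUsers = false` and `root.hashedPassword = "!"`, so if the host's age key cannot decrypt `./secrets/perso-password-hash.txt` at activation (fresh install, rotated key) the user presumably ends up with no usable password while root is already locked, leaving the SSH authorized keys as the only way in. I would add `# NOTE: if this secret fails to decrypt at activation, xadet has no password and root is locked; recovery is via the SSH authorized keys in users.nix.` above `sops.secrets.password`. It is also worth a comment that, with `format = "binary"`, the decrypted file must contain only the crypt(3) hash that `hashedPasswordFile` expects — whether a trailing newline is tolerated depends on the NixOS user-activation script, so confirm that when generating the hash.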
@@ -0,0 +1,20 @@
+{
+ "data": "ENC[AES256_GCM,data:yCMR3W74O8BMh7irwlJY8mQNhvwsE9VFI+x4jZv5gJ0uHRxEJ110kL4igytPonBx+ML6gzGKzQAecQIaQ19jjv6y6Ctw4NUMdpQ=,iv:kgxy2dz875IXDJzIDs6YGJZCBrFm9Fvzt8ocnUbH4qw=,tag:lCas9LyAEx7TI8AZK5ujqw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age149suhqjf8zk8phwuvh7lztw79qxmrajdp5uqfhtrd6p8wnss0sssu2qs58",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMTdxTlh5cmw1SDF1Vjdx\nQkZENWtnYUJyVnJkdWxCR1ZVSGxHRXJpZWw0CndWM0hKVU1veTFPQmNLZVJkVDlj\nQW9BVVhaYURhZThpdEdoaUNtTEprZVEKLS0tIGNOY1ZPNGs4MURKL0hRYmJJc3dw\nQVhYeXNSRlhMaDM0MTlYRDlSRnRIVVEK8xzJtE00cMhS5uzZ0LPPmGuJjfRQ8K61\nnNBMIZNBTVW/y1RLFYVPG2okYFWTTTbiRasHBNY7KwpZlIpaYDIeXg==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-12-31T18:14:50Z",
+ "mac": "ENC[AES256_GCM,data:K+jp4mFNkCpOBmRkxDKM/zKcBxfsWpZguNYz/CScEgWQvTDh80vOjxpg4Fs1kJUKm57S53/ckNtCEmQIMQj4ig6uS0GBNEnaSyuKu9c1FqxBOWdbwdOTX1JplWWG/RjiGz7TjqR3VzmtqwXsbWopZjEDTNa5JYvHBzbZ5sComSA=,iv:chtp6c9TFv1OdO7d35XCvIYAcgQuPgmtvYNKQlnQ9pU=,tag:jMHqeNt5Lfv5w5K8gYvsBw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.2"
+ }
+}
\ No newline at end of file
diff --git a/modules/purposes/work/password.nix b/modules/purposes/work/password.nix
new file mode 100644
index 0000000..0e7dfa0
--- /dev/null
+++ b/modules/purposes/work/password.nix
@@ -0,0 +1,11 @@
+{ mylib, config, ... }:
+
+{
+ config = mylib.mkIfComputerHasPurpose "work" {
+ sops.secrets.password = {
+ format = "binary";
+ sopsFile = ./secrets/work-password-hash.txt;
+ neededForUsers = true;
+ };
+ };
+}
diff --git a/modules/purposes/work/secrets/work-password-hash.txt b/modules/purposes/work/secrets/work-password-hash.txt
new file mode 100644
index 0000000..593d02c
--- /dev/null
+++ b/modules/purposes/work/secrets/work-password-hash.txt
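Review bot: The `age` array holds a single recipient (`age149suhq…`), so that one key is the only way this password hash can ever be decrypted or re-keyed; there is no admin or offline backup recipient. Losing or rotating that key would make the file unrecoverable, and because the users.nix hunk in this patch switches to `mutableUsers = false`, the affected machine would lose local password login rather than just one secret. The usual mitigation is a second recipient in `.sops.yaml` (an offline admin age key) followed by `sops updatekeys` on both hash files. Note also that the work hash file further down is encrypted to this same recipient, so the perso and work secrets are not separated by key at all — fine if one host key serves both purposes, but confirm that is intended.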
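Review bot: This module defines `sops.secrets.password` with `sopsFile = ./secrets/work-password-hash.txt`, and the perso module earlier in the patch defines the identical attribute with a different `sopsFile`; if `mylib.mkIfComputerHasPurpose` can evaluate to true for both purposes on one machine, Nix will fail with a conflicting-definition error on `sopsFile` rather than picking one. Whether purposes are mutually exclusive is not visible here, so either make that explicit with an assertion, or namespace the secrets (`sops.secrets.work-password` / `sops.secrets.perso-password`) and have users.nix select the path, which would also make the `config.sops.secrets.password.path` reference in the users.nix hunk less ambiguous. At minimum, document the constraint above the attribute: `# NOTE: perso/password.nix defines the same sops.secrets.password; a machine must have exactly one of these purposes.`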
@@ -0,0 +1,20 @@
+{
+ "data": "ENC[AES256_GCM,data:uVYwQHROq32cgpobPiiZRHbH2Z6k/xyx8pKowZKkjXGXE+W1fDkjrYpNqDnylp9lYAnLm4kulSgqTHGCcQ0VSTW6P9vNzuytXEk=,iv:+a1ACaoSZJth0WfAgZ9mjHgl9o1bGYVdyI4awOPM5qA=,tag:+RN3NbzJOP6melohNAuPAw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age149suhqjf8zk8phwuvh7lztw79qxmrajdp5uqfhtrd6p8wnss0sssu2qs58",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZFNmc21pUXQ2YnhKQ3Ra\nRU9aSVJRSHFqaUovUWZEUTlVUHdRc0NKMWdjCnB3cW44Z05Rd21xdWtqMURDUlhu\nSzZCRldtVHgyZG44Nk5kdnBSQ3dnbFUKLS0tIHhybzcwVXl0MnQ4eW5pN2svUnRw\nbjZkby9mbW1ncjRJMnY5b0FDcE8vTEkKIhSFjCfxxEWbE4UsUwIhT8g4nFXQDf7n\nWkA2XEaJS0iafDgBqgx/ZL9U1QhvIUQBKbA6uKG3w9I+kROesasTIQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-12-31T18:13:15Z",
+ "mac": "ENC[AES256_GCM,data:HWF/RtNzeZ/hYpI4RZ+fXicHmrwfsbHm5/X3OUewtyWe8/cVuqKMXQiIwxqIrYNrfmx/4u17ICxS1qWbr+GhgunwSaAO1UQtUhP2PSDMSY0Mn3ya/7T+fP0oascK6gPTfM++MyUPuDeXgq8FnqZVk4r8/LTQV8TTmA0UtMIYPPs=,iv:hzxm7me3qZai7cHmd5v/KNF9pAOxvMl5gnNSOoM+My8=,tag:0eSvOP9jpLKJHqR34Lz0VQ==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.2"
+ }
+}
\ No newline at end of file
diff --git a/modules/system/users.nix b/modules/system/users.nix
index d4f8d7a..1fef382 100644
--- a/modules/system/users.nix
+++ b/modules/system/users.nix
@@ -1,17 +1,18 @@
-{ pkgs, ... }@args:
+{ pkgs, config, ... }@args:
 {
 users = {
- mutableUsers = true;
- extraUsers = {
+ mutableUsers = false;
+ users = {
+ root.hashedPassword = "!"; # Disable login as root cf : https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/5
 xadet = {
 shell = pkgs.fish;
 isNormalUser = true;
 uid = 1000;
 createHome = true;
 extraGroups = [ "networkmanager" "wheel" "docker" "dialout" "lp" "scanner" "video" "wireshark" ];
- initialPassword = "changeMe";
+ hashedPasswordFile = config.sops.secrets.password.path;
 openssh = {
 authorizedKeys = {
 keys = [