Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add NixOS tech-support module and security documentation

Browse Source 
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/7e7a94ca-202b-4eb5-aa3a-a36a1365574b

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-04-04 01:31:56 +00:00
committed by GitHub
parent 3407612ea9
commit 85396e804d
3 changed files with 306 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
modules/core/tech-support.nix Normal file
View File

@@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
# ── Tech Support — restricted support user & tooling ─────────────────────────
#
# This module declaratively provisions the `sovran-support` system account that
# the Sovran Hub uses when a user enables remote tech support access.
#
# Security design:
# • Support staff log in as `sovran-support`, not as root.
# • Wallet directories (LND, Sparrow, Bisq, …) are locked with POSIX ACLs
# (u:sovran-support:---) by the Hub API as soon as a session is started.
# • The Hub web UI lets the user grant time-limited access to wallet files
# and view a full audit log of every session event.
#
# The `acl` package provides the `setfacl` / `getfacl` utilities required by
# the Hub's _apply_wallet_acls() and _revoke_wallet_acls() helpers.
{
# ── System packages ────────────────────────────────────────────────────────
environment.systemPackages = [ pkgs.acl ];
# ── Restricted support user and group ─────────────────────────────────────
users.groups.sovran-support = {};
users.users.sovran-support = {
isSystemUser = true;
group = "sovran-support";
description = "Sovran Systems restricted tech support account";
home = "/var/lib/sovran-support";
createHome = false;
# Use a real interactive shell so support staff can run diagnostic commands;
# the Hub API limits *when* they can connect (key present only while active).
shell = pkgs.bashInteractive;
};
# ── Home and SSH directories ───────────────────────────────────────────────
# tmpfiles ensures the directories exist at boot with the correct ownership
# even before the first support session is started.
systemd.tmpfiles.rules = [
"d /var/lib/sovran-support 0700 sovran-support sovran-support -"
"d /var/lib/sovran-support/.ssh 0700 sovran-support sovran-support -"
];
}