authortzlil <tzlils@protonmail.com>2023-01-21 17:34:49 +0200
committertzlil <tzlils@protonmail.com>2023-01-21 17:34:49 +0200
commitd9317de584c66b068a336889aa9adc3ac3837e5e (patch)
treef9418f271c8e9bdc2cc6075de471bc4b7049f965
parent5aa3d1eb375f7d67b717f0306752bd974fce1fbc (diff)
change deploy-rs to nixinate, change user to use passwordFile, add password age secret, remove NetworkManager-wait-online.service
-rw-r--r--flake.lock61
-rw-r--r--flake.nix15
-rw-r--r--hosts/vm/cfg.nix16
-rw-r--r--profiles/core.nix3
-rw-r--r--profiles/gentoo.nix22
-rw-r--r--profiles/network.nix7
-rw-r--r--profiles/ssh.nix8
-rw-r--r--profiles/user.nix19
-rw-r--r--secrets/secrets.nix1
9 files changed, 109 insertions, 43 deletions
diff --git a/flake.lock b/flake.lock
index 64aec97..63c4d5d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1665870395,
-        "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
+        "lastModified": 1673301561,
+        "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
+        "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
         "type": "github"
       },
       "original": {
@@ -26,11 +26,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1670513770,
-        "narHash": "sha256-muL74fsbGA8K8WlZSPNWddOiuBnC54kAajncX6nXrh4=",
+        "lastModified": 1674250603,
+        "narHash": "sha256-SBolFspxBHpW3hCCDNAFXUiO2mucmkVmf17UmSIK3Cs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "054d9e3187ca00479e8036dc0e92900a384f30fd",
+        "rev": "275ab728912006eecb549338a50f24f294a7cfb7",
         "type": "github"
       },
       "original": {
@@ -54,13 +54,31 @@
         "type": "github"
       }
     },
+    "nixinate": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1671116920,
+        "narHash": "sha256-QmDGsUUmAGn77UTR7eQJmebl8f3IIUCtmbbAdJqKA3s=",
+        "owner": "matthewcroughan",
+        "repo": "nixinate",
+        "rev": "b4d17b8e2a4abc47e93e1a1c466e0286a63640d8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "matthewcroughan",
+        "repo": "nixinate",
+        "type": "github"
+      }
+    },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1670174919,
-        "narHash": "sha256-XdQr3BUnrvVLRFunLWrZORhwYHDG0+9jUUe0Jv1pths=",
+        "lastModified": 1673803274,
+        "narHash": "sha256-zaJDlHFXewT4KUsidMpRcPE+REymGH1Y3Eoc3Pjv4Xs=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "9d87bc030a0bf3f00e953dbf095a7d8e852dab6b",
+        "rev": "7bd6b87b3712e68007823e8dd5c37ee9b114fee3",
         "type": "github"
       },
       "original": {
@@ -87,11 +105,27 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1670841420,
-        "narHash": "sha256-mSEia1FzrsHbfqjorMyYiX8NXdDVeR1Pw1k55jMJlJY=",
+        "lastModified": 1653060744,
+        "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "dfd82985c273aac6eced03625f454b334daae2e8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1674120619,
+        "narHash": "sha256-xLT1FQl7/jNPOEq5q/vmc3AExt1V9LtcjM+QY2+MUpA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "33e0d99cbedf2acfd7340d2150837fbb28039a64",
+        "rev": "d7705c01ef0a39c8ef532d1033bace8845a07d35",
         "type": "github"
       },
       "original": {
@@ -106,8 +140,9 @@
         "agenix": "agenix",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
+        "nixinate": "nixinate",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
       }
     },
     "utils": {
diff --git a/flake.nix b/flake.nix
index e0cef8c..6fc07c2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,14 +6,14 @@
     impermanence.url = "github:nix-community/impermanence";
     agenix.url = "github:ryantm/agenix";
     nixos-hardware.url = "github:nixos/nixos-hardware";
-    # deploy-rs.url = "github:serokell/deploy-rs";
+    nixinate.url = "github:matthewcroughan/nixinate";
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
-  outputs = inputs: let
+  outputs = inputs@{ self, ... }: let
     mkSystem_ = pkgs: system: h: modules:
       pkgs.lib.nixosSystem {
         system = system;
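Review bot: The new `nixinate.url` input on the `+` line does not pin its nixpkgs to this flake's, unlike `home-manager` a few lines below, so the lock now carries a second full nixpkgs (`nixpkgs_2`, lastModified 1653060744, roughly eight months older than the main `nixpkgs_3`) used only by nixinate. Declaring it as `nixinate = { url = "github:matthewcroughan/nixinate"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps a single nixpkgs to audit and update. Whether nixinate evaluates against this flake's pin is not visible here; if it genuinely needs its own, a comment saying so would save the next reader the same question.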
@@ -24,17 +24,10 @@
         inputs.agenix.nixosModule inputs.impermanence.nixosModules.impermanence
       ]);
   in {
+    apps = inputs.nixinate.nixinate.x86_64-linux self;
     nixosConfigurations = {
-      pc = mkSystem inputs.nixpkgs "x86_64-linux" "lilith";
+      # pc = mkSystem inputs.nixpkgs "x86_64-linux" "pc";
       vm = mkSystem inputs.nixpkgs "x86_64-linux" "vm";
     };
-
-    # deploy.nodes.some-random-system.profiles.system = {
-    #   user = "root";
-    #   path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vm;
-    # };
-
-    # This is highly advised, and will prevent many possible mistakes
-    # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
   };
 }
diff --git a/hosts/vm/cfg.nix b/hosts/vm/cfg.nix
index 8efee3b..3b5ace8 100644
--- a/hosts/vm/cfg.nix
+++ b/hosts/vm/cfg.nix
@@ -11,7 +11,18 @@
   ];
 
   config = {
+    _module.args.nixinate = {
+      host = "100.109.155.123";
+      sshUser = "tzlil";
+      buildOn = "remote"; # valid args are "local" or "remote"
+      substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
+      hermetic = false;
+    };
     networking.hostName = "vm";
+
+    # dont do this
+    users.users.root.initialPassword = "hunter2";
+    
     boot.supportedFilesystems = ["9p"];
     boot = {
       initrd = {
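Review bot: `users.users.root.initialPassword = "hunter2"` keeps a plaintext root credential in the repository, merely relocated from profiles/core.nix; with `users.mutableUsers = false` (visible as context in the core.nix hunk) `initialPassword` behaves like `password`, so this is root's permanent console password and the value is also world-readable in the Nix store on the target. This commit already introduces an age secret for the `tzlil` user, so the same mechanism fits here: `users.users.root.passwordFile = config.age.secrets.<ROOT_SECRET_PLACEHOLDER>.path;` with a matching `.age` entry in secrets/secrets.nix, or no root password at all if `wheel` plus sudo is the intended path. The ssh hunk sets `permitRootLogin = "no"`, which limits this to local or VM console access but does not remove it. `config` is presumably among this module's arguments, as in profiles/user.nix; confirm, since the header is outside the hunk.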
@@ -53,11 +64,6 @@
       "/boot" = {
         device = "/dev/disk/by-partlabel/boot";
       };
-      "/flake" = {
-        fsType = "9p";
-        device = "host0";
-        options = ["_netdev"];
-      };
     };
 
     zramSwap = {
diff --git a/profiles/core.nix b/profiles/core.nix
index f578621..e23879f 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -23,9 +23,6 @@
     users.mutableUsers = false;
     environment.defaultPackages = lib.mkForce [];
 
-    # dont do this
-    users.users.root.initialPassword = "hunter2";
-
     age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
   };
 }
\ No newline at end of file
diff --git a/profiles/gentoo.nix b/profiles/gentoo.nix
new file mode 100644
index 0000000..67f7e78
--- /dev/null
+++ b/profiles/gentoo.nix
@@ -0,0 +1,22 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  imports = [];
+  config = {
+    nativeStdenv = prev.stdenvAdapters.withCFlags [ "-O3" "-pipe" "-mcpu=apple-m1" ]
+    (prev.overrideCC prev.llvmPackages_latest.stdenv
+      (prev.wrapCCWith rec {
+        cc = prev.llvmPackages_latest.clang-unwrapped;
+        bintools = (final.wrapBintoolsWith {
+          coreutils = final.uutils-coreutils;
+          libc = final.musl;
+          bintools = final.binutils-unwrapped.overrideAttrs
+            (old: {
+              postInstall = ''
+                ln -sf ${final.mold}/bin/mold $out/bin/ld
+              '';
+            });
+        });
+      }));
+  };
+}
\ No newline at end of file
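Review bot: `prev` and `final` are not bound anywhere in this module, whose header takes `{ pkgs, lib, config, inputs, ... }`, and `nativeStdenv` is not a NixOS `config` option, so evaluating this file fails with undefined-variable errors as soon as something imports it (nothing in this commit appears to import it yet). The body reads like an overlay fragment; if that is the intent, wrap it inside `config` as `nixpkgs.overlays = [ (final: prev: { nativeStdenv = …; }) ];` so both names are bound, or move it to a dedicated overlay file. `-mcpu=apple-m1` also sits oddly next to the `x86_64-linux` systems declared in flake.nix; a comment naming the host this profile targets would help.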
diff --git a/profiles/network.nix b/profiles/network.nix
index 0ba325b..1b3026b 100644
--- a/profiles/network.nix
+++ b/profiles/network.nix
@@ -22,6 +22,13 @@
         '';
     };
 
+    # Don't wait for network startup
+    # https://old.reddit.com/r/NixOS/comments/vdz86j/how_to_remove_boot_dependency_on_network_for_a
+    systemd = {
+      targets.network-online.wantedBy = pkgs.lib.mkForce []; # Normally ["multi-user.target"]
+      services.NetworkManager-wait-online.wantedBy = pkgs.lib.mkForce []; # Normally ["network-online.target"]
+    };
+
     services.dnscrypt-proxy2 = {
       enable = true;
       settings = {
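Review bot: The two `mkForce []` lines in the added `systemd` block only cite where the idea came from, not what it costs; a one-line consequence note would help the next reader, e.g. `# units ordered After=network-online.target now start without waiting for connectivity`. `pkgs.lib.mkForce` works, but if `lib` is among this module's arguments (the header is outside the hunk) `lib.mkForce` is the usual spelling and matches profiles/core.nix.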
diff --git a/profiles/ssh.nix b/profiles/ssh.nix
index e0a623a..4c12cc7 100644
--- a/profiles/ssh.nix
+++ b/profiles/ssh.nix
@@ -5,10 +5,7 @@
     services.openssh = {
       enable = true;
       openFirewall = false;
-      passwordAuthentication = false;
-      kbdInteractiveAuthentication = false;
       allowSFTP = false;
-      permitRootLogin = "no";
       startWhenNeeded = true;
       extraConfig = ''
         AllowTcpForwarding yes
@@ -20,6 +17,11 @@
 
         AllowUsers tzlil
       '';
+      settings = {
+        permitRootLogin = "no";
+        passwordAuthentication = false;
+        kbdInteractiveAuthentication = false;
+      };
     };
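Review bot: The keys added under `settings` keep the old camelCase spelling, but `services.openssh.settings` takes sshd_config keywords, and the module declares typed options with defaults under the capitalized names: `PermitRootLogin = "no";`, `PasswordAuthentication = false;`, `KbdInteractiveAuthentication = false;`. Lowercase keys fall through the freeform type and are emitted as additional lines, so, as far as I can reconstruct the module at this nixpkgs revision, the rendered sshd_config would contain both `PasswordAuthentication yes` from the default and `passwordAuthentication no` from here; sshd matches keywords case-insensitively and honours the first occurrence, and uppercase attribute names sort first, so the hardening that this hunk and the deletion in the first ssh.nix hunk intend may be silently lost. Use the capitalized names and confirm the effective configuration on the target with `sshd -T | grep -i -e passwordauth -e permitroot -e kbdinteractive`.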
     environment.persistence."/nix/persist" = {
       hideMounts = true;
diff --git a/profiles/user.nix b/profiles/user.nix
index 6ae1261..6aa8262 100644
--- a/profiles/user.nix
+++ b/profiles/user.nix
@@ -9,13 +9,23 @@
     inputs.home-manager.nixosModules."home-manager"
   ];
   config = {
+    age.secrets = {
+      id_ed25519 = {
+        file = ../secrets/id_ed25519.age;
+        mode = "600";
+        owner = "tzlil";
+        group = "users";
+      };
+      password.file = ../secrets/password.age;
+    };
+
     users.users.tzlil = {
       isNormalUser = true;
       description = "Me";
       extraGroups = ["wheel"];
       packages = [pkgs.git];
       shell = pkgs.fish;
-      hashedPassword = "$5$itsrHkJPRhLdik0x$RxCXp8KmiPVa1dMQhHMQsjLgvx27MmeQ9ZVybV8bzE8";
+      passwordFile = config.age.secrets.password.path;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
       ];
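Review bot: `passwordFile` expects a file containing the password already in hashed form (the crypt(3) / `chpasswd -e` form the removed `hashedPassword` line used), not plaintext, so `password.age` must decrypt to such a hash; a comment on the new line, `# password.age must hold the hashed password, not plaintext`, would prevent the obvious mistake. The hash removed on the `-` line stays in git history, so generate a fresh hash for the secret rather than re-encrypting the old value. With `users.mutableUsers = false` in profiles/core.nix, a decryption failure at activation (for instance the `age.identityPaths` host key absent on first boot of an impermanence host) leaves the account with no password; agenix orders its install step before the `users` activation script as far as I know, and key-based SSH through `openssh.authorizedKeys.keys` still works, so this is recoverable but worth a note.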
@@ -24,13 +34,6 @@
     nix.settings.allowed-users = ["root" "tzlil"];
     nix.settings.trusted-users = ["root" "tzlil"];
 
-    age.secrets.id_ed25519 = {
-      file = ../secrets/id_ed25519.age;
-      mode = "600";
-      owner = "tzlil";
-      group = "users";
-    };
-
     home-manager = {
       useGlobalPkgs = true;
       useUserPackages = true;
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bf4b037..1020fc4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,4 +6,5 @@ let
 in
 {
   "id_ed25519.age".publicKeys = [ tzlil ] ++ systems;
+  "password.age".publicKeys = [ tzlil ] ++ systems;
 }
\ No newline at end of file