author | tzlil <tzlils@protonmail.com> | 2022-12-13 15:21:30 +0200 |
committer | tzlil <tzlils@protonmail.com> | 2022-12-13 15:21:30 +0200 |
commit | f51f8e398fffe33dcbb4b9f9db95708e7a3dde82 (patch) | |
tree | 08a9c853a29b01c53be526aecc8d2505f5086af5 | |
parent | 24637dfdfdd6dc8d116542f16a07d808c9e43c36 (diff) |
stuff
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | flake.lock | 131 | ||||
-rw-r--r-- | flake.nix | 4 | ||||
-rw-r--r-- | hosts/vm/cfg.nix | 63 | ||||
-rw-r--r-- | mixins/cli.nix | 33 | ||||
-rw-r--r-- | mixins/greet.nix | 34 | ||||
-rw-r--r-- | mixins/pipewire.nix | 15 | ||||
-rw-r--r-- | mixins/sway.nix | 258 | ||||
-rw-r--r-- | mixins/tailscale.nix | 2 | ||||
-rw-r--r-- | profiles/core.nix | 5 | ||||
-rw-r--r-- | profiles/graphical.nix | 34 | ||||
-rw-r--r-- | profiles/network.nix | 24 | ||||
-rw-r--r-- | profiles/ssh.nix | 34 | ||||
-rw-r--r-- | profiles/user.nix | 16 |
14 files changed, 622 insertions, 32 deletions
diff --git a/.gitignore b/.gitignore
index af6411a..ba15d45 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *.img
 *.fd
+*.tgz
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..64aec97
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,131 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1665870395, + "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=", + "owner": "ryantm", + "repo": "agenix", + "rev": "a630400067c6d03c9b3e0455347dc8559db14288", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1670513770, + "narHash": "sha256-muL74fsbGA8K8WlZSPNWddOiuBnC54kAajncX6nXrh4=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "054d9e3187ca00479e8036dc0e92900a384f30fd", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1668668915, + "narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "5df9108b346f8a42021bf99e50de89c9caa251c3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1670174919, + "narHash": "sha256-XdQr3BUnrvVLRFunLWrZORhwYHDG0+9jUUe0Jv1pths=", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "9d87bc030a0bf3f00e953dbf095a7d8e852dab6b", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1665732960, + "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1670841420, + "narHash": 
"sha256-mSEia1FzrsHbfqjorMyYiX8NXdDVeR1Pw1k55jMJlJY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "33e0d99cbedf2acfd7340d2150837fbb28039a64", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "home-manager": "home-manager", + "impermanence": "impermanence", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs_2" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 299e906..7854f0e 100644 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,5 @@ { - description = "tzlil's system"; + description = "tzlil's system(s)"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; @@ -24,7 +24,7 @@ ]); in { nixosConfigurations = { - # pc = mkSystem inputs.nixpkgs "x86_64-linux" "pc"; + pc = mkSystem inputs.nixpkgs "x86_64-linux" "lilith"; vm = mkSystem inputs.nixpkgs "x86_64-linux" "vm"; }; }; diff --git a/hosts/vm/cfg.nix b/hosts/vm/cfg.nix index 1b17ea6..30f55a7 100644 --- a/hosts/vm/cfg.nix +++ b/hosts/vm/cfg.nix 
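Review bot: `pc = mkSystem inputs.nixpkgs "x86_64-linux" "lilith";` registers the configuration under the attribute `pc` while passing `"lilith"` as the host name; the fish aliases in mixins/cli.nix rebuild with `--flake ~/sources/nixcfg#(hostname)`, so on that machine `nixos-rebuild` will look up `nixosConfigurations.lilith`, which does not exist. Presumably the last argument ends up as `networking.hostName` (the `vm` entry and `hosts/vm/cfg.nix` agree on `"vm"`); if so, either rename the attribute to `lilith` or make the two spellings identical. `mkSystem` is defined above this hunk, outside the visible lines.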
@@ -1,17 +1,68 @@ -{config}: { +{config, lib, pkgs, ...}: { imports = [ - "../profiles/core.nix" - "../profiles/user.nix" - "../mixins/tailscale.nix" - ] + ../../profiles/core.nix + ../../profiles/user.nix + ../../profiles/ssh.nix + ../../profiles/graphical.nix + ../../mixins/tailscale.nix + ../../mixins/cli.nix + ../../mixins/greet.nix + ../../mixins/sway.nix + ]; config = { + networking.hostName = "vm"; boot.supportedFilesystems = ["9p"]; fileSystems."/flake" = { fsType = "9p"; device = "host0"; options = ["_netdev"]; }; - boot.kernelParams = [ "console=ttyS0" ]; + boot = { + initrd = { + supportedFilesystems = ["btrfs"]; + }; + kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; + kernelParams = [ + "console=ttyS0" + "init_on_free=1" + "page_poison=1" + "page_alloc.shuffle=1" + "slab_nomerge" + "vsyscall=none" + ]; + cleanTmpDir = true; + loader = { + systemd-boot = { + enable = true; + }; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + }; + }; + + time.timeZone = lib.mkDefault "Israel"; + + fileSystems = { + "/" = { + device = "none"; + fsType = "tmpfs"; + options = ["noexec" "defaults" "size=2G" "mode=755"]; + }; + "/nix" = { + device = "/dev/disk/by-partlabel/nix"; + options = ["noatime" "compress=zstd"]; + }; + "/boot" = { + device = "/dev/disk/by-partlabel/boot"; + }; + }; + + zramSwap = { + enable = true; + algorithm = "zstd"; + }; }; } \ No newline at end of file diff --git a/mixins/cli.nix b/mixins/cli.nix index c5ff7b9..ca6d55d 100644 --- a/mixins/cli.nix +++ b/mixins/cli.nix @@ -7,7 +7,6 @@ }: { imports = [ inputs.home-manager.nixosModules."home-manager" - inputs.agenix.nixosModules ]; config = { home-manager.users.tzlil = {pkgs, ...}@hm: { 
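Review bot: The new root filesystem is a 2G tmpfs (`fileSystems."/"` with `fsType = "tmpfs"`), but the only persistence declared anywhere in this commit is `/var/lib/tailscale` (mixins/tailscale.nix) and the four SSH host key files (profiles/ssh.nix); `/home/tzlil`, which profiles/user.nix places under that root, is recreated empty on every boot unless something outside this diff persists it. `environment.persistence` is an option provided by the impermanence module, and neither this host's `imports` list nor any visible hunk imports `inputs.impermanence.nixosModules.impermanence`; if `mkSystem` in flake.nix does not add it, evaluation fails on that option. A comment above the `fileSystems` block would make the design explicit, e.g. `# "/" is wiped every boot: anything that must survive goes under /nix/persist (see profiles/ssh.nix, mixins/tailscale.nix)`. With root on tmpfs, `cleanTmpDir = true;` no longer does anything and can go.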
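Review bot: Dropping `inputs.agenix.nixosModules` from `imports` here (and the same line in the profiles/user.nix hunk at the end of this commit) leaves no visible importer of the agenix module, yet profiles/core.nix now sets `age.identityPaths` and profiles/user.nix still reads `config.age.secrets."id_ed25519".path`; unless core.nix or `mkSystem` imports it outside these hunks, those options are undefined and the configuration does not evaluate. The removed line named the bare `nixosModules` attrset rather than a module, so it may have been the original error; agenix exposes the module as `inputs.agenix.nixosModules.default` (older revisions: `.age`). If agenix is meant to stay, re-add it once, in profiles/core.nix next to `age.identityPaths`, rather than in each mixin.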
@@ -17,23 +16,23 @@
 curl
 ripgrep
 ];
- programs = {
- ssh.enable = true;
- git = {
- userName = "tzlil";
- userEmail = "tzlils@protonmail.com";
- enable = true;
+ };
+ programs = {
+ ssh.enable = true;
+ git = {
+ userName = "tzlil";
+ userEmail = "tzlils@protonmail.com";
+ enable = true;
+ };
+ fish = {
+ enable = true;
+ shellAliases = {
+ gc = "git clone";
+ l = "ls -alh";
 };
- fish = {
- enable = true;
- shellAliases = {
- gc = "git clone";
- l = "ls -alh";
- };
- functions = {
- sb.body = "sudo nixos-rebuild build --flake ~/sources/nixcfg#(hostname)";
- sw.body = "sudo nixos-rebuild switch --flake ~/sources/nixcfg#(hostname)";
- };
+ functions = {
+ sb.body = "sudo nixos-rebuild build --flake ~/sources/nixcfg#(hostname)";
+ sw.body = "sudo nixos-rebuild switch --flake ~/sources/nixcfg#(hostname)";
 };
 };
 };
diff --git a/mixins/greet.nix b/mixins/greet.nix
new file mode 100644
index 0000000..5c46792
--- /dev/null
+++ b/mixins/greet.nix
@@ -0,0 +1,34 @@
+{
+ pkgs,
+ lib,
+ ...
+}: let
+ user = "tzlil";
+
+ users.users.greeter.packages = [pkgs.sway];
+ greetd = "${pkgs.greetd.greetd}/bin/greetd";
+ gtkgreet = "${pkgs.greetd.gtkgreet}/bin/gtkgreet";
+
+ sway-kiosk = command: "${pkgs.sway}/bin/sway --unsupported-gpu --config ${pkgs.writeText "kiosk.config" ''
+ output * bg #000000 solid_color
+ exec "${command}; ${pkgs.sway}/bin/swaymsg exit"
+ ''}";
+in {
+ environment.etc."greetd/environments".text =
+ "sway\n"
+ + "$SHELL -l\n";
+
+ services.greetd = {
+ enable = true;
+ settings = {
+ default_session = {
+ inherit user;
+ command = sway-kiosk "${gtkgreet} -l &>/dev/null";
+ };
+ initial_session = {
+ inherit user;
+ command = "sh -c sway";
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/mixins/pipewire.nix b/mixins/pipewire.nix
new file mode 100644
index 0000000..7f17aa1
--- /dev/null
+++ b/mixins/pipewire.nix
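Review bot: The added `};` directly after `home.packages = [ ... ];` appears to close the `home-manager.users.tzlil` function, which moves the whole `programs` block from Home Manager scope to NixOS scope; `programs.git.userName`, `programs.git.userEmail` and `programs.fish.functions` are Home Manager options with no NixOS counterpart, so if that reading is right evaluation fails with "option does not exist". The diff has lost its indentation, so this is inferred from brace counting; if the block was meant to stay in the user's Home Manager config, the `};` belongs after `programs`'s closing brace instead. Either way `programs.ssh.enable = true;` is now also set in the Home Manager block of profiles/user.nix, so one of the two copies can go.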
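Review bot: `users.users.greeter.packages = [pkgs.sway];` sits inside the `let` block, so it only defines an unused local called `users` and never reaches the NixOS configuration; move it into the attrset after `in {` as a sibling of `services.greetd`. The same `let` binds `greetd`, which is also never used. `initial_session` starts `sway` as `tzlil` on boot without going through gtkgreet, i.e. an unauthenticated auto-login; if that is intended, a comment saying so (`# initial_session: auto-login at boot, greeter only appears after logout`) would stop the next reader from treating it as a mistake. `&>/dev/null` in the `default_session` command is a bash extension; `>/dev/null 2>&1` is the portable spelling for whatever `/bin/sh` sway's `exec` hands it to.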
@@ -0,0 +1,15 @@
+{ pkgs, config, ... }:
+
+{
+ config = {
+ sound.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+ };
+}
\ No newline at end of file
diff --git a/mixins/sway.nix b/mixins/sway.nix
new file mode 100644
index 0000000..f1cf98d
--- /dev/null
+++ b/mixins/sway.nix
@@ -0,0 +1,258 @@ +{ + config, + pkgs, + lib, + ... +}: let + menuscript = + pkgs.writeShellScript "menu" + '' + #!/bin/sh -eu + + in_pipe="$XDG_RUNTIME_DIR/menu-in.$$.pipe" + out_pipe="$XDG_RUNTIME_DIR/menu-out.$$.pipe" + + mkfifo "$in_pipe" "$out_pipe" + trap "rm -f $in_pipe $out_pipe" EXIT + + app_id=menu + chooser="${pkgs.fzf}/bin/fzf <$in_pipe >$out_pipe" + foot -W40x40 --app-id "$app_id" -- sh -c "$chooser" & + cat >"$in_pipe" + cat <"$out_pipe" + ''; + sel = + pkgs.writeShellScript "sel" + '' + #!/bin/sh + swaymsg -t get_tree | \ + ${pkgs.jq}/bin/jq -r '.. | select(.pid? and .visible?) | .rect | "\(.x),\(.y) \(.width)x\(.height)"' | \ + ${pkgs.slurp}/bin/slurp + ''; +in { + # config.home-manager.users.tzlil.xdg.configFile."i3status-rust/config.toml".source = ./i3status-rs.toml; + config.security.pam.services.swaylock = {}; + config.home-manager.users.tzlil.programs.mako.enable = true; + config.home-manager.users.tzlil.home.packages = with pkgs; [ + grim + slurp + wf-recorder + font-awesome_6 + ]; + config.home-manager.users.tzlil.services.swayidle = let + pgrep = "${pkgs.procps}/bin/pgrep"; + dpms_check = s: + pkgs.writeShellScript "dpms_check_${s}" '' + set -x + if ${pgrep} swaylock; then ${pkgs.sway}/bin/swaymsg 'output * dpms ${s}'; fi + ''; + dpms_set = s: + pkgs.writeShellScript "dpms_set_${s}" '' + set -x + "${pkgs.sway}/bin/swaymsg" 'output * dpms ${s}' + ''; + fadelock = pkgs.writeShellScript "fadelock.sh" '' + set -x + exec "${pkgs.swaylock}/bin/swaylock" + ''; + in { + enable = false; + systemdTarget = "graphical-session.target"; + timeouts = [ + # auto-lock after 30 seconds + { + timeout = 30; + command = fadelock.outPath; + } + ]; + events = [ + { + event = "before-sleep"; + command = fadelock.outPath; + } + ]; + extraArgs = [ + "idlehint 30" + ]; + }; + config.home-manager.users.tzlil.wayland.windowManager.sway = rec { + enable = true; + wrapperFeatures.gtk = true; + config = rec { + fonts = { + names = ["Iosevka"]; + style = "Regular"; + size = 
11.0; + }; + output = { + "DP-1" = { + resolution = "1920x1080@166Hz"; + }; + }; + bars = [ + { + fonts = { + names = ["Iosevka" "FontAwesome"]; + style = "Regular"; + size = 11.0; + }; + position = "top"; + statusCommand = "${pkgs.i3status-rust}/bin/i3status-rs"; + colors = { + statusline = "#ffffff"; + background = "#323232"; + inactiveWorkspace = { + background = "#323232"; + border = "#323232"; + text = "#5c5c5c"; + }; + }; + } + ]; + + modifier = "Mod4"; + left = "h"; + down = "n"; + up = "e"; + right = "i"; + keybindings = { + "${modifier}+Return" = "exec $term"; + "${modifier}+q" = "kill"; + "${modifier}+space" = "exec ${pkgs.dmenu}/bin/dmenu_path | ${menuscript} | xargs swaymsg exec --"; + "${modifier}+Shift+c" = "reload"; + "${modifier}+Shift+q" = "exit"; + "${modifier}+Shift+p" = "exec systemctl poweroff"; + "${modifier}+Shift+s" = "exec systemctl suspend"; + "${modifier}+${left}" = "focus left"; + "${modifier}+${down}" = "focus down"; + "${modifier}+${up}" = "focus up"; + "${modifier}+${right}" = "focus right"; + "${modifier}+Left" = "focus left"; + "${modifier}+Down" = "focus down"; + "${modifier}+Up" = "focus up"; + "${modifier}+Right" = "focus right"; + "${modifier}+Shift+${left}" = "move left"; + "${modifier}+Shift+${down}" = "move down"; + "${modifier}+Shift+${up}" = "move up"; + "${modifier}+Shift+${right}" = "move right"; + "${modifier}+Shift+Left" = "move left"; + "${modifier}+Shift+Down" = "move down"; + "${modifier}+Shift+Up" = "move up"; + "${modifier}+Shift+Right" = "move right"; + "${modifier}+1" = "workspace number 1"; + "${modifier}+2" = "workspace number 2"; + "${modifier}+3" = "workspace number 3"; + "${modifier}+4" = "workspace number 4"; + "${modifier}+5" = "workspace number 5"; + "${modifier}+6" = "workspace number 6"; + "${modifier}+7" = "workspace number 7"; + "${modifier}+8" = "workspace number 8"; + "${modifier}+9" = "workspace number 9"; + "${modifier}+0" = "workspace number 10"; + "${modifier}+Tab" = "workspace back_and_forth"; 
+ "${modifier}+Shift+1" = "move container to workspace number 1"; + "${modifier}+Shift+2" = "move container to workspace number 2"; + "${modifier}+Shift+3" = "move container to workspace number 3"; + "${modifier}+Shift+4" = "move container to workspace number 4"; + "${modifier}+Shift+5" = "move container to workspace number 5"; + "${modifier}+Shift+6" = "move container to workspace number 6"; + "${modifier}+Shift+7" = "move container to workspace number 7"; + "${modifier}+Shift+8" = "move container to workspace number 8"; + "${modifier}+Shift+9" = "move container to workspace number 9"; + "${modifier}+Shift+0" = "move container to workspace number 10"; + "${modifier}+b" = "splith"; + "${modifier}+v" = "splitv"; + "${modifier}+s" = "layout stacking"; + "${modifier}+w" = "layout tabbed"; + "${modifier}+k" = "layout toggle split"; + "${modifier}+f" = "fullscreen"; + "${modifier}+Shift+space" = "floating toggle"; + "${modifier}+t" = "focus mode_toggle"; + "${modifier}+a" = "focus parent"; + "${modifier}+shift+a" = "focus child"; + "${modifier}+Shift+minus" = "move scratchpad"; + "${modifier}+minus" = "scratchpad show"; + "${modifier}+m" = "mode notifications"; + }; + input = { + "type:keyboard" = { + xkb_layout = "us"; + xkb_variant = "colemak_dh"; + xkb_options = "altwin:swap_lalt_lwin,caps:backspace"; + }; + "type:touchpad" = { + tap = "enabled"; + }; + }; + }; + extraConfig = '' + exec dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway + exec ${pkgs.swayidle}/bin/swayidle -w \ + timeout 300 '${pkgs.swaylock}/bin/swaylock -f -c 000000' \ + timeout 600 'swaymsg "output * dpms off"' \ + resume 'swaymsg "output * dpms on"' \ + before-sleep '${pkgs.swaylock}/bin/swaylock -f -c 000000' + exec ${pkgs.polkit_gnome}/polkit-gnome/polkit-gnome-authentication-agent-1 + + #set $mod Alt + set $mod Mod4 + set $left h + set $down n + set $up e + set $right i + set $term ${pkgs.foot}/bin/foot + + default_border pixel + hide_edge_borders smart + 
smart_borders on + + output * bg ~/tmp/graveyard.png fill + + + + floating_modifier $mod normal + mode notifications { + bindsym Escape mode default + bindsym Return exec ${pkgs.mako}/bin/makoctl invoke; exec ${pkgs.mako}/bin/makoctl dismiss; mode default + bindsym d exec ${pkgs.mako}/bin/makoctl dismiss; mode default + bindsym Shift+d exec ${pkgs.mako}/bin/makoctl dismiss -a; mode default + } + + + font Iosevka 10 + + bindsym $mod+p exec passmenu $menu_args + bindsym --locked XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle + bindsym --locked XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5% + bindsym --locked XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5% + bindsym --locked XF86AudioMicMute exec pactl set-source-mute @DEFAULT_SOURCE@ toggle + + bindsym --locked XF86AudioNext exec playerctl next + bindsym --locked XF86AudioPlay exec playerctl play-pause + bindsym --locked XF86AudioPrev exec playerctl previous + bindsym --locked XF86AudioStop exec playerctl stop + + for_window [app_id="^menu$"] floating enable, border none + for_window [app_id="mpv"] sticky enable + for_window [floating] border csd + for_window [app_id="firefox" title="Picture-in-Picture"] floating enable, sticky enable, border none + for_window [app_id="imv"] floating enable + for_window [app_id="imv"] floating enable + for_window [class="PacketTracer"] floating enable + + bindsym XF86MonBrightnessUp exec light -A 5 + bindsym XF86MonBrightnessDown exec light -U 5 + + bindsym Print exec ${pkgs.grim}/bin/grim - | tee $(xdg-user-dir PICTURES)/$(date +'%s_grim.png') | wl-copy + bindsym Shift+Print exec ${pkgs.grim}/bin/grim -g "$(${sel})" - | tee $(xdg-user-dir PICTURES)/$(date +'%s_grim.png') | wl-copy + bindsym Ctrl+Print exec ${pkgs.grim}/bin/grim -g "$(swaymsg -t get_tree | jq -j '.. | select(.type?) 
| select(.focused).rect | "\(.x),\(.y) \(.width)x\(.height)"')" - |tee $(xdg-user-dir PICTURES)/$(date +'%s_grim.png') | wl-copy
+
+ bindsym $mod+l exec ${pkgs.swaylock}/bin/swaylock -c 070D0D
+
+ exec ${pkgs.mako}/bin/mako >/tmp/mako.log 2>&1
+ exec_always kanshi >/tmp/kanshi.log 2>&1
+
+ include /etc/sway/config.d/*
+ '';
+ };
+}
\ No newline at end of file
diff --git a/mixins/tailscale.nix b/mixins/tailscale.nix
index 8be3147..ccefc48 100644
--- a/mixins/tailscale.nix
+++ b/mixins/tailscale.nix
@@ -7,5 +7,7 @@
 trustedInterfaces = [ "tailscale0" ];
 allowedUDPPorts = [41641];
 };
+
+ environment.persistence."/nix/persist".directories = [ "/var/lib/tailscale" ];
 };
 }
\ No newline at end of file
diff --git a/profiles/core.nix b/profiles/core.nix
index 01ec85a..f578621 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -22,5 +22,10 @@
 };
 users.mutableUsers = false;
 environment.defaultPackages = lib.mkForce [];
+
+ # dont do this
+ users.users.root.initialPassword = "hunter2";
+
+ age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
 };
 }
\ No newline at end of file
diff --git a/profiles/graphical.nix b/profiles/graphical.nix
new file mode 100644
index 0000000..f3bff3a
--- /dev/null
+++ b/profiles/graphical.nix
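Review bot: Idle locking is configured twice in this file: `services.swayidle` is declared with `enable = false;` (so `fadelock` and the `dpms_check`/`dpms_set` helpers are dead code) while `extraConfig` starts its own `swayidle -w ... swaylock -f -c 000000` line; keep one of the two. `exec ${pkgs.mako}/bin/mako >/tmp/mako.log 2>&1` and `exec_always kanshi >/tmp/kanshi.log 2>&1` write to fixed names in the shared /tmp; `$XDG_RUNTIME_DIR/mako.log` is per-user and private, which avoids both clobbering between users and the usual predictable-path concerns in /tmp. `bindsym $mod+p exec passmenu $menu_args` references `$menu_args`, which no `set` in this config defines, and `for_window [app_id="imv"] floating enable` appears twice. The hunk begins at the file's first line, so the `menuscript` and `sel` helpers are fully in view.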
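Review bot: `users.users.root.initialPassword = "hunter2";` commits a plaintext root password to the repository, and the option is documented as ending up in plain text in the world-readable Nix store; `permitRootLogin = "no"` in profiles/ssh.nix keeps it off SSH, but the serial getty from `console=ttyS0` and the greetd login added in this same commit both accept it locally. The `# dont do this` comment acknowledges it; the fix consistent with the rest of this repo is a `hashedPassword` or `passwordFile` sourced from an agenix secret like `id_ed25519` in profiles/user.nix, or `users.users.root.hashedPassword = "!";` to disable root password login altogether. Whether `initialPassword` even applies under `users.mutableUsers = false` I have not checked; either way the literal should not be committed.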
@@ -0,0 +1,34 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+ config = {
+ home-manager.users.tzlil = {...}: {
+ fonts.fontconfig.enable = true;
+
+ home.packages = with pkgs; [
+ iosevka
+ gnome3.adwaita-icon-theme
+ noto-fonts
+ noto-fonts-emoji
+ noto-fonts-cjk
+ ];
+
+ # gtk = {
+ # theme.package = pkgs.gnome.gnome-themes-extra;
+ # theme.name = "Adwaita-dark";
+ # enable = true;
+ # gtk3.extraConfig = {
+ # gtk-application-prefer-dark-theme = 1;
+ # gtk-xft-hinting = 1;
+ # gtk-xft-hintstyle = "slight";
+ # gtk-xft-antialias = 1; # => font-antialiasing="grayscale"
+ # gtk-xft-rgba = "rgb"; # => font-rgb-order="rgb"
+ # };
+ # font = {
+ # package = pkgs.noto-fonts;
+ # name = "Noto Sans 11";
+ # };
+ # };
+ };
+ };
+}
\ No newline at end of file
diff --git a/profiles/network.nix b/profiles/network.nix
index 5aee7a1..8e6a83d 100644
--- a/profiles/network.nix
+++ b/profiles/network.nix
@@ -15,5 +15,29 @@
 nameservers = ["127.0.0.1" "::1"];
 networkmanager.dns = "none";
 };
+
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = true;
+ require_dnssec = true;
+
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+
+ # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+ # server_names = [ ... ];
+ };
+ };
+
+ systemd.services.dnscrypt-proxy2.serviceConfig = {
+ StateDirectory = "dnscrypt-proxy";
+ };
 };
 }
\ No newline at end of file
diff --git a/profiles/ssh.nix b/profiles/ssh.nix
new file mode 100644
index 0000000..e0a623a
--- /dev/null
+++ b/profiles/ssh.nix
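Review bot: `cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"` points under `/var/lib/dnscrypt-proxy2`, but the only state directory this hunk grants the unit is `StateDirectory = "dnscrypt-proxy"`, i.e. `/var/lib/dnscrypt-proxy`; as far as I recall the upstream NixOS unit runs sandboxed with a dynamic user and a read-only filesystem apart from its systemd-managed directories, so the resolver list would not be writable at that path unless the module grants it elsewhere — worth checking the service journal for a cache write error and aligning the two, e.g. `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";`. The fixed `minisign_key` together with `require_dnssec = true` is the right verification setup for a downloaded resolver list; a one-line comment naming its source (the DNSCrypt resolvers repository's README) would save the next reader a lookup and make key rotation easier to spot. This hunk's enclosing `config = {` attrset opens above the visible lines.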
@@ -0,0 +1,34 @@ +{ pkgs, lib, config, inputs, ... }: + +{ + config = { + services.openssh = { + enable = true; + openFirewall = false; + passwordAuthentication = false; + kbdInteractiveAuthentication = false; + allowSFTP = false; + permitRootLogin = "no"; + startWhenNeeded = true; + extraConfig = '' + AllowTcpForwarding yes + X11Forwarding no + AllowAgentForwarding no + AllowStreamLocalForwarding no + AuthenticationMethods publickey + StreamLocalBindUnlink yes + + AllowUsers tzlil + ''; + }; + environment.persistence."/nix/persist" = { + hideMounts = true; + files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + }; +} \ No newline at end of file diff --git a/profiles/user.nix b/profiles/user.nix index ee29bad..3df7c18 100644 --- a/profiles/user.nix +++ b/profiles/user.nix @@ -7,7 +7,6 @@ }: { imports = [ inputs.home-manager.nixosModules."home-manager" - inputs.agenix.nixosModules ]; config = { users.users.tzlil = { @@ -29,13 +28,13 @@ file = ../secrets/id_ed25519.age; mode = "600"; owner = "tzlil"; - group = "tzlil"; + group = "users"; }; - home-manager.nixosModules.home-manager = { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.backupFileExtension = "backup"; + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + backupFileExtension = "backup"; }; home-manager.users.tzlil = {pkgs, ...}@hm: { @@ -44,7 +43,10 @@ username = "tzlil"; homeDirectory = "/home/tzlil"; }; - programs.ssh.matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path; + programs.ssh = { + enable = true; + matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path; + }; }; }; } \ No newline at end of file |