From d9317de584c66b068a336889aa9adc3ac3837e5e Mon Sep 17 00:00:00 2001 From: tzlil Date: Sat, 21 Jan 2023 17:34:49 +0200 Subject: change deploy-rs to nixinate, change user to use passwordFile, add password age secret, remove NetworkManager-wait-online.service --- flake.lock | 61 +++++++++++++++++++++++++++++++++++++++++----------- flake.nix | 15 ++++--------- hosts/vm/cfg.nix | 16 +++++++++----- profiles/core.nix | 3 --- profiles/gentoo.nix | 22 +++++++++++++++++++ profiles/network.nix | 7 ++++++ profiles/ssh.nix | 8 ++++--- profiles/user.nix | 19 +++++++++------- secrets/secrets.nix | 1 + 9 files changed, 109 insertions(+), 43 deletions(-) create mode 100644 profiles/gentoo.nix diff --git a/flake.lock b/flake.lock index 64aec97..63c4d5d 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1665870395, - "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=", + "lastModified": 1673301561, + "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", "owner": "ryantm", "repo": "agenix", - "rev": "a630400067c6d03c9b3e0455347dc8559db14288", + "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", "type": "github" }, "original": { @@ -26,11 +26,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1670513770, - "narHash": "sha256-muL74fsbGA8K8WlZSPNWddOiuBnC54kAajncX6nXrh4=", + "lastModified": 1674250603, + "narHash": "sha256-SBolFspxBHpW3hCCDNAFXUiO2mucmkVmf17UmSIK3Cs=", "owner": "nix-community", "repo": "home-manager", - "rev": "054d9e3187ca00479e8036dc0e92900a384f30fd", + "rev": "275ab728912006eecb549338a50f24f294a7cfb7", "type": "github" }, "original": { 
@@ -54,13 +54,31 @@ "type": "github" } }, + "nixinate": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1671116920, + "narHash": "sha256-QmDGsUUmAGn77UTR7eQJmebl8f3IIUCtmbbAdJqKA3s=", + "owner": "matthewcroughan", + "repo": "nixinate", + "rev": "b4d17b8e2a4abc47e93e1a1c466e0286a63640d8", + "type": "github" + }, + "original": { + "owner": "matthewcroughan", + "repo": "nixinate", + "type": "github" + } + }, "nixos-hardware": { "locked": { - "lastModified": 1670174919, - "narHash": "sha256-XdQr3BUnrvVLRFunLWrZORhwYHDG0+9jUUe0Jv1pths=", + "lastModified": 1673803274, + "narHash": "sha256-zaJDlHFXewT4KUsidMpRcPE+REymGH1Y3Eoc3Pjv4Xs=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "9d87bc030a0bf3f00e953dbf095a7d8e852dab6b", + "rev": "7bd6b87b3712e68007823e8dd5c37ee9b114fee3", "type": "github" }, "original": { @@ -87,11 +105,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1670841420, - "narHash": "sha256-mSEia1FzrsHbfqjorMyYiX8NXdDVeR1Pw1k55jMJlJY=", + "lastModified": 1653060744, + "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "dfd82985c273aac6eced03625f454b334daae2e8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1674120619, + "narHash": "sha256-xLT1FQl7/jNPOEq5q/vmc3AExt1V9LtcjM+QY2+MUpA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "33e0d99cbedf2acfd7340d2150837fbb28039a64", + "rev": "d7705c01ef0a39c8ef532d1033bace8845a07d35", "type": "github" }, "original": { @@ -106,8 +140,9 @@ "agenix": "agenix", "home-manager": "home-manager", "impermanence": "impermanence", + "nixinate": "nixinate", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" } }, "utils": { diff --git a/flake.nix b/flake.nix index e0cef8c..6fc07c2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -6,14 +6,14 @@
 impermanence.url = "github:nix-community/impermanence";
 agenix.url = "github:ryantm/agenix";
 nixos-hardware.url = "github:nixos/nixos-hardware";
- # deploy-rs.url = "github:serokell/deploy-rs";
+ nixinate.url = "github:matthewcroughan/nixinate";
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
- outputs = inputs: let
+ outputs = inputs@{ self, ... }: let
 mkSystem_ = pkgs: system: h: modules:
 pkgs.lib.nixosSystem {
 system = system;
@@ -24,17 +24,10 @@ inputs.agenix.nixosModule
 inputs.impermanence.nixosModules.impermanence
 ]);
 in {
+ apps = inputs.nixinate.nixinate.x86_64-linux self;
 nixosConfigurations = {
- pc = mkSystem inputs.nixpkgs "x86_64-linux" "lilith";
+ # pc = mkSystem inputs.nixpkgs "x86_64-linux" "pc";
 vm = mkSystem inputs.nixpkgs "x86_64-linux" "vm";
 };
-
- # deploy.nodes.some-random-system.profiles.system = {
- # user = "root";
- # path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vm;
- # };
-
- # This is highly advised, and will prevent many possible mistakes
- # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
 };
 }
diff --git a/hosts/vm/cfg.nix b/hosts/vm/cfg.nix
index 8efee3b..3b5ace8 100644
--- a/hosts/vm/cfg.nix
+++ b/hosts/vm/cfg.nix
@@ -11,7 +11,18 @@
 ];
 config = {
+ _module.args.nixinate = {
+ host = "100.109.155.123";
+ sshUser = "tzlil";
+ buildOn = "remote"; # valid args are "local" or "remote"
+ substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
+ hermetic = false;
+ };
 networking.hostName = "vm";
+
+ # dont do this
+ users.users.root.initialPassword = "hunter2";
+
 boot.supportedFilesystems = ["9p"];
 boot = {
 initrd = {
@@ -53,11 +64,6 @@
 "/boot" = {
 device = "/dev/disk/by-partlabel/boot";
 };
- "/flake" = {
- fsType = "9p";
- device = "host0";
- options = ["_netdev"];
- };
 };
 zramSwap = {
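Review bot: The new `nixinate.url` input is declared without `inputs.nixpkgs.follows = "nixpkgs"`, unlike `home-manager` a few lines below, so the flake.lock hunk in this same commit pins a second, older nixpkgs for it (`nixpkgs_2`, lastModified 1653060744, separate from the `nixpkgs_3` the root uses). That means the deploy tooling is built and evaluated from a nixpkgs tree the rest of the flake no longer tracks, which is one more tree to audit and update. Declaring it the way home-manager is declared, `nixinate = { url = "github:matthewcroughan/nixinate"; inputs.nixpkgs.follows = "nixpkgs"; };`, collapses the lock to a single nixpkgs; whether nixinate evaluates cleanly against the newer tree is worth a quick check before relying on it.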
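Review bot: `users.users.root.initialPassword = "hunter2"` survives the move from profiles/core.nix into the vm host, and with `users.mutableUsers = false` (visible as context in the core.nix hunk) NixOS treats initialPassword effectively as `password`, so root keeps a fixed, well-known password that is part of the world-readable system closure, not just a first-boot value. The ssh.nix changes keep root off SSH, but the VM console and any local escalation path still accept it. Since this commit already wires an age secret into `users.users.tzlil.passwordFile`, root can use the same mechanism, e.g. `users.users.root.passwordFile = config.age.secrets.<root-secret>.path;` (secret name to be chosen), or root can be left without a password and administration done through the wheel user. The `config` attrset continues outside the hunk.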
diff --git a/profiles/core.nix b/profiles/core.nix
index f578621..e23879f 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -23,9 +23,6 @@
 users.mutableUsers = false;
 environment.defaultPackages = lib.mkForce [];
- # dont do this
- users.users.root.initialPassword = "hunter2";
-
 age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
 };
 }
\ No newline at end of file
diff --git a/profiles/gentoo.nix b/profiles/gentoo.nix
new file mode 100644
index 0000000..67f7e78
--- /dev/null
+++ b/profiles/gentoo.nix
@@ -0,0 +1,22 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+ imports = [];
+ config = {
+ nativeStdenv = prev.stdenvAdapters.withCFlags [ "-O3" "-pipe" "-mcpu=apple-m1" ]
+ (prev.overrideCC prev.llvmPackages_latest.stdenv
+ (prev.wrapCCWith rec {
+ cc = prev.llvmPackages_latest.clang-unwrapped;
+ bintools = (final.wrapBintoolsWith {
+ coreutils = final.uutils-coreutils;
+ libc = final.musl;
+ bintools = final.binutils-unwrapped.overrideAttrs
+ (old: {
+ postInstall = ''
+ ln -sf ${final.mold}/bin/mold $out/bin/ld
+ '';
+ });
+ });
+ }));
+ };
+}
\ No newline at end of file
diff --git a/profiles/network.nix b/profiles/network.nix
index 0ba325b..1b3026b 100644
--- a/profiles/network.nix
+++ b/profiles/network.nix
@@ -22,6 +22,13 @@
 '';
 };
+ # Don't wait for network startup
+ # https://old.reddit.com/r/NixOS/comments/vdz86j/how_to_remove_boot_dependency_on_network_for_a
+ systemd = {
+ targets.network-online.wantedBy = pkgs.lib.mkForce []; # Normally ["multi-user.target"]
+ services.NetworkManager-wait-online.wantedBy = pkgs.lib.mkForce []; # Normally ["network-online.target"]
+ };
+
 services.dnscrypt-proxy2 = {
 enable = true;
 settings = {
diff --git a/profiles/ssh.nix b/profiles/ssh.nix
index e0a623a..4c12cc7 100644
--- a/profiles/ssh.nix
+++ b/profiles/ssh.nix
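Review bot: In the new profiles/gentoo.nix, `prev` and `final` are never bound — the module's argument set is `{ pkgs, lib, config, inputs, ... }` and those two names are overlay parameters — so importing this file would fail at evaluation; it is harmless in this commit only because nothing imports it. `nativeStdenv` also does not appear to be a NixOS option, and `-mcpu=apple-m1` contradicts the `x86_64-linux` system the vm is built for in flake.nix. If this is meant as an overlay, the body belongs under `nixpkgs.overlays = [ (final: prev: { nativeStdenv = ...; }) ];` with the wrapCCWith expression otherwise unchanged; if it is scratch work, a `# WIP: not imported anywhere yet` comment at the top would stop the next reader from wiring it in.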
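Review bot: `targets.network-online.wantedBy = pkgs.lib.mkForce []` removes the boot-time pull of network-online.target for every unit that orders after it, not only NetworkManager-wait-online; `services.dnscrypt-proxy2` in the same hunk is one candidate if its unit is ordered on that target, which I cannot confirm from here. If the goal is only the boot delay the linked thread describes, the second line alone (`services.NetworkManager-wait-online.wantedBy = pkgs.lib.mkForce [];`) covers that case; if both lines are intended, a comment naming which units were checked for network-online ordering would make the trade-off explicit. The enclosing attrset starts outside the hunk.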
@@ -5,10 +5,7 @@
 services.openssh = {
 enable = true;
 openFirewall = false;
- passwordAuthentication = false;
- kbdInteractiveAuthentication = false;
 allowSFTP = false;
- permitRootLogin = "no";
 startWhenNeeded = true;
 extraConfig = ''
 AllowTcpForwarding yes
@@ -20,6 +17,11 @@
 AllowUsers tzlil
 '';
+ settings = {
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ kbdInteractiveAuthentication = false;
+ };
 };
 environment.persistence."/nix/persist" = {
 hideMounts = true;
diff --git a/profiles/user.nix b/profiles/user.nix
index 6ae1261..6aa8262 100644
--- a/profiles/user.nix
+++ b/profiles/user.nix
@@ -9,13 +9,23 @@
 inputs.home-manager.nixosModules."home-manager"
 ];
 config = {
+ age.secrets = {
+ id_ed25519 = {
+ file = ../secrets/id_ed25519.age;
+ mode = "600";
+ owner = "tzlil";
+ group = "users";
+ };
+ password.file = ../secrets/password.age;
+ };
+
 users.users.tzlil = {
 isNormalUser = true;
 description = "Me";
 extraGroups = ["wheel"];
 packages = [pkgs.git];
 shell = pkgs.fish;
- hashedPassword = "$5$itsrHkJPRhLdik0x$RxCXp8KmiPVa1dMQhHMQsjLgvx27MmeQ9ZVybV8bzE8";
+ passwordFile = config.age.secrets.password.path;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
 ];
@@ -24,13 +34,6 @@
 nix.settings.allowed-users = ["root" "tzlil"];
 nix.settings.trusted-users = ["root" "tzlil"];
- age.secrets.id_ed25519 = {
- file = ../secrets/id_ed25519.age;
- mode = "600";
- owner = "tzlil";
- group = "users";
- };
-
 home-manager = {
 useGlobalPkgs = true;
 useUserPackages = true;
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bf4b037..1020fc4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,4 +6,5 @@
 let
 in {
 "id_ed25519.age".publicKeys = [ tzlil ] ++ systems;
+ "password.age".publicKeys = [ tzlil ] ++ systems;
 }
\ No newline at end of file
-- 
cgit 1.4.1
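Review bot: The keys under the new `settings` block are spelled in the old camelCase option names (`permitRootLogin`, `passwordAuthentication`, `kbdInteractiveAuthentication`), but `services.openssh.settings` takes sshd_config keywords, and the module's typed options there are `PermitRootLogin`, `PasswordAuthentication` and `KbdInteractiveAuthentication` with their own defaults. As far as I can tell, the lowercase keys are accepted as freeform entries, so the generated sshd_config carries both spellings and sshd honours the first occurrence per keyword — the hardening this commit moves may silently stop applying. Use `settings = { PermitRootLogin = "no"; PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` and confirm against the generated /etc/ssh/sshd_config on the host. The `services.openssh` attrset starts outside the hunk.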
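Review bot: `passwordFile = config.age.secrets.password.path` requires the decrypted file to hold the password in the same hashed form the removed `hashedPassword` line used (one line, suitable for chpasswd -e), and nothing here or in the secrets/secrets.nix hunk says so; a plaintext secret would lock the account out on activation. A comment next to `password.file = ../secrets/password.age;` such as `# holds the SHA-crypt hash (mkpasswd output), not the plaintext password` would prevent that. Since the previous hash was committed in the clear and remains in history, the new secret should be a freshly generated hash rather than the same value. The `config` attrset continues outside the hunk.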