From feefcfc89b00d4955dbb3314c20be035f3db206f Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sat, 29 Jul 2023 20:53:14 +0300
Subject: disko for laptop, wip rewrite
---
 flake.lock | 21 ++++
 flake.nix | 33 ++----
 hosts/default.nix | 47 +++++++++
 hosts/laptop/cfg.nix | 192 ----------------------------------
 hosts/navi/default.nix | 163 +++++++++++++++++++++++++++++
 hosts/navi/hardware-configuration.nix | 71 +++++++++++++
 hosts/pc/cfg.nix | 87 ---------------
 hosts/pc/default.nix | 87 +++++++++++++++
 hosts/vm/cfg.nix | 92 ----------------
 hosts/vm/default.nix | 92 ++++++++++++++++
 hosts/vps/cfg.nix | 91 ----------------
 hosts/vps/default.nix | 91 ++++++++++++++++
 hosts/vps/git.nix | 3 +-
 mixins/syncthing.nix | 16 +--
 profiles/core.nix | 65 ++++++------
 profiles/default.nix | 8 ++
 profiles/impermanence.nix | 29 +++++
 profiles/nix.nix | 44 ++++++++
 profiles/security.nix | 135 ++++++++++++------------
 profiles/ssh.nix | 1 -
 profiles/tzlil.nix | 78 ++++++++++++++
 profiles/user.nix | 76 --------------
 secrets/id_ed25519.age | Bin 1066 -> 1092 bytes
 secrets/matrix.age | Bin 565 -> 605 bytes
 24 files changed, 846 insertions(+), 676 deletions(-)
 create mode 100644 hosts/default.nix
 delete mode 100644 hosts/laptop/cfg.nix
 create mode 100644 hosts/navi/default.nix
 create mode 100644 hosts/navi/hardware-configuration.nix
 delete mode 100644 hosts/pc/cfg.nix
 create mode 100644 hosts/pc/default.nix
 delete mode 100644 hosts/vm/cfg.nix
 create mode 100644 hosts/vm/default.nix
 delete mode 100644 hosts/vps/cfg.nix
 create mode 100644 hosts/vps/default.nix
 create mode 100644 profiles/default.nix
 create mode 100644 profiles/impermanence.nix
 create mode 100644 profiles/nix.nix
 create mode 100644 profiles/tzlil.nix
 delete mode 100644 profiles/user.nix
diff --git a/flake.lock b/flake.lock
index 98b5ce3..75ee543 100644
--- a/flake.lock
+++ b/flake.lock
@@ -42,6 +42,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690548222, + "narHash": "sha256-EcVjLOpbAuL/y55fLlEl3BNM4FP5Pwtp+6DbTiL6FDM=", + "owner": "nix-community", + "repo": "disko", + "rev": "43f17a8b31c49f6696b8b258d317161afdc7e36b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "hardware": { "locked": { "lastModified": 1689320556, @@ -189,6 +209,7 @@ "root": { "inputs": { "agenix": "agenix", + "disko": "disko", "hardware": "hardware", "home-manager": "home-manager_2", "impermanence": "impermanence", diff --git a/flake.nix b/flake.nix index 9c5352a..c5f559c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -18,39 +18,24 @@ url = "github:wamserma/flake-programs-sqlite"; inputs.nixpkgs.follows = "nixpkgs"; }; - # hyprland = { - # url = "github:hyprwm/Hyprland"; - # inputs.nixpkgs.follows = "nixpkgs"; - # }; viper-nix-common = { url = "github:viperML/nix-common"; inputs.nixpkgs-lib.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = inputs @ {self, ...}: let - mkSystem_ = pkgs: system: h: modules: - pkgs.lib.nixosSystem { - system = system; - modules = [./hosts/${h}/cfg.nix] ++ modules; - specialArgs = {inherit inputs;}; - }; - mkSystem = pkgs: system: h: (mkSystem_ pkgs system h [ - inputs.agenix.nixosModules.age - inputs.impermanence.nixosModules.impermanence - inputs.home-manager.nixosModules."home-manager" - ]); - in { + outputs = inputs @ {self, ...}: { apps = inputs.nixinate.nixinate.x86_64-linux self; - nixosConfigurations = { - laptop = mkSystem inputs.nixpkgs "x86_64-linux" "laptop"; - # pc = mkSystem inputs.nixpkgs "x86_64-linux" "pc"; - vm = mkSystem inputs.nixpkgs "x86_64-linux" "vm"; - vps = mkSystem inputs.nixpkgs "x86_64-linux" "vps"; - }; - formatter = { x86_64-linux = inputs.nixpkgs.legacyPackages.x86_64-linux.alejandra; }; + imports = [ + ./profiles + ]; + nixosConfigurations = import ./hosts inputs; }; } diff --git a/hosts/default.nix b/hosts/default.nix new file mode 100644 index 0000000..0b9bd1c --- /dev/null +++ b/hosts/default.nix 
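Review bot: `imports = [ ./profiles ];` inside the plain attribute set returned by `outputs` is never evaluated — `imports` only means something to the module system (a flake-parts `mkFlake` or similar), and nothing in this hunk invokes one, so `nix flake check` will report an unknown output and `profiles/default.nix` has no effect. Either wrap `outputs` in a module-system entry point or drop the line and keep the direct `nixosConfigurations = import ./hosts inputs;`. Note also that `nixosConfigurations` now comes solely from `hosts/default.nix`, which defines only `navi`, so `pc`, `vm` and `vps` silently stop being buildable; if that is intended for the WIP, a one-line comment saying so would help.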
@@ -0,0 +1,47 @@ +inputs: let + commonProfiles = [ + { + imports = [ + ../profiles/nix.nix + ../profiles/tzlil.nix + ../profiles/security.nix + ../profiles/ssh.nix + ]; + } + inputs.agenix.nixosModules.age + inputs.impermanence.nixosModules.impermanence + ]; + + commonHome = [ + inputs.home-manager.nixosModule + { + home-manager = { + useGlobalPkgs = true; + extraSpecialArgs = {inherit inputs;}; + }; + } + ]; + + nixinate = host: { + _module.args.nixinate = { + inherit host; + sshUser = "tzlil"; + buildOn = "remote"; # valid args are "local" or "remote" + substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" + hermetic = false; + }; + }; +in { + navi = inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = {inherit inputs;}; + modules = + [ + "${inputs.self}/hosts/navi" + {networking.hostName = "navi";} + (nixinate "navi") + ] + ++ commonProfiles + ++ commonHome; + }; +} diff --git a/hosts/laptop/cfg.nix b/hosts/laptop/cfg.nix deleted file mode 100644 index ab372c2..0000000 --- a/hosts/laptop/cfg.nix +++ /dev/null 
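Review bot: `commonProfiles` does not include the new `../profiles/impermanence.nix`, which is where `age.identityPaths` now lives after its removal from `profiles/core.nix`, so `navi` falls back to agenix's default identity paths under `/etc/ssh`; with the tmpfs root declared in `hosts/navi/hardware-configuration.nix` those host keys are regenerated on every boot unless `profiles/ssh.nix` (not in view) persists them, and secret decryption would then fail after a reboot. Adding `../profiles/impermanence.nix` to the imports list, or restoring an explicit `age.identityPaths` pointing into the persisted tree, closes that gap. The remaining host directories (`pc`, `vm`, `vps`) still import `../../profiles/user.nix`, which this commit deletes, so even though they are no longer listed here they will not evaluate if re-added.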
@@ -1,192 +0,0 @@ -{ - config, - lib, - pkgs, - inputs, - ... -}: { - imports = [ - inputs.hardware.nixosModules.common-cpu-intel - inputs.hardware.nixosModules.common-gpu-intel - ../../profiles/core.nix - ../../profiles/user.nix - ../../profiles/ssh.nix - ../../profiles/graphical.nix - ../../mixins/tailscale.nix - ../../mixins/cli.nix - ../../mixins/greet.nix - # ../../mixins/hyprland.nix - ../../mixins/sway.nix - ../../mixins/pipewire.nix - ../../mixins/multimedia.nix - # ../../mixins/emacs - ../../mixins/syncthing.nix - ]; - - config = { - _module.args.nixinate = { - host = "100.121.226.3"; - sshUser = "tzlil"; - buildOn = "remote"; # valid args are "local" or "remote" - substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" - hermetic = false; - }; - networking.hostName = "navi"; - - boot = { - initrd = { - supportedFilesystems = ["btrfs"]; - availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "usbhid" "snd_usb_audio"]; - }; - supportedFilesystems = ["ntfs"]; - kernelModules = ["kvm-intel" "snd-seq" "snd-rawmidi" "bridge"]; - kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; - # extraModulePackages = [ config.boot.kernelPackages.rtl8821ce ]; - loader = { - systemd-boot = { - enable = true; - }; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - }; - }; - - hardware.firmware = [pkgs.rtw88-firmware]; - - time.timeZone = lib.mkDefault "Israel"; - - fileSystems."/" = { - device = "none"; - fsType = "tmpfs"; - # hyprland doesnt compile with noexec root - options = ["defaults" "size=8G" "mode=755"]; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/34CB-F158"; - fsType = "vfat"; - }; - - fileSystems."/nix" = { - device = "/dev/disk/by-uuid/8a8cc550-034e-4545-a958-564779f51061"; - fsType = "btrfs"; - }; - - zramSwap = { - enable = true; - algorithm = "zstd"; - }; - - networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true; - - # # iwd networking stuffs - # 
networking.networkmanager.enable = lib.mkForce false; - # networking.wireless.iwd.enable = true; - # services.connman = { - # enable = true; - # wifi.backend = "iwd"; - # }; - # networking.wireless.dbusControlled = true; - # home-manager.users.tzlil.home.packages = [pkgs.cmst]; - # networking.wireless.userControlled.enable = true; - # networking.wireless.enable = true; - # services.connman.enable = true; - - services.tor = { - enable = true; - openFirewall = true; - client.enable = true; - torsocks.enable = true; - }; - environment.persistence."/nix/persist".directories = [ - "/etc/NetworkManager/system-connections" - { - directory = "/home/tzlil/.config/SchildiChat"; - user = "tzlil"; - group = "users"; - } - { - directory = "/home/tzlil/.local/share/Terraria"; - user = "tzlil"; - group = "users"; - } - - { - directory = "/home/tzlil/.local/share/Steam"; - user = "tzlil"; - group = "users"; - } - "/var/lib/docker" - ]; - - home-manager.users.tzlil = { - home.packages = [pkgs.schildichat-desktop-wayland pkgs.keepassxc]; - programs.qutebrowser = { - enable = true; - settings.colors.webpage.darkmode.enabled = true; - }; - }; - - programs.steam.enable = true; - - programs.firejail.wrappedBinaries = { - mullvad-browser = { - executable = lib.getExe pkgs.mullvad-browser; - extraArgs = [ - "--env=MOZ_ENABLE_WAYLAND=1" - "--env=GTK_THEME=Adwaita:dark" - ]; - # profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; - }; - }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - - nixpkgs.config.allowUnfree = true; - hardware.enableAllFirmware = true; - - # greeter.initialSession = "${pkgs.fish}/bin/fish"; - - hardware.opengl = { - enable = true; - extraPackages = with pkgs; [rocm-opencl-icd rocm-opencl-runtime]; - driSupport = true; - driSupport32Bit = true; - }; - - networking.firewall.allowedTCPPorts = 
[25565]; - - services = { - power-profiles-daemon.enable = true; - thermald.enable = true; - tlp = { - settings = { - CPU_BOOST_ON_AC = 1; - CPU_BOOST_ON_BAT = 0; - CPU_SCALING_GOVERNOR_ON_AC = "performance"; - CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; - }; - }; - acpid.enable = true; - }; - - hardware.bluetooth.enable = true; - services.blueman.enable = true; - - # dont know if i like this - nix.settings.trusted-public-keys = [ - "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" - ]; - nix.settings.substituters = [ - "https://cache.iog.io" - ]; - - virtualisation.docker.enable = true; - virtualisation.docker.storageDriver = "btrfs"; - users.users.tzlil.extraGroups = ["docker"]; - }; -} diff --git a/hosts/navi/default.nix b/hosts/navi/default.nix new file mode 100644 index 0000000..a8702a8 --- /dev/null +++ b/hosts/navi/default.nix 
@@ -0,0 +1,163 @@ +{ + config, + lib, + pkgs, + inputs, + ... +}: { + imports = [ + ./hardware-configuration.nix + # ../../profiles/core.nix + ../../profiles/graphical.nix + ../../mixins/tailscale.nix + ../../mixins/cli.nix + ../../mixins/greet.nix + # ../../mixins/hyprland.nix + ../../mixins/sway.nix + ../../mixins/pipewire.nix + ../../mixins/multimedia.nix + # ../../mixins/emacs + ../../mixins/syncthing.nix + ]; + + config = { + system.stateVersion = "23.11"; + boot = { + tmp.cleanOnBoot = true; + initrd = { + supportedFilesystems = ["btrfs"]; + availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "usbhid" "snd_usb_audio"]; + }; + supportedFilesystems = ["ntfs"]; + kernelModules = ["kvm-intel" "snd-seq" "snd-rawmidi" "bridge"]; + kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; + # extraModulePackages = [ config.boot.kernelPackages.rtl8821ce ]; + loader = { + systemd-boot = { + enable = true; + }; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + }; + }; + + time.timeZone = lib.mkDefault "Israel"; + + # fileSystems."/" = { + # device = "none"; + # fsType = "tmpfs"; + # # hyprland doesnt compile with noexec root + # options = ["defaults" "size=8G" "mode=755"]; + # }; + + # fileSystems."/boot" = { + # device = "/dev/disk/by-uuid/34CB-F158"; + # fsType = "vfat"; + # }; + + # fileSystems."/nix" = { + # device = "/dev/disk/by-uuid/8a8cc550-034e-4545-a958-564779f51061"; + # fsType = "btrfs"; + # }; + + zramSwap = { + enable = true; + algorithm = "zstd"; + }; + + networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true; + + # # iwd networking stuffs + # networking.networkmanager.enable = lib.mkForce false; + # networking.wireless.iwd.enable = true; + # services.connman = { + # enable = true; + # wifi.backend = "iwd"; + # }; + # networking.wireless.dbusControlled = true; + # home-manager.users.tzlil.home.packages = [pkgs.cmst]; + # networking.wireless.userControlled.enable = true; + # networking.wireless.enable = 
true; + # services.connman.enable = true; + + # services.tor = { + # enable = true; + # openFirewall = true; + # client.enable = true; + # torsocks.enable = true; + # }; + environment.persistence."/nix/persist".directories = [ + "/etc/NetworkManager/system-connections" + { + directory = "/home/tzlil/.config/SchildiChat"; + user = "tzlil"; + group = "users"; + } + { + directory = "/home/tzlil/.local/share/Terraria"; + user = "tzlil"; + group = "users"; + } + + { + directory = "/home/tzlil/.local/share/Steam"; + user = "tzlil"; + group = "users"; + } + "/var/lib/docker" + ]; + + home-manager.users.tzlil = { + home.packages = [pkgs.schildichat-desktop-wayland pkgs.keepassxc]; + programs.qutebrowser = { + enable = true; + settings.colors.webpage.darkmode.enabled = true; + }; + }; + + programs.steam.enable = true; + + # programs.firejail.wrappedBinaries = { + # mullvad-browser = { + # executable = lib.getExe pkgs.mullvad-browser; + # extraArgs = [ + # "--env=MOZ_ENABLE_WAYLAND=1" + # "--env=GTK_THEME=Adwaita:dark" + # ]; + # # profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; + # }; + # }; + + # greeter.initialSession = "${pkgs.fish}/bin/fish"; + + hardware.opengl = { + enable = true; + extraPackages = with pkgs; [rocm-opencl-icd rocm-opencl-runtime]; + driSupport = true; + driSupport32Bit = true; + }; + + networking.firewall.allowedTCPPorts = [25565]; + + services = { + power-profiles-daemon.enable = true; + thermald.enable = true; + tlp = { + settings = { + CPU_BOOST_ON_AC = 1; + CPU_BOOST_ON_BAT = 0; + CPU_SCALING_GOVERNOR_ON_AC = "performance"; + CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; + }; + }; + acpid.enable = true; + }; + + services.blueman.enable = true; + + virtualisation.docker.enable = true; + virtualisation.docker.storageDriver = "btrfs"; + }; +} diff --git a/hosts/navi/hardware-configuration.nix b/hosts/navi/hardware-configuration.nix new file mode 100644 index 0000000..7b24c68 --- /dev/null +++ b/hosts/navi/hardware-configuration.nix 
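Review bot: `virtualisation.docker.enable = true;` is kept, but the `users.users.tzlil.extraGroups = ["docker"];` line from the deleted `hosts/laptop/cfg.nix` is not carried over; membership of the docker group is root-equivalent, so if the drop is deliberate a short comment saying so would help, and if it moved into `profiles/tzlil.nix` (not in view) that should be confirmed. `system.stateVersion = "23.11";` is now set per host while `profiles/core.nix` still carries `"22.5"` for the other hosts; if this is a fresh disko install the new value is fine, but a comment would stop it being "fixed" later. `networking.firewall.allowedTCPPorts = [25565];` would also benefit from a comment naming the service that port is opened for.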
@@ -0,0 +1,71 @@ +{ + inputs, + pkgs, + lib, + config, + ... +}: let + device = "/dev/nvme0n1"; +in { + imports = [ + inputs.disko.nixosModules.disko + inputs.hardware.nixosModules.common-cpu-intel + inputs.hardware.nixosModules.common-gpu-intel + ]; + + hardware.firmware = [pkgs.rtw88-firmware]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + hardware.enableAllFirmware = true; + + hardware.bluetooth.enable = true; + + disko.devices = { + disk.${baseNameOf device} = { + inherit device; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + type = "EF00"; + size = "512M"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + content = { + type = "btrfs"; + extraArgs = ["-f"]; + subvolumes = { + "/nix" = { + mountOptions = ["compress=zstd" "noatime"]; + mountpoint = "/nix"; + }; + }; + }; + }; + }; + }; + }; + }; + nodev."/" = { + fsType = "tmpfs"; + mountOptions = [ + "size=8G" + "defaults" + "mode=755" + ]; + }; + }; +} diff --git a/hosts/pc/cfg.nix b/hosts/pc/cfg.nix deleted file mode 100644 index ee3b716..0000000 --- a/hosts/pc/cfg.nix +++ /dev/null 
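Review bot: the EFI partition's filesystem has no `mountOptions`, so the unencrypted ESP holding kernels, initrds and boot entries is mounted with vfat's default world-readable permissions; adding `mountOptions = ["umask=0077"];` next to `mountpoint = "/boot";` keeps it root-only (newer NixOS releases warn about a world-readable ESP). The tmpfs root under `nodev."/"` deliberately omits `noexec`, unlike the `vm` and `vps` hosts; the old `# hyprland doesnt compile with noexec root` comment explaining that was lost in the move and is worth restoring beside its `mountOptions`. The LUKS `cryptroot` entry sets no `passwordFile`/`keyFile`, so `disko` prompts interactively at format time — fine, but worth a comment so the next reader does not go looking for a key file.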
@@ -1,87 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - imports = [ - ../../profiles/core.nix - ../../profiles/user.nix - ../../profiles/ssh.nix - ../../profiles/graphical.nix - ../../mixins/tailscale.nix - ../../mixins/cli.nix - ../../mixins/greet.nix - # ../../mixins/hyprland.nix - ../../mixins/sway.nix - ]; - - config = { - _module.args.nixinate = { - host = "pc"; - sshUser = "tzlil"; - buildOn = "remote"; # valid args are "local" or "remote" - substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" - hermetic = false; - }; - networking.hostName = "pc"; - - boot = { - initrd = { - supportedFilesystems = ["btrfs"]; - availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid"]; - }; - kernelModules = ["kvm-amd"]; - kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; - loader = { - systemd-boot = { - enable = true; - }; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - }; - }; - - time.timeZone = lib.mkDefault "Israel"; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/3fe7d38b-bb95-41ca-afce-1b0b89cbcd8b"; - fsType = "btrfs"; - options = ["subvol=root"]; - }; - - "/nix" = { - device = "/dev/disk/by-uuid/3fe7d38b-bb95-41ca-afce-1b0b89cbcd8b"; - fsType = "btrfs"; - options = ["subvol=nix"]; - }; - - "/home" = { - device = "/dev/disk/by-uuid/3fe7d38b-bb95-41ca-afce-1b0b89cbcd8b"; - fsType = "btrfs"; - options = ["subvol=home"]; - }; - - "/swap" = { - device = "/dev/disk/by-uuid/3fe7d38b-bb95-41ca-afce-1b0b89cbcd8b"; - fsType = "btrfs"; - options = ["subvol=swap"]; - }; - "/boot" = { - device = "/dev/disk/by-uuid/D999-2D99"; - fsType = "vfat"; - }; - }; - - zramSwap = { - enable = true; - algorithm = "zstd"; - }; - - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - # greeter.initialSession = "sh -c hyprland"; - }; -} diff --git a/hosts/pc/default.nix b/hosts/pc/default.nix new file mode 100644 index 0000000..ee3b716 --- /dev/null 
+++ b/hosts/pc/default.nix @@ -0,0 +1,87 @@ +{ + config, + lib, + pkgs, + ... +}: { + imports = [ + ../../profiles/core.nix + ../../profiles/user.nix + ../../profiles/ssh.nix + ../../profiles/graphical.nix + ../../mixins/tailscale.nix + ../../mixins/cli.nix + ../../mixins/greet.nix + # ../../mixins/hyprland.nix + ../../mixins/sway.nix + ]; + + config = { + _module.args.nixinate = { + host = "pc"; + sshUser = "tzlil"; + buildOn = "remote"; # valid args are "local" or "remote" + substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" + hermetic = false; + }; + networking.hostName = "pc"; + + boot = { + initrd = { + supportedFilesystems = ["btrfs"]; + availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid"]; + }; + kernelModules = ["kvm-amd"]; + kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; + loader = { + systemd-boot = { + enable = true; + }; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + }; + }; + + time.timeZone = lib.mkDefault "Israel"; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/3fe7d38b-bb95-41ca-afce-1b0b89cbcd8b"; + fsType = "btrfs"; + options = ["subvol=root"]; + }; + + "/nix" = { + device = "/dev/disk/by-uuid/3fe7d38b-bb95-41ca-afce-1b0b89cbcd8b"; + fsType = "btrfs"; + options = ["subvol=nix"]; + }; + + "/home" = { + device = "/dev/disk/by-uuid/3fe7d38b-bb95-41ca-afce-1b0b89cbcd8b"; + fsType = "btrfs"; + options = ["subvol=home"]; + }; + + "/swap" = { + device = "/dev/disk/by-uuid/3fe7d38b-bb95-41ca-afce-1b0b89cbcd8b"; + fsType = "btrfs"; + options = ["subvol=swap"]; + }; + "/boot" = { + device = "/dev/disk/by-uuid/D999-2D99"; + fsType = "vfat"; + }; + }; + + zramSwap = { + enable = true; + algorithm = "zstd"; + }; + + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + # greeter.initialSession = "sh -c hyprland"; + }; +} 
diff --git a/hosts/vm/cfg.nix b/hosts/vm/cfg.nix deleted file mode 100644 index 99ed8b9..0000000 --- a/hosts/vm/cfg.nix +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - ../../profiles/core.nix - ../../profiles/user.nix - ../../profiles/ssh.nix - ../../profiles/graphical.nix - ../../mixins/tailscale.nix - ../../mixins/cli.nix - ../../mixins/greet.nix - ../../mixins/pipewire.nix - # ../../mixins/hyprland.nix - ../../mixins/sway.nix - # (modulesPath + "/profiles/qemu-guest.nix") - # (modulesPath + "/virtualisation/qemu-vm.nix") - ]; - - config = { - _module.args.nixinate = { - host = "vm"; - sshUser = "tzlil"; - buildOn = "remote"; # valid args are "local" or "remote" - substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" - hermetic = false; - }; - networking.hostName = "vm"; - - # dont do this - users.users.root.initialPassword = "hunter2"; - - boot.supportedFilesystems = ["9p"]; - boot = { - initrd = { - supportedFilesystems = ["btrfs"]; - availableKernelModules = ["ata_piix" "uhci_hcd" "floppy" "sd_mod" "sr_mod"]; - }; - kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; - kernelParams = [ - "console=ttyS0" - ]; - loader = { - systemd-boot = { - enable = true; - }; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - }; - }; - - time.timeZone = lib.mkDefault "Israel"; - - fileSystems = { - "/" = { - device = "none"; - fsType = "tmpfs"; - options = ["noexec" "defaults" "size=2G" "mode=755"]; - }; - "/nix" = { - device = "/dev/disk/by-partlabel/nix"; - options = ["noatime" "compress=zstd"]; - }; - "/boot" = { - device = "/dev/disk/by-partlabel/boot"; - }; - }; - - zramSwap = { - enable = true; - algorithm = "zstd"; - }; - - hardware.opengl = { - enable = true; - extraPackages = with pkgs; [rocm-opencl-icd rocm-opencl-runtime]; - driSupport = true; - driSupport32Bit = true; - }; - - greeter.initialSession = "env WLR_RENDERER=pixman ${pkgs.sway.out}/bin/sway"; - # home-manager.users.tzlil.wayland.windowManager.sway.config.input."type:keyboard".xkb_variant = lib.mkForce ""; - 
- # nice to work with - security.sudo.wheelNeedsPassword = false; - }; -} diff --git a/hosts/vm/default.nix b/hosts/vm/default.nix new file mode 100644 index 0000000..99ed8b9 --- /dev/null +++ b/hosts/vm/default.nix 
@@ -0,0 +1,92 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + ../../profiles/core.nix + ../../profiles/user.nix + ../../profiles/ssh.nix + ../../profiles/graphical.nix + ../../mixins/tailscale.nix + ../../mixins/cli.nix + ../../mixins/greet.nix + ../../mixins/pipewire.nix + # ../../mixins/hyprland.nix + ../../mixins/sway.nix + # (modulesPath + "/profiles/qemu-guest.nix") + # (modulesPath + "/virtualisation/qemu-vm.nix") + ]; + + config = { + _module.args.nixinate = { + host = "vm"; + sshUser = "tzlil"; + buildOn = "remote"; # valid args are "local" or "remote" + substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" + hermetic = false; + }; + networking.hostName = "vm"; + + # dont do this + users.users.root.initialPassword = "hunter2"; + + boot.supportedFilesystems = ["9p"]; + boot = { + initrd = { + supportedFilesystems = ["btrfs"]; + availableKernelModules = ["ata_piix" "uhci_hcd" "floppy" "sd_mod" "sr_mod"]; + }; + kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; + kernelParams = [ + "console=ttyS0" + ]; + loader = { + systemd-boot = { + enable = true; + }; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + }; + }; + + time.timeZone = lib.mkDefault "Israel"; + + fileSystems = { + "/" = { + device = "none"; + fsType = "tmpfs"; + options = ["noexec" "defaults" "size=2G" "mode=755"]; + }; + "/nix" = { + device = "/dev/disk/by-partlabel/nix"; + options = ["noatime" "compress=zstd"]; + }; + "/boot" = { + device = "/dev/disk/by-partlabel/boot"; + }; + }; + + zramSwap = { + enable = true; + algorithm = "zstd"; + }; + + hardware.opengl = { + enable = true; + extraPackages = with pkgs; [rocm-opencl-icd rocm-opencl-runtime]; + driSupport = true; + driSupport32Bit = true; + }; + + greeter.initialSession = "env WLR_RENDERER=pixman ${pkgs.sway.out}/bin/sway"; + # home-manager.users.tzlil.wayland.windowManager.sway.config.input."type:keyboard".xkb_variant = lib.mkForce ""; + 
+ # nice to work with + security.sudo.wheelNeedsPassword = false; + }; +} diff --git a/hosts/vps/cfg.nix b/hosts/vps/cfg.nix deleted file mode 100644 index 3597c5c..0000000 --- a/hosts/vps/cfg.nix +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - imports = [ - ../../profiles/core.nix - ../../profiles/user.nix - ../../profiles/ssh.nix - ../../mixins/tailscale.nix - ../../mixins/cli.nix - ./website.nix - ./git.nix - ./hydrus.nix - ./matrix.nix - ./maloja.nix - ]; - - config = { - _module.args.nixinate = { - host = "vps"; - sshUser = "tzlil"; - buildOn = "remote"; # valid args are "local" or "remote" - substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" - hermetic = false; - }; - - networking.hostName = "vps"; - - boot = { - kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; - loader.grub.device = "/dev/vda"; - initrd = { - availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; - kernelModules = []; - }; - kernelModules = []; - extraModulePackages = []; - }; - - networking.interfaces.ens3.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - virtualisation.hypervGuest.enable = true; - - time.timeZone = lib.mkDefault "Frankfurt"; - - fileSystems = { - "/" = { - device = "none"; - fsType = "tmpfs"; - options = ["noexec" "defaults" "size=2G" "mode=755"]; - }; - "/nix" = { - device = "/dev/disk/by-uuid/e4c4735d-bfdd-477f-bc43-d07510cb6a9a"; - fsType = "btrfs"; - }; - "/boot" = { - device = "/dev/disk/by-uuid/7ea63707-099d-4c21-90eb-a51bfa6d8ba5"; - fsType = "ext4"; - }; - }; - - swapDevices = [{device = "/dev/disk/by-uuid/00eb2d2e-4d7c-4e95-804d-e9ecb22679d4";}]; - - zramSwap = { - enable = true; - algorithm = "zstd"; - }; - - networking.networkmanager.enable = lib.mkForce false; - - nixpkgs.config.allowUnfree = true; - environment.persistence."/nix/persist".directories = [ - { - directory = config.services.terraria.dataDir; - user = "terraria"; - group = "terraria"; - } - ]; - - services.terraria = { - enable = true; - worldPath = 
"${config.services.terraria.dataDir}/14.wld"; - password = "???"; - openFirewall = true; - }; - }; -} diff --git a/hosts/vps/default.nix b/hosts/vps/default.nix new file mode 100644 index 0000000..3597c5c --- /dev/null +++ b/hosts/vps/default.nix 
@@ -0,0 +1,91 @@ +{ + config, + lib, + pkgs, + ... +}: { + imports = [ + ../../profiles/core.nix + ../../profiles/user.nix + ../../profiles/ssh.nix + ../../mixins/tailscale.nix + ../../mixins/cli.nix + ./website.nix + ./git.nix + ./hydrus.nix + ./matrix.nix + ./maloja.nix + ]; + + config = { + _module.args.nixinate = { + host = "vps"; + sshUser = "tzlil"; + buildOn = "remote"; # valid args are "local" or "remote" + substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s" + hermetic = false; + }; + + networking.hostName = "vps"; + + boot = { + kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; + loader.grub.device = "/dev/vda"; + initrd = { + availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + kernelModules = []; + }; + kernelModules = []; + extraModulePackages = []; + }; + + networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + virtualisation.hypervGuest.enable = true; + + time.timeZone = lib.mkDefault "Frankfurt"; + + fileSystems = { + "/" = { + device = "none"; + fsType = "tmpfs"; + options = ["noexec" "defaults" "size=2G" "mode=755"]; + }; + "/nix" = { + device = "/dev/disk/by-uuid/e4c4735d-bfdd-477f-bc43-d07510cb6a9a"; + fsType = "btrfs"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/7ea63707-099d-4c21-90eb-a51bfa6d8ba5"; + fsType = "ext4"; + }; + }; + + swapDevices = [{device = "/dev/disk/by-uuid/00eb2d2e-4d7c-4e95-804d-e9ecb22679d4";}]; + + zramSwap = { + enable = true; + algorithm = "zstd"; + }; + + networking.networkmanager.enable = lib.mkForce false; + + nixpkgs.config.allowUnfree = true; + environment.persistence."/nix/persist".directories = [ + { + directory = config.services.terraria.dataDir; + user = "terraria"; + group = "terraria"; + } + ]; + + services.terraria = { + enable = true; + worldPath = 
"${config.services.terraria.dataDir}/14.wld"; + password = "???"; + openFirewall = true; + }; + }; +} diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix index d9c638d..8bd4653 100644 --- a/hosts/vps/git.nix +++ b/hosts/vps/git.nix @@ -13,8 +13,7 @@ packages = [pkgs.git]; shell = "${pkgs.git}/bin/git-shell"; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhN4Iq070J9rFJhOwP9RUyUJG9MC1W5KnDGqBqWZnlu" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" ]; }; diff --git a/mixins/syncthing.nix b/mixins/syncthing.nix index 3e219ae..7faf5db 100644 --- a/mixins/syncthing.nix +++ b/mixins/syncthing.nix @@ -11,13 +11,15 @@ configDir = "/home/tzlil/.config/syncthing"; overrideDevices = true; overrideFolders = true; - devices = { - "phone" = {id = "UHWVTEZ-BERNFCH-3ZXQHNE-ZRBHLU6-MBAVEHB-TKLQJM7-ZGHLJ4R-6E4SAA7";}; - }; - folders = { - "passwords" = { - path = "/home/tzlil/sync/passwords"; - devices = ["phone"]; + settings = { + devices = { + "phone" = {id = "UHWVTEZ-BERNFCH-3ZXQHNE-ZRBHLU6-MBAVEHB-TKLQJM7-ZGHLJ4R-6E4SAA7";}; + }; + folders = { + "passwords" = { + path = "/home/tzlil/sync/passwords"; + devices = ["phone"]; + }; }; }; }; diff --git a/profiles/core.nix b/profiles/core.nix index 3eca577..4fefbdd 100644 --- a/profiles/core.nix +++ b/profiles/core.nix 
@@ -5,44 +5,39 @@ inputs, ... }: { - imports = [ - ../profiles/security.nix - ../profiles/network.nix - ]; + # imports = [ + # ../profiles/security.nix + # ../profiles/network.nix + # ]; config = { - system.stateVersion = "22.5"; - nix = { - registry.nixpkgs.flake = inputs.nixpkgs; - gc.automatic = true; - optimise.automatic = true; - settings = { - allowed-users = ["root"]; - trusted-users = ["root"]; - sandbox = true; - }; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - users.mutableUsers = false; - environment.defaultPackages = lib.mkForce []; + # system.stateVersion = "22.5"; + # nix = { + # registry.nixpkgs.flake = inputs.nixpkgs; + # gc.automatic = true; + # optimise.automatic = true; + # settings = { + # allowed-users = ["root"]; + # trusted-users = ["root"]; + # sandbox = true; + # }; + # extraOptions = '' + # experimental-features = nix-command flakes + # ''; + # }; + # users.mutableUsers = false; + # environment.defaultPackages = lib.mkForce []; - age.identityPaths = ["/nix/persist/etc/ssh/ssh_host_ed25519_key"]; - # causing issues, fix this programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite; - # save uid/guid - environment.persistence."/nix/persist".directories = ["/var/lib/nixos"]; - - boot = { - tmp.cleanOnBoot = true; - kernelParams = [ - "init_on_free=1" - "page_poison=1" - "page_alloc.shuffle=1" - "slab_nomerge" - "vsyscall=none" - ]; - }; + # boot = { + # tmp.cleanOnBoot = true; + # kernelParams = [ + # "init_on_free=1" + # "page_poison=1" + # "page_alloc.shuffle=1" + # "slab_nomerge" + # "vsyscall=none" + # ]; + # }; }; } diff --git a/profiles/default.nix b/profiles/default.nix new file mode 100644 index 0000000..77921b6 --- /dev/null +++ b/profiles/default.nix @@ -0,0 +1,8 @@ +{inputs, ...}: { + flake.nixosModules = { + nix = import ./nix.nix {inherit inputs;}; + security = ./security.nix; + tzlil = ./tzlil.nix; + ssh = ./ssh.nix; + }; +} 
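Review bot: the hardening `boot.kernelParams` list (`init_on_free=1`, `page_poison=1`, `page_alloc.shuffle=1`, `slab_nomerge`, `vsyscall=none`), `users.mutableUsers = false;` and `environment.defaultPackages = lib.mkForce [];` are commented out here, and none of the new profile files visible in this patch (`nix.nix`, `impermanence.nix`, the visible part of `security.nix`) reintroduces them; since `navi` now imports `security.nix` instead of `core.nix`, they silently disappear from that host unless `profiles/tzlil.nix` or the rest of `security.nix` carries them. Moving the `kernelParams` block into `profiles/security.nix` beside the sysctl settings keeps the hardening in one place. Commented-out code is better deleted than kept — git history has it — and the commented `../profiles/network.nix` import leaves that file unreferenced by anything in view.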
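Review bot: `nix = import ./nix.nix {inherit inputs;};` calls a function whose pattern is `{inputs, pkgs, ...}` with only `inputs`, which fails at evaluation with a missing-argument error for `pkgs`; `nix.nix` is already an ordinary NixOS module that receives `inputs` through `specialArgs` in `hosts/default.nix`, so `nix = ./nix.nix;` would match the other three entries. `flake.nixosModules` is a flake-parts option and nothing in view wires this file into a `mkFlake` call, so the file currently has no effect — `hosts/default.nix` imports the profile paths directly instead. The newly added `./impermanence.nix` is also missing from this list.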
diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix new file mode 100644 index 0000000..5ee9c97 --- /dev/null +++ b/profiles/impermanence.nix @@ -0,0 +1,29 @@ +{inputs, ...}: { + config, + lib, + options, + ... +}: let + sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys; +in { + imports = [inputs.impermanence.nixosModules.impermanence]; + + config = lib.mkMerge [ + { + environment.persistence."/nix/persistent" = { + hideMounts = true; + directories = [ + "/var/log" + "/var/lib/systemd/coredump" + "/tmp" # Make builds not crash by running them on disk instead of RAM (We still clean /tmp on boot) + ]; + files = + [ + "/etc/machine-id" + ] + ++ sshHostKeys; + }; + } + (lib.optionalAttrs (options ? age) {age.identityPaths = map (x: "/nix/persistent" + x) sshHostKeys;}) + ]; +} diff --git a/profiles/nix.nix b/profiles/nix.nix new file mode 100644 index 0000000..769a06a --- /dev/null +++ b/profiles/nix.nix @@ -0,0 +1,44 @@ +{ + inputs, + pkgs, + ... +}: { + nix = { + package = pkgs.nixUnstable; + registry.nixpkgs.flake = inputs.nixpkgs; + nixPath = [ + "nixpkgs=flake:nixpkgs" + ]; + gc.automatic = true; + optimise.automatic = true; + settings = { + experimental-features = [ + "nix-command" + "flakes" + "cgroups" + "auto-allocate-uids" + "repl-flake" + "no-url-literals" + ]; + use-cgroups = true; + auto-allocate-uids = true; + builders-use-substitutes = true; + auto-optimise-store = true; + warn-dirty = false; + trusted-users = [ + "@wheel" + ]; + substituters = [ + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + }; + + nixpkgs.config.allowUnfree = true; + + # save uid/guid + environment.persistence."/nix/persist".directories = ["/var/lib/nixos"]; +} diff --git a/profiles/security.nix b/profiles/security.nix index 63c5fe4..40d5bf4 100644 --- a/profiles/security.nix +++ b/profiles/security.nix 
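Review bot: this module persists into `/nix/persistent`, while `hosts/navi/default.nix` and `profiles/nix.nix` persist into `/nix/persist`; two persistence roots split state across directories (the previous `age.identityPaths` also lived under `/nix/persist`), so pick one — `environment.persistence."/nix/persist"` here, with the same prefix in the `map` on the last line, would match the rest of the tree. The file is written as a curried module (`{inputs, ...}: {config, lib, options, ...}:`) but nothing visible imports it: `hosts/default.nix` pulls in `inputs.impermanence.nixosModules.impermanence` directly and `profiles/default.nix` does not list it, so the host-key persistence and the `age.identityPaths` derivation it provides are currently inert.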
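Review bot: `trusted-users = ["@wheel"];` widens the previous `trusted-users = ["root"]` (and drops `allowed-users = ["root"]`) from `profiles/core.nix`; a trusted user can hand the daemon arbitrary `substituters`/`trusted-public-keys` and unsigned store paths, which is effectively root on the machine, so this deserves a comment stating why — presumably so `nixinate` can copy closures as `tzlil`, in which case say so next to the line, otherwise keep `root`. `experimental-features` enables `auto-allocate-uids` and `cgroups`, which only the `nixUnstable` package pinned above honours; a comment tying `package = pkgs.nixUnstable;` to that list would stop someone reverting one without the other.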
@@ -1,75 +1,72 @@ { - pkgs, lib, config, - inputs, ... }: { - imports = []; - config = { - programs.firejail.enable = true; - security.auditd.enable = true; - security.audit.enable = true; - security.audit.rules = [ - "-a exit,always -F arch=b64 -S execve" - ]; - - # https://source.android.com/docs/security/test/scudo - environment.memoryAllocator.provider = "scudo"; - environment.variables.SCUDO_OPTIONS = "ZeroContents=1"; - - security.lockKernelModules = true; - security.protectKernelImage = true; - security.allowSimultaneousMultithreading = false; - security.forcePageTableIsolation = true; - - security.unprivilegedUsernsClone = config.virtualisation.containers.enable; - - security.virtualisation.flushL1DataCache = "always"; - - security.apparmor.enable = true; - security.apparmor.killUnconfinedConfinables = true; - - # Restrict ptrace() usage to processes with a pre-defined relationship - # (e.g., parent/child) - boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1; - - # Hide kptrs even for processes with CAP_SYSLOG - boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2; - - # Disable bpf() JIT (to eliminate spray attacks) - boot.kernel.sysctl."net.core.bpf_jit_enable" = false; - - # Disable ftrace debugging - boot.kernel.sysctl."kernel.ftrace_enabled" = false; - - # Enable strict reverse path filtering (that is, do not attempt to route - # packets that "obviously" do not belong to the iface's network; dropped - # packets are logged as martians). 
- boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1"; - boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1"; - - # Ignore broadcast ICMP (mitigate SMURF) - boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true; - - # Ignore incoming ICMP redirects (note: default is needed to ensure that the - # setting is applied to interfaces added after the sysctls are set) - boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false; - boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false; - - # Ignore outgoing ICMP redirects (this is ipv4 only) - boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false; - - security.chromiumSuidSandbox.enable = true; - - security.sudo.execWheelOnly = true; - security.sudo.extraConfig = "Defaults lecture = never"; - }; + programs.firejail.enable = true; + security.auditd.enable = true; + security.audit.enable = true; + security.audit.rules = [ + "-a exit,always -F arch=b64 -S execve" + ]; + + # https://source.android.com/docs/security/test/scudo + environment.memoryAllocator.provider = "scudo"; + environment.variables.SCUDO_OPTIONS = "ZeroContents=1"; + + security.lockKernelModules = true; + security.protectKernelImage = true; + security.allowSimultaneousMultithreading = false; + security.forcePageTableIsolation = true; + + security.unprivilegedUsernsClone = config.virtualisation.containers.enable; + + security.virtualisation.flushL1DataCache = "always"; + + security.apparmor.enable = true; + security.apparmor.killUnconfinedConfinables 
= true; + + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1; + + # Hide kptrs even for processes with CAP_SYSLOG + boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2; + + # Disable bpf() JIT (to eliminate spray attacks) + boot.kernel.sysctl."net.core.bpf_jit_enable" = false; + + # Disable ftrace debugging + boot.kernel.sysctl."kernel.ftrace_enabled" = false; + + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). + boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1"; + boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1"; + + # Ignore broadcast ICMP (mitigate SMURF) + boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true; + + # Ignore incoming ICMP redirects (note: default is needed to ensure that the + # setting is applied to interfaces added after the sysctls are set) + boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false; + boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false; + boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false; + + # Ignore outgoing ICMP redirects (this is ipv4 only) + boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false; + boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false; + + security.chromiumSuidSandbox.enable = true; + + security.sudo.execWheelOnly = true; + security.sudo.extraConfig = "Defaults lecture = never"; + + environment.defaultPackages = lib.mkForce []; } 
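Review bot: This profile is the natural home for the kernel command-line hardening that the first hunk of this commit comments out of the core profile (`init_on_free=1`, `page_poison=1`, `page_alloc.shuffle=1`, `slab_nomerge`, `vsyscall=none`) and for `boot.tmp.cleanOnBoot`, yet the new side only re-indents the existing sysctls and adds `environment.defaultPackages = lib.mkForce []`; without them the `lockKernelModules`/`protectKernelImage` set here is weaker than what the hosts had before. I would append them after `defaultPackages`, as below. A smaller style point on the same hunk: `rp_filter` is given as the string `"1"` while every neighbouring sysctl uses a bool or int, so `rp_filter = 1;` would match.

```nix
  environment.defaultPackages = lib.mkForce [];

  # Kernel hardening formerly set in the core profile; kept here so every
  # host that imports the security module gets it.
  boot.tmp.cleanOnBoot = true;
  boot.kernelParams = [
    "init_on_free=1"
    "page_poison=1"
    "page_alloc.shuffle=1"
    "slab_nomerge"
    "vsyscall=none"
  ];
}
```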
diff --git a/profiles/ssh.nix b/profiles/ssh.nix index 294f015..a753e86 100644 --- a/profiles/ssh.nix +++ b/profiles/ssh.nix @@ -2,7 +2,6 @@ pkgs, lib, config, - inputs, ... }: { config = { diff --git a/profiles/tzlil.nix b/profiles/tzlil.nix new file mode 100644 index 0000000..0e242e1 --- /dev/null +++ b/profiles/tzlil.nix 
@@ -0,0 +1,78 @@ +{ + pkgs, + lib, + config, + inputs, + ... +}: { + config = { + age.secrets.id_ed25519 = { + file = ../secrets/id_ed25519.age; + mode = "600"; + owner = "tzlil"; + group = "users"; + }; + + programs.fish.enable = true; # needed now + users.users.tzlil = { + isNormalUser = true; + extraGroups = + ["wheel"] + ++ lib.optional config.virtualisation.docker.enable "docker" + ++ lib.optional config.virtualisation.libvirtd.enable "libvirtd" + ++ lib.optional config.networking.networkmanager.enable "networkmanager" + ++ lib.optional config.programs.light.enable "video" + ++ lib.optional config.programs.adb.enable "adbusers"; + packages = [pkgs.git]; + shell = pkgs.fish; + hashedPassword = "$6$FAQYKz3OCtRNOP7h$XsApvP.r./Jv5MRI1idDI9BMnA26xxEvXFlE61Zls.QA3EK2x76XsetdpxSlgViylnRwRuq5XQMc3GeAJ7tum1"; + # passwordFile = config.age.secrets.password.path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" + ]; + }; + + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + backupFileExtension = "backup"; + }; + + home-manager.users.tzlil = {pkgs, ...} @ hm: { + home = { + stateVersion = "22.05"; + username = "tzlil"; + homeDirectory = "/home/tzlil"; + sessionVariables.SSH_AUTH_SOCK = "/run/user/1000/ssh-agent"; + }; + programs.ssh = { + enable = true; + userKnownHostsFile = builtins.toFile "known_hosts" " + pc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINu5lRKb1Ao4uj1tAV10QHKIvXfC8ncQ65b+oJtxrd1e + vm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS6LK6rCmJCR/rKVJYVmJTL8fAdyJSLlgC3mesd6QVS + vps ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdOuj27GB703ZRKRqhytlaLJsKucaRa//yswxijAZT7 + "; + matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path; + }; + systemd.user.services.ssh-agent = let + agentTimeout = "1h"; + in { + Unit = { + Description = "SSH Agent"; + After = ["default.target"]; + }; + Service = { + ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent"; + ExecStart = + 
"${pkgs.openssh}/bin/ssh-agent " + + "-t ${agentTimeout} " + + "-a %t/ssh-agent"; + StandardOutput = "null"; + Type = "forking"; + Restart = "on-failure"; + SuccessExitStatus = "0 2"; + }; + }; + }; + }; +} diff --git a/profiles/user.nix b/profiles/user.nix deleted file mode 100644 index 7355e85..0000000 --- a/profiles/user.nix +++ /dev/null 
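Review bot: `hashedPassword` embeds the `$6$` crypt hash in the repository and, as far as I know, in the world-readable users/groups JSON that NixOS writes to the Nix store, so any local user or anyone with the repo can run an offline crack against it; the commented `passwordFile = config.age.secrets.password.path;` line right below it is the better shape and could be wired to a new age secret the same way `id_ed25519` is. A second point is `sessionVariables.SSH_AUTH_SOCK = "/run/user/1000/ssh-agent"`, which hard-codes the uid while `users.users.tzlil` does not pin one and the uid map is only kept through the persisted `/var/lib/nixos`; adding `uid = 1000;` to the user makes the assumption explicit and survives a reinstall.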
@@ -1,76 +0,0 @@ -{ - pkgs, - lib, - config, - inputs, - ... -}: { - config = { - age.secrets.id_ed25519 = { - file = ../secrets/id_ed25519.age; - mode = "600"; - owner = "tzlil"; - group = "users"; - }; - - programs.fish.enable = true; # needed now - users.users.tzlil = { - isNormalUser = true; - description = "Me"; - extraGroups = ["wheel"]; - packages = [pkgs.git]; - shell = pkgs.fish; - hashedPassword = "$6$FAQYKz3OCtRNOP7h$XsApvP.r./Jv5MRI1idDI9BMnA26xxEvXFlE61Zls.QA3EK2x76XsetdpxSlgViylnRwRuq5XQMc3GeAJ7tum1"; - # passwordFile = config.age.secrets.password.path; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA" - ]; - }; - - nix.settings.allowed-users = ["root" "tzlil"]; - nix.settings.trusted-users = ["root" "tzlil"]; - - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - backupFileExtension = "backup"; - }; - - home-manager.users.tzlil = {pkgs, ...} @ hm: { - home = { - stateVersion = "22.05"; - username = "tzlil"; - homeDirectory = "/home/tzlil"; - sessionVariables.SSH_AUTH_SOCK = "/run/user/1000/ssh-agent"; - }; - programs.ssh = { - enable = true; - userKnownHostsFile = builtins.toFile "known_hosts" " - pc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINu5lRKb1Ao4uj1tAV10QHKIvXfC8ncQ65b+oJtxrd1e - vm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS6LK6rCmJCR/rKVJYVmJTL8fAdyJSLlgC3mesd6QVS - vps ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdOuj27GB703ZRKRqhytlaLJsKucaRa//yswxijAZT7 - "; - matchBlocks."*".identityFile = config.age.secrets."id_ed25519".path; - }; - systemd.user.services.ssh-agent = let - agentTimeout = "1h"; - in { - Unit = { - Description = "SSH Agent"; - After = ["default.target"]; - }; - Service = { - ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent"; - ExecStart = - "${pkgs.openssh}/bin/ssh-agent " - + "-t ${agentTimeout} " - + "-a %t/ssh-agent"; - StandardOutput = "null"; - Type = "forking"; - Restart = "on-failure"; - SuccessExitStatus = "0 2"; - }; - }; - }; - }; -} 
diff --git a/secrets/id_ed25519.age b/secrets/id_ed25519.age index 4136ecc..00c540e 100644 Binary files a/secrets/id_ed25519.age and b/secrets/id_ed25519.age differ diff --git a/secrets/matrix.age b/secrets/matrix.age index 3ccb99d..0cf30e0 100644 Binary files a/secrets/matrix.age and b/secrets/matrix.age differ -- cgit 1.4.1