From d9317de584c66b068a336889aa9adc3ac3837e5e Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sat, 21 Jan 2023 17:34:49 +0200
Subject: change deploy-rs to nixinate, change user to use passwordFile, add password age secret, remove NetworkManager-wait-online.service
---
 profiles/core.nix | 3 ---
 profiles/gentoo.nix | 22 ++++++++++++++++++++++
 profiles/network.nix | 7 +++++++
 profiles/ssh.nix | 8 +++++---
 profiles/user.nix | 19 +++++++++++--------
 5 files changed, 45 insertions(+), 14 deletions(-)
 create mode 100644 profiles/gentoo.nix
(limited to 'profiles')
diff --git a/profiles/core.nix b/profiles/core.nix
index f578621..e23879f 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -23,9 +23,6 @@
 users.mutableUsers = false;
 environment.defaultPackages = lib.mkForce [];
- # dont do this
- users.users.root.initialPassword = "hunter2";
-
 age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
 };
 }
\ No newline at end of file
diff --git a/profiles/gentoo.nix b/profiles/gentoo.nix
new file mode 100644
index 0000000..67f7e78
--- /dev/null
+++ b/profiles/gentoo.nix
@@ -0,0 +1,22 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+ imports = [];
+ config = {
+ nativeStdenv = prev.stdenvAdapters.withCFlags [ "-O3" "-pipe" "-mcpu=apple-m1" ]
+ (prev.overrideCC prev.llvmPackages_latest.stdenv
+ (prev.wrapCCWith rec {
+ cc = prev.llvmPackages_latest.clang-unwrapped;
+ bintools = (final.wrapBintoolsWith {
+ coreutils = final.uutils-coreutils;
+ libc = final.musl;
+ bintools = final.binutils-unwrapped.overrideAttrs
+ (old: {
+ postInstall = ''
+ ln -sf ${final.mold}/bin/mold $out/bin/ld
+ '';
+ });
+ });
+ }));
+ };
+}
\ No newline at end of file
diff --git a/profiles/network.nix b/profiles/network.nix
index 0ba325b..1b3026b 100644
--- a/profiles/network.nix
+++ b/profiles/network.nix
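Review bot: `prev` and `final` are not bound anywhere in the new profiles/gentoo.nix: the file is written as a NixOS module taking `{ pkgs, lib, config, inputs, ... }`, yet every reference inside `nativeStdenv` (`prev.stdenvAdapters`, `prev.overrideCC`, `final.wrapBintoolsWith`, `final.mold`, …) uses overlay argument names, so evaluation fails with an undefined-variable error as soon as the file is imported. `nativeStdenv` is also not a declared NixOS option, so even with the names fixed the module system would reject `config.nativeStdenv` unless an `options.nativeStdenv` declaration exists elsewhere in the repository. If this is meant to be an overlay, the header should become `final: prev: {` and the body reduce to the single `nativeStdenv = …;` attribute; if it is meant to stay a module, the stdenv has to be built from `pkgs` and attached through `nixpkgs.overlays` or a declared option. The `rec` on the `wrapCCWith` attribute set is unused, since none of its attributes refers to a sibling.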
@@ -22,6 +22,13 @@
 '';
 };
+ # Don't wait for network startup
+ # https://old.reddit.com/r/NixOS/comments/vdz86j/how_to_remove_boot_dependency_on_network_for_a
+ systemd = {
+ targets.network-online.wantedBy = pkgs.lib.mkForce []; # Normally ["multi-user.target"]
+ services.NetworkManager-wait-online.wantedBy = pkgs.lib.mkForce []; # Normally ["network-online.target"]
+ };
+
 services.dnscrypt-proxy2 = {
 enable = true;
 settings = {
diff --git a/profiles/ssh.nix b/profiles/ssh.nix
index e0a623a..4c12cc7 100644
--- a/profiles/ssh.nix
+++ b/profiles/ssh.nix
@@ -5,10 +5,7 @@
 services.openssh = {
 enable = true;
 openFirewall = false;
- passwordAuthentication = false;
- kbdInteractiveAuthentication = false;
 allowSFTP = false;
- permitRootLogin = "no";
 startWhenNeeded = true;
 extraConfig = ''
 AllowTcpForwarding yes
@@ -20,6 +17,11 @@
 AllowUsers tzlil
 '';
+ settings = {
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ kbdInteractiveAuthentication = false;
+ };
 };
 environment.persistence."/nix/persist" = {
 hideMounts = true;
diff --git a/profiles/user.nix b/profiles/user.nix
index 6ae1261..6aa8262 100644
--- a/profiles/user.nix
+++ b/profiles/user.nix
@@ -9,13 +9,23 @@
 inputs.home-manager.nixosModules."home-manager"
 ];
 config = {
+ age.secrets = {
+ id_ed25519 = {
+ file = ../secrets/id_ed25519.age;
+ mode = "600";
+ owner = "tzlil";
+ group = "users";
+ };
+ password.file = ../secrets/password.age;
+ };
+
 users.users.tzlil = {
 isNormalUser = true;
 description = "Me";
 extraGroups = ["wheel"];
 packages = [pkgs.git];
 shell = pkgs.fish;
- hashedPassword = "$5$itsrHkJPRhLdik0x$RxCXp8KmiPVa1dMQhHMQsjLgvx27MmeQ9ZVybV8bzE8";
+ passwordFile = config.age.secrets.password.path;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
 ];
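Review bot: After the two `mkForce []` lines, `network-online.target` no longer pulls in `NetworkManager-wait-online.service` and is no longer wanted by `multi-user.target`, so ordering a unit `after = [ "network-online.target" ]` no longer guarantees a link is up; the `services.dnscrypt-proxy2` block immediately below is the first unit to check, since it now has to tolerate starting before any interface is configured. The two comment lines hint at this but state only the goal, so I would replace the reddit link line with `# network-online.target is reached immediately at boot; units that need connectivity must retry rather than order after it`. The enclosing module's argument list is outside the hunk, but `pkgs.lib.mkForce` is used here while `core.nix` in the same commit writes `lib.mkForce`; if `lib` is an argument of this module, the same spelling keeps the profiles consistent.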
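Review bot: The keys moved into `services.openssh.settings` in the second ssh.nix hunk are spelled camelCase (`permitRootLogin`, `passwordAuthentication`, `kbdInteractiveAuthentication`), but the option names under `settings` are the sshd_config keywords themselves: `PermitRootLogin`, `PasswordAuthentication`, `KbdInteractiveAuthentication`. Depending on the nixpkgs revision this either fails evaluation or — because `settings` is freeform — the camelCase keys are rendered next to the module's own defaults (`PasswordAuthentication yes`, `KbdInteractiveAuthentication yes`, `PermitRootLogin prohibit-password`), and since sshd honours the first occurrence of each keyword the hardening that the removed top-level options provided could silently stop applying, re-enabling password logins for `tzlil`. The block should read `settings = { PermitRootLogin = "no"; PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`, and the effective values are worth confirming on the host with `sshd -T` after the rebuild.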
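Review bot: `passwordFile` in the user.nix hunk must point at a file holding a crypt(3) hash — the same format the removed `hashedPassword` literal used — not a plaintext password, and nothing in the hunk says so; a comment on the `password.file` line such as `# contents: a crypt(3) hash (e.g. mkpasswd -m sha-512), not the password itself` would spare the next reader a locked-out account under `users.mutableUsers = false`. The hash that was committed in the old `hashedPassword` line remains in git history, so the secret behind `password.age` should be a fresh password rather than the same one re-encrypted. `config.age.secrets.password.path` is only usable if the agenix module decrypts secrets before the `users` activation step; presumably it does, as `passwordFile` is its documented use case, but it is worth confirming on the first boot. Leaving `password` at agenix's default root-only mode while `id_ed25519` is explicitly `600`/`tzlil` is the right split, since only root's activation script needs to read the hash.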
@@ -24,13 +34,6 @@
 nix.settings.allowed-users = ["root" "tzlil"];
 nix.settings.trusted-users = ["root" "tzlil"];
- age.secrets.id_ed25519 = {
- file = ../secrets/id_ed25519.age;
- mode = "600";
- owner = "tzlil";
- group = "users";
- };
-
 home-manager = {
 useGlobalPkgs = true;
 useUserPackages = true;
--
cgit 1.4.1