From 0f83b32f2b95e2f4b14507e100479ac5ea84bf09 Mon Sep 17 00:00:00 2001
From: mrsu
Date: Tue, 25 Jun 2024 22:04:28 +0100
Subject: [PATCH] deploy key added in hosts
---
 flake.lock | 26 +++++-----
 home/common/core/default.nix | 2 +-
 home/overseer.nix | 1 -
 hosts/common/disks/btrfs-luks.nix | 2 +-
 hosts/common/disks/zfs.nix | 76 ++++++++++++++++++++++++++++
 hosts/common/users/admin/default.nix | 12 ++---
 6 files changed, 97 insertions(+), 22 deletions(-)
 create mode 100644 hosts/common/disks/zfs.nix
diff --git a/flake.lock b/flake.lock
index 266bfb0..3038f93 100644
--- a/flake.lock
+++ b/flake.lock
@@ -278,11 +278,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1719333598,
- "narHash": "sha256-f587IOaoY3UYHzXzVPsfexkZ82N3UXPTNQths8+a8TA=",
+ "lastModified": 1719345965,
+ "narHash": "sha256-ZxnKEatJu/wVxLy0M7UnCVvemU3P5vVvVoueAR289fk=",
 "ref": "refs/heads/master",
- "rev": "53dcdfe690d3393a16c3e110c1c183d0ec1d6711",
- "revCount": 116,
+ "rev": "24db3bffa6b914d0389ff801c054dd48535872a4",
+ "revCount": 121,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
@@ -340,11 +340,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1719075281,
- "narHash": "sha256-CyyxvOwFf12I91PBWz43iGT1kjsf5oi6ax7CrvaMyAo=",
+ "lastModified": 1719254875,
+ "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "a71e967ef3694799d0c418c98332f7ff4cc5f6af",
+ "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60",
 "type": "github"
 },
 "original": {
@@ -368,11 +368,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1719131261,
- "narHash": "sha256-rtcRg/aaZ72Fb7NCFz87ATvmS7LyHKbkY9gwJRqhJK8=",
+ "lastModified": 1719340721,
+ "narHash": "sha256-SfjI1Ir3Zs7w5lXXsmJ/MhB3V1Z1gHl9K2dFaEiy/GM=",
 "owner": "nix-community",
 "repo": "nixvim",
- "rev": "066485bf4c4cd83f01a75d46556ba2037e716604",
+ "rev": "1fdbf40c177fc2edfcd3c63fadf4a6f596edc6af",
 "type": "github"
 },
 "original": {
@@ -384,11 +384,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1719326701,
- "narHash": "sha256-IDEPbakCvjk61uX19cnmSB8fsdFTmMe5Wt4bCyIUGdA=",
+ "lastModified": 1719344711,
+ "narHash": "sha256-k389PPp1HG9xk3yXn4Q/eAY/K+qm/+kbHLq9hfo+m14=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "a331f41142ed524ce58ed0df1c72a7d0b13ec867",
+ "rev": "85596df878b1b71a54e1de3835ac6135c1bb8744",
 "type": "github"
 },
 "original": {
diff --git a/home/common/core/default.nix b/home/common/core/default.nix
index 18dcc14..fa6bc24 100644
--- a/home/common/core/default.nix
+++ b/home/common/core/default.nix
@@ -29,5 +29,5 @@
 libqalculate
 ;
 };
- home.stateVersion = "24.04";
+ home.stateVersion = "24.05";
 }
diff --git a/home/overseer.nix b/home/overseer.nix
index 9e3f0c5..1445a0d 100644
--- a/home/overseer.nix
+++ b/home/overseer.nix
@@ -8,7 +8,6 @@
 # Import optional
 ./common/optional/git.nix
- ./common/optional/sops.nix
 ];
 }
diff --git a/hosts/common/disks/btrfs-luks.nix b/hosts/common/disks/btrfs-luks.nix
index 29df75a..cd0031b 100644
--- a/hosts/common/disks/btrfs-luks.nix
+++ b/hosts/common/disks/btrfs-luks.nix
@@ -1,4 +1,4 @@
-{device ? throw "Must define a device, e.g. /dev/sda"}:
+{device ? throw "Must define a devices, e.g. /dev/sda"}:
 {
 disko.devices = {
 disk = {
diff --git a/hosts/common/disks/zfs.nix b/hosts/common/disks/zfs.nix
new file mode 100644
index 0000000..2265b89
--- /dev/null
+++ b/hosts/common/disks/zfs.nix
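Review bot: The rewritten throw message on the first line of the btrfs-luks.nix hunk, "Must define a devices, e.g. /dev/sda", is ungrammatical and the old wording was correct; the example still names a single device, so the plural reads as a typo rather than an interface change. The same string is introduced in the new hosts/common/disks/zfs.nix, so fix both to `{device ? throw "Must define a device, e.g. /dev/sda"}:` (or, if a list is intended, rename the argument and example to match).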
@@ -0,0 +1,76 @@
+{device ? throw "Must define a devices, e.g. /dev/sda"}:
+{
+ disko.devices = {
+ disk = {
+ b = {
+ type = "disk";
+ device = "/dev/vdb";
+ content = {
+ type = "gpt";
+ partitions = {
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ c = {
+ type = "disk";
+ device = "/dev/vdc";
+ content = {
+ type = "gpt";
+ partitions = {
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+ zpool = {
+ zroot = {
+ type = "zpool";
+ mode = "mirror";
+ rootFsOptions = {
+ compression = "zstd";
+ "com.sun:auto-snapshot" = "false";
+ };
+ mountpoint = "/";
+ postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot@blank$' || zfs snapshot zroot@blank";
+
+ datasets = {
+ zfs_fs = {
+ type = "zfs_fs";
+ mountpoint = "/zfs_fs";
+ options."com.sun:auto-snapshot" = "true";
+ };
+ encrypted = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "none";
+ encryption = "aes-256-gcm";
+ keyformat = "passphrase";
+ keylocation = "file:///tmp/secret.key";
+ };
+ # use this to read the key during boot
+ # postCreateHook = ''
+ # zfs set keylocation="prompt" "zroot/$name";
+ # '';
+ };
+ "encrypted/test" = {
+ type = "zfs_fs";
+ mountpoint = "/zfs_crypted";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/common/users/admin/default.nix b/hosts/common/users/admin/default.nix
index 430ef00..7843ebc 100644
--- a/hosts/common/users/admin/default.nix
+++ b/hosts/common/users/admin/default.nix
@@ -15,14 +15,9 @@ in
 hashedPasswordFile = sopsHashedPasswordFile;
 openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
- extraGroups =
- [
- "wheel"
- ];
+ extraGroups = ["wheel"];
 packages = with pkgs; [
- flatpak
- gnome.gnome-software
 ];
 };
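Review bot: In the new zfs.nix the `device` argument on the first line is mandatory (it throws when omitted) but is never referenced; both members of the mirror are hard-coded to `/dev/vdb` and `/dev/vdc`, so a caller passing a different device silently gets the wrong disks. Either drop the argument or take the pair explicitly, e.g. `{devices ? throw "Must define two devices, e.g. [ \"/dev/vdb\" \"/dev/vdc\" ]"}:` and use `device = builtins.elemAt devices 0;` / `device = builtins.elemAt devices 1;` in `disk.b` and `disk.c`. Separately, `keylocation = "file:///tmp/secret.key"` is stored as a persistent property of the `encrypted` dataset, so after installation the pool keeps pointing at a temporary path that will normally no longer exist and `zfs load-key` can be expected to fail at boot; the commented-out `postCreateHook` that runs `zfs set keylocation="prompt"` looks like the intended fix and should be enabled rather than left as a comment. Keeping the passphrase in a fixed, predictable `/tmp` path during install is also worth a comment noting that the file must be created with owner-only permissions and removed once the dataset is created.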
@@ -41,6 +36,11 @@ in
 mode = "0644";
 owner = "${username}";
 };
+ "ssh_keys/deploy_key/id_ed25519" = {
+ path = "/home/${username}/.ssh/deploy_key-ssh-ed25519";
+ mode = "0644";
+ owner = "${username}";
+ };
 };
 programs.zsh.enable = true;
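Review bot: The new `"ssh_keys/deploy_key/id_ed25519"` entry installs a private SSH key with `mode = "0644"`, which makes the key readable by every local account, and OpenSSH refuses to use an identity file that is group- or world-readable ("Permissions ... are too open"), so the deploy key would be both exposed and unusable as written. Change it to `mode = "0600";`. The sibling entry above also uses `0644`, but the hunk does not show what secret it holds, so it may be legitimately public; the enclosing attribute set (presumably the sops secrets declaration) starts before the hunk.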