users in hosts
This commit is contained in:
parent
acb21454c0
commit
240c099526
|
|
@ -0,0 +1,11 @@
|
|||
keys:
|
||||
- &users:
|
||||
- &sam age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
|
||||
- &hosts:
|
||||
- &nixdev age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
|
||||
creation_rules:
|
||||
- path_regex: secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *sam
|
||||
- *nixdev
|
||||
40
flake.lock
40
flake.lock
|
|
@ -32,6 +32,22 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1715458492,
|
||||
"narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8e47858badee5594292921c2668c11004c3b0142",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1714906307,
|
||||
|
|
@ -52,7 +68,29 @@
|
|||
"inputs": {
|
||||
"home-manager": "home-manager",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1715482972,
|
||||
"narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
|
||||
"owner": "mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
|||
|
|
@ -12,6 +12,12 @@
|
|||
# Home manager
|
||||
home-manager.url = "github:nix-community/home-manager";
|
||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
# Secrets management
|
||||
sops-nix = {
|
||||
url = "github:mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = {
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@
|
|||
pkgs.kitty
|
||||
pkgs.zathura
|
||||
pkgs.xfce.thunar
|
||||
#pkgs.age
|
||||
];
|
||||
|
||||
programs.zsh = {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,23 @@
|
|||
{ inputs, config, ... }:
|
||||
let
|
||||
secretsFile = ../../../../secrets.yaml;
|
||||
homeDirectory = config.home.homeDirectory;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
inputs.sops-nix.homeManagerModules.sops
|
||||
];
|
||||
|
||||
sops = {
|
||||
age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
|
||||
|
||||
defaultSopsFile = "${secretsFile}";
|
||||
validateSopsFiles = false;
|
||||
|
||||
secrets = {
|
||||
"ssh_keys/sam" = {
|
||||
path = "${homeDirectory}/.ssh/sam";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -8,6 +8,7 @@
|
|||
./common/core
|
||||
./common/optional/desktop/hyprland
|
||||
./common/optional/desktop/waybar.nix
|
||||
./common/optional/sops.nix
|
||||
];
|
||||
|
||||
# ------
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
{pkgs, ...}: {
|
||||
imports = [
|
||||
./sops.nix
|
||||
];
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
{ pkgs, inputs, config, configVars, ... }:
|
||||
let
|
||||
secretsDirectory = ../../../secrets.yaml;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
homeDirectory = "/home/${configVars.username}";
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = "${secretsFile}";
|
||||
validateSopsFiles = false;
|
||||
|
||||
age = {
|
||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
keyFile = "/var/lib/sops-nix/key.txt";
|
||||
generateKey = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
sshPort = 22;
|
||||
in
|
||||
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
ports = [ sshPort ];
|
||||
|
||||
settings = {
|
||||
# Harden
|
||||
PasswordAuthentication = true;
|
||||
PermitRootLogin = "no";
|
||||
# Automatically remove stale sockets
|
||||
StreamLocalBindUnlink = "yes";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ sshPort ];
|
||||
}
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
{ pkgs, inputs, config, lib, ... }:
|
||||
{
|
||||
users.users.sam = {
|
||||
isNormalUser = true;
|
||||
password = "nixos"; # Overridden if sops is working
|
||||
shell = pkgs.zsh; # default shell
|
||||
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
"docker"
|
||||
"git"
|
||||
"networkmanager"
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
programs.zsh.enable = true;
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.rsync
|
||||
pkgs.curl
|
||||
pkgs.tmux
|
||||
pkgs.neovim
|
||||
];
|
||||
}
|
||||
|
|
@ -0,0 +1 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgPtDNQEN97mnrq/v9RPMUaSjLpIaF/ga/L41xETB9h0y5jdpPUMbZ6uTV6vW8Vm1YW2tzEs2l1lxb9yTrsK8hdVfz8/vWvDSbsUIJn3gOQSOTNQ+nNFFYlKqNhypK+3Mn8BD7EeJaLNK8Ahr/87PS0c/B5YN+TcntsEZpsXF7U2CCqMh559JXp1byie7DuwTYUdvjdDtCidYNphGoEljuzID+lJFBYsaa5SQFlmrr7HcQfaE/MwyxyPRryRnlO7E9k12BrL56UONYycyTf4dyK9MnhhO0wAkIoHyd46/sAdgvNrloY4I+WLjUOqKY6vys8kxG7xNcmN5XfeDJXrPMhW5N0Kz2dc/Yu8SOG8weCiz7uuDjcxYz9eK5cxKgg37A+drbgddoHTi7GCM5Q6wN2Jlig0++6Xo2CGOUKpNOmGBRGAjlIByXYWu1KFRBVclXZES/g38274gRihVk3WCbtLEUafS7wsl8ruMmecU7rhDL7fITd2hWvBkONpA7RxLlMTBfMAEXuq4hOystGZeZj7KusPG4purJDtT+3rCcl5LZ8cn4G5fvINTbXeix5pOz/TdSGNTSJW7ML2W0W6Q+2kVO0l2N/+6IA/rPa4j+AwTODBxWkWVHEBRncJ5hIh5iFz+dSnmllkwOi41tbDFmdGuDeyQ0dsq4wXrBzXGfxw== samual.shop@protonmail.com :: laptop
|
||||
|
|
@ -1,12 +1,21 @@
|
|||
{ inputs, config, lib, pkgs, outputs, ... }:
|
||||
{ inputs, config, lib, pkgs, outputs, configLib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Import core options
|
||||
./hardware-configuration.nix
|
||||
../common/core
|
||||
|
||||
# Import optional options
|
||||
../common/optional/pipewire.nix
|
||||
../common/optional/hyprland.nix
|
||||
../common/optional/displayManager/sddm.nix
|
||||
../common/optional/openssh
|
||||
|
||||
# Create users for this host
|
||||
../common/users/sam
|
||||
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
|
|
@ -45,12 +54,12 @@
|
|||
|
||||
services.libinput.enable = true;
|
||||
|
||||
users.users.sam = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
};
|
||||
# users.users.sam = {
|
||||
# isNormalUser = true;
|
||||
# extraGroups = [ "wheel" ];
|
||||
# };
|
||||
|
||||
users.users.sam.shell = pkgs.zsh;
|
||||
# users.users.sam.shell = pkgs.zsh;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
# curl
|
||||
|
|
@ -81,14 +90,12 @@
|
|||
enableSSHSupport = true;
|
||||
};
|
||||
|
||||
programs.zsh.enable = true;
|
||||
|
||||
# programs.zsh.enable = true;
|
||||
hardware = {
|
||||
opengl.enable = true;
|
||||
nvidia.modesetting.enable = true;
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,32 @@
|
|||
ssh_keys:
|
||||
sam: ENC[AES256_GCM,data:kxUxu5TLJMYfJHLm1AoFkD8xYgxyj7kE8/cEVbm/BvvzPUCe2gvwrZpdEkPBRDMyOQk569szohQ5txPXLj/dYZpAqabqDCr2yNTNPTiOZX7mUp6tH8vWUUmoMRVpJFwdHpanmC8BaKWjgR4E/X293iVQiZ4pQz5QFaMzBQtnZehwNOKgBHIc8Ll/MTu17DmzVQSxrdK/jakBwVfsdV+NTZfGEXjTC5UlvoyeIyODuIiAifvFcB6n/mxxZ4rXHBYZrC0IusDgWvJ74GdYrNaIwnQIwEkWEyhKncDBJehWvlSabsYI02nW41BSMUgA+r/Lu1KwAU83QgW74FRBeC4ZEoL2cRMPTTJP69O3TqJ3CeWOSq1kHScpsSEP/8sGoDS5rX7WQFyHky5oecZlTvjNnklRztnftXL/rsFNOSouFoaAQGU5ay+7y7K8bAsveZVyImyCdGlf+864RxL1wD/oz1DIiYE/gR19bGPRJumDlBOufEHCH0ONU+8PZwpLMMpFVZ3HEMQYsva4eKZfMd5W,iv:X0yg22/dPbSAUmTcb8lePZ403RI6oGNELTZFI6y68AQ=,tag:YfTESEm2GWJApi7LOvY8RA==,type:str]
|
||||
sam-password: ENC[AES256_GCM,data:2TObp9d8fvWWsKyTVqNqSabhmcA+ZVo5N1qmn8N15ZXhb9G4sdfkPspnCZmxZ+FttfTvNYG8ZwcDzBAx2XbR8jRwGxljZaoBXQ==,iv:mysxYtfrE8KEkK0qO1C4+FgJYuWsKvsYVMAYRD0FW/Q=,tag:5LNmkZn1msT6n18BLLP4vA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbE1DejdDSTVhVmdrTC9r
|
||||
Y3BLLytPem90UnUvQkpCZ3NMaFBhYytWUndzCkNUWElDOVVwc0dhWFRWL2ZFQXV4
|
||||
Qi9PdDdqZHR2S2JkeXdEL3RQbXVQREkKLS0tIE5JcHVlTS9LellRM08wZUpiRS9Y
|
||||
cE5LK1llSXVhYWVzUjg0Z0VoQVJIMDAKt+bCXwj6jMLiRDS+/4K3+z+8nc3lUFli
|
||||
WWRVNOTUZT8Ckt5UjHWrZ/FOfgCupGiDD9Imsx1x37cgN0P88vib/A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOG1jTEZYMmdFMWxzWGxE
|
||||
cWp2QlM2N1hxYTlmN0NnRzJKczI4OWRtUW5nCmQ2YVB3SkNxVlFwL3ZVNm03K2U3
|
||||
SFdDU1JXTXJjM1M5UzV1ckoyRGQ5R0EKLS0tIHFsSnk5VWlReW1VZmYvMW50OGJr
|
||||
ZE90dTRDQWdUL0FXNC9IWFhKcEhocG8KF4F5wAnkwF2gfGa3jt2OHseY4NlqHqf2
|
||||
/g2Huk8W6pni2K3XOnIrb+89JQaafI8AJgaBLl6kMrsGHx5Jqa2HjQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-12T17:16:39Z"
|
||||
mac: ENC[AES256_GCM,data:WapNxbYGJC5P07Wh7L7N5na0k6/bNTtQLr0BZWlWBUObwVeCnP2ALBx0RcR34f5fQYGheM6W076AEmMBlmcKmGd8TFoxXikl4ZlCPumD6mp+f49V/YWSEzGKtoAKvdaG2D/1tV37INh/OV6fqyXapZkEEVc25AgjKwzYY8wdM4M=,iv:JDHwLh+Fuhs4WOmZU9/dyKbtH2dC7Adj/vt9/Tci6VM=,tag:qqjhwiYC8x6I1AkvZhyVSA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
Loading…
Reference in New Issue