users in hosts

This commit is contained in:
Sam 2024-05-12 19:58:55 +01:00
parent acb21454c0
commit 240c099526
13 changed files with 205 additions and 11 deletions

.sops.yaml Normal file

@ -0,0 +1,11 @@
keys:
- &users:
- &sam age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
- &hosts:
- &nixdev age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *sam
- *nixdev
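Review bot: `path_regex: secrets.yaml$` leaves the dot unescaped, so the rule also matches a file whose name merely ends in `secrets-yaml` or `secretsXyaml`; `path_regex: secrets\.yaml$` is the intended pattern. The anchors on `- &users:` and `- &hosts:` include the trailing colon in the anchor name (YAML allows `:` there), which parses but reads as if a mapping key were intended; `- &users` and `- &hosts` express the same grouping without the ambiguity. Both recipients in the single key group can decrypt everything matched by the rule, so a compromise of the host key `nixdev` exposes the user-level secrets in this file as well — worth a one-line comment if that is the intended trust boundary.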


@ -32,6 +32,22 @@
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1715458492,
"narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8e47858badee5594292921c2668c11004c3b0142",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1714906307,
@ -52,7 +68,29 @@
"inputs": {
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1715482972,
"narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
"type": "github"
},
"original": {
"owner": "mic92",
"repo": "sops-nix",
"type": "github"
}
}
},


@ -12,6 +12,12 @@
# Home manager
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
# Secrets management
sops-nix = {
url = "github:mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
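Review bot: The new `sops-nix` input only follows `nixpkgs`, while the updated flake.lock in this commit shows sops-nix also declares a `nixpkgs-stable` input, so a second full nixpkgs checkout (`release-23.11`) is now pinned and fetched. Unless that stable tree is needed, `inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing `inputs.nixpkgs.follows = "nixpkgs";` removes the extra dependency from the lock. The enclosing `inputs = { … }` attribute set begins outside the hunk.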


@ -15,6 +15,7 @@
pkgs.kitty
pkgs.zathura
pkgs.xfce.thunar
#pkgs.age
];
programs.zsh = {


@ -0,0 +1,23 @@
{ inputs, config, ... }:
let
secretsFile = ../../../../secrets.yaml;
homeDirectory = config.home.homeDirectory;
in
{
imports = [
inputs.sops-nix.homeManagerModules.sops
];
sops = {
age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
secrets = {
"ssh_keys/sam" = {
path = "${homeDirectory}/.ssh/sam";
};
};
};
}
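Review bot: `validateSopsFiles = false;` disables the build-time check that `defaultSopsFile` exists and is actually sops-encrypted, which is the one safeguard against pointing the module at a wrong or plaintext file; since `secretsFile` is a path literal that the `"${secretsFile}"` interpolation already copies into the store, validation would work here, so the option should be dropped or its reason stated in a comment such as `# validation disabled because …`. `defaultSopsFile = secretsFile;` (without the string interpolation) is the more direct spelling. The decrypted value is an SSH private key written to `${homeDirectory}/.ssh/sam`; a short comment naming which host/user this key is for and that it relies on the module's default restrictive file mode would help the next reader.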


@ -8,6 +8,7 @@
./common/core
./common/optional/desktop/hyprland
./common/optional/desktop/waybar.nix
./common/optional/sops.nix
];
# ------


@ -0,0 +1,5 @@
{pkgs, ...}: {
imports = [
./sops.nix
];
}


@ -0,0 +1,22 @@
{ pkgs, inputs, config, configVars, ... }:
let
secretsDirectory = ../../../secrets.yaml;
secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = "/home/${configVars.username}";
in
{
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
}
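Review bot: `secretsDirectory = ../../../secrets.yaml;` already names the file, and `secretsFile = "${secretsDirectory}/secrets.yaml";` appends a second `secrets.yaml` component, so `defaultSopsFile` ends up as `<store path of secrets.yaml>/secrets.yaml`, which does not exist. `validateSopsFiles = false;` is what keeps this from failing at build time, and because no `sops.secrets` are declared in this module the broken path also goes unnoticed at activation. Replace the two `let` bindings and the `defaultSopsFile` line with `defaultSopsFile = ../../../secrets.yaml;` and remove `validateSopsFiles = false;` so the evaluation catches this class of mistake. `homeDirectory`, `pkgs`, `config` and `lib` are bound but unused in this file.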


@ -0,0 +1,22 @@
{ lib, config, ... }:
let
sshPort = 22;
in
{
services.openssh = {
enable = true;
ports = [ sshPort ];
settings = {
# Harden
PasswordAuthentication = true;
PermitRootLogin = "no";
# Automatically remove stale sockets
StreamLocalBindUnlink = "yes";
};
};
networking.firewall.allowedTCPPorts = [ sshPort ];
}
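Review bot: `PasswordAuthentication = true;` sits directly under the `# Harden` comment and contradicts it; together with the `password = "nixos"` default that `users/sam/default.nix` sets in this same commit and the firewall opening `sshPort`, a wheel user becomes reachable over SSH with a published password. The hardening the comment promises is `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;`, with key-based login provided by the `ssh-rsa` public key this commit also adds, which no `authorizedKeys` option visible in the diff currently references. `lib` and `config` are bound but unused in this module.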


@ -0,0 +1,25 @@
{ pkgs, inputs, config, lib, ... }:
{
users.users.sam = {
isNormalUser = true;
password = "nixos"; # Overridden if sops is working
shell = pkgs.zsh; # default shell
extraGroups = [
"wheel"
"docker"
"git"
"networkmanager"
];
};
programs.zsh.enable = true;
environment.systemPackages = [
pkgs.rsync
pkgs.curl
pkgs.tmux
pkgs.neovim
];
}
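Review bot: `password = "nixos"; # Overridden if sops is working` sets a plaintext, well-known password, but nothing in this commit performs the promised override — the `sam-password` entry encrypted in secrets.yaml is not referenced by any option, so the default stays in effect even when sops is working. The intended wiring is `hashedPasswordFile = config.sops.secrets."sam-password".path;` on the user together with `sops.secrets."sam-password".neededForUsers = true;`, which requires the stored value to be a password hash (e.g. `mkpasswd` output) rather than the plaintext; whether the encrypted value is already a hash cannot be told from the diff. Note that with `users.mutableUsers` at its default, a declared password only takes effect when the account is created, so the behaviour on an existing install should be checked. `inputs` and `lib` are bound but unused here.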


@ -0,0 +1 @@
ssh-rsa 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 samual.shop@protonmail.com :: laptop


@ -1,12 +1,21 @@
{ inputs, config, lib, pkgs, outputs, ... }:
{ inputs, config, lib, pkgs, outputs, configLib, ... }:
{
imports =
[
# Import core options
./hardware-configuration.nix
../common/core
# Import optional options
../common/optional/pipewire.nix
../common/optional/hyprland.nix
../common/optional/displayManager/sddm.nix
../common/optional/openssh
# Create users for this host
../common/users/sam
];
nixpkgs = {
@ -45,12 +54,12 @@
services.libinput.enable = true;
users.users.sam = {
isNormalUser = true;
extraGroups = [ "wheel" ];
};
# users.users.sam = {
# isNormalUser = true;
# extraGroups = [ "wheel" ];
# };
users.users.sam.shell = pkgs.zsh;
# users.users.sam.shell = pkgs.zsh;
environment.systemPackages = with pkgs; [
# curl
@ -81,14 +90,12 @@
enableSSHSupport = true;
};
programs.zsh.enable = true;
# programs.zsh.enable = true;
hardware = {
opengl.enable = true;
nvidia.modesetting.enable = true;
};
services.openssh.enable = true;
system.stateVersion = "23.11";
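Review bot: The `users.users.sam` block, `users.users.sam.shell = pkgs.zsh;` and `programs.zsh.enable = true;` are commented out rather than deleted now that `../common/users/sam` provides them; since git keeps the history, the commented copies only invite drift between the two definitions and should be removed. `configLib` is added to the module arguments in the first hunk but is not used in any visible line, so it is presumably consumed further down the file or can be dropped. Whether the remaining `services.openssh.enable = true;` line duplicates the imported `../common/optional/openssh` module cannot be told from the rendered diff; if it survives, a comment that the openssh module now owns this setting, or its removal, would avoid two sources of truth.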

secrets.yaml Normal file

@ -0,0 +1,32 @@
ssh_keys:
sam: ENC[AES256_GCM,data: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,iv:X0yg22/dPbSAUmTcb8lePZ403RI6oGNELTZFI6y68AQ=,tag:YfTESEm2GWJApi7LOvY8RA==,type:str]
sam-password: ENC[AES256_GCM,data:2TObp9d8fvWWsKyTVqNqSabhmcA+ZVo5N1qmn8N15ZXhb9G4sdfkPspnCZmxZ+FttfTvNYG8ZwcDzBAx2XbR8jRwGxljZaoBXQ==,iv:mysxYtfrE8KEkK0qO1C4+FgJYuWsKvsYVMAYRD0FW/Q=,tag:5LNmkZn1msT6n18BLLP4vA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbE1DejdDSTVhVmdrTC9r
Y3BLLytPem90UnUvQkpCZ3NMaFBhYytWUndzCkNUWElDOVVwc0dhWFRWL2ZFQXV4
Qi9PdDdqZHR2S2JkeXdEL3RQbXVQREkKLS0tIE5JcHVlTS9LellRM08wZUpiRS9Y
cE5LK1llSXVhYWVzUjg0Z0VoQVJIMDAKt+bCXwj6jMLiRDS+/4K3+z+8nc3lUFli
WWRVNOTUZT8Ckt5UjHWrZ/FOfgCupGiDD9Imsx1x37cgN0P88vib/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOG1jTEZYMmdFMWxzWGxE
cWp2QlM2N1hxYTlmN0NnRzJKczI4OWRtUW5nCmQ2YVB3SkNxVlFwL3ZVNm03K2U3
SFdDU1JXTXJjM1M5UzV1ckoyRGQ5R0EKLS0tIHFsSnk5VWlReW1VZmYvMW50OGJr
ZE90dTRDQWdUL0FXNC9IWFhKcEhocG8KF4F5wAnkwF2gfGa3jt2OHseY4NlqHqf2
/g2Huk8W6pni2K3XOnIrb+89JQaafI8AJgaBLl6kMrsGHx5Jqa2HjQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-12T17:16:39Z"
mac: ENC[AES256_GCM,data:WapNxbYGJC5P07Wh7L7N5na0k6/bNTtQLr0BZWlWBUObwVeCnP2ALBx0RcR34f5fQYGheM6W076AEmMBlmcKmGd8TFoxXikl4ZlCPumD6mp+f49V/YWSEzGKtoAKvdaG2D/1tV37INh/OV6fqyXapZkEEVc25AgjKwzYY8wdM4M=,iv:JDHwLh+Fuhs4WOmZU9/dyKbtH2dC7Adj/vt9/Tci6VM=,tag:qqjhwiYC8x6I1AkvZhyVSA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1