added persist test, nixvim to flake, user ssh config
This commit is contained in:
parent
2d0c12a033
commit
486a03ca47
262
flake.lock
262
flake.lock
@ -1,5 +1,27 @@
{
"nodes": {
"devshell": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1713532798,
"narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
"owner": "numtide",
"repo": "devshell",
"rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@ -20,6 +42,112 @@
"type": "github"
}
},
"flake-compat": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1715865404,
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-root": {
"locked": {
"lastModified": 1713493429,
"narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
"owner": "srid",
"repo": "flake-root",
"rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "flake-root",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nixvim",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -40,6 +168,27 @@
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716448020,
"narHash": "sha256-u1ddoBOILtLVX4NYzqSZ9Qaqusql1M4reLd1fs554hY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "25dedb0d52c20448f6a63cc346df1adbd6ef417e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1708968331,
@ -55,6 +204,27 @@
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716329735,
"narHash": "sha256-ap51w+VqG21vuzyQ04WrhI2YbWHd3UGz0e7dc/QQmoA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "eac4f25028c1975a939c8f8fba95c12f8a25e01c",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-secrets": {
"flake": false,
"locked": {
@ -115,6 +285,61 @@
"type": "github"
}
},
"nixvim": {
"inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-root": "flake-root",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1716566815,
"narHash": "sha256-WO3MF4W1SrSD0lanU1n7dfuHizeSLfDHJNEir9exlcM=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "9d858de2e9ab136d1c53d92af62fed8fccf492ab",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixvim",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
@ -123,6 +348,7 @@
"nix-secrets": "nix-secrets",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"nixvim": "nixvim",
"sops-nix": "sops-nix"
}
},
@ -146,6 +372,42 @@
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1715940852,
"narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",
@ -11,6 +11,15 @@
inputs.nixpkgs.follows = "nixpkgs";
};
|
# Nixvim
nixvim = {
url = "github:nix-community/nixvim";
# If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
# url = "github:nix-community/nixvim/nixos-23.05";
|
inputs.nixpkgs.follows = "nixpkgs";
};
|
# Declarative partitioning and formatting
disko = {
url = "github:nix-community/disko";
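Review bot: The new `nixvim` input pins only `nixpkgs` to the root's copy, yet the lock shows nixvim carrying its own `home-manager_2` next to the root-level `home-manager`; if the root flake already declares a `home-manager` input, adding `inputs.home-manager.follows = "home-manager";` under the nixpkgs follows avoids evaluating two home-manager revisions and leaves one less transitive pin to track. The `# url = "github:nix-community/nixvim/nixos-23.05";` comment names a specific release branch that will drift from the channel actually in use; a version-free comment such as `# Pin to the nixvim branch matching your nixpkgs release (nixos-<release>) when not on unstable` stays accurate. The enclosing `inputs` attrset starts and ends outside the hunk.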
@ -2,5 +2,6 @@
{
imports = [
./zsh.nix
./ssh.nix
] ;
}
@ -0,0 +1,13 @@
{ config, pkgs, ... }:
|
{
programs.ssh = {
enable = true;
matchBlocks = {
"git.bitlab21.com" = {
identitiesOnly = true;
identityFile = "~/.ssh/deploy_key-ssh-ed25519";
};
};
};
}
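Review bot: `identityFile = "~/.ssh/deploy_key-ssh-ed25519"` restates by hand the location the sops module in this same commit writes the key to (`/home/${username}/.ssh/deploy_key-ssh-ed25519`); the two strings only agree while the home directory is `/home/<username>`, and if either side is moved later the client silently stops offering the key. Since this module already receives `config`, `identityFile = config.sops.secrets."ssh_keys/deploy_key/id_ed25519".path;` binds the match block to wherever the secret is actually materialised. `pkgs` is taken in the argument set but never used. `identitiesOnly = true` is the right choice for a deploy key: it keeps the client from presenting every agent-loaded identity to the forge.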
@ -13,9 +13,10 @@ in
|
sops = {
age.sshKeyPaths = ["${homeDirectory}/.ssh/id_ed25519"];
|
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
|
secrets."ssh_keys/deploy_key/id_ed25519" = {
path = "/home/${username}/.ssh/deploy_key-ssh-ed25519";
};
};
}
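Review bot: The new secret's `path = "/home/${username}/.ssh/deploy_key-ssh-ed25519"` hardcodes `/home/` while `age.sshKeyPaths` a few lines above derives the same directory from `${homeDirectory}`; `path = "${homeDirectory}/.ssh/deploy_key-ssh-ed25519";` keeps both following the real home directory. This is a private deploy key, so unless the home-manager sops module already defaults to an owner-only mode, set `mode = "0600";` explicitly, as the NixOS-side `id_ed25519` secret in media.nix in this commit does. A one-line comment above the block, `# Deploy key for git.bitlab21.com; referenced by programs.ssh.matchBlocks in ssh.nix`, lets a reader find the consumer without grepping.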
@ -1,8 +1,9 @@
{ pkgs, inputs, config, username, ... }:
{ pkgs, lib, inputs, config, username, ... }:
|
let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
hasOptinPersistence = config.environment.persistence ? "/persist";
hostname = config.networking.hostName;
in
{
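Review bot: `hasOptinPersistence = config.environment.persistence ? "/persist"` assumes the `environment.persistence` option is declared on every host importing this module; on a host that does not import the impermanence module the attribute lookup on `config` fails evaluation instead of yielding `false`, so if such hosts exist the guard should be `config ? environment.persistence && config.environment.persistence ? "/persist"` (or `lib.hasAttrByPath [ "environment" "persistence" "/persist" ] config`). The same binding and the same `"${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key"` expression are repeated in this file's second hunk (`age.sshKeyPaths`) and twice in the openssh module hunks (`hostKeys.path`); the sops age key and the sshd host key must resolve to the same file or secrets stop decrypting at boot, so computing that path once and sharing it (a small option or a `specialArgs` value) removes the chance of the copies drifting. A comment on the binding, `# Host key lives under /persist only when the impermanence /persist mount is configured`, would also help. `hostname` is bound but unused in the visible lines; the file body continues past the hunk.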
@ -15,7 +16,7 @@ in
validateSopsFiles = false;
|
age = {
sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
};
secrets = {
"passwords/root".neededForUsers = true;
@ -1,6 +1,7 @@
{ lib, config, ... }:
let
sshPort = 22;
hasOptinPersistence = config.environment.persistence ? "/persist";
in
|
{
@ -9,7 +10,7 @@ in
ports = [ sshPort ];
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
hostKeys = [{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}];
settings = {
@ -2,9 +2,10 @@
let
pubKeys = lib.filesystem.listFilesRecursive (../keys);
hostname = config.networking.hostName;
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/media".path;
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${user}".path;
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
user = "media";
|
in
{
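Review bot: `user = "media";` is bound several lines after its first use in `sopsHashedPasswordFile`; a Nix `let` is recursive so this evaluates, but a reader scanning top-down meets `${user}` before its definition, so move `user = "media";` to the first line of the `let`. The attrset that opens with `{` at the end of the hunk continues outside it.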
@ -23,7 +24,7 @@ in
|
environment.persistence."/persist" = {
hideMounts = true;
users.media= {
users.${user}= {
directories = [
"sync"
"keep"
@ -39,19 +40,29 @@ in
};
};
|
sops.secrets."passwords/media" = {
sops.secrets."passwords/${user}" = {
sopsFile = "${secretsFile}";
neededForUsers = true;
};
|
sops.secrets."ssh_keys/media/id_ed25519" = {
path = "/home/media/.ssh/id_ed25519";
sops.secrets."ssh_keys/${user}/id_ed25519" = {
path = "/home/${user}/.ssh/id_ed25519";
mode = "0600";
owner = config.users.users.media.name;
};
|
sops.secrets."ssh_keys/media/id_ed25519.pub" = {
path = "/home/media/.ssh/id_ed25519.pub";
sops.secrets."ssh_keys/${user}/id_ed25519.pub" = {
path = "/home/${user}/.ssh/id_ed25519.pub";
mode = "0644";
owner = config.users.users.media.name;
};
|
# # Need to change ownership of the secrets as they are created as root
# system.activationScripts.sopsSetAgeKeyOwnwership = ''
# mkdir -p /home/${user}/.config || true
# chown -R ${user}:users /home/${user}/.config
# '';
|
services.flatpak.enable = true;
users.users.media = {
packages = with pkgs; [
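Review bot: The `${user}` refactor stops halfway in this hunk: `owner = config.users.users.media.name;` still hardcodes the account on both secrets, and `users.users.media = {` at the end of the hunk does too, so a later change of `user` would leave the key files owned by a different account than the one whose `~/.ssh` they are written into. Change both owner lines to `owner = config.users.users.${user}.name;` and the definition to `users.users.${user} = {`. The newly added commented-out `system.activationScripts.sopsSetAgeKeyOwnwership` block is dead code — the `owner` attribute on each secret already establishes ownership — and should be deleted rather than kept as a comment; if the `.config` chown is still needed for something, state that need in a one-line comment instead. The `users.users.media` attrset continues past the hunk.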
@ -66,7 +77,7 @@ in
home-manager = {
extraSpecialArgs = { inherit inputs; };
users = {
media = import ../../../../home/${hostname}.nix;
${user} = import ../../../../home/${hostname}.nix;
};
};
}
@ -1,8 +1,6 @@
{ inputs, config, lib, pkgs, outputs,... }:
let
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in
{
imports =