added persist test, nixvim to flake, user ssh config

2024-05-25 15:23:00 +00:00 · 2024-05-25 15:23:00 +00:00 · 486a03ca47
parent 2d0c12a033
commit 486a03ca47
9 changed files with 312 additions and 15 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,27 @@
 {
  "nodes": {
+    "devshell": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1713532798,
+        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -20,6 +42,112 @@
        "type": "github"
      }
    },
+    "flake-compat": {
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "revCount": 57,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+      }
+    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1715865404,
+        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-root": {
+      "locked": {
+        "lastModified": 1713493429,
+        "narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
+        "owner": "srid",
+        "repo": "flake-root",
+        "rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "repo": "flake-root",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "nixvim",
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -40,6 +168,27 @@
        "type": "github"
      }
    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1716448020,
+        "narHash": "sha256-u1ddoBOILtLVX4NYzqSZ9Qaqusql1M4reLd1fs554hY=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "25dedb0d52c20448f6a63cc346df1adbd6ef417e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "impermanence": {
      "locked": {
        "lastModified": 1708968331,
@ -55,6 +204,27 @@
        "type": "github"
      }
    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1716329735,
+        "narHash": "sha256-ap51w+VqG21vuzyQ04WrhI2YbWHd3UGz0e7dc/QQmoA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "eac4f25028c1975a939c8f8fba95c12f8a25e01c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "nix-secrets": {
      "flake": false,
      "locked": {
@ -115,6 +285,61 @@
        "type": "github"
      }
    },
+    "nixvim": {
+      "inputs": {
+        "devshell": "devshell",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-root": "flake-root",
+        "home-manager": "home-manager_2",
+        "nix-darwin": "nix-darwin",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks": "pre-commit-hooks",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1716566815,
+        "narHash": "sha256-WO3MF4W1SrSD0lanU1n7dfuHizeSLfDHJNEir9exlcM=",
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "rev": "9d858de2e9ab136d1c53d92af62fed8fccf492ab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1716213921,
+        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "disko": "disko",
@ -123,6 +348,7 @@
        "nix-secrets": "nix-secrets",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixvim": "nixvim",
        "sops-nix": "sops-nix"
      }
    },
@ -146,6 +372,42 @@
        "repo": "sops-nix",
        "type": "github"
      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1715940852,
+        "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -11,6 +11,15 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    # Nixvim
+    nixvim = {
+      url = "github:nix-community/nixvim";
+      # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
+      # url = "github:nix-community/nixvim/nixos-23.05";
+
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    # Declarative partitioning and formatting
    disko = {
      url = "github:nix-community/disko";
--- a/home/common/core/default.nix
+++ b/home/common/core/default.nix
@ -2,5 +2,6 @@
 {
  imports = [
    ./zsh.nix
+    ./ssh.nix
  ] ;
 }
--- a/home/common/core/ssh.nix
+++ b/home/common/core/ssh.nix
@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  programs.ssh = {
+    enable = true;
+    matchBlocks = {
+      "git.bitlab21.com" = {
+       identitiesOnly = true;
+       identityFile = "~/.ssh/deploy_key-ssh-ed25519";
+      };
+    };
+  };
+}
--- a/home/common/optional/sops.nix
+++ b/home/common/optional/sops.nix
@ -13,9 +13,10 @@ in

  sops = {
    age.sshKeyPaths = ["${homeDirectory}/.ssh/id_ed25519"];
-
    defaultSopsFile = "${secretsFile}";
    validateSopsFiles = false;
-
+    secrets."ssh_keys/deploy_key/id_ed25519" = {
+      path = "/home/${username}/.ssh/deploy_key-ssh-ed25519";
+  };
  };
 }
--- a/hosts/common/core/sops.nix
+++ b/hosts/common/core/sops.nix
@ -1,8 +1,9 @@
-{ pkgs, inputs, config, username, ... }:
+{ pkgs, lib, inputs, config, username, ... }:

 let
  secretsDirectory = builtins.toString inputs.nix-secrets;
  secretsFile = "${secretsDirectory}/secrets.yaml";
+  hasOptinPersistence = config.environment.persistence ? "/persist";
  hostname = config.networking.hostName;
 in
 {
@ -15,7 +16,7 @@ in
    validateSopsFiles = false;

    age = {
-      sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
+      sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
    };
    secrets =  {
        "passwords/root".neededForUsers = true;
--- a/hosts/common/optional/openssh.nix
+++ b/hosts/common/optional/openssh.nix
@ -1,6 +1,7 @@
 { lib, config, ... }:
 let
  sshPort = 22;
+  hasOptinPersistence = config.environment.persistence ? "/persist";
 in

 {
@ -9,7 +10,7 @@ in
    ports = [ sshPort ];
    authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
    hostKeys = [{
-      path = "/persist/etc/ssh/ssh_host_ed25519_key";
+      path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }];
    settings = {
--- a/hosts/common/users/media/default.nix
+++ b/hosts/common/users/media/default.nix
@ -2,9 +2,10 @@
 let
  pubKeys = lib.filesystem.listFilesRecursive (../keys);
  hostname = config.networking.hostName;
-  sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/media".path;
+  sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${user}".path;
  secretsDirectory = builtins.toString inputs.nix-secrets;
  secretsFile = "${secretsDirectory}/secrets.yaml";
+  user = "media";

 in 
 {
@ -23,7 +24,7 @@ in

  environment.persistence."/persist" = {
    hideMounts = true;
-    users.media= {
+    users.${user}= {
        directories = [
          "sync"
          "keep"
@ -39,19 +40,29 @@ in
    };
  };

-  sops.secrets."passwords/media" = {
+  sops.secrets."passwords/${user}" = {
    sopsFile = "${secretsFile}";
    neededForUsers = true;
  };

-  sops.secrets."ssh_keys/media/id_ed25519" = {
-    path = "/home/media/.ssh/id_ed25519";
+  sops.secrets."ssh_keys/${user}/id_ed25519" = {
+    path = "/home/${user}/.ssh/id_ed25519";
+    mode = "0600";
+    owner = config.users.users.media.name;
  };

-  sops.secrets."ssh_keys/media/id_ed25519.pub" = {
-    path = "/home/media/.ssh/id_ed25519.pub";
+  sops.secrets."ssh_keys/${user}/id_ed25519.pub" = {
+    path = "/home/${user}/.ssh/id_ed25519.pub";
+    mode = "0644";
+    owner = config.users.users.media.name;
  };

+#  # Need to change ownership of the secrets as they are created as root
+#  system.activationScripts.sopsSetAgeKeyOwnwership = ''
+#    mkdir -p /home/${user}/.config || true
+#    chown -R ${user}:users /home/${user}/.config
+#  '';
+
  services.flatpak.enable = true;
  users.users.media = {
    packages = with pkgs; [
@ -66,7 +77,7 @@ in
  home-manager = {
    extraSpecialArgs = { inherit inputs; };
    users = {
-      media = import ../../../../home/${hostname}.nix;
+      ${user} = import ../../../../home/${hostname}.nix;
    };
  };
 }
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@ -1,8 +1,6 @@
 { inputs, config, lib, pkgs, outputs,... }:
 let
  sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
-  secretsDirectory = builtins.toString inputs.nix-secrets;
-  secretsFile = "${secretsDirectory}/secrets.yaml";
 in
 {
  imports =