From 486a03ca4766c501a9d4da71116184b48a1122ab Mon Sep 17 00:00:00 2001 From: Sam Date: Sat, 25 May 2024 15:23:00 +0000 Subject: [PATCH] added persist test, nixvim to flake, user ssh config --- flake.lock | 262 +++++++++++++++++++++++++++ flake.nix | 9 + home/common/core/default.nix | 1 + home/common/core/ssh.nix | 13 ++ home/common/optional/sops.nix | 5 +- hosts/common/core/sops.nix | 5 +- hosts/common/optional/openssh.nix | 3 +- hosts/common/users/media/default.nix | 27 ++- hosts/sparky/default.nix | 2 - 9 files changed, 312 insertions(+), 15 deletions(-) create mode 100644 home/common/core/ssh.nix diff --git a/flake.lock b/flake.lock index 9c8838e..a6b40a8 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,27 @@ { "nodes": { + "devshell": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1713532798, + "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=", + "owner": "numtide", + "repo": "devshell", + "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ 
@@ -20,6 +42,112 @@ "type": "github" } }, + "flake-compat": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715865404, + "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-root": { + "locked": { + "lastModified": 1713493429, + "narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=", + "owner": "srid", + "repo": "flake-root", + "rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "flake-root", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + 
"type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nixvim", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -40,6 +168,27 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716448020, + "narHash": "sha256-u1ddoBOILtLVX4NYzqSZ9Qaqusql1M4reLd1fs554hY=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "25dedb0d52c20448f6a63cc346df1adbd6ef417e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "impermanence": { "locked": { "lastModified": 1708968331, @@ -55,6 +204,27 @@ "type": "github" } }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716329735, + "narHash": "sha256-ap51w+VqG21vuzyQ04WrhI2YbWHd3UGz0e7dc/QQmoA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "eac4f25028c1975a939c8f8fba95c12f8a25e01c", + "type": "github" + }, + "original": { + "owner": "lnl7", + "repo": "nix-darwin", + "type": "github" + } + }, "nix-secrets": { "flake": false, "locked": { 
@@ -115,6 +285,61 @@ "type": "github" } }, + "nixvim": { + "inputs": { + "devshell": "devshell", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-root": "flake-root", + "home-manager": "home-manager_2", + "nix-darwin": "nix-darwin", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": "pre-commit-hooks", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1716566815, + "narHash": "sha256-WO3MF4W1SrSD0lanU1n7dfuHizeSLfDHJNEir9exlcM=", + "owner": "nix-community", + "repo": "nixvim", + "rev": "9d858de2e9ab136d1c53d92af62fed8fccf492ab", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716213921, + "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "disko": "disko", @@ -123,6 +348,7 @@ "nix-secrets": "nix-secrets", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", + "nixvim": "nixvim", "sops-nix": "sops-nix" } }, 
@@ -146,6 +372,42 @@
 "repo": "sops-nix",
 "type": "github"
 }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "treefmt-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixvim",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1715940852,
+ "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 104f6f1..7d38e83 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,6 +11,15 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ # Nixvim
+ nixvim = {
+ url = "github:nix-community/nixvim";
+ # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
+ # url = "github:nix-community/nixvim/nixos-23.05";
+
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 # Declarative partitioning and formatting
 disko = {
 url = "github:nix-community/disko";
diff --git a/home/common/core/default.nix b/home/common/core/default.nix
index 48a1333..30edb09 100644
--- a/home/common/core/default.nix
+++ b/home/common/core/default.nix
@@ -2,5 +2,6 @@
 {
 imports = [
 ./zsh.nix
+ ./ssh.nix
 ] ;
 }
diff --git a/home/common/core/ssh.nix b/home/common/core/ssh.nix
new file mode 100644
index 0000000..605a98c
--- /dev/null
+++ b/home/common/core/ssh.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+ programs.ssh = {
+ enable = true;
+ matchBlocks = {
+ "git.bitlab21.com" = {
+ identitiesOnly = true;
+ identityFile = "~/.ssh/deploy_key-ssh-ed25519";
+ };
+ };
+ };
+}
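Review bot: The `identityFile` in the new match block is a string literal that has to stay in step with the secret path declared separately in home/common/optional/sops.nix (`/home/${username}/.ssh/deploy_key-ssh-ed25519`); if either side is renamed the two drift silently, and because `identitiesOnly = true` ssh then offers no other key, so git access to that host simply stops working. Referencing the secret keeps them coupled and makes the dependency explicit: `identityFile = config.sops.secrets."ssh_keys/deploy_key/id_ed25519".path;` (the home-manager sops-nix module exposes `path` on each secret as the NixOS one does). Note also that ssh.nix is imported from core while the secret is provisioned by the optional sops module, so a home configuration that omits the optional module gets a match block pointing at a key that never exists; the reference above at least fails evaluation loudly instead. `config` and `pkgs` in the argument set are unused.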
diff --git a/home/common/optional/sops.nix b/home/common/optional/sops.nix
index b08cc52..345bafd 100644
--- a/home/common/optional/sops.nix
+++ b/home/common/optional/sops.nix
@@ -13,9 +13,10 @@ in
 sops = {
 age.sshKeyPaths = ["${homeDirectory}/.ssh/id_ed25519"];
- defaultSopsFile = "${secretsFile}";
 validateSopsFiles = false;
-
+ secrets."ssh_keys/deploy_key/id_ed25519" = {
+ path = "/home/${username}/.ssh/deploy_key-ssh-ed25519";
+ };
 };
 }
diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix
index 97c9a3a..fa71d2c 100644
--- a/hosts/common/core/sops.nix
+++ b/hosts/common/core/sops.nix
@@ -1,8 +1,9 @@
-{ pkgs, inputs, config, username, ... }:
+{ pkgs, lib, inputs, config, username, ... }:
 let
 secretsDirectory = builtins.toString inputs.nix-secrets;
 secretsFile = "${secretsDirectory}/secrets.yaml";
+ hasOptinPersistence = config.environment.persistence ? "/persist";
 hostname = config.networking.hostName;
 in
 {
@@ -15,7 +16,7 @@ in
 validateSopsFiles = false;
 age = {
- sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
+ sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
 };
 secrets = {
 "passwords/root".neededForUsers = true;
diff --git a/hosts/common/optional/openssh.nix b/hosts/common/optional/openssh.nix
index 1ed4db4..b224739 100644
--- a/hosts/common/optional/openssh.nix
+++ b/hosts/common/optional/openssh.nix
@@ -1,6 +1,7 @@
 { lib, config, ... }:
 let
 sshPort = 22;
+ hasOptinPersistence = config.environment.persistence ? "/persist";
 in
 {
@@ -9,7 +10,7 @@ in
 ports = [ sshPort ];
 authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
 hostKeys = [{
- path = "/persist/etc/ssh/ssh_host_ed25519_key";
+ path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
 type = "ed25519";
 }];
 settings = {
diff --git a/hosts/common/users/media/default.nix b/hosts/common/users/media/default.nix
index 2242421..358075b 100644
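Review bot: Removing `defaultSopsFile` in the same hunk that adds `secrets."ssh_keys/deploy_key/id_ed25519"` without a `sopsFile` of its own leaves nothing in this file saying which encrypted file the new secret is decrypted from; unless `defaultSopsFile` is set in another module, expect an evaluation error or the wrong file being consulted. If the global default is meant to go, give the secret its source explicitly, `sopsFile = secretsFile;`, assuming the `secretsFile` binding the removed line referenced is still in the `let` above (if it is not used anywhere else it is now dead code and should go too). The `path` under `~/.ssh` also repeats the literal in home/common/core/ssh.nix, so consumers would do better to read `config.sops.secrets."ssh_keys/deploy_key/id_ed25519".path` than to keep two copies aligned by hand.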
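Review bot: `config.environment.persistence ? "/persist"` only tests for the `"/persist"` attribute inside `config.environment.persistence`; when the impermanence module is not imported there is no `persistence` option at all, so the expression aborts evaluation instead of yielding `false`, which defeats the purpose of making the host-key path conditional in a core module. The same expression is added in hosts/common/optional/openssh.nix. A form that tolerates the option being absent is `hasOptinPersistence = lib.hasAttrByPath [ "environment" "persistence" "/persist" ] config;`. Since sops-nix's `age.sshKeyPaths` and sshd's `hostKeys` now each derive the same location independently, a single shared binding (an option or a `let` in a common module) would keep them from drifting apart — if they ever name different files, decryption of every host secret fails silently after the next rebuild.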
--- a/hosts/common/users/media/default.nix
+++ b/hosts/common/users/media/default.nix
@@ -2,9 +2,10 @@ let
 pubKeys = lib.filesystem.listFilesRecursive (../keys);
 hostname = config.networking.hostName;
- sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/media".path;
+ sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${user}".path;
 secretsDirectory = builtins.toString inputs.nix-secrets;
 secretsFile = "${secretsDirectory}/secrets.yaml";
+ user = "media";
 in
 {
@@ -23,7 +24,7 @@ in
 environment.persistence."/persist" = {
 hideMounts = true;
- users.media= {
+ users.${user}= {
 directories = [
 "sync"
 "keep"
@@ -39,19 +40,29 @@ in
 };
 };
- sops.secrets."passwords/media" = {
+ sops.secrets."passwords/${user}" = {
 sopsFile = "${secretsFile}";
 neededForUsers = true;
 };
- sops.secrets."ssh_keys/media/id_ed25519" = {
- path = "/home/media/.ssh/id_ed25519";
+ sops.secrets."ssh_keys/${user}/id_ed25519" = {
+ path = "/home/${user}/.ssh/id_ed25519";
+ mode = "0600";
+ owner = config.users.users.media.name;
 };
- sops.secrets."ssh_keys/media/id_ed25519.pub" = {
- path = "/home/media/.ssh/id_ed25519.pub";
+ sops.secrets."ssh_keys/${user}/id_ed25519.pub" = {
+ path = "/home/${user}/.ssh/id_ed25519.pub";
+ mode = "0644";
+ owner = config.users.users.media.name;
 };
+# # Need to change ownership of the secrets as they are created as root
+# system.activationScripts.sopsSetAgeKeyOwnwership = ''
+# mkdir -p /home/${user}/.config || true
+# chown -R ${user}:users /home/${user}/.config
+# '';
+
 services.flatpak.enable = true;
 users.users.media = {
 packages = with pkgs; [
@@ -66,7 +77,7 @@ in
 home-manager = {
 extraSpecialArgs = { inherit inputs; };
 users = {
- media = import ../../../../home/${hostname}.nix;
+ ${user} = import ../../../../home/${hostname}.nix;
 };
 };
 }
diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix
index c1e8c09..f0b80a6 100644
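Review bot: `owner = config.users.users.media.name;` in both new ssh-key secret blocks hard-codes the user name while every other reference in this hunk was switched to `${user}`, so changing `user` would move the key files but leave them owned by a different account; use `owner = config.users.users.${user}.name;` in both places. The commented-out `system.activationScripts.sopsSetAgeKeyOwnwership` block should be deleted rather than committed: the `owner`/`mode` attributes it sits next to are the replacement for it, and dead activation code that runs `chown -R` on a home directory is exactly the kind of thing that gets uncommented later without review. The `0600`/`0644` split between private and public key is correct; the context line `users.users.media = {` is still a literal, which the same `${user}` treatment would fix in a follow-up.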
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@@ -1,8 +1,6 @@
 { inputs, config, lib, pkgs, outputs,... }:
 let
 sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
- secretsDirectory = builtins.toString inputs.nix-secrets;
- secretsFile = "${secretsDirectory}/secrets.yaml";
 in
 {
 imports =