diff --git a/flake.lock b/flake.lock index b0baf46..8aa7f88 100644 --- a/flake.lock +++ b/flake.lock @@ -29,11 +29,11 @@ ] }, "locked": { - "lastModified": 1716431128, - "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=", + "lastModified": 1716773194, + "narHash": "sha256-rskkGmWlvYFb+CXedBiL8eWEuED0Es0XR4CkJ11RQKY=", "owner": "nix-community", "repo": "disko", - "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606", + "rev": "10986091e47fb1180620b78438512b294b7e8f67", "type": "github" }, "original": { @@ -126,11 +126,38 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716213921, + "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ "nixvim", - "pre-commit-hooks", + "git-hooks", "nixpkgs" ] }, @@ -228,11 +255,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716758960, - "narHash": "sha256-CcI0sEjih/z9ChQg81QY0+fyY//gx9KZ6CoMxAwWJBA=", + "lastModified": 1716818667, + "narHash": "sha256-t5TG+Y+T+U/a84pILOJgLBQwP6lE4MOMT1+W0+q26a8=", "ref": "refs/heads/master", - "rev": "d0f16258f5867769ed35445b24286cc831ff730c", - "revCount": 60, + "rev": "658287451387f15166fe7266b411aba50d520a61", + "revCount": 61, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, 
@@ -291,20 +318,20 @@ "flake-compat": "flake-compat", "flake-parts": "flake-parts", "flake-root": "flake-root", + "git-hooks": "git-hooks", "home-manager": "home-manager_2", "nix-darwin": "nix-darwin", "nixpkgs": [ "nixpkgs" ], - "pre-commit-hooks": "pre-commit-hooks", "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1716746631, - "narHash": "sha256-0/G9FQaVm321BoCKREwRqr4l93ZwtvW+4x8gjN67bWs=", + "lastModified": 1716814660, + "narHash": "sha256-lDy4PXkwQs3qBxVCdwOcNDJbWBCMJcoGfsHnr3U3Okg=", "owner": "nix-community", "repo": "nixvim", - "rev": "9697385115fe557468b2ddcbd1277602b3e58d5e", + "rev": "4175fac0ea144679b9818bfc3c7becfbd68e25a4", "type": "github" }, "original": { @@ -313,33 +340,6 @@ "type": "github" } }, - "pre-commit-hooks": { - "inputs": { - "flake-compat": "flake-compat_2", - "gitignore": "gitignore", - "nixpkgs": [ - "nixvim", - "nixpkgs" - ], - "nixpkgs-stable": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1716213921, - "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "root": { "inputs": { "disko": "disko", diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix index d47a7b2..b8b8351 100644 --- a/hosts/bootstrap/default.nix +++ b/hosts/bootstrap/default.nix 
@@ -3,17 +3,26 @@ let pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; + + # Disko setup + fsType = "btrfs"; + dev = "/dev/vda"; + encrypted = false; + btrfsMountDevice = "/dev/mapper/crypted"; in { imports = [ # Disk configuration inputs.sops-nix.nixosModules.sops + + # Disk configuration inputs.disko.nixosModules.disko - (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) - #(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; }) - ../common/optional/btrfs-impermanence.nix + (import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; }) + + # Impermanence inputs.impermanence.nixosModules.impermanence + (import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; }) # Import core options ./hardware-configuration.nix @@ -43,7 +52,6 @@ in ]; }; - i18n.defaultLocale = "en_GB.UTF-8"; console = { font = "Lat2-Terminus16"; diff --git a/hosts/common/optional/btrfs-impermanence.nix b/hosts/common/disks/btrfs-impermanence.nix similarity index 88% rename from hosts/common/optional/btrfs-impermanence.nix rename to hosts/common/disks/btrfs-impermanence.nix index ab94fb2..3f0e11c 100644 --- a/hosts/common/optional/btrfs-impermanence.nix +++ b/hosts/common/disks/btrfs-impermanence.nix @@ -1,8 +1,11 @@ -{lib, ...}: +{lib, btrfsMountDevice, ...}: +let + device = btrfsMountDevice; +in { boot.initrd.postDeviceCommands = lib.mkAfter '' mkdir /btrfs_tmp - mount /dev/mapper/crypted /btrfs_tmp + mount ${device} /btrfs_tmp if [[ -e /btrfs_tmp/root ]]; then mkdir -p /btrfs_tmp/old_roots timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") diff --git a/hosts/common/disks/default.nix b/hosts/common/disks/default.nix new file mode 100644 index 0000000..8a33d58 --- /dev/null +++ b/hosts/common/disks/default.nix 
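Review bot: `encrypted = false;` in the new let-block contradicts the layout this host actually gets: `btrfsMountDevice` is set to `/dev/mapper/crypted`, and in the `hosts/common/disks/default.nix` added by this commit the btrfs branch always selects `luks-btrfs-subvolumes.nix` without reading `encrypted`, so the flag is silently ignored and a reader would wrongly conclude the bootstrap disk is unencrypted. Set `encrypted = true;` to match the LUKS layout, or make the selector honor the flag before anything relies on it. The `# Disk configuration` comment above `inputs.sops-nix.nixosModules.sops` is a copy of the one below it; `# Secrets (sops-nix)` describes that line. `{ device = dev; fsType = fsType; encrypted = encrypted; }` can be written `{ device = dev; inherit fsType encrypted; }`.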
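Review bot: The `let device = btrfsMountDevice; in` alias adds an indirection with no benefit, and the device path is interpolated unquoted into the initrd shell script; `mount "${btrfsMountDevice}" /btrfs_tmp` reads directly and keeps the path intact in the shell. Because the module now takes a required `btrfsMountDevice` argument, it can no longer be listed as a bare path in `imports` the way the old `../common/optional/btrfs-impermanence.nix` line was; a default of `btrfsMountDevice ? "/dev/mapper/crypted"` (the value the old code hard-coded) would keep that working and document the expected value. The rest of `postDeviceCommands` continues outside the hunk.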
@@ -0,0 +1,7 @@ +{ device, fsType, encrypted, ... }: +let + ext4 = import ./gpt-bios-compact.nix { inherit device; }; + + btrfs = import ./luks-btrfs-subvolumes.nix { inherit device; }; +in +if fsType == "ext4" then ext4 else btrfs diff --git a/hosts/common/disks/luks-btrfs-subvolumes.nix b/hosts/common/disks/luks-btrfs-subvolumes.nix index e5e2953..3b902bd 100644 --- a/hosts/common/disks/luks-btrfs-subvolumes.nix +++ b/hosts/common/disks/luks-btrfs-subvolumes.nix @@ -25,12 +25,7 @@ content = { type = "luks"; name = "crypted"; - # disable settings.keyFile if you want to use interactive password entry passwordFile = "/tmp/luks_secret.key"; # Interactive -# settings = { -# allowDiscards = true; -# keyFile = "${sopsHashedPasswordFile}"; -# }; content = { type = "btrfs"; extraArgs = ["-f"]; diff --git a/hosts/common/optional/persistence.nix b/hosts/common/optional/persistence.nix index 1f2f8c4..7793c4c 100644 --- a/hosts/common/optional/persistence.nix +++ b/hosts/common/optional/persistence.nix @@ -8,6 +8,7 @@ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/NetworkManager/system-connections" + "/var/lib/flatpak" ]; files = [ "/etc/ssh/ssh_host_ed25519_key" diff --git a/hosts/common/users/admin/default.nix b/hosts/common/users/admin/default.nix index adedd87..430ef00 100644 --- a/hosts/common/users/admin/default.nix +++ b/hosts/common/users/admin/default.nix 
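Review bot: `encrypted` is bound in the argument set but never read: `if fsType == "ext4" then ext4 else btrfs` always yields the LUKS layout for btrfs, so a caller passing `encrypted = false` (as `hosts/bootstrap/default.nix` does in this commit) gets an encrypted disk with no warning. Either drop the parameter or make the selection fail loudly until an unencrypted layout exists, e.g. `else if encrypted then btrfs else throw "hosts/common/disks: unencrypted btrfs layout not implemented"`. The fallback branch also treats any unknown `fsType` as btrfs; `else if fsType == "btrfs" then btrfs else throw "hosts/common/disks: unsupported fsType '${fsType}'"` makes a typo fail at evaluation instead of at partitioning. A one-line header comment naming which file each branch selects would help too, since `gpt-bios-compact.nix` does not say it is the ext4 layout.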
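Review bot: With the explanatory comment removed, the trailing `# Interactive` on `passwordFile = "/tmp/luks_secret.key";` now says the opposite of what the line does: a passwordFile is non-interactive key material, written by `scripts/bootstrap.sh` just before install. Replace it with `# written by scripts/bootstrap.sh; remove to fall back to an interactive passphrase prompt`, if that fallback is indeed what disko does without a passwordFile (worth confirming). Dropping the commented `allowDiscards = true` also drops the only reminder that TRIM is off for this LUKS volume; a short note is cheaper than rediscovering it later. The enclosing `content` attribute set continues outside the hunk.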
@@ -1,24 +1,55 @@ { pkgs, inputs, config, lib, ... }: let + username = "admin"; pubKeys = lib.filesystem.listFilesRecursive (../keys); + hostname = config.networking.hostName; + sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path; + secretsDirectory = builtins.toString inputs.nix-secrets; + secretsFile = "${secretsDirectory}/secrets.yaml"; + in { - users.users.admin = { + users.users.${username} = { isNormalUser = true; - password = "nixos"; # Overridden if sops is working shell = pkgs.zsh; # default shell - + hashedPasswordFile = sopsHashedPasswordFile; openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); extraGroups = - [ "qemu-libvirtd" "libvirtd" - "wheel" "video" "audio" "disk" "networkmanager" + [ + "wheel" ]; + packages = with pkgs; [ + flatpak + gnome.gnome-software + ]; + }; + + sops.secrets = { + "passwords/${username}" = { + sopsFile = "${secretsFile}"; + neededForUsers = true; + }; + "ssh_keys/${username}/id_ed25519" = { + path = "/home/${username}/.ssh/id_ed25519"; + mode = "0600"; + owner = "${username}"; + }; + "ssh_keys/${username}/id_ed25519.pub" = { + path = "/home/${username}/.ssh/id_ed25519.pub"; + mode = "0644"; + owner = "${username}"; + }; }; programs.zsh.enable = true; + programs.fuse.userAllowOther = true; - environment.systemPackages = [ - ]; + home-manager = { + extraSpecialArgs = { inherit inputs; }; + users = { + ${username} = import ../../../../home/${hostname}.nix; + }; + }; } diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix index 06bae66..41f52f4 100644 --- a/hosts/sparky/default.nix +++ b/hosts/sparky/default.nix 
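Review bot: `sopsHashedPasswordFile` guards on `lib.hasAttr "sops-nix" inputs`, but the same file declares `sops.secrets."passwords/${username}"` unconditionally, so without sops-nix evaluation already fails on the undefined `sops` option and the guard never helps; when it did fire it would set `hashedPasswordFile = ""`, an empty path rather than "no file", and the removed `password = "nixos"` fallback no longer catches that. Use `hashedPasswordFile = config.sops.secrets."passwords/${username}".path;` directly, or put both the option and the secret declaration under the same `lib.mkIf` condition. `owner = "${username}";` and `sopsFile = "${secretsFile}";` interpolate values that are already strings; `owner = username;` and `sopsFile = secretsFile;` are the idiomatic forms. The private key placed at `/home/${username}/.ssh/id_ed25519` relies on sops-nix creating `~/.ssh` before the user's first login; if that directory ends up root-owned the user cannot write `known_hosts` later, which is worth confirming on a fresh host.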
@@ -1,15 +1,7 @@ { inputs, config, lib, pkgs, outputs,... }: -let - dev = "/dev/vda"; -in { imports = [ - # Disk configuration - inputs.disko.nixosModules.disko - (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) - ../common/optional/btrfs-impermanence.nix - # Create users for this host ../common/users/media @@ -31,13 +23,6 @@ in }; }; - environment.persistence."/persist" = { - hideMounts = true; - directories = [ - "/var/lib/flatpak" - ]; - }; - networking = { hostName = "sparky"; networkmanager.enable = true; diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 3fde864..ce85882 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -60,16 +60,11 @@ sed -i "{ /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/} }" $SOPS_FILE -just update-sops-secrets && just update-flake-secrets && just update-flake - # Extract luks key from secrets -luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"sparky""\"]' ../nix-secrets/secrets.yaml") +luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ../nix-secrets/secrets.yaml") echo "$luks_secret" > /tmp/luks_secret.key # Install Nixos to target -cd "$HOME/nixos" -git add . && git commit -m "auto: bootstrapping $hostname" && git push - SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 
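Review bot: `echo "$luks_secret" > /tmp/luks_secret.key` (context line) still writes the LUKS passphrase into the world-shared /tmp under the caller's default umask, typically 0644, and nothing in the script removes it after `nixos-anywhere` returns; wrap the write as `( umask 077; echo "$luks_secret" > /tmp/luks_secret.key )` and add `rm -f /tmp/luks_secret.key` after the install step, keeping `echo` so the key bytes, trailing newline included, stay identical to existing installs. The new `$hostname` interpolation into the `sops --extract` selector is fine only as long as the hostname cannot contain a quote or `]`; if it comes from user input earlier in the script, validate it there. Dropping `cd "$HOME/nixos"` makes `--flake .#"$config"` and `../nix-secrets/secrets.yaml` depend on the directory the script is invoked from; if the script does not already cd there earlier (outside this hunk), state that requirement in a comment at the top or restore the cd.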
@@ -91,6 +86,10 @@ do done echo "$ip is now online and port 22 is open!" +# Commit and push changes +just update-sops-secrets && just update-flake-secrets && just update-flake +git add . && git commit -m "auto: bootstrapping $hostname" && git push + # Authorise source public key echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
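Review bot: Moving `just update-sops-secrets && just update-flake-secrets && just update-flake` to after the install changes what the new host boots with: the sed earlier in the script adds `$HOST_AGE_KEY` to `$SOPS_FILE`, and if `update-sops-secrets` is the step that re-encrypts `secrets.yaml` for that key, the `nix-secrets` input pinned when `nixos-anywhere` ran predates the re-key, so sops-nix on the target (including the `neededForUsers` password secret in `hosts/common/users/admin/default.nix`) would fail to decrypt on first boot until the lock is updated and the host rebuilt. If the order is deliberate, say so in the `# Commit and push changes` comment; otherwise keep the re-key before the install and move only the commit and push here. `git add .` also stages every untracked file in the working tree, which is risky for an unattended commit; an explicit path list for the files this script edits is safer.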