diff --git a/flake.lock b/flake.lock index f1fb516..18aef8e 100644 --- a/flake.lock +++ b/flake.lock @@ -58,11 +58,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1715874814, - "narHash": "sha256-6/+UqZ8szxgfDUqOoohJes3dp35N1S/WMMb3O5sXMxw=", + "lastModified": 1715968354, + "narHash": "sha256-SqWi7qdDTdWV8eNfe/AgPI2qa+CR9xvSqeW+bUlgrQs=", "ref": "refs/heads/master", - "rev": "dc3f14aae4111cd318f4c42c91382bf884101556", - "revCount": 6, + "rev": "e2756ddf1b86a9fa574740fe7e9d12c3996a24a1", + "revCount": 10, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/flake.nix b/flake.nix index 4c93abd..104f6f1 100644 --- a/flake.nix +++ b/flake.nix @@ -81,10 +81,10 @@ ./hosts/bootstrap ]; }; - media = nixpkgs.lib.nixosSystem { + sparky = nixpkgs.lib.nixosSystem { inherit specialArgs; modules = [ - ./hosts/media + ./hosts/sparky home-manager.nixosModules.home-manager{ home-manager.extraSpecialArgs = specialArgs; } diff --git a/home/common/optional/sops.nix b/home/common/optional/sops.nix index 9164eb3..a4e96f2 100644 --- a/home/common/optional/sops.nix +++ b/home/common/optional/sops.nix @@ -1,8 +1,10 @@ -{ inputs, config, ... }: +{ inputs, config, osConfig, ... }: let secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; homeDirectory = config.home.homeDirectory; + username = config.home.username; + hostname = osConfig.networking.hostName; in { imports = [ @@ -16,11 +18,11 @@ in validateSopsFiles = false; secrets = { - "ssh_keys/sam/gitea" = { - path = "${homeDirectory}/.ssh/gitea"; + "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = { + path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519"; }; - "ssh_keys/sam/gitea.pub" = { - path = "${homeDirectory}/.ssh/gitea.pub"; + "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = { + path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519.pub"; }; }; }; diff --git a/home/media.nix b/home/sparky.nix similarity index 100% rename from home/media.nix rename to home/sparky.nix diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix index 874f876..667587b 100644 --- a/hosts/common/core/default.nix +++ b/hosts/common/core/default.nix @@ -9,6 +9,7 @@ pkgs.curl pkgs.just pkgs.git + pkgs.neovim ]; } diff --git a/hosts/media/default.nix b/hosts/sparky/default.nix similarity index 71% rename from hosts/media/default.nix rename to hosts/sparky/default.nix index 7444f7e..5d378c0 100644 --- a/hosts/media/default.nix +++ b/hosts/sparky/default.nix @@ -4,8 +4,8 @@ imports = [ # Disk configuration - #inputs.disko.nixosModules.disko - #(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) + inputs.disko.nixosModules.disko + (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence @@ -41,6 +41,7 @@ ]; users.media = { directories = [ + "sync" "keep" ".ssh" ]; @@ -56,7 +57,7 @@ }; networking = { - hostName = "media"; + hostName = "sparky"; networkmanager.enable = true; enableIPv6 = false; }; @@ -67,33 +68,29 @@ enable = true; ports = [22]; # FIXME: Make this use configVars.networking settings.PermitRootLogin = "yes"; - # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611 - # this mitigates the security issue caused by enabling u2fAuth in pam authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; }; }; + services.libinput.enable = true; + services.displayManager.defaultSession = "cinnamon"; + + services.xserver = { + enable = true; + #libinput.enable = true; + displayManager.lightdm.enable = true; + desktopManager = { + cinnamon.enable = true; + }; + #displayManager.defaultSession = "cinnamon"; + }; security.pam = { sshAgentAuth.enable = true; - #FIXME the above is deprecated in 24.05 but we will wait until release - #sshAgentAuth.enable = true; services = { sudo.u2fAuth = true; }; }; - # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config. - # programs.ssh.startAgent = true; - - environment.systemPackages = builtins.attrValues { - inherit(pkgs) - wget - curl - git - rsync; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; system.stateVersion = "23.11"; } diff --git a/hosts/media/hardware-configuration.nix b/hosts/sparky/hardware-configuration.nix similarity index 55% rename from hosts/media/hardware-configuration.nix rename to hosts/sparky/hardware-configuration.nix index ab1d5d8..0a2bb19 100644 --- a/hosts/media/hardware-configuration.nix +++ b/hosts/sparky/hardware-configuration.nix @@ -13,38 +13,6 @@ boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa"; - fsType = "btrfs"; - options = [ "subvol=root" ]; - }; - - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa"; - fsType = "btrfs"; - options = [ "subvol=nix" ]; - }; - - fileSystems."/.swapvol" = - { device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa"; - fsType = "btrfs"; - options = [ "subvol=swap" ]; - }; - - fileSystems."/persist" = - { device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa"; - fsType = "btrfs"; - options = [ "subvol=persist" ]; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/7619-58F2"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 6ae4165..18ad867 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -21,8 +21,8 @@ read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config KEY_DIR="$HOME/keys/$hostname/" mkdir -p $KEY_DIR -echo "Creating ssh keys for new host. Will create in current directory: "$KEY_DIR -KEY_NAME="ssh_ed25519_key_$hostname" +echo "Creating ssh keys for new host." +KEY_NAME="$username@$hostname-ssh-ed25519" KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts) confirm_delete="" @@ -30,8 +30,8 @@ confirm_delete="" [ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete [ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts -echo "Copying pubkey to target host" -ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip" +echo "Copying deploy_key pubkey to target host" +ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip" overwrite="" [ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite @@ -39,7 +39,7 @@ overwrite="" [ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N "" echo "Copying ssh key to target host:" -scp -i "$KEY_DIR/ssh_ed25519_key_$hostname"* "root@$ip:/etc/ssh/" +scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/" [ $? != 0 ] && echo "Error copying keys to target host" && exit 1 echo "Generating age key from ssh key" @@ -76,12 +76,12 @@ done echo "$ip is now online and port 22 is open!" echo "Configuring ssh keys on target host to enable connection to gitea:" -ssh-copy-id -i "$HOME/.ssh/gitea.pub" "$username@$ip" +ssh-copy-id -i "$HOME/.ssh/deploy_key-ssh-ed25519.pub" "$username@$ip" read -r -d '' config << EOM Host git.bitlab21.com IdentitiesOnly yes StrictHostKeyChecking no - IdentityFile ~/.ssh/gitea + IdentityFile ~/.ssh/deploy_key-ssh-ed25519 EOM # Append the string to file on target machine @@ -119,7 +119,7 @@ done echo "Copying gitea private ssh key to host" echo "New password is 'nixos'" -rsync -av "$(readlink -n "$HOME/.ssh/gitea" )" "$username@$ip":~/.ssh/gitea +rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" "$username@$ip":~/.ssh/deploy_key-ssh-ed25519 ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'" ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"