changed media to sparky

This commit is contained in:
Sam 2024-05-17 20:17:53 +01:00
parent 878fffd900
commit 9df3bf2ff8
8 changed files with 38 additions and 70 deletions


@ -58,11 +58,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1715874814, "lastModified": 1715968354,
"narHash": "sha256-6/+UqZ8szxgfDUqOoohJes3dp35N1S/WMMb3O5sXMxw=", "narHash": "sha256-SqWi7qdDTdWV8eNfe/AgPI2qa+CR9xvSqeW+bUlgrQs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "dc3f14aae4111cd318f4c42c91382bf884101556", "rev": "e2756ddf1b86a9fa574740fe7e9d12c3996a24a1",
"revCount": 6, "revCount": 10,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },


@ -81,10 +81,10 @@
./hosts/bootstrap ./hosts/bootstrap
]; ];
}; };
media = nixpkgs.lib.nixosSystem { sparky = nixpkgs.lib.nixosSystem {
inherit specialArgs; inherit specialArgs;
modules = [ modules = [
./hosts/media ./hosts/sparky
home-manager.nixosModules.home-manager{ home-manager.nixosModules.home-manager{
home-manager.extraSpecialArgs = specialArgs; home-manager.extraSpecialArgs = specialArgs;
} }


@ -1,8 +1,10 @@
{ inputs, config, ... }: { inputs, config, osConfig, ... }:
let let
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = config.home.homeDirectory; homeDirectory = config.home.homeDirectory;
username = config.home.username;
hostname = osConfig.networking.hostName;
in in
{ {
imports = [ imports = [
@ -16,11 +18,11 @@ in
validateSopsFiles = false; validateSopsFiles = false;
secrets = { secrets = {
"ssh_keys/sam/gitea" = { "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
path = "${homeDirectory}/.ssh/gitea"; path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519";
}; };
"ssh_keys/sam/gitea.pub" = { "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
path = "${homeDirectory}/.ssh/gitea.pub"; path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519.pub";
}; };
}; };
}; };
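Review bot: `osConfig` is added to the module arguments in the `@ -1,8 +1,10 @@` hunk, but as far as I know it is only injected when this file is evaluated through home-manager's NixOS module (which is how flake.nix wires it), so a standalone `home-manager switch` against this file would fail on an unknown argument; a one-line comment would save the next person that surprise, e.g. `# osConfig comes from the home-manager NixOS module; this file does not evaluate standalone.` Separately, the decrypted key now lands at `~/.ssh/${username}@${hostname}-ssh-ed25519`, while the bootstrap script's generated ssh config points `IdentityFile` at `~/.ssh/deploy_key-ssh-ed25519`; if the sops-managed key is meant to supersede the deploy key after first boot, say so next to the `secrets` block, and if not, the two names look like they diverged by accident. The `sops` attribute set these entries belong to starts before the hunk.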


@ -9,6 +9,7 @@
pkgs.curl pkgs.curl
pkgs.just pkgs.just
pkgs.git pkgs.git
pkgs.neovim
]; ];
} }


@ -4,8 +4,8 @@
imports = imports =
[ [
# Disk configuration # Disk configuration
#inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
#(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
../common/optional/btrfs-impermanence.nix ../common/optional/btrfs-impermanence.nix
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
@ -41,6 +41,7 @@
]; ];
users.media = { users.media = {
directories = [ directories = [
"sync"
"keep" "keep"
".ssh" ".ssh"
]; ];
@ -56,7 +57,7 @@
}; };
networking = { networking = {
hostName = "media"; hostName = "sparky";
networkmanager.enable = true; networkmanager.enable = true;
enableIPv6 = false; enableIPv6 = false;
}; };
@ -67,33 +68,29 @@
enable = true; enable = true;
ports = [22]; # FIXME: Make this use configVars.networking ports = [22]; # FIXME: Make this use configVars.networking
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
# this mitigates the security issue caused by enabling u2fAuth in pam
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
}; };
}; };
services.libinput.enable = true;
services.displayManager.defaultSession = "cinnamon";
services.xserver = {
enable = true;
#libinput.enable = true;
displayManager.lightdm.enable = true;
desktopManager = {
cinnamon.enable = true;
};
#displayManager.defaultSession = "cinnamon";
};
security.pam = { security.pam = {
sshAgentAuth.enable = true; sshAgentAuth.enable = true;
#FIXME the above is deprecated in 24.05 but we will wait until release
#sshAgentAuth.enable = true;
services = { services = {
sudo.u2fAuth = true; sudo.u2fAuth = true;
}; };
}; };
# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
# programs.ssh.startAgent = true;
environment.systemPackages = builtins.attrValues {
inherit(pkgs)
wget
curl
git
rsync;
};
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }
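Review bot: The why-comment above `authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];` in the `@ -67,33 +68,29 @@` hunk appears only once in the rendering, which I read as removed on the new side, leaving the `mkForce` with no explanation of what it guards. The override is still doing security work here, because `security.pam.sshAgentAuth.enable = true` and `services.sudo.u2fAuth = true` both survive the hunk, so a later tidy-up could drop it without knowing it mitigates the sudo/SSH_AUTH_SOCK issue the old comment cited. Suggest keeping a single line: `# Keep: mitigates the sudo SSH_AUTH_SOCK LPE (nixpkgs#31611) while pam sshAgentAuth/u2fAuth are enabled.` The enclosing `services.openssh` block starts before the hunk.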


@ -13,38 +13,6 @@
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/.swapvol" =
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7619-58F2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction


@ -21,8 +21,8 @@ read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
KEY_DIR="$HOME/keys/$hostname/" KEY_DIR="$HOME/keys/$hostname/"
mkdir -p $KEY_DIR mkdir -p $KEY_DIR
echo "Creating ssh keys for new host. Will create in current directory: "$KEY_DIR echo "Creating ssh keys for new host."
KEY_NAME="ssh_ed25519_key_$hostname" KEY_NAME="$username@$hostname-ssh-ed25519"
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts) KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
confirm_delete="" confirm_delete=""
@ -30,8 +30,8 @@ confirm_delete=""
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete [ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts [ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
echo "Copying pubkey to target host" echo "Copying deploy_key pubkey to target host"
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip" ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"
overwrite="" overwrite=""
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite [ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
@ -39,7 +39,7 @@ overwrite=""
[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N "" [ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""
echo "Copying ssh key to target host:" echo "Copying ssh key to target host:"
scp -i "$KEY_DIR/ssh_ed25519_key_$hostname"* "root@$ip:/etc/ssh/" scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"
[ $? != 0 ] && echo "Error copying keys to target host" && exit 1 [ $? != 0 ] && echo "Error copying keys to target host" && exit 1
echo "Generating age key from ssh key" echo "Generating age key from ssh key"
@ -76,12 +76,12 @@ done
echo "$ip is now online and port 22 is open!" echo "$ip is now online and port 22 is open!"
echo "Configuring ssh keys on target host to enable connection to gitea:" echo "Configuring ssh keys on target host to enable connection to gitea:"
ssh-copy-id -i "$HOME/.ssh/gitea.pub" "$username@$ip" ssh-copy-id -i "$HOME/.ssh/deploy_key-ssh-ed25519.pub" "$username@$ip"
read -r -d '' config << EOM read -r -d '' config << EOM
Host git.bitlab21.com Host git.bitlab21.com
IdentitiesOnly yes IdentitiesOnly yes
StrictHostKeyChecking no StrictHostKeyChecking no
IdentityFile ~/.ssh/gitea IdentityFile ~/.ssh/deploy_key-ssh-ed25519
EOM EOM
# Append the string to file on target machine # Append the string to file on target machine
@ -119,7 +119,7 @@ done
echo "Copying gitea private ssh key to host" echo "Copying gitea private ssh key to host"
echo "New password is 'nixos'" echo "New password is 'nixos'"
rsync -av "$(readlink -n "$HOME/.ssh/gitea" )" "$username@$ip":~/.ssh/gitea rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" "$username@$ip":~/.ssh/deploy_key-ssh-ed25519
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'" ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'" ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
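Review bot: In the `@ -39,7 +39,7 @@` hunk, `scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"` expands the glob to two words, so `-i` consumes the private key as scp's identity file and only `$KEY_NAME.pub` is actually sent to `/etc/ssh/`; unless I am misreading the intent, the private host key never reaches the target. The rename from `ssh_ed25519_key_$hostname` to `$KEY_NAME` carried that pattern over from the old line rather than fixing it. If both files are meant to be shipped, drop the flag: `scp "$KEY_DIR/$KEY_NAME" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/"`. The `[ $? != 0 ]` check on the next line would then report a real copy failure instead of masking this one.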