changed media to sparky
This commit is contained in:
parent
878fffd900
commit
9df3bf2ff8
|
@ -58,11 +58,11 @@
|
||||||
"nix-secrets": {
|
"nix-secrets": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715874814,
|
"lastModified": 1715968354,
|
||||||
"narHash": "sha256-6/+UqZ8szxgfDUqOoohJes3dp35N1S/WMMb3O5sXMxw=",
|
"narHash": "sha256-SqWi7qdDTdWV8eNfe/AgPI2qa+CR9xvSqeW+bUlgrQs=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "dc3f14aae4111cd318f4c42c91382bf884101556",
|
"rev": "e2756ddf1b86a9fa574740fe7e9d12c3996a24a1",
|
||||||
"revCount": 6,
|
"revCount": 10,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
||||||
},
|
},
|
||||||
|
|
|
@ -81,10 +81,10 @@
|
||||||
./hosts/bootstrap
|
./hosts/bootstrap
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
media = nixpkgs.lib.nixosSystem {
|
sparky = nixpkgs.lib.nixosSystem {
|
||||||
inherit specialArgs;
|
inherit specialArgs;
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/media
|
./hosts/sparky
|
||||||
home-manager.nixosModules.home-manager{
|
home-manager.nixosModules.home-manager{
|
||||||
home-manager.extraSpecialArgs = specialArgs;
|
home-manager.extraSpecialArgs = specialArgs;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +1,10 @@
|
||||||
{ inputs, config, ... }:
|
{ inputs, config, osConfig, ... }:
|
||||||
let
|
let
|
||||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||||
homeDirectory = config.home.homeDirectory;
|
homeDirectory = config.home.homeDirectory;
|
||||||
|
username = config.home.username;
|
||||||
|
hostname = osConfig.networking.hostName;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
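Review bot: `hostname = osConfig.networking.hostName;` makes this home-manager module depend on `osConfig`, which home-manager only supplies when it is evaluated as a NixOS module (the flake.nix hunk in this commit does wire it that way via `home-manager.nixosModules.home-manager`); evaluating the same file with standalone `home-manager switch` would presumably fail on the unknown `osConfig` argument. A one-line comment above the binding would save the next reader the trip, e.g. `# osConfig is only passed when home-manager runs as a NixOS module; standalone use needs a fallback`. If standalone use is ever intended, a default in the argument pattern (`osConfig ? null`) plus an explicit fallback for `hostname` would be the place to handle it. The module body continues past this hunk.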
@ -16,11 +18,11 @@ in
|
||||||
validateSopsFiles = false;
|
validateSopsFiles = false;
|
||||||
|
|
||||||
secrets = {
|
secrets = {
|
||||||
"ssh_keys/sam/gitea" = {
|
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
|
||||||
path = "${homeDirectory}/.ssh/gitea";
|
path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519";
|
||||||
};
|
};
|
||||||
"ssh_keys/sam/gitea.pub" = {
|
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
|
||||||
path = "${homeDirectory}/.ssh/gitea.pub";
|
path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519.pub";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
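Review bot: The renamed secrets now land the per-host key at `${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519`, but nothing in this commit tells ssh to use it: the `Host git.bitlab21.com` stanza the bootstrap script writes on the target (hunk at `@ -76,12 +76,12 @@`) sets `IdentityFile ~/.ssh/deploy_key-ssh-ed25519`, so the bootstrap deploy key stays the one used for the secrets repo after deployment unless an ssh config elsewhere references the new name. If the deploy key is meant to be temporary, this is the place to also manage the ssh config (or to state which key is expected in which phase), e.g. a comment on the first entry: `# per-host key; the bootstrap deploy_key should be replaced by this once sops-nix has run`. The surrounding `sops` attribute set starts above this hunk.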
@ -9,6 +9,7 @@
|
||||||
pkgs.curl
|
pkgs.curl
|
||||||
pkgs.just
|
pkgs.just
|
||||||
pkgs.git
|
pkgs.git
|
||||||
|
pkgs.neovim
|
||||||
];
|
];
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,8 +4,8 @@
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
# Disk configuration
|
# Disk configuration
|
||||||
#inputs.disko.nixosModules.disko
|
inputs.disko.nixosModules.disko
|
||||||
#(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
||||||
../common/optional/btrfs-impermanence.nix
|
../common/optional/btrfs-impermanence.nix
|
||||||
inputs.impermanence.nixosModules.impermanence
|
inputs.impermanence.nixosModules.impermanence
|
||||||
|
|
||||||
|
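Review bot: Enabling `inputs.disko.nixosModules.disko` with `device = "/dev/vda"` hard-coded, together with the removal of every by-uuid `fileSystems` entry in the hardware-configuration hunk below, means this host's mounts now come entirely from std-disk-config.nix; if the disk on this machine is not `/dev/vda` the system will not boot, and a disko run against the wrong device reformats it. The removed `/boot` entry carried `options = [ "fmask=0022" "dmask=0022" ]`; I cannot see std-disk-config.nix, so please confirm it sets equivalent mount options for the ESP, otherwise `/boot` permissions regress to the vfat default. A short note next to the import would make the coupling explicit, e.g. `# disko now owns the partition layout (hardware-configuration has no fileSystems); device must match this host's disk`. The `imports` list continues past this hunk.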
@ -41,6 +41,7 @@
|
||||||
];
|
];
|
||||||
users.media = {
|
users.media = {
|
||||||
directories = [
|
directories = [
|
||||||
|
"sync"
|
||||||
"keep"
|
"keep"
|
||||||
".ssh"
|
".ssh"
|
||||||
];
|
];
|
||||||
|
@ -56,7 +57,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "media";
|
hostName = "sparky";
|
||||||
networkmanager.enable = true;
|
networkmanager.enable = true;
|
||||||
enableIPv6 = false;
|
enableIPv6 = false;
|
||||||
};
|
};
|
||||||
|
@ -67,33 +68,29 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
ports = [22]; # FIXME: Make this use configVars.networking
|
ports = [22]; # FIXME: Make this use configVars.networking
|
||||||
settings.PermitRootLogin = "yes";
|
settings.PermitRootLogin = "yes";
|
||||||
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
|
|
||||||
# this mitigates the security issue caused by enabling u2fAuth in pam
|
|
||||||
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
services.libinput.enable = true;
|
||||||
|
services.displayManager.defaultSession = "cinnamon";
|
||||||
|
|
||||||
|
services.xserver = {
|
||||||
|
enable = true;
|
||||||
|
#libinput.enable = true;
|
||||||
|
displayManager.lightdm.enable = true;
|
||||||
|
desktopManager = {
|
||||||
|
cinnamon.enable = true;
|
||||||
|
};
|
||||||
|
#displayManager.defaultSession = "cinnamon";
|
||||||
|
};
|
||||||
|
|
||||||
security.pam = {
|
security.pam = {
|
||||||
sshAgentAuth.enable = true;
|
sshAgentAuth.enable = true;
|
||||||
#FIXME the above is deprecated in 24.05 but we will wait until release
|
|
||||||
#sshAgentAuth.enable = true;
|
|
||||||
services = {
|
services = {
|
||||||
sudo.u2fAuth = true;
|
sudo.u2fAuth = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
|
|
||||||
# programs.ssh.startAgent = true;
|
|
||||||
|
|
||||||
environment.systemPackages = builtins.attrValues {
|
|
||||||
inherit(pkgs)
|
|
||||||
wget
|
|
||||||
curl
|
|
||||||
git
|
|
||||||
rsync;
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = "23.11";
|
||||||
}
|
}
|
|
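Review bot: The removed comments (`# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611` and the u2fAuth note) were the only explanation of why `authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];` is forced, and that line is kept, so the rationale should survive in some form, e.g. `# forced to a root-owned path: pam sshAgentAuth + sudo.u2fAuth must not trust a user-writable authorized_keys (nixpkgs issue 31611)`. Dropping the `environment.systemPackages` block also removes `rsync` from this host, and the bootstrap script hunk at `@ -119,7 +119,7 @@` still runs `rsync -av ... "$username@$ip":~/.ssh/...`, which needs an rsync binary on the target, so that step will fail unless rsync comes from a shared module I cannot see. The new `services.xserver` block also carries commented-out duplicates (`#libinput.enable = true;`, `#displayManager.defaultSession = "cinnamon";`) of settings that were placed at `services.libinput.enable` and `services.displayManager.defaultSession`; those leftovers can go.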
@ -13,38 +13,6 @@
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=root" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/nix" =
|
|
||||||
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=nix" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/.swapvol" =
|
|
||||||
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=swap" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/persist" =
|
|
||||||
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=persist" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{ device = "/dev/disk/by-uuid/7619-58F2";
|
|
||||||
fsType = "vfat";
|
|
||||||
options = [ "fmask=0022" "dmask=0022" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
# still possible to use this option, but it's recommended to use it in conjunction
|
|
@ -21,8 +21,8 @@ read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
|
||||||
KEY_DIR="$HOME/keys/$hostname/"
|
KEY_DIR="$HOME/keys/$hostname/"
|
||||||
mkdir -p $KEY_DIR
|
mkdir -p $KEY_DIR
|
||||||
|
|
||||||
echo "Creating ssh keys for new host. Will create in current directory: "$KEY_DIR
|
echo "Creating ssh keys for new host."
|
||||||
KEY_NAME="ssh_ed25519_key_$hostname"
|
KEY_NAME="$username@$hostname-ssh-ed25519"
|
||||||
|
|
||||||
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
|
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
|
||||||
confirm_delete=""
|
confirm_delete=""
|
||||||
|
@ -30,8 +30,8 @@ confirm_delete=""
|
||||||
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
|
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
|
||||||
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
|
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
|
||||||
|
|
||||||
echo "Copying pubkey to target host"
|
echo "Copying deploy_key pubkey to target host"
|
||||||
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip"
|
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"
|
||||||
|
|
||||||
overwrite=""
|
overwrite=""
|
||||||
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
|
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
|
||||||
|
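Review bot: `ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"` relies on the key being a symlink: `readlink -n` prints nothing and exits non-zero for a regular file, so `-i ""` is passed and ssh-copy-id silently falls back to its default key search. If the file may be a plain file (the old `gitea.pub` was presumably a sops-managed symlink, I cannot tell for the new name), `readlink -f` handles both cases: `ssh-copy-id -i "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "root@$ip"`. The same pattern is rewritten in the hunk at `@ -119,7 +119,7 @@` (`rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" ...`), where the preceding `echo "Copying gitea private ssh key to host"` also still names the old key.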
@ -39,7 +39,7 @@ overwrite=""
|
||||||
[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""
|
[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""
|
||||||
|
|
||||||
echo "Copying ssh key to target host:"
|
echo "Copying ssh key to target host:"
|
||||||
scp -i "$KEY_DIR/ssh_ed25519_key_$hostname"* "root@$ip:/etc/ssh/"
|
scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"
|
||||||
[ $? != 0 ] && echo "Error copying keys to target host" && exit 1
|
[ $? != 0 ] && echo "Error copying keys to target host" && exit 1
|
||||||
|
|
||||||
echo "Generating age key from ssh key"
|
echo "Generating age key from ssh key"
|
||||||
|
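Review bot: `scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"` does not copy both key files: `-i` takes exactly one argument, so when the glob expands to the private key and its `.pub`, the private key is consumed as the identity file and only the `.pub` is transferred, while the `[ $? != 0 ]` check below still passes. If the intent is to place both files in `/etc/ssh/` (as the echo `Copying ssh key to target host:` suggests), list them explicitly: `scp "$KEY_DIR/$KEY_NAME" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/"`. The old line had the same shape, so this may be long-standing rather than introduced here.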
@ -76,12 +76,12 @@ done
|
||||||
echo "$ip is now online and port 22 is open!"
|
echo "$ip is now online and port 22 is open!"
|
||||||
|
|
||||||
echo "Configuring ssh keys on target host to enable connection to gitea:"
|
echo "Configuring ssh keys on target host to enable connection to gitea:"
|
||||||
ssh-copy-id -i "$HOME/.ssh/gitea.pub" "$username@$ip"
|
ssh-copy-id -i "$HOME/.ssh/deploy_key-ssh-ed25519.pub" "$username@$ip"
|
||||||
read -r -d '' config << EOM
|
read -r -d '' config << EOM
|
||||||
Host git.bitlab21.com
|
Host git.bitlab21.com
|
||||||
IdentitiesOnly yes
|
IdentitiesOnly yes
|
||||||
StrictHostKeyChecking no
|
StrictHostKeyChecking no
|
||||||
IdentityFile ~/.ssh/gitea
|
IdentityFile ~/.ssh/deploy_key-ssh-ed25519
|
||||||
EOM
|
EOM
|
||||||
|
|
||||||
# Append the string to file on target machine
|
# Append the string to file on target machine
|
||||||
|
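Review bot: The `Host git.bitlab21.com` stanza this heredoc installs on the target keeps `StrictHostKeyChecking no` next to the updated `IdentityFile ~/.ssh/deploy_key-ssh-ed25519`, so the first `git clone` of the secrets repo in the last hunk accepts whatever host key answers for that name. Since the bootstrap machine already talks to this server, its known_hosts entry for `git.bitlab21.com` could be appended to the target's `~/.ssh/known_hosts` in the same step and the stanza switched to `StrictHostKeyChecking yes`. The heredoc is context here and predates this commit; I raise it only because the stanza is being rewritten.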
@ -119,7 +119,7 @@ done
|
||||||
echo "Copying gitea private ssh key to host"
|
echo "Copying gitea private ssh key to host"
|
||||||
echo "New password is 'nixos'"
|
echo "New password is 'nixos'"
|
||||||
|
|
||||||
rsync -av "$(readlink -n "$HOME/.ssh/gitea" )" "$username@$ip":~/.ssh/gitea
|
rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" "$username@$ip":~/.ssh/deploy_key-ssh-ed25519
|
||||||
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
|
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
|
||||||
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
|
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
|
||||||
|
|
||||||
|
|