changed media to sparky
parent
878fffd900
commit
9df3bf2ff8
|
@ -58,11 +58,11 @@
|
|||
"nix-secrets": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1715874814,
|
||||
"narHash": "sha256-6/+UqZ8szxgfDUqOoohJes3dp35N1S/WMMb3O5sXMxw=",
|
||||
"lastModified": 1715968354,
|
||||
"narHash": "sha256-SqWi7qdDTdWV8eNfe/AgPI2qa+CR9xvSqeW+bUlgrQs=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "dc3f14aae4111cd318f4c42c91382bf884101556",
|
||||
"revCount": 6,
|
||||
"rev": "e2756ddf1b86a9fa574740fe7e9d12c3996a24a1",
|
||||
"revCount": 10,
|
||||
"type": "git",
|
||||
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
||||
},
|
||||
|
|
|
@ -81,10 +81,10 @@
|
|||
./hosts/bootstrap
|
||||
];
|
||||
};
|
||||
media = nixpkgs.lib.nixosSystem {
|
||||
sparky = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
modules = [
|
||||
./hosts/media
|
||||
./hosts/sparky
|
||||
home-manager.nixosModules.home-manager{
|
||||
home-manager.extraSpecialArgs = specialArgs;
|
||||
}
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
{ inputs, config, ... }:
|
||||
{ inputs, config, osConfig, ... }:
|
||||
let
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
homeDirectory = config.home.homeDirectory;
|
||||
username = config.home.username;
|
||||
hostname = osConfig.networking.hostName;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
|
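Review bot: `hostname = osConfig.networking.hostName;` makes this home-manager module evaluable only when home-manager runs as a NixOS module, because `osConfig` is the NixOS configuration that `home-manager.nixosModules.home-manager` injects (as the flake hunk above does); a standalone `home-manager switch` of the same module would presumably fail on the unknown `osConfig` argument. If standalone use is ever intended, give it a default, `{ inputs, config, osConfig ? null, ... }:` with `hostname = if osConfig == null then "unknown" else osConfig.networking.hostName;`; otherwise a one-line comment such as `# osConfig is only available when home-manager is used as a NixOS module` documents the constraint. The `ssh_keys/${username}@${hostname}/...` names in the next hunk also mean secrets.yaml needs a matching entry per host, and with `validateSopsFiles = false` a missing entry presumably only surfaces at activation rather than at build time.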
@ -16,11 +18,11 @@ in
|
|||
validateSopsFiles = false;
|
||||
|
||||
secrets = {
|
||||
"ssh_keys/sam/gitea" = {
|
||||
path = "${homeDirectory}/.ssh/gitea";
|
||||
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
|
||||
path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519";
|
||||
};
|
||||
"ssh_keys/sam/gitea.pub" = {
|
||||
path = "${homeDirectory}/.ssh/gitea.pub";
|
||||
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
|
||||
path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519.pub";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
pkgs.curl
|
||||
pkgs.just
|
||||
pkgs.git
|
||||
pkgs.neovim
|
||||
];
|
||||
|
||||
}
|
||||
|
|
|
@ -4,8 +4,8 @@
|
|||
imports =
|
||||
[
|
||||
# Disk configuration
|
||||
#inputs.disko.nixosModules.disko
|
||||
#(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
||||
inputs.disko.nixosModules.disko
|
||||
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
||||
../common/optional/btrfs-impermanence.nix
|
||||
inputs.impermanence.nixosModules.impermanence
|
||||
|
||||
|
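Review bot: `(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })` hard-codes the disk while the `fileSystems."/…"` by-uuid entries for this host are removed in the `@ -13,38 +13,6 @@` hunk below, so the mount layout now depends entirely on the disko declaration matching the real disk, and a wrong device is not something evaluation can catch. A short comment would make that dependency explicit, e.g. `# Filesystems are declared by disko (std-disk-config.nix); hardware-configuration.nix no longer lists them`. The `imports = [ ... ]` list continues past the end of the hunk.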
@ -41,6 +41,7 @@
|
|||
];
|
||||
users.media = {
|
||||
directories = [
|
||||
"sync"
|
||||
"keep"
|
||||
".ssh"
|
||||
];
|
||||
|
@ -56,7 +57,7 @@
|
|||
};
|
||||
|
||||
networking = {
|
||||
hostName = "media";
|
||||
hostName = "sparky";
|
||||
networkmanager.enable = true;
|
||||
enableIPv6 = false;
|
||||
};
|
||||
|
@ -67,33 +68,29 @@
|
|||
enable = true;
|
||||
ports = [22]; # FIXME: Make this use configVars.networking
|
||||
settings.PermitRootLogin = "yes";
|
||||
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
|
||||
# this mitigates the security issue caused by enabling u2fAuth in pam
|
||||
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||
};
|
||||
};
|
||||
services.libinput.enable = true;
|
||||
services.displayManager.defaultSession = "cinnamon";
|
||||
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
#libinput.enable = true;
|
||||
displayManager.lightdm.enable = true;
|
||||
desktopManager = {
|
||||
cinnamon.enable = true;
|
||||
};
|
||||
#displayManager.defaultSession = "cinnamon";
|
||||
};
|
||||
|
||||
security.pam = {
|
||||
sshAgentAuth.enable = true;
|
||||
#FIXME the above is deprecated in 24.05 but we will wait until release
|
||||
#sshAgentAuth.enable = true;
|
||||
services = {
|
||||
sudo.u2fAuth = true;
|
||||
};
|
||||
};
|
||||
|
||||
# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
|
||||
# programs.ssh.startAgent = true;
|
||||
|
||||
environment.systemPackages = builtins.attrValues {
|
||||
inherit(pkgs)
|
||||
wget
|
||||
curl
|
||||
git
|
||||
rsync;
|
||||
};
|
||||
|
||||
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
system.stateVersion = "23.11";
|
||||
}
|
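Review bot: `sshAgentAuth.enable = true;` is turned on next to `sudo.u2fAuth = true;` with no comment tying it to the `authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];` override earlier in the hunk, yet that override is what keeps a user-writable `~/.ssh/authorized_keys` from serving as the key list for agent-based sudo; the explanatory comment lives in the openssh block rather than beside the pam setting that depends on it. Suggest a one-line comment next to it: `# Safe only while services.openssh.authorizedKeysFiles points at root-owned files (see mkForce above).` The retained `settings.PermitRootLogin = "yes";` context line still permits root key logins over SSH; if that is only needed during bootstrap, `"prohibit-password"` once the host is deployed would narrow it.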
|
@ -13,38 +13,6 @@
|
|||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=root" ];
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
fileSystems."/.swapvol" =
|
||||
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=swap" ];
|
||||
};
|
||||
|
||||
fileSystems."/persist" =
|
||||
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=persist" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/7619-58F2";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
@ -21,8 +21,8 @@ read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
|
|||
KEY_DIR="$HOME/keys/$hostname/"
|
||||
mkdir -p $KEY_DIR
|
||||
|
||||
echo "Creating ssh keys for new host. Will create in current directory: "$KEY_DIR
|
||||
KEY_NAME="ssh_ed25519_key_$hostname"
|
||||
echo "Creating ssh keys for new host."
|
||||
KEY_NAME="$username@$hostname-ssh-ed25519"
|
||||
|
||||
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
|
||||
confirm_delete=""
|
||||
|
@ -30,8 +30,8 @@ confirm_delete=""
|
|||
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
|
||||
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
|
||||
|
||||
echo "Copying pubkey to target host"
|
||||
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip"
|
||||
echo "Copying deploy_key pubkey to target host"
|
||||
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"
|
||||
|
||||
overwrite=""
|
||||
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
|
||||
|
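Review bot: `ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"` passes an empty identity path whenever that `.pub` is a regular file rather than a symlink, because `readlink` without `-f` prints nothing for a non-symlink; the rsync line in the `@ -119,7 +119,7 @@` hunk below has the same pattern. `readlink -f` resolves both cases: `ssh-copy-id -i "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "root@$ip"`. If the intent is simply to follow a sops-managed symlink, ssh-copy-id already follows symlinks and the substitution could be dropped altogether.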
@ -39,7 +39,7 @@ overwrite=""
|
|||
[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""
|
||||
|
||||
echo "Copying ssh key to target host:"
|
||||
scp -i "$KEY_DIR/ssh_ed25519_key_$hostname"* "root@$ip:/etc/ssh/"
|
||||
scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"
|
||||
[ $? != 0 ] && echo "Error copying keys to target host" && exit 1
|
||||
|
||||
echo "Generating age key from ssh key"
|
||||
|
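Review bot: `scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"` hands the first glob match, the private key, to `-i` as scp's identity file and copies only the remaining match, the `.pub`, so the private key never reaches `/etc/ssh/` unless the glob expands to a single file; the pre-rename line had the same shape, and the commit keeps it. Name both files and drop `-i`: `scp "$KEY_DIR/$KEY_NAME" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/"`. The `[ $? != 0 ]` check on the following line would then also catch a missing file instead of a silently half-done copy.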
@ -76,12 +76,12 @@ done
|
|||
echo "$ip is now online and port 22 is open!"
|
||||
|
||||
echo "Configuring ssh keys on target host to enable connection to gitea:"
|
||||
ssh-copy-id -i "$HOME/.ssh/gitea.pub" "$username@$ip"
|
||||
ssh-copy-id -i "$HOME/.ssh/deploy_key-ssh-ed25519.pub" "$username@$ip"
|
||||
read -r -d '' config << EOM
|
||||
Host git.bitlab21.com
|
||||
IdentitiesOnly yes
|
||||
StrictHostKeyChecking no
|
||||
IdentityFile ~/.ssh/gitea
|
||||
IdentityFile ~/.ssh/deploy_key-ssh-ed25519
|
||||
EOM
|
||||
|
||||
# Append the string to file on target machine
|
||||
|
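Review bot: The new `IdentityFile ~/.ssh/deploy_key-ssh-ed25519` line is added to a Host block that still carries `StrictHostKeyChecking no`, so the deploy key is offered to whatever host answers for git.bitlab21.com and the secrets repository cloned in the last hunk is fetched without host-key verification. Since the script already manages known_hosts for `$ip`, it could seed the git host's key on the target once its fingerprint has been checked out of band (e.g. `ssh-keyscan git.bitlab21.com >> ~/.ssh/known_hosts`) and remove that line, or at minimum use `StrictHostKeyChecking accept-new`. The heredoc is written into `$config` here and appended to the target file outside this hunk.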
@ -119,7 +119,7 @@ done
|
|||
echo "Copying gitea private ssh key to host"
|
||||
echo "New password is 'nixos'"
|
||||
|
||||
rsync -av "$(readlink -n "$HOME/.ssh/gitea" )" "$username@$ip":~/.ssh/gitea
|
||||
rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" "$username@$ip":~/.ssh/deploy_key-ssh-ed25519
|
||||
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
|
||||
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
|
||||
|
||||
|
|