changed media to sparky

This commit is contained in:
Sam 2024-05-17 20:17:53 +01:00
parent 878fffd900
commit 9df3bf2ff8
8 changed files with 38 additions and 70 deletions


@ -58,11 +58,11 @@
"nix-secrets": {
"flake": false,
"locked": {
"lastModified": 1715874814,
"narHash": "sha256-6/+UqZ8szxgfDUqOoohJes3dp35N1S/WMMb3O5sXMxw=",
"lastModified": 1715968354,
"narHash": "sha256-SqWi7qdDTdWV8eNfe/AgPI2qa+CR9xvSqeW+bUlgrQs=",
"ref": "refs/heads/master",
"rev": "dc3f14aae4111cd318f4c42c91382bf884101556",
"revCount": 6,
"rev": "e2756ddf1b86a9fa574740fe7e9d12c3996a24a1",
"revCount": 10,
"type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
},


@ -81,10 +81,10 @@
./hosts/bootstrap
];
};
media = nixpkgs.lib.nixosSystem {
sparky = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/media
./hosts/sparky
home-manager.nixosModules.home-manager{
home-manager.extraSpecialArgs = specialArgs;
}


@ -1,8 +1,10 @@
{ inputs, config, ... }:
{ inputs, config, osConfig, ... }:
let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = config.home.homeDirectory;
username = config.home.username;
hostname = osConfig.networking.hostName;
in
{
imports = [
@ -16,11 +18,11 @@ in
validateSopsFiles = false;
secrets = {
"ssh_keys/sam/gitea" = {
path = "${homeDirectory}/.ssh/gitea";
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519";
};
"ssh_keys/sam/gitea.pub" = {
path = "${homeDirectory}/.ssh/gitea.pub";
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519.pub";
};
};
};
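Review bot: `hostname = osConfig.networking.hostName;` makes this home module depend on `osConfig`, which home-manager only supplies when it is loaded as the NixOS module (the way flake.nix wires it through `home-manager.nixosModules.home-manager`); if the module is ever evaluated standalone the argument is absent and evaluation fails, so a comment at the binding would save the next reader a confusing error: `# osConfig is only passed when home-manager runs as a NixOS module; this module is not usable standalone`. The new keys `"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519"` also fix a naming convention that every host's entry in nix-secrets must follow, and nothing in the file states it; add `# nix-secrets entries are keyed ssh_keys/<user>@<host>/<user>@<host>-ssh-ed25519{,.pub}; a host with no matching entry will presumably fail when sops decrypts at activation` above `secrets = {`. The enclosing attribute set continues outside the hunk.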


@ -9,6 +9,7 @@
pkgs.curl
pkgs.just
pkgs.git
pkgs.neovim
];
}


@ -4,8 +4,8 @@
imports =
[
# Disk configuration
#inputs.disko.nixosModules.disko
#(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
inputs.disko.nixosModules.disko
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
../common/optional/btrfs-impermanence.nix
inputs.impermanence.nixosModules.impermanence
@ -41,6 +41,7 @@
];
users.media = {
directories = [
"sync"
"keep"
".ssh"
];
@ -56,7 +57,7 @@
};
networking = {
hostName = "media";
hostName = "sparky";
networkmanager.enable = true;
enableIPv6 = false;
};
@ -67,33 +68,29 @@
enable = true;
ports = [22]; # FIXME: Make this use configVars.networking
settings.PermitRootLogin = "yes";
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
# this mitigates the security issue caused by enabling u2fAuth in pam
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
};
};
services.libinput.enable = true;
services.displayManager.defaultSession = "cinnamon";
services.xserver = {
enable = true;
#libinput.enable = true;
displayManager.lightdm.enable = true;
desktopManager = {
cinnamon.enable = true;
};
#displayManager.defaultSession = "cinnamon";
};
security.pam = {
sshAgentAuth.enable = true;
#FIXME the above is deprecated in 24.05 but we will wait until release
#sshAgentAuth.enable = true;
services = {
sudo.u2fAuth = true;
};
};
# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
# programs.ssh.startAgent = true;
environment.systemPackages = builtins.attrValues {
inherit(pkgs)
wget
curl
git
rsync;
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "23.11";
}
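Review bot: The `#FIXME the above is deprecated in 24.05 but we will wait until release` comment now sits directly under `security.pam = {` with the option it described commented out beneath it, so "the above" refers to nothing and a reader cannot tell what was disabled or why; replace the two lines with `# sshAgentAuth.enable is deprecated in 24.05; left disabled until the release, then re-enable via its replacement` followed by the commented option. With agent authentication off, the `authorizedKeysFiles = lib.mkForce [...]` override and the SSH_AUTH_SOCK mitigation comment above it appear to describe a condition that no longer arises, while `sudo.u2fAuth = true` remains; keeping the override is harmless, but its comment should say it is retained deliberately so the two do not read as contradicting each other. The one-line addition under `users.media.directories` (apparently `".ssh"`) persists the user's key material across the impermanence wipe, which is what the deploy-key copy in the bootstrap script relies on; a short `# persisted so the deploy key installed at bootstrap survives reboots` would make that dependency visible in an otherwise plain data list.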


@ -13,38 +13,6 @@
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/.swapvol" =
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/d6657061-a847-49f8-9219-f9e668fe34aa";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7619-58F2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction


@ -21,8 +21,8 @@ read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
KEY_DIR="$HOME/keys/$hostname/"
mkdir -p $KEY_DIR
echo "Creating ssh keys for new host. Will create in current directory: "$KEY_DIR
KEY_NAME="ssh_ed25519_key_$hostname"
echo "Creating ssh keys for new host."
KEY_NAME="$username@$hostname-ssh-ed25519"
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
confirm_delete=""
@ -30,8 +30,8 @@ confirm_delete=""
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip"
echo "Copying deploy_key pubkey to target host"
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"
overwrite=""
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
@ -39,7 +39,7 @@ overwrite=""
[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""
echo "Copying ssh key to target host:"
scp -i "$KEY_DIR/ssh_ed25519_key_$hostname"* "root@$ip:/etc/ssh/"
scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"
[ $? != 0 ] && echo "Error copying keys to target host" && exit 1
echo "Generating age key from ssh key"
@ -76,12 +76,12 @@ done
echo "$ip is now online and port 22 is open!"
echo "Configuring ssh keys on target host to enable connection to gitea:"
ssh-copy-id -i "$HOME/.ssh/gitea.pub" "$username@$ip"
ssh-copy-id -i "$HOME/.ssh/deploy_key-ssh-ed25519.pub" "$username@$ip"
read -r -d '' config << EOM
Host git.bitlab21.com
IdentitiesOnly yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/gitea
IdentityFile ~/.ssh/deploy_key-ssh-ed25519
EOM
# Append the string to file on target machine
@ -119,7 +119,7 @@ done
echo "Copying gitea private ssh key to host"
echo "New password is 'nixos'"
rsync -av "$(readlink -n "$HOME/.ssh/gitea" )" "$username@$ip":~/.ssh/gitea
rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" "$username@$ip":~/.ssh/deploy_key-ssh-ed25519
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"