diff --git a/flake.nix b/flake.nix
index d7c29fa..0779022 100644
--- a/flake.nix
+++ b/flake.nix
@@ -73,12 +73,21 @@
 bootstrap = nixpkgs.lib.nixosSystem {
 inherit specialArgs;
 modules = [
- disko.nixosModules.disko
+ #disko.nixosModules.disko
 #./hosts/common/disks/gpt-bios-compact.nix
- ./hosts/common/disks/std-disk-config.nix
+ #./hosts/common/disks/std-disk-config.nix
 ./hosts/bootstrap
 ];
 };
+ media = nixpkgs.lib.nixosSystem {
+ inherit specialArgs;
+ modules = [
+ #disko.nixosModules.disko
+ #./hosts/common/disks/gpt-bios-compact.nix
+ #./hosts/common/disks/std-disk-config.nix
+ ./hosts/media
+ ];
+ };
 };
 #
 # Standalone home-manager configuration entrypoint
diff --git a/home/media.nix b/home/media.nix
new file mode 100644
index 0000000..38d3a2f
--- /dev/null
+++ b/home/media.nix
@@ -0,0 +1,16 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ imports = [
+ ./common/core
+ ./common/optional/sops.nix
+
+ # Import optional
+ ./common/optional/git.nix
+
+ # Import users
+ ./users/media
+ ];
diff --git a/home/users/media/default.nix b/home/users/media/default.nix
new file mode 100644
index 0000000..c4f50f8
--- /dev/null
+++ b/home/users/media/default.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, outputs, ... }:
+
+{
+ home.username = "media";
+ home.homeDirectory = "/home/media";
+ home.stateVersion = "23.11";
+
+ imports = [
+ ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
+
+ home.packages = [
+ ];
+
+ programs.zsh = {
+ enable = true;
+ enableCompletion = true;
+ autosuggestion.enable = true;
+ syntaxHighlighting.enable = true;
+
+ shellAliases = {
+ ll = "ls -l";
+ };
+ history.size = 10000;
+ history.path = "${config.xdg.dataHome}/zsh/history";
+
+ initExtra = ''
+ bindkey -v
+ bindkey "^H" backward-delete-char
+ bindkey "^?" backward-delete-char
+ set -o vi
+ export TERM=xterm
+ '';
+ };
+
+
+ home.file = {
+ };
+
+ home.sessionPath = [
+ ];
+
+ home.sessionVariables = {
+ };
+
+ programs.home-manager.enable = true;
+}
+
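Review bot: The three commented-out module lines copied into the new `media` entry (`#disko.nixosModules.disko`, `#./hosts/common/disks/gpt-bios-compact.nix`, `#./hosts/common/disks/std-disk-config.nix`) are dead code, and the two lines commented out in the `bootstrap` entry above them are the same pattern. The hosts/media/default.nix hunk in this same commit imports disko and the disk config from inside the host module, so the flake-level lines should be deleted rather than kept as comments. If the intent is to record where disk setup moved, a single comment `# disk layout is imported by ./hosts/media` says it without leaving commented-out code.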
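Review bot: The new home/media.nix is not a complete Nix expression: the hunk header promises 16 lines and the sixteenth is `];`, so the attribute set opened on `}: {` is never closed and evaluation of this file will fail with a parse error. Append a final line `}` to close it. The `pkgs`, `config` and `lib` arguments are not used by anything in the file as written; they are harmless, but `{ ... }:` would be enough if they stay unused.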
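Review bot: `export TERM=xterm` inside `initExtra` in home/users/media/default.nix overrides the value the terminal emulator or multiplexer already set for every interactive zsh, so capabilities advertised by entries such as `xterm-256color` are discarded; if this works around a host that lacks terminfo entries, guard it with `[ -z "$TERM" ] && export TERM=xterm` or leave a comment naming the host that needs it. The trailing `# import all homeManagerModules?` on the `imports` line is an open question committed as configuration and should be resolved into a statement of what is intended.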
diff --git a/hosts/common/disks/std-disk-config.nix b/hosts/common/disks/std-disk-config.nix
index e8b080e..1f30607 100644
--- a/hosts/common/disks/std-disk-config.nix
+++ b/hosts/common/disks/std-disk-config.nix
@@ -1,11 +1,9 @@
+{device ? throw "Must define a device, e.g. /dev/sda"}:
 {
 disko.devices = {
- disk = {
- #FIXME change to proper device or make dynamic like figdetingbits
- vda = {
+ disk.main = {
+ inherit device;
 type = "disk";
- # FIXME change to proper device or make dynamic like figdetingbits
- device = "/dev/vda";
 content = {
 type = "gpt";
 partitions = {
@@ -26,8 +24,6 @@
 content = {
 type = "btrfs";
 extraArgs = [ "-f" ]; # Override existing partition
- # Subvolumes must set a mountpoint in order to be mounted,
- # unless their parent is mounted
 subvolumes = {
 "/root" = {
 mountpoint = "/";
@@ -51,7 +47,6 @@
 };
 };
 };
- };
 };
 };
 };
diff --git a/hosts/common/users/media/default.nix b/hosts/common/users/media/default.nix
new file mode 100644
index 0000000..9c47b84
--- /dev/null
+++ b/hosts/common/users/media/default.nix
@@ -0,0 +1,24 @@
+{ pkgs, inputs, config, lib, ... }:
+let
+ pubKeys = lib.filesystem.listFilesRecursive (../keys);
+in
+{
+ users.users.media = {
+ isNormalUser = true;
+ password = "nixos"; # Overridden if sops is working
+ shell = pkgs.zsh; # default shell
+
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+
+ extraGroups =
+ [ "qemu-libvirtd" "libvirtd"
+ "wheel" "video" "audio" "disk" "networkmanager"
+ ];
+
+ };
+
+ programs.zsh.enable = true;
+
+ environment.systemPackages = [
+ ];
+}
diff --git a/hosts/media/default.nix b/hosts/media/default.nix
index 1369a5b..d24cbb4 100644
--- a/hosts/media/default.nix
+++ b/hosts/media/default.nix
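Review bot: `password = "nixos"; # Overridden if sops is working` on the new `users.users.media` definition sets a cleartext, well-known password through an option whose value ends up in the world-readable Nix store, and the comment itself admits the fallback is this password whenever the sops secret is not wired up on a host, for an account that is also in `wheel`. Prefer `initialPassword` if a login is needed only on first boot, or `hashedPasswordFile` pointing at the sops-managed secret, so that a host without working sops has no password rather than a known one. The `extraGroups` list also includes `disk`, which grants raw read and write access to block devices and is effectively root-equivalent; unless the media user needs that, drop it from the list.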
@@ -3,18 +3,16 @@ { imports = [ + # Disk configuration + inputs.disko.nixosModules.disko + (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) + # Import core options ./hardware-configuration.nix ../common/core - # Import optional options - ../common/optional/pipewire.nix - ../common/optional/hyprland.nix - ../common/optional/displayManager/sddm.nix - ../common/optional/openssh - # Create users for this host - ../common/users/sam + ../common/users/media ]; @@ -29,4 +27,60 @@ }; }; + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + timeout = 3; + }; + }; + + i18n.defaultLocale = "en_GB.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "uk"; + useXkbConfig = false; + }; + + networking = { + hostName = "media"; + networkmanager.enable = true; + enableIPv6 = false; + }; + + services = { + qemuGuest.enable = true; + openssh = { + enable = true; + ports = [22]; # FIXME: Make this use configVars.networking + settings.PermitRootLogin = "yes"; + # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611 + # this mitigates the security issue caused by enabling u2fAuth in pam + authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; + }; + }; + + security.pam = { + sshAgentAuth.enable = true; + #FIXME the above is deprecated in 24.05 but we will wait until release + #sshAgentAuth.enable = true; + services = { + sudo.u2fAuth = true; + }; + }; + + # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config. + # programs.ssh.startAgent = true; + + environment.systemPackages = builtins.attrValues { + inherit(pkgs) + wget + curl + git + rsync; + }; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + system.stateVersion = "23.11"; +} diff --git a/hosts/media/hardware-configuration.nix b/hosts/media/hardware-configuration.nix new file mode 100644 index 0000000..f9c2647 --- /dev/null 
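Review bot: `settings.PermitRootLogin = "yes";` in the new `services.openssh` block allows root to authenticate with a password, and nothing in this hunk sets `settings.PasswordAuthentication`, so the host accepts password guesses against root on port 22; the previous hunk also dropped `../common/optional/openssh` from `imports`, so whatever that module configured no longer applies here. Use `settings.PermitRootLogin = "prohibit-password";` (key-only root still works with the forced `authorizedKeysFiles`) and add `settings.PasswordAuthentication = false;` if the keys under `/etc/ssh/authorized_keys.d/%u` are the intended login path. Under `security.pam`, the `#sshAgentAuth.enable = true;` line kept behind the `#FIXME` comment is identical to the live line directly above it and should be removed. The enclosing attribute set begins before this hunk.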
+++ b/hosts/media/hardware-configuration.nix @@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index efc6c3b..6ae4165 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -16,11 +16,10 @@ cd ~ read -p "Enter hostname: " hostname read -p "Enter username: " username read -p "Enter ip address: " ip -read -p "Enter nixosSystem to build, e.g. 'bootstrap'" config +read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config KEY_DIR="$HOME/keys/$hostname/" mkdir -p $KEY_DIR -ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip" echo "Creating ssh keys for new host. Will create in current directory: "$KEY_DIR KEY_NAME="ssh_ed25519_key_$hostname" 
@@ -31,6 +30,9 @@ confirm_delete="" [ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete [ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts +echo "Copying pubkey to target host" +ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip" + overwrite="" [ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
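Review bot: The moved `ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip"` now runs right after the optional `sed -i "/$ip/d" ~/.ssh/known_hosts`, so the connection it opens trusts whatever host key `$ip` presents on first contact; that is expected for a freshly installed host, but the script gives the operator nothing to compare against, and a comment such as `# First contact with the new host: check the fingerprint shown against the console before accepting` would make the trust decision explicit. `readlink -n` prints nothing when gitea.pub is a regular file rather than a symlink, in which case `-i ""` is passed and the key actually used is whatever ssh-copy-id picks for an empty path; `readlink -f` or the path itself avoids that ambiguity. The hunk's trailing context may continue past the end of this page.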