Lillian-Violet/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of ssh://git.lillianviolet.dev:22/Lillian-Violet/NixOS-Config

Browse source
This commit is contained in:
Lillian Violet 2024-02-23 13:58:08 +01:00
parent 05303ca601 b1e4af16d8
commit 7f9a3eb430
18 changed files with 186 additions and 222 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
README.md
View file

@ -6,10 +6,25 @@ The configuration of different NixOS hosts using flakes and home-manager. It is
## Building and deploying the configuration
The first step is to add your age keyfile to the /nix/var/secrets folder with the name "keys.txt" (if you don't have one, remove the imports from the configuration files; the import can be found under
``hosts/<hostname>/configuration.nix``).
If you do not have my private age key, the first step is to add your age keyfile to the /var/secrets folder with the name "keys.txt", in my case an age private key. If you don't have have an age private key you can generate one with the command
Then run this command within your cloned github repo (I put mine in /etc/nixos):
``age-keygen -o ~/.config/sops/age/keys.txt`` and copying this file to ``/var/secrets/``
**Note: make sure this key is not readable by normal users, I made it owned by root, and gave the file 400 (read only for user) permissions. eg: ``chown 400 /var/secrets/keys.txt``**
if you don't want to use [sops](https://github.com/Mic92/sops-nix) secret management remove the import from the configuration files; the import can be found under
``hosts/shared/default.nix``
Upon any of the above changes; also remove/replace the secret files, they can be found under the host configuration folders in
``hosts/<hostname>/secrets/sops.yaml``
For the hosts EDI and GLaDOS, [lanzaboot](https://github.com/nix-community/lanzaboote) has to be disabled (and re-enabled if you want secure boot after install). You can first replace enabling lanzaboot with systemd-boot. You can do this by commenting out the lanzaboot configuration, and replace the line
``boot.loader.systemd-boot.enable = lib.mkForce false;`` with ``boot.loader.systemd-boot.enable = true``
To turn secure boot back on again you can look at the [lanzaboot](https://github.com/nix-community/lanzaboote) repository and follow the install steps.
Then run this command with your cloned github repo (I put mine in /etc/nixos):
``sudo nixos-rebuild --flake .#<hostname> switch``
@ -33,10 +48,10 @@ Note: this does not build the full configuration, and errors might still happen
## Technical details
### Home manager
### [Home manager](https://github.com/nix-community/home-manager)
Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration.
### Sops
### [Sops](https://github.com/Mic92/sops-nix)
The secrets are managed in sops files within the hosts folders, there is only one sops file per host, but this can be changed quite easily. The command to edit the sops file is as follows:
``nix-shell -p sops --run "sops ./nixos/hosts/<hostname>/secrets/sops.yaml"``

44
disko/EDI/default.nix
View file

@ -19,29 +19,22 @@
];
};
};
encryptedSwap = {
size = "4G";
content = {
type = "swap";
randomEncryption = true;
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
# disable settings.keyFile if you want to use interactive password entry
#passwordFile = "/tmp/secret.key"; # Interactive
extraOpenArgs = [];
settings = {
allowDiscards = true;
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
#keyFile = "/tmp/secret.key";
allowDiscards = true;
};
#additionalKeyFiles = ["/tmp/additionalSecret.key"];
content = {
type = "filesystem";
format = "bcachefs";
mountpoint = "/";
type = "lvm_pv";
vg = "pool";
};
};
};
@ -49,5 +42,30 @@
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
swap = {
size = "8G";
content = {
type = "swap";
resumeDevice = true; # resume from hiberation from this device
};
};
root = {
size = "100%FREE";
content = {
type = "filesystem";
format = "bcachefs";
mountpoint = "/";
mountOptions = [
"defaults"
];
};
};
};
};
};
};
}

71
disko/EDI/lvm.nix
View file

@ -1,71 +0,0 @@
{
disko.devices = {
disk = {
nvme0n1 = {
type = "disk";
device = "/dev/disk/by-path/pci-0000:71:00.0-nvme-1";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
extraOpenArgs = [];
settings = {
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
#keyFile = "/tmp/secret.key";
allowDiscards = true;
};
#additionalKeyFiles = ["/tmp/additionalSecret.key"];
content = {
type = "lvm_pv";
vg = "pool";
};
};
};
};
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
swap = {
size = "8G";
content = {
type = "swap";
resumeDevice = true; # resume from hiberation from this device
};
};
root = {
size = "100%FREE";
content = {
type = "filesystem";
format = "bcachefs";
mountpoint = "/";
mountOptions = [
"defaults"
];
};
};
};
};
};
};
}

48
flake.lock
View file

@ -210,11 +210,11 @@
]
},
"locked": {
"lastModified": 1708294481,
"narHash": "sha256-DZtxmeb4OR7iCaKUUuq05ADV2rX8WReZEF7Tq//W0+Y=",
"lastModified": 1708451036,
"narHash": "sha256-tgZ38NummEdnXvxj4D0StHBzXgceAw8CptytHljH790=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a54e05bc12d88ff2df941d0dc1183cb5235fa438",
"rev": "517601b37c6d495274454f63c5a483c8e3ca6be1",
"type": "github"
},
"original": {
@ -254,11 +254,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1708343641,
"narHash": "sha256-UlTZmvuK18wc2I2Wt//Ry5CHxkbxpbE4ccwaVjix+CE=",
"lastModified": 1708388174,
"narHash": "sha256-mLROAGNyOykYwWOLga24BX05GnRE+acms0Ru10tye2o=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "470ba03c4b80ad57397af84145dc0911dc398f91",
"rev": "73fec69386e8005911e15f3abe6bb6cee7fd9711",
"type": "github"
},
"original": {
@ -311,11 +311,11 @@
},
"nixlib": {
"locked": {
"lastModified": 1693701915,
"narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
"lastModified": 1708217146,
"narHash": "sha256-nGfEv7k78slqIR5E0zzWSx214d/4/ZPKDkObLJqVLVw=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
"rev": "e623008d8a46517470e6365505f1a3ce171fa46a",
"type": "github"
},
"original": {
@ -332,11 +332,11 @@
]
},
"locked": {
"lastModified": 1707873059,
"narHash": "sha256-simzllUEmzVqmQogcGCorfIbJpodAhgGSr6vuFtd4XQ=",
"lastModified": 1708402276,
"narHash": "sha256-7ZTUHdMwy8o6d8ela6H7H3UcS7cyns4D1zuWbmU1dCI=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "0aa24e93f75370454f0e03747b6836ac2a2c9fca",
"rev": "fa146e1a156c83b009b398213c661d6b46d71421",
"type": "github"
},
"original": {
@ -347,11 +347,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1708307464,
"narHash": "sha256-OloBg9ZCoPrPqy8/ZoaoRB4kza3lKhnI0LuZq5xldhg=",
"lastModified": 1708469763,
"narHash": "sha256-wCJljz6nQdCAnfTx+3i4fWteB3TnVEq95z6d6LhwVKs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a332040396d7e3c47883e9c115c1da485712805e",
"rev": "5eeded8e3518579daa13887297efa79f5be74b41",
"type": "github"
},
"original": {
@ -425,11 +425,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1708118438,
"narHash": "sha256-kk9/0nuVgA220FcqH/D2xaN6uGyHp/zoxPNUmPCMmEE=",
"lastModified": 1708296515,
"narHash": "sha256-FyF489fYNAUy7b6dkYV6rGPyzp+4tThhr80KNAaF/yY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5863c27340ba4de8f83e7e3c023b9599c3cb3c80",
"rev": "b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa",
"type": "github"
},
"original": {
@ -473,11 +473,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1708118438,
"narHash": "sha256-kk9/0nuVgA220FcqH/D2xaN6uGyHp/zoxPNUmPCMmEE=",
"lastModified": 1708296515,
"narHash": "sha256-FyF489fYNAUy7b6dkYV6rGPyzp+4tThhr80KNAaF/yY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5863c27340ba4de8f83e7e3c023b9599c3cb3c80",
"rev": "b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa",
"type": "github"
},
"original": {
@ -671,11 +671,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1708225343,
"narHash": "sha256-Q0uVUOfumc1DcKsIJIfMCHph08MjkOvZxvPb/Vi8hWw=",
"lastModified": 1708500294,
"narHash": "sha256-mvJIecY3tDKZh7297mqOtOuAvP7U1rqjfLNfmfkjFpU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "ffed177a9d2c685901781c3c6c9024ae0ffc252b",
"rev": "f6b80ab6cd25e57f297fe466ad689d8a77057c11",
"type": "github"
},
"original": {

14
home-manager/hosts/EDI/package-configs/plasma-desktop/default.nix
View file

@ -1,11 +1,4 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: {
programs.plasma = {
enable = true;
shortcuts = {
@ -258,10 +251,12 @@
"dolphinrc"."ExtractDialog"."1536x864 screen: Height" = 560;
"dolphinrc"."ExtractDialog"."1536x864 screen: Width" = 1024;
"dolphinrc"."ExtractDialog"."DirHistory[$e]" = "/home/";
"dolphinrc"."General"."RememberOpenedTabs" = false;
"dolphinrc"."IconsMode"."PreviewSize" = 80;
"dolphinrc"."KFileDialog Settings"."Places Icons Auto-resize" = false;
"dolphinrc"."KFileDialog Settings"."Places Icons Static Size" = 22;
"dolphinrc"."KFileDialog Settings"."detailViewIconSize" = 16;
"dolphinrc"."PreviewSettings"."Plugins" = "mobithumbnail,fontthumbnail,ebookthumbnail,kraorathumbnail,jpegthumbnail,windowsexethumbnail,comicbookthumbnail,djvuthumbnail,opendocumentthumbnail,windowsimagethumbnail,exrthumbnail,audiothumbnail,cursorthumbnail,svgthumbnail,blenderthumbnail,gsthumbnail,rawthumbnail,ffmpegthumbs,imagethumbnail,directorythumbnail";
"kactivitymanagerdrc"."activities"."a2cd7f51-1f1f-47a8-9544-a4c401f57a12" = "Default";
"kactivitymanagerdrc"."main"."currentActivity" = "a2cd7f51-1f1f-47a8-9544-a4c401f57a12";
"kcminputrc"."Libinput.1739.30383.CUST0001:00 06CB:76AF Touchpad"."MiddleButtonEmulation" = true;
@ -294,6 +289,7 @@
"kdeglobals"."KFileDialog Settings"."Speedbar Width" = 138;
"kdeglobals"."KFileDialog Settings"."View Style" = "DetailTree";
"kdeglobals"."KShortcutsDialog Settings"."Dialog Size" = "600,480";
"kdeglobals"."PreviewSettings"."MaximumRemoteSize" = 0;
"kdeglobals"."WM"."activeBackground" = "49,54,59";
"kdeglobals"."WM"."activeBlend" = "252,252,252";
"kdeglobals"."WM"."activeForeground" = "252,252,252";
@ -836,6 +832,7 @@
"khotkeysrc"."KShortcutsDialog Settings"."Dialog Size[$d]" = "";
"khotkeysrc"."Main"."AlreadyImported" = "defaults,kde32b1,konqueror_gestures_kde321";
"khotkeysrc"."Main"."Disabled" = false;
"khotkeysrc"."PreviewSettings"."MaximumRemoteSize[$d]" = "";
"khotkeysrc"."Voice"."Shortcut" = "";
"khotkeysrc"."WM"."activeBackground[$d]" = "";
"khotkeysrc"."WM"."activeBlend[$d]" = "";
@ -844,6 +841,9 @@
"khotkeysrc"."WM"."inactiveBlend[$d]" = "";
"khotkeysrc"."WM"."inactiveForeground[$d]" = "";
"kiorc"."Confirmations"."ConfirmDelete" = true;
"kiorc"."Confirmations"."ConfirmEmptyTrash" = true;
"kiorc"."Confirmations"."ConfirmTrash" = false;
"kiorc"."Executable scripts"."behaviourOnLaunch" = "alwaysAsk";
"krunnerrc"."Plugins"."baloosearchEnabled" = false;
"krunnerrc"."Plugins"."locationsEnabled" = true;
"krunnerrc"."Plugins"."placesEnabled" = true;

40
nixos/desktop/default.nix
View file

@ -70,6 +70,11 @@
git-filter-repo
gnupg
pciutils
podman
podman-compose
sbctl
tpm2-tools
tpm2-tss
waydroid
xwaylandvideobridge
yubikey-personalization
@ -89,6 +94,7 @@
# User tools
noisetorch
qjackctl
wireplumber
];
@ -159,14 +165,36 @@
enable = true;
};
users.users = {
lillian = {
isNormalUser = true;
extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"];
shell = pkgs.zsh;
};
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
boot.bootspec.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.supportedFilesystems = ["bcachefs"];
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
boot.kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
boot.extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
# Enable completion of system packages by zsh
environment.pathsToLink = ["/share/zsh"];
}

23
nixos/hosts/EDI/configuration.nix
View file

@ -24,12 +24,14 @@
../../desktop
../../../disko/EDI/lvm.nix
../../../disko/EDI
# Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix
];
sops.defaultSopsFile = ./secrets/sops.yaml;
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
@ -39,22 +41,10 @@
};
environment.systemPackages = with pkgs; [
podman
podman-compose
sbctl
];
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
networking.hostName = "EDI";
boot.bootspec.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.supportedFilesystems = ["bcachefs"];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
@ -65,13 +55,6 @@
enable = true;
pkiBundle = "/etc/secureboot";
};
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
# Enable bluetooth hardware
hardware.bluetooth.enable = true;
users.users.lillian.extraGroups = ["docker"];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "unstable";

6
nixos/hosts/EDI/secrets/sops.yaml
View file

@ -1,4 +1,4 @@
password: ENC[AES256_GCM,data:4EAU7m0RF3BWnIDdcRFkC+UcwcQ=,iv:s1gF8edUjatry3h/e5ZmBXLOEJO1iX8tiyuanzuJgJY=,tag:cicC8WzOnIhG8xIM09nrTw==,type:str]
lillian-password: ENC[AES256_GCM,data:0mwqnvA+xrDD/m6uQtPbo9MpcFsOoqHE+Cg2gF6xZzNsqM3i/OmvAe7syp+mGBacZ3avoIHowLSWgXUkMcuFPeYa6XRkrX4LhA==,iv:f1kB54k6ZYWKlZ0Zowu8fOD0cf2WvNlX3GSpy1sUMdA=,tag:dsusc45E1BmYsNmiPzNccg==,type:str]
sops:
kms: []
gcp_kms: []
@ -14,8 +14,8 @@ sops:
eUZ6b09pYlRVWFBuUm1Ua2l6Z0dacW8KeQdAVsxXsDiDMtFA2koSpDsw7Ib63vA0
GE/ubWDwwRc7wMPFGuofIe6TaDSFgtVXza+yo+i4y51+BOpwqxlYYA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-04T09:24:15Z"
mac: ENC[AES256_GCM,data:SoNQ2F2hye6l4B29dLOycZYNqdpluRWgsIj0ZJ5aanExBKq8REHyoXU11X+ItZkrHkyNHyDf1cpQSwyL0AMJG6KXn0z//hKuMijOF3AQ5fXgIu4vmutvpvvIQ/7rBxATsFq43QjIWHsSOOfi1HYpBRlDwc/oTCG9G//NzR9MqOo=,iv:uhZuK1wGPUbhby++T2diyleLWvGbFE+1HCuw0y73eTQ=,tag:lkWn+nYkGP0L0HyVjjYhCA==,type:str]
lastmodified: "2024-02-21T10:15:11Z"
mac: ENC[AES256_GCM,data:AnQfufrAVvN2f2kr2KLM8toFj4BUxM1xvwH48DE1OcoenBlzQHu76R35cc9q0rJjOBWXYnZPLEHncE46XyXt56HPboH/blIEZwa9aL1pwDOV5UwbaqZTuSy7/Ylnn0ZoZtcD4gFnavWBT9iUgu3VjRso1i6eXm0Lc1mvwRbH63M=,iv:zJW4Bzm+IGzgxsFE7QP+E4RY5UoPWTUeo9RfoLpbSt8=,tag:E29Pnjtp0w05hdEQCmkj7A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

25
nixos/hosts/GLaDOS/configuration.nix
View file

@ -30,11 +30,9 @@
./hardware-configuration.nix
];
sops.defaultSopsFile = ./secrets/sops.yaml;
environment.systemPackages = with pkgs; [
podman
podman-compose
sbctl
qjackctl
];
services.xserver.videoDrivers = ["amdgpu"];
@ -55,25 +53,6 @@
pkiBundle = "/etc/secureboot";
};
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = ["bcachefs"];
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
boot.kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
boot.extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
boot.kernelPackages = pkgs.linuxPackages_latest;
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {

21
nixos/hosts/GLaDOS/secrets/sops.yaml Normal file
View file

@ -0,0 +1,21 @@
lillian-password: ENC[AES256_GCM,data:aHJCYmnpGIWJMsNZ8aw51Rquuv4F7kgGvfIxHMELuDlEqgjkg+SAhh+UQEpv16F0WVxrYZ/EwxKFMBpfPv9M2NLZC98bav0D9g==,iv:uzYLfmxG46ubmgeFsfW7aqXZbcL+TQw0VdDcklV0/ZI=,tag:Ozcf5qXC7xh0VcsBzhyo2g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUHlSTzhndDRHOUd1WG41
Wk9haEVmS3FlcFl5VUxRZUVDaENHcUpsYm04ClBJS3doOXRHUjhsMmIvck5ldy8y
VW9yb2NCRWZhNGNlZWlyRlk4NFJiTTgKLS0tIElLMFdiUU95ejNoUFl4US9DSWU5
MUZWTVh0dVdMZlRzelJ4WlROUlIyNmcKphNuMN9Wh8h/gvmtUxQWjPKtgjWriLRD
+DpEEVGrmu0RJ8/wUqjxGoL4GzLAlZm4EnKlyUyA0tw8sbLZ2Lnl/w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-22T11:58:42Z"
mac: ENC[AES256_GCM,data:TuNvE51hpHvOjB3G2y7UCT8BvlI1ulc8aeeBihtnGiGDjwU1Eze1bdA47hZYCZsCYdo3Tow1gY0gCkJACKeWqUXMLT8jxcUfiUWqQicQhBm/TT9m+oqLQiAqJCkh1Ez8XuaftqIg+oJstyy4wZyvMK8Bg+9EsSYiBnMrKfrgLBs=,iv:GXy93l1BBkkeKXJ1ntFI6Rw6QZmSbzDlWClJ16/Csv4=,tag:jBYynl6tLL/xN61ypMwvrw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

15
nixos/hosts/queen/configuration.nix
View file

@ -21,7 +21,7 @@
# Import shared settings
../../shared
#../../server/package-configs/akkoma/configuration.nix
# Import server settings
../../server
];
@ -52,7 +52,6 @@
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ./secrets/sops.yaml;
sops.age.keyFile = ../../../../../var/secrets/keys.txt;
nix = {
gc = {
@ -135,18 +134,6 @@
# users.groups.virtualMail = {};
users.users = {
lillian = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGatnsrKMoZSW24Lw4meb6BAgHgeyN/8rUib4nZVT+CB lillian@EDI"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7+LEQnC/nlYp7nQ4p6hUCqaGiqfsA3Mg8bSy+zA8Fj lillian@GLaDOS"
];
isNormalUser = true;
extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"];
shell = pkgs.zsh;
};
};
# Enable completion of system packages by zsh
environment.pathsToLink = ["/share/zsh"];

5
nixos/hosts/queen/secrets/sops.yaml
View file

@ -7,6 +7,7 @@ mssqlpass: ENC[AES256_GCM,data:XEu4bQC5qM5Cm8UDVX3qAzTuL/t3xbx+qcEbZM4h3Hg=,iv:j
mailpassunhash: ENC[AES256_GCM,data:q/P3nrNLy3hCISDmalw94nzWIFhoCdCTyflj27D2Ltr8,iv:oAFna87l3sL/42ljUF1QsRL0xBrP82uYdKLxK/8HcQE=,tag:liFFGHbNPOpOHyMsjnvMOQ==,type:str]
rpcSecret: ENC[AES256_GCM,data:gOuQSY2RI6rnSnG1,iv:xz1ueq4/UOKYBs5r9Tk4jL0+GyX8uo8I8ZymVgIMKLI=,tag:Fr8rWIttLz7X8Pri6FBJBQ==,type:str]
wg-private: ENC[AES256_GCM,data:6BEuNqqG//p5UhRmQ4RPEze6jZdvzK4PEXxlbX2ANYIhFpacj0aZnCr9o/A=,iv:tPlwYdV4I5oA8qG+bfVi1Dpbf7xedByantqsmylZXKQ=,tag:k1BqKqlayOWz5QW1XiAjqQ==,type:str]
lillian-password: ENC[AES256_GCM,data:tc+Romv2fL+tdqLLmbwqaF4IHrNZ0VEpnECmW/66FW7IUpjHMyS7YP+pmmvDCzM9afIXMxyPFHGNRwiCmxqstiiNeSeLdo6rDw==,iv:sGeu9aNTgdpThv+0Z/nZKIrat1xNgM0t/KTGPaFbsdI=,tag:kZBHF4X0KO9znog61NwU+Q==,type:str]
sops:
kms: []
gcp_kms: []
@ -22,8 +23,8 @@ sops:
KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-04T21:18:00Z"
mac: ENC[AES256_GCM,data:ZHXg541BI94kwvLJ/CFHS7UauQN6LimqNK9rU60dil1RIArDy5xHtRki/p5uajKeGhM+Bv1t9SWAehk1n3U0PiynLGLm3npraIxItBPiRf7hyqDXmc8kG4U7BBcbIf3qvkvxVVd5auWfnPobKsRhKA+gC1Z11ylPqK37yIgK5Sw=,iv:EKacOHhgwjFDw2ioraxlyfXt89VpT+B4D/a/rC+ulNM=,tag:YvgctOLxmojg2uOAlKihkQ==,type:str]
lastmodified: "2024-02-22T11:53:17Z"
mac: ENC[AES256_GCM,data:bOrEW/yQIgJy7Jqfj/95jtXoIeEX2JNTvsnodkrtmtUQoY8Lczb47rTLpS0CM9Gh1Do38dvoNgWY08jXj3PVPO6s7Yy995ZbtgaR8n/G190PZ+p+i7EInv/OAJe/Xw4WcZlLs1XeKPashJmoX7qZi2fVPmu5UpYD1YiCMzZsWkQ=,iv:vjEJCDX8D4relmBJs569d+sklY1bUptWBjJVS7pKB70=,tag:xsQM3cDBkHymS9t9Qyyitg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

13
nixos/hosts/shodan/configuration.nix
View file

@ -52,7 +52,6 @@
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ./secrets/sops.yaml;
sops.age.keyFile = ./keys.txt;
nix = {
gc = {
@ -211,17 +210,7 @@
enable = true;
};
users.users = {
lillian = {
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnYgErCnva8fvLvsmTMC6dHJp2Fvwja0BYL8K/58ugDxNA0PVGj5PpEMar5yhi4AFGGYL4EgD75tRgI/WQU87ZiKjJ6HFIhgX9curncB2kIJ0JoA+FIQMNOT72GFuhjcO4svanrobsMrRmcn193suXY/N6m6F+3pitxBfHPWuPKKjlZqVBzpqCdz9pXoGOk48OSYv7Zyw8roVsUw3fqJqs68LRLM/winWVhVSPabXGyX7PAAW51Nbv6M64REs+V1a+wGvK5sGhRy7lIBAIuD22tuL4/PZojST1hasKN+7cSp7F1QTi4u0yeQ2+gIclQNuhfvghzl6zcVEpOycFouSIJaJjo8jyuHkbm4I2XfALVTFHe7sLpYNNS7Mf6E6i5rHvAvtXI4UBx/LjgPOj7RWZFaotxQRk1D+N0y2xNrO4ft6mS+hrJ/+ybp1XTGdtlkpUDKjiTZkV7Z4fq9J0jtijvtxRfcPhjia50IIHtZ28wVBMCCwYzh5pR15F/XbvKCc= lillian@EDI"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7+LEQnC/nlYp7nQ4p6hUCqaGiqfsA3Mg8bSy+zA8Fj lillian@GLaDOS"
];
isNormalUser = true;
extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf" "decky"];
shell = pkgs.zsh;
};
};
users.users.lillian.extraGroups = ["decky"];
# Enable completion of system packages by zsh
environment.pathsToLink = ["/share/zsh"];

5
nixos/hosts/shodan/secrets/sops.yaml
View file

@ -1,4 +1,5 @@
pass: ENC[AES256_GCM,data:M7V75Q7I,iv:d59fWvFsEOOu8A+BSK0f2ZskX1SXHN1wA3EfGGsHp70=,tag:FLTogvUgI3HdKYWCJc/M1Q==,type:int]
lillian-password: ENC[AES256_GCM,data:uPNBvMyhkiX3eedduFlsFUIcas/VBVSYrsmGTlgGUOzTQST59CYZRoq0ArphIJ3+Usy6KbR5tA5FCp4PoB3qVYBfjlAq6dhZIw==,iv:TiUIo2lvdL6SiDuW4gWn0TeJXkz5MldzqGxuK3MNPnE=,tag:d3p/h+q50JxygDtk2qxIeQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -14,8 +15,8 @@ sops:
KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-28T21:33:20Z"
mac: ENC[AES256_GCM,data:4tFAJCqCAfqlIGj7kDQ9uoUg7TgXYgogkm/h0nP6fuedKiV/CRmD8CbdWInesaDP276pggZbtUY9I92pV8bpJ2h+U07qihTo79ZTPTsObUHQrrc002ZiYwCtI+14t1+2KuTQNpEJsZxoECjG1R0mjg3Zv8MQ0wj6YpnEaGmXkC0=,iv:roPZJXFjB7lLK4RQcmQaNOq5RRCvguNO4O2iasgolEU=,tag:j7G0HvAx6XqrijyZcqntXQ==,type:str]
lastmodified: "2024-02-22T12:17:27Z"
mac: ENC[AES256_GCM,data:JYOxnbBK2Uj/TH9Pc6gFf0xE82lD726Jm2R7fz4WYM3pAeYoeauRVU0YoxKhOHmAjAq9ZyHZVdWg3bSMMEz9ONz/F6LZiI5qegT+SO3uAPaTRwUa639G6RGO5b86LIRPuXBw5sdePeoxDt62rOiT6UhySK5XiEysEv5NyQFijlw=,iv:1pbuTtnRbaNKRn73NLZ+s3ZW2sGAc80tRd2QWTR4688=,tag:YndVhpjQC1aUBhmv7d/4+A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

20
nixos/hosts/wheatley/configuration.nix
View file

@ -15,11 +15,8 @@
./armv7l.nix
./hardware-configuration.nix
# Import locale settings
../../shared/locale
# Import shared packages
../../shared/packages
# Import shared configurations
../../shared
];
boot.loader.generic-extlinux-compatible.enable = true;
@ -53,7 +50,6 @@
};
sops.defaultSopsFile = ./secrets/sops.yaml;
sops.age.keyFile = ../../../../../var/secrets/keys.txt;
sops.secrets."wireless.env".mode = "0440";
sops.secrets."wireless.env".owner = config.users.users.root.name;
@ -117,18 +113,6 @@
enable = true;
};
users.users = {
lillian = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGatnsrKMoZSW24Lw4meb6BAgHgeyN/8rUib4nZVT+CB lillian@EDI"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7+LEQnC/nlYp7nQ4p6hUCqaGiqfsA3Mg8bSy+zA8Fj lillian@GLaDOS"
];
isNormalUser = true;
extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"];
shell = pkgs.zsh;
};
};
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {

5
nixos/hosts/wheatley/secrets/sops.yaml
View file

@ -1,4 +1,5 @@
wireless.env: ENC[AES256_GCM,data:a5sUW0Lc4GRd9aUJwHbmQvzvRB8WaRjMSQ==,iv:+3ncL38E3aqbejoCzzeBtMukLk4n/AQBJELlqhXDqSA=,tag:buY9Mp10DAEEEKqSyHwB3g==,type:str]
lillian-password: ENC[AES256_GCM,data:GY7WyfLRc/q4fecnazWzfoZsruN/F0ar7mJ9RaqTHSb9K6xhEmifmJeqpR5xGIJYW6MYciCsZ9YmRsJbuSHTIlo9PrCTYBGvXg==,iv:bzml3abPox3RdvtKBQiBAcVXHUdGAn0ETMsDpBtT8T0=,tag:2iaBJ4hFFBUbonslTvQH5Q==,type:str]
sops:
kms: []
gcp_kms: []
@ -14,8 +15,8 @@ sops:
Vm9mWk5JRGtZNVVhN1JQWTBlb2kySkEKoLI1MzS3uGNUbyn7kI5DylKZiPtc1div
bKIboWoobTfDt0EURfmZ5+JrX6DlZxRyNQyl9dsKmZT6pLdaIppStA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-12T16:14:03Z"
mac: ENC[AES256_GCM,data:J/0+e7w8tcfsQ9xtWJifKYpWQLpLssjSgxMl/PdIyYuWKDKkF/dDr+joP7Evlk5Hg3dXL7ijGFgYVwUjhFzbgk9pUiHt0cvXj0hthgwUIUpQh42M6qKtxRaxP/Mp9Shb2CSwZfZ2GyXP4lJuMS76SDKo46xGdbejwlLPZ11oArA=,iv:rWrrB9VUxX3N2OSSep9SPfyl9Ke7hQVGkheazOrbis4=,tag:9fBYgtCoNm9Unv7ADJTb0Q==,type:str]
lastmodified: "2024-02-22T11:57:45Z"
mac: ENC[AES256_GCM,data:V9vscu55woZjJGFV3aDgdHKqmIopYw6cajdOHG1/45Qel6l5YJkt8VyLMzYlUOlFGatXBlfTB7VC9zhhaY4lduww2XLrARcTk61BT+GSHp5sawND+RIDghY6CJBuoPUbtsfmmlmg+J2DljBlSbrcVmvfjMV12Ql6Zb8PEPM9K68=,iv:TFrDt1XpuIFLUyDN6+8n+0OypBkr1OrZOmXWvnY9ApI=,tag:EfsFhToEGFCZJSXh0WBrIw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

19
nixos/shared/default.nix
View file

@ -10,4 +10,23 @@
./locale
./packages
];
sops.age.keyFile = ../../../../../../var/secrets/keys.txt;
sops.secrets."lillian-password".neededForUsers = true;
users.users.lillian = {
isNormalUser = true;
extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf" "docker"];
shell = pkgs.zsh;
hashedPasswordFile = config.sops.secrets."lillian-password".path;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGatnsrKMoZSW24Lw4meb6BAgHgeyN/8rUib4nZVT+CB lillian@EDI"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7+LEQnC/nlYp7nQ4p6hUCqaGiqfsA3Mg8bSy+zA8Fj lillian@GLaDOS"
];
};
users.mutableUsers = false;
users.users.root = {
hashedPassword = "*";
};
}

9
nixos/shared/packages/default.nix
View file

@ -23,8 +23,17 @@
tldr
# System libraries
];
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-emoji-blob-bin
noto-fonts-emoji
liberation_ttf
fira-code
fira-code-symbols
mplus-outline-fonts.githubRelease
dina-font
proggyfonts
];
}