From 00f1f1be16dcdf5f64ea07eab3f731da9de5e3cb Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Tue, 20 Feb 2024 09:50:26 +0100 Subject: [PATCH 01/27] Set configuration limit in EDI --- nixos/hosts/EDI/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index b665ba5..70d0c8b 100644 --- a/nixos/hosts/EDI/configuration.nix +++ b/nixos/hosts/EDI/configuration.nix @@ -60,6 +60,8 @@ # generated at installation time. So we force it to false # for now. boot.loader.systemd-boot.enable = lib.mkForce false; + boot.loader.systemd-boot.configurationLimit = 3; + boot.loader.efi.canTouchEfiVariables = true; boot.lanzaboote = { enable = true; From 33d4b51c00587b1cfaa5a31c570ca24c74cc6b6c Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Tue, 20 Feb 2024 09:57:29 +0100 Subject: [PATCH 02/27] T'was already in there --- nixos/hosts/EDI/configuration.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index ccc31db..70d0c8b 100644 --- a/nixos/hosts/EDI/configuration.nix +++ b/nixos/hosts/EDI/configuration.nix @@ -67,8 +67,6 @@ enable = true; pkiBundle = "/etc/secureboot"; }; - boot.loader.systemd-boot.configurationLimit = 3; - boot.loader.efi.canTouchEfiVariables = true; # Enable bluetooth hardware hardware.bluetooth.enable = true; From 4f22ad7e5105a8276f9e0a89cfbced969e811f05 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 21 Feb 2024 10:23:51 +0100 Subject: [PATCH 03/27] Remove the old disk layout for EDI --- disko/EDI/default.nix | 44 +++++++++++++------ disko/EDI/lvm.nix | 71 ------------------------------- nixos/hosts/EDI/configuration.nix | 2 +- 3 files changed, 32 insertions(+), 85 deletions(-) delete mode 100644 disko/EDI/lvm.nix diff --git a/disko/EDI/default.nix b/disko/EDI/default.nix index 30d9181..f8cd5dc 100644 --- a/disko/EDI/default.nix +++ b/disko/EDI/default.nix 
@@ -19,29 +19,22 @@ ]; }; }; - encryptedSwap = { - size = "4G"; - content = { - type = "swap"; - randomEncryption = true; - }; - }; luks = { size = "100%"; content = { type = "luks"; name = "crypted"; - # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive + extraOpenArgs = []; settings = { - allowDiscards = true; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` #keyFile = "/tmp/secret.key"; + allowDiscards = true; }; #additionalKeyFiles = ["/tmp/additionalSecret.key"]; content = { - type = "filesystem"; - format = "bcachefs"; - mountpoint = "/"; + type = "lvm_pv"; + vg = "pool"; }; }; }; @@ -49,5 +42,30 @@ }; }; }; + lvm_vg = { + pool = { + type = "lvm_vg"; + lvs = { + swap = { + size = "8G"; + content = { + type = "swap"; + resumeDevice = true; # resume from hiberation from this device + }; + }; + root = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "bcachefs"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; }; } diff --git a/disko/EDI/lvm.nix b/disko/EDI/lvm.nix deleted file mode 100644 index f8cd5dc..0000000 --- a/disko/EDI/lvm.nix +++ /dev/null 
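Review bot: The swap LV now sits inside the LUKS physical volume, so it is still encrypted at rest, but the removed `randomEncryption = true` (a fresh key per boot) is not replaced by anything equivalent: whatever is paged out, plus the hibernation image, now persists across reboots under the long-lived LUKS key, which is the price of `resumeDevice = true`. That trade-off deserves a comment on the swap LV, e.g. `# inside the LUKS PV so encrypted at rest; no per-boot random key because resume-from-hibernation needs a stable swap image`. `allowDiscards = true` also lets TRIM reveal which sectors of the SSD are unused through the encryption layer; a one-line note that this free-space leak is accepted for SSD wear would make the choice explicit rather than inherited from the template.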
@@ -1,71 +0,0 @@ -{ - disko.devices = { - disk = { - nvme0n1 = { - type = "disk"; - device = "/dev/disk/by-path/pci-0000:71:00.0-nvme-1"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "crypted"; - extraOpenArgs = []; - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - #keyFile = "/tmp/secret.key"; - allowDiscards = true; - }; - #additionalKeyFiles = ["/tmp/additionalSecret.key"]; - content = { - type = "lvm_pv"; - vg = "pool"; - }; - }; - }; - }; - }; - }; - }; - lvm_vg = { - pool = { - type = "lvm_vg"; - lvs = { - swap = { - size = "8G"; - content = { - type = "swap"; - resumeDevice = true; # resume from hiberation from this device - }; - }; - root = { - size = "100%FREE"; - content = { - type = "filesystem"; - format = "bcachefs"; - mountpoint = "/"; - mountOptions = [ - "defaults" - ]; - }; - }; - }; - }; - }; - }; -} diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index 70d0c8b..aa96251 100644 --- a/nixos/hosts/EDI/configuration.nix +++ b/nixos/hosts/EDI/configuration.nix @@ -24,7 +24,7 @@ ../../desktop - ../../../disko/EDI/lvm.nix + ../../../disko/EDI # Import your generated (nixos-generate-config) hardware configuration ./hardware-configuration.nix From 23e5969c3f070a630c0c1bc10a5aac9ee13deadd Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 21 Feb 2024 10:58:44 +0100 Subject: [PATCH 04/27] Update flake lock --- flake.lock | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/flake.lock b/flake.lock index f2f5b97..13c041e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -210,11 +210,11 @@ ] }, "locked": { - "lastModified": 1708294481, - "narHash": "sha256-DZtxmeb4OR7iCaKUUuq05ADV2rX8WReZEF7Tq//W0+Y=", + "lastModified": 1708451036, + "narHash": "sha256-tgZ38NummEdnXvxj4D0StHBzXgceAw8CptytHljH790=", "owner": "nix-community", "repo": "home-manager", - "rev": "a54e05bc12d88ff2df941d0dc1183cb5235fa438", + "rev": "517601b37c6d495274454f63c5a483c8e3ca6be1", "type": "github" }, "original": { @@ -254,11 +254,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1708343641, - "narHash": "sha256-UlTZmvuK18wc2I2Wt//Ry5CHxkbxpbE4ccwaVjix+CE=", + "lastModified": 1708388174, + "narHash": "sha256-mLROAGNyOykYwWOLga24BX05GnRE+acms0Ru10tye2o=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "470ba03c4b80ad57397af84145dc0911dc398f91", + "rev": "73fec69386e8005911e15f3abe6bb6cee7fd9711", "type": "github" }, "original": { @@ -311,11 +311,11 @@ }, "nixlib": { "locked": { - "lastModified": 1693701915, - "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=", + "lastModified": 1708217146, + "narHash": "sha256-nGfEv7k78slqIR5E0zzWSx214d/4/ZPKDkObLJqVLVw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25", + "rev": "e623008d8a46517470e6365505f1a3ce171fa46a", "type": "github" }, "original": { @@ -332,11 +332,11 @@ ] }, "locked": { - "lastModified": 1707873059, - "narHash": "sha256-simzllUEmzVqmQogcGCorfIbJpodAhgGSr6vuFtd4XQ=", + "lastModified": 1708402276, + "narHash": "sha256-7ZTUHdMwy8o6d8ela6H7H3UcS7cyns4D1zuWbmU1dCI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "0aa24e93f75370454f0e03747b6836ac2a2c9fca", + "rev": "fa146e1a156c83b009b398213c661d6b46d71421", "type": "github" }, "original": { 
@@ -347,11 +347,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1708307464, - "narHash": "sha256-OloBg9ZCoPrPqy8/ZoaoRB4kza3lKhnI0LuZq5xldhg=", + "lastModified": 1708469763, + "narHash": "sha256-wCJljz6nQdCAnfTx+3i4fWteB3TnVEq95z6d6LhwVKs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a332040396d7e3c47883e9c115c1da485712805e", + "rev": "5eeded8e3518579daa13887297efa79f5be74b41", "type": "github" }, "original": { @@ -425,11 +425,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1708118438, - "narHash": "sha256-kk9/0nuVgA220FcqH/D2xaN6uGyHp/zoxPNUmPCMmEE=", + "lastModified": 1708296515, + "narHash": "sha256-FyF489fYNAUy7b6dkYV6rGPyzp+4tThhr80KNAaF/yY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5863c27340ba4de8f83e7e3c023b9599c3cb3c80", + "rev": "b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa", "type": "github" }, "original": { @@ -473,11 +473,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1708118438, - "narHash": "sha256-kk9/0nuVgA220FcqH/D2xaN6uGyHp/zoxPNUmPCMmEE=", + "lastModified": 1708296515, + "narHash": "sha256-FyF489fYNAUy7b6dkYV6rGPyzp+4tThhr80KNAaF/yY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5863c27340ba4de8f83e7e3c023b9599c3cb3c80", + "rev": "b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa", "type": "github" }, "original": { @@ -671,11 +671,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1708225343, - "narHash": "sha256-Q0uVUOfumc1DcKsIJIfMCHph08MjkOvZxvPb/Vi8hWw=", + "lastModified": 1708500294, + "narHash": "sha256-mvJIecY3tDKZh7297mqOtOuAvP7U1rqjfLNfmfkjFpU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ffed177a9d2c685901781c3c6c9024ae0ffc252b", + "rev": "f6b80ab6cd25e57f297fe466ad689d8a77057c11", "type": "github" }, "original": { From a3961b0bde91ec05308dddfa7823f89e52edc796 Mon Sep 17 00:00:00 2001 
From: Lillian-Violet Date: Wed, 21 Feb 2024 11:21:08 +0100 Subject: [PATCH 05/27] Set lillian's password declaratively on EDI --- nixos/hosts/EDI/configuration.nix | 9 +++++++++ nixos/hosts/EDI/secrets/sops.yaml | 6 +++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index aa96251..58350d5 100644 --- a/nixos/hosts/EDI/configuration.nix +++ b/nixos/hosts/EDI/configuration.nix @@ -30,6 +30,15 @@ ./hardware-configuration.nix ]; + sops.defaultSopsFile = ./secrets/sops.yaml; + sops.age.keyFile = ../../../../../../var/secrets/keys.txt; + + sops.secrets."lillian-password".neededForUsers = true; + + users.users.lillian = { + hashedPasswordFile = config.sops.secrets."lillian-password".path; + }; + home-manager = { extraSpecialArgs = {inherit inputs outputs;}; users = { diff --git a/nixos/hosts/EDI/secrets/sops.yaml b/nixos/hosts/EDI/secrets/sops.yaml index 8a2082f..195607f 100644 --- a/nixos/hosts/EDI/secrets/sops.yaml +++ b/nixos/hosts/EDI/secrets/sops.yaml @@ -1,4 +1,4 @@ -password: ENC[AES256_GCM,data:4EAU7m0RF3BWnIDdcRFkC+UcwcQ=,iv:s1gF8edUjatry3h/e5ZmBXLOEJO1iX8tiyuanzuJgJY=,tag:cicC8WzOnIhG8xIM09nrTw==,type:str] +lillian-password: ENC[AES256_GCM,data:0mwqnvA+xrDD/m6uQtPbo9MpcFsOoqHE+Cg2gF6xZzNsqM3i/OmvAe7syp+mGBacZ3avoIHowLSWgXUkMcuFPeYa6XRkrX4LhA==,iv:f1kB54k6ZYWKlZ0Zowu8fOD0cf2WvNlX3GSpy1sUMdA=,tag:dsusc45E1BmYsNmiPzNccg==,type:str] sops: kms: [] gcp_kms: [] 
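Review bot: `sops.age.keyFile = ../../../../../../var/secrets/keys.txt;` is an unquoted Nix path literal rather than a string, and that matters for an age private key: under flake evaluation the path is relative to the flake's store copy, and a path value that is read or stringified outside the flake is either rejected in pure mode or copied into the world-readable `/nix/store`. How sops-nix coerces this option is not visible here, but a plain string sidesteps both: `sops.age.keyFile = "/var/secrets/keys.txt";`. Pairing `neededForUsers = true` with `hashedPasswordFile` is the right combination, since the hash must exist before users are created at activation.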
@@ -14,8 +14,8 @@ sops: eUZ6b09pYlRVWFBuUm1Ua2l6Z0dacW8KeQdAVsxXsDiDMtFA2koSpDsw7Ib63vA0 GE/ubWDwwRc7wMPFGuofIe6TaDSFgtVXza+yo+i4y51+BOpwqxlYYA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-04T09:24:15Z" - mac: ENC[AES256_GCM,data:SoNQ2F2hye6l4B29dLOycZYNqdpluRWgsIj0ZJ5aanExBKq8REHyoXU11X+ItZkrHkyNHyDf1cpQSwyL0AMJG6KXn0z//hKuMijOF3AQ5fXgIu4vmutvpvvIQ/7rBxATsFq43QjIWHsSOOfi1HYpBRlDwc/oTCG9G//NzR9MqOo=,iv:uhZuK1wGPUbhby++T2diyleLWvGbFE+1HCuw0y73eTQ=,tag:lkWn+nYkGP0L0HyVjjYhCA==,type:str] + lastmodified: "2024-02-21T10:15:11Z" + mac: ENC[AES256_GCM,data:AnQfufrAVvN2f2kr2KLM8toFj4BUxM1xvwH48DE1OcoenBlzQHu76R35cc9q0rJjOBWXYnZPLEHncE46XyXt56HPboH/blIEZwa9aL1pwDOV5UwbaqZTuSy7/Ylnn0ZoZtcD4gFnavWBT9iUgu3VjRso1i6eXm0Lc1mvwRbH63M=,iv:zJW4Bzm+IGzgxsFE7QP+E4RY5UoPWTUeo9RfoLpbSt8=,tag:E29Pnjtp0w05hdEQCmkj7A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From 261311687b130e8414e9dfb3eec4f7661db61f11 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 21 Feb 2024 11:43:24 +0100 Subject: [PATCH 06/27] Disable root password and make users immutable --- nixos/desktop/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index 30b88af..9d01528 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -159,7 +159,12 @@ enable = true; }; + users.mutableuUsers = false; + users.users = { + root = { + hashedPassword = "*"; + }; lillian = { isNormalUser = true; extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"]; From 62a1b73475f3724b9be26d512926d6cc33fb997e Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 21 Feb 2024 11:44:07 +0100 Subject: [PATCH 07/27] That's a typo, it's mutableUsers --- nixos/desktop/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index 9d01528..3fda339 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix 
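Review bot: `users.mutableUsers = false` together with `root.hashedPassword = "*"` makes the declared `lillian` account the only login on any host importing `nixos/desktop/default.nix`, yet the `lillian` block visible in this hunk declares no `hashedPassword`/`hashedPasswordFile`; EDI gets one from sops in its host config, but another importer would have no password-based login at all, and on EDI a failed sops decryption at activation would presumably leave the account unusable too — worth checking before rebuilding a machine you cannot reach physically. `*` is fine for locking root, but the intent should be stated next to it: `# root is locked and passwd changes are discarded; every importer must supply lillian's hash (sops) or an SSH key`.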
@@ -159,7 +159,7 @@ enable = true; }; - users.mutableuUsers = false; + users.mutableUsers = false; users.users = { root = { From 75a43bad231f148a3b1825201b08c4f26d9e4a19 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 21 Feb 2024 12:04:36 +0100 Subject: [PATCH 08/27] Update plasma settings EDI --- .../EDI/package-configs/plasma-desktop/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/home-manager/hosts/EDI/package-configs/plasma-desktop/default.nix b/home-manager/hosts/EDI/package-configs/plasma-desktop/default.nix index d065b77..c1a3aba 100644 --- a/home-manager/hosts/EDI/package-configs/plasma-desktop/default.nix +++ b/home-manager/hosts/EDI/package-configs/plasma-desktop/default.nix @@ -1,11 +1,4 @@ { - inputs, - outputs, - lib, - config, - pkgs, - ... -}: { programs.plasma = { enable = true; shortcuts = { 
@@ -258,10 +251,12 @@ "dolphinrc"."ExtractDialog"."1536x864 screen: Height" = 560; "dolphinrc"."ExtractDialog"."1536x864 screen: Width" = 1024; "dolphinrc"."ExtractDialog"."DirHistory[$e]" = "/home/"; + "dolphinrc"."General"."RememberOpenedTabs" = false; "dolphinrc"."IconsMode"."PreviewSize" = 80; "dolphinrc"."KFileDialog Settings"."Places Icons Auto-resize" = false; "dolphinrc"."KFileDialog Settings"."Places Icons Static Size" = 22; "dolphinrc"."KFileDialog Settings"."detailViewIconSize" = 16; + "dolphinrc"."PreviewSettings"."Plugins" = "mobithumbnail,fontthumbnail,ebookthumbnail,kraorathumbnail,jpegthumbnail,windowsexethumbnail,comicbookthumbnail,djvuthumbnail,opendocumentthumbnail,windowsimagethumbnail,exrthumbnail,audiothumbnail,cursorthumbnail,svgthumbnail,blenderthumbnail,gsthumbnail,rawthumbnail,ffmpegthumbs,imagethumbnail,directorythumbnail"; "kactivitymanagerdrc"."activities"."a2cd7f51-1f1f-47a8-9544-a4c401f57a12" = "Default"; "kactivitymanagerdrc"."main"."currentActivity" = "a2cd7f51-1f1f-47a8-9544-a4c401f57a12"; "kcminputrc"."Libinput.1739.30383.CUST0001:00 06CB:76AF Touchpad"."MiddleButtonEmulation" = true; @@ -294,6 +289,7 @@ "kdeglobals"."KFileDialog Settings"."Speedbar Width" = 138; "kdeglobals"."KFileDialog Settings"."View Style" = "DetailTree"; "kdeglobals"."KShortcutsDialog Settings"."Dialog Size" = "600,480"; + "kdeglobals"."PreviewSettings"."MaximumRemoteSize" = 0; "kdeglobals"."WM"."activeBackground" = "49,54,59"; "kdeglobals"."WM"."activeBlend" = "252,252,252"; "kdeglobals"."WM"."activeForeground" = "252,252,252"; @@ -836,6 +832,7 @@ "khotkeysrc"."KShortcutsDialog Settings"."Dialog Size[$d]" = ""; "khotkeysrc"."Main"."AlreadyImported" = "defaults,kde32b1,konqueror_gestures_kde321"; "khotkeysrc"."Main"."Disabled" = false; + "khotkeysrc"."PreviewSettings"."MaximumRemoteSize[$d]" = ""; "khotkeysrc"."Voice"."Shortcut" = ""; "khotkeysrc"."WM"."activeBackground[$d]" = ""; "khotkeysrc"."WM"."activeBlend[$d]" = ""; 
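Review bot: The new `"dolphinrc"."PreviewSettings"."Plugins"` line turns on every thumbnailer, including `windowsexethumbnail`, `ffmpegthumbs`, `rawthumbnail` and `gsthumbnail`, which run format-specific parsers over any file Dolphin merely displays, downloads included, without the user opening it. The `"kdeglobals"."PreviewSettings"."MaximumRemoteSize" = 0` in the next hunk keeps that off remote locations, which is good; the local list could be trimmed to the formats actually needed, with a reminder above it such as `# thumbnailers parse untrusted files on sight; keep this list to formats you need`.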
@@ -844,6 +841,9 @@ "khotkeysrc"."WM"."inactiveBlend[$d]" = ""; "khotkeysrc"."WM"."inactiveForeground[$d]" = ""; "kiorc"."Confirmations"."ConfirmDelete" = true; + "kiorc"."Confirmations"."ConfirmEmptyTrash" = true; + "kiorc"."Confirmations"."ConfirmTrash" = false; + "kiorc"."Executable scripts"."behaviourOnLaunch" = "alwaysAsk"; "krunnerrc"."Plugins"."baloosearchEnabled" = false; "krunnerrc"."Plugins"."locationsEnabled" = true; "krunnerrc"."Plugins"."placesEnabled" = true; From 5a05a797059de2e05ece14a4c772703748230987 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 21 Feb 2024 12:09:57 +0100 Subject: [PATCH 09/27] Little refactor --- nixos/hosts/EDI/configuration.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index 58350d5..fb89ba7 100644 --- a/nixos/hosts/EDI/configuration.nix +++ b/nixos/hosts/EDI/configuration.nix @@ -37,6 +37,7 @@ users.users.lillian = { hashedPasswordFile = config.sops.secrets."lillian-password".path; + extraGroups = ["docker"]; }; home-manager = { @@ -80,8 +81,6 @@ # Enable bluetooth hardware hardware.bluetooth.enable = true; - users.users.lillian.extraGroups = ["docker"]; - # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion system.stateVersion = "unstable"; } From 1e62fd28867b4b706e6c9e7a0e83cf1489a5473d Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 21 Feb 2024 12:16:53 +0100 Subject: [PATCH 10/27] Little refactor to reduce reuse --- nixos/desktop/default.nix | 52 +++++++++++++++++++++++----- nixos/hosts/EDI/configuration.nix | 27 --------------- nixos/hosts/GLaDOS/configuration.nix | 23 ------------ 3 files changed, 43 insertions(+), 59 deletions(-) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index 3fda339..e9b7baa 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix 
@@ -70,6 +70,9 @@ git-filter-repo gnupg pciutils + podman + podman-compose + sbctl waydroid xwaylandvideobridge yubikey-personalization @@ -89,6 +92,7 @@ # User tools noisetorch + qjackctl wireplumber ]; @@ -159,19 +163,49 @@ enable = true; }; + virtualisation.podman = { + enable = true; + dockerCompat = true; + }; + + sops.defaultSopsFile = ./secrets/sops.yaml; + sops.age.keyFile = ../../../../../../var/secrets/keys.txt; + + sops.secrets."lillian-password".neededForUsers = true; + + users.users.lillian = { + isNormalUser = true; + extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf" "docker"]; + shell = pkgs.zsh; + hashedPasswordFile = config.sops.secrets."lillian-password".path; + }; + users.mutableUsers = false; - users.users = { - root = { - hashedPassword = "*"; - }; - lillian = { - isNormalUser = true; - extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"]; - shell = pkgs.zsh; - }; + users.users.root = { + hashedPassword = "*"; }; + boot.bootspec.enable = true; + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.supportedFilesystems = ["bcachefs"]; + boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out]; + boot.kernelModules = [ + # Virtual Camera + "v4l2loopback" + # Virtual Microphone, built-in + "snd-aloop" + ]; + # Set initial kernel module settings + boot.extraModprobeConfig = '' + # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming + # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams + # https://github.com/umlaeute/v4l2loopback + options v4l2loopback exclusive_caps=1 card_label="Virtual Camera" + ''; + boot.loader.systemd-boot.configurationLimit = 3; + boot.loader.efi.canTouchEfiVariables = true; + # Enable completion of system packages by zsh environment.pathsToLink = ["/share/zsh"]; } diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index fb89ba7..40e4f31 100644 --- a/nixos/hosts/EDI/configuration.nix 
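Review bot: The `sops.age.keyFile = ../../../../../../var/secrets/keys.txt;` moved into `nixos/desktop/default.nix` keeps the six `..` segments that were written for `nixos/hosts/EDI/configuration.nix`, one directory deeper, so from this file the literal resolves one level higher than it did; `./secrets/sops.yaml` likewise now names `nixos/desktop/secrets/sops.yaml`, which this diffstat does not create. An absolute string, `sops.age.keyFile = "/var/secrets/keys.txt";`, does not depend on where the module lives and is not a Nix path value that could end up copied into the store. Separately, the merged `extraGroups` now grants `docker` to lillian on every importer although this hunk enables podman; if the group does not exist it is presumably ignored, and if it does it is not needed for podman with `dockerCompat`, so it reads as a leftover worth dropping or annotating.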
+++ b/nixos/hosts/EDI/configuration.nix @@ -30,16 +30,6 @@ ./hardware-configuration.nix ]; - sops.defaultSopsFile = ./secrets/sops.yaml; - sops.age.keyFile = ../../../../../../var/secrets/keys.txt; - - sops.secrets."lillian-password".neededForUsers = true; - - users.users.lillian = { - hashedPasswordFile = config.sops.secrets."lillian-password".path; - extraGroups = ["docker"]; - }; - home-manager = { extraSpecialArgs = {inherit inputs outputs;}; users = { @@ -49,38 +39,21 @@ }; environment.systemPackages = with pkgs; [ - podman - podman-compose - sbctl ]; - virtualisation.podman = { - enable = true; - dockerCompat = true; - }; - networking.hostName = "EDI"; - boot.bootspec.enable = true; - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.supportedFilesystems = ["bcachefs"]; - # Lanzaboote currently replaces the systemd-boot module. # This setting is usually set to true in configuration.nix # generated at installation time. So we force it to false # for now. boot.loader.systemd-boot.enable = lib.mkForce false; - boot.loader.systemd-boot.configurationLimit = 3; - boot.loader.efi.canTouchEfiVariables = true; boot.lanzaboote = { enable = true; pkiBundle = "/etc/secureboot"; }; - # Enable bluetooth hardware - hardware.bluetooth.enable = true; - # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion system.stateVersion = "unstable"; } diff --git a/nixos/hosts/GLaDOS/configuration.nix b/nixos/hosts/GLaDOS/configuration.nix index 4de3f5b..10ec478 100644 --- a/nixos/hosts/GLaDOS/configuration.nix +++ b/nixos/hosts/GLaDOS/configuration.nix @@ -31,10 +31,6 @@ ]; environment.systemPackages = with pkgs; [ - podman - podman-compose - sbctl - qjackctl ]; services.xserver.videoDrivers = ["amdgpu"]; 
@@ -55,25 +51,6 @@ pkiBundle = "/etc/secureboot"; }; - boot.loader.systemd-boot.configurationLimit = 3; - boot.loader.efi.canTouchEfiVariables = true; - boot.supportedFilesystems = ["bcachefs"]; - boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out]; - boot.kernelModules = [ - # Virtual Camera - "v4l2loopback" - # Virtual Microphone, built-in - "snd-aloop" - ]; - # Set initial kernel module settings - boot.extraModprobeConfig = '' - # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming - # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams - # https://github.com/umlaeute/v4l2loopback - options v4l2loopback exclusive_caps=1 card_label="Virtual Camera" - ''; - boot.kernelPackages = pkgs.linuxPackages_latest; - home-manager = { extraSpecialArgs = {inherit inputs outputs;}; users = { From 316ecdcc6c87394124603390b22b0b92424ce308 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 21 Feb 2024 12:19:42 +0100 Subject: [PATCH 11/27] Sops file needs to be in the right folder --- nixos/desktop/default.nix | 3 --- nixos/hosts/EDI/configuration.nix | 3 +++ nixos/hosts/GLaDOS/configuration.nix | 3 +++ 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index e9b7baa..a525c4b 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -168,9 +168,6 @@ dockerCompat = true; }; - sops.defaultSopsFile = ./secrets/sops.yaml; - sops.age.keyFile = ../../../../../../var/secrets/keys.txt; - sops.secrets."lillian-password".neededForUsers = true; users.users.lillian = { diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index 40e4f31..4aa7608 100644 --- a/nixos/hosts/EDI/configuration.nix +++ b/nixos/hosts/EDI/configuration.nix 
@@ -30,6 +30,9 @@ ./hardware-configuration.nix ]; + sops.defaultSopsFile = ./secrets/sops.yaml; + sops.age.keyFile = ../../../../../../var/secrets/keys.txt; + home-manager = { extraSpecialArgs = {inherit inputs outputs;}; users = { diff --git a/nixos/hosts/GLaDOS/configuration.nix b/nixos/hosts/GLaDOS/configuration.nix index 10ec478..3be7c60 100644 --- a/nixos/hosts/GLaDOS/configuration.nix +++ b/nixos/hosts/GLaDOS/configuration.nix @@ -30,6 +30,9 @@ ./hardware-configuration.nix ]; + sops.defaultSopsFile = ./secrets/sops.yaml; + sops.age.keyFile = ../../../../../../var/secrets/keys.txt; + environment.systemPackages = with pkgs; [ ]; From 6dd7bfeb5c5f19e96684b2e55fbfc45dd46f2cbb Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 11:55:48 +0100 Subject: [PATCH 12/27] Put font install in the correct place --- nixos/shared/packages/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nixos/shared/packages/default.nix b/nixos/shared/packages/default.nix index f262768..5c6c5c2 100644 --- a/nixos/shared/packages/default.nix +++ b/nixos/shared/packages/default.nix @@ -23,8 +23,17 @@ tldr # System libraries + ]; + + fonts.packages = with pkgs; [ noto-fonts noto-fonts-emoji-blob-bin noto-fonts-emoji + liberation_ttf + fira-code + fira-code-symbols + mplus-outline-fonts.githubRelease + dina-font + proggyfonts ]; } From a8a5cdec7b1e3c59772b2a2694ff381b2ed05e5c Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 12:52:10 +0100 Subject: [PATCH 13/27] Put user definition in the shared file to reduce duplicate code --- nixos/desktop/default.nix | 15 --------------- nixos/hosts/queen/configuration.nix | 12 ------------ nixos/hosts/shodan/configuration.nix | 12 +----------- nixos/hosts/wheatley/configuration.nix | 12 ------------ nixos/shared/default.nix | 18 ++++++++++++++++++ 5 files changed, 19 insertions(+), 50 deletions(-) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index a525c4b..6ccf2db 100644 
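Review bot: `sops.defaultSopsFile = ./secrets/sops.yaml;` added to GLaDOS references `nixos/hosts/GLaDOS/secrets/sops.yaml`, which this commit does not add (the diffstat lists only the three `.nix` files), so evaluating GLaDOS at this revision would fail on a missing path unless the file exists untracked; the encrypted file belongs in the same commit so every host stays buildable at every revision. The `sops.age.keyFile` path literal re-added to both hosts is still a Nix path value rather than a string; `sops.age.keyFile = "/var/secrets/keys.txt";` expresses the same location without risking a store copy or a pure-eval read outside the flake.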
--- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -168,21 +168,6 @@ dockerCompat = true; }; - sops.secrets."lillian-password".neededForUsers = true; - - users.users.lillian = { - isNormalUser = true; - extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf" "docker"]; - shell = pkgs.zsh; - hashedPasswordFile = config.sops.secrets."lillian-password".path; - }; - - users.mutableUsers = false; - - users.users.root = { - hashedPassword = "*"; - }; - boot.bootspec.enable = true; boot.kernelPackages = pkgs.linuxPackages_latest; boot.supportedFilesystems = ["bcachefs"]; diff --git a/nixos/hosts/queen/configuration.nix b/nixos/hosts/queen/configuration.nix index 87201be..393080c 100644 --- a/nixos/hosts/queen/configuration.nix +++ b/nixos/hosts/queen/configuration.nix @@ -135,18 +135,6 @@ # users.groups.virtualMail = {}; - users.users = { - lillian = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGatnsrKMoZSW24Lw4meb6BAgHgeyN/8rUib4nZVT+CB lillian@EDI" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7+LEQnC/nlYp7nQ4p6hUCqaGiqfsA3Mg8bSy+zA8Fj lillian@GLaDOS" - ]; - isNormalUser = true; - extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"]; - shell = pkgs.zsh; - }; - }; - # Enable completion of system packages by zsh environment.pathsToLink = ["/share/zsh"]; diff --git a/nixos/hosts/shodan/configuration.nix b/nixos/hosts/shodan/configuration.nix index 0eb3bed..c44bca5 100644 --- a/nixos/hosts/shodan/configuration.nix +++ b/nixos/hosts/shodan/configuration.nix 
@@ -211,17 +211,7 @@ enable = true; }; - users.users = { - lillian = { - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 lillian@EDI" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7+LEQnC/nlYp7nQ4p6hUCqaGiqfsA3Mg8bSy+zA8Fj lillian@GLaDOS" - ]; - isNormalUser = true; - extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf" "decky"]; - shell = pkgs.zsh; - }; - }; + users.users.lillian.extraGroups = ["decky"]; # Enable completion of system packages by zsh environment.pathsToLink = ["/share/zsh"]; diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix index a463516..83e5295 100644 --- a/nixos/hosts/wheatley/configuration.nix +++ b/nixos/hosts/wheatley/configuration.nix @@ -117,18 +117,6 @@ enable = true; }; - users.users = { - lillian = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGatnsrKMoZSW24Lw4meb6BAgHgeyN/8rUib4nZVT+CB lillian@EDI" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7+LEQnC/nlYp7nQ4p6hUCqaGiqfsA3Mg8bSy+zA8Fj lillian@GLaDOS" - ]; - isNormalUser = true; - extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"]; - shell = pkgs.zsh; - }; - }; - home-manager = { extraSpecialArgs = {inherit inputs outputs;}; users = { diff --git a/nixos/shared/default.nix b/nixos/shared/default.nix index 281b3e1..b7e9f15 100644 --- a/nixos/shared/default.nix +++ b/nixos/shared/default.nix 
@@ -10,4 +10,22 @@ ./locale ./packages ]; + sops.secrets."lillian-password".neededForUsers = true; + + users.users.lillian = { + isNormalUser = true; + extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf" "docker"]; + shell = pkgs.zsh; + hashedPasswordFile = config.sops.secrets."lillian-password".path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGatnsrKMoZSW24Lw4meb6BAgHgeyN/8rUib4nZVT+CB lillian@EDI" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7+LEQnC/nlYp7nQ4p6hUCqaGiqfsA3Mg8bSy+zA8Fj lillian@GLaDOS" + ]; + }; + + users.mutableUsers = false; + + users.users.root = { + hashedPassword = "*"; + }; } From b21150f431169f21a3edc429efe3c66853940952 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 13:01:31 +0100 Subject: [PATCH 14/27] Set password for all hosts, made sops look at the same folder for the key file for all hosts (move in queen) --- nixos/hosts/EDI/configuration.nix | 1 - nixos/hosts/GLaDOS/configuration.nix | 1 - nixos/hosts/GLaDOS/secrets/sops.yaml | 21 +++++++++++++++++++++ nixos/hosts/queen/configuration.nix | 1 - nixos/hosts/queen/secrets/sops.yaml | 5 +++-- nixos/hosts/shodan/secrets/sops.yaml | 5 +++-- nixos/hosts/wheatley/configuration.nix | 1 - nixos/hosts/wheatley/secrets/sops.yaml | 5 +++-- nixos/shared/default.nix | 1 + 9 files changed, 31 insertions(+), 10 deletions(-) create mode 100644 nixos/hosts/GLaDOS/secrets/sops.yaml diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index 4aa7608..0c9bb0d 100644 --- a/nixos/hosts/EDI/configuration.nix +++ b/nixos/hosts/EDI/configuration.nix @@ -31,7 +31,6 @@ ]; sops.defaultSopsFile = ./secrets/sops.yaml; - sops.age.keyFile = ../../../../../../var/secrets/keys.txt; home-manager = { extraSpecialArgs = {inherit inputs outputs;}; diff --git a/nixos/hosts/GLaDOS/configuration.nix b/nixos/hosts/GLaDOS/configuration.nix index 3be7c60..94e947a 100644 --- a/nixos/hosts/GLaDOS/configuration.nix 
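Review bot: `hashedPasswordFile = config.sops.secrets."lillian-password".path` with `users.mutableUsers = false` and root set to `*` now applies to every host importing `nixos/shared`, yet `lillian-password` must be decryptable from each host's own `defaultSopsFile`, and in this commit only EDI's `secrets/sops.yaml` is known to carry that key; a host whose sops file lacks it ends up with no usable password and a locked root, i.e. a lockout. The two desktop SSH keys also now authorize `lillian` on every host, so the ed25519 private keys on EDI and GLaDOS become the trust anchor for the servers as well, which is fine if intended but should be said. A header comment would capture both constraints: `# lillian is the only interactive account on every host: root is locked, passwd changes are discarded, and each host's sops.yaml must carry lillian-password`.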
+++ b/nixos/hosts/GLaDOS/configuration.nix @@ -31,7 +31,6 @@ ]; sops.defaultSopsFile = ./secrets/sops.yaml; - sops.age.keyFile = ../../../../../../var/secrets/keys.txt; environment.systemPackages = with pkgs; [ ]; diff --git a/nixos/hosts/GLaDOS/secrets/sops.yaml b/nixos/hosts/GLaDOS/secrets/sops.yaml new file mode 100644 index 0000000..66274e0 --- /dev/null +++ b/nixos/hosts/GLaDOS/secrets/sops.yaml @@ -0,0 +1,21 @@ +lillian-password: ENC[AES256_GCM,data:aHJCYmnpGIWJMsNZ8aw51Rquuv4F7kgGvfIxHMELuDlEqgjkg+SAhh+UQEpv16F0WVxrYZ/EwxKFMBpfPv9M2NLZC98bav0D9g==,iv:uzYLfmxG46ubmgeFsfW7aqXZbcL+TQw0VdDcklV0/ZI=,tag:Ozcf5qXC7xh0VcsBzhyo2g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUHlSTzhndDRHOUd1WG41 + Wk9haEVmS3FlcFl5VUxRZUVDaENHcUpsYm04ClBJS3doOXRHUjhsMmIvck5ldy8y + VW9yb2NCRWZhNGNlZWlyRlk4NFJiTTgKLS0tIElLMFdiUU95ejNoUFl4US9DSWU5 + MUZWTVh0dVdMZlRzelJ4WlROUlIyNmcKphNuMN9Wh8h/gvmtUxQWjPKtgjWriLRD + +DpEEVGrmu0RJ8/wUqjxGoL4GzLAlZm4EnKlyUyA0tw8sbLZ2Lnl/w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-22T11:58:42Z" + mac: ENC[AES256_GCM,data:TuNvE51hpHvOjB3G2y7UCT8BvlI1ulc8aeeBihtnGiGDjwU1Eze1bdA47hZYCZsCYdo3Tow1gY0gCkJACKeWqUXMLT8jxcUfiUWqQicQhBm/TT9m+oqLQiAqJCkh1Ez8XuaftqIg+oJstyy4wZyvMK8Bg+9EsSYiBnMrKfrgLBs=,iv:GXy93l1BBkkeKXJ1ntFI6Rw6QZmSbzDlWClJ16/Csv4=,tag:jBYynl6tLL/xN61ypMwvrw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/hosts/queen/configuration.nix b/nixos/hosts/queen/configuration.nix index 393080c..77f34b3 100644 --- a/nixos/hosts/queen/configuration.nix +++ b/nixos/hosts/queen/configuration.nix 
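Review bot: The new `nixos/hosts/GLaDOS/secrets/sops.yaml` is encrypted to the single age recipient `age12e00qvf…`, the commit message says every host now reads the same key file, and the visible tail of the age stanza in the queen and shodan files further down is identical, which suggests one private key (and likely one reused data key) unwraps every host's secrets. Since this repository also holds queen's `wg-private`, `mssqlpass` and mail credentials, compromise of any one host's `/var/secrets/keys.txt` would expose all of them; a recipient per host in `.sops.yaml`, followed by `sops updatekeys` on each file, keeps a desktop compromise from decrypting the server's secrets. If a single shared identity is deliberate, a comment in the shared module should say so, e.g. `# one age identity is shared by every host: any host can decrypt every host's sops.yaml`.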
@@ -52,7 +52,6 @@ #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys sops.defaultSopsFile = ./secrets/sops.yaml; - sops.age.keyFile = ../../../../../var/secrets/keys.txt; nix = { gc = { diff --git a/nixos/hosts/queen/secrets/sops.yaml b/nixos/hosts/queen/secrets/sops.yaml index 1eba722..955740b 100644 --- a/nixos/hosts/queen/secrets/sops.yaml +++ b/nixos/hosts/queen/secrets/sops.yaml @@ -7,6 +7,7 @@ mssqlpass: ENC[AES256_GCM,data:XEu4bQC5qM5Cm8UDVX3qAzTuL/t3xbx+qcEbZM4h3Hg=,iv:j mailpassunhash: ENC[AES256_GCM,data:q/P3nrNLy3hCISDmalw94nzWIFhoCdCTyflj27D2Ltr8,iv:oAFna87l3sL/42ljUF1QsRL0xBrP82uYdKLxK/8HcQE=,tag:liFFGHbNPOpOHyMsjnvMOQ==,type:str] rpcSecret: ENC[AES256_GCM,data:gOuQSY2RI6rnSnG1,iv:xz1ueq4/UOKYBs5r9Tk4jL0+GyX8uo8I8ZymVgIMKLI=,tag:Fr8rWIttLz7X8Pri6FBJBQ==,type:str] wg-private: ENC[AES256_GCM,data:6BEuNqqG//p5UhRmQ4RPEze6jZdvzK4PEXxlbX2ANYIhFpacj0aZnCr9o/A=,iv:tPlwYdV4I5oA8qG+bfVi1Dpbf7xedByantqsmylZXKQ=,tag:k1BqKqlayOWz5QW1XiAjqQ==,type:str] +lillian-password: ENC[AES256_GCM,data:tc+Romv2fL+tdqLLmbwqaF4IHrNZ0VEpnECmW/66FW7IUpjHMyS7YP+pmmvDCzM9afIXMxyPFHGNRwiCmxqstiiNeSeLdo6rDw==,iv:sGeu9aNTgdpThv+0Z/nZKIrat1xNgM0t/KTGPaFbsdI=,tag:kZBHF4X0KO9znog61NwU+Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -22,8 +23,8 @@ sops: KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-04T21:18:00Z" - mac: ENC[AES256_GCM,data:ZHXg541BI94kwvLJ/CFHS7UauQN6LimqNK9rU60dil1RIArDy5xHtRki/p5uajKeGhM+Bv1t9SWAehk1n3U0PiynLGLm3npraIxItBPiRf7hyqDXmc8kG4U7BBcbIf3qvkvxVVd5auWfnPobKsRhKA+gC1Z11ylPqK37yIgK5Sw=,iv:EKacOHhgwjFDw2ioraxlyfXt89VpT+B4D/a/rC+ulNM=,tag:YvgctOLxmojg2uOAlKihkQ==,type:str] + lastmodified: "2024-02-22T11:53:17Z" + mac: ENC[AES256_GCM,data:bOrEW/yQIgJy7Jqfj/95jtXoIeEX2JNTvsnodkrtmtUQoY8Lczb47rTLpS0CM9Gh1Do38dvoNgWY08jXj3PVPO6s7Yy995ZbtgaR8n/G190PZ+p+i7EInv/OAJe/Xw4WcZlLs1XeKPashJmoX7qZi2fVPmu5UpYD1YiCMzZsWkQ=,iv:vjEJCDX8D4relmBJs569d+sklY1bUptWBjJVS7pKB70=,tag:xsQM3cDBkHymS9t9Qyyitg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/hosts/shodan/secrets/sops.yaml b/nixos/hosts/shodan/secrets/sops.yaml index 45ec605..21314df 100644 --- a/nixos/hosts/shodan/secrets/sops.yaml +++ b/nixos/hosts/shodan/secrets/sops.yaml @@ -1,4 +1,5 @@ pass: ENC[AES256_GCM,data:M7V75Q7I,iv:d59fWvFsEOOu8A+BSK0f2ZskX1SXHN1wA3EfGGsHp70=,tag:FLTogvUgI3HdKYWCJc/M1Q==,type:int] +lillian-password: ENC[AES256_GCM,data:w/1/aAcP0MXe7EUhZshMcksvyzewlvO2/0PncrSnCkHHrPl8RHWvyBqxIZDC/FHlpZOO77lIsdcQzK9ahjEc/crUmit5LZeYThP4pPyXTol3uh3RqtH1HXbeOEmBufw4Ln+yJwWXo2eK4w==,iv:jEuB/+U2xe3sP6UIK9OZZKd0RBr5W8f5y55h64pMME4=,tag:2ZzNt7Sn2LXfUMVMoaOxkw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,8 +15,8 @@ sops: KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-28T21:33:20Z" - mac: ENC[AES256_GCM,data:4tFAJCqCAfqlIGj7kDQ9uoUg7TgXYgogkm/h0nP6fuedKiV/CRmD8CbdWInesaDP276pggZbtUY9I92pV8bpJ2h+U07qihTo79ZTPTsObUHQrrc002ZiYwCtI+14t1+2KuTQNpEJsZxoECjG1R0mjg3Zv8MQ0wj6YpnEaGmXkC0=,iv:roPZJXFjB7lLK4RQcmQaNOq5RRCvguNO4O2iasgolEU=,tag:j7G0HvAx6XqrijyZcqntXQ==,type:str] + lastmodified: "2024-02-22T11:57:17Z" + mac: ENC[AES256_GCM,data:IpF786I/i4U0oQqY1sRQAGZkK0uxHZYpZ2Hse2dzenedbwVZEOmhA1foc0fffVMd26AOrSg323vnndIEl1WTuzmZBhFlUM3fwX38wbhDrAuUJfGiyLLBVsZshW2EjkGzkdpQo2otyLNjah5qLUTsss5dUKMIUbTKpwAdkiujiqE=,iv:sA6ROO538N+XcezZUSQxwer5dLd+lmlavTVeDxiVVJA=,tag:GZZLUp3ZiUW25Tdji0tZGg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix index 83e5295..92a9e7b 100644 --- a/nixos/hosts/wheatley/configuration.nix +++ b/nixos/hosts/wheatley/configuration.nix @@ -53,7 +53,6 @@ }; sops.defaultSopsFile = ./secrets/sops.yaml; - sops.age.keyFile = ../../../../../var/secrets/keys.txt; sops.secrets."wireless.env".mode = "0440"; sops.secrets."wireless.env".owner = config.users.users.root.name; diff --git a/nixos/hosts/wheatley/secrets/sops.yaml b/nixos/hosts/wheatley/secrets/sops.yaml index 94f8617..5594a50 100644 --- a/nixos/hosts/wheatley/secrets/sops.yaml +++ b/nixos/hosts/wheatley/secrets/sops.yaml @@ -1,4 +1,5 @@ wireless.env: ENC[AES256_GCM,data:a5sUW0Lc4GRd9aUJwHbmQvzvRB8WaRjMSQ==,iv:+3ncL38E3aqbejoCzzeBtMukLk4n/AQBJELlqhXDqSA=,tag:buY9Mp10DAEEEKqSyHwB3g==,type:str] +lillian-password: ENC[AES256_GCM,data:GY7WyfLRc/q4fecnazWzfoZsruN/F0ar7mJ9RaqTHSb9K6xhEmifmJeqpR5xGIJYW6MYciCsZ9YmRsJbuSHTIlo9PrCTYBGvXg==,iv:bzml3abPox3RdvtKBQiBAcVXHUdGAn0ETMsDpBtT8T0=,tag:2iaBJ4hFFBUbonslTvQH5Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,8 +15,8 @@ sops: Vm9mWk5JRGtZNVVhN1JQWTBlb2kySkEKoLI1MzS3uGNUbyn7kI5DylKZiPtc1div bKIboWoobTfDt0EURfmZ5+JrX6DlZxRyNQyl9dsKmZT6pLdaIppStA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-12T16:14:03Z" - mac: ENC[AES256_GCM,data:J/0+e7w8tcfsQ9xtWJifKYpWQLpLssjSgxMl/PdIyYuWKDKkF/dDr+joP7Evlk5Hg3dXL7ijGFgYVwUjhFzbgk9pUiHt0cvXj0hthgwUIUpQh42M6qKtxRaxP/Mp9Shb2CSwZfZ2GyXP4lJuMS76SDKo46xGdbejwlLPZ11oArA=,iv:rWrrB9VUxX3N2OSSep9SPfyl9Ke7hQVGkheazOrbis4=,tag:9fBYgtCoNm9Unv7ADJTb0Q==,type:str] + lastmodified: "2024-02-22T11:57:45Z" + mac: ENC[AES256_GCM,data:V9vscu55woZjJGFV3aDgdHKqmIopYw6cajdOHG1/45Qel6l5YJkt8VyLMzYlUOlFGatXBlfTB7VC9zhhaY4lduww2XLrARcTk61BT+GSHp5sawND+RIDghY6CJBuoPUbtsfmmlmg+J2DljBlSbrcVmvfjMV12Ql6Zb8PEPM9K68=,iv:TFrDt1XpuIFLUyDN6+8n+0OypBkr1OrZOmXWvnY9ApI=,tag:EfsFhToEGFCZJSXh0WBrIw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/shared/default.nix b/nixos/shared/default.nix index b7e9f15..db6995d 100644 --- a/nixos/shared/default.nix +++ b/nixos/shared/default.nix @@ -10,6 +10,7 @@ ./locale ./packages ]; + sops.age.keyFile = ../../../../../../var/secrets/keys.txt; sops.secrets."lillian-password".neededForUsers = true; users.users.lillian = { From b911aec529025aa13115e93ca8a7d5a89989d912 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 13:03:52 +0100 Subject: [PATCH 15/27] Shodan had a keyfile set that isn't right --- nixos/hosts/shodan/configuration.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/hosts/shodan/configuration.nix b/nixos/hosts/shodan/configuration.nix index c44bca5..f620539 100644 --- a/nixos/hosts/shodan/configuration.nix +++ b/nixos/hosts/shodan/configuration.nix @@ -52,7 +52,6 @@ #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys sops.defaultSopsFile = ./secrets/sops.yaml; - sops.age.keyFile = ./keys.txt; nix = { gc = { From 6d32c58490787008d56224b572c5b6199da920b5 Mon Sep 17 00:00:00 2001 
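Review bot: `sops.age.keyFile = ../../../../../../var/secrets/keys.txt;` is a Nix path literal walked up from `nixos/shared/`, and it lands on `/var/secrets/keys.txt` only because `..` stops at `/`; the per-host lines this replaces used five `..` (queen, wheatley) against six (GLaDOS), which shows the count was never load-bearing. A path literal is also a store-copy candidate: if sops-nix coerces the value to a string when writing its manifest, the age private key would either be copied into the world-readable `/nix/store` or, under pure flake evaluation, be rejected as an out-of-tree path, whereas a plain string has neither problem. Use the absolute string form sops-nix documents: `sops.age.keyFile = "/var/secrets/keys.txt";`. Separately, the README hunk in this series tells operators to protect that file with `chown 400 /var/secrets/keys.txt`; `chown` takes an owner, so the intended restriction is `chown root:root /var/secrets/keys.txt && chmod 400 /var/secrets/keys.txt`.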
From: Lillian-Violet Date: Thu, 22 Feb 2024 13:06:08 +0100 Subject: [PATCH 16/27] Wheatley used the old format for importing shared, fixed --- nixos/hosts/wheatley/configuration.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix index 92a9e7b..397e430 100644 --- a/nixos/hosts/wheatley/configuration.nix +++ b/nixos/hosts/wheatley/configuration.nix @@ -15,11 +15,8 @@ ./armv7l.nix ./hardware-configuration.nix - # Import locale settings - ../../shared/locale - - # Import shared packages - ../../shared/packages + # Import shared configurations + ../../shared ]; boot.loader.generic-extlinux-compatible.enable = true; From eba73661ad17f7b758b4bd568e3b7772424a3ca9 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 13:17:43 +0100 Subject: [PATCH 17/27] Use yescrypt for shodan too --- nixos/hosts/shodan/secrets/sops.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/hosts/shodan/secrets/sops.yaml b/nixos/hosts/shodan/secrets/sops.yaml index 21314df..cdc6591 100644 --- a/nixos/hosts/shodan/secrets/sops.yaml +++ b/nixos/hosts/shodan/secrets/sops.yaml @@ -1,5 +1,5 @@ pass: ENC[AES256_GCM,data:M7V75Q7I,iv:d59fWvFsEOOu8A+BSK0f2ZskX1SXHN1wA3EfGGsHp70=,tag:FLTogvUgI3HdKYWCJc/M1Q==,type:int] -lillian-password: ENC[AES256_GCM,data:w/1/aAcP0MXe7EUhZshMcksvyzewlvO2/0PncrSnCkHHrPl8RHWvyBqxIZDC/FHlpZOO77lIsdcQzK9ahjEc/crUmit5LZeYThP4pPyXTol3uh3RqtH1HXbeOEmBufw4Ln+yJwWXo2eK4w==,iv:jEuB/+U2xe3sP6UIK9OZZKd0RBr5W8f5y55h64pMME4=,tag:2ZzNt7Sn2LXfUMVMoaOxkw==,type:str] +lillian-password: ENC[AES256_GCM,data:uPNBvMyhkiX3eedduFlsFUIcas/VBVSYrsmGTlgGUOzTQST59CYZRoq0ArphIJ3+Usy6KbR5tA5FCp4PoB3qVYBfjlAq6dhZIw==,iv:TiUIo2lvdL6SiDuW4gWn0TeJXkz5MldzqGxuK3MNPnE=,tag:d3p/h+q50JxygDtk2qxIeQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -15,8 +15,8 @@ sops: KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-22T11:57:17Z" - mac: ENC[AES256_GCM,data:IpF786I/i4U0oQqY1sRQAGZkK0uxHZYpZ2Hse2dzenedbwVZEOmhA1foc0fffVMd26AOrSg323vnndIEl1WTuzmZBhFlUM3fwX38wbhDrAuUJfGiyLLBVsZshW2EjkGzkdpQo2otyLNjah5qLUTsss5dUKMIUbTKpwAdkiujiqE=,iv:sA6ROO538N+XcezZUSQxwer5dLd+lmlavTVeDxiVVJA=,tag:GZZLUp3ZiUW25Tdji0tZGg==,type:str] + lastmodified: "2024-02-22T12:17:27Z" + mac: ENC[AES256_GCM,data:JYOxnbBK2Uj/TH9Pc6gFf0xE82lD726Jm2R7fz4WYM3pAeYoeauRVU0YoxKhOHmAjAq9ZyHZVdWg3bSMMEz9ONz/F6LZiI5qegT+SO3uAPaTRwUa639G6RGO5b86LIRPuXBw5sdePeoxDt62rOiT6UhySK5XiEysEv5NyQFijlw=,iv:1pbuTtnRbaNKRn73NLZ+s3ZW2sGAc80tRd2QWTR4688=,tag:YndVhpjQC1aUBhmv7d/4+A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From f2ff58d622c4881bf3f234ec6f0f2d4639f5f2b9 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 14:35:08 +0100 Subject: [PATCH 18/27] Clarified with a comment here --- nixos/hosts/queen/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/hosts/queen/configuration.nix b/nixos/hosts/queen/configuration.nix index 77f34b3..e0542b0 100644 --- a/nixos/hosts/queen/configuration.nix +++ b/nixos/hosts/queen/configuration.nix @@ -21,7 +21,7 @@ # Import shared settings ../../shared - #../../server/package-configs/akkoma/configuration.nix + # Import server settings ../../server ]; From 5e61dfeb352e6fb3e2e85f1146ae0b3c73bc8a83 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 14:44:50 +0100 Subject: [PATCH 19/27] Clarified the readme documentation --- README.md | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 5dfb5df..66f29af 100644 --- a/README.md +++ b/README.md 
@@ -6,10 +6,18 @@ The configuration of different NixOS hosts using flakes and home-manager. It is ## Building and deploying the configuration -The first step is to add your age keyfile to the /nix/var/secrets folder with the name "keys.txt" (if you don't have one, remove the imports from the configuration files; the import can be found under -``hosts//configuration.nix``). +The first step is to add your age keyfile to the /var/secrets folder with the name "keys.txt", in my case an age private key. If you don't have have an age private key you can generate one with the command +``age-keygen -o /var/secrets/keys.txt`` -Then run this command within your cloned github repo (I put mine in /etc/nixos): +**Note: make sure this key is not readable by normal users, I made it owned by root, and gave the file 400 (read only for user) permissions. eg: ``chown 400 /var/secrets/keys.txt``** + +if you don't want to use sops remove the import from the configuration files; the import can be found under +``hosts/shared/default.nix`` + +Upon any of the above changes; also remove/replace the secret files, they can be found under the host configuration folders in +``hosts//secrets/sops.yaml`` + +Then run this command with your cloned github repo (I put mine in /etc/nixos): ``sudo nixos-rebuild --flake .# switch`` 
@@ -33,10 +41,10 @@ Note: this does not build the full configuration, and errors might still happen ## Technical details -### Home manager +### Home manager[https://github.com/nix-community/home-manager] Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration. -### Sops +### Sops[https://github.com/Mic92/sops-nix] The secrets are managed in sops files within the hosts folders, there is only one sops file per host, but this can be changed quite easily. The command to edit the sops file is as follows: ``nix-shell -p sops --run "sops ./nixos/hosts//secrets/sops.yaml"`` From 1fbaabe861811f25fbe062342d1f4daa0bb756d0 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 14:46:08 +0100 Subject: [PATCH 20/27] Made sure this is clear too --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 66f29af..ee2846f 100644 --- a/README.md +++ b/README.md 
@@ -6,7 +6,7 @@ The configuration of different NixOS hosts using flakes and home-manager. It is ## Building and deploying the configuration -The first step is to add your age keyfile to the /var/secrets folder with the name "keys.txt", in my case an age private key. If you don't have have an age private key you can generate one with the command +If you do not have my private age key, the first step is to add your age keyfile to the /var/secrets folder with the name "keys.txt", in my case an age private key. If you don't have have an age private key you can generate one with the command ``age-keygen -o /var/secrets/keys.txt`` **Note: make sure this key is not readable by normal users, I made it owned by root, and gave the file 400 (read only for user) permissions. eg: ``chown 400 /var/secrets/keys.txt``** From a824b3c1a485880521a88b8550d5178be477f259 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 14:53:31 +0100 Subject: [PATCH 21/27] Add lanzaboot explanation --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ee2846f..64ced50 100644 --- a/README.md +++ b/README.md 
@@ -17,6 +17,12 @@ if you don't want to use sops remove the import from the configuration files; th Upon any of the above changes; also remove/replace the secret files, they can be found under the host configuration folders in ``hosts//secrets/sops.yaml`` +For the hosts EDI and GLaDOS, [lanzaboot](https://github.com/nix-community/lanzaboote) has to be disabled (and re-enabled if you want secure boot after install). You can first replace enabling lanzaboot with systemd-boot. You can do this by commenting out the lanzaboot configuration, and replace the line + + ``boot.loader.systemd-boot.enable = lib.mkForce false;`` with ``boot.loader.systemd-boot.enable = true`` + + To turn secure boot back on again you can look at the [lanzaboot](https://github.com/nix-community/lanzaboote) repository and follow the install steps. + Then run this command with your cloned github repo (I put mine in /etc/nixos): ``sudo nixos-rebuild --flake .# switch`` @@ -41,10 +47,10 @@ Note: this does not build the full configuration, and errors might still happen ## Technical details -### Home manager[https://github.com/nix-community/home-manager] +### [Home manager](https://github.com/nix-community/home-manager) Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration. -### Sops[https://github.com/Mic92/sops-nix] +### [Sops](https://github.com/Mic92/sops-nix) The secrets are managed in sops files within the hosts folders, there is only one sops file per host, but this can be changed quite easily. The command to edit the sops file is as follows: ``nix-shell -p sops --run "sops ./nixos/hosts//secrets/sops.yaml"`` From cd29e813f33bb6e1d17ff399fcc1ba8d3ba06bed Mon Sep 17 00:00:00 2001 
From: Lillian-Violet Date: Thu, 22 Feb 2024 14:56:45 +0100 Subject: [PATCH 22/27] Clarity as to where sops looks for files --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 64ced50..ad6b592 100644 --- a/README.md +++ b/README.md @@ -7,11 +7,12 @@ The configuration of different NixOS hosts using flakes and home-manager. It is ## Building and deploying the configuration If you do not have my private age key, the first step is to add your age keyfile to the /var/secrets folder with the name "keys.txt", in my case an age private key. If you don't have have an age private key you can generate one with the command -``age-keygen -o /var/secrets/keys.txt`` + +``age-keygen -o ~/.config/sops/age/keys.txt`` and copying this file to ``/var/secrets/`` **Note: make sure this key is not readable by normal users, I made it owned by root, and gave the file 400 (read only for user) permissions. eg: ``chown 400 /var/secrets/keys.txt``** -if you don't want to use sops remove the import from the configuration files; the import can be found under +if you don't want to use [Sops](https://github.com/Mic92/sops-nix) secret management remove the import from the configuration files; the import can be found under ``hosts/shared/default.nix`` Upon any of the above changes; also remove/replace the secret files, they can be found under the host configuration folders in From dd377bc1a5673bb09eda50172f14bf050361f3c9 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 14:57:20 +0100 Subject: [PATCH 23/27] small s, that would bother me --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ad6b592..44b3f5b 100644 --- a/README.md +++ b/README.md 
@@ -12,7 +12,7 @@ If you do not have my private age key, the first step is to add your age keyfile **Note: make sure this key is not readable by normal users, I made it owned by root, and gave the file 400 (read only for user) permissions. eg: ``chown 400 /var/secrets/keys.txt``** -if you don't want to use [Sops](https://github.com/Mic92/sops-nix) secret management remove the import from the configuration files; the import can be found under +if you don't want to use [sops](https://github.com/Mic92/sops-nix) secret management remove the import from the configuration files; the import can be found under ``hosts/shared/default.nix`` Upon any of the above changes; also remove/replace the secret files, they can be found under the host configuration folders in From d589e1d4be887d14b452673bf3694c5dc6a717a2 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 14:58:32 +0100 Subject: [PATCH 24/27] Remove some unecessary whitespace --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 44b3f5b..31f5291 100644 --- a/README.md +++ b/README.md 
@@ -20,9 +20,9 @@ Upon any of the above changes; also remove/replace the secret files, they can be For the hosts EDI and GLaDOS, [lanzaboot](https://github.com/nix-community/lanzaboote) has to be disabled (and re-enabled if you want secure boot after install). You can first replace enabling lanzaboot with systemd-boot. You can do this by commenting out the lanzaboot configuration, and replace the line - ``boot.loader.systemd-boot.enable = lib.mkForce false;`` with ``boot.loader.systemd-boot.enable = true`` +``boot.loader.systemd-boot.enable = lib.mkForce false;`` with ``boot.loader.systemd-boot.enable = true`` - To turn secure boot back on again you can look at the [lanzaboot](https://github.com/nix-community/lanzaboote) repository and follow the install steps. +To turn secure boot back on again you can look at the [lanzaboot](https://github.com/nix-community/lanzaboote) repository and follow the install steps. Then run this command with your cloned github repo (I put mine in /etc/nixos): From 125d119e18cf6cb2d6d54cff21b73afa604d23ca Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 15:22:45 +0100 Subject: [PATCH 25/27] Add tpm tools --- nixos/desktop/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index 6ccf2db..a64fd82 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -73,6 +73,7 @@ podman podman-compose sbctl + tpm2-tools waydroid xwaylandvideobridge yubikey-personalization From 5b296e8157beb164c72cc727c2078a40418ad0ed Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 15:24:39 +0100 Subject: [PATCH 26/27] tss libraries too --- nixos/desktop/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index a64fd82..9f57185 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix 
@@ -74,6 +74,7 @@ podman-compose sbctl tpm2-tools + tpm2-tss waydroid xwaylandvideobridge yubikey-personalization From b1e4af16d8ced4899dd14d0dfdfd6d780e9bc492 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Thu, 22 Feb 2024 15:31:14 +0100 Subject: [PATCH 27/27] Settings needed according to https://nixos.wiki/wiki/TPM --- nixos/desktop/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index 9f57185..45b5a7c 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -170,6 +170,11 @@ dockerCompat = true; }; + security.tpm2.enable = true; + security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices + boot.bootspec.enable = true; boot.kernelPackages = pkgs.linuxPackages_latest; boot.supportedFilesystems = ["bcachefs"];
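Review bot: `users.users.lillian.extraGroups = ["tss"];` puts the interactive desktop user in the group that owns the TPM device nodes, and the trailing comment understates what that grants. A group member can send arbitrary commands through `/dev/tpmrm0` (where `tctiEnvironment` points the tools), including deliberately failed authorizations that trip the dictionary-attack lockout on any sealed object, and depending on the udev rules `security.tpm2` installs may also reach raw `/dev/tpm0`, bypassing the kernel resource manager. That is a reasonable trade-off on a single-user machine with no TPM-sealed secrets, but say so: `# tss = direct TPM access for this user; revisit before enrolling TPM-sealed secrets (e.g. LUKS unlock)`. Because this lives in `nixos/desktop/default.nix` it applies to every host importing the desktop module, not only the one the wiki steps were followed on; after switching, `ls -l /dev/tpm*` shows which nodes are actually group-accessible.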