Try this iso, remove all references to bcachefs from shodan

2024-03-20 19:42:38 +01:00 · 2024-03-20 19:42:38 +01:00 · dd9348b672
commit dd9348b672
parent 708e4fbefc
5 changed files with 214 additions and 8 deletions
--- a/flake.nix
+++ b/flake.nix
@ -84,6 +84,7 @@
    linger,
    pihole,
    lanzaboote,
+    jovian,
    nixos-hardware,
    conduit,
    ...
@ -134,9 +135,7 @@
          }
        ];
      };
-    };

-    nixosConfigurations = {
      GLaDOS = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs = {inherit inputs outputs;};
@ -152,9 +151,7 @@
          }
        ];
      };
-    };

-    nixosConfigurations = {
      queen = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs = {inherit inputs outputs;};
@ -166,9 +163,7 @@
          simple-nixos-mailserver.nixosModule
        ];
      };
-    };

-    nixosConfigurations = {
      shodan = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs = {inherit inputs outputs;};
@ -178,15 +173,28 @@
          sops-nix.nixosModules.sops
          lanzaboote.nixosModules.lanzaboote
          disko.nixosModules.disko
+          jovian.nixosModules.jovian
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
+          }
+        ];
+      };
+
+      ISO = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs;};
+        modules = [
+          "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix"
+          "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
+          ./nixos/hosts/iso/configuration.nix
+          sops-nix.nixosModules.sops
          home-manager.nixosModules.home-manager
          {
            home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
          }
        ];
      };
-    };

-    nixosConfigurations = {
      wheatley = nixpkgs.lib.nixosSystem {
        system = "armv7l-linux";
        specialArgs = {inherit inputs outputs;};
--- a/home-manager/hosts/iso/default.nix
+++ b/home-manager/hosts/iso/default.nix
@ -0,0 +1,13 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  # You can import other home-manager modules here
+  imports = [
+    ./lillian.nix
+  ];
+}
--- a/home-manager/hosts/iso/lillian.nix
+++ b/home-manager/hosts/iso/lillian.nix
@ -0,0 +1,29 @@
+# This is your home-manager configuration file
+# Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix)
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  # You can import other home-manager modules here
+  imports = [
+    # If you want to use modules your own flake exports (from modules/home-manager):
+    # outputs.homeManagerModules.example
+
+    # Or modules exported from other flakes (such as nix-colors):
+    # inputs.nix-colors.homeManagerModules.default
+
+    # You can also split up your configuration and import pieces of it here:
+    # ./nvim.nix
+    ../../desktop
+  ];
+
+  home.packages = with pkgs; [
+  ];
+
+  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+  home.stateVersion = "24.05";
+}
--- a/nixos/hosts/iso/configuration.nix
+++ b/nixos/hosts/iso/configuration.nix
@ -0,0 +1,135 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  nixpkgs-stable,
+  ...
+}: {
+  imports = [
+    # If you want to use modules your own flake exports (from modules/home-manager):
+    # outputs.homeManagerModules.example
+    # outputs.nixosModules.contabo.wan
+    inputs.home-manager.nixosModules.home-manager
+    # Or modules exported from other flakes (such as nix-colors):
+    # inputs.nix-colors.homeManagerModules.defaults
+
+    # Import shared settings
+    ../../shared
+  ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = false;
+  networking.domain = "";
+  services.openssh = {
+    enable = true;
+    # require public key authentication for better security
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+    settings.PermitRootLogin = "no";
+  };
+
+  nixpkgs = {
+    # You can add overlays here
+    overlays = [
+    ];
+    # Configure your nixpkgs instance
+    config = {
+      # Disable if you don't want unfree packages
+      allowUnfree = true;
+    };
+  };
+
+  #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
+  sops.defaultSopsFile = ./secrets/sops.yaml;
+
+  environment.systemPackages = with pkgs; [
+    # Custom tools
+    dvd
+    dvt
+    servo
+    restart
+    install-nix
+
+    # System tools
+    aha
+    direnv
+    efitools
+    git-filter-repo
+    gnupg
+    pciutils
+    sbctl
+    tpm2-tools
+    tpm2-tss
+    waydroid
+    zsh
+
+    # KDE/QT
+    krunner-translator
+    kdePackages.discover
+    kdePackages.kcalc
+    kdePackages.kdepim-addons
+    kdePackages.kirigami
+    kdePackages.kdeconnect-kde
+    # kdePackages.krunner-ssh
+    # kdePackages.krunner-symbols
+    kdePackages.packagekit-qt
+    kdePackages.plasma-pa
+    kdePackages.sddm-kcm
+    kdePackages.dolphin-plugins
+    libportal-qt5
+    libportal
+  ];
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  # Contabo ipv6 nameservers: "2a02:c207::1:53" "2a02:c207::2:53"
+
+  networking.firewall.enable = true;
+
+  networking.firewall.allowedTCPPorts = [22];
+
+  programs.kdeconnect.enable = true;
+
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+    options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
+  };
+
+  # Enable bluetooth hardware
+  hardware.bluetooth.enable = true;
+
+  security.tpm2.enable = true;
+  security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+  security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  programs.git = {
+    enable = true;
+  };
+
+  programs.direnv = {
+    enable = true;
+  };
+
+  # Enable completion of system packages by zsh
+  environment.pathsToLink = ["/share/zsh"];
+
+  home-manager = {
+    extraSpecialArgs = {inherit inputs outputs;};
+    users = {
+      # Import your home-manager configuration
+      lillian = import ../../../home-manager/hosts/iso;
+    };
+  };
+
+  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+  system.stateVersion = "unstable";
+}
--- a/nixos/hosts/iso/secrets/sops.yaml
+++ b/nixos/hosts/iso/secrets/sops.yaml
@ -0,0 +1,21 @@
+lillian-password: ENC[AES256_GCM,data:eQzZwGxK9Lw2gc8HDNw57odxPzTH4sa/2O97h3VAghRwLClmCYKT91kxj2F3kQ4iEctBl0GxdS4WoL3H9eE4/CAPffXdTmkdYg==,iv:2ezB4DNHFv5ceJ2gtATV12Azm3vFFDLX1qSSy+cKuMY=,tag:zxb5agUCDpi92bYV7+DmoA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbVd5bkxmV2FSNDVCWXN1
+            RGxwdVZ5ZEROQTZ1d2ptU1RJc0dTUVlVOTE4CjhjeklubEhwUFgydkFWbDJkcU1U
+            VnowU29NSG10a3VKbXk3RWNWY0FwZ1EKLS0tIDJYMXhGeXArRnZ1NmQwQ3NqVHdM
+            dXlaN3dWOUl4Mys2V0x3Z3F6UVU4MVUKEJYpX8XhSNcM+7aUuxnIwrokY0/29Cnh
+            yz0HAZkaj8FwvnPnafo5jmwVyi6WXECvX5E0NZfjKH4AF5vTu6Wukg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-20T18:17:48Z"
+    mac: ENC[AES256_GCM,data:3UHIoYPHC6n56CHguOVuoFd9VwCjGiD9VCYy2d5W+4XQEZpjnONX8fhwwWRm42COymz89tmqDmpDp88BnSU8uE14IaCIUoxfCaRiZtjAiHjouua2jr50aUV56pwyan8ZiiOjP8oP1VY/tsv1w0jWI9TjSTHvCdNLR8XEcf6bCrk=,iv:/lBJdkQgwZyiztQ9vSoHgY+WxXJKHFI93dxtOSunHNo=,tag:lLwrSdzoN9CzmyIdLOe5ig==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1