From dd9348b67269b66e478510d4b0250fa5a47798e7 Mon Sep 17 00:00:00 2001 From: Lillian-Violet Date: Wed, 20 Mar 2024 19:42:38 +0100 Subject: [PATCH] Try this iso, remove all references to bcachefs from shodan --- flake.nix | 24 +++-- home-manager/hosts/iso/default.nix | 13 +++ home-manager/hosts/iso/lillian.nix | 29 +++++++ nixos/hosts/iso/configuration.nix | 135 +++++++++++++++++++++++++++++ nixos/hosts/iso/secrets/sops.yaml | 21 +++++ 5 files changed, 214 insertions(+), 8 deletions(-) create mode 100644 home-manager/hosts/iso/default.nix create mode 100644 home-manager/hosts/iso/lillian.nix create mode 100644 nixos/hosts/iso/configuration.nix create mode 100644 nixos/hosts/iso/secrets/sops.yaml diff --git a/flake.nix b/flake.nix index 1016c5d..13ef2c0 100644 --- a/flake.nix +++ b/flake.nix @@ -84,6 +84,7 @@ linger, pihole, lanzaboote, + jovian, nixos-hardware, conduit, ... @@ -134,9 +135,7 @@ } ]; }; - }; - nixosConfigurations = { GLaDOS = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = {inherit inputs outputs;}; @@ -152,9 +151,7 @@ } ]; }; - }; - nixosConfigurations = { queen = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = {inherit inputs outputs;}; @@ -166,9 +163,7 @@ simple-nixos-mailserver.nixosModule ]; }; - }; - nixosConfigurations = { shodan = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = {inherit inputs outputs;}; 
@@ -178,15 +173,28 @@ sops-nix.nixosModules.sops lanzaboote.nixosModules.lanzaboote disko.nixosModules.disko + jovian.nixosModules.jovian + home-manager.nixosModules.home-manager + { + home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager]; + } + ]; + }; + + ISO = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [ + "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix" + "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix" + ./nixos/hosts/iso/configuration.nix + sops-nix.nixosModules.sops home-manager.nixosModules.home-manager { home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager]; } ]; }; - }; - nixosConfigurations = { wheatley = nixpkgs.lib.nixosSystem { system = "armv7l-linux"; specialArgs = {inherit inputs outputs;}; diff --git a/home-manager/hosts/iso/default.nix b/home-manager/hosts/iso/default.nix new file mode 100644 index 0000000..c17b81a --- /dev/null +++ b/home-manager/hosts/iso/default.nix @@ -0,0 +1,13 @@ +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + # You can import other home-manager modules here + imports = [ + ./lillian.nix + ]; +} diff --git a/home-manager/hosts/iso/lillian.nix b/home-manager/hosts/iso/lillian.nix new file mode 100644 index 0000000..d6a4544 --- /dev/null +++ b/home-manager/hosts/iso/lillian.nix 
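Review bot: The new `ISO` entry omits `system = "x86_64-linux";` while every other `nixosSystem` call visible in this hunk sets it; with recent nixpkgs that is only valid when a module sets `nixpkgs.hostPlatform`, and nothing in this patch does, so evaluation will likely fail unless `../../shared` supplies it — adding `system = "x86_64-linux";` next to `specialArgs` matches the other hosts. `home-manager.nixosModules.home-manager` is also listed here and again in the `imports` of `nixos/hosts/iso/configuration.nix`; drop one of them so the installer image has a single source for that module. The enclosing `nixosConfigurations` attribute set begins before this hunk.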
@@ -0,0 +1,29 @@ +# This is your home-manager configuration file +# Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix) +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + # You can import other home-manager modules here + imports = [ + # If you want to use modules your own flake exports (from modules/home-manager): + # outputs.homeManagerModules.example + + # Or modules exported from other flakes (such as nix-colors): + # inputs.nix-colors.homeManagerModules.default + + # You can also split up your configuration and import pieces of it here: + # ./nvim.nix + ../../desktop + ]; + + home.packages = with pkgs; [ + ]; + + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + home.stateVersion = "24.05"; +} diff --git a/nixos/hosts/iso/configuration.nix b/nixos/hosts/iso/configuration.nix new file mode 100644 index 0000000..3f4d419 --- /dev/null +++ b/nixos/hosts/iso/configuration.nix 
@@ -0,0 +1,135 @@ +{ + inputs, + outputs, + lib, + config, + pkgs, + nixpkgs-stable, + ... +}: { + imports = [ + # If you want to use modules your own flake exports (from modules/home-manager): + # outputs.homeManagerModules.example + # outputs.nixosModules.contabo.wan + inputs.home-manager.nixosModules.home-manager + # Or modules exported from other flakes (such as nix-colors): + # inputs.nix-colors.homeManagerModules.defaults + + # Import shared settings + ../../shared + ]; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = false; + networking.domain = ""; + services.openssh = { + enable = true; + # require public key authentication for better security + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + settings.PermitRootLogin = "no"; + }; + + nixpkgs = { + # You can add overlays here + overlays = [ + ]; + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + }; + }; + + #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys + sops.defaultSopsFile = ./secrets/sops.yaml; + + environment.systemPackages = with pkgs; [ + # Custom tools + dvd + dvt + servo + restart + install-nix + + # System tools + aha + direnv + efitools + git-filter-repo + gnupg + pciutils + sbctl + tpm2-tools + tpm2-tss + waydroid + zsh + + # KDE/QT + krunner-translator + kdePackages.discover + kdePackages.kcalc + kdePackages.kdepim-addons + kdePackages.kirigami + kdePackages.kdeconnect-kde + # kdePackages.krunner-ssh + # kdePackages.krunner-symbols + kdePackages.packagekit-qt + kdePackages.plasma-pa + kdePackages.sddm-kcm + kdePackages.dolphin-plugins + libportal-qt5 + libportal + ]; + + # Enable networking + networking.networkmanager.enable = true; + + # Contabo ipv6 nameservers: "2a02:c207::1:53" "2a02:c207::2:53" + + networking.firewall.enable = true; + + networking.firewall.allowedTCPPorts = [22]; + + programs.kdeconnect.enable = true; + + # 
Configure keymap in X11 + services.xserver.xkb = { + layout = "us"; + variant = ""; + options = "terminate:ctrl_alt_bksp,compose:caps_toggle"; + }; + + # Enable bluetooth hardware + hardware.bluetooth.enable = true; + + security.tpm2.enable = true; + security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices + + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + + programs.git = { + enable = true; + }; + + programs.direnv = { + enable = true; + }; + + # Enable completion of system packages by zsh + environment.pathsToLink = ["/share/zsh"]; + + home-manager = { + extraSpecialArgs = {inherit inputs outputs;}; + users = { + # Import your home-manager configuration + lillian = import ../../../home-manager/hosts/iso; + }; + }; + + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + system.stateVersion = "unstable"; +} diff --git a/nixos/hosts/iso/secrets/sops.yaml b/nixos/hosts/iso/secrets/sops.yaml new file mode 100644 index 0000000..92548c8 --- /dev/null +++ b/nixos/hosts/iso/secrets/sops.yaml 
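Review bot: `settings.PermitRootLogin = "no"` is a plain assignment, but the installer profile pulled in by `installation-cd-graphical-calamares-plasma6.nix` also defines `services.openssh` values for the live image; if that definition is not `mkDefault`, the two conflict and evaluation fails, so write `settings.PermitRootLogin = lib.mkForce "no";` (and likewise `settings.PasswordAuthentication = lib.mkForce false;`) so the hardened values win regardless of the profile. `sops.defaultSopsFile` points at a file holding `lillian-password`, yet this hunk declares no `sops.secrets.lillian-password`, no `sops.age.keyFile`/`sshKeyPaths` source, and no `users.users.lillian.hashedPasswordFile`; a live ISO has no persistent host key to derive an age identity from, so either declare the key source explicitly or drop the sops block from the installer. `users.users.lillian` is only extended with `extraGroups` here, so `home-manager.users.lillian` depends on `../../shared` declaring the user — a comment such as `# user lillian is declared in ../../shared` would make that dependency visible. `system.stateVersion = "unstable"` is not a release string; the home-manager side of this patch uses `"24.05"`, and the same value here keeps version-gated defaults predictable.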
@@ -0,0 +1,21 @@ +lillian-password: ENC[AES256_GCM,data:eQzZwGxK9Lw2gc8HDNw57odxPzTH4sa/2O97h3VAghRwLClmCYKT91kxj2F3kQ4iEctBl0GxdS4WoL3H9eE4/CAPffXdTmkdYg==,iv:2ezB4DNHFv5ceJ2gtATV12Azm3vFFDLX1qSSy+cKuMY=,tag:zxb5agUCDpi92bYV7+DmoA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbVd5bkxmV2FSNDVCWXN1 + RGxwdVZ5ZEROQTZ1d2ptU1RJc0dTUVlVOTE4CjhjeklubEhwUFgydkFWbDJkcU1U + VnowU29NSG10a3VKbXk3RWNWY0FwZ1EKLS0tIDJYMXhGeXArRnZ1NmQwQ3NqVHdM + dXlaN3dWOUl4Mys2V0x3Z3F6UVU4MVUKEJYpX8XhSNcM+7aUuxnIwrokY0/29Cnh + yz0HAZkaj8FwvnPnafo5jmwVyi6WXECvX5E0NZfjKH4AF5vTu6Wukg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-20T18:17:48Z" + mac: ENC[AES256_GCM,data:3UHIoYPHC6n56CHguOVuoFd9VwCjGiD9VCYy2d5W+4XQEZpjnONX8fhwwWRm42COymz89tmqDmpDp88BnSU8uE14IaCIUoxfCaRiZtjAiHjouua2jr50aUV56pwyan8ZiiOjP8oP1VY/tsv1w0jWI9TjSTHvCdNLR8XEcf6bCrk=,iv:/lBJdkQgwZyiztQ9vSoHgY+WxXJKHFI93dxtOSunHNo=,tag:lLwrSdzoN9CzmyIdLOe5ig==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1
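Review bot: This secrets file is encrypted to a single age recipient, and the installer image this patch builds has no persistent SSH host key from which sops-nix can derive an age identity, so the private key matching `age12e00qvf…` must be supplied to the booted ISO (for example via `sops.age.keyFile` on removable media) or `lillian-password` will never decrypt. Do not bake that private key into the ISO itself: the image is a distributable artifact, and anyone holding it could recover the password hash. Keeping the secret encrypted in the repository is fine as-is; only the key handling on the live system needs a decision.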