Gabe/nix-config
1
0
Fork 0
Code Issues 12 Pull requests Projects Releases Packages Wiki Activity

inital steps into sops-nix. figured out ssh pubkey management.

Browse source
This commit is contained in:
Gabe Venberg 2024-05-31 21:05:06 -05:00
parent a04727757b
commit 3d9e197056
11 changed files with 117 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

22
configs/home-manager/sops.nix Normal file
View file

@ -0,0 +1,22 @@
{
config,
pkgs,
lib,
inputs,
...
}: let
secretsPath = builtins.toString inputs.nix-secrets;
in {
imports = [
inputs.sops-nix.homeManagerModules.sops
];
sops={
defaultSopsFile="${secretsPath}/secrets.yaml";
age={
sshKeyPaths=["${config.home.homeDirectory}/keys/age/master.txt"];
keyFile="/var/lib/sops-nix/key.txt";
generateKey=true;
};
};
}

18
flake.lock generated
View file

@ -237,6 +237,23 @@
"type": "github"
}
},
"nix-secrets": {
"flake": false,
"locked": {
"lastModified": 1717206943,
"narHash": "sha256-TtBaZMGhA8fkQbt/RKJml992JFr/sdz4gqdIJeu6ltk=",
"ref": "refs/heads/main",
"rev": "3e19bf8fce17779c5f6fce5f8f894de8a5193fa2",
"shallow": true,
"type": "git",
"url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
},
"original": {
"shallow": true,
"type": "git",
"url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
}
},
"nixos-wsl": {
"inputs": {
"flake-compat": [
@ -361,6 +378,7 @@
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"nix-secrets": "nix-secrets",
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs",
"nixvim": "nixvim",

25
flake.nix
View file

@ -42,6 +42,12 @@
inputs.nixpkgs.follows = "nixpkgs";
};
nix-secrets = {
url = "git+ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git?shallow=1";
# url = "git+https://git.venberg.xyz/Gabe/nix-secrets.git?shallow=1";
flake = false;
};
# just for follows statements
flake-utils.url = "github:numtide/flake-utils";
flake-compat.url = "github:edolstra/flake-compat";
@ -58,6 +64,8 @@
"x86_64-linux"
"aarch64-linux"
];
inherit (nixpkgs) lib;
configLib=import ./lib {inherit lib;};
in {
formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
@ -69,9 +77,6 @@
packages = with pkgs; [
just
deploy-rs.packages.${system}.deploy-rs
age
ssh-to-age
sops
];
};
}
@ -82,18 +87,18 @@
# NixOS configuration entrypoint
# Available through 'nixos-rebuild --flake .#your-hostname'
nixosConfigurations = {
archlaptop-vm = import ./hosts/archlaptop-vm {inherit inputs outputs;};
workstation-vm = import ./hosts/workstation-vm {inherit inputs outputs;};
gv-wsl = import ./hosts/wsl-workstation.nix {inherit inputs outputs;};
archlaptop-vm = import ./hosts/archlaptop-vm {inherit inputs outputs configLib;};
workstation-vm = import ./hosts/workstation-vm {inherit inputs outputs configLib;};
gv-wsl = import ./hosts/wsl-workstation.nix {inherit inputs outputs configLib;};
};
# Standalone home-manager configuration entrypoint
# Available through 'home-manager --flake .#your-username@your-hostname'
homeConfigurations = {
"gabe@archlaptop" = import ./hosts/home-personal.nix {inherit inputs outputs;};
"gabe@linuxgamingrig" = import ./hosts/home-personal.nix {inherit inputs outputs;};
"gabe@gv-workstation" = import ./hosts/home-workstation.nix {inherit inputs outputs;};
"gabe@gv-ubuntu" = import ./hosts/home-workstation.nix {inherit inputs outputs;};
"gabe@archlaptop" = import ./hosts/home-personal.nix {inherit inputs outputs configLib;};
"gabe@linuxgamingrig" = import ./hosts/home-personal.nix {inherit inputs outputs configLib;};
"gabe@gv-workstation" = import ./hosts/home-workstation.nix {inherit inputs outputs configLib;};
"gabe@gv-ubuntu" = import ./hosts/home-workstation.nix {inherit inputs outputs configLib;};
};
templates = import ./templates {inherit inputs outputs;};

8
hosts/archlaptop-vm/default.nix
View file

@ -1,11 +1,12 @@
{
inputs,
outputs,
configLib,
...
}:
inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
specialArgs = {inherit inputs outputs configLib;};
# > Our main nixos configuration file <
modules = [
inputs.home-manager.nixosModules.home-manager
@ -19,6 +20,7 @@ inputs.nixpkgs.lib.nixosSystem {
({
config,
pkgs,
configLib,
...
}: {
host = {
@ -39,6 +41,9 @@ inputs.nixpkgs.lib.nixosSystem {
xkb.variant = "";
};
users.users.root.openssh.authorizedKeys.keys =
configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
programs.zsh.enable = true;
environment.shells = with pkgs; [zsh];
# Define a user account. Don't forget to set a password with passwd.
@ -51,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
firefox
# thunderbird
];
openssh.authorizedKeys.keys=config.users.users.root.openssh.authorizedKeys.keys;
};
home-manager.users.${config.host.user} = {

4
hosts/home-personal.nix
View file

@ -1,16 +1,18 @@
{
inputs,
outputs,
configLib,
...
}:
inputs.home-manager.lib.homeManagerConfiguration {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
extraSpecialArgs = {inherit inputs outputs;};
extraSpecialArgs = {inherit inputs outputs configLib;};
modules = [
({
config,
pkgs,
lib,
configLib,
...
}: {
# machine specific options

4
hosts/home-workstation.nix
View file

@ -1,17 +1,19 @@
{
inputs,
outputs,
configLib,
...
}:
inputs.home-manager.lib.homeManagerConfiguration {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
extraSpecialArgs = {inherit inputs outputs;};
extraSpecialArgs = {inherit inputs outputs configLib;};
modules = [
inputs.nixvim.homeManagerModules.nixvim
({
config,
pkgs,
lib,
configLib,
...
}: {
# machine specific options

12
hosts/workstation-vm/default.nix
View file

@ -4,11 +4,12 @@
{
inputs,
outputs,
configLib,
...
}:
inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
specialArgs = {inherit inputs outputs configLib;};
# > Our main nixos configuration file <
modules = [
inputs.home-manager.nixosModules.home-manager
@ -20,10 +21,13 @@ inputs.nixpkgs.lib.nixosSystem {
../../configs/nixos/nfsv2.nix
../../configs/nixos/i3
../../configs/nixos/common.nix
./secrets.nix
({
config,
pkgs,
lib,
inputs,
configLib,
...
}: {
host = {
@ -44,10 +48,15 @@ inputs.nixpkgs.lib.nixosSystem {
xkb.variant = "";
};
users.users.root.openssh.authorizedKeys.keys =
configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
programs.zsh.enable = true;
environment.shells = with pkgs; [zsh];
# Define a user account. Don't forget to set a password with passwd.
users.mutableUsers = false;
users.users.${config.host.user} = {
hashedPasswordFile = config.sops.secrets.gv-password.path;
isNormalUser = true;
description = "Gabe Venberg";
shell = pkgs.zsh;
@ -56,6 +65,7 @@ inputs.nixpkgs.lib.nixosSystem {
firefox
# thunderbird
];
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
};
home-manager.users.${config.host.user} = {

20
hosts/workstation-vm/secrets.nix Normal file
View file

@ -0,0 +1,20 @@
{
inputs,
config,
lib,
pkgs,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
in {
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = "${secretsDirectory}/common.yaml";
validateSopsFiles = false;
secrets.gv-password={
neededForUsers=true;
};
};
}

4
hosts/wsl-workstation.nix
View file

@ -1,10 +1,11 @@
{
inputs,
outputs,
configLib,
}:
inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
specialArgs = {inherit inputs outputs configLib;};
# > Our main nixos configuration file <
modules = [
inputs.home-manager.nixosModules.home-manager
@ -13,6 +14,7 @@ inputs.nixpkgs.lib.nixosSystem {
({
config,
pkgs,
configLib,
...
}: {
wsl.enable = true;

3
justfile
View file

@ -3,14 +3,17 @@ default:
nixos target=`hostname`:
git add -AN
nix flake lock --update-input nix-secrets
sudo nixos-rebuild --flake .#{{target}} switch
home-manager target=(`whoami`+"@"+`hostname`):
git add -AN
nix flake lock --update-input nix-secrets
home-manager --flake .#{{target}} switch
check:
git add -AN
nix flake lock --update-input nix-secrets
nix flake check --keep-going
bootstrap-home-manager target=(`whoami`+"@"+`hostname`):

12
lib/default.nix Normal file
View file

@ -0,0 +1,12 @@
{lib}: {
dirToStrings = dir: (map (v: builtins.readFile "${dir}/${v}")
(builtins.filter (v:
(builtins.readFileType "${dir}/${v}") == "regular") (
if (builtins.pathExists dir && (builtins.readFileType dir) == "directory")
then
builtins.attrNames (
builtins.readDir dir
)
else []
)));
}