Andromeda/conf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add secret scheme

Browse Source
This commit is contained in:
andromeda
2025-12-30 19:46:56 +01:00
parent 89dfb0adb9 9e402fdfa3
commit 07655e5135
15 changed files with 528 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
flake.lock generated
View File

@@ -1,5 +1,28 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1762618334,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"owner": "ryantm",
"repo": "agenix",
"rev": "fcdea223397448d35d9b31f798479227e80183f6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"base16": { "base16": {
"inputs": { "inputs": {
"fromYaml": "fromYaml" "fromYaml": "fromYaml"
@@ -68,6 +91,28 @@
"type": "github" "type": "github"
} }
}, },
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"firefox-gnome-theme": { "firefox-gnome-theme": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -199,6 +244,27 @@
} }
}, },
"home-manager": { "home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@@ -373,7 +439,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"systems": "systems" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1766596669, "lastModified": 1766596669,
@@ -391,7 +457,8 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"home-manager": "home-manager", "agenix": "agenix",
"home-manager": "home-manager_2",
"impermanence": "impermanence", "impermanence": "impermanence",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"noshell": "noshell", "noshell": "noshell",
@@ -413,7 +480,7 @@
"nixpkgs" "nixpkgs"
], ],
"nur": "nur_2", "nur": "nur_2",
"systems": "systems_2", "systems": "systems_3",
"tinted-foot": "tinted-foot", "tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty", "tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes", "tinted-schemes": "tinted-schemes",
@@ -464,6 +531,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tinted-foot": { "tinted-foot": {
"flake": false, "flake": false,
"locked": { "locked": {

47
flake.nix
View File

@@ -1,5 +1,9 @@
{ {
inputs = { inputs = {
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -24,6 +28,7 @@
}; };
}; };
outputs = { outputs = {
agenix,
home-manager, home-manager,
impermanence, impermanence,
nixpkgs, nixpkgs,
@@ -34,27 +39,39 @@
... ...
}: let }: let
laptop = import ./machines/laptop/machine.nix; laptop = import ./machines/laptop/machine.nix;
in { _173-249-5-230 = import ./machines/173-249-5-230/machine.nix;
nixosConfigurations.${laptop.hostname} = nixpkgs.lib.nixosSystem { configuration = machine: modules:
system = laptop.system; nixpkgs.lib.nixosSystem {
specialArgs = {machine = laptop;}; system = machine.system;
modules = [ specialArgs = {inherit machine;};
modules =
modules
++ [
machine.configuration
machine.hardware-configuration
];
};
configurationWithHomeManager = machine: (configuration machine
[
agenix.nixosModules.default
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
nixpkgs.overlays = [nur.overlays.default]; nixpkgs.overlays = [
agenix.overlays.default
nur.overlays.default
];
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.extraSpecialArgs = { home-manager.extraSpecialArgs = {inherit machine;};
machine = laptop;
};
home-manager.users = home-manager.users =
builtins.mapAttrs builtins.mapAttrs
(name: value: value) (name: value: value)
( (
nixpkgs.legacyPackages.${laptop.system}.lib.genAttrs nixpkgs.legacyPackages.${machine.system}.lib.genAttrs
laptop.usernames machine.usernames
( (
name: { name: {
imports = [ imports = [
agenix.homeManagerModules.default
stylix.homeModules.stylix stylix.homeModules.stylix
nvf.homeManagerModules.default nvf.homeManagerModules.default
./users/${name}/home.nix ./users/${name}/home.nix
@@ -65,9 +82,9 @@
} }
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
noshell.nixosModules.default noshell.nixosModules.default
./configuration.nix ]);
laptop.hardware-configuration in {
]; nixosConfigurations.${laptop.hostname} = configurationWithHomeManager laptop;
}; nixosConfigurations.${_173-249-5-230.hostname} = configurationWithHomeManager _173-249-5-230;
}; };
} }

78
machines/173-249-5-230/configuration.nix Normal file
View File

@@ -0,0 +1,78 @@
{
config,
machine,
...
}: {
age.secrets.secret2.file = ../../secrets/secret2.age;
boot.tmp.cleanOnBoot = true;
boot.loader.grub.devices = ["nodev"];
environment.persistence."/nix/persist" = {
enable = true;
hideMounts = true;
directories = [
"/var/log"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
];
files = [
"/etc/machine-id"
"/etc/ly/save.txt"
];
users."mtgmonkey" = {
directories = [
".local/share/zoxide"
".ssh"
];
files = [
".bash_history"
".brush_history"
];
};
};
i18n.defaultLocale = "de_DE.UTF-8";
networking = {
dhcpcd.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [80 443];
allowedUDPPorts = [80 443];
};
hostName = machine.hostname;
domain = "";
};
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
];
allow-import-from-derivation = true;
};
programs.noshell.enable = true;
services.openssh = {
enable = true;
allowSFTP = false;
ports = [5522];
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = true;
};
extraConfig = ''
AllowTcpForwarding no
AllowAgentForwarding no
MaxAuthTries 3
MaxSessions 4
TCPKeepAlive no
'';
};
system.stateVersion = "26.05";
time.timeZone = "Europe/Berlin";
users.users."mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
hashedPasswordFile = builtins.toString config.age.secrets.secret2.path;
extraGroups = ["wheel"];
openssh.authorizedKeys.keys = machine.pub-keys.ssh;
};
}

69
machines/173-249-5-230/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,69 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
#device = "none";
#fsType = "tmpfs";
#options = ["defaults" "size=60%" "mode=755"];
device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
fsType = "btrfs";
options = ["subvol=root"];
};
boot.initrd.postResumeCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount ${config.fileSystems."/".device} /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/F425-55BA";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
machines/173-249-5-230/machine.nix Normal file
View File

@@ -0,0 +1,10 @@
{
hostname = "173-249-5-230";
usernames = ["mtgmonkey"];
system = "x86_64-linux";
configuration = ./configuration.nix;
hardware-configuration = ./hardware-configuration.nix;
pub-keys = {
ssh = [];
};
}

28
configuration.nix → machines/laptop/configuration.nix
View File

@@ -1,8 +1,13 @@
{ {
config,
lib, lib,
machine, machine,
... ...
}: { }: {
age.secrets = {
secret0.file = ../../secrets/secret0.age;
secret1.file = ../../secrets/secret1.age;
};
boot.loader = { boot.loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
systemd-boot.enable = true; systemd-boot.enable = true;
@@ -16,6 +21,7 @@
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/etc/ssh"
]; ];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
@@ -37,6 +43,16 @@
".brush_history" ".brush_history"
]; ];
}; };
users."mtgmonkey" = {
directories = [
".local/share/zoxide"
".ssh"
];
files = [
".bash_history"
".brush_history"
];
};
}; };
hardware.bluetooth = { hardware.bluetooth = {
enable = true; enable = true;
@@ -72,6 +88,7 @@
ly.enable = true; ly.enable = true;
}; };
libinput.enable = true; libinput.enable = true;
openssh.enable = true;
printing.enable = true; printing.enable = true;
}; };
system.stateVersion = "26.05"; system.stateVersion = "26.05";
@@ -79,7 +96,16 @@
users.users."andromeda" = { users.users."andromeda" = {
isNormalUser = true; isNormalUser = true;
description = "andromeda"; description = "andromeda";
initialPassword = "password"; hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
extraGroups = [
"networkmanager"
"wheel"
];
};
users.users."mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
extraGroups = [ extraGroups = [
"networkmanager" "networkmanager"
"wheel" "wheel"

8
machines/laptop/hardware-configuration.nix
View File

@@ -21,7 +21,7 @@
#device = "none"; #device = "none";
#fsType = "tmpfs"; #fsType = "tmpfs";
#options = ["defaults" "size=60%" "mode=755"]; #options = ["defaults" "size=60%" "mode=755"];
device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7"; device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
fsType = "btrfs"; fsType = "btrfs";
options = ["subvol=root"]; options = ["subvol=root"];
}; };
@@ -48,6 +48,12 @@
done done
btrfs subvolume create /btrfs_tmp/root btrfs subvolume create /btrfs_tmp/root
mkdir /btrfs_tmp/root/nix
mkdir /btrfs_tmp/root/etc
mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
umount /btrfs_tmp/root/nix
rm -r /btrfs_tmp/root/nix
umount /btrfs_tmp umount /btrfs_tmp
''; '';

4
machines/laptop/machine.nix
View File

@@ -1,6 +1,8 @@
{ {
hostname = "lenovo"; hostname = "lenovo";
usernames = ["andromeda"]; usernames = ["andromeda" "mtgmonkey"];
system = "x86_64-linux"; system = "x86_64-linux";
configuration = ./configuration.nix;
hardware-configuration = ./hardware-configuration.nix; hardware-configuration = ./hardware-configuration.nix;
pub-keys.ssh = [];
} }

BIN
secrets/secret0.age Normal file
View File

Binary file not shown.

BIN
secrets/secret1.age Normal file
View File

Binary file not shown.

7
secrets/secret2.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 mT2fyg DSrFJv1cg7XUWGT8H60d+IdbQJKIGVc0FznYD3ScHxY
x75LtCRBWRH+Y541dDKE2vLk9kOZNxbFI68cDvaeJ4c
-> ssh-ed25519 UHxfvA 2jLPahOP6AKIn66RM4vUWAl4eUhNgZblKB2z/Wa6ghw
IPFBVfk+c1lO43jc58TmdUM9+pOBad8M7v5lxpNJLOE
--- Bv3SJdghwzga9GD5Fz1/62gelkFqjjgRxoiv4S7x1Nc
[<5B><>

8
secrets/secrets.nix Normal file
View File

@@ -0,0 +1,8 @@
let
andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
in {
"secret0.age".publicKeys = [andromeda lenovo];
"secret1.age".publicKeys = [andromeda lenovo];
"secret2.age".publicKeys = [andromeda lenovo];
}

1
users/andromeda/home.nix
View File

@@ -93,6 +93,7 @@ in {
stateVersion = "26.05"; stateVersion = "26.05";
packages = [ packages = [
pkgs.acpi pkgs.acpi
pkgs.agenix
pkgs.alacritty pkgs.alacritty
pkgs.anki pkgs.anki
pkgs.brightnessctl pkgs.brightnessctl

172
users/mtgmonkey/home.nix Normal file
View File

@@ -0,0 +1,172 @@
{
config,
lib,
machine,
pkgs,
...
}: {
imports = [./stylix.nix];
xdg.configFile."shell".source = lib.getExe pkgs.brush;
home = {
username = "mtgmonkey";
homeDirectory = "/home/${config.home.username}";
stateVersion = "26.05";
packages = [
pkgs.acpi
pkgs.brightnessctl
pkgs.brush
pkgs.dust
pkgs.fzf
pkgs.glow
pkgs.jmtpfs
pkgs.nix-output-monitor
pkgs.ranger
pkgs.rip2
pkgs.ripgrep
pkgs.tree
pkgs.zoxide
];
};
programs = {
bash = {
enable = true;
shellAliases = {
neofetch = "fastfetch";
ls = lib.mkForce "lsd";
ll = lib.mkForce "lsd -l";
l = "lsd -la";
cd = "z";
gg = "git log --oneline --abbrev-commit --all --graph --decorate --color";
md = "glow";
};
bashrcExtra = ''
PS1="\u@\h:\w$"
eval "$(zoxide init bash)"
'';
};
btop = {
enable = true;
settings = {
theme_background = false;
vim_keys = true;
rounded_corners = false;
graph_symbol = "braille";
update_ms = 150;
proc_sorting = "cpu lazy";
proc_gradient = false;
proc_left = true;
cpu_single_graph = true;
cpu_bottom = true;
clock_format = "/user@/host:/uptime@%H:%M";
background_update = true;
mem_graphs = false;
mem_below_net = true;
show_swap = false;
only_physical = true;
show_io_stat = true;
io_mode = false;
io_graph_combined = false;
};
};
fastfetch.enable = true;
git = {
enable = true;
settings = {
user = {
name = config.home.username;
email = "${config.home.username}@${machine.hostname}";
};
init.defaultBranch = "master";
};
};
gh.enable = true;
home-manager.enable = true;
lsd.enable = true;
nvf = {
enable = true;
settings.vim = {
autocomplete.nvim-cmp.enable = false;
formatter.conform-nvim = {
enable = true;
setupOpts.format_on_save = {
lsp_format = "fallback";
timeout_ms = 5000;
};
};
lsp.otter-nvim.enable = true;
git.enable = true;
keymaps = [
{
key = "<Down>";
mode = ["i" "n" "v" "c"];
action = "<NOP>";
}
{
key = "<Up>";
mode = ["i" "n" "v" "c"];
action = "<NOP>";
}
{
key = "<Left>";
mode = ["i" "n" "v" "c"];
action = "<NOP>";
}
{
key = "<Right>";
mode = ["i" "n" "v" "c"];
action = "<NOP>";
}
{
key = "jj";
mode = ["i"];
action = "<Esc>";
}
{
key = "kk";
mode = ["i"];
action = "<Esc>";
}
{
key = "jk";
mode = ["i"];
action = "<Esc>";
}
{
key = "kj";
mode = ["i"];
action = "<Esc>";
}
{
key = "<Esc>";
mode = ["i"];
action = "<Nop>";
}
];
languages = {
nix = {
enable = true;
format.enable = true;
lsp.enable = true;
};
haskell = {
enable = true;
lsp.enable = true;
};
};
lineNumberMode = "relative";
options = {
tabstop = 2;
shiftwidth = 2;
expandtab = true;
smarttab = true;
foldmethod = "indent";
number = true;
colorcolumn = "80";
};
statusline.lualine.enable = true;
syntaxHighlighting = true;
};
};
ssh.enable = true;
};
}

29
users/mtgmonkey/stylix.nix Normal file
View File

@@ -0,0 +1,29 @@
{
pkgs,
config,
...
}: {
stylix = {
enable = true;
# rebecca has lavener bkg
# tube has dark gray bkg
# silk-light is light theme
base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-material-dark-hard.yaml";
polarity = "dark";
fonts = {
monospace = {
package = pkgs.miracode;
name = "Miracode";
};
serif = config.stylix.fonts.sansSerif;
emoji = {
package = pkgs.noto-fonts-color-emoji;
name = "Noto Color Emoji";
};
sizes = {
applications = 12;
terminal = 10;
};
};
};
}