add secret scheme

This commit is contained in:
andromeda
2025-12-30 19:46:56 +01:00
15 changed files with 528 additions and 21 deletions

flake.lock generated

@@ -1,5 +1,28 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1762618334,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"owner": "ryantm",
"repo": "agenix",
"rev": "fcdea223397448d35d9b31f798479227e80183f6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"base16": {
"inputs": {
"fromYaml": "fromYaml"
@@ -68,6 +91,28 @@
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"firefox-gnome-theme": {
"flake": false,
"locked": {
@@ -199,6 +244,27 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@@ -373,7 +439,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1766596669,
@@ -391,7 +457,8 @@
},
"root": {
"inputs": {
"home-manager": "home-manager",
"agenix": "agenix",
"home-manager": "home-manager_2",
"impermanence": "impermanence",
"nixpkgs": "nixpkgs",
"noshell": "noshell",
@@ -413,7 +480,7 @@
"nixpkgs"
],
"nur": "nur_2",
"systems": "systems_2",
"systems": "systems_3",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes",
@@ -464,6 +531,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tinted-foot": {
"flake": false,
"locked": {


@@ -1,5 +1,9 @@
{
inputs = {
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
@@ -24,6 +28,7 @@
};
};
outputs = {
agenix,
home-manager,
impermanence,
nixpkgs,
@@ -34,27 +39,39 @@
...
}: let
laptop = import ./machines/laptop/machine.nix;
in {
nixosConfigurations.${laptop.hostname} = nixpkgs.lib.nixosSystem {
system = laptop.system;
specialArgs = {machine = laptop;};
modules = [
_173-249-5-230 = import ./machines/173-249-5-230/machine.nix;
configuration = machine: modules:
nixpkgs.lib.nixosSystem {
system = machine.system;
specialArgs = {inherit machine;};
modules =
modules
++ [
machine.configuration
machine.hardware-configuration
];
};
configurationWithHomeManager = machine: (configuration machine
[
agenix.nixosModules.default
home-manager.nixosModules.home-manager
{
nixpkgs.overlays = [nur.overlays.default];
nixpkgs.overlays = [
agenix.overlays.default
nur.overlays.default
];
home-manager.useGlobalPkgs = true;
home-manager.extraSpecialArgs = {
machine = laptop;
};
home-manager.extraSpecialArgs = {inherit machine;};
home-manager.users =
builtins.mapAttrs
(name: value: value)
(
nixpkgs.legacyPackages.${laptop.system}.lib.genAttrs
laptop.usernames
nixpkgs.legacyPackages.${machine.system}.lib.genAttrs
machine.usernames
(
name: {
imports = [
agenix.homeManagerModules.default
stylix.homeModules.stylix
nvf.homeManagerModules.default
./users/${name}/home.nix
@@ -65,9 +82,9 @@
}
impermanence.nixosModules.impermanence
noshell.nixosModules.default
./configuration.nix
laptop.hardware-configuration
];
};
]);
in {
nixosConfigurations.${laptop.hostname} = configurationWithHomeManager laptop;
nixosConfigurations.${_173-249-5-230.hostname} = configurationWithHomeManager _173-249-5-230;
};
}


@@ -0,0 +1,78 @@
{
config,
machine,
...
}: {
age.secrets.secret2.file = ../../secrets/secret2.age;
boot.tmp.cleanOnBoot = true;
boot.loader.grub.devices = ["nodev"];
environment.persistence."/nix/persist" = {
enable = true;
hideMounts = true;
directories = [
"/var/log"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
];
files = [
"/etc/machine-id"
"/etc/ly/save.txt"
];
users."mtgmonkey" = {
directories = [
".local/share/zoxide"
".ssh"
];
files = [
".bash_history"
".brush_history"
];
};
};
i18n.defaultLocale = "de_DE.UTF-8";
networking = {
dhcpcd.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [80 443];
allowedUDPPorts = [80 443];
};
hostName = machine.hostname;
domain = "";
};
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
];
allow-import-from-derivation = true;
};
programs.noshell.enable = true;
services.openssh = {
enable = true;
allowSFTP = false;
ports = [5522];
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = true;
};
extraConfig = ''
AllowTcpForwarding no
AllowAgentForwarding no
MaxAuthTries 3
MaxSessions 4
TCPKeepAlive no
'';
};
system.stateVersion = "26.05";
time.timeZone = "Europe/Berlin";
users.users."mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
hashedPasswordFile = builtins.toString config.age.secrets.secret2.path;
extraGroups = ["wheel"];
openssh.authorizedKeys.keys = machine.pub-keys.ssh;
};
}
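Review bot: The `environment.persistence."/nix/persist".directories` list in this new server configuration does not include `/etc/ssh`, while the laptop configuration in the same commit adds it; because this machine's hardware-configuration recreates the btrfs `root` subvolume in `boot.initrd.postResumeCommands`, sshd will generate fresh host keys on every boot, clients will see host-key-changed warnings, and agenix, which by default uses the host SSH keys as its identities, loses the key it needs for `secret2`. Adding `"/etc/ssh"` to that list addresses both. Separately, `PasswordAuthentication = false` is paired with `KbdInteractiveAuthentication = true`; PAM keyboard-interactive still accepts the account password, so password logins are not actually disabled unless `KbdInteractiveAuthentication = false;` is set too, and since `machine.pub-keys.ssh` is `[]` in this commit's machine.nix, keyboard-interactive is currently the only way `mtgmonkey` can log in at all. The firewall also opens UDP 80 and 443; unless HTTP/3 is planned, UDP 80 is likely unneeded.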


@@ -0,0 +1,69 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
#device = "none";
#fsType = "tmpfs";
#options = ["defaults" "size=60%" "mode=755"];
device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
fsType = "btrfs";
options = ["subvol=root"];
};
boot.initrd.postResumeCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount ${config.fileSystems."/".device} /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/F425-55BA";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
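Review bot: The `date` format in the `timestamp=` line reads `"+%Y-%m-%-d_%H:$M:%S"`; `$M` is a shell variable expansion (unset in the initrd), not the `%M` minutes field, so archived roots are named `..._HH::SS`. The fix is `"+%Y-%m-%-d_%H:%M:%S"`. Also, the root `device` UUID here is identical to the one the laptop's hardware-configuration drops in this same commit, and the header still claims the file was generated by nixos-generate-config, which suggests it was copied from the laptop rather than generated on the server; the `/`, `/nix` and `/boot` UUIDs are worth confirming against the actual host before the first boot, since `postResumeCommands` deletes and recreates the `root` subvolume on whatever device that UUID resolves to.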


@@ -0,0 +1,10 @@
{
hostname = "173-249-5-230";
usernames = ["mtgmonkey"];
system = "x86_64-linux";
configuration = ./configuration.nix;
hardware-configuration = ./hardware-configuration.nix;
pub-keys = {
ssh = [];
};
}


@@ -1,8 +1,13 @@
{
config,
lib,
machine,
...
}: {
age.secrets = {
secret0.file = ../../secrets/secret0.age;
secret1.file = ../../secrets/secret1.age;
};
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
@@ -16,6 +21,7 @@
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/etc/ssh"
];
files = [
"/etc/machine-id"
@@ -37,6 +43,16 @@
".brush_history"
];
};
users."mtgmonkey" = {
directories = [
".local/share/zoxide"
".ssh"
];
files = [
".bash_history"
".brush_history"
];
};
};
hardware.bluetooth = {
enable = true;
@@ -72,6 +88,7 @@
ly.enable = true;
};
libinput.enable = true;
openssh.enable = true;
printing.enable = true;
};
system.stateVersion = "26.05";
@@ -79,7 +96,16 @@
users.users."andromeda" = {
isNormalUser = true;
description = "andromeda";
initialPassword = "password";
hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
extraGroups = [
"networkmanager"
"wheel"
];
};
users.users."mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
extraGroups = [
"networkmanager"
"wheel"
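Review bot: `openssh.enable = true;` in the `services` block turns sshd on for the laptop with NixOS defaults, which differ from the hardened settings the server configuration in this commit uses: password and keyboard-interactive authentication stay enabled and `openFirewall` defaults to true, so the daemon listens on port 22 on every network the laptop joins. If the daemon is only wanted so that host keys exist for agenix, consider `settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false; openFirewall = false;`. The `"/etc/ssh"` persistence entry added in the second hunk is what keeps those host keys, and therefore agenix's identity, stable across the tmpfs-style root wipe; a comment such as `# host keys double as agenix identities; must survive root wipe` next to it would make that dependency explicit. The enclosing function body starts and ends outside these hunks.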


@@ -21,7 +21,7 @@
#device = "none";
#fsType = "tmpfs";
#options = ["defaults" "size=60%" "mode=755"];
device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
fsType = "btrfs";
options = ["subvol=root"];
};
@@ -48,6 +48,12 @@
done
btrfs subvolume create /btrfs_tmp/root
mkdir /btrfs_tmp/root/nix
mkdir /btrfs_tmp/root/etc
mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
umount /btrfs_tmp/root/nix
rm -r /btrfs_tmp/root/nix
umount /btrfs_tmp
'';
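Review bot: The lines added after `btrfs subvolume create /btrfs_tmp/root` assume `/nix/persist/etc/ssh` already exists; on the first boot of a fresh install the `cp` fails, and whether that aborts stage 1 or just logs depends on how the generated init handles errors. A guard like `if [ -d /btrfs_tmp/root/nix/persist/etc/ssh ]; then … fi` around the copy, plus a comment stating why the copy is needed when `/etc/ssh` is also bind-mounted by impermanence in this commit's configuration.nix, would help the next reader. `cp -r` copies permission bits (masked by the initrd umask) but not ownership or timestamps; `cp -a` would keep the directory identical to the persisted one. The enclosing `''` string starts outside the hunk.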


@@ -1,6 +1,8 @@
{
hostname = "lenovo";
usernames = ["andromeda"];
usernames = ["andromeda" "mtgmonkey"];
system = "x86_64-linux";
configuration = ./configuration.nix;
hardware-configuration = ./hardware-configuration.nix;
pub-keys.ssh = [];
}

secrets/secret0.age Normal file


secrets/secret1.age Normal file


secrets/secret2.age Normal file

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 mT2fyg DSrFJv1cg7XUWGT8H60d+IdbQJKIGVc0FznYD3ScHxY
x75LtCRBWRH+Y541dDKE2vLk9kOZNxbFI68cDvaeJ4c
-> ssh-ed25519 UHxfvA 2jLPahOP6AKIn66RM4vUWAl4eUhNgZblKB2z/Wa6ghw
IPFBVfk+c1lO43jc58TmdUM9+pOBad8M7v5lxpNJLOE
--- Bv3SJdghwzga9GD5Fz1/62gelkFqjjgRxoiv4S7x1Nc
[<5B><>

secrets/secrets.nix Normal file

@@ -0,0 +1,8 @@
let
andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
in {
"secret0.age".publicKeys = [andromeda lenovo];
"secret1.age".publicKeys = [andromeda lenovo];
"secret2.age".publicKeys = [andromeda lenovo];
}
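Review bot: All three secrets list only `andromeda` (a user key) and `lenovo` (`root@lenovo`, the laptop's host key) as recipients, yet `secret2.age` is consumed by the new 173-249-5-230 host via `age.secrets.secret2.file` in its configuration.nix. agenix decrypts on the target machine with the identities in `age.identityPaths`, which default to that host's SSH host keys, so unless the server sets that option to another key it holds, `secret2` cannot be decrypted there, `config.age.secrets.secret2.path` will not exist at activation, and `mtgmonkey` ends up without a usable password hash. Adding the server's `ssh_host_ed25519_key.pub` as a third `let` binding, including it in `"secret2.age".publicKeys`, and re-keying with `agenix -r` would fix that.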


@@ -93,6 +93,7 @@ in {
stateVersion = "26.05";
packages = [
pkgs.acpi
pkgs.agenix
pkgs.alacritty
pkgs.anki
pkgs.brightnessctl

users/mtgmonkey/home.nix Normal file

@@ -0,0 +1,172 @@
{
config,
lib,
machine,
pkgs,
...
}: {
imports = [./stylix.nix];
xdg.configFile."shell".source = lib.getExe pkgs.brush;
home = {
username = "mtgmonkey";
homeDirectory = "/home/${config.home.username}";
stateVersion = "26.05";
packages = [
pkgs.acpi
pkgs.brightnessctl
pkgs.brush
pkgs.dust
pkgs.fzf
pkgs.glow
pkgs.jmtpfs
pkgs.nix-output-monitor
pkgs.ranger
pkgs.rip2
pkgs.ripgrep
pkgs.tree
pkgs.zoxide
];
};
programs = {
bash = {
enable = true;
shellAliases = {
neofetch = "fastfetch";
ls = lib.mkForce "lsd";
ll = lib.mkForce "lsd -l";
l = "lsd -la";
cd = "z";
gg = "git log --oneline --abbrev-commit --all --graph --decorate --color";
md = "glow";
};
bashrcExtra = ''
PS1="\u@\h:\w$"
eval "$(zoxide init bash)"
'';
};
btop = {
enable = true;
settings = {
theme_background = false;
vim_keys = true;
rounded_corners = false;
graph_symbol = "braille";
update_ms = 150;
proc_sorting = "cpu lazy";
proc_gradient = false;
proc_left = true;
cpu_single_graph = true;
cpu_bottom = true;
clock_format = "/user@/host:/uptime@%H:%M";
background_update = true;
mem_graphs = false;
mem_below_net = true;
show_swap = false;
only_physical = true;
show_io_stat = true;
io_mode = false;
io_graph_combined = false;
};
};
fastfetch.enable = true;
git = {
enable = true;
settings = {
user = {
name = config.home.username;
email = "${config.home.username}@${machine.hostname}";
};
init.defaultBranch = "master";
};
};
gh.enable = true;
home-manager.enable = true;
lsd.enable = true;
nvf = {
enable = true;
settings.vim = {
autocomplete.nvim-cmp.enable = false;
formatter.conform-nvim = {
enable = true;
setupOpts.format_on_save = {
lsp_format = "fallback";
timeout_ms = 5000;
};
};
lsp.otter-nvim.enable = true;
git.enable = true;
keymaps = [
{
key = "<Down>";
mode = ["i" "n" "v" "c"];
action = "<NOP>";
}
{
key = "<Up>";
mode = ["i" "n" "v" "c"];
action = "<NOP>";
}
{
key = "<Left>";
mode = ["i" "n" "v" "c"];
action = "<NOP>";
}
{
key = "<Right>";
mode = ["i" "n" "v" "c"];
action = "<NOP>";
}
{
key = "jj";
mode = ["i"];
action = "<Esc>";
}
{
key = "kk";
mode = ["i"];
action = "<Esc>";
}
{
key = "jk";
mode = ["i"];
action = "<Esc>";
}
{
key = "kj";
mode = ["i"];
action = "<Esc>";
}
{
key = "<Esc>";
mode = ["i"];
action = "<Nop>";
}
];
languages = {
nix = {
enable = true;
format.enable = true;
lsp.enable = true;
};
haskell = {
enable = true;
lsp.enable = true;
};
};
lineNumberMode = "relative";
options = {
tabstop = 2;
shiftwidth = 2;
expandtab = true;
smarttab = true;
foldmethod = "indent";
number = true;
colorcolumn = "80";
};
statusline.lualine.enable = true;
syntaxHighlighting = true;
};
};
ssh.enable = true;
};
}
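Review bot: The nine `keymaps` entries are near-identical attribute sets differing only in `key`, so `map (key: { inherit key; mode = ["i" "n" "v" "c"]; action = "<NOP>"; }) ["<Down>" "<Up>" "<Left>" "<Right>"]` (and a similar `map` for the `jj`/`kk`/`jk`/`kj` escapes) would reduce the block to a few lines and make the intent, disabling arrow keys, obvious. Separately, `cd = "z"` in `shellAliases` shadows the shell builtin with an alias; zoxide supports this directly with `eval "$(zoxide init bash --cmd cd)"` in `bashrcExtra`, which defines `cd` as zoxide's own function with its argument handling intact.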


@@ -0,0 +1,29 @@
{
pkgs,
config,
...
}: {
stylix = {
enable = true;
# rebecca has lavener bkg
# tube has dark gray bkg
# silk-light is light theme
base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-material-dark-hard.yaml";
polarity = "dark";
fonts = {
monospace = {
package = pkgs.miracode;
name = "Miracode";
};
serif = config.stylix.fonts.sansSerif;
emoji = {
package = pkgs.noto-fonts-color-emoji;
name = "Noto Color Emoji";
};
sizes = {
applications = 12;
terminal = 10;
};
};
};
}
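Review bot: The three comments above `base16Scheme` describe schemes (rebecca, tube, silk-light) other than the `gruvbox-material-dark-hard` that is actually selected, so they read as leftover scratch notes. Prefacing them so their role is explicit, e.g. `# alternatives tried: rebecca (lavender bkg), tube (dark gray bkg), silk-light (light theme)`, would make the purpose clear and fix the `lavener` typo.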