From 42a93f042e2c821939fa6aa4ac8945997d5b5099 Mon Sep 17 00:00:00 2001 From: andromeda Date: Wed, 31 Dec 2025 01:14:37 +0100 Subject: [PATCH] better machine conf, rework key/machines management --- flake.nix | 15 ++-- machines.nix | 18 +++++ .../173-249-5-230/hardware-configuration.nix | 69 ----------------- machines/173-249-5-230/machine.nix | 10 --- .../configuration.nix | 53 ++++++++++++- machines/laptop/hardware-configuration.nix | 75 ------------------- machines/laptop/machine.nix | 8 -- machines/{laptop => lenovo}/configuration.nix | 66 ++++++++++++++++ pub-keys.nix | 6 ++ secrets/secrets.nix | 5 +- 10 files changed, 152 insertions(+), 173 deletions(-) create mode 100644 machines.nix delete mode 100644 machines/173-249-5-230/hardware-configuration.nix delete mode 100644 machines/173-249-5-230/machine.nix rename machines/{173-249-5-230 => _173-249-5-230}/configuration.nix (50%) delete mode 100644 machines/laptop/hardware-configuration.nix delete mode 100644 machines/laptop/machine.nix rename machines/{laptop => lenovo}/configuration.nix (55%) create mode 100644 pub-keys.nix diff --git a/flake.nix b/flake.nix index d8682d5..328aad5 100644 --- a/flake.nix +++ b/flake.nix @@ -38,8 +38,8 @@ stylix, ... }: let - laptop = import ./machines/laptop/machine.nix; - _173-249-5-230 = import ./machines/173-249-5-230/machine.nix; + machines = import ./machines.nix; + _173-249-5-230 = machines._173-249-5-230; configuration = machine: modules: nixpkgs.lib.nixosSystem { system = machine.system; @@ -47,8 +47,7 @@ modules = modules ++ [ - machine.configuration - machine.hardware-configuration + ./machines/${machine.hostname}/configuration.nix ]; }; configurationWithHomeManager = machine: (configuration machine @@ -67,7 +66,7 @@ (name: value: value) ( nixpkgs.legacyPackages.${machine.system}.lib.genAttrs - machine.usernames + machine.users ( name: { imports = [ 
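Review bot: The let-binding `_173-249-5-230 = machines._173-249-5-230;` kept in the first hunk looks orphaned: its only consumer visible in this file, the two per-host `nixosConfigurations` lines, is removed by the later hunk in favour of `builtins.mapAttrs` over `machines`, so unless something outside the shown hunks still reads it the line can go. The second hunk ties each host's directory to its `hostname` field (`./machines/${machine.hostname}/configuration.nix`), which is what forces the leading `_` onto the server's directory name, presumably because an unquoted Nix attribute name cannot start with a digit; a one-line comment there, `# directory name must equal the machines.nix hostname (hence the leading "_")`, saves the next reader a detour. The enclosing `let` and the `configuration` function extend beyond the hunks shown.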
@@ -84,7 +83,9 @@
 noshell.nixosModules.default
 ]);
 in {
- nixosConfigurations.${laptop.hostname} = configurationWithHomeManager laptop;
- nixosConfigurations.${_173-249-5-230.hostname} = configurationWithHomeManager _173-249-5-230;
+ nixosConfigurations =
+ builtins.mapAttrs
+ (hostname: value: configurationWithHomeManager value)
+ machines;
 };
 }
diff --git a/machines.nix b/machines.nix
new file mode 100644
index 0000000..b9d1c76
--- /dev/null
+++ b/machines.nix
@@ -0,0 +1,18 @@
+{
+ lenovo = {
+ hostname = "lenovo";
+ system = "x86_64-linux";
+ users = [
+ "andromeda"
+ "mtgmonkey"
+ ];
+ };
+ _173-249-5-230 = {
+ hostname = "_173-249-5-230";
+ system = "x86_64-linux";
+ users = [
+ "mtgmonkey"
+ ];
+ pub-keys.ssh = [];
+ };
+}
diff --git a/machines/173-249-5-230/hardware-configuration.nix b/machines/173-249-5-230/hardware-configuration.nix
deleted file mode 100644
index bde1c83..0000000
--- a/machines/173-249-5-230/hardware-configuration.nix
+++ /dev/null
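Review bot: In machines.nix, `pub-keys.ssh = [];` on `_173-249-5-230` is dead data once this commit lands: that host's configuration.nix stops reading `machine.pub-keys.ssh` in the same patch and imports pub-keys.nix directly, so an operator editing this list to grant or revoke SSH access would change nothing. Either drop the attribute or make configuration.nix consume it again, so there is exactly one place that answers "which keys may log in here". Separately, each entry repeats its attribute name in `hostname` while the `mapAttrs` lambda in flake.nix discards its `hostname` argument; `(hostname: value: configurationWithHomeManager (value // {inherit hostname;}))` would let the field be removed and keeps key and hostname from drifting apart.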
@@ -1,69 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = ["kvm-intel"];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- #device = "none";
- #fsType = "tmpfs";
- #options = ["defaults" "size=60%" "mode=755"];
- device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
- fsType = "btrfs";
- options = ["subvol=root"];
- };
-
- boot.initrd.postResumeCommands = lib.mkAfter ''
- mkdir /btrfs_tmp
- mount ${config.fileSystems."/".device} /btrfs_tmp
- if [[ -e /btrfs_tmp/root ]]; then
- mkdir -p /btrfs_tmp/old_roots
- timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
- mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
- fi
-
- delete_subvolume_recursively() {
- IFS=$'\n'
- for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
- delete_subvolume_recursively "/btrfs_tmp/$i"
- done
- btrfs subvolume delete "$1"
- }
-
- for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
- delete_subvolume_recursively "$i"
- done
-
- btrfs subvolume create /btrfs_tmp/root
- umount /btrfs_tmp
- '';
-
- fileSystems."/nix" = {
- device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
- fsType = "btrfs";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/F425-55BA";
- fsType = "vfat";
- options = ["fmask=0022" "dmask=0022"];
- };
-
- swapDevices = [];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/machines/173-249-5-230/machine.nix b/machines/173-249-5-230/machine.nix
deleted file mode 100644
index 672d46b..0000000
--- a/machines/173-249-5-230/machine.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- hostname = "173-249-5-230";
- usernames = ["mtgmonkey"];
- system = "x86_64-linux";
- configuration = ./configuration.nix;
- hardware-configuration = ./hardware-configuration.nix;
- pub-keys = {
- ssh = [];
- };
-}
diff --git a/machines/173-249-5-230/configuration.nix b/machines/_173-249-5-230/configuration.nix
similarity index 50%
rename from machines/173-249-5-230/configuration.nix
rename to machines/_173-249-5-230/configuration.nix
index 570d428..0fe1e9e 100644
--- a/machines/173-249-5-230/configuration.nix
+++ b/machines/_173-249-5-230/configuration.nix
@@ -1,5 +1,7 @@
 {
 config,
+ lib,
+ modulesPath,
 machine,
 ...
 }: {
@@ -38,8 +40,9 @@
 allowedTCPPorts = [80 443];
 allowedUDPPorts = [80 443];
 };
- hostName = machine.hostname;
+ hostName = lib.strings.removePrefix "_" machine.hostname;
 domain = "";
+ useDHCP = true;
 };
 nix.settings = {
 experimental-features = [
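Review bot: `hostName = lib.strings.removePrefix "_" machine.hostname;` makes the running system's hostname `173-249-5-230` while the flake exposes this host as `nixosConfigurations._173-249-5-230` (the machines.nix attribute name); `nixos-rebuild --flake .` selects the attribute by the current hostname, so on this host it will not find itself and needs an explicit `.#_173-249-5-230`. Either document that on the line, e.g. `# flake attribute keeps the "_" (Nix attr names cannot start with a digit); rebuild with --flake .#_173-249-5-230`, or strip the prefix in flake.nix when building the attribute set so both names agree. The `networking` attribute set continues outside the hunk.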
@@ -73,6 +76,52 @@
 description = "mtgmonkey";
 hashedPasswordFile = builtins.toString config.age.secrets.secret2.path;
 extraGroups = ["wheel"];
- openssh.authorizedKeys.keys = machine.pub-keys.ssh;
+ openssh.authorizedKeys.keys = [(import ../../pub-keys.nix).ssh.andromeda];
 };
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+ fileSystems."/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = ["defaults" "size=30%" "mode=755"];
+ };
+ boot.initrd.postResumeCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount ${config.fileSystems."/".device} /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/6b481376-9716-4559-946b-62097c2380f1";
+ fsType = "ext4";
+ };
+ fileSystems."/efi" = {
+ device = "systemd-1";
+ fsType = "autofs";
+ };
+ swapDevices = [];
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/machines/laptop/hardware-configuration.nix b/machines/laptop/hardware-configuration.nix
deleted file mode 100644
index 8ebef80..0000000
--- a/machines/laptop/hardware-configuration.nix
+++ /dev/null
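Review bot: The `boot.initrd.postResumeCommands` block is carried over from a btrfs layout, but `fileSystems."/"` on this host is now `tmpfs` with `device = "none"`, so the script's first real step, `mount ${config.fileSystems."/".device} /btrfs_tmp`, expands to `mount none /btrfs_tmp` and the `btrfs subvolume` calls after it have nothing to operate on; a tmpfs root is discarded by the kernel on every boot anyway, so the whole block should be removed rather than kept as dead code. The timestamp format `"+%Y-%m-%-d_%H:$M:%S"` also has `$M` where `%M` is meant — Nix leaves a bare `$M` alone, so the shell substitutes a (most likely empty) variable and archived roots get names like `..._12::30`; the lenovo copy in the later hunk has the same typo. With an ephemeral root, `/etc/ssh` host keys are regenerated on each boot unless something outside this hunk persists them, which matters twice here: clients will see a changed host key after every reboot, and agenix decrypts `config.age.secrets.secret2` with that host key. Whether secrets.nix lists this host's key as a recipient for secret2 is not visible in the patch and is worth checking.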
@@ -1,75 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = ["kvm-intel"];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- #device = "none";
- #fsType = "tmpfs";
- #options = ["defaults" "size=60%" "mode=755"];
- device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
- fsType = "btrfs";
- options = ["subvol=root"];
- };
-
- boot.initrd.postResumeCommands = lib.mkAfter ''
- mkdir /btrfs_tmp
- mount ${config.fileSystems."/".device} /btrfs_tmp
- if [[ -e /btrfs_tmp/root ]]; then
- mkdir -p /btrfs_tmp/old_roots
- timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
- mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
- fi
-
- delete_subvolume_recursively() {
- IFS=$'\n'
- for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
- delete_subvolume_recursively "/btrfs_tmp/$i"
- done
- btrfs subvolume delete "$1"
- }
-
- for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
- delete_subvolume_recursively "$i"
- done
-
- btrfs subvolume create /btrfs_tmp/root
- mkdir /btrfs_tmp/root/nix
- mkdir /btrfs_tmp/root/etc
- mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
- cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
- umount /btrfs_tmp/root/nix
- rm -r /btrfs_tmp/root/nix
- umount /btrfs_tmp
- '';
-
- fileSystems."/nix" = {
- device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
- fsType = "btrfs";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/F425-55BA";
- fsType = "vfat";
- options = ["fmask=0022" "dmask=0022"];
- };
-
- swapDevices = [];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/machines/laptop/machine.nix b/machines/laptop/machine.nix
deleted file mode 100644
index 77c15b5..0000000
--- a/machines/laptop/machine.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- hostname = "lenovo";
- usernames = ["andromeda" "mtgmonkey"];
- system = "x86_64-linux";
- configuration = ./configuration.nix;
- hardware-configuration = ./hardware-configuration.nix;
- pub-keys.ssh = [];
-}
diff --git a/machines/laptop/configuration.nix b/machines/lenovo/configuration.nix
similarity index 55%
rename from machines/laptop/configuration.nix
rename to machines/lenovo/configuration.nix
index 58b019e..1b42b9d 100644
--- a/machines/laptop/configuration.nix
+++ b/machines/lenovo/configuration.nix
@@ -1,6 +1,8 @@
 {
 config,
 lib,
+ pkgs,
+ modulesPath,
 machine,
 ...
 }: {
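Review bot: `pkgs` is added to the module's argument set, but none of the lines this commit adds to lenovo/configuration.nix use it — the inlined hardware section in the next hunk reads only `config`, `lib` and `modulesPath`. If the rest of the file does not use it either, drop it; an unused argument in a NixOS module reads as a real dependency to the next maintainer. The module body continues outside the hunk.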
@@ -111,4 +113,68 @@
 "wheel"
 ];
 };
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ #device = "none";
+ #fsType = "tmpfs";
+ #options = ["defaults" "size=60%" "mode=755"];
+ device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
+ fsType = "btrfs";
+ options = ["subvol=root"];
+ };
+
+ boot.initrd.postResumeCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount ${config.fileSystems."/".device} /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ mkdir /btrfs_tmp/root/nix
+ mkdir /btrfs_tmp/root/etc
+ mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
+ cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
+ umount /btrfs_tmp/root/nix
+ rm -r /btrfs_tmp/root/nix
+ umount /btrfs_tmp
+ '';
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/F425-55BA";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ swapDevices = [];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
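Review bot: The inlined hardware section dropped the `nixos-generate-config` header that marked these values as generated, so a future run of that tool will no longer overwrite them but will also not refresh them; a comment above `imports = [`, such as `# Hardware section inlined from nixos-generate-config output; after hardware changes re-run it and merge the diff by hand`, keeps that knowledge with the code. The three commented-out tmpfs lines under `fileSystems."/"` (`#device`, `#fsType`, `#options`) are a leftover of an abandoned variant and can go. In the rollback script, `cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r` is what keeps the SSH host key stable across the root wipe; if `/nix/persist/etc/ssh` is absent the copy fails and sshd will mint a fresh host key, so a guard like `[ -d /btrfs_tmp/root/nix/persist/etc/ssh ] || echo "WARNING: no persisted ssh host keys" >&2` before the `cp` (and `cp -a` to keep ownership and timestamps) makes that state visible instead of silent. The enclosing module ends at the hunk's final `}`.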
diff --git a/pub-keys.nix b/pub-keys.nix
new file mode 100644
index 0000000..482d454
--- /dev/null
+++ b/pub-keys.nix
@@ -0,0 +1,6 @@
+{
+ ssh = {
+ andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
+ lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5b14f22..19c9b7b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,6 +1,7 @@
 let
- andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
- lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
+ pub-keys = import ../pub-keys.nix;
+ andromeda = pub-keys.ssh.andromeda;
+ lenovo = pub-keys.ssh.lenovo;
 in {
 "secret0.age".publicKeys = [andromeda lenovo];
 "secret1.age".publicKeys = [andromeda lenovo];
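Review bot: pub-keys.nix now feeds both the agenix recipient list in secrets.nix and `authorizedKeys` on the server, so editing one key there changes who can decrypt the secrets and who can log in at the same time; that is the right single source of truth, but nothing in the file says so. A header comment, roughly: consumed by secrets/secrets.nix as agenix recipients and by machines/*/configuration.nix as authorized_keys, and secrets must be re-keyed with agenix --rekey after any edit, would make the blast radius of a change obvious. Only the `lenovo` host key appears as a recipient in the visible hunk; the `_173-249-5-230` host has no entry in pub-keys.nix at all, yet its configuration decrypts `secret2` with its host key, so that recipient list (outside the hunk) should be checked. secrets.nix continues past `secret1.age` outside the hunk.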