Andromeda/conf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

better machine conf, rework key/machines management

Browse Source
This commit is contained in:
andromeda
2025-12-31 01:14:37 +01:00
parent 07655e5135
commit 42a93f042e
10 changed files with 152 additions and 173 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
flake.nix
View File

@@ -38,8 +38,8 @@
stylix, stylix,
... ...
}: let }: let
laptop = import ./machines/laptop/machine.nix; machines = import ./machines.nix;
_173-249-5-230 = import ./machines/173-249-5-230/machine.nix; _173-249-5-230 = machines._173-249-5-230;
configuration = machine: modules: configuration = machine: modules:
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
system = machine.system; system = machine.system;
@@ -47,8 +47,7 @@
modules = modules =
modules modules
++ [ ++ [
machine.configuration ./machines/${machine.hostname}/configuration.nix
machine.hardware-configuration
]; ];
}; };
configurationWithHomeManager = machine: (configuration machine configurationWithHomeManager = machine: (configuration machine
@@ -67,7 +66,7 @@
(name: value: value) (name: value: value)
( (
nixpkgs.legacyPackages.${machine.system}.lib.genAttrs nixpkgs.legacyPackages.${machine.system}.lib.genAttrs
machine.usernames machine.users
( (
name: { name: {
imports = [ imports = [
@@ -84,7 +83,9 @@
noshell.nixosModules.default noshell.nixosModules.default
]); ]);
in { in {
nixosConfigurations.${laptop.hostname} = configurationWithHomeManager laptop; nixosConfigurations =
nixosConfigurations.${_173-249-5-230.hostname} = configurationWithHomeManager _173-249-5-230; builtins.mapAttrs
(hostname: value: configurationWithHomeManager value)
machines;
}; };
} }

18
machines.nix Normal file
View File

@@ -0,0 +1,18 @@
{
lenovo = {
hostname = "lenovo";
system = "x86_64-linux";
users = [
"andromeda"
"mtgmonkey"
];
};
_173-249-5-230 = {
hostname = "_173-249-5-230";
system = "x86_64-linux";
users = [
"mtgmonkey"
];
pub-keys.ssh = [];
};
}

69
machines/173-249-5-230/hardware-configuration.nix
View File

@@ -1,69 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
#device = "none";
#fsType = "tmpfs";
#options = ["defaults" "size=60%" "mode=755"];
device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
fsType = "btrfs";
options = ["subvol=root"];
};
boot.initrd.postResumeCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount ${config.fileSystems."/".device} /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/F425-55BA";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
machines/173-249-5-230/machine.nix
View File

@@ -1,10 +0,0 @@
{
hostname = "173-249-5-230";
usernames = ["mtgmonkey"];
system = "x86_64-linux";
configuration = ./configuration.nix;
hardware-configuration = ./hardware-configuration.nix;
pub-keys = {
ssh = [];
};
}

53
machines/173-249-5-230/configuration.nix → machines/_173-249-5-230/configuration.nix
View File

@@ -1,5 +1,7 @@
{ {
config, config,
lib,
modulesPath,
machine, machine,
... ...
}: { }: {
@@ -38,8 +40,9 @@
allowedTCPPorts = [80 443]; allowedTCPPorts = [80 443];
allowedUDPPorts = [80 443]; allowedUDPPorts = [80 443];
}; };
hostName = machine.hostname; hostName = lib.strings.removePrefix "_" machine.hostname;
domain = ""; domain = "";
useDHCP = true;
}; };
nix.settings = { nix.settings = {
experimental-features = [ experimental-features = [
@@ -73,6 +76,52 @@
description = "mtgmonkey"; description = "mtgmonkey";
hashedPasswordFile = builtins.toString config.age.secrets.secret2.path; hashedPasswordFile = builtins.toString config.age.secrets.secret2.path;
extraGroups = ["wheel"]; extraGroups = ["wheel"];
openssh.authorizedKeys.keys = machine.pub-keys.ssh; openssh.authorizedKeys.keys = [(import ../../pub-keys.nix).ssh.andromeda];
}; };
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = ["defaults" "size=30%" "mode=755"];
};
boot.initrd.postResumeCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount ${config.fileSystems."/".device} /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/6b481376-9716-4559-946b-62097c2380f1";
fsType = "ext4";
};
fileSystems."/efi" = {
device = "systemd-1";
fsType = "autofs";
};
swapDevices = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }

75
machines/laptop/hardware-configuration.nix
View File

@@ -1,75 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
#device = "none";
#fsType = "tmpfs";
#options = ["defaults" "size=60%" "mode=755"];
device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
fsType = "btrfs";
options = ["subvol=root"];
};
boot.initrd.postResumeCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount ${config.fileSystems."/".device} /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
mkdir /btrfs_tmp/root/nix
mkdir /btrfs_tmp/root/etc
mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
umount /btrfs_tmp/root/nix
rm -r /btrfs_tmp/root/nix
umount /btrfs_tmp
'';
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/F425-55BA";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

8
machines/laptop/machine.nix
View File

@@ -1,8 +0,0 @@
{
hostname = "lenovo";
usernames = ["andromeda" "mtgmonkey"];
system = "x86_64-linux";
configuration = ./configuration.nix;
hardware-configuration = ./hardware-configuration.nix;
pub-keys.ssh = [];
}

66
machines/laptop/configuration.nix → machines/lenovo/configuration.nix
View File

@@ -1,6 +1,8 @@
{ {
config, config,
lib, lib,
pkgs,
modulesPath,
machine, machine,
... ...
}: { }: {
@@ -111,4 +113,68 @@
"wheel" "wheel"
]; ];
}; };
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
#device = "none";
#fsType = "tmpfs";
#options = ["defaults" "size=60%" "mode=755"];
device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
fsType = "btrfs";
options = ["subvol=root"];
};
boot.initrd.postResumeCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount ${config.fileSystems."/".device} /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
mkdir /btrfs_tmp/root/nix
mkdir /btrfs_tmp/root/etc
mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
umount /btrfs_tmp/root/nix
rm -r /btrfs_tmp/root/nix
umount /btrfs_tmp
'';
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/F425-55BA";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

6
pub-keys.nix Normal file
View File

@@ -0,0 +1,6 @@
{
ssh = {
andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
};
}

5
secrets/secrets.nix
View File

@@ -1,6 +1,7 @@
let let
andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo"; pub-keys = import ../pub-keys.nix;
lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo"; andromeda = pub-keys.ssh.andromeda;
lenovo = pub-keys.ssh.lenovo;
in { in {
"secret0.age".publicKeys = [andromeda lenovo]; "secret0.age".publicKeys = [andromeda lenovo];
"secret1.age".publicKeys = [andromeda lenovo]; "secret1.age".publicKeys = [andromeda lenovo];