Andromeda/conf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

change pub key management again, centralize users, start to modularize lenovo conf

Browse Source
This commit is contained in:
andromeda
2025-12-31 02:28:00 +01:00
parent 42a93f042e
commit 4b8882d82d
9 changed files with 114 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
flake.nix
View File

@@ -35,11 +35,11 @@
noshell, noshell,
nur, nur,
nvf, nvf,
self,
stylix, stylix,
... ...
}: let }: let
machines = import ./machines.nix; machines = import ./machines.nix;
_173-249-5-230 = machines._173-249-5-230;
configuration = machine: modules: configuration = machine: modules:
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
system = machine.system; system = machine.system;
@@ -48,11 +48,13 @@
modules modules
++ [ ++ [
./machines/${machine.hostname}/configuration.nix ./machines/${machine.hostname}/configuration.nix
./users.nix
./secrets.nix
agenix.nixosModules.default
]; ];
}; };
configurationWithHomeManager = machine: (configuration machine configurationWithHomeManager = machine: (configuration machine
[ [
agenix.nixosModules.default
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
nixpkgs.overlays = [ nixpkgs.overlays = [

1
machines.nix
View File

@@ -13,6 +13,5 @@
users = [ users = [
"mtgmonkey" "mtgmonkey"
]; ];
pub-keys.ssh = [];
}; };
} }

7
machines/_173-249-5-230/configuration.nix
View File

@@ -71,13 +71,6 @@
}; };
system.stateVersion = "26.05"; system.stateVersion = "26.05";
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
users.users."mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
hashedPasswordFile = builtins.toString config.age.secrets.secret2.path;
extraGroups = ["wheel"];
openssh.authorizedKeys.keys = [(import ../../pub-keys.nix).ssh.andromeda];
};
imports = [ imports = [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];

69
machines/lenovo/configuration.nix
View File

@@ -1,11 +1,14 @@
{ {
config, config,
lib, lib,
pkgs,
modulesPath, modulesPath,
machine, machine,
... ...
}: { }: {
imports = [
./impermanence.nix
(modulesPath + "/installer/scan/not-detected.nix")
];
age.secrets = { age.secrets = {
secret0.file = ../../secrets/secret0.age; secret0.file = ../../secrets/secret0.age;
secret1.file = ../../secrets/secret1.age; secret1.file = ../../secrets/secret1.age;
@@ -14,48 +17,6 @@
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
systemd-boot.enable = true; systemd-boot.enable = true;
}; };
environment.persistence."/nix/persist" = {
enable = true;
hideMounts = true;
directories = [
"/var/log"
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/etc/ssh"
];
files = [
"/etc/machine-id"
"/etc/ly/save.txt"
];
users."andromeda" = {
directories = [
".backups"
".local/share/Anki2"
".local/share/chat.fluffy.fluffychat"
".local/share/zoxide"
".ssh"
"conf"
"Downloads"
"pp"
];
files = [
".bash_history"
".brush_history"
];
};
users."mtgmonkey" = {
directories = [
".local/share/zoxide"
".ssh"
];
files = [
".bash_history"
".brush_history"
];
};
};
hardware.bluetooth = { hardware.bluetooth = {
enable = true; enable = true;
powerOnBoot = true; powerOnBoot = true;
@@ -95,28 +56,6 @@
}; };
system.stateVersion = "26.05"; system.stateVersion = "26.05";
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
users.users."andromeda" = {
isNormalUser = true;
description = "andromeda";
hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
extraGroups = [
"networkmanager"
"wheel"
];
};
users.users."mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
extraGroups = [
"networkmanager"
"wheel"
];
};
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"]; boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
boot.initrd.kernelModules = []; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"]; boot.kernelModules = ["kvm-intel"];

44
machines/lenovo/impermanence.nix Normal file
View File

@@ -0,0 +1,44 @@
{
environment.persistence."/nix/persist" = {
enable = true;
hideMounts = true;
directories = [
"/var/log"
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/etc/ssh"
];
files = [
"/etc/machine-id"
"/etc/ly/save.txt"
];
users."andromeda" = {
directories = [
".backups"
".local/share/Anki2"
".local/share/chat.fluffy.fluffychat"
".local/share/zoxide"
".ssh"
"conf"
"Downloads"
"pp"
];
files = [
".bash_history"
".brush_history"
];
};
users."mtgmonkey" = {
directories = [
".local/share/zoxide"
".ssh"
];
files = [
".bash_history"
".brush_history"
];
};
};
}

6
pub-keys.nix
View File

@@ -1,6 +0,0 @@
{
ssh = {
andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
};
}

22
secrets.nix Normal file
View File

@@ -0,0 +1,22 @@
{lib, ...}: {
config = {
age.secrets = {
secret0.file = ./secrets/secret0.age;
secret1.file = ./secrets/secret1.age;
secret2.file = ./secrets/secret2.age;
};
pub-keys = {
ssh = {
andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
};
};
};
options = {
pub-keys.ssh = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = {};
description = "set of public keys as `name = key`";
};
};
}

2
secrets/secrets.nix
View File

@@ -1,5 +1,5 @@
let let
pub-keys = import ../pub-keys.nix; pub-keys = (import ../secrets.nix).pub-keys;
andromeda = pub-keys.ssh.andromeda; andromeda = pub-keys.ssh.andromeda;
lenovo = pub-keys.ssh.lenovo; lenovo = pub-keys.ssh.lenovo;
in { in {

39
users.nix Normal file
View File

@@ -0,0 +1,39 @@
{
config,
lib,
machine,
...
}: let
machines = import ./machines.nix;
in {
users.users =
builtins.mapAttrs
(name: value: lib.mkIf (builtins.elem name machine.users) value)
{
"andromeda" = {
isNormalUser = true;
description = "andromeda";
hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
extraGroups = [
"networkmanager"
"wheel"
];
};
"mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
extraGroups = [
(lib.mkIf
(machine == machines.lenovo)
"networkmanager")
"wheel"
];
openssh.authorizedKeys.keys = [
(lib.mkIf
(machine == machines._173-249-5-230)
config.pub-keys.ssh.andromeda)
];
};
};
}