From 93458a5e535186616856733f50c1dc4134925a22 Mon Sep 17 00:00:00 2001 
From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Sun, 29 Mar 2026 15:12:38 -0500 Subject: [PATCH] incorporated john-p14s, big squash merge of stuff --- .sops.yaml | 5 + flake.lock | 119 +++++++------- flake.nix | 14 +- modules/features/desktop.nix | 16 ++ modules/features/gnome.nix | 107 +++++++++++++ modules/features/greetd.nix | 28 ++++ .../{services/step-ca => features}/mtls.nix | 147 ++++++++++-------- .../{services/restic => features}/restic.nix | 9 +- .../{programs => features}/shell-tools.nix | 5 +- .../hosts/{janus.nix => janus/default.nix} | 22 ++- {keys => modules/hosts/janus}/root_ca.crt | 0 modules/hosts/john-p14s/configuration.nix | 138 ++++++++++++++++ modules/hosts/john-p14s/default.nix | 26 ++++ modules/hosts/john-p14s/hardware.nix | 59 +++++++ modules/hosts/john-p14s/secrets.yaml | 26 ++++ .../{john-pc-ubuntu.nix => default.nix} | 54 +++---- modules/hosts/soteria/soteria.nix | 20 +-- modules/nix-tools/rebuild.nix | 94 ++++++++--- modules/nix-tools/user.nix | 24 ++- modules/programs/brave.nix | 11 ++ modules/programs/desktop.nix | 12 -- modules/programs/ghostty.nix | 12 +- modules/programs/git.nix | 11 +- modules/programs/niri.nix | 33 ++++ modules/programs/noctalia.nix | 8 + modules/programs/onepassword.nix | 19 ++- modules/programs/sops.nix | 25 ++- modules/programs/steam.nix | 14 ++ modules/programs/step-client.nix | 34 +--- modules/programs/sublime.nix | 8 - modules/programs/sudo.nix | 10 ++ modules/programs/vscode.nix | 41 ++--- modules/programs/wireguard.nix | 59 +++++++ modules/services/docker.nix | 15 +- modules/services/step-ca/ssh-host.nix | 24 +-- modules/users/john.nix | 44 +++--- resticprofile/base.nix | 50 ------ 37 files changed, 924 insertions(+), 419 deletions(-) create mode 100644 modules/features/desktop.nix create mode 100644 modules/features/gnome.nix create mode 100644 modules/features/greetd.nix rename modules/{services/step-ca => features}/mtls.nix (71%) rename modules/{services/restic => 
features}/restic.nix (93%) rename modules/{programs => features}/shell-tools.nix (87%) rename modules/hosts/{janus.nix => janus/default.nix} (68%) rename {keys => modules/hosts/janus}/root_ca.crt (100%) create mode 100644 modules/hosts/john-p14s/configuration.nix create mode 100644 modules/hosts/john-p14s/default.nix create mode 100644 modules/hosts/john-p14s/hardware.nix create mode 100644 modules/hosts/john-p14s/secrets.yaml rename modules/hosts/john-pc/{john-pc-ubuntu.nix => default.nix} (77%) create mode 100644 modules/programs/brave.nix delete mode 100644 modules/programs/desktop.nix create mode 100644 modules/programs/niri.nix create mode 100644 modules/programs/noctalia.nix create mode 100644 modules/programs/steam.nix delete mode 100644 modules/programs/sublime.nix create mode 100644 modules/programs/sudo.nix create mode 100644 modules/programs/wireguard.nix delete mode 100644 resticprofile/base.nix diff --git a/.sops.yaml b/.sops.yaml index eb26585..55ce6d0 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -9,6 +9,11 @@ creation_rules: - age: - *john-pc - *soteria + - path_regex: john-p14s/secrets\.yaml$ + key_groups: + - age: + - *john-p14s + - *john-pc - path_regex: john-pc/secrets\.yaml$ key_groups: - age: diff --git a/flake.lock b/flake.lock index bc1ad3d..2981bf6 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "flake-file": { "locked": { - "lastModified": 1773554778, - "narHash": "sha256-keH0VNsci9e0Uwt3Msp/N+pltaP8Lb6lt09Q3WvDPw4=", + "lastModified": 1774666175, + "narHash": "sha256-WaZxvtOvVNikiNTen2Emhds2RvzFCWIb7KU9C0eWrNA=", "owner": "vic", "repo": "flake-file", - "rev": "f4780a86bd4c756475d839b286f8a40aabdbc802", + "rev": "953d01f3ae5ba50869c5e1248062198f73e971bf", "type": "github" }, "original": { 
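Review bot: The new rule for `john-p14s/secrets\.yaml$` puts `*john-p14s` and `*john-pc` in the same key group, so the desktop's age key can decrypt the laptop's `wireguard_private_key` and `restic_password` (the two entries in the new `modules/hosts/john-p14s/secrets.yaml`), and a compromise of john-pc reaches this host's VPN identity as well. If `*john-pc` is there as the key you edit secrets with, say so on the rule, e.g. `# john-pc: editing key, not a consumer of these secrets`; otherwise a dedicated admin key in its own group keeps per-host secrets per-host. The `*john-p14s` anchor must be defined in the `keys:` section above, which is outside this hunk.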
@@ -53,34 +53,16 @@ "type": "github" } }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1773608492, - "narHash": "sha256-QZteyExJYSQzgxqdsesDPbQgjctGG7iKV/6ooyQPITk=", + "lastModified": 1774738535, + "narHash": "sha256-2jfBEZUC67IlnxO5KItFCAd7Oc+1TvyV/jQlR+2ykGQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "9a40ec3b78fc688d0908485887d355caa5666d18", + "rev": "769e07ef8f4cf7b1ec3b96ef015abec9bc6b1e2a", "type": "github" }, "original": { @@ -91,11 +73,11 @@ }, "import-tree": { "locked": { - "lastModified": 1773554199, - "narHash": "sha256-6apV5N1F5tTD8JY9AUGnkWmy56HqDPn4MNFRsq4Rg+s=", + "lastModified": 1773693634, + "narHash": "sha256-BtZ2dtkBdSUnFPPFc+n0kcMbgaTxzFNPv2iaO326Ffg=", "owner": "vic", "repo": "import-tree", - "rev": "c6ebc59c85ee54cfb68163d06d1a3149ce0fe431", + "rev": "c41e7d58045f9057880b0d85e1152d6a4430dbf1", "type": "github" }, "original": { 
@@ -125,13 +107,29 @@ "type": "github" } }, + "nixos-hardware": { + "flake": false, + "locked": { + "lastModified": 1774777275, + "narHash": "sha256-qogBiYFq8hZusDPeeKRqzelBAhZvREc7Cl+qlewGUCg=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "b8f81636927f1af0cca812d22c876bad0a883ccd", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1773389992, - "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=", + "lastModified": 1774106199, + "narHash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c06b4ae3d6599a672a6210b7021d699c351eebda", + "rev": "6c9a78c09ff4d6c21d0319114873508a6ec01655", "type": "github" }, "original": { @@ -143,11 +141,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1773507054, - "narHash": "sha256-yzDBkI1CpeZrAt4l1nGvTOs3OFtXCS7a7Gi5Y1h878w=", - "rev": "e80236013dc8b77aa49ca90e7a12d86f5d8d64c9", + "lastModified": 1774701658, + "narHash": "sha256-5QVei2IIfVO3GqMkiiXlrZtaniOkXyMWnqbTVkItrco=", + "rev": "b63fe7f000adcfa269967eeff72c64cafecbbebe", "type": "tarball", - "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre963414.e80236013dc8/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre971056.b63fe7f000ad/nixexprs.tar.xz" }, "original": { "type": "tarball", @@ -156,16 +154,18 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1682134069, - "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", + "lastModified": 1774610258, + "narHash": "sha256-HaThtroVD9wRdx7KQk0B75JmFcXlMUoEdDFNOMOlsOs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fd901ef4bf93499374c5af385b2943f5801c0833", + "rev": "832efc09b4caf6b4569fbf9dc01bec3082a00611", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" } }, "root": { 
@@ -175,12 +175,13 @@ "home-manager": "home-manager", "import-tree": "import-tree", "nixgl": "nixgl", + "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", "nixpkgs-lib": [ "nixpkgs" ], "sops-nix": "sops-nix", - "vscode-server": "vscode-server" + "wrapper-modules": "wrapper-modules" } }, "sops-nix": { @@ -190,11 +191,11 @@ ] }, "locked": { - "lastModified": 1773550941, - "narHash": "sha256-wa/++bL2QeMUreNFBZEWluQfOYB0MnQIeGNMuaX9sfs=", + "lastModified": 1774760784, + "narHash": "sha256-D+tgywBHldTc0klWCIC49+6Zlp57Y4GGwxP1CqfxZrY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c469b6885f0dcd5c7c56bd935a0f08dbcd9e79e1", + "rev": "8adb84861fe70e131d44e1e33c426a51e2e0bfa5", "type": "github" }, "original": { @@ -218,37 +219,21 @@ "type": "github" } }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "vscode-server": { + "wrapper-modules": { "inputs": { - "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1770124655, - "narHash": "sha256-yHmd2B13EtBUPLJ+x0EaBwNkQr9LTne1arLVxT6hSnY=", - "owner": "nix-community", - "repo": "nixos-vscode-server", - "rev": "92ce71c3ba5a94f854e02d57b14af4997ab54ef0", + "lastModified": 1774767209, + "narHash": "sha256-bJxBN+ebX3yZj+KT/c+LeA4xIpoNghG233szgRFAWOc=", + "owner": "BirdeeHub", + "repo": "nix-wrapper-modules", + "rev": "70795f6eb74a69d736e41ee837cd7e1a6d46c0aa", "type": "github" }, "original": { - "owner": "nix-community", - "repo": "nixos-vscode-server", + "owner": "BirdeeHub", + "repo": "nix-wrapper-modules", "type": "github" } } diff --git a/flake.nix b/flake.nix index ec58b81..3dc09aa 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,28 +1,30 @@ # DO-NOT-EDIT. This file was auto-generated using github:vic/flake-file. # Use `nix run .#write-flake` to regenerate it. { - outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } (inputs.import-tree ./modules); inputs = { flake-file.url = "github:vic/flake-file"; flake-parts = { - inputs.nixpkgs-lib.follows = "nixpkgs-lib"; url = "github:hercules-ci/flake-parts"; + inputs.nixpkgs-lib.follows = "nixpkgs-lib"; }; home-manager.url = "github:nix-community/home-manager"; import-tree.url = "github:vic/import-tree"; nixgl = { - inputs.nixpkgs.follows = "nixpkgs"; url = "github:nix-community/nixGL"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixos-hardware = { + url = "github:NixOS/nixos-hardware"; + flake = false; }; nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz"; nixpkgs-lib.follows = "nixpkgs"; sops-nix = { - inputs.nixpkgs.follows = "nixpkgs"; url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; }; - vscode-server.url = "github:nix-community/nixos-vscode-server"; + wrapper-modules.url = "github:BirdeeHub/nix-wrapper-modules"; }; - } diff --git a/modules/features/desktop.nix b/modules/features/desktop.nix new file mode 100644 index 0000000..1c09094 --- /dev/null +++ b/modules/features/desktop.nix @@ -0,0 +1,16 @@ +# This module is for programs with GUIs that run in a desktop environment +{ self, inputs, ... }: { + flake.modules.homeManager.desktop = { config, pkgs, lib, ... }: { + imports = with inputs.self.modules.homeManager; [ + brave + ghostty + onepassword + vscode + ]; + home.packages = with pkgs; [ + mangohud + sublime4 + proton-vpn + ]; + }; +} diff --git a/modules/features/gnome.nix b/modules/features/gnome.nix new file mode 100644 index 0000000..db003b8 --- /dev/null +++ b/modules/features/gnome.nix 
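Review bot: `self` is bound in the outer argument set but the import list reads `inputs.self.modules.homeManager`, and `config` and `lib` in the inner module are never used; `{ inputs, ... }:` and `{ pkgs, ... }:` match what the body actually references. `sublime4` in `home.packages` is an unfree package, so this module silently depends on the importing host setting `allowUnfree` (john-p14s does, via `nixpkgs.config.allowUnfree = true` plus `home-manager.useGlobalPkgs`); a comment such as `# unfree: importing host must set allowUnfree` next to it would spare the next host a surprise.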
@@ -0,0 +1,107 @@ +{ inputs, ... }: { + flake.modules.nixos.gnome = {pkgs, ... }: { + services = { + desktopManager.gnome.enable = true; + displayManager.gdm = { + enable = true; + wayland = true; + banner = "Welcome to John's NixOS implementation"; + }; + udev.packages = [ + pkgs.gnome-settings-daemon # For gnome systray icons + ]; + }; + }; + + flake.modules.homeManager.gnome = { config, pkgs, ... }: + let + # `gnome-extensions list` for a list + extensions = with pkgs.gnomeExtensions; [ + appindicator # For gnome systray icons + dash-to-panel + gtile + space-bar + switcher + tactile + vitals + ]; + enabledExtensions = map (ext: ext.extensionUuid) extensions; + in + { + gtk = { + enable = true; + theme = { + name = "Orchis-Dark"; + package = pkgs.orchis-theme; + }; + gtk4.theme = config.gtk.theme; + }; + + home.packages = [ pkgs.gnome-tweaks ] ++ extensions; + + dconf.settings = { + "org/gnome/desktop/interface" = { + color-scheme = "prefer-dark"; + }; + + "org/gnome/shell" = { + disable-user-extensions = false; + enabled-extensions = enabledExtensions; + }; + + "org/gnome/desktop/wm/preferences" = { + button-layout = ":minimize,close"; + }; + + "org/gnome/desktop/wm/keybindings" = { + "switch-to-workspace-1" = ["1"]; + "switch-to-workspace-2" = ["2"]; + "switch-to-workspace-3" = ["3"]; + "switch-to-workspace-4" = ["4"]; + "move-to-workspace-1" = ["1"]; + "move-to-workspace-2" = ["2"]; + "move-to-workspace-3" = ["3"]; + "move-to-workspace-4" = ["4"]; + }; + + "org/gnome/settings-daemon/plugins/media-keys" = { + custom-keybindings = [ + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/edit-nix/" + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/launch-browser/" + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/ad-dev/" + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/shutdown/" + ]; + }; + + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/edit-nix" = { + binding = "n"; + 
command = "code /etc/nixos"; + name = "Edit Nix config"; + }; + + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/launch-browser" = { + binding = "b"; + command = "brave"; + name = "Launch Brave browser"; + }; + + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/ad-dev" = { + binding = "d"; + command = ''code --file-uri "vscode-remote://ssh-remote+ad-nix/etc/nixos/ad-nix.code-workspace"''; + name = "Launch AppDaemon Development over Tailscale"; + }; + + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/ws1" = { + binding = "1"; + command = "wmctrl -s 0"; + name = "Switch to workspace 1"; + }; + + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/shutdown" = { + binding = "p"; + command = "gnome-session-quit --power-off --force"; + name = "Shutdown immediately"; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/features/greetd.nix b/modules/features/greetd.nix new file mode 100644 index 0000000..a29ffef --- /dev/null +++ b/modules/features/greetd.nix @@ -0,0 +1,28 @@ +# https://github.com/glabrie/dotfiles/blob/main/modules/system/settings/greetd.nix +{ inputs, ... }: { + flake.module.nixos.greetd = { pkgs, lib, ... }: { + services.greetd = { + enable = true; + settings = { + default_session = { + command = "${lib.getExe pkgs.tuigreet} --time --remember --cmd niri-session"; + user = "greeter"; + }; + }; + }; + + systemd.services.greetd.serviceConfig = { + Type = "idle"; + StandardInput = "tty"; + StandardOutput = "tty"; + StandardError = "journal"; # Without this errors will spam on screen + # Without these bootlogs will spam on screen + TTYReset = true; + TTYVHangup = true; + TTYVTDisallocate = true; + }; + + # Let's allow our keyring to work from the start + security.pam.services.greetd.enableGnomeKeyring = true; + }; +} \ No newline at end of file 
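Review bot: The `ws1` custom keybinding is defined under `.../custom-keybindings/ws1` but its path is missing from the `custom-keybindings` array, so GNOME never activates it, and its command `wmctrl -s 0` needs `wmctrl`, which is not in `home.packages`; either add `"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/ws1/"` to the list together with `pkgs.wmctrl`, or delete the entry. The `shutdown` binding runs `gnome-session-quit --power-off --force`; if the bindings really are the bare keys rendered here (`"p"`, `"n"`, `"1"`) rather than `<Super>`-prefixed values whose tag was lost in rendering, a single keypress powers the machine off without confirmation, so please confirm the modifier is present. Minor: `{pkgs, ... }` in the nixos module lacks the spacing used elsewhere, and the file has no trailing newline.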
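Review bot: `flake.module.nixos.greetd` is declared under `flake.module` (singular) while every other module in this commit lives under `flake.modules.nixos.*`, and `john-p14s/default.nix` resolves modules through `self.modules.nixos`; as written the greeter will not be found there once the `# greetd` line is uncommented. Change the header to `flake.modules.nixos.greetd = { pkgs, lib, ... }: {`. The outer `inputs` argument is unused and can be dropped.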
diff --git a/modules/services/step-ca/mtls.nix b/modules/features/mtls.nix similarity index 71% rename from modules/services/step-ca/mtls.nix rename to modules/features/mtls.nix index 31a1030..56ae750 100644 --- a/modules/services/step-ca/mtls.nix +++ b/modules/features/mtls.nix @@ -1,20 +1,16 @@ -{ inputs, lib, ... }: +{ self, inputs, lib, ... }: let # Options that will be in common between opts = { enable = lib.mkEnableOption "Enable mTLS"; - ca = { - url = lib.mkOption { - type = lib.types.str; - }; - fingerprint = lib.mkOption { - type = lib.types.str; - }; - }; subject = lib.mkOption { description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN."; type = lib.types.str; }; + certDir = lib.mkOption { + description = "String path to the directory where the certs will be stored"; + type = lib.types.str; + }; keyFilename = lib.mkOption { description = "String filename for the private key"; type = lib.types.str; @@ -82,6 +78,38 @@ let }; }; + mkMtlsGenerateScript = { + pkgs, + subject, + provisioner, + san, + tlsCert, + tlsKey, + mtlsBundle, + lifetime, + }: + let + stepCmd = lib.getExe pkgs.step-cli; + sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san; + in + pkgs.writeShellScriptBin "mtls-generate" '' + set -euo pipefail + ${stepCmd} ca certificate \ + ${subject} ${tlsCert} ${tlsKey} \ + --not-before=-5m --not-after=${lifetime} \ + --provisioner ${provisioner} \ + ${sanArgs} \ + "$@" + cat ${tlsCert} ${tlsKey} > ${mtlsBundle} + ''; + + mkMtlsCheckScript = { pkgs, mtlsBundle }: pkgs.writeShellScriptBin "mtls-check" '' + ${lib.getExe pkgs.openssl} x509 \ + -noout -subject -issuer \ + -ext subjectAltName,extendedKeyUsage \ + -enddate -in ${mtlsBundle} + ''; + mkMtlsRenewScript = { pkgs, tlsCert, 
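Review bot: `certDir` is added to the shared `opts` set without a default, but the nixos module later in this file immediately replaces it with `options.mtls = opts // { certDir = lib.mkOption { ... default = "/etc/step/certs"; }; }`, and the homeManager module carries its own `certDir` option with a home-relative default, so the shared declaration is never the one in effect. Either remove it from `opts`, or keep the single shared declaration and set the per-module defaults in config instead, e.g. `config.mtls.certDir = lib.mkDefault "/etc/step/certs";` in the nixos module. The `opts` set continues past the end of this hunk.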
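Review bot: `mtls-generate` writes the private key into the bundle with `cat ${tlsCert} ${tlsKey} > ${mtlsBundle}` under whatever umask the caller happens to have, whereas the renew script in this same file does `umask 077` before the identical `cat`; without it the bundle can end up group- or world-readable depending on the invoking shell. Add `umask 077` directly after `set -euo pipefail`. Separately, `subject`, `tlsCert`, `tlsKey` and `mtlsBundle` are interpolated unquoted and `sanArgs` hand-builds `--san \"${s}\"`, while `mkMtlsRenewScript` uses `lib.escapeShellArgs`; `sanArgs = lib.concatMapStringsSep " " (s: "--san ${lib.escapeShellArg s}") san;` and `${lib.escapeShellArg subject}` etc. keep a subject or SAN containing spaces or shell metacharacters from being word-split. The `mkMtlsRenewScript` definition that starts at the end of this hunk continues into the next one.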
@@ -92,9 +120,13 @@ let systemctlArgs ? [ ], }: let + echoCmd = lib.getExe' pkgs.coreutils "echo"; + systemctl = lib.getExe' pkgs.systemd "systemctl"; + escapedArgs = lib.escapeShellArgs systemctlArgs; + systemctlCommand = "${systemctl} ${escapedArgs}"; renewReloadScript = lib.concatMapStringsSep "\n" (unit: '' - if ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} --quiet is-active "${unit}"; then - ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} try-reload-or-restart "${unit}" + if ${systemctlCommand} --quiet is-active "${unit}"; then + ${systemctlCommand} try-reload-or-restart "${unit}" fi '') reloadUnits; renewPostCommands = lib.concatStringsSep "\n" postCommands; @@ -103,9 +135,9 @@ let set -euo pipefail if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then - echo "Renewing mTLS certificate" + ${echoCmd} "Renewing mTLS certificate" else - echo "Skipping renew" + ${echoCmd} "Skipping renew" exit "$?" fi @@ -114,10 +146,10 @@ let umask 077 ${lib.getExe' pkgs.coreutils "cat"} "${tlsCert}" "${tlsKey}" > "${mtlsBundle}" - echo "Reloading units:" + ${echoCmd} "Reloading units:" ${renewReloadScript} - echo "Post commands:" + ${echoCmd} "Post commands:" ${renewPostCommands} ''; 
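Review bot: In the `Skipping renew` branch, `exit "$?"` now reports the exit status of the preceding `${echoCmd}` call, which is always 0, so the line is an obscured `exit 0`; write `exit 0` so the intent (no renewal needed is not a failure) is explicit, or capture the `needs-renewal` status before the echo if a non-zero exit was meant. The renew script body starts and ends outside this hunk. Routing `echo` through coreutils via `${echoCmd}` instead of the bash builtin is harmless but unnecessary inside a `writeShellScriptBin` script.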
@@ -217,33 +249,33 @@ in flake.modules.nixos.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; - certDir = "/etc/step/certs"; - tlsKey = "${certDir}/${cfg.keyFilename}"; - tlsCert = "${certDir}/${cfg.certFilename}"; - mtlsBundle = "${certDir}/${cfg.bundleFilename}"; - rootCA = "${certDir}/root_ca.crt"; + tlsKey = "${cfg.certDir}/${cfg.keyFilename}"; + tlsCert = "${cfg.certDir}/${cfg.certFilename}"; + mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}"; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; in { - options.mtls = opts; + options.mtls = opts // { + certDir = lib.mkOption { + description = "String path to where the mtls certs will be stored."; + type = lib.types.str; + default = "/etc/step/certs"; + }; + }; + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; lib.optionals cfg.enable [ - (writeShellScriptBin "mtls-generate" '' - set -euo pipefail - ${lib.getExe pkgs.step-cli} ca certificate \ - ${cfg.subject} ${tlsCert} ${tlsKey} \ - --provisioner ${cfg.provisioner} \ - --not-before=-5m --not-after=${cfg.lifetime} \ - ${sanArgs} \ - "$@" - cat ${tlsCert} ${tlsKey} > ${mtlsBundle} - '') - (writeShellScriptBin "mtls-check" '' - ${lib.getExe pkgs.openssl} x509 \ - -noout -subject -issuer \ - -ext subjectAltName,extendedKeyUsage \ - -enddate -in ${mtlsBundle} - '') + step-cli + (mkMtlsGenerateScript { + inherit (cfg) subject provisioner san lifetime; + inherit pkgs tlsCert tlsKey mtlsBundle; + }) + (mkMtlsCheckScript { inherit pkgs mtlsBundle; }) + (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; }) + ]; + + systemd.tmpfiles.rules = [ + "d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -" ]; systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService { 
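Review bot: `sanArgs` in the nixos module's `let` block is now unused — the inline `mtls-generate` that read it is replaced by `mkMtlsGenerateScript`, which builds its own SAN arguments from `cfg.san` — and the homeManager module in the following hunk keeps the same dead binding; delete both. The new tmpfiles rule substitutes `cfg.renew.user` for the group when `cfg.renew.group` is null, which presumes a group named after the user exists; when it does not, systemd-tmpfiles will likely reject the line and `${cfg.certDir}` is never created, so `${if cfg.renew.group == null then "-" else cfg.renew.group}` (tmpfiles' own default) is the safer fallback, with a comment stating the assumption if you keep the current one. `lib.optionals cfg.enable` on `environment.systemPackages` is redundant inside `config = lib.mkIf cfg.enable`. The `mkNixosMtlsRenewService` call at the end continues past this hunk.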
@@ -260,11 +292,9 @@ in flake.modules.homeManager.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; - certDir = cfg.certDir; - tlsKey = "${certDir}/${cfg.keyFilename}"; - tlsCert = "${certDir}/${cfg.certFilename}"; - mtlsBundle = "${certDir}/${cfg.bundleFilename}"; - rootCA = "${certDir}/root_ca.crt"; + tlsKey = "${cfg.certDir}/${cfg.keyFilename}"; + tlsCert = "${cfg.certDir}/${cfg.certFilename}"; + mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}"; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; in { 
@@ -272,38 +302,25 @@ in certDir = lib.mkOption { description = "String path to where the mtls certs will be stored."; type = lib.types.str; - default ="${config.home.homeDirectory}/.step/certs"; + default = "${config.home.homeDirectory}/.step/certs"; }; }; config = { - home.file.".step/config/defaults.json".text = builtins.toJSON { - "ca-url" = cfg.ca.url; - fingerprint = cfg.ca.fingerprint; - root = "${cfg.certDir}/root_ca.crt"; - }; - home.packages = with pkgs; lib.optionals cfg.enable [ step-cli - (writeShellScriptBin "mtls-generate" '' - set -euo pipefail - ${lib.getExe pkgs.step-cli} ca certificate \ - ${cfg.subject} ${tlsCert} ${tlsKey} \ - --not-before=-5m --not-after=${cfg.lifetime} \ - --provisioner ${cfg.provisioner} \ - ${sanArgs} \ - "$@" - cat ${tlsCert} ${tlsKey} > ${mtlsBundle} - '') - (writeShellScriptBin "mtls-check" '' - ${lib.getExe pkgs.openssl} x509 \ - -noout -subject -issuer \ - -ext subjectAltName,extendedKeyUsage \ - -enddate -in ${mtlsBundle} - '') + (mkMtlsGenerateScript { + inherit (cfg) subject provisioner san lifetime; + inherit pkgs tlsCert tlsKey mtlsBundle; + }) + (mkMtlsCheckScript { inherit pkgs mtlsBundle; }) (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; }) ]; + systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [ + "d ${cfg.certDir} 0700 - - -" + ]; + systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService { inherit pkgs tlsCert tlsKey mtlsBundle; inherit (cfg.renew) reloadUnits postCommands; diff --git a/modules/services/restic/restic.nix b/modules/features/restic.nix similarity index 93% rename from modules/services/restic/restic.nix rename to modules/features/restic.nix index 1c3cbc0..79dce7a 100644 --- a/modules/services/restic/restic.nix +++ b/modules/features/restic.nix @@ -1,4 +1,4 @@ -{ inputs, ... }: { +{ self, inputs, ... }: { flake.modules.nixos.restic-server = { config, pkgs, lib, ... }: { services.restic.server = { enable = true; 
@@ -47,20 +47,20 @@ config = let resticRepository = "rest:https://soteria.john-stream.com/${cfg.repoName}"; caCert = "${config.mtls.certDir}/root_ca.crt"; - mtlsClientCert = "${config.mtls.certDir}/${config.mtls.bundleFilename}"; + mtlsBundle = "${config.mtls.certDir}/${config.mtls.bundleFilename}"; in { home.sessionVariables = { RESTIC_REPOSITORY = resticRepository; RESTIC_PASSWORD_FILE = cfg.passwordFile; RESTIC_CACERT = caCert; - RESTIC_TLS_CLIENT_CERT = mtlsClientCert; + RESTIC_TLS_CLIENT_CERT = mtlsBundle; }; # This is necessary because the restic service in home manager doesn't otherwise expose these options. systemd.user.services."restic-backups-${cfg.repoName}".Service.Environment = [ "RESTIC_CACERT=${caCert}" - "RESTIC_TLS_CLIENT_CERT=${mtlsClientCert}" + "RESTIC_TLS_CLIENT_CERT=${mtlsBundle}" ]; services.restic = { @@ -103,7 +103,6 @@ ]; }; }; - }; }; } \ No newline at end of file diff --git a/modules/programs/shell-tools.nix b/modules/features/shell-tools.nix similarity index 87% rename from modules/programs/shell-tools.nix rename to modules/features/shell-tools.nix index 6f34574..b17791f 100644 --- a/modules/programs/shell-tools.nix +++ b/modules/features/shell-tools.nix @@ -23,7 +23,6 @@ home.packages = with pkgs; [ wget curl - cacert busybox gnugrep dig @@ -31,6 +30,10 @@ uv xclip jq + ripgrep + (writeShellScriptBin "ds" '' + ${lib.getExe pkgs.gdu} -x -I /snap / + '') ]; }; }; diff --git a/modules/hosts/janus.nix b/modules/hosts/janus/default.nix similarity index 68% rename from modules/hosts/janus.nix rename to modules/hosts/janus/default.nix index 05a9016..ee8765a 100644 --- a/modules/hosts/janus.nix +++ b/modules/hosts/janus/default.nix 
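Review bot: The new `ds` wrapper runs `gdu -x -I /snap /` with no way to pass extra flags; appending `"$@"` (`${lib.getExe pkgs.gdu} -x -I /snap / "$@"`) keeps the shortcut while letting callers add options. `lib.getExe` requires `lib` to be bound in the home-manager module's argument set, whose header is outside this hunk (`with pkgs;` does not provide it), so please confirm it is there. Removing `cacert` from the user profile is a behaviour change for any tool that found its CA bundle through the profile; confirm nothing relied on it.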
@@ -2,9 +2,17 @@ let username = "john"; hostname = "janus"; - caURL = "https://janus.john-stream.com/"; in { + flake.modules.homeManager.janus-ca = { config, ... }: { + home.file.".step/config/defaults.json".text = builtins.toJSON { + "ca-url" = "https://janus.john-stream.com/"; + fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; + root = "${config.home.homeDirectory}/.step/certs/root_ca.crt"; + }; + home.file.".step/certs/root_ca.crt".source = ./root_ca.crt; + }; + flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem { modules = with inputs.self.modules; [ nixos.lxc @@ -20,12 +28,10 @@ in networking.hostName = hostname; step-ssh-host = { hostname = hostname; - caURL = caURL; }; mtls = { enable = true; subject = hostname; - caURL = caURL; san = [ "${hostname}.john-stream.com" "192.168.1.244" @@ -36,18 +42,10 @@ in imports = with inputs.self.modules.homeManager; [ sops step-ssh-user + janus-ca ]; - shell.program = "zsh"; docker.enable = true; - # step-ssh-user = { - # enable = true; - # principals = [ "${hostname}" ]; - # }; - ssh.matchSets = { - certs = true; - homelab = true; - }; }; } ]; diff --git a/keys/root_ca.crt b/modules/hosts/janus/root_ca.crt similarity index 100% rename from keys/root_ca.crt rename to modules/hosts/janus/root_ca.crt diff --git a/modules/hosts/john-p14s/configuration.nix b/modules/hosts/john-p14s/configuration.nix new file mode 100644 index 0000000..f1f1470 --- /dev/null +++ b/modules/hosts/john-p14s/configuration.nix 
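Review bot: `janus-ca` pins the CA `fingerprint` as a string literal and separately ships `./root_ca.crt`, and `root` is hard-coded to `~/.step/certs/root_ca.crt` rather than derived from `config.mtls.certDir` (whose default is that same path but which a host may override); the two sources of truth can drift silently, and a mismatch only surfaces as a later bootstrap or verification failure. Consider `root = "${config.mtls.certDir}/root_ca.crt";` where the mtls module is guaranteed to be imported alongside, or at least a comment such as `# must match ./root_ca.crt; recompute with: step certificate fingerprint root_ca.crt` next to the literal. `.step/certs` is also the directory the homeManager mtls module creates through `systemd.user.tmpfiles` with mode 0700, so `home.file` and tmpfiles now both manage it — confirm neither clobbers the other's permissions.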
@@ -0,0 +1,138 @@ +{ self, inputs, ... }: +{ + flake.modules.nixos.p14sConfiguration = { config, pkgs, lib, ... }: + let + hostname = "john-p14s"; + homeDirectory = config.home-manager.users.john.home.homeDirectory; + flakeDir = "${homeDirectory}/Documents/dendritic"; + in + { + imports = [ + self.modules.nixos.p14sHardware + ]; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nixpkgs.config = { + permittedInsecurePackages = [ "openssl-1.1.1w" ]; + allowUnfree = true; + }; + + rebuild.flakeDir = flakeDir; + + networking = { + hostName = hostname; + networkmanager.enable = true; + }; + + # Enable automatic login for the user. + # services.displayManager.autoLogin.enable = true; + # services.displayManager.autoLogin.user = "john"; + + programs.zsh.enable = true; + services.openssh.enable = true; + services.tailscale.enable = true; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget + cacert + busybox + dig + samba + ]; + + security.pam.services.swaylock = {}; + security.pam.services.swaylock.fprintAuth = true; + + programs._1password.enable = true; + programs._1password-gui = { + enable = true; + # Certain features, including CLI integration and system authentication support, + # require enabling PolKit integration on some desktop environments (e.g. Plasma). + polkitPolicyOwners = [ "john" ]; + # TODO this should not be a hardcoded username + }; + + # This is needed for VSCode remote support. Read: https://nixos.wiki/wiki/Visual_Studio_Code + programs.nix-ld.enable = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It's perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. 
man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.05"; # Did you read the comment? + + # Set your time zone. + time.timeZone = "America/Chicago"; + + # Select internationalisation properties. + i18n = { + defaultLocale = "en_US.UTF-8"; + extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + }; + }; + + services.libinput.enable = true; # Enable touchpad support (enabled default in most desktopManager). + services.fprintd.enable = true; # Enables fingerprint sensor + + # Enable sound with pipewire. + services.pulseaudio.enable = false; + security.rtkit.enable = true; # PulseAudio server uses this to acquire realtime priority. + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + # media-session.enable = true; + }; + + home-manager.useGlobalPkgs = true; + home-manager.users.root = { + imports = with inputs.self.modules.homeManager; [ + rebuild + janus-ca + ]; + home.stateVersion = "25.11"; + }; + home-manager.users.john.imports = with inputs.self.modules.homeManager; [ + gnome + desktop + mysops + rebuild + janus-ca + { + my-vscode.enable = true; + mysops.hostSecretFile = "${flakeDir}/modules/hosts/john-p14s/secrets.yaml"; + homeManagerFlakeDir = "${flakeDir}"; + shell.program = "zsh"; + home.packages = with pkgs; [ + bash + discord + ]; + } + ]; + sops.defaultSopsFile = ./secrets.yaml; + sops.age.sshKeyPaths = [ "${homeDirectory}/.ssh/id_ed25519" ]; + mtls = { + enable = true; + subject = 
hostname;
+ };
+ };
+}
diff --git a/modules/hosts/john-p14s/default.nix b/modules/hosts/john-p14s/default.nix
new file mode 100644
index 0000000..1358df1
--- /dev/null
+++ b/modules/hosts/john-p14s/default.nix
@@ -0,0 +1,26 @@
+{ self, inputs, ... }: {
+ flake-file.inputs = {
+ nixos-hardware = {
+ url = "github:NixOS/nixos-hardware";
+ flake = false;
+ };
+ };
+
+ flake.nixosConfigurations.john-p14s = inputs.nixpkgs.lib.nixosSystem {
+ modules = [
+ "${inputs.nixos-hardware}/lenovo/thinkpad/p14s"
+ "${inputs.nixos-hardware}/lenovo/thinkpad/p14s/amd/gen4"
+ ] ++ (with self.modules.nixos; [
+ p14sConfiguration
+ rebuild
+ sudo
+ john
+ gnome
+ steam
+ wireguard
+ mtls
+ # greetd
+ # niri
+ ]);
+ };
+}
\ No newline at end of file
diff --git a/modules/hosts/john-p14s/hardware.nix b/modules/hosts/john-p14s/hardware.nix
new file mode 100644
index 0000000..5631613
--- /dev/null
+++ b/modules/hosts/john-p14s/hardware.nix
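Review bot: `nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]` re-enables an end-of-life OpenSSL for the whole system closure with nothing in this file saying which package needs it; add `# needed by: <PACKAGE>` naming the consumer, or drop the entry and let the evaluation error identify it. `sops.age.sshKeyPaths = [ "${homeDirectory}/.ssh/id_ed25519" ]` makes root's system-level secret decryption at activation depend on a user's SSH key under `/home`, which fails whenever that home is absent or not yet mounted and ties host secrets to a user identity; the usual choice is the host key, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` (openssh is already enabled here), which then needs its age recipient added to `.sops.yaml` and the secrets file re-keyed. `security.pam.services.swaylock = {};` is redundant given the `fprintAuth = true` line that follows it, and the hard-coded `polkitPolicyOwners = [ "john" ]` flagged by the TODO could reuse the `username` binding pattern the janus host already has.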
@@ -0,0 +1,59 @@ +{ self, inputs, ... }: { + flake.modules.nixos.p14sHardware = { config, lib, pkgs, modulesPath, ... }: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd = { + availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ]; + kernelModules = [ "amdgpu" ]; + }; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; + + # boot.loader.systemd-boot.enable = true; + # boot.loader.efi.canTouchEfiVariables = true; + # boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ]; + # boot.initrd.kernelModules = [ "amdgpu" ]; + # boot.kernelModules = [ "kvm-amd" ]; + # boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/fbc7d8bc-080b-4554-a2b2-5f92d059ce07"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/9A04-ADD8"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp102s0u2u4.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + hardware.graphics = { + enable = true; + enable32Bit = true; + extraPackages = [ pkgs.rocmPackages.clr.icd ]; + }; + environment.variables.AMD_VULKAN_ICD = "RADV"; + }; +} diff --git a/modules/hosts/john-p14s/secrets.yaml b/modules/hosts/john-p14s/secrets.yaml new file mode 100644 index 0000000..790b69a --- /dev/null +++ b/modules/hosts/john-p14s/secrets.yaml 
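Review bot: The root filesystem is declared as plain `ext4` on `/dev/disk/by-uuid/...` with no `boot.initrd.luks.devices` entry, so unless encryption is configured somewhere outside this file the laptop keeps the sops-managed WireGuard key, the restic password and the `~/.ssh/id_ed25519` that serves as the age decryption key on an unencrypted disk; if that is deliberate, a one-line comment `# root fs is unencrypted by design` saves the next reader the question, otherwise LUKS under the root volume is the usual fix for a portable host. The commented-out `# boot.loader...` / `# boot.initrd...` lines duplicate the structured `boot = { ... }` attrset directly above them and should be deleted rather than kept as dead config. `self` and `inputs` in the outer argument set are unused and can be dropped.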
@@ -0,0 +1,26 @@ +restic_password: ENC[AES256_GCM,data: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,iv:VogP+OQvlsYCSqlmffO+o99C0hJm63ZqLXVd2B0oom0=,tag:+se1QHW6xLMj/dZrbY0MKQ==,type:str] +wireguard_private_key: ENC[AES256_GCM,data:sCskwDhemU1y4M4A4R9KxwiL8q+FtxnUqg1omU7yS81H1bbSM804hNzmq+A=,iv:7wNMAG+7wYYXYgKEohIAYisMN5lbz+M5RhCEaHL4yWE=,tag:FENdJTEEGD9cEJVwIIUQDA==,type:str] +sops: + age: + - recipient: age1f6drjusg866yscj8029tk4yfpgecklrvezldm02ankm6h8nnwu5s2u6ahy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS0F1R0NnV0gyNFlkUEhZ + UkxvN1ZLQTFsV0tnR0pLNFJycmduU1VXUlFVCjBkRGxQd1B1c3cweTRsZm9OUCt0 + anU3RTFUUkxoaXlhdlR0RkxPclVUdVkKLS0tIG9kTEVNK2piRWI5ZWFSejFFUGtD + emtTUGk0cVZWR3F5R05WTTFJUFUwNTAKrRYQAJen6QVSgaOyqPxSIniHiMLUfXuv + /O1Ebz5xLWn99EhloqW7rHhUxXlhxP2CmwfYXizyKFa6nAu6R+BCgg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNWRXZTFWREIzRVhRaWRB + anNDb3hsZzFOMFMrclhmeldaOWY4b3BJekFBCkJhbjRvRUwva3lFbzNTKzJqK2p2 + WVlMaXpvczlhdGduZHIrb2xPaEg3OUUKLS0tIHFtM09mN0FEUWdjWEVEL3VXL00w + WHpOY280S2hpVU1mNnozODRoMnB4bGMKK5RrDK2kAZlWf2igqyzWgshxLPj+f74A + mCmMLDHo5drNieFYp+guqHaHnZkf9IzpAglj7x6wCITjk+l6go5KvA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-27T03:59:09Z" + mac: ENC[AES256_GCM,data:MsPAxssWUSvsJQP0Ogrl3r/GoVqeL1L95YTJQbAJZ4FVxhRXP7KfbUnKSclzU6G8CP5WxV18TXZfB4JITKG3Lz5rtVpD/WFMdhDmve0f6BPMAimle2ajWUaWYNePvEynClX3nydLk3h31DjHGa8YvJZqW2ieDb/JDMdBXiLTrWc=,iv:82ul5CV3XXllFCDJfF6beIcAIFj71ycJJF4iEQvovMA=,tag:108L7VkAoPUTLtV74qgrrA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.2 diff --git a/modules/hosts/john-pc/john-pc-ubuntu.nix b/modules/hosts/john-pc/default.nix similarity index 77% rename from modules/hosts/john-pc/john-pc-ubuntu.nix rename to modules/hosts/john-pc/default.nix index 3aed449..7d3716b 100644 
--- a/modules/hosts/john-pc/john-pc-ubuntu.nix +++ b/modules/hosts/john-pc/default.nix 
@@ -1,52 +1,56 @@ -{ inputs, ... }: +{ self, inputs, ... }: let username = "john"; hostname = "john-pc-ubuntu"; - # testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix - testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria + + testHost = "soteria"; + testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix + # testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria + in { - flake.modules.homeManager."${hostname}" = { pkgs, config, ... }: + flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }: let flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic"; certDir = "${config.mtls.certDir}"; - CACert = "${certDir}/root_ca.crt"; mtlsBundle = "${certDir}/${config.mtls.bundleFilename}"; resticPasswordFile = "${config.xdg.configHome}/restic/password.txt"; + + testPushCmd = (pkgs.writeShellScriptBin "test-push" '' + ${lib.getExe' pkgs.coreutils "mkdir"} -p /var/tmp/nix-build + ${lib.getExe' pkgs.coreutils "chmod"} 1777 /var/tmp/nix-build + ${lib.getExe pkgs.nixos-rebuild} switch \ + --flake ${flakeDir}#${testHost} \ + --target-host root@${testTarget} + ''); in { imports = with inputs.self.modules.homeManager; [ rebuild john mysops + janus-ca step-ssh-user mtls restic docker desktop ]; - targets.genericLinux.enable = true; - - shell.program = "zsh"; - - home.username = "${username}"; - home.homeDirectory = "/home/${username}"; - - home.packages = with pkgs; [ - nixos-rebuild - (writeShellScriptBin "test-push" '' - mkdir -p /var/tmp/nix-build - chmod 1777 /var/tmp/nix-build - nixos-rebuild switch \ - --flake ${flakeDir}#john-pc-ubuntu \ - --target-host root@${testTarget} - '') - ]; - # TODO: make this more restrictive, rather than allowing all unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]; + targets.genericLinux.enable = true; + + home.username = "${username}"; + home.homeDirectory = "/home/${username}"; + home.packages = [ + 
pkgs.nixos-rebuild + testPushCmd + ]; + + shell.program = "zsh"; + homeManagerFlakeDir = flakeDir; docker.enable = true; @@ -91,10 +95,6 @@ in mtls = { enable = true; subject = hostname; - ca = { - url = "https://janus.john-stream.com/"; - fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; - }; san = [ "${hostname}" "192.168.1.85" diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix index aa767b7..6f74633 100644 --- a/modules/hosts/soteria/soteria.nix +++ b/modules/hosts/soteria/soteria.nix @@ -7,11 +7,9 @@ in flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem { modules = with inputs.self.modules; [ nixos.lxc + nixos."${username}" nixos.mysops nixos.step-ssh-host - inputs.home-manager.nixosModules.home-manager - nixos."${username}" - nixos.zsh nixos.login-text # nixos.mtls # nixos.restic-server 
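Review bot: `testHost = "soteria";` and `testTarget` disagree: the active `testTarget` line is annotated `# test-nix` while the soteria address is the one now commented out, so if those comments are accurate `test-push` builds the soteria configuration and switches the test-nix host to it via `--target-host root@${testTarget}`. Either point `testTarget` back at the soteria address or set `testHost = "test-nix";`, and keep the pair adjacent with one comment, e.g. `testHost = "test-nix"; testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # same box as testHost`. A script named `test-push` that runs `nixos-rebuild switch` as root on the remote also makes a bad build the default boot entry; `nixos-rebuild test` (activate without updating the bootloader) fits the name better.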
@@ -24,42 +22,38 @@ in ]; step-ssh-host = { hostname = hostname; - caURL = caURL; }; + # This provides the secrets at install time + sops.defaultSopsFile = ./secrets.yaml; home-manager.users."${username}" = { imports = with inputs.self.modules; [ - homeManager"${hostname}" + homeManager."${hostname}" ]; }; } ]; }; - flake.modules.homeManager."${hostname}" = { config, lib, pkgs, ... }: { + flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }: { imports = with inputs.self.modules; [ homeManager.rebuild homeManager.mysops + homeManager.janus-ca homeManager.mtls homeManager.docker ]; homeManagerFlakeDir = "${config.xdg.configHome}/home-manager"; - home.username = "${username}"; - home.homeDirectory = "/home/${username}"; shell.program = "zsh"; docker.enable = true; # This will provide the edit-secrets script targeting this file - mysops.hostSecretFile = "${config.xdg.configHome}/home-manager/modules/hosts/soteria/secrets.yaml"; + mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml"; mtls = { enable = true; subject = hostname; - ca = { - url = "https://janus.john-stream.com/"; - fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; - }; san = [ "${hostname}.john-stream.com" "192.168.1.142" diff --git a/modules/nix-tools/rebuild.nix b/modules/nix-tools/rebuild.nix index 8ef00c5..491f902 100644 --- a/modules/nix-tools/rebuild.nix +++ b/modules/nix-tools/rebuild.nix 
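Review bot: The comment `# This provides the secrets at install time` above `sops.defaultSopsFile = ./secrets.yaml;` is inaccurate: sops-nix decrypts the file on every activation (boot and `nixos-rebuild switch`) with the host's key, not once at install, and a reader may otherwise assume the plaintext persists across rebuilds. Suggest `# Host secrets file; sops-nix decrypts it at every activation using this host's key`. The `homeManager"${hostname}"` → `homeManager."${hostname}"` change on the following lines is a genuine syntax fix that the squash-merge message does not mention; worth a line there.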
@@ -1,43 +1,91 @@ -{ inputs, ... }: +{ self, inputs, ... }: { - flake.modules.homeManager.rebuild = - { pkgs, lib, config, ... }: + flake.modules.nixos.rebuild = + { config, pkgs, lib, ... }: + let + flakeDir = config.rebuild.flakeDir; + echoCmd = lib.getExe' pkgs.coreutils "echo"; + hostnameCmd = "$(${lib.getExe pkgs.hostname} -s)"; + nfs = (pkgs.writeShellScriptBin "nfs" '' + HOSTNAME=${hostnameCmd} + ${echoCmd} "Switching to the $HOSTNAME nixos profile" + sudo ${lib.getExe pkgs.nixos-rebuild} switch --impure --flake ${flakeDir}#$HOSTNAME + ''); + in { - options = { - homeManagerFlakeDir = lib.mkOption { + options.rebuild = { + flakeDir = lib.mkOption { + description = "Path to the flake directory."; type = lib.types.str; - default = "${config.xdg.configHome}/home-manager"; - description = "Path to the home-manager flake directory."; + default = "/etc/nixos"; }; }; - config = let - nixBin = lib.getExe pkgs.nix; - flakeDir = config.homeManagerFlakeDir; - in - { + config = { + environment.systemPackages = with pkgs; [ + nfs + (writeShellScriptBin "nfsu" '' + ${lib.getExe nix} flake update --impure --flake ${flakeDir} + ${lib.getExe git} -C ${flakeDir} add ${flakeDir}/flake.lock > /dev/null 2>&1 + ${lib.getExe nfs} + '') + ]; + }; + }; + + flake.modules.homeManager.rebuild = + { config, pkgs, lib, ... 
}: + let + nixBin = lib.getExe pkgs.nix; + flakeDir = config.homeManagerFlakeDir; + echoCmd = lib.getExe' pkgs.coreutils "echo"; + hostnameCmd = "$(${lib.getExe pkgs.hostname} -s)"; + nhms = (pkgs.writeShellScriptBin "nhms" '' + HOSTNAME=${hostnameCmd} + ${echoCmd} "Switching to the $HOSTNAME home-manager profile" + ${lib.getExe pkgs.home-manager} switch --impure --flake ${flakeDir}#$HOSTNAME + ''); + in + { + options = { + homeManagerFlakeDir = lib.mkOption { + description = "Path to the home-manager flake directory."; + type = lib.types.str; + default = "${config.xdg.configHome}/home-manager"; + }; + buildHostname = lib.mkOption { + description = "Hostname for the NixOS configuration to use."; + type = lib.types.str; + default = hostnameCmd; + }; + }; + + config = { home.activation.printFlakeDir = lib.hm.dag.entryAfter ["writeBoundary"] '' - run echo "Home Manager flake directory: ${flakeDir}" + run ${echoCmd} "Home Manager flake directory: ${flakeDir}" ''; home.packages = with pkgs; [ home-manager - (writeShellScriptBin "flake-parts-test" '' - echo "Test ${flakeDir}" - '') (writeShellScriptBin "flake-parts-check" '' cd ${flakeDir} - ${nixBin} run ".#write-flake" + ${nixBin} run "${flakeDir}#write-flake" ${nixBin} flake check '') - (writeShellScriptBin "nhms" '' - HOSTNAME=$(hostname -s) - echo "Switching to the $HOSTNAME profile" - ${lib.getExe home-manager} switch --impure --flake ${flakeDir}#$HOSTNAME - '') + nhms (writeShellScriptBin "nhmu" '' ${nixBin} flake update --flake ${flakeDir} - nhms + ${lib.getExe nhms} + '') + + (writeShellScriptBin "test-build" '' + if [ -z "$1" ]; then + HOSTNAME=${hostnameCmd} + else + HOSTNAME="$1" + fi + ${echoCmd} "Testing the evaulation of the nixos config for $HOSTNAME" + ${lib.getExe nix} eval ${flakeDir}#nixosConfigurations.$HOSTNAME.config.system.build.toplevel.drvPath '') ]; }; diff --git a/modules/nix-tools/user.nix b/modules/nix-tools/user.nix index 15e614c..ab92f69 100644 --- a/modules/nix-tools/user.nix 
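Review bot: `buildHostname` is declared with default `hostnameCmd`, i.e. the literal string `$(hostname -s)`, but nothing in this hunk reads it, and a shell snippet as the default of a `types.str` option is confusing for anyone who later sets it to a plain name; either drop the option or have `test-build` use it instead of its ad-hoc `$1` handling. `nfsu` runs `${lib.getExe git} -C ${flakeDir} add ${flakeDir}/flake.lock > /dev/null 2>&1` and then calls `nfs` regardless, so a failed add is invisible and the switch proceeds against whatever the index holds; at minimum `… add ${flakeDir}/flake.lock || exit 1` without the redirection. Both `nfs` and `nfsu` pass `--impure`, which lets evaluation read environment variables and absolute paths outside the flake; a one-line comment stating why that is needed would stop a future reader from removing it or, conversely, from assuming the builds are hermetic.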
+++ b/modules/nix-tools/user.nix @@ -1,12 +1,23 @@ # Lifted from: # https://github.com/Doc-Steve/dendritic-design-with-flake-parts/blob/69edacdb5a4a6ca71d649bb8eb62cf8c630c8627/modules/users/bob%20%5BNDn%5D/bob.nix#L8 -{ self, ... }: +{ self, inputs, ... }: { - config.flake.factory.user = username: isAdmin: { - nixos."${username}" = { lib, pkgs, ... }: { + config.flake.factory.user = { + username, + isAdmin ? false, + noPassword ? false, + # homeImports ? [ ], + # homePackages ? [ ], + }: { + nixos."${username}" = { config, lib, pkgs, ... }: { + imports = [ + inputs.home-manager.nixosModules.home-manager + ]; + users.users."${username}" = { isNormalUser = true; home = "/home/${username}"; + shell = lib.mkIf config.programs.zsh.enable pkgs.zsh; extraGroups = [ "input" "networkmanager" @@ -21,7 +32,7 @@ enable = true; extraRules = [{ users = [ "${username}" ]; - commands = [{ + commands = lib.mkIf noPassword [{ command = "ALL"; options = [ "NOPASSWD" ]; }]; @@ -30,11 +41,10 @@ # https://github.com/Doc-Steve/dendritic-design-with-flake-parts/wiki/Dendritic_Aspects#multi-context-aspect home-manager.users."${username}" = { + imports = [ self.modules.homeManager."${username}" ]; home.username = "${username}"; home.homeDirectory = "/home/${username}"; - imports = [ - self.modules.homeManager."${username}" - ]; + # home.packages = homePackages; }; }; }; diff --git a/modules/programs/brave.nix b/modules/programs/brave.nix new file mode 100644 index 0000000..80b8014 --- /dev/null +++ b/modules/programs/brave.nix @@ -0,0 +1,11 @@ +{ self, inputs, ... }: { + flake.modules.homeManager.brave = { + programs.brave = { + enable = true; + extensions = [ + # https://chromewebstore.google.com/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa + "aeblfdkhhhdcdjpifhhbdiojplfjncoa" + ]; + }; + }; +} \ No newline at end of file diff --git a/modules/programs/desktop.nix b/modules/programs/desktop.nix deleted file mode 100644 index 6934501..0000000 
--- a/modules/programs/desktop.nix +++ /dev/null @@ -1,12 +0,0 @@ -# This module is for programs with GUIs that run in a desktop environment -{ inputs, ... }: -{ - flake.modules.homeManager.desktop = - { - imports = with inputs.self.modules.homeManager; [ - onepassword - ghostty - sublime - ]; - }; -} diff --git a/modules/programs/ghostty.nix b/modules/programs/ghostty.nix index 9594303..a7c488e 100644 --- a/modules/programs/ghostty.nix +++ b/modules/programs/ghostty.nix @@ -58,11 +58,16 @@ }; # https://github.com/ghostty-org/ghostty/discussions/3763#discussioncomment-11699970 - xdg.desktopEntries."com.mitchellh.ghostty" = { + xdg.desktopEntries."com.mitchellh.ghostty" = + let + ghosttyCmd = "nixGLMesa ${lib.getExe pkgs.ghostty}"; + in + { name = "Ghostty"; type = "Application"; comment = "A terminal emulator"; - exec = "nixGLMesa ghostty"; + # exec = "nixGLMesa ghostty"; + exec = ghosttyCmd; icon = "com.mitchellh.ghostty"; terminal = false; startupNotify = true; @@ -79,7 +84,8 @@ actions = { new-window = { name = "New Window"; - exec = "nixGLMesa ghostty"; + exec = ghosttyCmd; + # exec = "nixGLMesa ghostty"; }; }; }; diff --git a/modules/programs/git.nix b/modules/programs/git.nix index 1dd7a97..c0168ab 100644 --- a/modules/programs/git.nix +++ b/modules/programs/git.nix @@ -1,6 +1,8 @@ -{ - flake.modules.homeManager.git = { config, lib, ... }: - { +{ self, inputs, ... }: { + flake.modules.homeManager.git = { config, pkgs, lib, ... }: { + home.packages = with pkgs; [ + git-credential-oauth + ]; programs.git = { enable = true; settings = { @@ -14,5 +16,8 @@ enableBashIntegration = true; enableZshIntegration = true; }; + home.shellAliases = { + "lzg" = "lazygit"; + }; }; } diff --git a/modules/programs/niri.nix b/modules/programs/niri.nix new file mode 100644 index 0000000..99a3ad0 --- /dev/null +++ b/modules/programs/niri.nix 
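Review bot: The `# exec = "nixGLMesa ghostty";` lines left beside both new `exec = ghosttyCmd;` assignments in ghostty.nix are commented-out code and should be removed. `ghosttyCmd = "nixGLMesa ${lib.getExe pkgs.ghostty}"` pins ghostty to its store path but still resolves `nixGLMesa` from the desktop session's PATH, so the wrapper is the one piece of the launch command that can silently change; if a nixGL package is available in this flake use its store path, otherwise add `# nixGLMesa must be on the session PATH; only ghostty itself is pinned`. Whether `lib` is among the module's arguments is not visible in this hunk.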
@@ -0,0 +1,33 @@ +{ self, inputs, ... }: { + flake-file.inputs = { + wrapper-modules.url = "github:BirdeeHub/nix-wrapper-modules"; + # wrapper-modules.inputs.nixpkgs.follows = "nixpkgs"; + }; + + flake.modules.nixos.niri = { pkgs, lib, ... }: { + programs.niri = { + enable = true; + package = self.packages.${pkgs.stdenv.hostPlatform.system}.myNiri; + }; + }; + + perSystem = { pkgs, lib, self', ... }: { + packages.myNiri = inputs.wrapper-modules.wrappers.niri.wrap { + inherit pkgs; + env.RUST_BACKTRACE = "full"; + settings = { + spawn-at-startup = [ + "${lib.getExe self'.packages.myNoctalia}" + ]; + xwayland-satellite.path = lib.getExe pkgs.xwayland-satellite; + input.keyboard.xkb.layout = "us,ua"; + layout.gaps = 5; + binds = { + "Mod+Return".spawn-sh = lib.getExe pkgs.ghostty; + "Mod+Q".close-window = null; + "Mod+S".spawn-sh = "${lib.getExe self'.packages.myNoctalia} ipc call launcher toggle"; + }; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/programs/noctalia.nix b/modules/programs/noctalia.nix new file mode 100644 index 0000000..0707fb7 --- /dev/null +++ b/modules/programs/noctalia.nix @@ -0,0 +1,8 @@ +{ self, inputs, ... }: { + perSystem = { pkgs, ... }: { + packages.myNoctalia = inputs.wrapper-modules.wrappers.noctalia-shell.wrap { + inherit pkgs; + # settings = (builtins.fromJSON (builtins.readFile ./noctalia.json)).settings; + }; + }; +} \ No newline at end of file diff --git a/modules/programs/onepassword.nix b/modules/programs/onepassword.nix index d51dee4..6d07a3a 100644 --- a/modules/programs/onepassword.nix +++ b/modules/programs/onepassword.nix 
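Review bot: `# wrapper-modules.inputs.nixpkgs.follows = "nixpkgs";` is commented out, so the new `wrapper-modules` input pins its own nixpkgs revision in `flake.lock`; that is a second nixpkgs whose security fixes have to be tracked separately and a larger closure for `myNiri`, and if `follows` was disabled because the wrapper breaks on this flake's nixpkgs, that reason belongs in the comment. `env.RUST_BACKTRACE = "full"` makes the compositor write full backtraces to the journal on every panic, which is a debugging setting rather than a default; add `# debugging aid, remove once niri is stable on this host` or drop it.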
@@ -1,5 +1,16 @@ -{ - flake.modules.homeManager.onepassword = { - # TODO: Port `_1password = true` behavior into an explicit Home Manager module. +{ self, inputs, ... }: { + flake.modules.homeManager.onepassword = { config, pkgs, lib, ... }: { + home.file.".config/1Password/ssh/agent.toml".text = '' + # https://developer.1password.com/docs/ssh/agent/config + [[ssh-keys]] + vault = "Private" + ''; + programs.ssh = { + enable = true; + extraConfig = '' + Host * + IdentityAgent ${config.home.homeDirectory}/.1password/agent.sock + ''; + }; }; -} \ No newline at end of file +} diff --git a/modules/programs/sops.nix b/modules/programs/sops.nix index a923f8f..554bbf4 100644 --- a/modules/programs/sops.nix +++ b/modules/programs/sops.nix @@ -40,13 +40,22 @@ in default = "${config.xdg.configHome}/sops/age/keys.txt"; }; hostSecretFile = lib.mkOption { - description = "Path to the secrets file for this host"; + description = "Path to the secrets file for this host. Used to create the edit-secrets script"; type = lib.types.nullOr lib.types.str; default = null; }; }; - config = { + config = + let + echo = lib.getExe' pkgs.coreutils "echo"; + dirname = lib.getExe' pkgs.coreutils "dirname"; + mkdir = lib.getExe' pkgs.coreutils "mkdir"; + show-age-key = (pkgs.writeShellScriptBin "show-age-key" '' + ${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile} + ''); + in + { home.packages = with pkgs; [ eza age 
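Review bot: With `Host *` plus `IdentityAgent` in `extraConfig`, ssh offers every key the 1Password agent exposes to every server it talks to; with only the `Private` vault listed in `agent.toml` that may be one key today, but once more are added a server can enumerate them, so pair this with `IdentitiesOnly yes` and explicit `IdentityFile` entries pointing at the public halves. ssh also takes the first value it sees for an option, so any later per-host `IdentityAgent` override only wins if it is emitted before this stanza; where home-manager places `extraConfig` relative to `matchBlocks` is not visible here, so a comment stating that this is meant to be the global default is worth adding.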
@@ -56,21 +65,21 @@ in set -eu if [ ! -f "${config.ssh.IdentityFile}" ]; then - echo "SSH identity file not found: ${config.ssh.IdentityFile}" >&2 + ${echo} "SSH identity file not found: ${config.ssh.IdentityFile}" >&2 exit 1 fi if [ -e "${cfg.ageKeyFile}" ]; then - echo "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2 + ${echo} "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2 exit 1 fi - mkdir -p "$(dirname "${cfg.ageKeyFile}")" + ${mkdir} -p "$(${dirname} "${cfg.ageKeyFile}")" ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.IdentityFile} -private-key > ${cfg.ageKeyFile} - echo -n "Created ${cfg.ageKeyFile}: " - echo $(show-age-key) + ${echo} -n "Created ${cfg.ageKeyFile}: " + ${echo} $(${lib.getExe show-age-key}) '') - (writeShellScriptBin "show-age-key" "${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}") + show-age-key (writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets") ] ++ editScript; diff --git a/modules/programs/steam.nix b/modules/programs/steam.nix new file mode 100644 index 0000000..c575361 --- /dev/null +++ b/modules/programs/steam.nix @@ -0,0 +1,14 @@ +{ self, inputs, ... }: { + flake.modules.nixos.steam = { + programs.steam = { + enable = true; + gamescopeSession.enable = true; + # Open ports in the firewall for Steam Remote Play + remotePlay.openFirewall = true; + # Open ports in the firewall for Source Dedicated Server + dedicatedServer.openFirewall = true; + # Open ports in the firewall for Steam Local Network Game Transfers + localNetworkGameTransfers.openFirewall = true; + }; + }; +} \ No newline at end of file diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix index 4c05d2f..5c322e3 100644 --- a/modules/programs/step-client.nix +++ b/modules/programs/step-client.nix 
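Review bot: The age private key is written by `${lib.getExe pkgs.ssh-to-age} … > ${cfg.ageKeyFile}` with whatever umask the interactive shell has, and the new `${mkdir} -p` line creates the parent directory the same way, so on the usual `022` umask the key file comes out world-readable; add `umask 077` right after `set -eu` (that line is unchanged context here, but the script is being rewritten anyway). `${echo} $(${lib.getExe show-age-key})` is an unquoted command substitution; `${lib.getExe show-age-key}` on its own line prints the public key without word splitting. The enclosing `writeShellScriptBin` starts before this hunk.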
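Review bot: `dedicatedServer.openFirewall = true;` opens the Source dedicated-server ports on every interface of this laptop, including the `platform` WireGuard interface added in this same patch, and is only needed when the machine hosts a game server; drop it unless that is intended. `remotePlay.openFirewall` and `localNetworkGameTransfers.openFirewall` likewise add global `allowedTCPPorts`/`allowedUDPPorts` entries rather than per-interface ones; if they are wanted, a comment such as `# these are global firewall holes, not scoped to the LAN interface` tells the next reader what was accepted.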
@@ -1,9 +1,4 @@ -{ inputs, ... }: -let - caURL = "https://janus.john-stream.com/"; - stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; -in -{ +{ self, inputs, ... }: { # # Home Manager Module # @@ -17,42 +12,15 @@ in { options.step-ssh-user = { enable = lib.mkEnableOption "opionated step client config for SSH certs"; - caURL = lib.mkOption { - type = lib.types.str; - default = "${caURL}"; - }; - fingerprint = lib.mkOption { - type = lib.types.str; - default = "${stepFingerprint}"; - }; - rootCertFile = { - path = lib.mkOption { - type = lib.types.str; - description = "String path to where the root_ca.crt file will be stored for the user"; - default = ".step/certs/root_ca.crt"; - }; - source = lib.mkOption { - type = lib.types.path; - description = "Nix path to the root cert file within the repo"; - default = ../../keys/root_ca.crt; - }; - }; provisioner = lib.mkOption { type = lib.types.str; default = "admin"; }; principals = lib.mkOption { type = lib.types.listOf lib.types.str; - # default = [ ]; }; }; config = lib.mkIf cfg.enable { - home.file."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source; - home.file.".step/config/defaults.json".text = builtins.toJSON { - "ca-url" = cfg.caURL; - fingerprint = cfg.fingerprint; - root = "${config.home.homeDirectory}/${cfg.rootCertFile.path}"; - }; sops.secrets."janus/admin_jwk".mode = "0400"; home.packages = with pkgs; [ (writeShellScriptBin "sign-ssh-cert" '' diff --git a/modules/programs/sublime.nix b/modules/programs/sublime.nix deleted file mode 100644 index 8929b7e..0000000 --- a/modules/programs/sublime.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ inputs, pkgs, ... }: -{ - flake.modules.homeManager.sublime = { pkgs, lib, ... }: { - home.packages = with pkgs; [ - sublime4 - ]; - }; -} \ No newline at end of file diff --git a/modules/programs/sudo.nix b/modules/programs/sudo.nix new file mode 100644 index 0000000..cf6bc10 --- /dev/null +++ b/modules/programs/sudo.nix 
@@ -0,0 +1,10 @@
+{ self, inputs, ... }: {
+ flake.modules.nixos.sudo = {
+ security.sudo-rs = {
+ enable = true;
+ execWheelOnly = false;
+ wheelNeedsPassword = false;
+ extraConfig = "Defaults timestamp_timeout=1440";
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/programs/vscode.nix b/modules/programs/vscode.nix
index 7d2c46b..1462f48 100644
--- a/modules/programs/vscode.nix
+++ b/modules/programs/vscode.nix
@@ -1,21 +1,26 @@
-{
- flake.modules.homeManager.vscode = { pkgs, ... }:
- {
- programs.vscode = {
- enable = true;
- package = pkgs.vscode;
- profiles.default.extensions = with pkgs.vscode-extensions; [
- mhutchie.git-graph
- ms-vscode-remote.vscode-remote-extensionpack
- ms-python.python
- ms-python.vscode-pylance
- ms-toolsai.jupyter
- charliermarsh.ruff
- github.vscode-pull-request-github
- github.vscode-github-actions
- github.copilot
- catppuccin.catppuccin-vsc
- ];
+{ self, inputs, ... }: {
+ flake.modules.homeManager.vscode = { config, pkgs, lib, ... }: {
+ options.my-vscode = {
+ enable = lib.mkEnableOption "Enable nix-managed VSCode";
+ };
+
+ config = lib.mkIf config.my-vscode.enable {
+ programs.vscode = {
+ enable = true;
+ package = pkgs.vscode;
+ profiles.default.extensions = with pkgs.vscode-extensions; [
+ mhutchie.git-graph
+ ms-vscode-remote.vscode-remote-extensionpack
+ ms-python.python
+ ms-python.vscode-pylance
+ ms-toolsai.jupyter
+ charliermarsh.ruff
+ github.vscode-pull-request-github
+ github.vscode-github-actions
+ github.copilot
+ catppuccin.catppuccin-vsc
+ ];
+ };
 };
 };
 }
\ No newline at end of file
diff --git a/modules/programs/wireguard.nix b/modules/programs/wireguard.nix
new file mode 100644
index 0000000..2410a03
--- /dev/null
+++ b/modules/programs/wireguard.nix
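Review bot: `wheelNeedsPassword = false;` grants every wheel member passwordless root on any host that imports this module, which makes the `noPassword ? false` opt-in that the user factory in `modules/nix-tools/user.nix` gains in this same patch meaningless, and also makes `Defaults timestamp_timeout=1440` moot since there is no password to cache. Keep the default by setting `wheelNeedsPassword = true;` and let the hosts that really need it pass `noPassword = true` per user through the factory. `execWheelOnly = false;` is already sudo-rs's default, so if the line stays it should carry a comment saying the restriction was considered and rejected, otherwise it reads as noise.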
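Review bot: `lib.mkEnableOption "Enable nix-managed VSCode"` renders the option description as "Whether to enable Enable nix-managed VSCode." because `mkEnableOption` prepends "Whether to enable"; use `enable = lib.mkEnableOption "nix-managed VSCode";`. Wrapping the body in `config = lib.mkIf config.my-vscode.enable` also turns the module from always-on into opt-in, so any host that imported `vscode` before this patch silently loses the editor unless it now sets `my-vscode.enable = true;`; that behaviour change deserves a line in the commit message or a comment on the option.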
@@ -0,0 +1,59 @@
+{ self, inputs, ... }: {
+ flake.modules.nixos.wireguard = { config, pkgs, lib, ... }:
+ let
+ wgInterface = "platform";
+ systemctl = lib.getExe' pkgs.systemd "systemctl";
+ journalctl = lib.getExe' pkgs.systemd "journalctl";
+
+ mkConnect = interface:
+ let
+ serviceName = "wg-quick-${interface}";
+ service = "${serviceName}.service";
+ in
+ pkgs.writeShellScriptBin "wg-connect-${interface}" ''
+ ${systemctl} start ${service}
+ start_time=$(${systemctl} show -p ActiveEnterTimestamp ${serviceName} | cut -d= -f2)
+ ${journalctl} -u ${service} --since "$start_time" --no-pager
+ '';
+ mkDisconnect = interface:
+ let
+ serviceName = "wg-quick-${interface}";
+ service = "${serviceName}.service";
+ in
+ pkgs.writeShellScriptBin "wg-disconnect-${interface}" ''
+ STOPTIME=$(${lib.getExe' pkgs.coreutils "date"} '+%Y-%m-%d %H:%M:%S')
+ ${systemctl} stop ${service}
+ start_time=$(${systemctl} show -p ActiveEnterTimestamp ${serviceName} | cut -d= -f2)
+ ${journalctl} -u ${service} --since "$STOPTIME" --no-pager
+ '';
+ in
+ {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ wg-netmanager
+ (mkConnect "platform")
+ (mkDisconnect "platform")
+ ];
+
+ sops.secrets.wireguard_private_key = { };
+ networking.wg-quick.interfaces = {
+ ${wgInterface} = {
+ autostart = false; # Managed by dispatcher
+ postUp = "echo 'Post up command'";
+ address = [ "192.168.3.5/32" ];
+ dns = [ "192.168.1.150" ];
+ privateKeyFile = config.sops.secrets.wireguard_private_key.path;
+ peers = [
+ {
+ publicKey = "BD1/q18OfpoMCDusNZk9cqB1vvR8bgodZ1L7198jVic=";
+ allowedIPs = [ "192.168.0.0/16" ];
+ endpoint = "wg.john-stream.com:51830";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/services/docker.nix b/modules/services/docker.nix
index 727a11b..1937bdf 100644
--- a/modules/services/docker.nix
+++ b/modules/services/docker.nix
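Review bot: In `mkDisconnect`, `start_time=$(… ActiveEnterTimestamp …)` is computed after the service has already been stopped and is never read — the `journalctl` call uses `$STOPTIME` — so that line is dead and should be removed. Both helpers invoke `cut` by bare name while every other tool is pinned through `lib.getExe'`; use `${lib.getExe' pkgs.coreutils "cut"} -d= -f2` so the scripts do not depend on the caller's PATH. `postUp = "echo 'Post up command'";` is a placeholder that runs as root on every connect; drop it or put the intended command there. `(mkConnect "platform")` and `(mkDisconnect "platform")` repeat the literal instead of `wgInterface`, so renaming the interface later would silently leave the helpers pointing at a non-existent unit.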
@@ -1,20 +1,13 @@ -{ inputs, ... }: +{ self, inputs, ... }: { flake.modules.nixos.docker = { - virtualisation.docker = { - enable = true; - }; - home-manager.sharedModules = with inputs.self.modules.homeManager; [ - docker - ]; + virtualisation.docker.enable = true; + home-manager.sharedModules = [ inputs.self.modules.homeManager.docker ]; }; flake.modules.homeManager.docker = { config, lib, pkgs, ... }: { - options.docker = { - enable = lib.mkEnableOption "Docker tools and utilities"; - }; - + options.docker.enable = lib.mkEnableOption "Docker tools and utilities"; config = lib.mkIf config.docker.enable { programs.lazydocker.enable = true; programs.docker-cli.enable = true; diff --git a/modules/services/step-ca/ssh-host.nix b/modules/services/step-ca/ssh-host.nix index a936895..b9134ab 100644 --- a/modules/services/step-ca/ssh-host.nix +++ b/modules/services/step-ca/ssh-host.nix @@ -2,7 +2,6 @@ flake.modules.nixos.step-ssh-host = { config, pkgs, lib, ... }: let cfg = config.step-ssh-host; - rootCertPath = "/etc/step/certs/root_ca.crt"; provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path; sshKeyPath = "/etc/ssh/ssh_host_ed25519_key"; sshCertPath = "${sshKeyPath}-cert.pub"; 
@@ -11,25 +10,9 @@ # NixOS Options options.step-ssh-host = { hostname = lib.mkOption { - description = "Networking host name"; + description = "Networking host name to register with the CA"; type = lib.types.str; }; - caURL = lib.mkOption { - description = "URL for the certificate authority"; - type = lib.types.str; - }; - rootCertFile = { - path = lib.mkOption { - description = "String path to where the root_ca.crt file will be stored for the user"; - type = lib.types.str; - default = "step/certs/root_ca.crt"; - }; - source = lib.mkOption { - description = "Nix path to the root cert file within the repo"; - type = lib.types.path; - default = ../../../keys/root_ca.crt; - }; - }; provisioner = lib.mkOption { description = "Provisioner inside Step CA to use for the SSH certificates"; type = lib.types.str; @@ -38,6 +21,7 @@ }; imports = with inputs.self.modules.nixos; [ ssh ]; + # NixOS Config config = { ssh.certificates.enable = true; @@ -48,15 +32,11 @@ }; networking.nameservers = [ "192.168.1.150" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; - - environment.etc."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source; environment.systemPackages = with pkgs; [ step-cli (writeShellScriptBin "ssh-host-cert-renew" '' ${lib.getExe pkgs.step-cli} ssh certificate \ --host --sign \ - --root "${rootCertPath}" \ - --ca-url ${cfg.caURL} \ --provisioner "${cfg.provisioner}" \ --provisioner-password-file "${provisionerPasswordPath}" \ --principal "${cfg.hostname}" \ diff --git a/modules/users/john.nix b/modules/users/john.nix index eb74b47..fa5fabf 100644 --- a/modules/users/john.nix +++ b/modules/users/john.nix 
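Review bot: Removing the `caURL` and `rootCertFile` options here, together with the `--root`/`--ca-url` flags that the later hunk of this section strips from `ssh-host-cert-renew`, means the renewal script now depends on `step` finding a context (`ca-url`, `root` and `fingerprint` in `$STEPPATH/config/defaults.json`) that nothing left in this file establishes; presumably the new `janus-ca` module provides it for root, but that dependency is invisible from here, so add it next to `imports`, e.g. `# CA URL, root cert and fingerprint come from the janus-ca module; step fails without them`. If that context is absent `step` refuses to sign rather than trusting an unpinned CA, so the failure mode is availability, not trust. The new description `Networking host name to register with the CA` is an improvement.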
@@ -1,46 +1,48 @@ -{ inputs, ... }: +{ self, inputs, lib, ... }: let username = "john"; in { - flake = { - meta.users."${username}" = { - email = "32917998+jsl12@users.noreply.github.com"; - name = "John Lancaster"; - username = "${username}"; - key = ""; - keygrip = [ - ]; - authorizedKeys = [ - # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus" - ]; - }; + flake.meta.users."${username}" = { + email = "32917998+jsl12@users.noreply.github.com"; + name = "John Lancaster"; + inherit username; + key = ""; + keygrip = [ + ]; + authorizedKeys = [ + # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus" + ]; + }; - modules = { + flake.modules = lib.mkMerge [ + (self.factory.user { + username = username; + isAdmin = true; + }) + { nixos."${username}" = { imports = [ - (inputs.self.factory.user username true).nixos."${username}" + inputs.home-manager.nixosModules.home-manager ]; users.users."${username}" = { openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys; - extraGroups = [ "docker" ]; }; }; + # This module will be imported by the user factory homeManager."${username}" = with inputs.self.meta.users."${username}"; { home.stateVersion = "25.11"; xdg.enable = true; - programs.git.settings.user.name = name; programs.git.settings.user.email = email; - imports = with inputs.self.modules.homeManager; [ ssh shell-tools git ]; }; - }; - }; + } + ]; } diff --git a/resticprofile/base.nix b/resticprofile/base.nix deleted file mode 100644 index d8c577f..0000000 --- a/resticprofile/base.nix +++ /dev/null 
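Review bot: `extraGroups = [ "docker" ];` is dropped from `users.users.john` while this user's home-manager configs elsewhere in the patch keep `docker.enable = true;`; unless the user factory (whose `extraGroups` list runs past the end of its hunk) adds the group, non-root `docker` commands will fail with a permission error on the socket. If the removal is deliberate it is the safer default, since docker-group membership is root-equivalent, and a comment such as `# no docker group on purpose: it is root-equivalent; use sudo or rootless docker` records that. The unchanged `root@janus` entry in `authorizedKeys` lets the CA host's root key log in as john on every host that uses this module, which is worth a one-line blast-radius comment.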
@@ -1,50 +0,0 @@ -{ - base = { - repository = "local:/mnt/backup"; - password-file = "{{ .ConfigDir }}/password.txt"; - status-file = "{{ .ConfigDir }}/backup-status.json"; - retention = { - after-backup = true; - keep-last = "10"; - keep-hourly = "8"; - keep-daily = "14"; - keep-weekly = "8"; - }; - backup = { - verbose = true; - exclude = [ - ".cache" - ".devenv" - ".rustup" - ".cargo" - ".venv" - ".pyenv" - ".vscode*" - "data/postgres" - "build" - "__pycache__" - "*.log" - "*.egg-info" - "*.csv" - "*.m4a" - - ".local/share/Steam" - ".local/share/Trash" - "build" - "dist" - "/home/*/Pictures" - "/home/*/Videos" - "/home/*/go" - "/home/*/snap" - "/home/john/john-nas" - ]; - schedule-permission = "user"; - schedule-priority = "background"; - check-after = true; - }; - prune = { - schedule-permission = "user"; - schedule-lock-wait = "1h"; - }; - }; -}