john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: john/dendritic:545a17586e16a3e8b3dabbeeb7a509b262f444ec
Branches Tags
john/dendritic:main john/dendritic:wrappers john/dendritic:forgejo
...
compare: john/dendritic:wrappers
Branches Tags
john/dendritic:wrappers john/dendritic:forgejo john/dendritic:main

24 Commits
545a17586e ... wrappers

Author SHA1 Message Date
John Lancaster 35bd80424d sha256 update 2026-05-02 09:47:23 -05:00
John Lancaster 3447b28af1 syntax fix 2026-05-02 09:45:48 -05:00
John Lancaster 2fea8238d1 systemd 2026-05-01 00:11:55 -05:00
John Lancaster cf1174d36b consolidation 2026-04-30 22:39:27 -05:00
John Lancaster bae2b3027e WIP mtls wrapper 2026-04-30 22:28:35 -05:00
John Lancaster 68483c0231 improvement 2026-04-30 16:36:38 -05:00
John Lancaster f0eba76e49 mtls-check wrapping openssl kinda working 2026-04-30 16:31:26 -05:00
John Lancaster 8357372b39 mtlsCheck wrapper 2026-04-29 21:46:11 -05:00
John Lancaster 3c4aa74b0f WIP mtls wrappers 2026-04-29 21:36:16 -05:00
John Lancaster ed473ddfae started zed-editor wrapper, package, and home-manager module 2026-04-29 17:46:01 -05:00
John Lancaster 133bad5aef started mtls wrappers 2026-04-27 09:01:19 -05:00
John Lancaster 3fc08793fe enabled tailscale ssh block 2026-04-26 19:04:01 -05:00
John Lancaster 7f4fdcf4b9 setting zsh shell 2026-04-26 19:03:44 -05:00
John Lancaster bfc5da791a added tailscale ssh block 2026-04-26 18:58:09 -05:00
John Lancaster 9a09399ca3 broke out starship 2026-04-22 23:40:35 -05:00
John Lancaster cf90d3e876 various reorgs 2026-04-20 23:52:03 -05:00
John Lancaster 443020df4d formatting 2026-04-20 22:40:08 -05:00
John Lancaster 3fc3beb4ed test and dev wrappers 2026-04-20 22:38:31 -05:00
John Lancaster 43ae292f39 rename 2026-04-20 21:17:18 -05:00
John Lancaster 026bf541e1 sops with wrappers 2026-04-20 21:13:31 -05:00
John Lancaster e75951318d better ssh certs wrappers 2026-04-20 21:13:19 -05:00
John Lancaster bd236ed977 temp 2026-04-20 16:49:31 -05:00
John Lancaster b07bf102a4 added jsl-zsh to john-p14s config 2026-04-19 23:38:32 -05:00
John Lancaster 9bfe140367 added name to silence warning 2026-04-19 23:33:57 -05:00
20 changed files with 760 additions and 534 deletions
Expand all files Collapse all files
modules/features/mtls.nix
+249 -159
View File
@@ -48,7 +48,7 @@ let
enable = lib.mkOption {
description = "Enable automatic mTLS certificate renewal using a systemd timer.";
type = lib.types.bool;
default = true;
default = cfg.enable;
};
onCalendar = lib.mkOption {
description = "systemd OnCalendar schedule for mTLS certificate renewal checks.";
@@ -115,154 +115,28 @@ let
'';
};
mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellApplication {
name = "mtls-check";
runtimeInputs = with pkgs; [ openssl ];
text = ''
openssl x509 -noout -in ${bundleFile} \
-subject -issuer \
-ext subjectAltName,extendedKeyUsage \
-enddate
'';
};
mkMtlsRenewScript = {
pkgs,
cfg,
systemctlArgs ? [ ],
}:
in
{
flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
let
systemctlCmd = "systemctl ${lib.escapeShellArgs systemctlArgs}";
hasReloadUnits = cfg.renew.reloadUnits != [ ];
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${systemctlCmd} --quiet is-active "${unit}"; then
${systemctlCmd} try-reload-or-restart "${unit}"
fi
'') cfg.renew.reloadUnits;
hasPostCommands = cfg.renew.postCommands != [ ];
renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands;
fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
in
pkgs.writeShellApplication {
name = "mtls-renew";
runtimeInputs = with pkgs; [ coreutils step-cli systemd ];
text = ''
set -euo pipefail
YELLOW_BANG="\e[33m!\e[0m"
force=0
while [[ $# -gt 0 ]]; do
case $1 in
--force)
force=1
shift
;;
*)
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1
;;
esac
done
if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${cfg.certFile}"; then
echo "Skipping renew"
exit 0
fi
echo "Renewing mTLS certificate"
step ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
(umask 077; cat "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
chown ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
chmod 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
${lib.optionalString hasReloadUnits ''
echo "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
${renewReloadScript}
''}
${lib.optionalString hasPostCommands ''echo "Post commands:" ${renewPostCommands}''}
'';
};
mkNixosMtlsRenewService = { pkgs, cfg, ... }:
{
cfg = config.mtls;
mtlsRenewWrapper = inputs.self.wrappers.mtlsRenew.apply {
inherit pkgs;
inherit (cfg) certDir keyFile certFile bundleFile;
inherit (cfg.renew) user group reloadUnits postCommands;
systemd = {
description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = cfg.renew.user;
Group = cfg.renew.group;
ExecStart = lib.getExe (mkMtlsRenewScript { inherit pkgs cfg; });
};
} // lib.optionalAttrs cfg.renew.enable {
startAt = cfg.renew.onCalendar;
};
};
mkNixosMtlsRenewTimer = {
onCalendar,
randomizedDelaySec,
unit ? "mtls-renew.service",
}: {
description = "Periodic Smallstep renewal for the mTLS certificate";
wantedBy = [ "timers.target" ];
timerConfig = {
Persistent = true;
OnCalendar = onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = randomizedDelaySec;
Unit = unit;
};
};
mkHomeManagerMtlsRenewService = { pkgs, cfg, ... }:
let
renewScript = mkMtlsRenewScript {
inherit pkgs cfg;
systemctlArgs = [ "--user" ];
};
in
{
Unit = {
Description = "Renew the mTLS certificate when Smallstep marks it ready";
After = [ "network-online.target" ];
Wants = [ "network-online.target" ];
};
Service = {
Type = "oneshot";
ExecStart = lib.getExe renewScript;
};
};
mkHomeManagerMtlsRenewTimer = {
onCalendar,
randomizedDelaySec,
unit ? "mtls-renew.service",
}: {
Unit = {
Description = "Periodic Smallstep renewal for the mTLS certificate";
};
Timer = {
Persistent = true;
OnCalendar = onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = randomizedDelaySec;
Unit = unit;
};
Install = {
WantedBy = [ "timers.target" ];
};
};
in
{
flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
let
cfg = config.mtls;
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
in
{
options.mtls = (mkOpts config) // {
@@ -291,30 +165,44 @@ in
inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
inherit (cfg.renew) user group;
})
(mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
(mkMtlsRenewScript { inherit pkgs cfg; })
(inputs.self.wrappers.mtlsCheck.apply {
inherit pkgs;
inherit (cfg) bundleFile;
}).wrapper
mtlsRenewWrapper.wrapper
];
systemd.tmpfiles.rules = [
"d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
];
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable
(mkNixosMtlsRenewService { inherit pkgs cfg; });
systemd.packages = lib.mkIf cfg.renew.enable [
mtlsRenewWrapper.outputs.systemd-system
];
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec;
});
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable {
wantedBy = [ "timers.target" ];
timerConfig = {
Persistent = true;
AccuracySec = "1us";
RandomizedDelaySec = cfg.renew.randomizedDelaySec;
};
};
};
};
flake.modules.homeManager.mtls = { config, lib, pkgs, ... }:
let
cfg = config.mtls;
keyFile = cfg.keyFile;
certFile = cfg.certFile;
bundleFile = cfg.bundleFile;
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
mtlsRenewWrapper = inputs.self.wrappers.mtlsRenew.apply {
inherit pkgs;
inherit (cfg) certDir keyFile certFile bundleFile;
inherit (cfg.renew) reloadUnits postCommands;
systemctlArgs = [ "--user" ];
systemd = lib.optionalAttrs cfg.renew.enable {
startAt = cfg.renew.onCalendar;
};
};
in
{
options.mtls = (mkOpts config) // {
@@ -329,24 +217,226 @@ in
home.packages = with pkgs; lib.optionals cfg.enable [
# step-cli
(mkMtlsGenerateScript {
inherit pkgs;
inherit (cfg) keyFile certFile bundleFile;
inherit (cfg) subject provisioner san lifetime;
inherit (cfg.renew) user group;
inherit pkgs certFile keyFile bundleFile;
})
(mkMtlsCheckScript { inherit pkgs bundleFile; })
(mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
(inputs.self.wrappers.mtlsCheck.apply {
inherit pkgs;
inherit (cfg) bundleFile;
}).wrapper
];
systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
"d ${cfg.certDir} 0700 - - -"
"d ${cfg.certDir} 0700 - - -" # Ensure the cert directory exists and is writable by the user
];
systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable
(mkHomeManagerMtlsRenewService { inherit pkgs cfg; });
# Create the systemd service files for the user.
xdg.dataFile = lib.mkIf cfg.renew.enable {
"systemd/user/mtls-renew.service".source =
"${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.service";
"systemd/user/mtls-renew.timer".source =
"${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.timer";
"systemd/user/mtls-renew.timer.d/override.conf".text = ''
[Timer]
Persistent=true
AccuracySec=1us
RandomizedDelaySec=${cfg.renew.randomizedDelaySec}
'';
};
systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec;
# Ensure the timer gets started
home.activation.mtlsRenewTimer = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
if [ -n "$XDG_RUNTIME_DIR" ] && [ -S "$XDG_RUNTIME_DIR/systemd/private" ]; then
if [ "${lib.boolToString (cfg.enable && cfg.renew.enable)}" = "true" ]; then
run ${pkgs.systemd}/bin/systemctl --user daemon-reload
run ${pkgs.systemd}/bin/systemctl --user enable --now mtls-renew.timer
else
run ${pkgs.systemd}/bin/systemctl --user disable --now mtls-renew.timer || true
run ${pkgs.systemd}/bin/systemctl --user daemon-reload || true
fi
fi
'';
};
};
flake.wrappers = {
mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
bundleFile = lib.mkOption {
description = "String path for the mTLS key bundle";
type = lib.types.str;
};
};
config = {
binName = "mtls-check";
# This pattern is necessary to wrap packages like openssl that provide more than one binary
package = config.pkgs.symlinkJoin {
name = "openssl";
paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
meta.mainProgram = "openssl";
};
args = [
"x509"
"-noout"
"-in" config.bundleFile
"-subject"
"-issuer"
"-ext" "subjectAltName,extendedKeyUsage"
"-enddate"
];
};
});
mtlsNeedsRenewal = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
};
};
config = {
binName = "mtls-needs-renewal";
package = config.pkgs.step-cli;
preHook = ''
echo "Checking renewal status..."
'';
args = [ "certificate" "needs-renewal" "${config.certFile}" ];
};
});
mtlsRenew = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
imports = [ wlib.modules.systemd ];
options = {
certDir = lib.mkOption {
description = "String path to the directory where the certs will be stored";
type = lib.types.str;
};
keyFile = lib.mkOption {
description = "String path for the private key";
type = lib.types.str;
default = "${config.certDir}/key.pem";
};
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
default = "${config.certDir}/cert.pem";
};
bundleFile = lib.mkOption {
description = "String path for the mTLS key bundle";
type = lib.types.str;
default = "${config.certDir}/mtls.pem";
};
user = lib.mkOption {
description = "User that should own the renewed certificate files.";
type = lib.types.nullOr lib.types.str;
default = null;
};
group = lib.mkOption {
description = "Group that should own the renewed certificate files.";
type = lib.types.nullOr lib.types.str;
default = null;
};
reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful renewal.";
type = lib.types.listOf lib.types.str;
default = [ ];
};
postCommands = lib.mkOption {
description = "Shell commands to run after a successful renewal.";
type = lib.types.listOf lib.types.lines;
default = [ ];
};
systemctlArgs = lib.mkOption {
description = "Additional arguments to pass to systemctl when reloading units.";
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = {
binName = "mtls-renew";
package = let
systemctlCmd = "systemctl ${lib.escapeShellArgs config.systemctlArgs}";
hasReloadUnits = config.reloadUnits != [ ];
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${systemctlCmd} --quiet is-active "${unit}"; then
${systemctlCmd} try-reload-or-restart "${unit}"
fi
'') config.reloadUnits;
hasPostCommands = config.postCommands != [ ];
renewPostCommands = lib.concatStringsSep "\n" config.postCommands;
hasOwnership = config.user != null && config.group != null;
in
config.pkgs.writeShellApplication {
name = "mtls-renew";
runtimeInputs = with config.pkgs; [ coreutils step-cli systemd ];
text = ''
set -euo pipefail
YELLOW_BANG="\e[33m!\e[0m"
force=0
while [[ $# -gt 0 ]]; do
case $1 in
--force)
force=1
shift
;;
*)
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1
;;
esac
done
if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${config.certFile}"; then
echo "Skipping renew"
exit 0
fi
echo "Renewing mTLS certificate"
step ca renew --force "${config.certFile}" "${config.keyFile}"
(umask 077; cat "${config.certFile}" "${config.keyFile}" > "${config.bundleFile}")
${lib.optionalString hasOwnership ''
chown ${config.user}:${config.group} ${config.certFile} ${config.keyFile} ${config.bundleFile}
chmod 640 ${config.certFile} ${config.keyFile} ${config.bundleFile}
''}
${lib.optionalString hasReloadUnits ''
echo "Reloading units: ${lib.concatStringsSep ", " config.reloadUnits}"
${renewReloadScript}
''}
${lib.optionalString hasPostCommands ''
echo "Running post commands"
${renewPostCommands}
''}
'';
};
extraPackages = [
config.pkgs.step-cli
];
systemd = {
description = "Automatic mTLS renewal service";
documentation = [
"https://smallstep.com/docs/step-ca/certificate-authority-server-production"
];
startLimitIntervalSec = 0;
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig.Type = lib.mkDefault "oneshot";
# serviceConfig.ExecCondition = "";
};
};
});
};
};
}
modules/features/shell-tools.nix
+4 -13
View File
@@ -1,29 +1,20 @@
# This module provides all the shell options
{ inputs, lib, ... }:
{
{ self, inputs, ... }: {
flake.modules.homeManager.shell-tools = { config, pkgs, ... }: {
options.shell.program = lib.mkOption {
type = lib.types.enum [ "bash" "zsh" ];
default = "zsh";
description = "Which interactive shell configuration to enable.";
};
imports = with inputs.self.modules.homeManager; [
bash
# bash
zsh
files
];
config = {
home.shell.enableShellIntegration = true;
programs.zsh.enable = lib.mkForce (config.shell.program == "zsh");
home.packages = with pkgs; [
btop
uv
xclip
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
];
};
home.shell.enableShellIntegration = true;
};
perSystem = { system, pkgs, self', ... }: {
modules/features/ssh-certs.nix
+100
View File
@@ -0,0 +1,100 @@
{ self, inputs, ... }:
let
mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-user-cert";
paths = [
(inputs.self.wrappers.signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
(inputs.self.wrappers.signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
};
flake.wrappers.signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
extraPrincipals = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-host-cert";
package = config.pkgs.step-cli;
extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
preHook = ''
HOSTNAME=$(hostname -s)
IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
case "$addr" in
192.168.1.*/*)
printf '%s\n' "''${addr%%/*}"
break
;;
esac
done)
echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
'';
args =
[
"ssh" "certificate"
"--host" "--sign"
"--principal" "$HOSTNAME"
"--principal" "$IP_ADDRESS"
]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.extraPrincipals;
postHook = ''
systemctl reload-or-restart sshd
'';
};
});
flake.wrappers.signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
validUsers = lib.mkOption {
description = "A list of the user names that this cert will be valid for";
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-user-cert";
package = config.pkgs.step-cli;
args = [ "ssh" "certificate" "--sign" ]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.validUsers;
};
});
}
modules/features/step-client.nix
+34 -112
View File
@@ -1,8 +1,34 @@
{ self, inputs, ... }:
let
bootstrapWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
{ self, inputs, ... }: {
flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON {
ca-url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
root = ../hosts/janus/root_ca.crt;
};
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
];
# sops.secrets."step-ca-defaults" = {
# sopsFile = ../hosts/janus/defaults.json;
# format = "json";
# key = ""; # This causes it to decode the whole file
# path = "${config.home.homeDirectory}/defaults.json";
# mode = "0400";
# };
};
perSystem = { system, pkgs, lib, ... }: {
packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply {
inherit pkgs;
ca-url = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
caURL = lib.mkOption {
ca-url = lib.mkOption {
type = lib.types.str;
};
fingerprint = lib.mkOption {
@@ -12,118 +38,14 @@ let
};
config = {
binName = "bootstrap";
package = config.pkgs.step-cli; # (1)!
binName = "step-bootstrap";
package = config.pkgs.step-cli;
args = [
"ca" "bootstrap"
"--ca-url" config.caURL
"--ca-url" config.ca-url
"--fingerprint" config.fingerprint
];
};
});
mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
extraPrincipals = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-host-cert";
package = config.pkgs.step-cli;
extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
preHook = ''
HOSTNAME=$(hostname -s)
IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
case "$addr" in
192.168.1.*/*)
printf '%s\n' "''${addr%%/*}"
break
;;
esac
done)
echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
'';
args =
[
"ssh" "certificate"
"--host" "--sign"
"--principal" "$HOSTNAME"
"--principal" "$IP_ADDRESS"
]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.extraPrincipals;
postHook = ''
systemctl reload-or-restart sshd
'';
++ lib.optional config.install "--install";
};
});
signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
validUsers = lib.mkOption {
description = "A list of the user names that this cert will be valid for";
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-user-cert";
package = config.pkgs.step-cli;
args = [ "ssh" "certificate" "--sign" ]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.validUsers;
};
});
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.step-client = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "step";
meta.mainProgram = "step";
paths = with pkgs; [
self'.packages.step-bootstrap
(signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
(signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
];
});
};
packages.step-bootstrap = (bootstrapWrapper.apply {
inherit pkgs;
caURL = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
}
modules/hosts/janus/default.nix
+5 -6
View File
@@ -2,8 +2,6 @@
let
username = "john";
hostname = "janus";
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
in
{
flake.modules.nixos.janus-ca =
@@ -39,7 +37,8 @@ in
config = {
environment.etc = lib.mkIf cfgInEtc {
"step-ca/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
root = "/etc/${certRootEtcPath}";
};
"${certRootEtcPath}".source = ./root_ca.crt;
@@ -52,10 +51,10 @@ in
flake.modules.homeManager.janus-ca = { config, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
root = ./root_ca.crt;
};
home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
};
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
modules/hosts/john-p14s/configuration.nix
+1
View File
@@ -39,6 +39,7 @@
samba
selfPkgs.my-neovim
selfPkgs.wg-platform
selfPkgs.jsl-zsh
];
security.pam.services.swaylock = {};
modules/hosts/john-pc/default.nix
+16 -14
View File
@@ -15,23 +15,18 @@ in
selfPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};
resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
test-push = with pkgs; writeShellApplication {
name = "test-push";
runtimeInputs = [ nh ];
text = ''nh os switch ${flakeDir}#${testHost} --target-host root@${testTarget} -e none'';
};
in
{
imports = with inputs.self.modules.homeManager; [
rebuild
john
mysops
janus-ca
mtls
restic
docker
desktop
# sshCerts
step-client
mysops
# myPackage
# myStepClient
];
# TODO: make this more restrictive, rather than allowing all unfree packages
@@ -43,17 +38,19 @@ in
home.username = "${username}";
home.homeDirectory = "/home/${username}";
home.packages = with pkgs; [
nixos-rebuild
test-push
selfPkgs.jsl-zsh
selfPkgs.my-neovim
selfPkgs.step-client
selfPkgs.ssh-certs
# selfPkgs.step-bootstrap
# selfPkgs.wg-platform
# self'.packages.myWrappedPackage
(inputs.self.wrappers.test-push.apply {
inherit pkgs flakeDir;
host = testHost;
target = testTarget;
}).wrapper
];
shell.program = "zsh";
homeManagerFlakeDir = flakeDir;
docker.enable = true;
@@ -67,6 +64,7 @@ in
appdaemon = true;
homelab = true;
dev = true;
tailscale = true;
};
};
@@ -106,8 +104,12 @@ in
};
};
flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}:
flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ system, inputs', ... }:
inputs.home-manager.lib.homeManagerConfiguration {
# pkgs = import inputs.nixpkgs {
# inherit system;
# overlays = [ inputs.self.overlays.default ];
# };
pkgs = inputs'.nixpkgs.legacyPackages;
modules = [ inputs.self.modules.homeManager."${hostname}" ];
});
modules/hosts/john-pc/dev.nix
+33
View File
@@ -0,0 +1,33 @@
{ self, inputs, ... }: {
flake.wrappers.test-push = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
flakeDir = lib.mkOption {
type = lib.types.str;
};
host = lib.mkOption {
type = lib.types.str;
};
target = lib.mkOption {
type = lib.types.str;
};
sshUser = lib.mkOption {
type = lib.types.str;
default = "root";
};
elevationStrategy = lib.mkOption {
type = lib.types.str;
default = "none";
};
};
config = {
binName = "test-push";
package = config.pkgs.nh;
args = [
"os" "switch" "${config.flakeDir}#${config.host}"
"--target-host" "${config.sshUser}@${config.target}"
"--elevation-strategy" "${config.elevationStrategy}"
];
};
});
}
modules/hosts/soteria/soteria.nix
+18 -21
View File
@@ -1,4 +1,4 @@
{ self, inputs, lib, ... }:
{ withSystem, self, inputs, lib, ... }:
let
username = "john";
hostname = "soteria";
@@ -84,14 +84,10 @@ in
sops.defaultSopsFile = ./secrets.yaml;
programs.zsh.enable = true;
home-manager.users."${username}" = {
imports = with inputs.self.modules; [
homeManager."${hostname}"
];
};
home-manager.users."${username}".imports = [ inputs.self.modules.homeManager.soteria ];
environment.systemPackages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh
];
@@ -99,25 +95,26 @@ in
];
};
flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }: {
imports = with inputs.self.modules; [
homeManager.rebuild
homeManager.mysops
];
flake.modules.homeManager.soteria = { config, pkgs, lib, ... }: {
imports = [
inputs.self.modules.homeManager.rebuild
inputs.self.modules.homeManager.mysops
({ config, pkgs, lib, ... }: {
homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
shell.program = "zsh";
docker.enable = true;
# This will provide the edit-secrets script targeting this file
mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
};
flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
modules = with inputs.self.modules; [
homeManager."${username}"
homeManager."${hostname}"
})
];
};
flake.homeConfigurations.soteria = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}:
inputs.home-manager.lib.homeManagerConfiguration {
pkgs = inputs'.nixpkgs.legacyPackages;
modules = [
inputs.self.modules.homeManager."${username}"
inputs.self.modules.homeManager.soteria
];
});
}
modules/nix-tools/rebuild.nix
+54 -39
View File
@@ -40,7 +40,6 @@
{ config, pkgs, lib, ... }:
let
flakeDir = config.homeManagerFlakeDir;
hostnameCmd = "$(${lib.getExe pkgs.hostname} -s)";
flake-parts-check = with pkgs; writeShellApplication {
name = "flake-parts-check";
@@ -52,23 +51,6 @@
'';
};
nhms = with pkgs; writeShellApplication {
name = "nhms";
runtimeInputs = [ coreutils hostname nh ];
text = ''
USERNAME=''${USER:-$(whoami)}
HOSTNAME=$(hostname -s)
echo "Switching to the $HOSTNAME home-manager profile"
nh home switch ${flakeDir} -c "$USERNAME@$HOSTNAME" "$@"
'';
};
nhmu = with pkgs; writeShellApplication {
name = "nhmu";
runtimeInputs = [ nhms ];
text = ''nhms --update'';
};
test-build = with pkgs; writeShellApplication {
name = "test-build";
runtimeInputs = [ coreutils nix hostname ];
@@ -82,24 +64,6 @@
nix eval "${flakeDir}#nixosConfigurations.$HOSTNAME.config.system.build.toplevel.drvPath"
'';
};
cleanup = with pkgs; writeShellApplication {
name = "cleanup";
runtimeInputs = [ coreutils home-manager nix ];
text = ''
set -e
DAYS=$1
if [ -z "$DAYS" ]; then
echo "usage: cleanup <days>"
exit 1
fi
home-manager expire-generations "-$DAYS days"
nix profile wipe-history --older-than "''${DAYS}d"
nix store gc
nix store optimise
'';
};
in
{
options = {
@@ -121,13 +85,64 @@
name = "build-tools";
paths = [
flake-parts-check
nhms
nhmu
test-build
cleanup
(inputs.self.wrappers.home-switch.apply {
inherit pkgs flakeDir;
}).wrapper
(inputs.self.wrappers.home-switch.apply {
binName = lib.mkForce "nhmu";
inherit pkgs flakeDir;
extraOptions = [ "--update" ];
}).wrapper
(inputs.wrappers.lib.wrapPackage {
binName = "cleanup";
inherit pkgs;
package = nh;
args = [ "clean" "user" "--keep-since" "3days" ];
})
];
})
];
};
};
flake.wrappers.home-switch = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
flakeDir = lib.mkOption {
type = lib.types.str;
};
user = lib.mkOption {
type = lib.types.str;
default = "$(whoami)";
};
hostname = lib.mkOption {
type = lib.types.str;
default = "$(hostname -s)";
};
configuration = lib.mkOption {
type = lib.types.str;
default = "${config.user}@${config.hostname}";
};
extraOptions = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = {
binName = "nhms";
extraPackages = with config.pkgs; [ coreutils hostname nh ];
preHook = ''
CONFIG=${config.configuration}
echo "Switching to $CONFIG"
'';
package = config.pkgs.nh;
args = [
"home" "switch"
"--configuration" "${config.configuration}"
"$@"
"${config.flakeDir}"
] ++ config.extraOptions;
};
});
}
modules/nix-tools/user.nix
+14 -2
View File
@@ -14,10 +14,18 @@
inputs.home-manager.nixosModules.home-manager
];
environment.shells = [
"${lib.getExe pkgs.zsh}"
"${lib.getExe inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh}"
];
users.groups."${username}" = {};
users.users."${username}" = {
isNormalUser = true;
group = username;
home = "/home/${username}";
shell = lib.mkIf config.programs.zsh.enable pkgs.zsh;
shell = pkgs.zsh;
extraGroups = [ "input" "networkmanager" ]
++ lib.optional isAdmin "wheel"
++ lib.optional config.virtualisation.docker.enable "docker"
@@ -25,6 +33,8 @@
++ lib.optional (isAdmin && config.services.postgresql.enable) "postgres";
};
programs.zsh.enable = true;
security.sudo-rs.enable = lib.mkIf isAdmin true;
home-manager.useGlobalPkgs = true;
@@ -33,7 +43,9 @@
imports = [ self.modules.homeManager."${username}" ];
home.username = "${username}";
home.homeDirectory = "/home/${username}";
# home.packages = homePackages;
home.packages = with pkgs; [
# fzf zoxide starship
];
};
};
};
modules/nix-tools/wrappers.nix
+10 -1
View File
@@ -1,5 +1,5 @@
{ self, inputs, ... }: {
flake-file.inputs = {
config.flake-file.inputs = {
wrapper-modules = {
url = "github:BirdeeHub/nix-wrapper-modules";
inputs.nixpkgs.follows = "nixpkgs";
@@ -9,4 +9,13 @@
inputs.nixpkgs.follows = "nixpkgs";
};
};
options = {
# This is what allows wrappers to be defined in flake.wrappers.<wrapper-name> throughout different flake-parts modules
flake = inputs.flake-parts.lib.mkSubmoduleOptions {
wrappers = inputs.nixpkgs.lib.mkOption {
default = {};
};
};
};
}
modules/programs/bash.nix
+1 -2
View File
@@ -1,10 +1,9 @@
{
flake.modules.homeManager.bash = { pkgs, lib, config, ... }:
{
programs.bash = lib.mkIf (config.shell.program == "bash") {
programs.bash = {
enable = true;
enableCompletion = true;
package = pkgs.bash;
};
};
}
modules/programs/sops.nix
+52 -51
View File
@@ -1,4 +1,4 @@
{ inputs, ... }:
{ self, inputs, ... }:
let
inputs' = inputs; # save a reference before it's shadowed
in
@@ -14,18 +14,10 @@ in
imports = [ inputs.sops-nix.nixosModules.sops ];
};
# Define the homeModules that are used by flake-parts
# https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
flake.modules.homeManager.mysops = { inputs, config, pkgs, lib, ... }:
flake.modules.homeManager.mysops =
{ config, pkgs, lib, ... }:
let
cfg = config.mysops;
sopsBin = lib.getExe pkgs.sops;
sopsConfigPath = ../../.sops.yaml;
sopsSecretsPath = ../../keys/secrets.yaml;
editScript = lib.optional (cfg.hostSecretFile != null) (pkgs.writeShellScriptBin "edit-secrets" ''
${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
'');
in
{
imports = [
@@ -34,11 +26,6 @@ in
];
options.mysops = {
ageKeyFile = lib.mkOption {
description = "Default location for the age key";
type = lib.types.str;
default = "${config.xdg.configHome}/sops/age/keys.txt";
};
hostSecretFile = lib.mkOption {
description = "Path to the secrets file for this host. Used to create the edit-secrets script";
type = lib.types.nullOr lib.types.str;
@@ -48,49 +35,63 @@ in
config =
let
echo = lib.getExe' pkgs.coreutils "echo";
dirname = lib.getExe' pkgs.coreutils "dirname";
mkdir = lib.getExe' pkgs.coreutils "mkdir";
show-age-key = (pkgs.writeShellScriptBin "show-age-key" ''
${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}
'');
my-sops = (inputs.self.wrappers.mySops.apply {
inherit pkgs;
sshKey = config.ssh.identityFile;
}).wrapper;
in
{
home.packages = with pkgs; [
age
sops # This is necessary to make the sops binary available
ssh-to-age
(writeShellScriptBin "gen-age-key" ''
set -eu
if [ ! -f "${config.ssh.identityFile}" ]; then
${echo} "SSH identity file not found: ${config.ssh.identityFile}" >&2
exit 1
fi
if [ -e "${cfg.ageKeyFile}" ]; then
${echo} "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2
exit 1
fi
${mkdir} -p "$(${dirname} "${cfg.ageKeyFile}")"
${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.identityFile} -private-key > ${cfg.ageKeyFile}
${echo} -n "Created ${cfg.ageKeyFile}: "
${echo} $(${lib.getExe show-age-key})
'')
show-age-key
(writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
] ++ editScript;
home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}";
# Option definitions for the sops home-manager module:
# https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
sops = {
defaultSopsFile = sopsSecretsPath;
defaultSopsFile = ../../keys/secrets.yaml;
defaultSopsFormat = "yaml";
age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
};
home.packages = with pkgs; [
my-sops
(inputs.wrappers.lib.wrapPackage {
binName = "ls-secrets";
inherit pkgs;
package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-eza;
args = [
"-T" "--follow-symlinks"
"${config.xdg.configHome}/sops-nix/secrets"
];
})
]
++ lib.optional (cfg.hostSecretFile != null) (inputs.wrappers.lib.wrapPackage {
binName = "edit-secrets";
inherit pkgs;
package = my-sops;
args = [ cfg.hostSecretFile ];
});
};
};
flake.wrappers.mySops = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
sshKey = lib.mkOption {
type = lib.types.str;
description = "String path to the SSH key to use for creating an AGE key at runtime";
};
};
config = {
# binName = "my-sops";
package = config.pkgs.sops;
extraPackages = with config.pkgs; [ coreutils ssh-to-age ];
preHook = ''
AGE_KEY=$(umask 077; mktemp)
ssh-to-age -private-key -i ${config.sshKey} > "$AGE_KEY"
'';
flags."--config" = "${../../.sops.yaml}";
postHook = ''
rm "$AGE_KEY"
echo "Removed $AGE_KEY"
'';
};
});
}
modules/programs/starship.nix
+54
View File
@@ -0,0 +1,54 @@
{ self, inputs, ... }: {
perSystem = { system, pkgs, lib, ... }: {
packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
inherit pkgs;
settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
sha256 = "1jzbbzm3nwdlldq43aj3csp0ps23fsa6x2225z85l0s9qbj4cdy2";
})) {
palette = "catppuccin_mocha";
add_newline = true;
line_break.disabled = false;
git_status.diverged = "\${ahead_count}\${behind_count}";
cmd_duration.format = "󰔛 $duration";
cmd_duration.show_notifications = false;
hostname = {
disabled = false;
ssh_symbol = "🌐";
format = "[$ssh_symbol$hostname]($style)";
style = "bg:red fg:crust";
};
os.symbols.NixOS = " ";
format = lib.replaceStrings ["\n"] [""] ''
[](red)
$os
$username
$hostname
[](bg:peach fg:red)
$directory
[](bg:yellow fg:peach)
$git_branch
$git_status
[](fg:yellow bg:green)
$c
$rust
$golang
$nodejs
$php
$java
$kotlin
$haskell
$python
[](fg:green bg:sapphire)
$conda
[](fg:sapphire bg:lavender)
$time
[ ](fg:lavender)
$cmd_duration
$line_break
$character
'';
};
}).wrapper;
};
}
modules/programs/wireguard.nix
+1
View File
@@ -57,6 +57,7 @@
runtimeInputs = with pkgs; [ coreutils systemd wireguard-tools ];
package = pkgs.symlinkJoin {
name = "wg-platform";
meta.mainProgram = "wg-platform-connect";
paths = [
connect
disconnect
modules/programs/zed-editor.nix
+33
View File
@@ -0,0 +1,33 @@
{ self, inputs, ... }:
let
packageName = "zed-editor";
zedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
text-to-say = lib.mkOption {
type = lib.types.str;
description = "Text for the ascii cow to say.";
};
};
config = {
binName = "my-pkg";
package = config.pkgs.cowsay;
args = [ config.text-to-say ];
};
});
in
{
perSystem = { system, pkgs, lib, ... }: {
packages."${packageName}" = (zedWrapper.apply {
inherit pkgs;
text-to-say = "Hello from wrapped module!";
}).wrapper;
};
flake.modules.homeManager."${packageName}" = { config, pkgs, lib, ... }: {
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}."${packageName}"
];
};
}
modules/programs/zsh.nix
+1 -50
View File
@@ -35,7 +35,7 @@ in
homeManager.zsh = { pkgs, config, ... }: {
programs.zsh = {
enable = true;
package = pkgs.zsh;
package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh;
enableCompletion = true;
autosuggestion.enable = true;
# syntaxHighlighting.enable = true;
@@ -139,54 +139,5 @@ in
self'.packages.shell-tools
];
}).wrapper;
packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
inherit pkgs;
settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
sha256 = "0bd8zx0bpri63rnb9dva0rav75d3i2wrzw44h63m75hq5220r26g";
})) {
palette = "catppuccin_mocha";
add_newline = true;
line_break.disabled = false;
git_status.diverged = "\${ahead_count}\${behind_count}";
cmd_duration.format = "󰔛 $duration";
hostname = {
disabled = false;
ssh_symbol = "🌐";
format = "[$ssh_symbol$hostname]($style)";
style = "bg:red fg:crust";
};
format = lib.replaceStrings ["\n"] [""] ''
[](red)
$os
$username
$hostname
[](bg:peach fg:red)
$directory
[](bg:yellow fg:peach)
$git_branch
$git_status
[](fg:yellow bg:green)
$c
$rust
$golang
$nodejs
$php
$java
$kotlin
$haskell
$python
[](fg:green bg:sapphire)
$conda
[](fg:sapphire bg:lavender)
$time
[ ](fg:lavender)
$cmd_duration
$line_break
$character
'';
};
}).wrapper;
};
}
modules/services/ssh.nix
+15
View File
@@ -102,6 +102,7 @@ in
certs = mkEnableOption "Enable Janus and Soteria SSH targets";
homelab = mkEnableOption "Enable various Homelab targets";
dev = mkEnableOption "Enable development targets";
tailscale = mkEnableOption "Enable tailscale targets";
};
};
@@ -197,6 +198,20 @@ in
"test-nix" = {
hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
user = "john";
extraOptions = {
RequestTTY = "auto";
# RemoteCommand = "/run/current-system/sw/bin/jsl-zsh";
};
};
})
(lib.mkIf cfg.matchSets.tailscale {
"jdl-docker" = {
hostname = "jdl-docker.tailcf205.ts.net";
user = "john";
extraOptions = {
RequestTTY = "auto";
# RemoteCommand = "~/.nix-profile/bin/jsl-zsh";
};
};
})
];
modules/users/john.nix
+19 -18
View File
@@ -1,6 +1,10 @@
{ self, inputs, lib, ... }:
let
username = "john";
baseUserModules = self.factory.user {
username = username;
isAdmin = true;
};
in
{
flake.meta.users."${username}" = {
@@ -8,23 +12,17 @@ in
name = "John Lancaster";
inherit username;
key = "";
keygrip = [
];
keygrip = [ ];
authorizedKeys = [
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
];
};
flake.modules = lib.mkMerge [
(self.factory.user {
username = username;
isAdmin = true;
})
{
nixos."${username}" = {
flake.modules = {
nixos."${username}" = { ... }: {
imports = [
inputs.home-manager.nixosModules.home-manager
baseUserModules.nixos."${username}"
];
users.users."${username}" = {
openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys;
@@ -32,17 +30,20 @@ in
};
# This module will be imported by the user factory
homeManager."${username}" = with inputs.self.meta.users."${username}"; {
homeManager."${username}" = { pkgs, ... }:
with inputs.self.meta.users."${username}"; {
home.stateVersion = "25.11";
imports = [
inputs.self.modules.homeManager.shell-tools
inputs.self.modules.homeManager.ssh
inputs.self.modules.homeManager.git
];
# home.packages = [
# inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
# ];
xdg.enable = true;
programs.git.settings.user.name = name;
programs.git.settings.user.email = email;
imports = with inputs.self.modules.homeManager; [
ssh
shell-tools
git
];
};
}
];
};
}