complete rework v3

2026-01-22 16:16:50 +01:00 · 2025-02-18 20:17:57 +01:00 · 2025-02-18 20:17:57 +01:00 · 366a0e221a
commit 366a0e221a
parent 7409e9ca10
131 changed files with 20171 additions and 585 deletions
--- a/parts/modules/base/default-apps.nix
+++ b/parts/modules/base/default-apps.nix
@ -0,0 +1,8 @@
+{lib, ...}: {
+  options.fireproof.default-apps = {
+    terminal = lib.mkOption {
+      type = lib.types.str;
+      description = "The terminal to use";
+    };
+  };
+}
--- a/parts/modules/base/defaults.nix
+++ b/parts/modules/base/defaults.nix
@ -1,21 +0,0 @@
-{lib, ...}: let
-  inherit (lib) mkOption types;
-in {
-  options.defaults = {
-    terminal = mkOption {
-      type = types.nullOr types.str;
-    };
-
-    fileManager = mkOption {
-      type = types.nullOr types.str;
-    };
-
-    browser = mkOption {
-      type = types.nullOr types.str;
-    };
-
-    editor = mkOption {
-      type = types.nullOr types.str;
-    };
-  };
-}
--- a/parts/modules/base/networking.nix
+++ b/parts/modules/base/networking.nix
@ -0,0 +1,22 @@
+{
+  config,
+  hostname,
+  ...
+}: {
+  age.secrets.hosts-private = {
+    # Contains IP addresses that i have no business sharing
+    rekeyFile = ../../../secrets/hosts-private.age;
+  };
+
+  # Inject the private hosts file, because setting networking.hostFiles doesn't work
+  system.activationScripts.hosts-private = ''
+    cat /etc/hosts > /etc/hosts.bak
+    rm /etc/hosts
+    cat /etc/hosts.bak "${config.age.secrets.hosts-private.path}" >> /etc/hosts
+    rm /etc/hosts.bak
+  '';
+
+  networking = {
+    hostName = hostname;
+  };
+}
--- a/parts/modules/base/secrets.nix
+++ b/parts/modules/base/secrets.nix
@ -0,0 +1,20 @@
+{hostname, ...}: let
+  hostSecrets = ../../../secrets/hosts + ("/" + hostname);
+  publicKey = builtins.readFile (hostSecrets + "/id_ed25519.pub");
+in {
+  age.rekey = {
+    storageMode = "local";
+    hostPubkey = publicKey;
+    masterIdentities = [
+      {
+        identity = ../../../secrets/yubikey-identity.pub;
+        # pubkey = "age1yubikey1q25a8ax2t0ujv7q5wvpmlpa52h599n6682jprxuftlw4zpxy2xu9s6lhrel";
+      }
+    ];
+    extraEncryptionPubkeys = [
+      "age1pzrfw28f8qvsk9g8p2stundf4ph466jut0g6q47sse76zljtqy9q2w32zr" # Backup key (bitwarden)
+    ];
+    localStorageDir = hostSecrets + /.rekey;
+    generatedSecretsDir = hostSecrets;
+  };
+}
--- a/parts/modules/base/security.nix
+++ b/parts/modules/base/security.nix
@ -1,7 +1,8 @@
-{config, ...}: {
+{username, ...}: {
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = [
    "root"
-    config.user.username
+    "@wheel"
+    username
  ];
 }
--- a/parts/modules/base/ssh.nix
+++ b/parts/modules/base/ssh.nix
@ -1,25 +1,53 @@
-{config, ...}: {
+{
+  config,
+  username,
+  hostname,
+  lib,
+  ...
+}: let
+  # Load all public keys from ../../../secrets/hosts/*/id_ed25519.pub
+  allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../../secrets/hosts));
+  publicKeys = map (x: builtins.readFile (../../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
+in {
+  age.secrets.ssh-key = {
+    rekeyFile = ../../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
+    mode = "0600";
+    owner = username;
+  };
+  age.secrets.ssh-key-ao = {
+    rekeyFile = ../../../secrets/ssh-key-ao.age;
+    mode = "0600";
+    owner = username;
+  };
+  fireproof.home-manager = {
+    programs.ssh = {
+      enable = true;
+      forwardAgent = true;
+      matchBlocks = {
+        "*" = {
+          identityFile = "${config.age.secrets.ssh-key.path}";
+        };
+        # Work hostnames definded in ./networking.nix
+        "*.ao" = {
+          user = "nij";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+        "dev.ao,scw.ao".proxyJump = "bastion.ao";
+        "clickhouse.ao".user = "ubuntu";
+        "flex.ao" = {
+          hostname = "192.168.2.5";
+          proxyJump = "bastion.ao";
+        };
+      };
+    };
+  };
+
  programs.ssh.startAgent = true;
-  services.openssh.hostKeys = [
-    {
-      type = "ed25519";
-      inherit (config.age.secrets.id_ed25519) path;
-    }
-  ];
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
  };

-  users.users.${config.user.username}.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/oT15GWYcRvWCTchReh5rnkXTC9Ukm6Zfufei9bq1fWB0EjpvosCMupADw+jvqiP/ttyBKewHwZQxiw9oeRPSphUtKB0UlQXFPASNf1VxrFlsbkDOSEa+FB+PBS3eeP0TTyNJh18oYszt/OFDzCvr1n53iGXTX9xm76bkBxVfAvhm/5vadjmXKGOpdM/OWNF8rCqSgwkME6PXdT1UAFVj+FBdLrNCqYh1pe1ZdRxYlYL5b4uHwQmuz57AkvWwRNKipzdtxMCkT3LNiCQzuOhv3QaqxQ6fgJ+ktkbcTLZtY7HdT+CRUuC+APr266jeLAz1yUxFH693QifbBdn8v7wWD++UnbP23QqNwdXEMnCjEPRFgnK4ERnhIq6jVR328f5DTRJHZZ9spEx7pWsiT2iQC8MxK0gk9xul4fduJsPETWXe84YaHe6wLK92SQKQMdLh6p+TBvhMhPW2PrH5C6iH2w1oXVGlhc4wvoB1leiKNVHf4m9CWRFgznSmVbxFHFk= nickolaj@arch-desktop"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtjpdHPRXg75YBonNshQdeuNZ3W3k/RzdYY+8QuQ3Pc nickolaj1177@gmail.com"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdBiNbNPcMdI/hp4zgBS3ShqYuVVRvUAA1ffrdiBQ0k nickolaj@fireproof.website"
-  ];
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/oT15GWYcRvWCTchReh5rnkXTC9Ukm6Zfufei9bq1fWB0EjpvosCMupADw+jvqiP/ttyBKewHwZQxiw9oeRPSphUtKB0UlQXFPASNf1VxrFlsbkDOSEa+FB+PBS3eeP0TTyNJh18oYszt/OFDzCvr1n53iGXTX9xm76bkBxVfAvhm/5vadjmXKGOpdM/OWNF8rCqSgwkME6PXdT1UAFVj+FBdLrNCqYh1pe1ZdRxYlYL5b4uHwQmuz57AkvWwRNKipzdtxMCkT3LNiCQzuOhv3QaqxQ6fgJ+ktkbcTLZtY7HdT+CRUuC+APr266jeLAz1yUxFH693QifbBdn8v7wWD++UnbP23QqNwdXEMnCjEPRFgnK4ERnhIq6jVR328f5DTRJHZZ9spEx7pWsiT2iQC8MxK0gk9xul4fduJsPETWXe84YaHe6wLK92SQKQMdLh6p+TBvhMhPW2PrH5C6iH2w1oXVGlhc4wvoB1leiKNVHf4m9CWRFgznSmVbxFHFk= nickolaj@arch-desktop"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtjpdHPRXg75YBonNshQdeuNZ3W3k/RzdYY+8QuQ3Pc nickolaj1177@gmail.com"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdBiNbNPcMdI/hp4zgBS3ShqYuVVRvUAA1ffrdiBQ0k nickolaj@fireproof.website"
-  ];
+  users.users.${username}.openssh.authorizedKeys.keys = publicKeys;
 }
--- a/parts/modules/base/user.nix
+++ b/parts/modules/base/user.nix
@ -1,34 +1,46 @@
 {
-  config,
  lib,
  options,
+  username,
+  config,
  ...
 }:
 with lib; let
-  cfg = config.user;
+  inherit (config.age) secrets;
 in {
-  options.user = {
-    username = mkOption {
-      type = types.str;
+  options.fireproof = {
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "nickolaj";
      description = "The username of the user";
    };
-    home-manager = mkOption {
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "users";
+    };
+
+    home-manager = lib.mkOption {
      type = options.home-manager.users.type.functor.wrapped;
    };
  };
-
  config = {
-    users.users.${cfg.username} = {
+    age.secrets.hashed-user-password.rekeyFile = ../../../secrets/hashed-user-password.age;
+
+    users.users.${username} = {
      isNormalUser = true;
      extraGroups = ["wheel"];
-      hashedPasswordFile = config.age.secrets.hashed-user-password.path;
+      # initialPassword = "password";
+      hashedPasswordFile = secrets.hashed-user-password.path;
    };

    home-manager = {
      useUserPackages = true;
      useGlobalPkgs = true;
    };
-    home-manager.users.${cfg.username} = mkAliasDefinitions options.user.home-manager;
-    user.home-manager.home.stateVersion = config.system.stateVersion;
+    home-manager.users.${username} = mkAliasDefinitions options.fireproof.home-manager;
+
+    # set the same version of home-manager as the system
+    fireproof.home-manager.home.stateVersion = "24.11";
+    system.stateVersion = "24.11";
  };
 }