update

modules/base/boot.nix

@@ -0,0 +1,4 @@
+_: {
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+}

modules/base/default-apps.nix

@@ -0,0 +1,8 @@
+{lib, ...}: {
+  options.fireproof.default-apps = {
+    terminal = lib.mkOption {
+      type = lib.types.str;
+      description = "The terminal to use";
+    };
+  };
+}

modules/base/envvar.nix

@@ -0,0 +1,5 @@
+{config, ...}: {
+  environment.variables = {
+    EDITOR = config.defaults.editor;
+  };
+}

modules/base/ld.nix

@@ -0,0 +1,3 @@
+_: {
+  programs.nix-ld.enable = true;
+}

modules/base/networking.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  hostname,
+  ...
+}: {
+  age.secrets.hosts-private = {
+    # Contains IP addresses that i have no business sharing
+    rekeyFile = ../../secrets/hosts-private.age;
+  };
+
+  # Inject the private hosts file, because setting networking.hostFiles doesn't work
+  system.activationScripts.hosts-private = ''
+    cat /etc/hosts > /etc/hosts.bak
+    rm /etc/hosts
+    cat /etc/hosts.bak "${config.age.secrets.hosts-private.path}" >> /etc/hosts
+    rm /etc/hosts.bak
+  '';
+
+  networking = {
+    hostName = hostname;
+  };
+}

modules/base/nix.nix

@@ -0,0 +1,3 @@
+_: {
+  nix.settings.experimental-features = "nix-command flakes";
+}

modules/base/secrets.nix

@@ -0,0 +1,20 @@
+{hostname, ...}: let
+  hostSecrets = ../../secrets/hosts + ("/" + hostname);
+  publicKey = builtins.readFile (hostSecrets + "/id_ed25519.pub");
+in {
+  age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+  age.rekey = {
+    storageMode = "local";
+    hostPubkey = publicKey;
+    masterIdentities = [
+      {
+        identity = ../../secrets/yubikey-identity.pub;
+      }
+    ];
+    extraEncryptionPubkeys = [
+      "age1pzrfw28f8qvsk9g8p2stundf4ph466jut0g6q47sse76zljtqy9q2w32zr" # Backup key (bitwarden)
+    ];
+    localStorageDir = hostSecrets + /.rekey;
+    generatedSecretsDir = hostSecrets;
+  };
+}

modules/base/security.nix

@@ -0,0 +1,8 @@
+{username, ...}: {
+  security.sudo.wheelNeedsPassword = false;
+  nix.settings.trusted-users = [
+    "root"
+    "@wheel"
+    username
+  ];
+}

modules/base/ssh.nix

@@ -0,0 +1,56 @@
+{
+  config,
+  username,
+  hostname,
+  lib,
+  ...
+}: let
+  # Load all public keys from ../../secrets/hosts/*/id_ed25519.pub
+  allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../secrets/hosts));
+  publicKeys = map (x: builtins.readFile (../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
+in {
+  age.secrets.ssh-key = {
+    rekeyFile = ../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
+    path = "/home/" + username + "/.ssh/id_ed25519";
+    mode = "0600";
+    owner = username;
+  };
+  age.secrets.ssh-key-ao = {
+    rekeyFile = ../../secrets/ssh-key-ao.age;
+    mode = "0600";
+    owner = username;
+  };
+  fireproof.home-manager = {
+    home.file.".ssh/id_ed25519.pub".source = ../../secrets/hosts + ("/" + hostname) + "/id_ed25519.pub";
+    programs.ssh = {
+      enable = true;
+      forwardAgent = true;
+      matchBlocks = {
+        "*" = {
+          identityFile = "${config.age.secrets.ssh-key.path}";
+        };
+        # Work hostnames definded in ./networking.nix
+        "*.ao" = {
+          user = "nij";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+        "dev.ao".proxyJump = "bastion.ao";
+        "scw.ao".proxyJump = "bastion.ao";
+        "clickhouse.ao".user = "ubuntu";
+        "flex.ao" = {
+          hostname = "192.168.2.5";
+          proxyJump = "bastion.ao";
+        };
+      };
+    };
+  };
+
+  programs.ssh.startAgent = true;
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+  };
+
+  users.users.${username}.openssh.authorizedKeys.keys = publicKeys;
+}

modules/base/time.nix

@@ -0,0 +1,3 @@
+_: {
+  time.timeZone = "Europe/Copenhagen";
+}

modules/base/user.nix

@@ -0,0 +1,36 @@
+{
+  lib,
+  options,
+  username,
+  config,
+  ...
+}:
+with lib; let
+  inherit (config.age) secrets;
+in {
+  options.fireproof = {
+    home-manager = lib.mkOption {
+      type = options.home-manager.users.type.functor.wrapped;
+    };
+  };
+  config = {
+    age.secrets.hashed-user-password.rekeyFile = ../../secrets/hashed-user-password.age;
+
+    users.users.${username} = {
+      isNormalUser = true;
+      extraGroups = ["wheel"];
+      # initialPassword = "password";
+      hashedPasswordFile = secrets.hashed-user-password.path;
+    };
+
+    home-manager = {
+      useUserPackages = true;
+      useGlobalPkgs = true;
+    };
+    home-manager.users.${username} = mkAliasDefinitions options.fireproof.home-manager;
+
+    # set the same version of home-manager as the system
+    fireproof.home-manager.home.stateVersion = "24.11";
+    system.stateVersion = "24.11";
+  };
+}