fireproof/nixos
1
0
Fork 0
mirror of https://github.com/nickolaj-jepsen/nixos.git synced 2026-01-22 08:06:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: split base and system module

Browse source
This commit is contained in:
Nickolaj Jepsen 2025-12-12 04:17:02 +01:00
parent d50bbb3d12
commit 742a55e5a0
17 changed files with 34 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

4
modules/base/boot.nix
View file

@ -1,4 +0,0 @@
{lib, ...}: {
boot.loader.systemd-boot.enable = lib.mkDefault true;
boot.loader.efi.canTouchEfiVariables = true;
}

12
modules/base/default.nix
View file

@ -2,22 +2,10 @@ _: {
options.fireproof.base = {};
imports = [
./boot.nix
./defaults.nix
./gc.nix
./home-manager.nix
./hosts.nix
./keyd.nix
./ld.nix
./networking.nix
./nix.nix
./secrets.nix
./security.nix
./ssh.nix
./time.nix
./usb.nix
./user.nix
./yubikey.nix
./tailscale.nix
];
}

14
modules/base/hosts.nix
View file

@ -1,14 +0,0 @@
{config, ...}: {
age.secrets.hosts-private = {
# Contains IP addresses that i have no business sharing
rekeyFile = ../../secrets/hosts-private.age;
};
# Inject the private hosts file, because setting networking.hostFiles doesn't work
system.activationScripts.hosts-private = ''
cat /etc/hosts > /etc/hosts.bak
rm /etc/hosts
cat /etc/hosts.bak "${config.age.secrets.hosts-private.path}" >> /etc/hosts
rm /etc/hosts.bak
'';
}

17
modules/base/keyd.nix
View file

@ -1,17 +0,0 @@
_: {
services.keyd = {
enable = true;
keyboards.mouse = {
ids = [
"046d:c051:4ae65a29" # Work mouse
"046d:407f:ee6ee407" # Home mouse
];
settings = {
main = {
# Bind mouse-back to meta if held
mouse1 = "overload(meta, mouse1)";
};
};
};
};
}

3
modules/base/ld.nix
View file

@ -1,3 +0,0 @@
_: {
programs.nix-ld.enable = true;
}

5
modules/base/networking.nix
View file

@ -1,5 +0,0 @@
{hostname, ...}: {
networking = {
hostName = hostname;
};
}

8
modules/base/nix.nix
View file

@ -1,5 +1,11 @@
_: {
{username, ...}: {
nix.settings = {
trusted-users = [
"root"
"@wheel"
username
];
experimental-features = "nix-command flakes";
substituters = [
"https://hyprland.cachix.org"

9
modules/base/security.nix
View file

@ -1,9 +0,0 @@
{username, ...}: {
security.sudo.wheelNeedsPassword = false;
nix.settings.trusted-users = [
"root"
"@wheel"
username
];
services.gnome.gnome-keyring.enable = true;
}

104
modules/base/ssh.nix
View file

@ -1,104 +0,0 @@
{
config,
pkgs,
username,
hostname,
lib,
...
}: let
# Load all public keys from ../../secrets/hosts/*/id_ed25519.pub
allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../secrets/hosts));
publicKeys = map (x: builtins.readFile (../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
in {
age.secrets.ssh-key = {
rekeyFile = ../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
path = "/home/" + username + "/.ssh/id_ed25519";
mode = "0600";
owner = username;
};
age.secrets.ssh-key-ao = {
rekeyFile = ../../secrets/ssh-key-ao.age;
mode = "0600";
owner = username;
};
fireproof.home-manager = {
home.file.".ssh/id_ed25519.pub".source = ../../secrets/hosts + ("/" + hostname) + "/id_ed25519.pub";
programs.ssh = {
enable = true;
forwardAgent = true;
serverAliveInterval = 60;
serverAliveCountMax = 10;
matchBlocks = {
"*" = {
identityFile = "${config.age.secrets.ssh-key.path}";
};
homelab = {
hostname = "x.nickolaj.com";
user = "nickolaj";
};
# Work hostnames definded in ./networking.nix
"bastion.ao" = {
user = "nij";
identityFile = "${config.age.secrets.ssh-key-ao.path}";
};
"clickhouse.ao" = {
user = "ubuntu";
hostname = "51.158.205.48";
identityFile = "${config.age.secrets.ssh-key-ao.path}";
};
"flex.ao" = {
user = "nij";
hostname = "192.168.2.5";
proxyJump = "bastion.ao";
identityFile = "${config.age.secrets.ssh-key-ao.path}";
};
"scw.ao" = {
user = "nij";
hostname = "51.15.81.1";
proxyJump = lib.mkDefault "dev.ao";
identityFile = "${config.age.secrets.ssh-key-ao.path}";
};
"dev.ao" = {
user = "nij";
hostname = "192.168.2.28";
proxyJump = lib.mkDefault "bastion.ao";
identityFile = "${config.age.secrets.ssh-key-ao.path}";
};
"staging.ao" = {
user = "staging";
hostname = "172.16.2.102";
proxyJump = lib.mkDefault "bastion.ao";
identityFile = "${config.age.secrets.ssh-key-ao.path}";
};
};
};
};
programs.ssh.startAgent = true;
services.gnome.gcr-ssh-agent.enable = false;
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
systemd.user.services."add-ssh-keys" = {
description = "Add SSH keys to ssh-agent";
after = ["network.target" "ssh-agent.service"];
requires = ["ssh-agent.service"];
wantedBy = ["default.target"];
serviceConfig = {
Type = "oneshot";
ExecStartPre = ''
${pkgs.coreutils}/bin/sleep 5
'';
ExecStart = ''
${pkgs.openssh}/bin/ssh-add -q ${config.age.secrets.ssh-key-ao.path}
'';
};
};
users.users.${username}.openssh.authorizedKeys.keys = publicKeys;
}

3
modules/base/tailscale.nix
View file

@ -1,3 +0,0 @@
_: {
services.tailscale.enable = true;
}

3
modules/base/time.nix
View file

@ -1,3 +0,0 @@
_: {
time.timeZone = "Europe/Copenhagen";
}

4
modules/base/usb.nix
View file

@ -1,4 +0,0 @@
_: {
services.devmon.enable = true;
services.udisks2.enable = true;
}

17
modules/base/user.nix
View file

@ -1,17 +0,0 @@
{
username,
config,
...
}: let
inherit (config.age) secrets;
in {
config = {
age.secrets.hashed-user-password.rekeyFile = ../../secrets/hashed-user-password.age;
users.users.${username} = {
isNormalUser = true;
extraGroups = ["wheel"];
hashedPasswordFile = secrets.hashed-user-password.path;
};
};
}

3
modules/base/yubikey.nix
View file

@ -1,3 +0,0 @@
_: {
services.pcscd.enable = true;
}