From 42a93f042e2c821939fa6aa4ac8945997d5b5099 Mon Sep 17 00:00:00 2001
From: andromeda
Date: Wed, 31 Dec 2025 01:14:37 +0100
Subject: better machine conf, rework key/machines management
---
 machines/173-249-5-230/configuration.nix | 78 ----------
 machines/173-249-5-230/hardware-configuration.nix | 69 ---------
 machines/173-249-5-230/machine.nix | 10 --
 machines/_173-249-5-230/configuration.nix | 127 +++++++++++++++
 machines/laptop/configuration.nix | 114 --------------
 machines/laptop/hardware-configuration.nix | 75 ---------
 machines/laptop/machine.nix | 8 -
 machines/lenovo/configuration.nix | 180 ++++++++++++++++++++++
 8 files changed, 307 insertions(+), 354 deletions(-)
 delete mode 100644 machines/173-249-5-230/configuration.nix
 delete mode 100644 machines/173-249-5-230/hardware-configuration.nix
 delete mode 100644 machines/173-249-5-230/machine.nix
 create mode 100644 machines/_173-249-5-230/configuration.nix
 delete mode 100644 machines/laptop/configuration.nix
 delete mode 100644 machines/laptop/hardware-configuration.nix
 delete mode 100644 machines/laptop/machine.nix
 create mode 100644 machines/lenovo/configuration.nix
(limited to 'machines')
diff --git a/machines/173-249-5-230/configuration.nix b/machines/173-249-5-230/configuration.nix
deleted file mode 100644
index 570d428..0000000
--- a/machines/173-249-5-230/configuration.nix
+++ /dev/null
@@ -1,78 +0,0 @@
-{
- config,
- machine,
- ...
-}: {
- age.secrets.secret2.file = ../../secrets/secret2.age;
- boot.tmp.cleanOnBoot = true;
- boot.loader.grub.devices = ["nodev"];
- environment.persistence."/nix/persist" = {
- enable = true;
- hideMounts = true;
- directories = [
- "/var/log"
- "/var/lib/nixos"
- "/var/lib/systemd/coredump"
- "/etc/NetworkManager/system-connections"
- ];
- files = [
- "/etc/machine-id"
- "/etc/ly/save.txt"
- ];
- users."mtgmonkey" = {
- directories = [
- ".local/share/zoxide"
- ".ssh"
- ];
- files = [
- ".bash_history"
- ".brush_history"
- ];
- };
- };
- i18n.defaultLocale = "de_DE.UTF-8";
- networking = {
- dhcpcd.enable = true;
- firewall = {
- enable = true;
- allowedTCPPorts = [80 443];
- allowedUDPPorts = [80 443];
- };
- hostName = machine.hostname;
- domain = "";
- };
- nix.settings = {
- experimental-features = [
- "nix-command"
- "flakes"
- ];
- allow-import-from-derivation = true;
- };
- programs.noshell.enable = true;
- services.openssh = {
- enable = true;
- allowSFTP = false;
- ports = [5522];
- settings = {
- PermitRootLogin = "no";
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = true;
- };
- extraConfig = ''
- AllowTcpForwarding no
- AllowAgentForwarding no
- MaxAuthTries 3
- MaxSessions 4
- TCPKeepAlive no
- '';
- };
- system.stateVersion = "26.05";
- time.timeZone = "Europe/Berlin";
- users.users."mtgmonkey" = {
- isNormalUser = true;
- description = "mtgmonkey";
- hashedPasswordFile = builtins.toString config.age.secrets.secret2.path;
- extraGroups = ["wheel"];
- openssh.authorizedKeys.keys = machine.pub-keys.ssh;
- };
-}
diff --git a/machines/173-249-5-230/hardware-configuration.nix b/machines/173-249-5-230/hardware-configuration.nix
deleted file mode 100644
index bde1c83..0000000
--- a/machines/173-249-5-230/hardware-configuration.nix
+++ /dev/null
@@ -1,69 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel"]; - boot.extraModulePackages = []; - - fileSystems."/" = { - #device = "none"; - #fsType = "tmpfs"; - #options = ["defaults" "size=60%" "mode=755"]; - device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7"; - fsType = "btrfs"; - options = ["subvol=root"]; - }; - - boot.initrd.postResumeCommands = lib.mkAfter '' - mkdir /btrfs_tmp - mount ${config.fileSystems."/".device} /btrfs_tmp - if [[ -e /btrfs_tmp/root ]]; then - mkdir -p /btrfs_tmp/old_roots - timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S") - mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" - fi - - delete_subvolume_recursively() { - IFS=$'\n' - for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do - delete_subvolume_recursively "/btrfs_tmp/$i" - done - btrfs subvolume delete "$1" - } - - for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do - delete_subvolume_recursively "$i" - done - - btrfs subvolume create /btrfs_tmp/root - umount /btrfs_tmp - ''; - - fileSystems."/nix" = { - device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/F425-55BA"; - fsType = "vfat"; - options = ["fmask=0022" "dmask=0022"]; - }; - - swapDevices = []; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} 
diff --git a/machines/173-249-5-230/machine.nix b/machines/173-249-5-230/machine.nix
deleted file mode 100644
index 672d46b..0000000
--- a/machines/173-249-5-230/machine.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- hostname = "173-249-5-230";
- usernames = ["mtgmonkey"];
- system = "x86_64-linux";
- configuration = ./configuration.nix;
- hardware-configuration = ./hardware-configuration.nix;
- pub-keys = {
- ssh = [];
- };
-}
diff --git a/machines/_173-249-5-230/configuration.nix b/machines/_173-249-5-230/configuration.nix
new file mode 100644
index 0000000..0fe1e9e
--- /dev/null
+++ b/machines/_173-249-5-230/configuration.nix
@@ -0,0 +1,127 @@
+{
+ config,
+ lib,
+ modulesPath,
+ machine,
+ ...
+}: {
+ age.secrets.secret2.file = ../../secrets/secret2.age;
+ boot.tmp.cleanOnBoot = true;
+ boot.loader.grub.devices = ["nodev"];
+ environment.persistence."/nix/persist" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ly/save.txt"
+ ];
+ users."mtgmonkey" = {
+ directories = [
+ ".local/share/zoxide"
+ ".ssh"
+ ];
+ files = [
+ ".bash_history"
+ ".brush_history"
+ ];
+ };
+ };
+ i18n.defaultLocale = "de_DE.UTF-8";
+ networking = {
+ dhcpcd.enable = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [80 443];
+ };
+ hostName = lib.strings.removePrefix "_" machine.hostname;
+ domain = "";
+ useDHCP = true;
+ };
+ nix.settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ allow-import-from-derivation = true;
+ };
+ programs.noshell.enable = true;
+ services.openssh = {
+ enable = true;
+ allowSFTP = false;
+ ports = [5522];
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = true;
+ };
+ extraConfig = ''
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ MaxAuthTries 3
+ MaxSessions 4
+ TCPKeepAlive no
+ '';
+ };
+ system.stateVersion = "26.05";
+ time.timeZone = "Europe/Berlin";
+ users.users."mtgmonkey" = {
+ isNormalUser = true;
+ description = "mtgmonkey";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret2.path;
+ extraGroups = ["wheel"];
+ openssh.authorizedKeys.keys = [(import ../../pub-keys.nix).ssh.andromeda];
+ };
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+ fileSystems."/" = {
+ 
device = "none"; + fsType = "tmpfs"; + options = ["defaults" "size=30%" "mode=755"]; + }; + boot.initrd.postResumeCommands = lib.mkAfter '' + mkdir /btrfs_tmp + mount ${config.fileSystems."/".device} /btrfs_tmp + if [[ -e /btrfs_tmp/root ]]; then + mkdir -p /btrfs_tmp/old_roots + timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S") + mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" + fi + + delete_subvolume_recursively() { + IFS=$'\n' + for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do + delete_subvolume_recursively "/btrfs_tmp/$i" + done + btrfs subvolume delete "$1" + } + + for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do + delete_subvolume_recursively "$i" + done + + btrfs subvolume create /btrfs_tmp/root + umount /btrfs_tmp + ''; + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/6b481376-9716-4559-946b-62097c2380f1"; + fsType = "ext4"; + }; + fileSystems."/efi" = { + device = "systemd-1"; + fsType = "autofs"; + }; + swapDevices = []; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix deleted file mode 100644 index 58b019e..0000000 --- a/machines/laptop/configuration.nix +++ /dev/null 
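Review bot: `boot.initrd.postResumeCommands` in this hunk still runs `mount ${config.fileSystems."/".device} /btrfs_tmp`, but `fileSystems."/"` is now `device = "none"; fsType = "tmpfs"` and `/nix` is ext4, so the btrfs root-rotation script carried over from the deleted hardware-configuration.nix has nothing to operate on — drop the whole `postResumeCommands` block rather than let `mount none` fail inside the initrd. With root on tmpfs and `"/etc/ssh"` missing from `directories` (the lenovo file in this commit does persist it), sshd's host keys are regenerated on every reboot, so each client sees a changed-host-key warning on every reconnect, which is precisely the signal the host-key check exists to raise; add `"/etc/ssh"` to `environment.persistence."/nix/persist".directories`. `PasswordAuthentication = false` is also undercut by `KbdInteractiveAuthentication = true`: NixOS runs sshd with PAM, and keyboard-interactive still accepts the account password, so now that `authorizedKeys.keys` is populated from `pub-keys.nix` the setting should become `KbdInteractiveAuthentication = false;`. `fileSystems."/efi" = { device = "systemd-1"; fsType = "autofs"; }` looks copied from /proc/mounts rather than naming the ESP device — presumably a `/dev/disk/by-uuid/...` vfat entry was intended; verify against `nixos-generate-config` output.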
@@ -1,114 +0,0 @@
-{
- config,
- lib,
- machine,
- ...
-}: {
- age.secrets = {
- secret0.file = ../../secrets/secret0.age;
- secret1.file = ../../secrets/secret1.age;
- };
- boot.loader = {
- efi.canTouchEfiVariables = true;
- systemd-boot.enable = true;
- };
- environment.persistence."/nix/persist" = {
- enable = true;
- hideMounts = true;
- directories = [
- "/var/log"
- "/var/lib/bluetooth"
- "/var/lib/nixos"
- "/var/lib/systemd/coredump"
- "/etc/NetworkManager/system-connections"
- "/etc/ssh"
- ];
- files = [
- "/etc/machine-id"
- "/etc/ly/save.txt"
- ];
- users."andromeda" = {
- directories = [
- ".backups"
- ".local/share/Anki2"
- ".local/share/chat.fluffy.fluffychat"
- ".local/share/zoxide"
- ".ssh"
- "conf"
- "Downloads"
- "pp"
- ];
- files = [
- ".bash_history"
- ".brush_history"
- ];
- };
- users."mtgmonkey" = {
- directories = [
- ".local/share/zoxide"
- ".ssh"
- ];
- files = [
- ".bash_history"
- ".brush_history"
- ];
- };
- };
- hardware.bluetooth = {
- enable = true;
- powerOnBoot = true;
- };
- i18n.defaultLocale = "de_DE.UTF-8";
- networking = {
- dhcpcd.enable = true;
- firewall.enable = true;
- hostName = machine.hostname;
- networkmanager.enable = true;
- };
- nix.settings.experimental-features = [
- "nix-command"
- "flakes"
- ];
- nixpkgs.config.allowUnfreePredicate = pkg:
- builtins.elem (lib.getName pkg) [
- "steam"
- "steam-original"
- "steam-unwrapped"
- "steam-run"
- ];
- programs = {
- noshell.enable = true;
- steam.enable = true;
- sway.enable = true;
- };
- services = {
- blueman.enable = true;
- displayManager = {
- enable = true;
- ly.enable = true;
- };
- libinput.enable = true;
- openssh.enable = true;
- printing.enable = true;
- };
- system.stateVersion = "26.05";
- time.timeZone = "Europe/Berlin";
- users.users."andromeda" = {
- isNormalUser = true;
- description = "andromeda";
- hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
- extraGroups = [
- "networkmanager"
- "wheel"
- ];
- };
- users.users."mtgmonkey" 
= {
- isNormalUser = true;
- description = "mtgmonkey";
- hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
- extraGroups = [
- "networkmanager"
- "wheel"
- ];
- };
-}
diff --git a/machines/laptop/hardware-configuration.nix b/machines/laptop/hardware-configuration.nix
deleted file mode 100644
index 8ebef80..0000000
--- a/machines/laptop/hardware-configuration.nix
+++ /dev/null
@@ -1,75 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel"]; - boot.extraModulePackages = []; - - fileSystems."/" = { - #device = "none"; - #fsType = "tmpfs"; - #options = ["defaults" "size=60%" "mode=755"]; - device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7"; - fsType = "btrfs"; - options = ["subvol=root"]; - }; - - boot.initrd.postResumeCommands = lib.mkAfter '' - mkdir /btrfs_tmp - mount ${config.fileSystems."/".device} /btrfs_tmp - if [[ -e /btrfs_tmp/root ]]; then - mkdir -p /btrfs_tmp/old_roots - timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S") - mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" - fi - - delete_subvolume_recursively() { - IFS=$'\n' - for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do - delete_subvolume_recursively "/btrfs_tmp/$i" - done - btrfs subvolume delete "$1" - } - - for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do - delete_subvolume_recursively "$i" - done - - btrfs subvolume create /btrfs_tmp/root - mkdir /btrfs_tmp/root/nix - mkdir /btrfs_tmp/root/etc - mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix - cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r - umount /btrfs_tmp/root/nix - rm -r /btrfs_tmp/root/nix - umount /btrfs_tmp - ''; - - fileSystems."/nix" = { - device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/F425-55BA"; - fsType = "vfat"; - options = ["fmask=0022" "dmask=0022"]; - }; - - swapDevices = []; - - 
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/machines/laptop/machine.nix b/machines/laptop/machine.nix
deleted file mode 100644
index 77c15b5..0000000
--- a/machines/laptop/machine.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- hostname = "lenovo";
- usernames = ["andromeda" "mtgmonkey"];
- system = "x86_64-linux";
- configuration = ./configuration.nix;
- hardware-configuration = ./hardware-configuration.nix;
- pub-keys.ssh = [];
-}
diff --git a/machines/lenovo/configuration.nix b/machines/lenovo/configuration.nix
new file mode 100644
index 0000000..1b42b9d
--- /dev/null
+++ b/machines/lenovo/configuration.nix
@@ -0,0 +1,180 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ machine,
+ ...
+}: {
+ age.secrets = {
+ secret0.file = ../../secrets/secret0.age;
+ secret1.file = ../../secrets/secret1.age;
+ };
+ boot.loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot.enable = true;
+ };
+ environment.persistence."/nix/persist" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ "/etc/ssh"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ly/save.txt"
+ ];
+ users."andromeda" = {
+ directories = [
+ ".backups"
+ ".local/share/Anki2"
+ ".local/share/chat.fluffy.fluffychat"
+ ".local/share/zoxide"
+ ".ssh"
+ "conf"
+ "Downloads"
+ "pp"
+ ];
+ files = [
+ ".bash_history"
+ ".brush_history"
+ ];
+ };
+ users."mtgmonkey" = {
+ directories = [
+ ".local/share/zoxide"
+ ".ssh"
+ ];
+ files = [
+ ".bash_history"
+ ".brush_history"
+ ];
+ };
+ };
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ i18n.defaultLocale = "de_DE.UTF-8";
+ networking = {
+ dhcpcd.enable = true;
+ firewall.enable = true;
+ hostName = machine.hostname;
+ networkmanager.enable = true;
+ };
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ nixpkgs.config.allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "steam"
+ "steam-original"
+ "steam-unwrapped"
+ "steam-run"
+ ];
+ programs = {
+ noshell.enable = true;
+ steam.enable = true;
+ sway.enable = true;
+ };
+ services = {
+ blueman.enable = true;
+ displayManager = {
+ enable = true;
+ ly.enable = true;
+ };
+ libinput.enable = true;
+ openssh.enable = true;
+ printing.enable = true;
+ };
+ system.stateVersion = "26.05";
+ time.timeZone = "Europe/Berlin";
+ users.users."andromeda" = {
+ isNormalUser = true;
+ description = "andromeda";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ };
+ 
users.users."mtgmonkey" = { + isNormalUser = true; + description = "mtgmonkey"; + hashedPasswordFile = builtins.toString config.age.secrets.secret1.path; + extraGroups = [ + "networkmanager" + "wheel" + ]; + }; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + #device = "none"; + #fsType = "tmpfs"; + #options = ["defaults" "size=60%" "mode=755"]; + device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7"; + fsType = "btrfs"; + options = ["subvol=root"]; + }; + + boot.initrd.postResumeCommands = lib.mkAfter '' + mkdir /btrfs_tmp + mount ${config.fileSystems."/".device} /btrfs_tmp + if [[ -e /btrfs_tmp/root ]]; then + mkdir -p /btrfs_tmp/old_roots + timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S") + mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" + fi + + delete_subvolume_recursively() { + IFS=$'\n' + for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do + delete_subvolume_recursively "/btrfs_tmp/$i" + done + btrfs subvolume delete "$1" + } + + for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do + delete_subvolume_recursively "$i" + done + + btrfs subvolume create /btrfs_tmp/root + mkdir /btrfs_tmp/root/nix + mkdir /btrfs_tmp/root/etc + mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix + cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r + umount /btrfs_tmp/root/nix + rm -r /btrfs_tmp/root/nix + umount /btrfs_tmp + ''; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/F425-55BA"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; + + swapDevices = []; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + 
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} -- cgit v1.3
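Review bot: `openssh.enable = true;` in the `services` block leaves sshd at NixOS defaults, which accept `PasswordAuthentication` and `KbdInteractiveAuthentication` and open port 22 in the firewall, so the roaming laptop gets the weaker of the two sshd policies this commit ships while `_173-249-5-230` hardens the same daemon, and neither local user has `openssh.authorizedKeys.keys` now that `machine.nix` (`pub-keys.ssh = []`) is gone. Either disable sshd here or align it: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` plus keys from `pub-keys.nix`. In `boot.initrd.postResumeCommands`, `timestamp=$(date ... "+%Y-%m-%-d_%H:$M:%S")` has `$M` where `%M` was meant; a Nix `''` string leaves `$M` untouched, so the shell expands an unset variable and the old-root directories come out named like `2025-12-31_01::37` (constructed example) — the same line is in the `_173-249-5-230` copy of this script. The `#device = "none"` / `#fsType = "tmpfs"` / `#options = ...` lines inside `fileSystems."/"` are dead alternatives; replace them with a comment that states what the block actually does, e.g. `# btrfs subvolume "root" is moved under old_roots/ and recreated on every boot by postResumeCommands; old roots with mtime older than 30 days are deleted`.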