diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..cb5008b
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,232 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673301561, + "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", + "owner": "ryantm", + "repo": "agenix", + "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1673343300, + "narHash": 
"sha256-5Xdj6kpXYMie0MlnGwqK5FaMdsedxvyuakWtyKB3zaQ=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "176e455371a8371586e8a3ff0d56ee9f3ca2324e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "kpcli-py": { + "flake": false, + "locked": { + "lastModified": 1619087457, + "narHash": "sha256-iRNLq5s2WJJHwB4beP5xQDKrBPWS/42s/ozLoSa5gAE=", + "owner": "rebkwok", + "repo": "kpcli", + "rev": "e4d699e3b3d28887f74185f8fa69d0aade111d84", + "type": "github" + }, + "original": { + "owner": "rebkwok", + "repo": "kpcli", + "type": "github" + } + }, + "nixgl": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1, + "narHash": "sha256-KP+2qdZlhmRkrafuuEofg7YnNdVmGV95ipvpuqmJneI=", + "path": "out-of-tree/nixGL", + "type": "path" + }, + "original": { + "path": "out-of-tree/nixGL", + "type": "path" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1660551188, + "narHash": "sha256-a1LARMMYQ8DPx1BgoI/UN4bXe12hhZkCNqdxNi6uS0g=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "441dc5d512153039f19ef198e662e4f3dbb9fd65", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1673450908, + "narHash": "sha256-b8em+kwrNtnB7gR8SyVf6WuTyQ+6tHS6dzt9D9wgKF0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6c8644fc37b6e141cbfa6c7dc8d98846c4ff0c2e", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1665296151, + "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + 
"inputs": {
+ "agenix": "agenix",
+ "flake-compat": "flake-compat",
+ "flake-utils": "flake-utils",
+ "home-manager": "home-manager",
+ "kpcli-py": "kpcli-py",
+ "nixgl": "nixgl",
+ "nixpkgs": "nixpkgs_2",
+ "rust-overlay": "rust-overlay"
+ }
+ },
+ "rust-overlay": {
+ "inputs": {
+ "flake-utils": "flake-utils_3",
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "lastModified": 1673490397,
+ "narHash": "sha256-VCSmIYJy/ZzTvEGjdfITmTYfybXBgZpMjyjDndbou+8=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "0833f4d063a2bb75aa31680f703ba594a384ffe6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1667395993,
+ "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
index 67301e5..af07aeb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -89,20 +89,20 @@ in {
 inherit (hosts) nixosConfigurations;
- # inherit (users) homeConfigurations;
+ inherit (users) homeConfigurations;
 inherit lib proj_root;
 devShell."${system}" = import ./dev-shell.nix final_inputs;
 templates = import ./templates final_inputs;
-
- unit_tests = lib.runTests unit_tests;
 secrets = {
 pubKeys = {
 hosts = hosts.pubKeys;
 users = users.pubKeys;
 };
 };
+
+ unit_tests = lib.runTests unit_tests;
 debug = {
- inherit final_inputs hosts users modules lib inputs_w_pkgs unit_tests pkgs;
+ inherit final_inputs hosts users modules lib unit_tests pkgs;
 };
 };
}
diff --git a/hosts/default.nix b/hosts/default.nix
index 8b99c29..adea74f 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
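Review bot: `unit_tests = lib.runTests unit_tests;`, which this hunk moves below `secrets`, evaluates to the list of failing test cases, and nothing visible in the flake consumes that list, so a failing test never fails `nix flake check` or a build. Consider adding a `checks."${system}".unit_tests` output that throws when the list is non-empty, e.g. `checks."${system}".unit_tests = let failed = lib.runTests unit_tests; in if failed == [] then pkgs.runCommand "unit-tests-ok" {} "touch $out" else throw "unit tests failed: ${builtins.toJSON failed}";` — this assumes `pkgs` and `system` are in scope at this point, which the `debug` set and the `devShell` line suggest but the hunk does not prove. Separately, `unit_tests`, `secrets` and `debug` are not standard flake output names, so `nix flake check` will typically warn about them; keeping the debugging material under a single non-standard attribute limits the noise.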
@@ -20,8 +20,6 @@ config = {
 ];
 };
 };
-# This middle function propagates variables to be used by mkHostFromPropagated
-# The purpose is to debug things
 propagate = hostConfig@{metadata, nixosConfig}: let
 # req
 inherit (metadata) hostName;
@@ -35,24 +33,8 @@ propagate = hostConfig@{metadata, nixosConfig}: let
 hardwareConfig = import "${proj_root.hosts.path}/${hostName}/hardware-configuration.nix";
 # alias to prevent infinite recursion
 _nixosConfig = nixosConfig;
- # debug stuffs (removable)
- debugModule = ({lib, proj_root, ...}: let debugAttrOpt = debugVar: lib.mkOption {
- type = lib.types.attrs;
- description = "Debug for info for ${debugVar}";
- visible = false;
- internal = true;
- readOnly = true;
- }; in {
- options = {
- debugLib = debugAttrOpt "lib";
- debug_proj_root = debugAttrOpt "proj_root";
- };
- config.debugLib = lib;
- config.debug_proj_root = proj_root;
- });
 in {
 inherit hostName ssh_pubkey users nixosVersion system preset hardwareConfig;
- debugLib = finalInputs.lib;
 nixosConfig = _nixosConfig // {
 inherit system;
 modules = [
@@ -68,7 +50,6 @@ in {
 networking.hostName = hostName;
 users.users = users;
 }
- debugModule
 {
 imports = [agenix.nixosModule];
 environment.systemPackages = [agenix.defaultPackage.x86_64-linux];
@@ -80,14 +61,15 @@ in {
 };
 # we are blessed by the fact that we engulfed nixpkgs.lib.* at top level
 mkHostFromPropagated = propagatedHostConfig@{nixosConfig,...}: nixpkgs.lib.nixosSystem nixosConfig;
+<<<<<<< HEAD
 mkHost = hostConfig: (lib.pipe [propagate mkHostFromPropagated] hostConfig);
 trimNull = lib.filterAttrsRecursive (name: value: value != null);
 flattenPubkey = lib.mapAttrs (hostName: meta_config: meta_config.metadata.ssh_pubkey);
+=======
+mkHost = hostConfig: (lib.pipe hostConfig [propagate mkHostFromPropagated]);
+>>>>>>> 4619ea4 (rekey)
 in {
 nixosConfigurations = lib.mapAttrs (name: hostConfig: mkHost hostConfig) config;
 # {bao = "ssh-ed25519 ..."; another_host = "ssh-rsa ...";}
- pubKeys = trimNull (flattenPubkey config);
- debug = {
- propagated = lib.mapAttrs (name: hostConfig: propagate hostConfig) config;
- };
+ pubKeys = lib.getPubkey config;
 }
diff --git a/lib/default.nix b/lib/default.nix
index ae90c38..37fcefb 100644
--- a/lib/default.nix
+++ b/lib/default.nix
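Review bot: The new side of this hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 4619ea4 (rekey)`) into hosts/default.nix, which makes the file unparseable and so breaks evaluation of every `nixosConfigurations` entry and of the `pubKeys` output that flake.nix re-exports. Even with the markers stripped, both `mkHost` bindings would sit in the same `let`, which Nix rejects as a duplicate attribute. Resolve it by deleting the three marker lines together with the HEAD-side `mkHost`, `trimNull` and `flattenPubkey` bindings, keeping only `mkHost = hostConfig: (lib.pipe hostConfig [propagate mkHostFromPropagated]);` — `lib.pipe` takes the value first and the function list second, so the HEAD ordering `lib.pipe [propagate mkHostFromPropagated] hostConfig` is the arguments reversed, and the local `trimNull`/`flattenPubkey` are superseded by the `lib.getPubkey` call on the new `pubKeys` line. The enclosing `let` begins before this hunk.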
@@ -6,17 +6,25 @@ ,defaultSystem? "x86_64-linux"
 ,...}@inputs: let
 lib = pkgs.lib;
- serde = import ./serde.nix (inputs // {inherit lib;});
+ inputs_w_lib = (inputs // {inherit lib;});
+ serde = import ./serde.nix inputs_w_lib;
+ shellAsDrv = {script, pname}: (pkgs.callPackage (
+ # just a pattern that we must remember: args to this are children of pkgs.
+ {writeShellScriptBin}: writeShellScriptBin pname script
+ ) {});
+ trimNull = lib.filterAttrs (name: value: value != null);
+ # ssh
+ flattenPubkey = lib.mapAttrs (_identity: meta_config: lib.attrByPath ["metadata" "ssh_pubkey"] null meta_config);
+ getPubkey = config: (lib.pipe config [flattenPubkey trimNull]);
 # procedure =
 in {
 # short-hand to create a shell derivation
 # NOTE: this is pure. This means, env vars from devShells might not
 # be accessible unless MAYBE they are `export`ed
- shellAsDrv = {script, pname}: (pkgs.callPackage (
- # just a pattern that we must remember: args to this are children of pkgs.
- {writeShellScriptBin}: writeShellScriptBin pname script
- ) {});
-
+ inherit shellAsDrv trimNull flattenPubkey getPubkey;
+ ssh = {
+ inherit flattenPubkey getPubkey;
+ };
 # Configures hosts as nixosConfiguration
 # mkHost = {hostName
 # , nixosBareConfiguration
diff --git a/modules/minimal.sys.nix b/modules/minimal.sys.nix
index cdab39a..bd5a729 100644
--- a/modules/minimal.sys.nix
+++ b/modules/minimal.sys.nix
@@ -1,13 +1,15 @@
 {pkgs
 ,lib
 ,proj_root
+,modulesPath
 ,...
 }:{
+ imports = ["${modulesPath}/profiles/minimal.nix"];
 # prune old builds after a while
- nix.settings.auto-optimize-store = true;
+ nix.settings.auto-optimise-store = true;
 nix.package = pkgs.nixFlakes; # nix flakes
 nix.extraOptions = ''
- experimental=feature = nix-command flakes
+ experimental-features = nix-command flakes
 '';
 programs.neovim = {
 enable = true;
diff --git a/modules/ssh.sys.nix b/modules/ssh.sys.nix
index 1e42a3c..7133f33 100644
--- a/modules/ssh.sys.nix
+++ b/modules/ssh.sys.nix
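Review bot: The comment block `# short-hand to create a shell derivation` / `# NOTE: this is pure ...` in lib/default.nix now sits above `inherit shellAsDrv trimNull flattenPubkey getPubkey;` while the `shellAsDrv` definition it documents has moved into the `let`, so the note reads as if it applied to all four inherited names. Move those three comment lines to the `shellAsDrv = {script, pname}: ...` binding in the `let`, and give the ssh helpers their own one-liner, e.g. `# getPubkey: hosts config -> { hostName = ssh_pubkey; }, dropping hosts with no metadata.ssh_pubkey`. The same helpers are exported twice, at top level and again under `ssh = { inherit flattenPubkey getPubkey; };`; keep one, and since hosts/default.nix in this commit calls `lib.getPubkey`, the top-level export is the one in use. Note that `flattenPubkey` maps a missing key to `null` and `trimNull` removes it, but an empty-string `ssh_pubkey` passes through unchanged, so whatever renders these into authorized keys (outside this hunk) needs to reject that case itself.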
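Review bot: The context comment `# prune old builds after a while` above the corrected `nix.settings.auto-optimise-store = true;` in modules/minimal.sys.nix describes garbage collection, but `auto-optimise-store` only hard-links identical store files; it never removes old generations or builds. Change it to `# deduplicate identical store files via hard links (this is not GC)` and, if pruning is actually the intent, add `nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 30d"; };` alongside. For consistency with the `nix.settings.*` line just above, `experimental-features` could be set through the typed option `nix.settings.experimental-features = [ "nix-command" "flakes" ];` rather than the free-form `nix.extraOptions` string in which the original typo went unnoticed. The enclosing module attribute set continues past the end of the hunk.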
@@ -1,6 +1,6 @@
 {
 services.openssh = {
 enable = true;
- permitRootLogin = false;
+ permitRootLogin = "no";
 };
 }
diff --git a/secrets/_nhitrl.age b/secrets/_nhitrl.age
index 7b3f4d2..ba859ad 100644
Binary files a/secrets/_nhitrl.age and b/secrets/_nhitrl.age differ
diff --git a/secrets/s3fs.age b/secrets/s3fs.age
index 89113d0..88ed5a8 100644
--- a/secrets/s3fs.age
+++ b/secrets/s3fs.age
@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 ahbzMg 6pTVLAgOY/JZVWiCFHLo8xQ4/CL6620IMaBRpqI8Wws
-CtJeQuy5VzKZhJnIH+/cjlKsAcg0RY2bhHTWVm+hUOY
--> ssh-ed25519 glsjZQ we7RCgsnODTJ8rKYhU+9tu0DmLH+98mcQKQ3I2slikM
-G81lsFLQR9polxme1K/MU2d8Y01PrTqtzJnVq0EMJF0
--> |-grease B\W,I9z ^Gx;$ Kk7!4,P
-0Jl5Lhx7R8YOs9S+hUtQDDpNIqBhC/MM0N7w1MCtwYtkIIIWKfY9jkJ7+Cew2Ee5
-Qb04jnE
---- b7AXWRgK45a/91iwmwt5g+CWOlU/2f4nUDfXlg/bs9A
-%;3RmQWhp̖V;׮V[z9al=cLvau7,tUܶh^&ֿWJP6-ң n-=]
\ No newline at end of file
+-> ssh-ed25519 ahbzMg Lx4TLKDZ2yk3DQsM6nOOI1o+FHu0lNtT2p3PBdao+C4
+RsTScUeLmFrO6v1OOxBbyBCMBMVhsGrtu5W9iMOw8B0
+-> ssh-ed25519 glsjZQ CdLCkzb1dBoG9gYdMisaZBZT+nnzfOX326CWq6cvN1s
+UKGCxej9lZnLzsuFJnFOMpyrz7YzJrHcrFuDz8l8RQk
+-> U
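Review bot: `permitRootLogin = "no";` fixes the option's type, but the module still leaves password and keyboard-interactive authentication at their defaults, which is the surface that brute-force attempts against an exposed sshd actually hit; since this repository distributes an `ssh_pubkey` per host and user, key-only authentication is the setting the rest of the config expects. Add `passwordAuthentication = false;` and `kbdInteractiveAuthentication = false;` next to `permitRootLogin` in the same `services.openssh` attribute set. As far as I can tell those option names match the nixpkgs revision pinned in the new flake.lock (January 2023); later NixOS releases move them under `services.openssh.settings`, so all three lines will need to migrate together when nixpkgs is next bumped.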