so many sops

hosts/nas/apps/nextcloud/default.nix

@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 let
   adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
-  smtppassword = config.sops.templates."nextcloud-smtp".content;
+  smtppassword = builtins.readFile config.sops.secrets."jallen-nas/nextcloud/smtppassword".path;
   nextcloudUserId = config.users.users.nix-apps.uid;
   nextcloudGroupId = config.users.groups.jallen-nas.gid;
   nextcloudPackage = pkgs.unstable.nextcloud30;

hosts/nas/configuration.nix

@@ -3,15 +3,9 @@
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
 {
-  outputs,
-  config,
   pkgs,
   ...
 }:
-let
-  user = "admin";
-  passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
-in
 {
   imports = [
     # Include the results of the hardware scan.
@@ -21,45 +15,15 @@ in
     ./apps.nix
     ./grafana.nix
     ./networking.nix
+    ./nixpkgs.nix
     ./ups.nix
+    ./users.nix
     ./samba.nix
     ./services.nix
     ./sops.nix
     ../default.nix
   ];
 
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-
-  # enable cuda support
-  nixpkgs.config.cudaSupport = true;
-  nixpkgs.config.allowUnfreePredicate =
-    p:
-    builtins.all (
-      license:
-      license.free
-      || builtins.elem license.shortName [
-        "CUDA EULA"
-        "cuDNN EULA"
-        "cuTENSOR EULA"
-        "NVidia OptiX EULA"
-      ]
-    ) (if builtins.isList p.meta.license then p.meta.license else [ p.meta.license ]);
-
-  # Cockpit
-  services.cockpit = {
-    enable = false;
-    port = 9090;
-    settings = {
-      WebService = {
-        AllowUnencrypted = true;
-      };
-    };
-  };
-
-  nix.settings.trusted-users = [ "@wheel" ];
   powerManagement.cpuFreqGovernor = "powersave";
 
   share.hardware.nvidia = {
@@ -86,14 +50,9 @@ in
       hdd5 UUID=2b4be219-613d-4512-8277-0260989d5377 none tpm2-device=auto
     '';
 
-    etc.machine-id.source = ./machine-id;
-
-    # List packages installed in system profile. To search, run:
-    # $ nix search wget
-
-    sessionVariables = {
-      CACHIX_AGENT_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJkYmNkZWNjYi04ZTI4LTQwOTAtYWIxOC02MTU5OTYwZTgxMTAiLCJzY29wZXMiOiJjYWNoZSJ9.G-9wCfKc3d8ld_zDJNjTxNWlkS3_yojI-6gaRpUT-i0";
-    };
+    etc.machine-id.text = ''
+      57cdf5fc27f3469f80d0a339f1238aeb
+    '';
 
     systemPackages = with pkgs; [
       authentik
@@ -158,115 +117,6 @@ in
     };
   };
 
-  # Configure nixpkgs
-  nixpkgs = {
-    overlays = [
-      outputs.overlays.nixpkgs-unstable
-      outputs.overlays.nixpkgs-stable
-    ];
-
-    config = {
-      # Enable non free
-      allowUnfree = true;
-
-      permittedInsecurePackages = [
-        # ...
-        "authentik-2024.6.4" # todo: remove these
-        "python3.12-authentik-django-2024.6.4"
-        "authentik-webui-2024.6.4"
-        "authentik-client-api-2024.6.4"
-        "authentik-website-2024.6.4"
-        "authentik-proxy-2024.6.4"
-        "aspnetcore-runtime-6.0.36"
-        "aspnetcore-runtime-wrapped-6.0.36"
-        "dotnet-sdk-6.0.428"
-        "dotnet-sdk-wrapped-6.0.428"
-      ];
-    };
-  };
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users = {
-    # See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
-    mutableUsers = false;
-    groups.jallen-nas.gid = 1000; # create nas group cause truenas perms
-
-    # Admin account
-    users."${user}" = {
-      isNormalUser = true;
-      linger = true;
-      extraGroups = [
-        "wheel"
-        "networkmanager"
-        "docker"
-        "podman"
-        "libvirtd"
-        "nix-apps"
-        "jallen-nas"
-        "media"
-        "nscd"
-      ]; # Enable ‘sudo’ for the user.
-      hashedPasswordFile = passwordFile;
-      shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = [
-        # macBook
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
-        # desktop windows
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
-        # desktop nixos
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
-      ];
-      packages = with pkgs; [
-        cachix
-        fastfetch
-        git
-        parted
-        aspell
-        aspellDicts.en
-        aspellDicts.en-computers
-        aspellDicts.en-science
-        aha
-        papirus-icon-theme
-        firefox
-        swtpm
-        tigervnc
-      ];
-    };
-
-    # Nix app account
-    users.nix-apps = {
-      isSystemUser = true;
-      uid = 911;
-      group = "jallen-nas";
-      extraGroups = [
-        "jallen-nas"
-        "docker"
-        "podman"
-      ]; # Enable ‘sudo’ for the user.
-      hashedPasswordFile = passwordFile;
-    };
-
-    groups.nut.name = "nut";
-    users.upsuser = {
-      group = "nut";
-      isNormalUser = false;
-      isSystemUser = true;
-      createHome = true;
-      home = "/var/lib/nut";
-      homeMode = "750";
-      hashedPasswordFile = passwordFile;
-    };
-
-    users.nextcloud = {
-      isNormalUser = true;
-      extraGroups = [
-        "jallen-nas"
-        "nix-apps"
-      ];
-      hashedPasswordFile = passwordFile;
-    };
-  };
-
   hardware.fancontrol = {
     enable = false;
     config = ''
@@ -306,8 +156,5 @@ in
     };
 
     libvirtd.enable = true;
-
-    # tpm.enable = true;
-    # useSecureBoot = true;
   };
 }

hosts/nas/home.nix

@@ -1,12 +1,48 @@
 { ... }:
-{
+let
+  shellAliases = {
+    ll = "ls -alh";
+    update-boot = "sudo nixos-rebuild boot --max-jobs 10";
+    update-switch = "sudo nixos-rebuild switch --max-jobs 10";
+    update-flake = "nix flake update ~/nix-config";
+    ducks = "du -cksh * | sort -hr | head -n 15";
+  };
 
+  gitAliases = {
+    co = "checkout";
+    ci = "commit";
+    cia = "commit --amend";
+    s = "status";
+    st = "status";
+    b = "branch";
+    p = "pull --rebase";
+    pu = "push";
+  };
+in
+{
   home.username = "admin";
   home.homeDirectory = "/home/admin";
   home.stateVersion = "23.11";
-  programs.home-manager.enable = true;
+
+  sops = {
+    age.keyFile = "/home/admin/.config/sops/age/keys.txt";
+    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+    validateSopsFiles = false;
+    secrets = {
+      "ssh-keys-public/desktop-nixos" = {
+        path = "/home/admin/.ssh/id_ed25519.pub";
+        mode = "0644";
+      };
+      "ssh-keys-private/desktop-nixos" = {
+        path = "/home/admin/.ssh/id_ed25519";
+        mode = "0600";
+      };
+    };
+  };
 
   programs = {
+    home-manager.enable = true;
+    command-not-found.enable = true;
     fish.enable = false;
     mangohud.enable = true;
     java.enable = true;
@@ -19,10 +55,7 @@
       autosuggestion.enable = true;
       syntaxHighlighting.enable = true;
 
-      shellAliases = {
-        update = "sudo nixos-rebuild switch";
-        ducks = "du -cksh * | sort -hr | head -n 15";
-      };
+      shellAliases = shellAliases;
 
       oh-my-zsh = {
         enable = true;
@@ -30,23 +63,12 @@
         theme = "fishy";
       };
     };
-  };
 
-  programs.git = {
-    enable = true;
-    userName = "mjallen18";
-    userEmail = "matt.l.jallen@gmail.com";
-    aliases = {
-      co = "checkout";
-      ci = "commit";
-      cia = "commit --amend";
-      s = "status";
-      st = "status";
-      b = "branch";
-      p = "pull --rebase";
-      pu = "push";
+    git = {
+      enable = true;
+      userName = "mjallen18";
+      userEmail = "matt.l.jallen@gmail.com";
+      aliases = gitAliases;
     };
   };
-
-  programs.command-not-found.enable = true;
 }

hosts/nas/machine-id

@@ -1 +0,0 @@
-57cdf5fc27f3469f80d0a339f1238aeb

hosts/nas/nixpkgs.nix

@@ -0,0 +1,43 @@
+{ outputs, ... }:
+{
+  # Configure nixpkgs
+  nixpkgs = {
+    overlays = [
+      outputs.overlays.nixpkgs-unstable
+      outputs.overlays.nixpkgs-stable
+    ];
+
+    config = {
+      # Enable non free
+      allowUnfree = true;
+
+      # enable cuda support
+      cudaSupport = true;
+      allowUnfreePredicate = p:
+        builtins.all (
+          license:
+          license.free
+          || builtins.elem license.shortName [
+            "CUDA EULA"
+            "cuDNN EULA"
+            "cuTENSOR EULA"
+            "NVidia OptiX EULA"
+          ]
+        ) (if builtins.isList p.meta.license then p.meta.license else [ p.meta.license ]);
+
+      permittedInsecurePackages = [
+        # ...
+        "authentik-2024.6.4" # todo: remove these
+        "python3.12-authentik-django-2024.6.4"
+        "authentik-webui-2024.6.4"
+        "authentik-client-api-2024.6.4"
+        "authentik-website-2024.6.4"
+        "authentik-proxy-2024.6.4"
+        "aspnetcore-runtime-6.0.36"
+        "aspnetcore-runtime-wrapped-6.0.36"
+        "dotnet-sdk-6.0.428"
+        "dotnet-sdk-wrapped-6.0.428"
+      ];
+    };
+  };
+}

hosts/nas/services.nix

@@ -130,6 +130,16 @@ in
         '';
       };
     };
+    
+    cockpit = {
+      enable = false;
+      port = 9090;
+      settings = {
+        WebService = {
+          AllowUnencrypted = true;
+        };
+      };
+    };
 
     tailscale = {
       enable = true;

hosts/nas/sops.nix

@@ -92,6 +92,26 @@
     ${config.sops.secrets."jallen-nas/paperless/authentik-client-secret".path}
   '';
 
+  sops.secrets."ssh-keys-public/desktop-nixos" = {
+    mode = "0644";
+  };
+  sops.secrets."ssh-keys-public/desktop-windows" = {
+    mode = "0644";
+  };
+  sops.secrets."ssh-keys-public/macbook-macos" = {
+    mode = "0644";
+  };
+
+  sops.secrets."ssh-keys-public/jallen-nas-root" = {
+    path = "/root/.ssh/id_ed25519.pub";
+    mode = "0600";
+  };
+
+  sops.secrets."ssh-keys-private/jallen-nas-root" = {
+    path = "/root/.ssh/id_ed25519";
+    mode = "0600";
+  };
+
   # Permission modes are in octal representation (same as chmod),
   # the digits represent: user|group|others
   # 7 - full (rwx)

hosts/nas/users.nix

@@ -0,0 +1,93 @@
+{ pkgs, config, ... }:
+let
+  user = "admin";
+  passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
+  authorizedKeyFiles = [
+    config.sops.secrets."ssh-keys-public/desktop-nixos".path 
+    config.sops.secrets."ssh-keys-public/desktop-nixos-root".path 
+    config.sops.secrets."ssh-keys-public/desktop-windows".path
+    config.sops.secrets."ssh-keys-public/macbook-macos".path
+  ];
+in
+{
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users = {
+    # See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
+    mutableUsers = false;
+    groups.jallen-nas.gid = 1000; # create nas group cause truenas perms
+
+    # Admin account
+    users."${user}" = {
+      isNormalUser = true;
+      linger = true;
+      extraGroups = [
+        "wheel"
+        "networkmanager"
+        "docker"
+        "podman"
+        "libvirtd"
+        "nix-apps"
+        "jallen-nas"
+        "media"
+        "nscd"
+        "grafana"
+        "traefik"
+        "avahi"
+        "62900"
+        "1001"
+      ];
+      hashedPasswordFile = passwordFile;
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keyFiles = authorizedKeyFiles;
+      packages = with pkgs; [
+        cachix
+        fastfetch
+        git
+        parted
+        aspell
+        aspellDicts.en
+        aspellDicts.en-computers
+        aspellDicts.en-science
+        aha
+        papirus-icon-theme
+        firefox
+        swtpm
+        tigervnc
+      ];
+    };
+
+    # Nix app account
+    users.nix-apps = {
+      isSystemUser = true;
+      uid = 911;
+      group = "jallen-nas";
+      extraGroups = [
+        "jallen-nas"
+        "docker"
+        "podman"
+      ];
+      hashedPasswordFile = passwordFile;
+    };
+
+    groups.nut.name = "nut";
+    users.upsuser = {
+      group = "nut";
+      isNormalUser = false;
+      isSystemUser = true;
+      createHome = true;
+      home = "/var/lib/nut";
+      homeMode = "750";
+      hashedPasswordFile = passwordFile;
+    };
+
+    users.nextcloud = {
+      isNormalUser = true;
+      extraGroups = [
+        "jallen-nas"
+        "nix-apps"
+      ];
+      hashedPasswordFile = passwordFile;
+    };
+  };
+}