132 lines
5.4 KiB
Nix
132 lines
5.4 KiB
Nix
{
|
|
lib,
|
|
pkgs,
|
|
namespace,
|
|
...
|
|
}:
|
|
let
|
|
# SSH public keys sourced from sops secrets (ssh-keys-public section).
|
|
# Baked in here since sops is not available on a live install ISO
|
|
# (no persistent host key to decrypt with).
|
|
sopsPublicKeys = [
|
|
# macbook-macos
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
|
|
# desktop-windows
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
|
|
# desktop-nixos
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
|
|
# macbook-pro-nixos
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOhX3ds1QBC5qqqtPJDZgyGr8gfGjCGnGCiIhWZNNi4 matt@macbook-pro-nixos"
|
|
# pi5
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy7r49e2dqi1UFICKZwqSRGEvNPgVB2p2KZE5bCkFsh matt@pi5"
|
|
# deck
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINF1pqrxyLTGHxsdtXP8lXiE2iHDTSMV9JVgN8GVRLKK deck@nixos"
|
|
];
|
|
in
|
|
{
|
|
${namespace} = {
|
|
# ###################################################
|
|
# # Boot # #
|
|
# ###################################################
|
|
|
|
bootloader.lanzaboote.enable = true;
|
|
|
|
# ###################################################
|
|
# # Hardware # #
|
|
# ###################################################
|
|
|
|
hardware.disko = {
|
|
enable = true;
|
|
filesystem = "btrfs";
|
|
};
|
|
|
|
# ###################################################
|
|
# # Impermanence # #
|
|
# ###################################################
|
|
|
|
impermanence = {
|
|
enable = true;
|
|
};
|
|
|
|
# ###################################################
|
|
# # Network # #
|
|
# ###################################################
|
|
|
|
network = {
|
|
hostName = "nixos";
|
|
firewall = {
|
|
enable = true;
|
|
allowPing = true;
|
|
# Allow SSH (required for nixos-anywhere)
|
|
allowedTCPPorts = [ 22 ];
|
|
};
|
|
};
|
|
|
|
# ###################################################
|
|
# # Security # #
|
|
# ###################################################
|
|
|
|
security.tpm.enable = true;
|
|
|
|
# ###################################################
|
|
# # Services # #
|
|
# ###################################################
|
|
|
|
# ###################################################
|
|
# # User # #
|
|
# ###################################################
|
|
|
|
user = {
|
|
name = "nixos";
|
|
linger = true;
|
|
# Plain-text password for the live ISO session.
|
|
# The user module assertion requires at least one password method.
|
|
password = "nixos";
|
|
# Include all sops SSH public keys so any of your machines can connect.
|
|
# commonSshKeys from the user module are also enabled by default.
|
|
sshKeys = sopsPublicKeys;
|
|
};
|
|
};
|
|
|
|
specialisation.graphical.configuation = {
|
|
# ###################################################
|
|
# # Desktop # #
|
|
# ###################################################
|
|
${namespace}.desktop.cosmic.enable = true;
|
|
};
|
|
|
|
# home-manager.users.nixos.snowfallorg.user.name = "nixos";
|
|
|
|
# ###################################################
|
|
# # Boot # #
|
|
# ###################################################
|
|
|
|
boot = {
|
|
kernelPackages = lib.mkForce pkgs.cachyosKernels.linuxPackages-cachyos-latest-lto;
|
|
supportedFilesystems.zfs = false;
|
|
};
|
|
|
|
# ###################################################
|
|
# # SSH # #
|
|
# ###################################################
|
|
# Explicit openssh settings for nixos-anywhere compatibility.
|
|
# nixos-anywhere SSHes in as root to run the install, so root login must be
|
|
# permitted. Password auth is disabled — key-only access only.
|
|
services.openssh = {
|
|
enable = lib.mkForce true;
|
|
settings = {
|
|
PermitRootLogin = lib.mkForce "yes";
|
|
PasswordAuthentication = lib.mkForce false;
|
|
};
|
|
};
|
|
|
|
# nixos-anywhere connects as root; ensure root also trusts all our keys.
|
|
users.users.root.openssh.authorizedKeys.keys = sopsPublicKeys;
|
|
|
|
# Sops is not usable on a live ISO (no persistent host key to decrypt with).
|
|
# Disable sops validation to prevent build/boot failures.
|
|
sops.defaultSopsFile = lib.mkForce "/dev/null";
|
|
sops.validateSopsFiles = false;
|
|
|
|
}
|