Commit 88741dd
modules/hosts/kevin/default.nix
@@ -12,6 +12,7 @@
den.hosts.x86_64-linux.kevin = {
usage = "laptop";
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOO9CyAqGo/WbJkncrt1a9jxS1E+hd550SC4A08I/l0/ root@kevin";
+ hashedPasswordAged = ./hashed-password.age;
users.hpcesia.classes = ["homeManager"];
instantiate = {modules}:
inputs.nixpkgs.lib.nixosSystem {
@@ -43,8 +44,6 @@
desktop
dev
game
- user-root
- user-hpcesia
ssh-host-pardofelis
])
++ (
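Review bot: Dropping `user-root` from the nixos imports silently changes root's SSH access on kevin: the deleted modules/users/root module put the hpcesia@kevin key into root's authorized_keys, while the replacement `provides.host` aspect reads `host.authorizedKeys`, which kevin never sets and which defaults to `[]` in schema.nix. If the tightening is intended (the key lives on kevin itself, so root login from it makes little sense), a one-line comment next to `hashedPasswordAged` on L12 such as `# no authorizedKeys: root on kevin is password-only, no SSH key login` would stop the next reader from treating it as an omission. The enclosing `instantiate` expression continues outside the hunk.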
@@ -63,7 +62,6 @@
desktop
dev
game
- user-hpcesia
])
++ [config.flake.modules.homeManager."hosts/kevin"];
};
modules/hosts/kevin/hashed-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 fNSSHCGWppnzCbvnOTqMXYaDDcMUDbhq9Gcpep6Ptxs
+2z9anwuqN40iehOlNJISr+H/B52jdT/Ap+F39rall/k
+-> /#KdmAou-grease -Jvn)QSy '1| yW&U8Oug
+V+Ut2sKQkI9AlIPyd3IhP3EXpTZUAcb5Lvqr4b2dwBhq8rvrHgGafsNQdxS+4w32
+u3cNo1rueQqP1nxIZTiJkYJ1HfPKqgac/Y6CPj1k57ezbhbEUL4n0i4HFQ
+--- RFilzKFUuwsnY2QbQ/FONd6afgg1SJ2k7oxE3McFNfI
+���%&�c�~����oH��\�p�4 Lcm���BΥ(/�f͑�OS(�a
+5��_����ϓ ���ҋ̔9�uXfɨA5��d5ڍ����n�W4m��L[xZE��b.�
\ No newline at end of file
modules/hosts/pardofelis/default.nix
@@ -11,8 +11,10 @@
#############################################################
den.hosts.x86_64-linux.pardofelis = {
usage = "server";
- sshPorts = [23930];
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuT/WkeA7btTeATmWJ2O9f/A6FI0Gl/1KjPGfHbWD5C root@pardofelis";
+ hashedPasswordAged = ./hashed-password.age;
+ sshPorts = [23930];
+ authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMKaGC2I3an4AJDeWzVx5vhm63+kxi6zJNdh7yEp6CK hpcesia@kevin"];
users.hpcesia = {};
instantiate = {modules}:
inputs.nixpkgs.lib.nixosSystem {
@@ -42,8 +44,6 @@
imports =
(with config.flake.modules.nixos; [
core
- user-hpcesia
- user-root
])
++ (
map
modules/hosts/pardofelis/hashed-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 +QyOuXj2AQWmrHZgzp8nSeuglcoZlMPqWilqF7FmZUo
+f+37GiPBj04YXaO5+iH+ItxkC/YIICBU34xZKDvlpm8
+-> *AeO%}-grease
+5yZGZXYlT4UiQzYT8mUVtk4+Tuz4t/AB4T9/dgnG
+--- 2mPiuGKAyE7Uepfe5VPjctaHjDxjhOKUMutqFfo2j/o
+��@,N���aԽ��y�������((�aR���?�]��>���6v�ӧ_�{pN��N�
/&\C�8���M��&�M��6`����ȧ2��q�ݸ��o�s
\ No newline at end of file
modules/hosts/default.nix
@@ -9,7 +9,21 @@ in {
};
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
};
+
den.default.includes = [
<den/hostname>
+
+ <default/host>
];
+
+ den.aspects.default.provides.host = {host, ...}: {
+ nixos = {config, ...}: {
+ users.users.root = {
+ hashedPasswordFile = config.vaultix.secrets."${host.name}-hashed-password".path;
+ openssh.authorizedKeys.keys = host.authorizedKeys;
+ };
+
+ vaultix.secrets."${host.name}-hashed-password".file = host.hashedPasswordAged;
+ };
+ };
}
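Review bot: The new `provides.host` aspect configures the root account from host metadata but carries no documentation of that, and the effect is easy to miss because the option names in schema.nix do not mention root. I would add a header comment above L90 such as `# Every host: root's password hash comes from the age-encrypted hashedPasswordAged (decrypted by vaultix at activation) and root's SSH authorized_keys from host.authorizedKeys, which defaults to [] so key-based root login is opt-in per host.` The `hashedPasswordAged` option has no default in schema.nix, so every entry in `den.hosts` must now provide a file or evaluation fails; worth stating in the same comment.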
modules/hosts/schema.nix
@@ -17,10 +17,19 @@
type = lib.types.str;
description = "Public SSH key for the host.";
};
+ options.hashedPasswordAged = lib.mkOption {
+ type = lib.types.pathInStore;
+ description = "Age encrypted hashed password file path for host root user.";
+ };
options.sshPorts = lib.mkOption {
type = lib.types.listOf lib.types.port;
description = "List of ports to open for SSH access.";
default = [22];
};
+ options.authorizedKeys = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "List of authorized keys for host root user.";
+ default = [];
+ };
};
}
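Review bot: `options.hashedPasswordAged` has no `default`, so it is effectively required for every host, yet its description does not say so; the sibling `sshPorts` and `authorizedKeys` both have defaults, which makes the omission look accidental. Suggested wording: `description = "Required. Age-encrypted file containing the root user's hashed password; decrypted by vaultix on the host.";`. Note also that `lib.types.pathInStore` copies the ciphertext into the world-readable Nix store, which is acceptable only because the file is age-encrypted — a reader unfamiliar with the layout would benefit from that sentence. For `authorizedKeys`, `"SSH public keys allowed to log in as root on this host."` is more precise than the current description.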
modules/users/hpcesia/default.nix
@@ -1,16 +1,20 @@
-{lib, ...}: {
- flake.modules.nixos.user-hpcesia = {config, ...}: {
+{
+ lib,
+ den,
+ ...
+}: let
+ inherit (den.lib) __findFile;
+in {
+ den.aspects.hpcesia.includes = [
+ <den/primary-user>
+ ];
+
+ den.aspects.hpcesia.nixos = {config, ...}: {
users.users.hpcesia = {
description = "HPCesia";
- home = "/home/hpcesia";
hashedPasswordFile = config.vaultix.secrets.user-hpcesia-hashed-password.path;
- isNormalUser = true;
extraGroups =
[
- "hpcesia"
- "users"
- "networkmanager"
- "wheel"
"nix-secrets-ssh-hosts"
]
++ (lib.optionals config.virtualisation.podman.enable ["podman"])
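Review bot: The rewrite removes `"wheel"`, `"networkmanager"` and `"users"` from hpcesia's `extraGroups` (L145–L148) while the new users/default.nix aspect only adds the user's own group, so unless `<den/primary-user>` (not visible in this diff) re-adds them, hpcesia loses sudo and network-manager membership on every host. If `<den/primary-user>` is the intended source of those groups, a comment after L134 such as `# primary-user supplies wheel/networkmanager membership` would make that dependency explicit; if it is not, the groups should come back here. The `extraGroups` list continues past the end of this hunk.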
@@ -21,15 +25,8 @@
];
};
- users.groups.hpcesia = {};
-
users.groups.nix-secrets-ssh-hosts = {};
vaultix.secrets.user-hpcesia-hashed-password.file = ./hashed-password.age;
};
-
- flake.modules.homeManager.user-hpcesia = _: {
- home.username = "hpcesia";
- home.homeDirectory = "/home/hpcesia";
- };
}
modules/users/root/default.nix
@@ -1,10 +0,0 @@
-{
- flake.modules.nixos.user-root = {config, ...}: {
- users.users.root = {
- hashedPasswordFile = config.vaultix.secrets.user-root-hashed-password.path;
- openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMKaGC2I3an4AJDeWzVx5vhm63+kxi6zJNdh7yEp6CK hpcesia@kevin"];
- };
-
- vaultix.secrets.user-root-hashed-password.file = ./hashed-password.age;
- };
-}
modules/users/root/hashed-password.age
Binary file
modules/users/default.nix
@@ -0,0 +1,25 @@
+{
+ lib,
+ den,
+ ...
+}: let
+ inherit (den.lib) __findFile;
+in {
+ den.default.includes = [
+ <default/user>
+ ];
+ den.aspects.default.provides.user = {user, ...}: {
+ nixos = {
+ users.users.${user.userName} = {
+ home = lib.mkDefault "/home/${user.userName}";
+ isNormalUser = true;
+ extraGroups = [user.userName];
+ };
+ users.groups.${user.userName} = {};
+ };
+ homeManager = {
+ home.username = user.userName;
+ home.homeDirectory = "/home/${user.userName}";
+ };
+ };
+}
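Review bot: The nixos side sets `home = lib.mkDefault "/home/${user.userName}"` (L195), so a host may override it, but the homeManager side hard-codes `home.homeDirectory = "/home/${user.userName}"` (L203); an overridden home directory would leave Home Manager writing into a path the account does not use. Making the second line overridable too, `home.homeDirectory = lib.mkDefault "/home/${user.userName}";`, keeps the two in step. A one-line comment on the aspect stating that it provides the baseline account, its private group and the Home Manager identity for every user would also help, since `provides.user` is otherwise undocumented.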
secrets/cache/kevin/10869e289adfacf42e7b6e77cf32a4a8cc185bff1231c2353e2df057f7f5d28d
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 WM7kiQ 3KCEWMDaXuvgmYZ2GmrSDI4uD48ntEqhMqZ2A4E6oUE
-ztXal/DUcureswG4+5cZ7KyZZL8k8dByU+DG47b/QA0
--> o7Z7m%-grease .OeqX [z9ug<DJ
-qVlDmufYwoBLfjUBTEt6Altrj/7LyKMFwalDSmflKBw
---- K1E2JiwwK4TD8mkW9TX166QEW0yqia1aW30RYS71t+M
-��6�i𠩔(�=�l���9 �%�h���jx���azZ��Uǻz�&���ПYS�_Ox˯ǔP+�['�����%�Q9o��Om�rv�tEW�[�F �����I]��
\ No newline at end of file
secrets/cache/kevin/b0c23ce6d7cb28ec4e359d72e2c3983ad3184732ce879826338d005a81327039
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 WM7kiQ xFoyEsWQQoyj/8G6Y6bSGwPtQ2hw4kPZk/1RsDIQjTc
+tmrgX3IXsVsKhNS+6wHPWX7+PHQPDLuPbo+w+EVUlcE
+-> Zq-grease /x~r!wb_ u"Rh0_"; D3oc'
+0RIshcy27GZg8XFV/v7ifZDY
+--- 9DsRhwWN6SiLIaVlEDLTNxZkPr73r7bXwxNsOK1o2Oo
+}):9zY�����X}�0�}��nc��-�j�#Z5���"nԷ�V:Ƒ�K"]���VtOtg�������iˈ�G;C|������7�K�3Iϗ�R�0h�#����
\ No newline at end of file
secrets/cache/pardofelis/051d1f6581329509b5cdb26edec3afa99418f95f2dbfc8a485f91a3c46de59fd
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw sOsec4emyZ/0jcAYa3sxBgHy5eXMLWqEfi2Hvwp3zjM
+OlI+TDgTAta5XQrFBnVHuZUdCEztWiKueMDoNlXiBYU
+-> 8J-grease
+NveZ2MDyL9UIdVz/flniSZVUAWBW3FEY5Jl5CXL6WdtQQR5TG4YgrjDcE93NTQQd
+G2QnLzt2pUYBh1lx2w9QM02SovDUPZ9WzQ7hP8A7gSLw
+--- jq2ogVEEAoEktAH/UDcfHaYZGGu7YIZRw/WzUtKzZq8
+�� �|[��@UF����[�����(k^Ej�|���S*!I�H0��S�'.hspW�+C�
+O�Kr�[�=��"��3ʆ���=�ۏ#ѷ�b����C�K�>XMYrI
\ No newline at end of file
secrets/cache/pardofelis/25f0d7cedc32deb310fc0279df14e0ed74f8bf29aa01b938b55f9f054a1cabbc
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 B1HLiw yWo1I5DPVSFLMMJSf2TGsrxPdbX4CuzEb1JSMXUTyXM
-XdG+8O+uR1afBbEi3E3Phbl1jDcs7M4553TXOOAUEII
--> hiHi-grease &z#U "X=>!]{r
-NQ
---- C7owaUL0zLaxRwqIEc+rJWK9KSmcP1uXl8cjN5V4Nxg
-�=�K��A�����#��mq�3x�
2%�t����10�X�I���������~�������A��
-��~�lDQ�TJ�>�@������p�"�#�.d��2m"B�
\ No newline at end of file