diff --git a/class/desktop/plasma.nix b/class/desktop/plasma.nix
index c7b7626..ae3015b 100644
--- a/class/desktop/plasma.nix
+++ b/class/desktop/plasma.nix
@@ -5,13 +5,9 @@
 }: {
 services = {
 desktopManager.plasma6.enable = true;
- xserver = {
+ displayManager.sddm = {
 enable = true;
- excludePackages = [pkgs.xterm];
- displayManager.sddm = {
- enable = true;
- wayland.enable = true;
- };
+ wayland.enable = true;
 };
 };
diff --git a/class/desktop/users.nix b/class/desktop/users.nix
index 0dd12db..c5a9c18 100644
--- a/class/desktop/users.nix
+++ b/class/desktop/users.nix
@@ -1,11 +1,15 @@
-{
+{config, ...}: {
+ age.secrets.user-guest.file = ../../secrets/user-guest.age;
+
 users = {
 groups.guest = {};
 users.guest = {
 isNormalUser = true;
- password = "guest";
+ hashedPasswordFile = config.age.secrets.user-guest.path;
 extraGroups = ["wheel" "networkmanager" "gamemode"];
 };
 };
+
+ services.displayManager.hiddenUsers = ["guest"];
 }
diff --git a/common/users.nix b/common/users.nix
index a1cad7d..b56b3c7 100644
--- a/common/users.nix
+++ b/common/users.nix
@@ -14,11 +14,12 @@
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4U9RzV/gVGBfrCOye7BlS11g5BS7SmuZ36n2ZIJyAX lukas@glacier"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAztZgcRBHqX8Wb2nAlP1qCKF205M3un/D1YnREcO7Dy lukas@flamingo"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMC6vIcPgOHiAnG1be8IQVePlrsxN/X9PEFJghS6EcOb lukas@scenery"
 ];
 extraGroups = ["wheel" "networkmanager" "gamemode"];
 linger = true;
 };
 };
 };
+
+ services.displayManager.sddm.settings.Autologin.User = "lukas";
 }
diff --git a/flake.lock b/flake.lock
index 630c7b6..e9d57ee 100644
--- a/flake.lock
+++ b/flake.lock
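Review bot: With `excludePackages = [pkgs.xterm]` gone, `pkgs` appears to be unused in class/desktop/plasma.nix; if nothing outside the hunk still references it, remove it from the module's argument set above the hunk so the binding does not linger. The `services` attribute set closes inside the hunk, but the file's outer `}` is below it.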
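Review bot: The guest account in class/desktop/users.nix keeps `extraGroups = ["wheel" "networkmanager" "gamemode"]`, so moving its password into `hashedPasswordFile` still leaves a shared-credential account in wheel, and with the default `security.sudo.wheelNeedsPassword` that same password is a root-equivalent sudo password. Drop `"wheel"` from the guest's `extraGroups` unless guests are meant to administer the machine, and if they are, say so in a comment on that line. `services.displayManager.hiddenUsers = ["guest"]` only hides the account from the SDDM user list; it does not restrict who can log in as guest.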
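Review bot: `services.displayManager.sddm.settings.Autologin.User = "lukas"` lives in common/users.nix, which flake.nix imports for every host, and on the desktops it boots straight into lukas's session without the password that user-lukas.age now protects, so physical access to glacier or flamingo yields an unlocked session unless disk encryption or a lock screen stands in front of it. If autologin is intended, move it to class/desktop next to the SDDM enablement and use the module option `services.displayManager.autoLogin = { enable = true; user = "lukas"; };`, which also sets the SDDM `Autologin.Session` entry (SDDM may ignore a `User` without a session; it may also require `defaultSession` — verify) and can be switched off per host. The enclosing `users.users.lukas` definition starts above the hunk.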
@@ -247,11 +247,11 @@
 },
 "hardware": {
 "locked": {
- "lastModified": 1711352745,
- "narHash": "sha256-luvqik+i3HTvCbXQZgB6uggvEcxI9uae0nmrgtXJ17U=",
+ "lastModified": 1712909959,
+ "narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0",
+ "rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
 "type": "github"
 },
 "original": {
@@ -482,11 +482,11 @@
 },
 "nixpkgs_5": {
 "locked": {
- "lastModified": 1712163089,
- "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
+ "lastModified": 1712791164,
+ "narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
+ "rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 9919919..ebc488e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,7 +31,6 @@
 inputs.agenix.nixosModules.default
 inputs.mailserver.nixosModule
- ./modules
 ./common
 ./class/${class}
 ./hosts/${name}
@@ -43,7 +42,6 @@
 nixosConfigurations = builtins.mapAttrs commonNixosSystem {
 glacier = "desktop";
 flamingo = "desktop";
- scenery = "desktop";
 abacus = "server";
 vessel = "server";
 };
diff --git a/hosts/abacus/default.nix b/hosts/abacus/default.nix
index ba7893c..0e0538a 100644
--- a/hosts/abacus/default.nix
+++ b/hosts/abacus/default.nix
@@ -1,6 +1,6 @@
 {modulesPath, ...}: {
 imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
+ "${modulesPath}/profiles/qemu-guest.nix"
 ./atuin.nix
 ./conduit.nix
diff --git a/hosts/abacus/hiraeth.nix b/hosts/abacus/hiraeth.nix
deleted file mode 100644
index a0efaac..0000000
--- a/hosts/abacus/hiraeth.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- config,
- lib,
- ...
-}: {
- # TODO
- age.secrets = {
- hiraeth-jwt-sign-key = {
- file = ../../secrets/hiraeth-jwt-sign-key.age;
- owner = "hiraeth";
- group = "hiraeth";
- };
-
- hiraeth-jwt-verify-key = {
- file = ../../secrets/hiraeth-jwt-verify-key.age;
- owner = "hiraeth";
- group = "hiraeth";
- };
- };
-
- services = {
- postgresql = {
- enable = lib.mkDefault true;
-
- ensureDatabases = ["hiraeth"];
- ensureUsers = [
- {
- name = "hiraeth";
- ensureDBOwnership = true;
- }
- ];
- };
-
- hiraeth = {
- enable = true;
- settings = {
- address = "127.0.0.1:8040";
- name = "hiraeth";
- db_type = "postgres";
- datadir = "/var/lib/hiraeth";
- dsn = "host=/run/postgresql user=hiraeth";
- jwt_sign_key_file = config.age.secrets.hiraeth-jwt-sign-key.path;
- jwt_verify_key_file = config.age.secrets.hiraeth-jwt-verify-key.path;
- chunk_size = 1024 * 1024 * 128;
- timeout = 60;
- inline_types = [
- "application/pdf"
- "audio/mpeg"
- "audio/flac"
- "audio/vorbis"
- "image/jpeg"
- "image/png"
- "text/plain"
- "video/mp4"
- ];
- };
- };
-
- nginx.virtualHosts."share.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- quic = true;
-
- locations."/".proxyPass = "http://${config.services.hiraeth.settings.address}";
- };
- };
-}
diff --git a/hosts/flamingo/default.nix b/hosts/flamingo/default.nix
index cf3d00d..bf13491 100644
--- a/hosts/flamingo/default.nix
+++ b/hosts/flamingo/default.nix
@@ -4,7 +4,7 @@
 ...
 }: {
 imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
+ "${modulesPath}/installer/scan/not-detected.nix"
 inputs.hardware.nixosModules.lenovo-thinkpad-t480
 ];
diff --git a/hosts/glacier/default.nix b/hosts/glacier/default.nix
index adeb5d3..779804e 100644
--- a/hosts/glacier/default.nix
+++ b/hosts/glacier/default.nix
@@ -4,7 +4,7 @@
 ...
 }: {
 imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
+ "${modulesPath}/installer/scan/not-detected.nix"
 inputs.hardware.nixosModules.common-cpu-amd
 inputs.hardware.nixosModules.common-gpu-amd
diff --git a/hosts/scenery/default.nix b/hosts/scenery/default.nix
deleted file mode 100644
index 4089340..0000000
--- a/hosts/scenery/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- inputs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
-
- inputs.hardware.nixosModules.lenovo-thinkpad-x260
- ];
-
- nixpkgs.hostPlatform = "x86_64-linux";
-
- boot = {
- initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
- kernelModules = ["kvm-intel"];
- };
-
- system.stateVersion = "24.05";
-
- powerManagement.cpuFreqGovernor = "powersave";
-
- console.keyMap = "de";
- services.xserver.layout = "de";
-}
diff --git a/hosts/vessel/default.nix b/hosts/vessel/default.nix
index 5e5caab..cad1e91 100644
--- a/hosts/vessel/default.nix
+++ b/hosts/vessel/default.nix
@@ -4,7 +4,7 @@
 ...
 }: {
 imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
+ "${modulesPath}/installer/scan/not-detected.nix"
 inputs.hardware.nixosModules.common-cpu-intel
 inputs.hardware.nixosModules.common-gpu-intel
diff --git a/modules/default.nix b/modules/default.nix
deleted file mode 100644
index 4482bf5..0000000
--- a/modules/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- imports = [
- ./hiraeth.nix
- ];
-}
diff --git a/modules/hiraeth.nix b/modules/hiraeth.nix
deleted file mode 100644
index 08db537..0000000
--- a/modules/hiraeth.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.services.hiraeth;
- settingsFormat = pkgs.formats.toml {};
-in {
- options.services.hiraeth = {
- enable = lib.mkEnableOption "hiraeth";
- package = lib.mkPackageOption pkgs "hiraeth" {};
- settings = lib.mkOption {
- type = settingsFormat.type;
- default = {};
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.services.hiraeth = {
- description = "Hiraeth File Sharing Service";
- after = ["network.target"];
- wantedBy = ["multi-user.target"];
-
- serviceConfig = {
- Type = "simple";
- User = config.users.users.hiraeth.name;
- Group = config.users.groups.hiraeth.name;
- StateDirectory = "hiraeth";
- StateDirectoryMode = "0700";
- UMask = "0077";
- WorkingDirectory = "/var/lib/hiraeth";
- ExecStart = "${pkgs.getExe' cfg.package "hiraeth"} run";
- Restart = "always";
- TimeoutSec = 10;
- ReadOnlyPaths = "/etc/hiraeth/hiraeth.toml";
- DevicePolicy = "closed";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- ProtectHome = "read-only";
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectControlGroups = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
- };
-
- users = {
- users.hiraeth = {
- isSystemUser = true;
- group = config.users.groups.hiraeth.name;
- };
- groups.hiraeth = {};
- };
-
- environment.etc."hiraeth/hiraeth.toml" = {
- source = settingsFormat.generate "hiraeth.toml" cfg.settings;
-
- mode = "0440";
- user = config.users.users.hiraeth.name;
- group = config.users.users.hiraeth.group;
- };
- };
-}
diff --git a/secrets/mail-lukas.age b/secrets/mail-lukas.age
index ba2bbb8..097c9e0 100644
--- a/secrets/mail-lukas.age
+++ b/secrets/mail-lukas.age
@@ -1,11 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 SFHVrw 3JZ4vApGhqF9iRQvfhkg8gIonZLGrBp9i9E1RZM7zn8 -3v08N6zWIuEIs+bt2GeWF60it9sDE4E2+hgoTbayv4k --> ssh-ed25519 S+dwQQ NfiaomfNXA5cJKzdPWJmJlHK4r2ZN24E2tymgROlogM -29EKJivtkdnWOtTee56peTOgEjBM4gXVSlzUekBUKZU --> ssh-ed25519 5IO6QQ DifPg5bQ5C0h2URSfei3NV+sfBkeNs6tz/OSJzACcDw -yV4UkgUsUUdZOpPoLgmJy9sJIrHIN/5esobFFJfsMC8 --> ssh-ed25519 ffmsLw 1/Ur807TPTjuapdynnicK8k2ACiMRDZ4CQpgAyiAql0 -9/4FKZqBnk2Q/VY6j/UOCuwUpbwmOMrhNh7zIdRTvqk ---- PXMswgq0lbERBdFOFPnc48j3r2t9aR3+SPenu0karWg -~指20((C_W#WNIsRp74Jԝ >cp"C8+7:CƓJj \ No newline at end of file +-> ssh-ed25519 SFHVrw LiDCAhLHNnb0AbtKaSxP32Erwaqpm9rkVqqTYsg7VX4 +rgZBcTW88Zynex2AWXHpJ5VdlLAe3MtNN4vRhV03/yw +-> ssh-ed25519 S+dwQQ b1tjzc5ipNB1O5+sj+NTdPquv842V1SNfVLwlhllpmo +q0KI/Rb1D359bRSsrwJrG0Sfy7YFe1y2qZZY6e5SySE +-> ssh-ed25519 ffmsLw OLoQCT99w3kM1wyzCWGeh6tO7fH46GbIzLSWJNxA+V8 ++hfzOs8JPE5/Paag/7PkIYmRG8ppJMouvxDcyyfrzv4 +--- Q2ZHMtaw0pwEOOGBxnRRNzjfEbcQqzP82QNFPRgazGw +D$|dtS}N{`vbfn5ߝR*O@ހXwyזj?O4b  ]8N|+% \ No newline at end of file diff --git a/secrets/nextcloud-lukas.age b/secrets/nextcloud-lukas.age index 97f3358..dda3b74 100644 --- a/secrets/nextcloud-lukas.age +++ b/secrets/nextcloud-lukas.age 
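Review bot: Re-encrypting secrets/mail-lukas.age without the `5IO6QQ` recipient stanza (and likewise nextcloud-lukas.age, restic-vessel.age and user-lukas.age, which also drops `2ktApw`) only affects the new ciphertext; the previous ciphertexts stay in git history and remain decryptable by the dropped keys, which appear to be the two scenery keys removed from secrets.nix in this commit. If scenery's user or host key can no longer be treated as private, the plaintext values themselves (mail, Nextcloud, restic and user passwords) need to be rotated, not just the recipient lists. A short note in the commit message or in secrets.nix saying whether the values were rotated would make this auditable later.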
@@ -1,12 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 SFHVrw F1EZXe0gnSNWIhPqxkSPLUpU7yROj8mSClFjFjpvdV8 -4McyaDtxvEOI9CBLNMEimnFTtXGoUcVzfQ3zfmMl3o8 --> ssh-ed25519 S+dwQQ WT+jOjytoIKg2cPlD1bchFYaKxTJ63nixignaTNOqBM -kf5FYspdW859XaZL+mbnkchoUg4mFONuV8axas7RuLI --> ssh-ed25519 5IO6QQ b8cU+T+50PZ24o2YflQ9EEojxHDdnB9hlPdcggruhHM -qPjpL4q6+0osKkseBlY0ACSZbnhHoPo7RMP31t7l/T4 --> ssh-ed25519 ffmsLw 3Y8iqWTYOJUCNexfOkd3QfG4P5onmanDbh7gdUPYwzE -smKtEI17pzGvXkiJT9jC4hoECCHm1sEd7rEu92BUBSY ---- BEki7iC6CxE/6NEdkkjAVkBKgO5nuxqLxRu4JiGBcaY -\zsGz3VRӔ - &Xq0 ;TK \ No newline at end of file +-> ssh-ed25519 SFHVrw jUO5Z4j1ADd4QMPziuvNDh0iUirvrV32Z1+xbnkoVks +FJGle7Kr6knbPrgCg6Lk1ge+jV7Im4Z8FAmkQKlP6Ik +-> ssh-ed25519 S+dwQQ wKH3jZM/aruNPE5tYSROFGUdXw2o3lws76OvAXubhxk +Jhv2kqxgHM26iuvDs0LTf4ahlaiRacN6wpH7iHuknF4 +-> ssh-ed25519 ffmsLw kNKHrTEm4pFyC1r6Kjah3pl+0xnTuFt9ccha0uh0Z3Q +bLP4RrHR5gUm2ZuFNcK2m6tnC24PiGdevnuNTQ9Kb0g +--- FznEfHzpAG79LYYxIBJYgCFeUrb9Tn9yS5wXfJVeeEU ++c8:vbT]4$\)Є[T@W;FfNFG \ No newline at end of file diff --git a/secrets/restic-vessel.age b/secrets/restic-vessel.age index d1a469e..ba151dc 100644 Binary files a/secrets/restic-vessel.age and b/secrets/restic-vessel.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 263fb3d..056ce9d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -2,18 +2,25 @@ let
 users = {
 "lukas@flamingo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAztZgcRBHqX8Wb2nAlP1qCKF205M3un/D1YnREcO7Dy";
 "lukas@glacier" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4U9RzV/gVGBfrCOye7BlS11g5BS7SmuZ36n2ZIJyAX";
- "lukas@scenery" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMC6vIcPgOHiAnG1be8IQVePlrsxN/X9PEFJghS6EcOb";
 };
 hosts = {
 glacier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrKpoDV/ImivtTZVbSsQ59IbGYVvSsKls4av2Zc9Nk8";
 abacus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoUgClpkOlBEffQOb9KkVn970RwnIhU0OiVr7P2WVzg";
- scenery = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHDS4LGl73WhC7NSzFe0ghZ0EwLjuP/43GGS65pPpu0";
 vessel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkYcOb1JPNLTJtob1TcuC08cH9P2APAhLR26RYd573d";
 flamingo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInV+UpCZhoTwgkgnCzCPEu3TD5b5mu6tagRslljrFJ/";
 };
+
+ desktops = {
+ inherit (hosts) glacier flamingo;
+ };
+
+ servers = {
+ inherit (hosts) abacus vessel;
+ };
 in {
 "user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues hosts);
+ "user-guest.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues desktops);
 "mail-lukas.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
 "vaultwarden.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
 "nextcloud-lukas.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
diff --git a/secrets/user-guest.age b/secrets/user-guest.age
new file mode 100644
index 0000000..63f9ff5
--- /dev/null
+++ b/secrets/user-guest.age
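Review bot: The `users` keys in secrets/secrets.nix are the same ssh-ed25519 public keys as lukas's `openssh.authorizedKeys.keys` in common/users.nix, and this commit had to delete the scenery key in both places by hand; the next time one list changes without the other, a retired key keeps either SSH access or secret-decryption rights. Keep the key material in one file that both secrets.nix and common/users.nix read, so removing a key drops it from SSH and from the age recipients in a single edit. The new `servers` set is not referenced in this hunk; if nothing below uses it, either drop it or add a comment such as `# reserved for secrets that only abacus and vessel should decrypt` above it.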
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 SFHVrw XwFbvZ91rDE2Ux6BOxWqa0tpmp9W93n6c15WewMd83g +bHU1wwzxwEc2Ie6KcGBWhRv2IeQDKEtzWpRSujPvzLk +-> ssh-ed25519 S+dwQQ O9Nd+LXDcf7fP8xgqcmVpM44LEk1KaB8p9RHRfp+6Bw +LOmhTxVX93XgM6lmr26MrNOMG2jf0ZAOAMiYR7KxRro +-> ssh-ed25519 d2fKsw 5jpAhGTQ7VqJrT7SWfaAudYrVtIFYRRv1R5FgL8FeCs +rRJe5oiSVtjPBGTJOdgFTXOzld0SxKpqAtXz7hHgB6c +-> ssh-ed25519 US6ATA jol1HBmQUl3qjxLkSOZ17r9dqxu7lB/dDBqrccuq4Qk +EyPFGHi1jI2fIRCourzGvvMJGQYsAjttEGiOUachi9Q +--- lhZyqOVkSJS/30/cyWdLTVNMltAIHYF4DOIyK32VR/0 + 50 0 +=0MKFu \ No newline at end of file diff --git a/secrets/user-lukas.age b/secrets/user-lukas.age index f81036e..46e44f4 100644 --- a/secrets/user-lukas.age +++ b/secrets/user-lukas.age 
@@ -1,19 +1,17 @@ age-encryption.org/v1 --> ssh-ed25519 SFHVrw /QFzbfKzJnpIMXadEiDJyQJneVbQWwaoQlQ8B85mFiQ -0pH7idWoz/hQFa9lsdJoc3vN36znranVkOtiGaQpCxs --> ssh-ed25519 S+dwQQ /4ZF8giAG2BGML1Fy73ucSb4jZK0EDgAmgj05ymbJzA -lVi9ad3aPL4G/GFS6eAcxdJ9jDHWco0m+UHTOfkfNbQ --> ssh-ed25519 5IO6QQ mPE6sTVXzyVe6UdKhhmFifaETPcgTcNtn2Ybwf+nQyY -Zh2PzFw2zP/MiVpqRLANXe9jGj4GdtnyOxBsDemgoM4 --> ssh-ed25519 ffmsLw rj8FVCxSa49C30ZNW+gKlHXj5fOiTfHuecfumr0TTWo -JqzlRhRXMgdzmn8mic7CFzLfMHPHbH0q7Vo1dB4byaY --> ssh-ed25519 d2fKsw +jbHllavLuC5zykfwzCe3r7c+4mEn3D6FmFdgAKWCz0 -lkwdDPkFxlXlwwZ6cvJ+AxgtGqMvNtO9/PdNPjhYvRM --> ssh-ed25519 US6ATA PKNAfoRfY6MfnRLSOUAhX1EDpXNbPC8EVTtNZ1KoIEA -6rYHtwcdt0qXJr9S8UZ/q3xmTo416sY2unOlnN+/oa0 --> ssh-ed25519 2ktApw uDF57fuv7fq+LlQm93McI8xsBlZPDimeI7uXajXC9iM -gr7aVLkhgZmyv0Q7KlHEJt370NeWXH22A0Avns7mN6U --> ssh-ed25519 Sm0lOA t0uGXeSo6JhBQh5FsH6Z3ZRR/eEm+MVwSyS8TVDj+kg -2aSkF1Hk8NGdNh2RNlBByGgBasKvLPhhdDQRmHe/fUc ---- x+N3g8ekH9yUa3vXP/2u4PtCeVKMEJLlEaLf2Nb1vHo --3OIg)M7cy9(i,Ezr,aK԰zbU3t]"{*t!Ӈ(3`ylU;[8f>EɛmU2{+Tk^WN,]d֝Q : Ш_u \ No newline at end of file +-> ssh-ed25519 SFHVrw RbCDTFm8etGA6wAA26l52Ezrj5g151L/uYmkCC57rh0 +az9uaQvCJy8ocB0ij+qmu1MayhkFYVK2NHvlB0+8RhA +-> ssh-ed25519 S+dwQQ xUmmLtRfmdxSWv9sU2OIgced3+hn6H2fvHxtlrThF3Q +hr3tB+uqcv3JNBFyjf2O6xanN2hnlbCdHH5wLidcbfk +-> ssh-ed25519 ffmsLw NxXG3+tjYTxrAnZ/gIy/E08ozfSkl2GbUaaCAextd1E +fKwGEIu4I1sczSvu2bsGcMZSkuYuO5gWFRyg1PoLfV4 +-> ssh-ed25519 d2fKsw glKuNTvDZxE7SsxBKP+0P4Ldl/a4MwvpzwkgbqFNuEM +8XqemFkix1MjVJm42fQ0vtWaxiFGZWOer+OoRaVLccg +-> ssh-ed25519 US6ATA J5l4UYEZVCUS4J69YTwEyTdFvPRoWlpp88iWgEEDe0Y +ogUa74Vg22CN2zyDZzIoxUokMVPXzllfb1Vj53/CbmM +-> ssh-ed25519 Sm0lOA 5YoOeiPiEfqT9mWUTSUusm9h5CceeeCVJS1iofooTHw +A47tIbHSaQzaxrBatwqQEE2JIa67sqMlstkDyWIuE7Q +--- QzbsNPZn7A5mPNUXOkkSZYt/mx/KrLiBHtI4wi2ynLE +p