all: wheel can see deploy key

2022-08-29 09:48:47 -06:00 · 2022-08-29 09:48:47 -06:00 · ab34df7aea
commit ab34df7aea
parent d2f852a2c0
3 changed files with 168 additions and 1 deletions
--- a/default.nix
+++ b/default.nix
@ -52,7 +52,7 @@ in {
        sopsFile = config.xin-secrets.deploy;
        owner = "root";
        group = "wheel";
-        mode = "400";
+        mode = "440";
      };
    };

--- a/hosts/stan/default.nix
+++ b/hosts/stan/default.nix
@ -0,0 +1,124 @@
+{ config, pkgs, ... }:
+let
+  pubKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA7khawMK6P0fXjhXXPEUTA2rF2tYB2VhzseZA/EQ/OtAAAAC3NzaDpncmVhdGVy qbit@litr.bold.daemon"
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI= qbit@litr.bold.daemon"
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
+  ];
+
+  userBase = { openssh.authorizedKeys.keys = pubKeys; };
+in {
+  _module.args.isUnstable = false;
+  imports = [ ./hardware-configuration.nix ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot/efi";
+    };
+
+    initrd = {
+      luks.devices."luks-23b20980-eb1e-4390-b706-f0f42a623ddf".device =
+        "/dev/disk/by-uuid/23b20980-eb1e-4390-b706-f0f42a623ddf";
+      luks.devices."luks-23b20980-eb1e-4390-b706-f0f42a623ddf".keyFile =
+        "/crypto_keyfile.bin";
+      secrets = { "/crypto_keyfile.bin" = null; };
+    };
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelParams = [ "intel_idle.max_cstate=4" ];
+
+  };
+
+  preDNS.enable = false;
+  networking = {
+    hostName = "stan";
+    networkmanager.enable = true;
+    firewall = {
+      allowedTCPPorts = [ 22 ];
+      checkReversePath = "loose";
+    };
+  };
+
+  i18n.defaultLocale = "en_US.utf8";
+
+  pantheon.enable = true;
+
+  sops.secrets = {
+    tskey = {
+      sopsFile = config.xin-secrets.litr.secrets;
+      owner = "root";
+      mode = "400";
+    };
+  };
+
+  systemd.services = {
+    "tailscale-init" = {
+      wantedBy = [ "tailscaled.service" ];
+      after = [ "tailscaled.service" ];
+      serviceConfig = {
+        ExecStart =
+          "${pkgs.tailscale}/bin/tailscale up --auth-key file://${config.sops.secrets.tskey.path}";
+      };
+    };
+  };
+
+  users.users.abieber = {
+    isNormalUser = true;
+    description = "Aaron Bieber";
+    extraGroups = [ "networkmanager" "wheel" ];
+    packages = with pkgs; [ ];
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+    barrier
+    brave
+    fzf
+    google-chrome-dev
+    ispell
+    jitsi-meet-electron
+    keychain
+    matterhorn
+    mosh
+    mupdf
+    nmap
+    oathToolkit
+    obs-studio
+    openvpn
+    sshfs
+    virt-manager
+    wireshark
+  ];
+
+  virtualisation.libvirtd.enable = true;
+
+  programs = {
+    dconf.enable = true;
+    zsh.enable = true;
+  };
+
+  users.users.root = userBase;
+  users.users.abieber = userBase // {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    extraGroups = [ "wheel" "networkmanager" "libvirtd" ];
+  };
+
+  services = {
+    printing.enable = true;
+    fwupd.enable = true;
+    unifi.enable = true;
+    openntpd.enable = true;
+    resolved = {
+      enable = true;
+      dnssec = "allow-downgrade";
+    };
+  };
+
+  system.stateVersion = "22.05"; # Did you read the comment?
+
+}
--- a/hosts/stan/hardware-configuration.nix
+++ b/hosts/stan/hardware-configuration.nix
@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules =
+    [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/56138f23-38c0-4e4f-8dee-4fcd57c238a0";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."luks-e12e4b82-6f9e-4f80-b3f4-7e9a248e7827".device =
+    "/dev/disk/by-uuid/e12e4b82-6f9e-4f80-b3f4-7e9a248e7827";
+
+  fileSystems."/boot/efi" = {
+    device = "/dev/disk/by-uuid/4CFA-E61D";
+    fsType = "vfat";
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/85a3b559-0c0f-485d-9107-9f6ba5ad31da"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
+}