droppie: reinstall droppie, update keys

Benjamin Yule Bädorf 2024-02-03 20:58:18 +01:00
parent f197c7ec75
commit 6f75453e7c
Signed by: b12f
GPG key ID: 729956E1124F8F26
10 changed files with 97 additions and 62 deletions


@ -15,6 +15,7 @@
self.nixosModules.graphical self.nixosModules.graphical
self.nixosModules.nextcloud self.nixosModules.nextcloud
self.nixosModules.office self.nixosModules.office
self.nixosModules.persistence
self.nixosModules.printing self.nixosModules.printing
self.nixosModules.wireguard-client self.nixosModules.wireguard-client
]; ];
@ -66,6 +67,7 @@
./droppie ./droppie
self.nixosModules.yule self.nixosModules.yule
self.nixosModules.wireguard-client self.nixosModules.wireguard-client
self.nixosModules.persistence
]; ];
}; };


@ -9,16 +9,9 @@ with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in { in {
boot.loader.systemd-boot.enable = lib.mkForce false; boot.loader.systemd-boot.enable = true;
boot.loader.grub = {
enable = true;
efiSupport = true;
device = "nodev";
};
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
services.openssh.openFirewall = true; services.openssh.openFirewall = true;
pub-solar.core.disk-encryption-active = false; pub-solar.core.disk-encryption-active = false;
@ -27,6 +20,20 @@ in {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall"
]; ];
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=dhcp"
];
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 2222;
authorizedKeys = psCfg.user.publicKeys;
hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
shell = "/bin/cryptsetup-askpass";
};
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
age.secrets."droppie-ssh-root.key" = { age.secrets."droppie-ssh-root.key" = {
file = "${flake.self}/secrets/droppie-ssh-root.key.age"; file = "${flake.self}/secrets/droppie-ssh-root.key.age";
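Review bot: `pub-solar.core.disk-encryption-active = false;` survives unchanged a few lines above the new initrd SSH block, whose `shell = "/bin/cryptsetup-askpass";` (and the `cryptroot` LUKS device in the hardware file of this same commit) only makes sense when encryption is active; if the reinstall boots from the LUKS root the flag should become `true`, otherwise the askpass shell is dead configuration. The key listed in `hostKeys` is copied into the initrd image, which sits on the unencrypted `/boot` partition, so `/persist/etc/secrets/initrd/ssh_host_ed25519_key` is correctly a separate key from the sshd host keys and deserves a comment saying so, e.g. `# initrd-only host key: lives in the unencrypted initrd, never reuse the system host key here`. `boot.shell_on_fail=1` is also new on this host and drops to an unauthenticated root shell in stage 1 when boot fails; with the initrd now bringing up networking via `ip=dhcp`, a one-line comment stating that this is intentional (or removing it once the remote unlock is proven) would be worth adding. The enclosing attribute set starts before and continues after this hunk.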


@ -1,30 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
config, imports =
lib, [ (modulesPath + "/installer/scan/not-detected.nix")
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = ["ahci" "usbhid" "uas"]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" "tg3" ];
boot.initrd.kernelModules = ["dm-snapshot"]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = ["kvm-amd"]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = []; boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot".device = "/dev/sdb2";
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/1dca9d02-555c-4b23-9450-8f3413fa7694"; { device = "none";
fsType = "xfs"; fsType = "tmpfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A24C-F252";
fsType = "vfat";
}; };
fileSystems."/media/internal" = fileSystems."/media/internal" =
@ -32,10 +25,39 @@
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/837cc93f-6d9a-4bfd-b089-29ac6d68127c";
fsType = "ext4";
};
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/a7711118-51b0-4d84-8f18-ef2e06084e05";
fsType = "ext4";
neededForBoot = true;
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0965d496-ffad-4a8d-9de7-28af903baf16";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/991E-79C1";
fsType = "vfat";
};
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/0203b641-280f-4a3d-971d-fd32a666c852"; } [ { device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769"; }
]; ];
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }
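Review bot: `boot.initrd.luks.devices."cryptroot".device = "/dev/sdb2";` is the only device in this file addressed by kernel name instead of a stable `/dev/disk/by-uuid/...` path; with a second disk mounted at `/media/internal`, `sd*` enumeration can change between boots or when a drive is swapped, and the unlock would then be pointed at the wrong partition. Prefer `boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/<UUID-of-LUKS-container>";` (placeholder; the UUID as reported by `blkid` for the LUKS header, not the inner filesystem). The header still states the file is generated and may be overwritten; if that line was added by hand rather than emitted by the generator, it belongs in the host's own module next to the initrd SSH settings so a future regenerate does not drop it. Which side some single-printed lines belong to cannot be fully recovered from this rendering, so confirm against the raw diff.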


@ -24,6 +24,7 @@
# Allow pub.solar restic backups # Allow pub.solar restic backups
services.openssh.allowSFTP = true; services.openssh.allowSFTP = true;
services.openssh.openFirewall = true;
pub-solar.wireguard-client = { pub-solar.wireguard-client = {
ownIPs = [ ownIPs = [
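Review bot: `services.openssh.openFirewall = true;` opens port 22 on every interface, whereas the comment above says SFTP is enabled for pub.solar restic backups and the host is configured as a wireguard client; if the backups arrive over the tunnel, scoping the rule to that link with `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 22 ];` (placeholder interface name) keeps the other interfaces closed. If exposure on all interfaces is intended, a comment such as `# sshd reachable on all interfaces, not only the wireguard link` next to the line records the decision. The surrounding attribute set starts before this hunk.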


@ -23,7 +23,7 @@ in {
boot.kernelParams = [ boot.kernelParams = [
"boot.shell_on_fail=1" "boot.shell_on_fail=1"
"ip=192.168.178.2::192.168.178.1:255.255.255.255:pie.b12f.io::off" "ip=192.168.178.2::192.168.178.1:255.255.255.255:pie-initrd.b12f.io::off"
]; ];
boot.initrd.network.enable = true; boot.initrd.network.enable = true;


@ -2,31 +2,5 @@
{ {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"L /etc/nixos - - - - /home/${config.pub-solar.user.name}/Workspace/os" "L /etc/nixos - - - - /home/${config.pub-solar.user.name}/Workspace/os"
"L /var/lib/bluetooth - - - - /persist/var/lib/bluetooth"
"d /persist/var/lib/bluetooth 0500 root root"
"L /var/lib/docker - - - - /persist/var/lib/docker"
"d /persist/var/lib/docker 0510 root root"
"L /etc/NetworkManager/system-connections - - - - /persist/etc/NetworkManager/system-connections"
"d /persist/etc/NetworkManager/system-connections 0700 root root"
"d /persist/etc/ssh 0400 root root"
]; ];
services.openssh = {
enable = true;
hostKeys = [
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
} }


@ -20,6 +20,7 @@
nix = import ./nix; nix = import ./nix;
nextcloud = import ./nextcloud; nextcloud = import ./nextcloud;
office = import ./office; office = import ./office;
persistence = import ./persistence;
printing = import ./printing; printing = import ./printing;
terminal-life = import ./terminal-life; terminal-life = import ./terminal-life;
user = import ./user; user = import ./user;


@ -0,0 +1,30 @@
{ lib, config, ... }:
{
systemd.tmpfiles.rules = [
"L /var/lib/bluetooth - - - - /persist/var/lib/bluetooth"
"d /persist/var/lib/bluetooth 0500 root root"
"L /var/lib/docker - - - - /persist/var/lib/docker"
"d /persist/var/lib/docker 0510 root root"
"L /etc/NetworkManager/system-connections - - - - /persist/etc/NetworkManager/system-connections"
"d /persist/etc/NetworkManager/system-connections 0700 root root"
"d /persist/etc/ssh 0400 root root"
];
services.openssh = {
enable = true;
hostKeys = [
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
}
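Review bot: `"d /persist/etc/ssh 0400 root root"` creates a directory without the search (execute) bit, so nothing but root, by virtue of ignoring DAC on directories, can enter it; that works for sshd reading host keys as root, but it is an unusual mode that trips up any non-root diagnostic later, and `"d /persist/etc/ssh 0700 root root"` is no less private to other users. The same pattern appears in the `0500` bluetooth and `0510` docker rules, which drop the owner's write bit on directories their services presumably write into and only function because those daemons run as root — worth confirming, and worth a comment if deliberate. `/persist` is repeated in all seven rules, so a `let persist = "/persist"; in` at the top (or a module option) would make the mount point a single point of change; `lib` and `config` in the argument set are unused. The whole new module is visible in this hunk.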


@ -37,9 +37,6 @@ in {
email = "git@benjaminbaedorf.eu"; email = "git@benjaminbaedorf.eu";
gpgKeyId = "FC623BBCBD2604D5CC9D90BAE77B0AAAF0D9B76B"; gpgKeyId = "FC623BBCBD2604D5CC9D90BAE77B0AAAF0D9B76B";
publicKeys = [ publicKeys = [
"ssh-rsa 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 b12f@biolimo"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= b12f@chocolatebar"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"


@ -20,8 +20,9 @@ in {
email = "hello@benjaminbaedorf.eu"; email = "hello@benjaminbaedorf.eu";
gpgKeyId = "4406E80E13CD656C"; gpgKeyId = "4406E80E13CD656C";
publicKeys = [ publicKeys = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"
]; ];
}; };
}; };
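Review bot: the two `sk-ssh-ed25519@openssh.com` keys added here (`yubi@464`, `yubi@485`) are identical to the ones in the other user's `publicKeys` list earlier in this commit, and with `@b12f Yubi Main` removed, `@b12f Yubi Backup` is shared between the two profiles as well, so both identities are now authorised by exactly the same hardware-key credentials. If that is intended (one person, two profiles), a comment such as `# same FIDO credentials as the b12f profile; the two users are not meant to be separable` makes it deliberate; if the profiles are meant to be separable, each should carry its own credential. Because `publicKeys` may also feed `boot.initrd.network.ssh.authorizedKeys` on droppie (it is read from `psCfg.user.publicKeys` there), any key added to this list can also reach the remote-unlock shell. The `publicKeys` list for this user starts before the hunk.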