droppie: reinstall droppie, update keys
This commit is contained in:
parent
f197c7ec75
commit
6f75453e7c
|
@ -15,6 +15,7 @@
|
||||||
self.nixosModules.graphical
|
self.nixosModules.graphical
|
||||||
self.nixosModules.nextcloud
|
self.nixosModules.nextcloud
|
||||||
self.nixosModules.office
|
self.nixosModules.office
|
||||||
|
self.nixosModules.persistence
|
||||||
self.nixosModules.printing
|
self.nixosModules.printing
|
||||||
self.nixosModules.wireguard-client
|
self.nixosModules.wireguard-client
|
||||||
];
|
];
|
||||||
|
@ -66,6 +67,7 @@
|
||||||
./droppie
|
./droppie
|
||||||
self.nixosModules.yule
|
self.nixosModules.yule
|
||||||
self.nixosModules.wireguard-client
|
self.nixosModules.wireguard-client
|
||||||
|
self.nixosModules.persistence
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -9,16 +9,9 @@ with lib; let
|
||||||
psCfg = config.pub-solar;
|
psCfg = config.pub-solar;
|
||||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||||
in {
|
in {
|
||||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.grub = {
|
|
||||||
enable = true;
|
|
||||||
efiSupport = true;
|
|
||||||
device = "nodev";
|
|
||||||
};
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
hardware.cpu.intel.updateMicrocode = true;
|
|
||||||
|
|
||||||
services.openssh.openFirewall = true;
|
services.openssh.openFirewall = true;
|
||||||
|
|
||||||
pub-solar.core.disk-encryption-active = false;
|
pub-solar.core.disk-encryption-active = false;
|
||||||
|
@ -27,6 +20,20 @@ in {
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
boot.kernelParams = [
|
||||||
|
"boot.shell_on_fail=1"
|
||||||
|
"ip=dhcp"
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.network.enable = true;
|
||||||
|
boot.initrd.network.ssh = {
|
||||||
|
enable = true;
|
||||||
|
port = 2222;
|
||||||
|
authorizedKeys = psCfg.user.publicKeys;
|
||||||
|
hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
|
||||||
|
shell = "/bin/cryptsetup-askpass";
|
||||||
|
};
|
||||||
|
|
||||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
|
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
|
||||||
age.secrets."droppie-ssh-root.key" = {
|
age.secrets."droppie-ssh-root.key" = {
|
||||||
file = "${flake.self}/secrets/droppie-ssh-root.key.age";
|
file = "${flake.self}/secrets/droppie-ssh-root.key.age";
|
||||||
|
|
|
@ -1,30 +1,23 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
# and may be overwritten by future invocations. Please make changes
|
# and may be overwritten by future invocations. Please make changes
|
||||||
# to /etc/nixos/configuration.nix instead.
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
config,
|
imports =
|
||||||
lib,
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
pkgs,
|
|
||||||
modulesPath,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
imports = [
|
|
||||||
(modulesPath + "/installer/scan/not-detected.nix")
|
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = ["ahci" "usbhid" "uas"];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" "tg3" ];
|
||||||
boot.initrd.kernelModules = ["dm-snapshot"];
|
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||||
boot.kernelModules = ["kvm-amd"];
|
boot.kernelModules = [ "kvm-amd" ];
|
||||||
boot.extraModulePackages = [];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
boot.initrd.luks.devices."cryptroot".device = "/dev/sdb2";
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/1dca9d02-555c-4b23-9450-8f3413fa7694";
|
{ device = "none";
|
||||||
fsType = "xfs";
|
fsType = "tmpfs";
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{ device = "/dev/disk/by-uuid/A24C-F252";
|
|
||||||
fsType = "vfat";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/media/internal" =
|
fileSystems."/media/internal" =
|
||||||
|
@ -32,10 +25,39 @@
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix" =
|
||||||
|
{ device = "/dev/disk/by-uuid/837cc93f-6d9a-4bfd-b089-29ac6d68127c";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/persist" =
|
||||||
|
{ device = "/dev/disk/by-uuid/a7711118-51b0-4d84-8f18-ef2e06084e05";
|
||||||
|
fsType = "ext4";
|
||||||
|
neededForBoot = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/home" =
|
||||||
|
{ device = "/dev/disk/by-uuid/0965d496-ffad-4a8d-9de7-28af903baf16";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/991E-79C1";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices =
|
||||||
[ { device = "/dev/disk/by-uuid/0203b641-280f-4a3d-971d-fd32a666c852"; }
|
[ { device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
# networking.useDHCP = lib.mkDefault true;
|
||||||
|
networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
|
||||||
|
networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
|
|
||||||
# Allow pub.solar restic backups
|
# Allow pub.solar restic backups
|
||||||
services.openssh.allowSFTP = true;
|
services.openssh.allowSFTP = true;
|
||||||
|
services.openssh.openFirewall = true;
|
||||||
|
|
||||||
pub-solar.wireguard-client = {
|
pub-solar.wireguard-client = {
|
||||||
ownIPs = [
|
ownIPs = [
|
||||||
|
|
|
@ -23,7 +23,7 @@ in {
|
||||||
|
|
||||||
boot.kernelParams = [
|
boot.kernelParams = [
|
||||||
"boot.shell_on_fail=1"
|
"boot.shell_on_fail=1"
|
||||||
"ip=192.168.178.2::192.168.178.1:255.255.255.255:pie.b12f.io::off"
|
"ip=192.168.178.2::192.168.178.1:255.255.255.255:pie-initrd.b12f.io::off"
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.network.enable = true;
|
boot.initrd.network.enable = true;
|
||||||
|
|
|
@ -2,31 +2,5 @@
|
||||||
{
|
{
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"L /etc/nixos - - - - /home/${config.pub-solar.user.name}/Workspace/os"
|
"L /etc/nixos - - - - /home/${config.pub-solar.user.name}/Workspace/os"
|
||||||
|
|
||||||
"L /var/lib/bluetooth - - - - /persist/var/lib/bluetooth"
|
|
||||||
"d /persist/var/lib/bluetooth 0500 root root"
|
|
||||||
|
|
||||||
"L /var/lib/docker - - - - /persist/var/lib/docker"
|
|
||||||
"d /persist/var/lib/docker 0510 root root"
|
|
||||||
|
|
||||||
"L /etc/NetworkManager/system-connections - - - - /persist/etc/NetworkManager/system-connections"
|
|
||||||
"d /persist/etc/NetworkManager/system-connections 0700 root root"
|
|
||||||
|
|
||||||
"d /persist/etc/ssh 0400 root root"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
services.openssh = {
|
|
||||||
enable = true;
|
|
||||||
hostKeys = [
|
|
||||||
{
|
|
||||||
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
|
||||||
type = "ed25519";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
path = "/persist/etc/ssh/ssh_host_rsa_key";
|
|
||||||
type = "rsa";
|
|
||||||
bits = 4096;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,7 @@
|
||||||
nix = import ./nix;
|
nix = import ./nix;
|
||||||
nextcloud = import ./nextcloud;
|
nextcloud = import ./nextcloud;
|
||||||
office = import ./office;
|
office = import ./office;
|
||||||
|
persistence = import ./persistence;
|
||||||
printing = import ./printing;
|
printing = import ./printing;
|
||||||
terminal-life = import ./terminal-life;
|
terminal-life = import ./terminal-life;
|
||||||
user = import ./user;
|
user = import ./user;
|
||||||
|
|
30
modules/persistence/default.nix
Normal file
30
modules/persistence/default.nix
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
{ lib, config, ... }:
|
||||||
|
{
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"L /var/lib/bluetooth - - - - /persist/var/lib/bluetooth"
|
||||||
|
"d /persist/var/lib/bluetooth 0500 root root"
|
||||||
|
|
||||||
|
"L /var/lib/docker - - - - /persist/var/lib/docker"
|
||||||
|
"d /persist/var/lib/docker 0510 root root"
|
||||||
|
|
||||||
|
"L /etc/NetworkManager/system-connections - - - - /persist/etc/NetworkManager/system-connections"
|
||||||
|
"d /persist/etc/NetworkManager/system-connections 0700 root root"
|
||||||
|
|
||||||
|
"d /persist/etc/ssh 0400 root root"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
hostKeys = [
|
||||||
|
{
|
||||||
|
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
||||||
|
type = "ed25519";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
path = "/persist/etc/ssh/ssh_host_rsa_key";
|
||||||
|
type = "rsa";
|
||||||
|
bits = 4096;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
|
@ -37,9 +37,6 @@ in {
|
||||||
email = "git@benjaminbaedorf.eu";
|
email = "git@benjaminbaedorf.eu";
|
||||||
gpgKeyId = "FC623BBCBD2604D5CC9D90BAE77B0AAAF0D9B76B";
|
gpgKeyId = "FC623BBCBD2604D5CC9D90BAE77B0AAAF0D9B76B";
|
||||||
publicKeys = [
|
publicKeys = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== b12f@biolimo"
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= b12f@chocolatebar"
|
|
||||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
|
||||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"
|
||||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"
|
||||||
|
|
|
@ -20,8 +20,9 @@ in {
|
||||||
email = "hello@benjaminbaedorf.eu";
|
email = "hello@benjaminbaedorf.eu";
|
||||||
gpgKeyId = "4406E80E13CD656C";
|
gpgKeyId = "4406E80E13CD656C";
|
||||||
publicKeys = [
|
publicKeys = [
|
||||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
|
|
||||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
|
||||||
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"
|
||||||
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue