From 1531917a204c7b0a4aeb695313660facf080a32f Mon Sep 17 00:00:00 2001 From: Bladesy Date: Wed, 30 Apr 2025 10:11:35 +0100 Subject: [PATCH] feat: add static networking, password protected users, ssh login support, and nixos-anywhere to dk1-iso --- flake.lock | 113 ++++++++++++++++++++++++++- flake.nix | 10 ++- library/secrets/default.nix | 1 + library/secrets/network-manager.yaml | 8 +- library/secrets/users.yaml | 31 ++++++++ modules/dk1-iso.nix | 91 ++++++++++++++++++--- overlays/default.nix | 3 +- overlays/pkgs.nix | 11 ++- 8 files changed, 249 insertions(+), 19 deletions(-) create mode 100644 library/secrets/users.yaml diff --git a/flake.lock b/flake.lock index 58663ab..82a86ab 100644 --- a/flake.lock +++ b/flake.lock @@ -20,6 +20,27 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "impermanence": { "locked": { "lastModified": 1731242966, 
@@ -35,7 +56,75 @@ "type": "github" } }, + "nixos-anywhere": { + "inputs": { + "disko": [ + "disko" + ], + "flake-parts": "flake-parts", + "nixos-images": "nixos-images", + "nixos-stable": [ + "nixpkgs" + ], + "nixpkgs": "nixpkgs", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1745505025, + "narHash": "sha256-F9IekLaLYVG/UNUiaN194qu0n1pOgeqjGkD1l5OVEgM=", + "owner": "nix-community", + "repo": "nixos-anywhere", + "rev": "edf1adb89307f921575b5fcd0c6bb4e684fbd38b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-anywhere", + "type": "github" + } + }, + "nixos-images": { + "inputs": { + "nixos-stable": [ + "nixos-anywhere", + "nixos-stable" + ], + "nixos-unstable": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744853194, + "narHash": "sha256-NBOdBdQdxb3FdM4Ywb4cATMLfFtkPqDYh0LIQMZ7eRY=", + "owner": "nix-community", + "repo": "nixos-images", + "rev": "8f6f8060a13096934c2a502eb0508bdc3f1284a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-images", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1745991046, + "narHash": "sha256-+WiKX2uUkuWrkUdfy8XP0Lic2qN7h3pH+tWn1DfTfFg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "920a79ee9b49febd7a8b7251e210aeee9c06b644", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1733261153, "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", @@ -55,7 +144,8 @@ "inputs": { "disko": "disko", "impermanence": "impermanence", - "nixpkgs": "nixpkgs", + "nixos-anywhere": "nixos-anywhere", + "nixpkgs": "nixpkgs_2", "sops-nix": "sops-nix" } }, 
@@ -78,6 +168,27 @@ "repo": "sops-nix", "type": "github" } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744961264, + "narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "8d404a69efe76146368885110f29a2ca3700bee6", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index 0cd2c21..d5883fc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,13 @@
 url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ nixos-anywhere = {
+ url = "github:nix-community/nixos-anywhere";
+ inputs = {
+ nixos-stable.follows = "nixpkgs";
+ disko.follows = "disko";
+ };
+ };
 };
 
 outputs = {
@@ -20,6 +27,7 @@
 disko,
 impermanence,
 sops-nix,
+ nixos-anywhere,
 }: let
 lib = nixpkgs.lib.extend self.overlays.lib;
 pkgs = nixpkgs.legacyPackages.x86_64-linux.extend self.overlays.pkgs;
@@ -28,7 +36,7 @@
 in {
 overlays = import ./overlays {
 nixos-config = self // {inherit library;};
- inherit disko impermanence sops-nix;
+ inherit disko impermanence sops-nix nixos-anywhere;
 };
 nixosConfigurations = import ./configurations {inherit lib;};
 nixosModules = import ./modules;
diff --git a/library/secrets/default.nix b/library/secrets/default.nix
index 92de8fd..af7129d 100644
--- a/library/secrets/default.nix
+++ b/library/secrets/default.nix
@@ -1,4 +1,5 @@
 {
 sb1 = ./sb1.yaml;
 network-manager = ./network-manager.yaml;
+ users = ./users.yaml;
 }
diff --git a/library/secrets/network-manager.yaml b/library/secrets/network-manager.yaml
index 94ac56c..2a4a581 100644
--- a/library/secrets/network-manager.yaml
+++ b/library/secrets/network-manager.yaml
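Review bot: The new `nixos-anywhere` input pins `nixos-stable` and `disko` to the root inputs but leaves its own `nixpkgs` unpinned, so the lock now carries two nixpkgs revisions (the root moves to `nixpkgs_2` while nixos-anywhere keeps a separate `nixos-unstable-small` checkout, as the flake.lock hunks show). The `nixos-anywhere` binary exported through overlays/pkgs.nix is therefore built from that second revision, which doubles the package tree that has to be audited and updated. If the tool is expected to build against the root nixpkgs, add `nixpkgs.follows = "nixpkgs";` next to the two existing follows lines in the new `inputs` block. The enclosing `inputs` attribute set starts before this hunk.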
@@ -1,5 +1,5 @@
-home_ssid: ENC[AES256_GCM,data:KB/wa+XEw7KGD3sO,iv:OavELC88DUOzPkj5dQsZbpolo4k5uKPVfEmIt6nWP/0=,tag:4towJ8hav0Vj2DpFpLUF5A==,type:str]
-home_psk: ENC[AES256_GCM,data:GA7ZED/cFaA=,iv:0EU06LM0MfTAmmafasPKq0xxl7w2h1Y45tBi4NVDvmA=,tag:cMGUOVlUANybdkcp7Cmd5w==,type:str]
+home-ssid: ENC[AES256_GCM,data:zi9AkDx7lInM8Qpn,iv:/ivnuq0L2fc8UQZtjlw073EbzslN+GBl4dYOZm+MYQQ=,tag:X9MztKFvdG1aKuYMa94h8w==,type:str]
+home-psk: ENC[AES256_GCM,data:GEY/+0imm1o=,iv:FsUyy479GQ+PfXwdEvXqX1qPcRcYKGIiMCyTf7wYVTs=,tag:2d7LtoiRrF0NhwKhfYQnkA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -24,8 +24,8 @@ sops:
 enEyWkRVT014Vk1FTktmVU5kbjVaUTAKJKIIMjBDLJxXv6y9nIzirH5vaqkQyZ6a
 pF45ayqxXOAdonrnn0hbyxW8NcKp0Jjy0ehTd6AfAnNCrxPomPbflw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-26T11:02:52Z"
- mac: ENC[AES256_GCM,data:kC+tWF+5JVFJigJHKf5RxDggOQPHbSKvllWxWCrL0DvL/FS1a0W0Xi35d473DfxkUUUKSHDguan3V0YlL64103sXlMU3hxdquFmNUjYl08s5fuzGDIpX56ROLpxtKCaDsDFgsvq41mwSSZQuT0qS7DULzAgE7PKW5luhJBxMXu8=,iv:z1OnnhP8cKZrn51FBEooiUSk8puOTqVoyXPfittM/RM=,tag:iLoN6Vh6PkXC0Gk4f2JoQA==,type:str]
+ lastmodified: "2025-04-27T13:55:15Z"
+ mac: ENC[AES256_GCM,data:sV9QVvQTeHAqPVluN+RHyUXI9zmMw3P6ok1VQ+XHnOcJb4GSWkUdOmWT4XcAMWUSPKEIbexei97rfj46BMT+2VbJS414buoOxvKSx17UVEdFwlXGVIv3jvmyrfp3jd66gSYzznJe8wBakbdKWCHb5kLnF4tqGpdgKprAxwaYnlU=,iv:wEk4qVEF20OZzdjRCRjMzZgipI76hIew39GF/dknKr4=,tag:jJU5JBHsElMxgIgANDcuJg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/library/secrets/users.yaml b/library/secrets/users.yaml
new file mode 100644
index 0000000..11d0db8
--- /dev/null
+++ b/library/secrets/users.yaml
@@ -0,0 +1,31 @@
+root-password: ENC[AES256_GCM,data:SaK/GlzszoYqf1l+fxqXe24ipAhU6xicqwXjTeeABIag4ZOqc6fYp6h1faPDOzNqfKX0D2wrWVahTcZ5eJM8Jc3mi8AJi9VrLg==,iv:no4IU8AolKrvuTediCOQgrJkuRX4BInmVnRLER3QVjI=,tag:l2zWu7ieqiT9dsjVe80T4g==,type:str]
+user-password: ENC[AES256_GCM,data:0kN3tnoZ2OD1YO/xz9WnvJixShopigtDGVnvaTRvib2vkO7pMl2Jlg5WIFo37Bb3zwWw0OkIiA2exXcBiSRJiIxmoWR8mmBI4Q==,iv:qHbE6GqJPUHTUgMd/ty+clg5roJLswoCw2xO5M1KKqo=,tag:85KUx5wrd9SnRITsUAMUPg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBveHVjN2EwYjgrc2FLRVpL
+ cVBUNStRRkI2RnpBb3YzZUx6dnpJUHhiamwwCkJ1L3lubWZ3Y0YyWXNQWmJkMjhL
+ TkxTejRWUWIzajBNcFBqSnJBQ1BFL2cKLS0tIEl0TllEcStwTWF0NngxWVM1cUdI
+ M2E5TG56S3FMaFVhUG5JQmw2SWpKQjAKNmddLTfypjo3wU84jOsCQULX5cmUunWt
+ WM712sCFeJShWTA47zBg9um4+dWhY+QungDiuJO2+zoj6UMuE31vew==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cUFWeDJ2L1lWazE1eFZC
+ MEZSQmRiNDhuY0VvWStMUkUrQ0Z0V1BrYVdZCitFTDB4d2ZWVE5lLzhMbWFVSFZ3
+ RkdxTzlYQkRyclFFclhnRXdqa1o3Z0kKLS0tIEFmNUFTWkl4K3dtTWhJK2ptWXpJ
+ NUdwczNJNDVEQkk5cnl4Mmh3UGMra1EKFEIbff+6kGo67KCd1Dj+dRaqlfM5Rmi5
+ MiYibYIb5Ff47HG/uEA/u5nt/DHE8yUGeBldbJoqE92arA18st8dgg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-27T13:58:51Z"
+ mac: ENC[AES256_GCM,data:uMCeMLYJrfAHQ037NZKmXTuPuZnSU1GOCFMsVE/xjGBkZnXJ4yYh3Fec3ncyuD0HWHgEeFGh4lRi3YNu6nkiK2R/mCrIrm4A3Ry0k0yGjam6Q8dfigaV9RkmMf50bV+JA6j03G5pxfyrBq5OTSWohYSmsvOTJXRKvIJalxfn+f0=,iv:AUcoar5Ls3qLtcg6WkHjElYefwsHN2GNKIMinvF0bps=,tag:qDCpTXRMsjS8880csWRTpw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/modules/dk1-iso.nix b/modules/dk1-iso.nix
index a03ee1a..3db4931 100644
--- a/modules/dk1-iso.nix
+++ b/modules/dk1-iso.nix
@@ -1,6 +1,7 @@
 {
 lib,
 config,
+ pkgs,
 modulesPath,
 ...
 }: {
@@ -9,10 +10,6 @@
 sops
 ];
 
- boot.extraModulePackages = with config.boot.kernelPackages; [
- rtl88xxau-aircrack
- ];
-
 sops = {
 gnupg.sshKeyPaths = [];
 age = {
@@ -20,15 +17,27 @@
 keyFile = "/iso/key";
 };
 secrets = {
- home_ssid.sopsFile = lib.secrets.network-manager;
- home_psk.sopsFile = lib.secrets.network-manager;
+ root-password = {
+ sopsFile = lib.secrets.users;
+ neededForUsers = true;
+ };
+ user-password = {
+ sopsFile = lib.secrets.users;
+ neededForUsers = true;
+ };
+ home-ssid.sopsFile = lib.secrets.network-manager;
+ home-psk.sopsFile = lib.secrets.network-manager;
 };
- templates.networkManager.content = ''
- home_ssid="${config.sops.placeholder.home_ssid}"
- home_psk="${config.sops.placeholder.home_psk}"
+ templates.network-manager.content = ''
+ home_ssid="${config.sops.placeholder.home-ssid}"
+ home_psk="${config.sops.placeholder.home-psk}"
 '';
 };
 
+ boot.extraModulePackages = with config.boot.kernelPackages; [
+ rtl88xxau-aircrack
+ ];
+
 networking = {
 hostName = "dk1-iso";
 wireless.enable = false;
@@ -40,6 +49,12 @@
 id = "home";
 type = "wifi";
 };
+ ipv4 = {
+ method = "manual";
+ address1 = "192.168.0.200/24";
+ gateway = "192.168.0.1";
+ dns = "192.168.0.1";
+ };
 wifi = {
 ssid = "$home_ssid";
 mode = "infrastructure";
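Review bot: The two new `neededForUsers` secrets are decrypted with the age key at `/iso/key` (the context line just above the `secrets` block), so the password hashes in library/secrets/users.yaml are only as confidential as that key; if the key is carried on the installer medium itself, anyone holding the image can recover the hashes and attempt offline cracking, in addition to the wifi PSK that was already exposed the same way. That may be acceptable for a personal installer, but it should be recorded on the `secrets` block, e.g. `# decrypted with the key shipped at /iso/key: treat these hashes as recoverable by anyone with the medium`. It is also worth confirming that `/iso` is mounted by the time the users setup step runs, since `neededForUsers` secrets are meant to be decrypted before accounts are created. The enclosing `sops` attribute set starts before this hunk.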
@@ -50,8 +65,64 @@
 psk = "$home_psk";
 };
 };
- environmentFiles = [config.sops.templates.networkManager.path];
+ environmentFiles = [config.sops.templates.network-manager.path];
 };
 };
 };
+
+ time.timeZone = "Europe/London";
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console.keyMap = "uk";
+
+ users = {
+ mutableUsers = false;
+ users = {
+ root = {
+ isSystemUser = true;
+ hashedPasswordFile = config.sops.secrets.root-password.path;
+ openssh.authorizedKeys.keys = with lib.sshKeys; [
+ lp1.user
+ lp2.user
+ ];
+ };
+ user = {
+ isNormalUser = true;
+ extraGroups = ["wheel"];
+ hashedPasswordFile = config.sops.secrets.user-password.path;
+ openssh.authorizedKeys.keys = with lib.sshKeys; [
+ lp1.user
+ lp2.user
+ ];
+ };
+ nixos.hashedPasswordFile = config.sops.secrets.user-password.path;
+ };
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ settings.PermitRootLogin = lib.mkForce "without-password";
+ };
+ getty = {
+ helpLine = lib.mkForce "";
+ autologinUser = lib.mkForce null;
+ };
+ };
+
+ nixpkgs.overlays = [lib.overlays.pkgs];
+ environment.systemPackages = with pkgs; [
+ git
+ my-vim
+ nixos-anywhere
+ ];
+
+ nix.settings = {
+ trusted-users = ["root"];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+
+ system.stateVersion = "24.11";
 }
diff --git a/overlays/default.nix b/overlays/default.nix
index 3abf2f3..a571873 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -3,7 +3,8 @@
 disko,
 impermanence,
 sops-nix,
+ nixos-anywhere,
 }: {
 lib = import ./lib.nix {inherit nixos-config disko impermanence sops-nix;};
- pkgs = import ./pkgs.nix {inherit nixos-config;};
+ pkgs = import ./pkgs.nix {inherit nixos-config nixos-anywhere;};
 }
diff --git a/overlays/pkgs.nix b/overlays/pkgs.nix
index 43cc01d..ff80026 100644
--- a/overlays/pkgs.nix
+++ b/overlays/pkgs.nix
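Review bot: `PermitRootLogin = "without-password"` is the deprecated OpenSSH spelling of `prohibit-password`; both give key-only root login, which the `authorizedKeys` entries above rely on, but the current name is unambiguous: `settings.PermitRootLogin = lib.mkForce "prohibit-password";`. `user` is placed in `wheel`, and if the installer profile's passwordless-sudo default still applies (not visible in this hunk), `user-password` gates console and password SSH logins but not escalation to root; either set `security.sudo.wheelNeedsPassword = true;` here or leave a comment saying that is intentional. `trusted-users = ["root"]` restates the Nix default and can be dropped. The three `mkForce` calls presumably override defaults from the installation-media profile; a one-line comment naming what they override would help the next reader.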
@@ -1,4 +1,11 @@
-{nixos-config}: final: prev: let
+{
+ nixos-config,
+ nixos-anywhere,
+}: final: prev: let
 inherit (nixos-config) overlays packages;
 in
- packages.x86_64-linux // {lib = prev.lib.extend overlays.lib;}
+ packages.x86_64-linux
+ // {
+ lib = prev.lib.extend overlays.lib;
+ inherit (nixos-anywhere.packages.x86_64-linux) nixos-anywhere;
+ }
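Review bot: The new `inherit (nixos-anywhere.packages.x86_64-linux) nixos-anywhere;` silently replaces whatever `nixos-anywhere` attribute `prev` already provides, so if the pinned nixpkgs ships its own package of that name, the overlay now shadows it with the flake input's build without saying so. A short comment on that line, e.g. `# prefer the flake input's build over any nixpkgs-provided nixos-anywhere`, would make the override deliberate rather than accidental. The hard-coded `x86_64-linux` matches the existing `packages.x86_64-linux` line and the single-system `pkgs` in flake.nix, so it is consistent for now; `prev.stdenv.hostPlatform.system` would be the choice if the overlay is ever applied to another system.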