feat: add static networking, password protected users, ssh login support, and nixos-anywhere to dk1-iso

Bladesy 2025-04-30 10:11:35 +01:00
parent c84cb9b723
commit 1531917a20
8 changed files with 249 additions and 19 deletions

113
flake.lock generated

@ -20,6 +20,27 @@
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1743550720,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1731242966,
@ -35,7 +56,75 @@
"type": "github"
}
},
"nixos-anywhere": {
"inputs": {
"disko": [
"disko"
],
"flake-parts": "flake-parts",
"nixos-images": "nixos-images",
"nixos-stable": [
"nixpkgs"
],
"nixpkgs": "nixpkgs",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1745505025,
"narHash": "sha256-F9IekLaLYVG/UNUiaN194qu0n1pOgeqjGkD1l5OVEgM=",
"owner": "nix-community",
"repo": "nixos-anywhere",
"rev": "edf1adb89307f921575b5fcd0c6bb4e684fbd38b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-anywhere",
"type": "github"
}
},
"nixos-images": {
"inputs": {
"nixos-stable": [
"nixos-anywhere",
"nixos-stable"
],
"nixos-unstable": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744853194,
"narHash": "sha256-NBOdBdQdxb3FdM4Ywb4cATMLfFtkPqDYh0LIQMZ7eRY=",
"owner": "nix-community",
"repo": "nixos-images",
"rev": "8f6f8060a13096934c2a502eb0508bdc3f1284a1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-images",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1745991046,
"narHash": "sha256-+WiKX2uUkuWrkUdfy8XP0Lic2qN7h3pH+tWn1DfTfFg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "920a79ee9b49febd7a8b7251e210aeee9c06b644",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1733261153,
"narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=",
@ -55,7 +144,8 @@
"inputs": {
"disko": "disko",
"impermanence": "impermanence",
"nixpkgs": "nixpkgs",
"nixos-anywhere": "nixos-anywhere",
"nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix"
}
},
@ -78,6 +168,27 @@
"repo": "sops-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744961264,
"narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8d404a69efe76146368885110f29a2ca3700bee6",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",


@ -12,6 +12,13 @@
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-anywhere = {
url = "github:nix-community/nixos-anywhere";
inputs = {
nixos-stable.follows = "nixpkgs";
disko.follows = "disko";
};
};
};
outputs = {
@ -20,6 +27,7 @@
disko,
impermanence,
sops-nix,
nixos-anywhere,
}: let
lib = nixpkgs.lib.extend self.overlays.lib;
pkgs = nixpkgs.legacyPackages.x86_64-linux.extend self.overlays.pkgs;
@ -28,7 +36,7 @@
in {
overlays = import ./overlays {
nixos-config = self // {inherit library;};
inherit disko impermanence sops-nix;
inherit disko impermanence sops-nix nixos-anywhere;
};
nixosConfigurations = import ./configurations {inherit lib;};
nixosModules = import ./modules;
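Review bot: The new `nixos-anywhere` input pins `nixos-stable` and `disko` to the root inputs but not `nixpkgs`, so the lock file now carries two nixpkgs revisions (the root's `nixpkgs_2` and the `nixos-unstable-small` one pulled in for nixos-anywhere). Adding `nixpkgs.follows = "nixpkgs";` inside the input's `inputs` block would keep a single nixpkgs in the closure and one revision to audit and update. If nixos-anywhere genuinely needs its own nixpkgs, a one-line comment saying so would stop a later cleanup from removing the second pin. Whether nixos-anywhere's packages build against the root nixpkgs is not something this page shows, so that would need checking before the change.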


@ -1,4 +1,5 @@
{
sb1 = ./sb1.yaml;
network-manager = ./network-manager.yaml;
users = ./users.yaml;
}


@ -1,5 +1,5 @@
home_ssid: ENC[AES256_GCM,data:KB/wa+XEw7KGD3sO,iv:OavELC88DUOzPkj5dQsZbpolo4k5uKPVfEmIt6nWP/0=,tag:4towJ8hav0Vj2DpFpLUF5A==,type:str]
home_psk: ENC[AES256_GCM,data:GA7ZED/cFaA=,iv:0EU06LM0MfTAmmafasPKq0xxl7w2h1Y45tBi4NVDvmA=,tag:cMGUOVlUANybdkcp7Cmd5w==,type:str]
home-ssid: ENC[AES256_GCM,data:zi9AkDx7lInM8Qpn,iv:/ivnuq0L2fc8UQZtjlw073EbzslN+GBl4dYOZm+MYQQ=,tag:X9MztKFvdG1aKuYMa94h8w==,type:str]
home-psk: ENC[AES256_GCM,data:GEY/+0imm1o=,iv:FsUyy479GQ+PfXwdEvXqX1qPcRcYKGIiMCyTf7wYVTs=,tag:2d7LtoiRrF0NhwKhfYQnkA==,type:str]
sops:
kms: []
gcp_kms: []
@ -24,8 +24,8 @@ sops:
enEyWkRVT014Vk1FTktmVU5kbjVaUTAKJKIIMjBDLJxXv6y9nIzirH5vaqkQyZ6a
pF45ayqxXOAdonrnn0hbyxW8NcKp0Jjy0ehTd6AfAnNCrxPomPbflw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-26T11:02:52Z"
mac: ENC[AES256_GCM,data:kC+tWF+5JVFJigJHKf5RxDggOQPHbSKvllWxWCrL0DvL/FS1a0W0Xi35d473DfxkUUUKSHDguan3V0YlL64103sXlMU3hxdquFmNUjYl08s5fuzGDIpX56ROLpxtKCaDsDFgsvq41mwSSZQuT0qS7DULzAgE7PKW5luhJBxMXu8=,iv:z1OnnhP8cKZrn51FBEooiUSk8puOTqVoyXPfittM/RM=,tag:iLoN6Vh6PkXC0Gk4f2JoQA==,type:str]
lastmodified: "2025-04-27T13:55:15Z"
mac: ENC[AES256_GCM,data:sV9QVvQTeHAqPVluN+RHyUXI9zmMw3P6ok1VQ+XHnOcJb4GSWkUdOmWT4XcAMWUSPKEIbexei97rfj46BMT+2VbJS414buoOxvKSx17UVEdFwlXGVIv3jvmyrfp3jd66gSYzznJe8wBakbdKWCHb5kLnF4tqGpdgKprAxwaYnlU=,iv:wEk4qVEF20OZzdjRCRjMzZgipI76hIew39GF/dknKr4=,tag:jJU5JBHsElMxgIgANDcuJg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,31 @@
root-password: ENC[AES256_GCM,data:SaK/GlzszoYqf1l+fxqXe24ipAhU6xicqwXjTeeABIag4ZOqc6fYp6h1faPDOzNqfKX0D2wrWVahTcZ5eJM8Jc3mi8AJi9VrLg==,iv:no4IU8AolKrvuTediCOQgrJkuRX4BInmVnRLER3QVjI=,tag:l2zWu7ieqiT9dsjVe80T4g==,type:str]
user-password: ENC[AES256_GCM,data:0kN3tnoZ2OD1YO/xz9WnvJixShopigtDGVnvaTRvib2vkO7pMl2Jlg5WIFo37Bb3zwWw0OkIiA2exXcBiSRJiIxmoWR8mmBI4Q==,iv:qHbE6GqJPUHTUgMd/ty+clg5roJLswoCw2xO5M1KKqo=,tag:85KUx5wrd9SnRITsUAMUPg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBveHVjN2EwYjgrc2FLRVpL
cVBUNStRRkI2RnpBb3YzZUx6dnpJUHhiamwwCkJ1L3lubWZ3Y0YyWXNQWmJkMjhL
TkxTejRWUWIzajBNcFBqSnJBQ1BFL2cKLS0tIEl0TllEcStwTWF0NngxWVM1cUdI
M2E5TG56S3FMaFVhUG5JQmw2SWpKQjAKNmddLTfypjo3wU84jOsCQULX5cmUunWt
WM712sCFeJShWTA47zBg9um4+dWhY+QungDiuJO2+zoj6UMuE31vew==
-----END AGE ENCRYPTED FILE-----
- recipient: age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cUFWeDJ2L1lWazE1eFZC
MEZSQmRiNDhuY0VvWStMUkUrQ0Z0V1BrYVdZCitFTDB4d2ZWVE5lLzhMbWFVSFZ3
RkdxTzlYQkRyclFFclhnRXdqa1o3Z0kKLS0tIEFmNUFTWkl4K3dtTWhJK2ptWXpJ
NUdwczNJNDVEQkk5cnl4Mmh3UGMra1EKFEIbff+6kGo67KCd1Dj+dRaqlfM5Rmi5
MiYibYIb5Ff47HG/uEA/u5nt/DHE8yUGeBldbJoqE92arA18st8dgg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-27T13:58:51Z"
mac: ENC[AES256_GCM,data:uMCeMLYJrfAHQ037NZKmXTuPuZnSU1GOCFMsVE/xjGBkZnXJ4yYh3Fec3ncyuD0HWHgEeFGh4lRi3YNu6nkiK2R/mCrIrm4A3Ry0k0yGjam6Q8dfigaV9RkmMf50bV+JA6j03G5pxfyrBq5OTSWohYSmsvOTJXRKvIJalxfn+f0=,iv:AUcoar5Ls3qLtcg6WkHjElYefwsHN2GNKIMinvF0bps=,tag:qDCpTXRMsjS8880csWRTpw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,6 +1,7 @@
{
lib,
config,
pkgs,
modulesPath,
...
}: {
@ -9,10 +10,6 @@
sops
];
boot.extraModulePackages = with config.boot.kernelPackages; [
rtl88xxau-aircrack
];
sops = {
gnupg.sshKeyPaths = [];
age = {
@ -20,15 +17,27 @@
keyFile = "/iso/key";
};
secrets = {
home_ssid.sopsFile = lib.secrets.network-manager;
home_psk.sopsFile = lib.secrets.network-manager;
root-password = {
sopsFile = lib.secrets.users;
neededForUsers = true;
};
user-password = {
sopsFile = lib.secrets.users;
neededForUsers = true;
};
home-ssid.sopsFile = lib.secrets.network-manager;
home-psk.sopsFile = lib.secrets.network-manager;
};
templates.networkManager.content = ''
home_ssid="${config.sops.placeholder.home_ssid}"
home_psk="${config.sops.placeholder.home_psk}"
templates.network-manager.content = ''
home_ssid="${config.sops.placeholder.home-ssid}"
home_psk="${config.sops.placeholder.home-psk}"
'';
};
boot.extraModulePackages = with config.boot.kernelPackages; [
rtl88xxau-aircrack
];
networking = {
hostName = "dk1-iso";
wireless.enable = false;
@ -40,6 +49,12 @@
id = "home";
type = "wifi";
};
ipv4 = {
method = "manual";
address1 = "192.168.0.200/24";
gateway = "192.168.0.1";
dns = "192.168.0.1";
};
wifi = {
ssid = "$home_ssid";
mode = "infrastructure";
@ -50,8 +65,64 @@
psk = "$home_psk";
};
};
environmentFiles = [config.sops.templates.networkManager.path];
environmentFiles = [config.sops.templates.network-manager.path];
};
};
};
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "uk";
users = {
mutableUsers = false;
users = {
root = {
isSystemUser = true;
hashedPasswordFile = config.sops.secrets.root-password.path;
openssh.authorizedKeys.keys = with lib.sshKeys; [
lp1.user
lp2.user
];
};
user = {
isNormalUser = true;
extraGroups = ["wheel"];
hashedPasswordFile = config.sops.secrets.user-password.path;
openssh.authorizedKeys.keys = with lib.sshKeys; [
lp1.user
lp2.user
];
};
nixos.hashedPasswordFile = config.sops.secrets.user-password.path;
};
};
services = {
openssh = {
enable = true;
settings.PermitRootLogin = lib.mkForce "without-password";
};
getty = {
helpLine = lib.mkForce "";
autologinUser = lib.mkForce null;
};
};
nixpkgs.overlays = [lib.overlays.pkgs];
environment.systemPackages = with pkgs; [
git
my-vim
nixos-anywhere
];
nix.settings = {
trusted-users = ["root"];
experimental-features = [
"nix-command"
"flakes"
];
};
system.stateVersion = "24.11";
}
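Review bot: `settings.PermitRootLogin = lib.mkForce "without-password";` in the services block of the last hunk uses the spelling that OpenSSH deprecated in favour of `prohibit-password`; both mean key-only root login, so `settings.PermitRootLogin = lib.mkForce "prohibit-password";` is a wording change that matches current sshd_config documentation. The same hunk sets `nixos.hashedPasswordFile = config.sops.secrets.user-password.path;`, so the installer's `nixos` account and `user` share one hash; if that is intended, a comment such as `# installer's nixos account reuses user's password hash` would keep the next reader from treating it as a copy-paste slip. With `mutableUsers = false` and a hash assigned to root, root appears to remain able to log in on the console with that password while SSH is limited to the listed keys, which is worth stating in a comment on the `users` block so the two access paths are documented together.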


@ -3,7 +3,8 @@
disko,
impermanence,
sops-nix,
nixos-anywhere,
}: {
lib = import ./lib.nix {inherit nixos-config disko impermanence sops-nix;};
pkgs = import ./pkgs.nix {inherit nixos-config;};
pkgs = import ./pkgs.nix {inherit nixos-config nixos-anywhere;};
}


@ -1,4 +1,11 @@
{nixos-config}: final: prev: let
{
nixos-config,
nixos-anywhere,
}: final: prev: let
inherit (nixos-config) overlays packages;
in
packages.x86_64-linux // {lib = prev.lib.extend overlays.lib;}
packages.x86_64-linux
// {
lib = prev.lib.extend overlays.lib;
inherit (nixos-anywhere.packages.x86_64-linux) nixos-anywhere;
}
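Review bot: `inherit (nixos-anywhere.packages.x86_64-linux) nixos-anywhere;` hard-codes the system inside an overlay, which is a style point rather than a bug; an overlay already has `prev.stdenv.hostPlatform.system` in scope, so `inherit (nixos-anywhere.packages.${prev.stdenv.hostPlatform.system}) nixos-anywhere;` would keep the overlay usable on other systems. The pre-existing `packages.x86_64-linux` line has the same hard-coding, so this may be deliberate; a short comment stating that the overlay is x86_64-linux only would make that explicit.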