From caba04d49350194a8d86f5ec845242fc321f3f9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20SALVI?= Date: Wed, 23 Jul 2025 04:27:38 +0200 Subject: [PATCH] first commit --- README.md | 71 +++++++++++++++ flake.lock | 88 +++++++++++++++++++ flake.nix | 56 ++++++++++++ hosts/generic/default.nix | 88 +++++++++++++++++++ hosts/generic/disk-config.nix | 36 ++++++++ hosts/generic/hardware-configuration.nix | 17 ++++ hosts/test-kvm/default.nix | 44 ++++++++++ hosts/test-kvm/disk-config.nix | 36 ++++++++ hosts/test-kvm/hardware-configuration.nix | 29 ++++++ iso/config/nvim/init.lua | 102 ++++++++++++++++++++++ iso/customiso.nix | 87 ++++++++++++++++++ modules/core/default.nix | 10 +++ modules/core/grub.nix | 18 ++++ modules/core/packages.nix | 19 ++++ modules/core/users.nix | 27 ++++++ modules/optionnal/hosts/test-kvm.nix | 9 ++ modules/optionnal/sops-desktop.nix | 68 +++++++++++++++ modules/optionnal/sudo-nopasswd.nix | 24 +++++ 18 files changed, 829 insertions(+) create mode 100644 README.md create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/generic/default.nix create mode 100644 hosts/generic/disk-config.nix create mode 100644 hosts/generic/hardware-configuration.nix create mode 100644 hosts/test-kvm/default.nix create mode 100644 hosts/test-kvm/disk-config.nix create mode 100644 hosts/test-kvm/hardware-configuration.nix create mode 100644 iso/config/nvim/init.lua create mode 100644 iso/customiso.nix create mode 100644 modules/core/default.nix create mode 100644 modules/core/grub.nix create mode 100644 modules/core/packages.nix create mode 100644 modules/core/users.nix create mode 100644 modules/optionnal/hosts/test-kvm.nix create mode 100644 modules/optionnal/sops-desktop.nix create mode 100644 modules/optionnal/sudo-nopasswd.nix diff --git a/README.md b/README.md new file mode 100644 index 0000000..5175e83 --- /dev/null +++ b/README.md 
@@ -0,0 +1,71 @@ +# NixOS dotfiles + +## Structure des fichiers + ++ hosts +| | +| + generic <- Iso minimal pour nixos-anywhere +| | +| + myhost <- Tout ce qui est unique à une machine vient ici +| ++ modules +| | +| + core <- Modules partagés entre toutes les machines +| | +| + optionnal <- Modules pour au moins deux machines +| ++ flake.nix +| ++ custom.iso + +Si un seul fichier nix, pas de sous dossier (openfortivpn) +Si plusieurs fihchiers nix, un sous dossier (ex desktop) + +## Workflow + +1. Création d'une iso (push en ligne pour kexec) +2. Copie de l'iso sur le repo +3. nixos-anywhere (pour déployer une install minimale) +4. copie du disk-config.nix et du hardware-config.nix dans le dossier host qui va bien +5. deploy-rs pour push une config sur une image generic ou maj existant. + +## Création d'une iso + +``` +nixos-generate --format iso --configuration ./customiso.nix -o ~/Downloads/nixos.iso +``` + +si on veut utiliser kexec, il faut pousser l'iso en ligne pour que le serveur cible puisse la télécharger. + +## Nixos anywhere + +On ajoute à `~/.ssh/config` + +``` +nixos-anywhere --flake .#generic --target-host root@192.168.122.204 -i ~/.ssh/id_ed25519_beastie --generate-hardware-config nixos-generate-config ./hosts/generic/hardware-configuration.nix +``` + +si l'installation est en local, on peux créer le partitionnement avec la commande suivante : +``` +sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --yes-wipe-all-disks --mode destroy,format,mount ./disko.nix +``` +et faire une installation standard. +Le mieux est de download le repo et de faire un nixos-anywhere en ssh sur localhost ou depuis un autre pc + +Une fois la manipulation finie, on copie `hosts/generic` dans `hosts/hostname`. 
Ainsi, on garde le bon `disk-config.nix` et `hardware-configuration.nix` + +## déployer la bonne configuration + +Avant de déployer la configuration, il faut ajouter la clé sops-nix + +``` + +``` + +On édite `hosts/hostname/default.nix` et on inclus les bons modules. + +On lance le rebuild : + +``` +nixos-rebuild switch --flake ~/dev#test-kvm --target-host beastie@192.168.122.204 --sudo +``` diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..b123a59 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,88 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1752718651, + "narHash": "sha256-PkaR0qmyP9q/MDN3uYa+RLeBA0PjvEQiM0rTDDBXkL8=", + "owner": "nix-community", + "repo": "disko", + "rev": "d5ad4485e6f2edcc06751df65c5e16572877db88", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "mysecrets": { + "flake": false, + "locked": { + "lastModified": 1753141577, + "narHash": "sha256-MNbm7KCEqML5l72GppVoxXX03UtVGIzUsgaW+A+FBDQ=", + "ref": "main", + "rev": "c1edf4983cba959f93daa9c7ef0c1acbd958c755", + "shallow": true, + "type": "git", + "url": "ssh://gitea@git.unixyourbrain.org/beastie/nixos-secrets.git" + }, + "original": { + "ref": "main", + "shallow": true, + "type": "git", + "url": "ssh://gitea@git.unixyourbrain.org/beastie/nixos-secrets.git" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1752364307, + "narHash": "sha256-o0Cm4fhz/ukV/excbnwkRB2sqknenkb/0T4pcgXjrp0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b6071be3c0d9404113988e5e253eb6d71d1ddbef", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "mysecrets": "mysecrets", + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1752544651, + "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..09388a7 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,56 @@ +{ + description = "A very basic flake"; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + mysecrets = { + url = "git+ssh://gitea@git.unixyourbrain.org/beastie/nixos-secrets.git?ref=main&shallow=1"; + flake = false; + }; + }; + + outputs = + { ... }@inputs: + let + mkSystem = + pkgs: system: hostname: username: + pkgs.lib.nixosSystem { + # inherit system; + pkgs = import pkgs { + inherit system; + config.allowUnfree = true; + }; + specialArgs = { + inherit hostname username inputs; + }; + modules = [ + # General configuration, for all machines + inputs.sops-nix.nixosModules.sops + inputs.disko.nixosModules.disko + ./hosts/${hostname} + ]; + }; + + in + { + nixosConfigurations = { + #nixos-anywhere -- --flake './#generic' --generate-hardware-config nixos-generate-config ./hosts/generic/hardware-configuration.nix --target-host beastie@192.168.122.204 + generic = mkSystem inputs.nixpkgs "x86_64-linux" "generic" "beastie"; + test-kvm = mkSystem inputs.nixpkgs "x86_64-linux" "test-kvm" "beastie"; + # live-usb = mkSystem inputs.nixpkgs "x86_64-linux" "live-usb" "beastie"; + #nixos-rebuild switch --flake ./#home-nix --sudo + #home-nix = mkSystem inputs.nixpkgs "x86_64-linux" "home-nix" "beastie"; + }; + }; +} diff --git a/hosts/generic/default.nix b/hosts/generic/default.nix new file mode 100644 index 0000000..93c26f6 --- /dev/null +++ b/hosts/generic/default.nix 
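Review bot: The `mysecrets` input is a non-flake git checkout, so the whole `nixos-secrets.git` tree is copied into `/nix/store` on every machine that evaluates this flake, and `/nix/store` is world-readable; that repository must therefore contain only sops-encrypted files (plus `.sops.yaml`), and any plaintext key committed there would be exposed to every local user on every host. That invariant is not written down anywhere; a comment on the input such as `# copied verbatim into /nix/store (world-readable): encrypted files only` would make it explicit. `config.allowUnfree = true` inside `mkSystem` also applies to every host unconditionally, which is fine if intended but deserves a one-line note, since the alternative is a per-host `nixpkgs.config.allowUnfreePredicate`.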
@@ -0,0 +1,88 @@
+{
+ pkgs,
+ username,
+ hostname,
+ ...
+}:
+{
+ imports = [
+ ./disk-config.nix
+ ./hardware-configuration.nix
+ ../../modules/core/grub.nix
+ ../../modules/optionnal/sops-desktop.nix
+ ];
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ time.timeZone = "Europe/Paris";
+
+ nix = {
+ settings = {
+ ## Enable flakes
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ ## Users trusted to use flake command
+ trusted-users = [
+ "root"
+ "${username}"
+ ];
+ };
+ };
+
+ users.users = {
+ ${username} = {
+ isNormalUser = true;
+ createHome = true;
+ description = "Admin account";
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
+ ];
+ };
+ root = {
+ password = null;
+ };
+ };
+
+ system.activationScripts.setup-ssh-keys = {
+ text = ''
+ mkdir -p /home/${username}/.ssh
+ chown ${username}:users /home/${username}/.ssh
+ chmod 700 /home/${username}/.ssh
+ '';
+ };
+
+ security.sudo = {
+ enable = true;
+ extraRules = [
+ {
+ users = [ "${username}" ];
+ host = "ALL";
+ runAs = "ALL:ALL";
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+ #extraConfig = "#includedir /etc/sudoers.d";
+ };
+ environment.systemPackages = [
+ pkgs.neovim
+ pkgs.git
+ pkgs.curl
+ pkgs.nixos-anywhere
+ pkgs.nixos-generators
+ ];
+
+ services.openssh.enable = true;
+
+ networking.hostName = "${hostname}";
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/generic/disk-config.nix b/hosts/generic/disk-config.nix
new file mode 100644
index 0000000..bc5f3a2
--- /dev/null
+++ b/hosts/generic/disk-config.nix
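Review bot: `services.openssh.enable = true;` leaves sshd on NixOS defaults, which as far as I know still allow password and keyboard-interactive authentication, while the only credential this host is meant to accept is the single ed25519 key in `openssh.authorizedKeys.keys` — and that key-holder also gets `NOPASSWD` sudo for `ALL`, so the SSH daemon is the whole perimeter. Pin it to key-only auth: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`. The inline `security.sudo.extraRules` block (including the dead `#extraConfig` line) is byte-identical to `modules/optionnal/sudo-nopasswd.nix` added in this same commit; importing that module instead leaves one rule to audit. The `setup-ssh-keys` activation script declares no `deps`, so its order relative to sops-nix's secret installation (which creates symlinks under `/home/${username}/.ssh/`) is unspecified; if its purpose is to fix ownership of that directory, a comment saying so would stop someone from "cleaning it up".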
@@ -0,0 +1,36 @@ +{ + ... +}: +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/vda"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + type = "8300"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/generic/hardware-configuration.nix b/hosts/generic/hardware-configuration.nix new file mode 100644 index 0000000..85f3eaf --- /dev/null +++ b/hosts/generic/hardware-configuration.nix @@ -0,0 +1,17 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/test-kvm/default.nix b/hosts/test-kvm/default.nix new file mode 100644 index 0000000..19bdba9 --- /dev/null +++ b/hosts/test-kvm/default.nix 
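Review bot: The root partition is formatted directly (`type = "filesystem"; format = "btrfs"`) with no encryption layer, yet this host imports `sops-desktop.nix`, so the age key under `/var/lib/sops-nix/` and the host SSH key that decrypts every secret in the repo sit in plaintext on that disk next to the world-readable encrypted repo in `/nix/store`; whoever obtains the disk image recovers the user password hash and all deployed SSH private keys. For anything beyond a throwaway test VM, wrap the partition in a LUKS container (disko `content = { type = "luks"; ... }` with the btrfs filesystem nested inside). `device = "/dev/vda";` is also a virtio-specific name; a header comment stating that this file is meant to be regenerated per host (the README describes that workflow) would prevent it being copied verbatim to bare metal, where `/dev/vda` does not exist and `--yes-wipe-all-disks` would then hit the wrong device.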
@@ -0,0 +1,44 @@ +{ + pkgs, + username, + hostname, + modulesPath, + inputs, + ... +}: +let +in +{ + imports = builtins.trace "${inputs.mysecrets}" [ + (modulesPath + "/installer/scan/not-detected.nix") + ./disk-config.nix + ./hardware-configuration.nix + ../../modules/core + ../../modules/optionnal/hosts/${hostname}.nix + ]; + + boot.kernelPackages = pkgs.linuxPackages_latest; + + time.timeZone = "Europe/Paris"; + + nix = { + settings = { + ## Enable flakes + experimental-features = [ + "nix-command" + "flakes" + ]; + ## Users trusted to use flake command + trusted-users = [ + "root" + "${username}" + ]; + }; + }; + + services.openssh.enable = true; + + networking.hostName = "${hostname}"; + + system.stateVersion = "25.11"; +} diff --git a/hosts/test-kvm/disk-config.nix b/hosts/test-kvm/disk-config.nix new file mode 100644 index 0000000..bc5f3a2 --- /dev/null +++ b/hosts/test-kvm/disk-config.nix @@ -0,0 +1,36 @@ +{ + ... +}: +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/vda"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + type = "8300"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/test-kvm/hardware-configuration.nix b/hosts/test-kvm/hardware-configuration.nix new file mode 100644 index 0000000..f5b54dc --- /dev/null +++ b/hosts/test-kvm/hardware-configuration.nix 
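Review bot: `imports = builtins.trace "${inputs.mysecrets}" [ ... ]` is a leftover debug trace: it prints the store path of the secrets checkout to stderr on every evaluation, including in deploy and CI logs, and it is exactly the kind of line that survives copy-paste into the next host file; reduce it to `imports = [`. The empty `let in` above it is likewise scaffolding. The `nix.settings`, `boot.kernelPackages`, `time.timeZone` and `services.openssh.enable` stanzas are duplicated verbatim from `hosts/generic/default.nix`; moving them into `modules/core` keeps the two hosts from drifting, which matters most for the sshd settings since that is where hardening will need to land once.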
@@ -0,0 +1,29 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "ahci" + "xhci_pci" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/iso/config/nvim/init.lua b/iso/config/nvim/init.lua new file mode 100644 index 0000000..ade0bf8 --- /dev/null +++ b/iso/config/nvim/init.lua 
@@ -0,0 +1,102 @@ +vim.g.mapleader = " " +vim.opt.title = true +vim.opt.mouse = "" +vim.opt.wrap = true +vim.opt.fileencoding = "utf-8" +vim.opt.clipboard = "unnamedplus" +vim.opt.completeopt = { "menu", "menuone", "preview", "noselect" } +vim.opt.termguicolors = false +vim.opt.laststatus = 3 +--- Search +vim.opt.ignorecase = true +vim.opt.smartcase = true +--- Numbers +vim.opt.number = true +vim.opt.relativenumber = true +--- Tab Options +vim.opt.smartindent = true +vim.opt.smarttab = true +vim.opt.expandtab = true +vim.opt.tabstop = 2 +vim.opt.shiftwidth = 2 +vim.opt.softtabstop = 2 +vim.opt.showtabline = 2 +--- Explorer +vim.g.netrw_banner = 0 +vim.g.netrw_browse_split = 4 +vim.g.netrw_altv = 1 +vim.g.netrw_liststyle = 3 +vim.g.netrw_winsize = 20 +vim.opt.scrolloff = 6 +vim.opt.sidescrolloff = 8 +--- Swapfile +vim.opt.swapfile = false +vim.opt.backup = false +--- Keymap +-- Resource +vim.keymap.set("n", "r", ":source ~/.config/nvim/init.lua") +-- Explorer +vim.keymap.set("n", "", ":Lexplore") +-- Windows +vim.keymap.set("n", "", "h") +vim.keymap.set("n", "", "l") +vim.keymap.set("n", "", "k") +vim.keymap.set("n", "", "j") +-- Resize +vim.keymap.set("n", "-", ":vertical resize -3") +vim.keymap.set("n", "+", ":vertical resize +3") +-- Buffer +vim.keymap.set("n", "", ":buffer ") +-- Tabs +vim.keymap.set("n", "tn", ":tabnew") +vim.keymap.set("n", "tc", ":tabclose") +vim.keymap.set("n", "", ":tabnext") +-- Cheatsheet +vim.keymap.set("n", "", ":terminal ~/.config/nvim/nvim_help.shi") +-- No highlight +vim.keymap.set("n", "nh", ":nohl") + +--- Automaticly close brackets +vim.keymap.set("i", "'", "''") +vim.keymap.set("i", "\"", "\"\"") +vim.keymap.set("i", "(", "()") +vim.keymap.set("i", "{", "{}") +vim.keymap.set("i", "[", "[]") + +--- Statusline +vim.cmd("highlight StatusNormal ctermbg=blue ctermfg=black") +vim.cmd("highlight StatusModified ctermbg=red ctermfg=black") +vim.cmd("highlight StatusGitBranch ctermbg=yellow ctermfg=black") +vim.cmd("highlight 
StatusGitDiffAdd ctermbg=green ctermfg=black") +vim.cmd("highlight StatusGitdiffRemove ctermbg=red ctermfg=black") + +local function command(cmd) + local handle = io.popen(cmd) + local result = handle:read() + handle:close() + return result or "" +end + +vim.o.statusline = "%#StatusNormal# " + .. "%#StatusGitBranch#" + .. command("git branch 2> /dev/null | sed -e 's/..//'") + .. "%#StatusNormal# " + .. "%#StatusGitDiffAdd#" + .. command("git diff --numstat | awk '{print \"+\"$1}'") + .. "%#StatusNormal# " + .. "%#StatusGitDiffRemove#" + .. command("git diff --numstat | awk '{print \"-\"$2}'") + .. "%#StatusNormal# " + .. ">>" + .. " %F " + .. "%#StatusModified#" + .. "%M" + .. "%#StatusNormal#" + .. " >>" + .. "%=" + .. "<<" + .. " %Y " + .. "<<" + .. " %l,%c " + .. "<<" + .. " %p%% " diff --git a/iso/customiso.nix b/iso/customiso.nix new file mode 100644 index 0000000..61b2452 --- /dev/null +++ b/iso/customiso.nix 
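Review bot: The `command()` helper runs `git branch` and `git diff --numstat` through `io.popen` at load time in whatever directory nvim was started — on a rescue ISO that is frequently a foreign checkout, and git honours that checkout's `.git/config` (`core.hooksPath`, `core.fsmonitor`, external diff drivers), so merely opening the editor can execute code from the repository being inspected; git's `safe.directory` check only intervenes when the repo is owned by a different user. If the status line is worth keeping, run git with `-c core.fsmonitor=false -c core.hooksPath=/dev/null --no-ext-diff` or gate it behind an explicit opt-in. Separately, `io.popen` may return `nil`, in which case `handle:read()` throws before the `result or ""` guard applies; `if not handle then return "" end` covers it. Note also that these values are computed once when `init.lua` is sourced, so the branch and `+/-` counts in `vim.o.statusline` never refresh.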
@@ -0,0 +1,87 @@
+{
+ pkgs,
+ modulesPath,
+ lib,
+ ...
+}:
+{
+ imports = [
+ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+ ];
+
+ # Use the latest Linux kernel
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # Create admin user
+ users.users = {
+ nixos = {
+ isNormalUser = true;
+ description = "Admin account";
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
+ ];
+ };
+ root = {
+ password = null;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
+ ];
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+
+ # Allow sudo from admin user without password
+ security.sudo = {
+ enable = true;
+ extraRules = [
+ {
+ users = [ "nixos" ];
+ host = "ALL";
+ runAs = "ALL:ALL";
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+ };
+
+ # Packages for maintenance mode
+ environment.systemPackages = [
+ pkgs.neovim
+ pkgs.git
+ pkgs.curl
+ pkgs.nixos-anywhere
+ pkgs.nixos-generators
+ ];
+
+ # Needed for https://github.com/NixOS/nixpkgs/issues/58959
+ boot.supportedFilesystems = lib.mkForce [
+ "btrfs"
+ "reiserfs"
+ "vfat"
+ "f2fs"
+ "xfs"
+ "ntfs"
+ "cifs"
+ "nfs"
+ ];
+
+ environment.etc."xdg/nvim/init.lua" = {
+ source = ./config/nvim/init.lua;
+ mode = "0440";
+ };
+}
+
+# Config nvim
diff --git a/modules/core/default.nix b/modules/core/default.nix
new file mode 100644
index 0000000..54ba2e8
--- /dev/null
+++ b/modules/core/default.nix
@@ -0,0 +1,10 @@
+{
+ ...
+}:
+{
+ imports = [
+ ./grub.nix
+ ./packages.nix
+ ./users.nix
+ ];
+}
diff --git a/modules/core/grub.nix b/modules/core/grub.nix
new file mode 100644
index 0000000..4c76d7a
--- /dev/null
+++ b/modules/core/grub.nix
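Review bot: `environment.etc."xdg/nvim/init.lua".mode = "0440"` yields a root-owned file readable only by root and group root, so the unprivileged `nixos` account this image creates cannot read the system-wide init.lua it is meant to ship; a config file under `/etc` should be `mode = "0444";`. On authentication, the installer profile this file imports gives `nixos` (and, as far as I recall, `root`) an empty `initialHashedPassword`, and NixOS's sshd defaults keep password and keyboard-interactive auth enabled; `PermitRootLogin = "prohibit-password"` covers root, but belt-and-braces the `nixos` account too with `settings = { PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`. Also worth checking: the installation-device profile historically unsets sshd's `wantedBy` so it is not autostarted, and `services.openssh.enable = true` alone would not change that — if nixos-anywhere is expected to reach this ISO unattended, confirm sshd actually comes up. The sudo rule is the third verbatim copy of the same `NOPASSWD` block in this commit; a comment on why root additionally carries its own authorized key (nixos-anywhere can work through the sudo-capable `nixos` user) would tell the next reader whether it can be dropped.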
@@ -0,0 +1,18 @@
+{
+ ...
+}:
+{
+ ## Configure boot loader
+ boot.loader = {
+ # Use grub without NVRAM
+ grub = {
+ enable = true;
+ efiSupport = true;
+ device = "nodev";
+ efiInstallAsRemovable = true;
+ useOSProber = true;
+ };
+ # Do not edit NVRAM
+ efi.canTouchEfiVariables = false;
+ };
+}
diff --git a/modules/core/packages.nix b/modules/core/packages.nix
new file mode 100644
index 0000000..263ab08
--- /dev/null
+++ b/modules/core/packages.nix
@@ -0,0 +1,19 @@
+{
+ pkgs,
+ ...
+}:
+{
+ environment.systemPackages = [
+ pkgs.curl
+ pkgs.pciutils
+ # pkgs.clinfo <- IDC info, move to GPU
+ pkgs.git
+ pkgs.htop
+ pkgs.killall
+ pkgs.bind
+ pkgs.git
+ pkgs.neovim
+ pkgs.unzip
+
+ ];
+}
diff --git a/modules/core/users.nix b/modules/core/users.nix
new file mode 100644
index 0000000..d09c805
--- /dev/null
+++ b/modules/core/users.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ username,
+ ...
+}:
+{
+ users = {
+ users = {
+ ${username} = {
+ isNormalUser = true;
+ createHome = true;
+ hashedPasswordFile = config.sops.secrets."users_password/beastie".path;
+ description = "Admin account";
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
+ ];
+ };
+ root = {
+ password = null;
+ };
+ };
+ mutableUsers = false;
+ };
+}
diff --git a/modules/optionnal/hosts/test-kvm.nix b/modules/optionnal/hosts/test-kvm.nix
new file mode 100644
index 0000000..68192c1
--- /dev/null
+++ b/modules/optionnal/hosts/test-kvm.nix
@@ -0,0 +1,9 @@
+{
+ ...
+}:
+{
+ imports = [
+ ../sops-desktop.nix
+ ../sudo-nopasswd.nix
+ ];
+}
diff --git a/modules/optionnal/sops-desktop.nix b/modules/optionnal/sops-desktop.nix
new file mode 100644
index 0000000..8aade6e
--- /dev/null
+++ b/modules/optionnal/sops-desktop.nix
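Review bot: `useOSProber = true;` makes every `nixos-rebuild` run os-prober, which mounts and scans every other block device it can find looking for foreign operating systems; on a headless server or VM with a single disk that is wasted work and an unnecessary interaction with attached disks, so it should be off unless a dual-boot host is actually planned. A short header comment would also help, since the `device = "nodev"` / `efiInstallAsRemovable = true` / `canTouchEfiVariables = false` trio is deliberate but non-obvious: `# EFI GRUB installed to the removable-media path so no firmware NVRAM writes are needed (VMs, cloned disks)`.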
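Review bot: `pkgs.git` is listed twice in `environment.systemPackages` (after `pkgs.pciutils` and again after `pkgs.bind`); Nix tolerates the duplicate but it reads as a merge slip and one should go. The stray blank line before `];` and the `# pkgs.clinfo <- IDC info, move to GPU` note suggest the list is still being sorted; a one-line header such as `# baseline CLI tooling installed on every host` would state the module's scope.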
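Review bot: `hashedPasswordFile = config.sops.secrets."users_password/beastie".path;` hard-codes the `beastie` secret while the account itself is created from the `${username}` argument, so calling `mkSystem` with any other username would silently give that account beastie's password hash; use `"users_password/${username}"` and name the secret the same way in `sops-desktop.nix`. `mutableUsers = false` combined with `root.password = null` leaves root with no usable password and no authorized keys, which is the right posture here but is easily mistaken for an omission — say so: `# root is locked: no password, no SSH keys; escalate through wheel`. The same `ssh-ed25519` literal now lives in three files in this commit; lifting it into one shared value (a `let` in `modules/core`, or a small `ssh-keys.nix`) turns key rotation into a single edit.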
@@ -0,0 +1,68 @@
+{
+ inputs,
+ username,
+ ...
+}:
+let
+ secretsPath = builtins.toString inputs.mysecrets;
+in
+{
+ sops = {
+ defaultSopsFile = "${secretsPath}/secrets.yaml";
+ age = {
+ sshKeyPaths = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+
+ secrets = {
+ "ldap_password/beastie" = {
+ };
+ "users_password/beastie" = {
+ neededForUsers = true;
+ };
+ "ssh_keys/default_pub" = {
+ owner = "${username}";
+ mode = "0644";
+ path = "/home/${username}/.ssh/id_ed25519.pub";
+ };
+ "ssh_keys/default_priv" = {
+ owner = "${username}";
+ mode = "0600";
+ path = "/home/${username}/.ssh/id_ed25519";
+ };
+ "ssh_keys/ansible_pub" = {
+ owner = "${username}";
+ mode = "0644";
+ path = "/home/${username}/.ssh/id_ed25519_ansible.pub";
+ };
+ "ssh_keys/ansible_priv" = {
+ owner = "${username}";
+ mode = "0600";
+ path = "/home/${username}/.ssh/id_ed25519_ansible";
+ };
+ "ssh_keys/beastie_pub" = {
+ owner = "${username}";
+ mode = "0644";
+ path = "/home/${username}/.ssh/id_ed25519_beastie.pub";
+ };
+ "ssh_keys/beastie_priv" = {
+ owner = "${username}";
+ mode = "0600";
+ path = "/home/${username}/.ssh/id_ed25519_beastie";
+ };
+ "ssh_keys/gitea_semaphore_pub" = {
+ owner = "${username}";
+ mode = "0644";
+ path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore.pub";
+ };
+ "ssh_keys/gitea_semaphore_priv" = {
+ owner = "${username}";
+ mode = "0600";
+ path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore";
+ };
+ };
+ };
+}
diff --git a/modules/optionnal/sudo-nopasswd.nix b/modules/optionnal/sudo-nopasswd.nix
new file mode 100644
index 0000000..738a323
--- /dev/null
+++ b/modules/optionnal/sudo-nopasswd.nix
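Review bot: Every key under `sops.secrets` is hard-wired to `beastie` (`users_password/beastie`, `ssh_keys/beastie_priv`, …) while the install paths are built from `${username}`, so the module's `username` parameter is only half-honoured; either derive the secret names from `${username}` as well or state in a header comment that this module is specific to that one account. The private-key entries are correctly `0600`, and if I read sops-nix's `path` option right they are installed as symlinks into `/run/secrets` (tmpfs) rather than copies in the home directory — worth a comment, since a reader seeing `path = "/home/…/.ssh/id_ed25519"` will assume key material is written to disk. `"ldap_password/beastie" = { };` is declared root-only (no `owner`) and nothing in this commit consumes it; wire it up or leave a `# consumed by <service>` note so it is not taken for dead config. Finally, `generateKey = true` creates a random age key at `keyFile` on first boot that is not a recipient in the secrets repo, so decryption on a fresh host depends entirely on `ssh_host_ed25519_key` being enrolled in `.sops.yaml`; a comment naming that as the real trust anchor would save someone a debugging session.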
@@ -0,0 +1,24 @@
+{
+ username,
+ ...
+}:
+{
+ # https://dev.to/patimapoochai/how-to-edit-the-sudoers-file-in-nixos-with-examples-4k34
+ security.sudo = {
+ enable = true;
+ extraRules = [
+ {
+ users = [ "${username}" ];
+ host = "ALL";
+ runAs = "ALL:ALL";
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+ #extraConfig = "#includedir /etc/sudoers.d";
+ };
+}
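Review bot: `runAs = "ALL:ALL"` with `command = "ALL"` and `NOPASSWD` makes the account's sops-managed password irrelevant for privilege escalation: any process running as `${username}` — a forwarded agent session, a compromised editor plugin, the git hooks of a cloned repo — is root with no prompt and no second factor. If the motivation is unattended `nixos-rebuild --target-host … --sudo` / deploy-rs, the header comment should say so and the rule should be as narrow as that tooling allows (sudoers accepts globs such as `/nix/store/*/bin/switch-to-configuration`, though `nix-env` is needed too, so test before tightening); `security.sudo.execWheelOnly = true;` is a cheap companion hardening either way. The commented-out `#extraConfig = "#includedir /etc/sudoers.d";` is dead text that also appears verbatim in `hosts/generic/default.nix`; delete it or explain why it is kept. Replace the dev.to link with a sentence of intent — links rot, and the reader needs to know *why* this host trades the password prompt away, not how sudoers syntax works.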