ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

gpdPocket3 updates

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2024-04-25 19:22:42 -05:00
parent 57090ccde1
commit 160b567583
5 changed files with 79 additions and 94 deletions
Download patch file Download diff file Expand all files Collapse all files

36
readme.md
View file

@ -7,32 +7,21 @@ export HOSTNAME=desired_hostname_for_this_machine (___)
export USERNAME=desired_username_for_admin_on_this_machine (josh) export USERNAME=desired_username_for_admin_on_this_machine (josh)
- Follow nixos installation guide: https://nixos.wiki/wiki/NixOS_Installation_Guide - Follow nixos installation guide: https://nixos.wiki/wiki/NixOS_Installation_Guide
- Follow until the config is generated - Follow until the config is generated
- in hardware-configuration change to use by-labels - `curl -O https://share.joshuabell.link/nix/onboard.sh && chmod +x onboard.sh && ./onboard.sh`
```sh
# TODO command to do this in one line
```
- in configuration.nix
- set networking.hostname to HOSTNAME
- enable networkmanager
- uncomment systemPackages and add: `git` `curl`
- add `nix.settings.experimental-features = [ "nix-command" "flakes" ];`
- add `users.users.USERNAME = { ... todo, just enough to get to git clone the real nixos config into its home .config folder }
```
users.users.josh = {
initialPassword = "password1";
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "video" "input" ];
};
```
- TODO add whatever is needed for default pubkeys for onboarding later
- Install nixos: `cd /mnt` `sudo nixos-install`
- `passwd` to change root password (if not already prompted to do so)
- `reboot` - `reboot`
- login to USERNAME and git clone nixos-config `git clone __ ~/.config/nixos-config` - log into USERNAME with `password1`, use `passwd` to change the password
- Copy public keys into secrets.nix file
- `cat /etc/ssh/ssh_host_ed25519_key.pub ~/.ssh/id_ed25519.pub`
- git clone nixos-config `git clone https://github.com/RingOfStorms/dotfiles.git ~/.config/nixos-config`
- `sudo nixos-rebuild switch --flake ~/.config/nixos-config`
- TODO ONBOARD NEW MACHINE CONFIGS, secrets, etc - TODO ONBOARD NEW MACHINE CONFIGS, secrets, etc
- use hostname to make new folders in the repo, copy hardware config, and create config from template. Update flake.nix with top level info needed for this system with ARCH detected. - use hostname to make new folders in the repo, copy hardware config, and create config from template. Update flake.nix with top level info needed for this system with ARCH detected.
- Copy public keys into secrets.nix file - Copy public keys into secrets.nix file
- push changes - `cat /etc/ssh/ssh_host_ed25519_key.pub ~/.ssh/id_ed25519.pub`
- `git commit -a --author="Bot <bot@joshuabell.dev>" --email="bot@joshuabell.dev" -m "secrets update"`
- rekey system with another onboarded device... (make this offlinable?), push there, pull here - rekey system with another onboarded device... (make this offlinable?), push there, pull here
- `sudo nixos-rebuild switch --flake ~/.config/nixos-config` - `sudo nixos-rebuild switch --flake ~/.config/nixos-config`
- reboot? done - reboot? done
@ -44,6 +33,9 @@ users.users.josh = {
### ###
### ###
###
###
###
# First Install on new Machine # First Install on new Machine

49
secrets/nix2bitbucket.age
View file

@ -1,27 +1,26 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBvdm8z YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBKcjFv
MGkweENnTjlxK3lubmtXUlRHUDJLOTM0MGRJQmtOUXZpSG1IUlJZClY1amJtdkZw ZU9GWjZUbUUvS3NqTWM3c3BVM0NiTzJHV3c1WlEzTVR3NC9xMVVFClI4Y0V2RGo0
T3dWRnBqdFVlRGpxQWFydUJUcm9hRTI0WHYrVjh3ZVE5bUEKLT4gc3NoLWVkMjU1 bHBOTFNxSkRybXI5R3RqWmdhUER2VTlPU2VMSkk0NFZQWVUKLT4gc3NoLWVkMjU1
MTkgSjkxOXNRIGZQWG85d0lzZWVtWG4weXRBY0ZoQVN6WmdEemtxa2FpYm1FRHND MTkgSmh2TCtRIGJXU3oyM3cxejlwbkxZMzJ0K3ZVcGVKOVNoUHNWaXQvVkNQcHo3
SXZSd2cKbWRLbUdrTm1oMFZtNnR6eDU4ckJOK2RyTENnV1NaWjlSVTZ5eEhOQ0N0 ajZxZ3cKSGhkeVlvRXdLeDVsSEtvbjk3b1Y0amkra2V4Q0tpejhOOG5DMWVtRk5h
dwotPiBzc2gtZWQyNTUxOSBlNmUwbFEgNzJ1TG5rbllNaThwTDNtZmdVSHZuK2hp YwotPiBzc2gtZWQyNTUxOSBTcENqQlEgak1pN0NFdzRSTHZWSmVQUTliN2N2dUNF
MWw5TFJZbEtOdHdmY2g5VittWQpHRjdMelI3TURuYUYwVXFRSWVHeU1UUzRUaDFh TlZZMDZIR0Jibzd2bWR0QmlFcwpES3c4RFVPQmJPMUIyRUN2RXp3T29LOVh6Zndx
SDVWR3pmV1gvMkV2c1NBCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBXUWFJc2ljM0Nr dEVtTU83VHVONWdGQy84Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBKOU00NFp3eUNF
cUJxVWJrSjVvWkE5MnV6SmpWYit4dnZraWxJQTYwelYwClNzSGhOWGFXcXVyc3pq eisreEdWWit0NnVUWEFXSlljWWw0ZWVLdzQxY0RQMG1BCnlHaTFyT0tDelRPRTR2
bVBzeW1UNE1RdUU4SWZEd1FwUmhkb1lmKzRKalkKLT4gc3NoLWVkMjU1MTkgWHpm V1pJQ2pYY1NocDIxYnVjcnlER3ZLemFQLzRDS0UKLT4gc3NoLWVkMjU1MTkgWHpm
bWFRIFk2SkxTRjBUNUhLdDZIbituV3BGckVoaEZsSnkrQVpRQ1I1QkZmaURWR1UK bWFRIEgvTXMvaFVtakZ3TWpJL21UdUV5dUxzRHkvWkc2NUhTMnQyNDhQZVByam8K
aUpmbm1TUDlFYTBXZ2EvSWxPWmh5S0prTE5CcTFPanlZSDFpOFhtbEVEZwotPiAi ZElhLzk3RUJaUHpTbzJYY1ZobmZhOHBvbkpOSjVYalc3WEJPSk1HMzBNWQotPiA3
MXYrOyVZby1ncmVhc2Ugdk1fOlIoIG9WIHFmOiBeImc1Cis0bnA0a3UvU2tlZUJl U1EzRC1ncmVhc2UgSCB9RmJbWypMIFBEZk1lWyBQYiM4PwpTb0VVa1AxNzUybmJC
REFJa2owa056UEhGbTh6ZWdtM1VpY1pJZDdpL3Q3L0gvRTJMRnQzcjNsUFY5VHZh eHJVRG5YZDNacWtMY0FNL3JoQ1EzRVl5TGhsCi0tLSBEc2xpOW5abXJKcDN5V3Y2
dVUKREE1MzF4eEtIQmh0MU1uK2NMSWtFVk0zTGxxd0sxcDhtUmhpencKLS0tIElt QnRYZEFtQVpxUzJlc3BjZHgrSXlVK21vOXdBCuechgwjNXeTperxwDba+R23mtp7
c2taOFBaWndsV0FhdXhtdy9JeFJTbFNJQ21iclI4UXVnZmZzZnlXWG8KU47pTls2 YfhBuIGYQoUMRVjhYNQ96V8iDojg7fgd/MLd8j2WVgIyWSG11wvYzNZanvXtpSLA
3ZARHmIb7/3fPTn3a5wwOmV8x4jqz+IfKcmSapkLn2y0PIptecAHSIm+a6CgkH8i rMzyy3DTGVQow/RxLcmCNOo/f81pLqdX89wlUhXVg8SRs/w/2kITY9eOWm7K8c8f
ZA/qvrB/m5AYfAIUVcbhpb6zT1jj4K1ZqY1yUP8BeCOa+wrZeiOkcGkAxtzvKIF7 PpzGvEzFVXq64PxjA7h113kjB5iknJb7UGXP8tDzFUJeAOA0yEHoLLfOSGSqscrO
4GCz92dpEayxsdFLgQKJpG+37hyWP1dlASTnk114/Nv99wGR8HG+Bg85eY2PWluz xkCwtgm7R06cp0WG1qD6AfEhUPrNLdlSxOnxwJLq9DA9WCtVjuVvg+TJd4hIZAZZ
hLI8dVKPURDmwQcXRionE8IjnEmSHI6XdggMAQwB0mh6AZRZFzK76Flb1Fr7C/fQ DC0D9kpFgjf+FD0cSMdGtlroVBeRbZNbdj+Tdhf7FFjj5tfSCMSjitqCkT2JXAWG
8ecNbhvxPUDxPNYVLpN7EGyaPiMbpxOVd8HYWfCcJWQoqGBFNUXaQI3pSy68zVQh 3KXAGGi4OJ9tumT7WHqDtVTZ0ZnxgfRXRKuJ0aIiV4mtVXoF7UypGT1sGL1L7gVl
cw+DJX6dCO7e4K+BDugS6CY2skvf58TVX0dq3SZ6dMJhtz/hCNdsnb0qVnjnSdUF A3t8xVo/pQa78RyuqlnNfewHpTKeGzedRWeQLl2pGYehXZlxZ+dWFQiwWzqo0rUW
PK06nlRRxwNwJt8m1ar+3a85gkt3/U1t2hIT5dUVtRxD4OEr5fZbtZQfVvaYclVk ghGNXPnmrYfKQiFOQs8GXOWk5AMo2+kLfWpSpyQb4ZBV43vWRoD4OvYzkAKobQZW
YbGgCWIoq4DYhNc10lwvMfq22uj1LaewEpgJKMGNQezfXf4LkDK5knnlCoaxFCpL fyACTksnZ1+GcsEJkz/j+otnQawPODQswyAz
E4DWpCI9HfZAaqElLApqdfoslkK/14Cs3BLGC0PM9/3pNP9bAyaMwMA=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

47
secrets/nix2github.age
View file

@ -1,26 +1,25 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBDVnVp YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USA5K2pi
ck9SRFpLSkY1MFo0cXNERWlPRi9zcHhNbHdlYVJzcWE1YmZScjFrCjEyTmtLOUkr Uklvd2ZvQTl4c3MvR1UxSW1hbDd2Vm52WThnek5BZWJ6MW51VEZVCjJmOU1KQVRH
VW5HZzdrOHFvWWs1bGFjS0FBd1kwTzA4ZEZSUVVMWWtWaDgKLT4gc3NoLWVkMjU1 Ymt2Mjc2Si9lYnlCVkkyOGVqYi9YWGdiNXNGTlRIbHhkOXcKLT4gc3NoLWVkMjU1
MTkgSjkxOXNRIDY1T00vYVN0Nm5sbEMrcEw4VzIzV241Um1QZHpnS1dSaWJYN3FF MTkgSmh2TCtRIDVxRDdtTnRlRDdZblp1ZWpCY3d0K004ZXBlZlBrNk1YbzR6VW42
S2pNRjQKQmxzaE9pTlI5L2E0NTZvNlp4QWJ0MXJHdmlwNS9HU3MzQ0NrRnJ5cjJC RkUveWMKVFErQ2ZFa21jMnRZN01pQ3lFcGh0aE41Q2N1K1RBVzdUcDhWb2ZDUmky
awotPiBzc2gtZWQyNTUxOSBlNmUwbFEgcmQyVld2b0JKbUcrWDBxZHdJNDVESU9y UQotPiBzc2gtZWQyNTUxOSBTcENqQlEgc0VHY2loWUE1bE1SWGFnK3NNd05MRWZn
Qk13Y3hicGNFV0tjMHhYQjF6dwpLSDc4VW14NVVEV21oQldHWEVxWXcwRFViTGFv aVF5YkZDSmdYS1hyUitOcnNVOApoc3ZYVEkwK0s2RGFSKzJFYVF2RTZnMTZKNGow
LzhhcjRPdlZKTWZQS3U0Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBsL3lwTURwT1Z0 NHI5MUZqL0JTY3ZNaE9ZCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBQT1g3UE5FMzhD
Vmt0czdNMk9scDZPdzJtbUNyalNhR242c0k3WTJEcmlZCmxnRDBSREFQdFB0dHFI RGYyY1Z5ak50WWZIMXJ2blZJbHF6YXIzaE1yR010RlMwCjl5SGdWZXQzN3pxQVlV
aU13NjlYeDIrUlB5WmUvZ21takkybHE3M1VlSXcKLT4gc3NoLWVkMjU1MTkgWHpm dThjdVZoa0JjMEZkU1Z6M1EzaFBHRnc2WjIrT2sKLT4gc3NoLWVkMjU1MTkgWHpm
bWFRIFhhaVA1aTUzNnFQeDZIaWV4VFZpa2pyVFIzTDJCSGhxMHpUaDNzRnlOVG8K bWFRIEJiekNLbnJJTnBhbXJRTG5PbEV2aXduUlpWeGVUbU1pU0FsV1lIdDVqeGsK
ZkNPbTd5ZEUweld3bUdRNFdkZkVuK3Jtamx5Y3lSbkxFMWs5VjhKenVkawotPiBK eWRib0M5OVpZLy9vVWlPZGlZSmpYbTdKT0laTXVPUDVETERWL3JaSkUvYwotPiBz
W1ZLNC1ncmVhc2UgZF9aNUhAdgowTHowdTVwbnM1YmJzL1VoSUlvOXpxT2lDQ21o cy1ncmVhc2UgOjtIXSUlIEQjaSA8KztFCkF2cFlySW9XcEEKLS0tIEJ3Nkt2eUpx
bmlzWkJrc21WOTlIM0xhcG50YWs0U2lqSXNtN1pWdwotLS0gQ0lTQ2tMbkgxVW9D QjRDNWlIb0VsQmhsUVFpQkQ4M1ZPL25kbWdyUm9VakYwR0UKBHyggpWP1+Q4dzNQ
ZHlRdjRkTmd0STBRR25UQTgrSXNrTnAzTjRrZUdFRQqsIz6SbS8zaf/NjwqqxgKg ECj83/w+OEw5S++7DsW+6ZCMc3of0+WJs6H6IVyTKl9QYaMjGDlvi3bM9cwsk1LW
W++hUEr40EzqYp5ubyIhSpUCuf52kBWRiDtS1aABEZbMDWNKcqYxxK7L7Bz/sDQN YRWoXS+TVx715ZV3Su5WAR2hjctX7QiogbiYqmjZ2B7t4WP7lJ2pLa5puq0uXN4r
SjR/H6HZmcxTuJWVL32c16d9rPAGcKzxfPWF7nrB5vx6KMVp/iZvuQOqtRgQuF8s Ek0wInGrCIMGhFIOxytBBJYEoNhn6KUIKzn85501ZAPHPcZSySz3DMsrlDKnvrpE
1fUHnUrLkSwQNwpqNzuHuU0kXEbrb7unPVv8ES/iKec+QR353KIM1xe62AYMRSfM /GymcBJyKk8X4B39hMjwuhW1xxJkQ43r6pSjpBu/QGbgqdxQ29VoabAKl2xo1kIg
baHlLNx1NHs2e3KiHNH8rXH58nRm+26xXpNyIksUyYGhAMNV4/0+dx/saUlmUtDg uky8M9neBg66hemZziUaMvGgCspXITln3zCuvOmZVF9Q/Ry1RIhW42SgaqnIqcC0
nm3iph8EUqCpjVuwhgRdylABgZglruSuAKYyVQceQkyd2XOePXsfn05hF9V1IyrX LIW52N3BnRv1p7vtrtPY8Khuion99ppJIIChHtbnv9rugoUB+FJsdYx9E+kYHF6R
6I2OT49WFizz67Y4tPaOe/oYOVIqLDOz7V/StJEn99LwHIZnQ4khm7+nmhQUtICH acoJgMFT2eDae4/v8CpEfG/e0y0zPvTry1crAyaHMWpqQI7qIhfNqJ+v1aMbce1f
KrOIAZmikWmou4KY2dnqGv0gWR1Gg4GYNDOXEUt9twbdUAUwU8qDzgX5MtIc+DMK i6DPAxU6+Hsb8dUhkOvsEOGxbbPLDu1/IlpviCqNARpwZ0tEQ0NELCnvXErLXPLB
JnfKQ1zNM1KJ6arg3v1ECttmfpc5nJzr1voF4oEkK2wTsKpKBlG1h8tVKkF1byIP vgPX0sw0qUeCPBztrdqWznWqlPr9TDAR2y+OysPS8wBALYY=
PPkCLKTJKJgmF80/HOLB6a9vKEMpssGRsAPY1Vq08g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----

8
secrets/secrets.nix
View file

@ -4,15 +4,13 @@
# System key: `cat /etc/ssh/ssh_host_ed25519_key.pub` # System key: `cat /etc/ssh/ssh_host_ed25519_key.pub`
# #
# from authority # from authority
# `nix run github:yaxitech/ragenix/ -- -i ~/.ssh/ragenix_authority --rules /etc/nixos/secrets/secrets.nix` <-r(eykey)|-e(edit) <File>> # `nix run github:yaxitech/ragenix -- -i ~/.ssh/ragenix_authority --rules ~/.config/nixos-config/secrets/secrets.nix` <-r(eykey)|-e(edit) <File>>
let let
publicKeys = [ publicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key"
# gpdPocket3 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzAQ2Dzl8EvQtYLjEZS5K0bQeNop8QRkwrfxMkBagW2 root@gpdPocket3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhgYzACsd0GPuF8bl9SFB5y9KDwv+pU9UihoInzhRok josh@gpdPocket3" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIr/aS0qyn5hCLR6wH1P2GhH3hGOqniewMkIseGZ23HB josh@gpdPocket3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnV4aVyKStFH1KySfnuqBq+DLvyvJhRfKtMs7PCKlIq root@nixos"
# joe
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4PwrrOuZJWRjlc2dKBUKKE4ybqifJeVOn7x9J5IxIS josh@joe" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4PwrrOuZJWRjlc2dKBUKKE4ybqifJeVOn7x9J5IxIS josh@joe"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+GYfPPKxR/18RdD736G7IQhImX/CYU3A+Gifud3CHg root@joe" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+GYfPPKxR/18RdD736G7IQhImX/CYU3A+Gifud3CHg root@joe"
]; ];

33
users/_common/nix_modules/ssh-key.nix
View file

@ -1,21 +1,4 @@
{ settings, pkgs, ... }: { settings, pkgs, ... }:
let
sshScript = pkgs.writeScript "ssh-key-generation" ''
#!${pkgs.stdenv.shell}
if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then
if [ -v DRY_RUN ]; then
echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
else
echo "Generating SSH key for ${settings.user.username}."
mkdir -p /home/${settings.user.username}/.ssh
chmod 700 /home/${settings.user.username}/.ssh
/run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519-N ""
fi
else
echo "SSH key already exists for ${settings.user.username}."
fi
'';
in
{ {
# Ensure SSH key pair generation for non-root users # Ensure SSH key pair generation for non-root users
systemd.services.generate_ssh_key = { systemd.services.generate_ssh_key = {
@ -24,7 +7,21 @@ in
serviceConfig = { serviceConfig = {
User = "${settings.user.username}"; User = "${settings.user.username}";
Type = "oneshot"; Type = "oneshot";
ExecStart = sshScript;
}; };
script = ''
#!/run/current-system/sw/bin/bash
if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519bbb ]; then
if [ -v DRY_RUN ]; then
echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
else
echo "Generating SSH key for ${settings.user.username}."
mkdir -p /home/${settings.user.username}/.ssh
chmod 700 /home/${settings.user.username}/.ssh
/run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519bbb -N ""
fi
else
echo "SSH key already exists for ${settings.user.username}."
fi
'';
}; };
} }