diff --git a/readme.md b/readme.md
index 601c388..740c52c 100644
--- a/readme.md
+++ b/readme.md
@@ -17,6 +17,13 @@ export USERNAME=desired_username_for_admin_on_this_machine (josh)
 - uncomment systemPackages and add: `git` `curl`
 - add `nix.settings.experimental-features = [ "nix-command" "flakes" ];`
 - add `users.users.USERNAME = { ... todo, just enough to get to git clone the real nixos config into its home .config folder }
+```
+users.users.josh = {
+ initialPassword = "password1";
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" "video" "input" ];
+};
+```
 - TODO add whatever is needed for default pubkeys for onboarding later
 - Install nixos: `cd /mnt` `sudo nixos-install`
 - `passwd` to change root password (if not already prompted to do so)
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f1d81ab..fa3a51f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,6 +18,7 @@ let
 ];
 in
 {
+ # TODO come up with a rotate method/encrypt the device keys bette. This isn't very secure feeling to me the way I am doing this now. If anyone gains access to any one of my devices, then my secrets are no longer secret. This is not a good model.
 "nix2github.age" = { inherit publicKeys; };
 "nix2bitbucket.age" = { inherit publicKeys; };
 }
diff --git a/users/_common/home.nix b/users/_common/home_manager/_home_manager.nix
similarity index 72%
rename from users/_common/home.nix
rename to users/_common/home_manager/_home_manager.nix
index b7cd79a..2377d0a 100644
--- a/users/_common/home.nix
+++ b/users/_common/home_manager/_home_manager.nix
@@ -4,9 +4,4 @@
 home.username = settings.user.username;
 home.homeDirectory = "/home/${settings.user.username}";
-
- imports = ylib.umport {
- paths = [ ./programs ];
- recursive = true;
- };
 }
diff --git a/users/_common/programs/direnv.nix b/users/_common/home_manager/direnv.nix
similarity index 100%
rename from users/_common/programs/direnv.nix
rename to users/_common/home_manager/direnv.nix
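Review bot: The new TODO names the risk but the structure that creates it sits directly below it: `"nix2github.age"` and `"nix2bitbucket.age"` both `inherit publicKeys;`, so every device key in that shared list (defined in the `let` above the hunk, mostly outside it) can decrypt both secrets. Scoping each secret's recipient list to the hosts that actually need that particular key is the cheapest way to shrink the blast radius the comment describes, e.g. `"nix2github.age" = { publicKeys = [ /* only the hosts that push to GitHub */ ]; };`, and if this is agenix the `.age` files still need re-keying (`agenix -r`) after a device is lost. The comment also has a typo, `bette` → `better`.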
diff --git a/users/_common/programs/git.nix b/users/_common/home_manager/git.nix
similarity index 100%
rename from users/_common/programs/git.nix
rename to users/_common/home_manager/git.nix
diff --git a/users/_common/home_manager/ssh.nix b/users/_common/home_manager/ssh.nix
new file mode 100644
index 0000000..bb28163
--- /dev/null
+++ b/users/_common/home_manager/ssh.nix
@@ -0,0 +1,15 @@
+{ age, ... }:
+{
+ programs.ssh = {
+ enable = true;
+ matchBlocks = {
+ "github.com" = {
+ identityFile = age.secrets.nix2github.path;
+ };
+ "bitbucket.org" = {
+ identityFile = age.secrets.nix2bitbucket.path;
+ };
+ };
+ };
+}
+
diff --git a/users/_common/nix_modules/ssh-key.nix b/users/_common/nix_modules/ssh-key.nix
new file mode 100644
index 0000000..1ee5790
--- /dev/null
+++ b/users/_common/nix_modules/ssh-key.nix
@@ -0,0 +1,30 @@
+{ settings, pkgs, ... }:
+let
+ sshScript = pkgs.writeScript "ssh-key-generation" ''
+ #!${pkgs.stdenv.shell}
+ if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then
+ if [ -v DRY_RUN ]; then
+ echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
+ else
+ echo "Generating SSH key for ${settings.user.username}."
+ mkdir -p /home/${settings.user.username}/.ssh
+ chmod 700 /home/${settings.user.username}/.ssh
+ /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519-N ""
+ fi
+ else
+ echo "SSH key already exists for ${settings.user.username}."
+ fi
+ '';
+in
+{
+ # Ensure SSH key pair generation for non-root users
+ systemd.services.generate_ssh_key = {
+ description = "Generate SSH key pair for ${settings.user.username}";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "${settings.user.username}";
+ Type = "oneshot";
+ ExecStart = sshScript;
+ };
+ };
+}
diff --git a/users/_common/programs/ssh.nix b/users/_common/programs/ssh.nix
deleted file mode 100644
index 495de48..0000000
--- a/users/_common/programs/ssh.nix
+++ /dev/null
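Review bot: Both match blocks set `identityFile` without `identitiesOnly`, so ssh still offers every key held by the agent to github.com and bitbucket.org before the age-provided one is tried; if the per-device `id_ed25519` that ssh-key.nix generates is loaded into the agent, it gets presented to services it was never meant for. Adding `identitiesOnly = true;` beside each `identityFile = ...;` line (home-manager exposes the option under that name) pins each host to its intended key and also avoids tripping the server's authentication-attempt limit. The trailing empty `+` line after the closing `}` is harmless but unnecessary.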
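Review bot: The script in `sshScript` cannot generate the key as written: the test `if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then` is missing the space before `]`, so `[` reports a syntax error and the unit always takes the `SSH key already exists` branch, and the `ssh-keygen` line is missing the space between the `-f` path and `-N`, so even if reached it would name the key `id_ed25519-N` and, with no `-N` given, prompt for a passphrase (or reject the stray `""`) in a unit that has no stdin. The deleted activation hook in users/_common/programs/ssh.nix had both correct; the repaired lines are `if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519 ]; then` and `${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519 -N ""`, the second also restoring the explicit `pkgs.openssh` reference instead of relying on `/run/current-system/sw/bin` containing ssh-keygen. Because this is now a system oneshot rather than a home-manager activation, a comment on `wantedBy` stating that it assumes `/home/<user>` already exists at `multi-user.target` would help the next reader, since `mkdir -p` running as the unprivileged `User` typically cannot create the home directory itself.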
@@ -1,31 +0,0 @@
-{ lib, settings, age, pkgs, ... } @ args:
-{
- # We always want a standard ssh key-pair used for secret management, create it if not there.
- home.activation.generateSshKey = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
- if [ ! -f $HOME/.ssh/id_ed25519 ]; then
- if [ -v DRY_RUN ]; then
- echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
- else
- echo "Generating SSH key for ${settings.user.username}."
- mkdir -p $HOME/.ssh
- chmod 700 $HOME/.ssh
- ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $HOME/.ssh/id_ed25519 -N ""
- fi
- else
- echo "SSH key already exists for ${settings.user.username}."
- fi
- '';
-
- programs.ssh = {
- enable = true;
- matchBlocks = {
- "github.com" = {
- identityFile = age.secrets.nix2github.path;
- };
- "bitbucket.org" = {
- identityFile = age.secrets.nix2bitbucket.path;
- };
- };
- };
-}
-
diff --git a/users/_common/readme.md b/users/_common/readme.md
new file mode 100644
index 0000000..e69de29
diff --git a/users/josh/by_hosts/gpdPocket3/nix_modules/sudo_no_passwd.nix b/users/josh/by_hosts/gpdPocket3/disabled_nix_modules/sudo_no_passwd.nix
similarity index 100%
rename from users/josh/by_hosts/gpdPocket3/nix_modules/sudo_no_passwd.nix
rename to users/josh/by_hosts/gpdPocket3/disabled_nix_modules/sudo_no_passwd.nix
diff --git a/users/josh/configuration.nix b/users/josh/configuration.nix
index 390db88..632c954 100644
--- a/users/josh/configuration.nix
+++ b/users/josh/configuration.nix
@@ -1,33 +1,37 @@
-{ config, lib, ylib, pkgs, settings, ... } @ args:
+{ lib, ylib, settings, ... }:
 {
- users.users.${settings.user.username} = {
- initialPassword = "password1";
- isNormalUser = true;
- extraGroups = [ "wheel" "networkmanager" "video" "input" ];
- shell = pkgs.zsh;
- };
-
- # TODO how to do this from home manager file instead
- environment.pathsToLink = [ "/share/zsh" ];
- programs.zsh = {
- enable = true;
- };
-
- imports = ylib.umport {
- path = lib.fileset.maybeMissing ./by_hosts/${settings.system.hostname}/nix_modules;
- recursive = true;
- };
+ imports =
+ [ ]
+ ## Common nix modules
+ ++ ylib.umport {
+ path = lib.fileset.maybeMissing (settings.usersDir + "/_common/nix_modules");
+ recursive = true;
+ }
+ # Nix modules for this user
+ ++ ylib.umport {
+ path = lib.fileset.maybeMissing ./nix_modules;
+ recursive = true;
+ }
+ # Nix modules by host for this user
+ ++ ylib.umport {
+ path = lib.fileset.maybeMissing ./by_hosts/${settings.system.hostname}/nix_modules;
+ recursive = true;
+ };
 home-manager.users.${settings.user.username} = {
 imports =
- # Common settings all users share
- [ (settings.usersDir + "/_common/home.nix") ]
- # Programs
+ [ ]
+ # Common home manager
 ++ ylib.umport {
- path = ./home_manager;
+ path = lib.fileset.maybeMissing (settings.usersDir + "/_common/home_manager");
 recursive = true;
 }
- # Programs by host
+ # Home manger for this user
+ ++ ylib.umport {
+ path = lib.fileset.maybeMissing ./home_manager;
+ recursive = true;
+ }
+ # Home manager by host for this user
 ++ ylib.umport {
 path = lib.fileset.maybeMissing ./by_hosts/${settings.system.hostname}/home_manager;
 recursive = true;
diff --git a/users/josh/nix_modules/_user.nix b/users/josh/nix_modules/_user.nix
new file mode 100644
index 0000000..522260e
--- /dev/null
+++ b/users/josh/nix_modules/_user.nix
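Review bot: The comment labels on the new `++ ylib.umport` chains are inconsistent: `## Common nix modules` uses a double hash while its siblings `# Nix modules for this user` and `# Nix modules by host for this user` use one, and the home-manager side has a typo in `# Home manger for this user`; suggest `# Common nix modules` and `# Home manager for this user`. Separately, `settings.usersDir + "/_common/nix_modules"` only yields a path (which `lib.fileset.maybeMissing` expects) if `settings.usersDir` is itself a path value rather than a string, which this hunk cannot show; a one-line comment where `usersDir` is defined would make that assumption explicit. The closing of the `home-manager.users.<name>` block lies outside the hunk.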
@@ -0,0 +1,16 @@
+{ pkgs, settings, ... }:
+{
+ users.users.${settings.user.username} = {
+ initialPassword = "password1";
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" "video" "input" ];
+ shell = pkgs.zsh;
+ };
+
+ # TODO how to do this from home manager file instead
+ environment.pathsToLink = [ "/share/zsh" ];
+ programs.zsh = {
+ enable = true;
+ };
+}
+
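Review bot: `initialPassword = "password1"` commits a well-known clear-text password for a `wheel` member into git and, once evaluated, into the world-readable Nix store; NixOS applies it only when the account is first created, and the readme's post-install `passwd` step talks about the root password, so nothing in this repository ensures it is ever changed. Prefer `initialHashedPassword` with a hash produced by `mkpasswd`, or `hashedPasswordFile` pointing at an age secret since the repository already manages secrets that way, and put a comment above the line stating that the operator must change the password on first login. The same clear-text snippet is repeated in the readme hunk.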