user specifics

This commit is contained in:
RingOfStorms (Joshua Bell) 2024-12-29 01:21:06 -06:00
parent 1b1bd60f4b
commit eaa2e08f5d
28 changed files with 946 additions and 51 deletions


@ -36,6 +36,11 @@
# default = "josh";
description = "The primary user of the system.";
};
primaryAuthorizedKeys = mkOption {
type = types.listOf types.str;
default = [ ];
description = "The primary user's authorized keys.";
};
defaultLocal = mkOption {
type = types.str;
default = "en_US.UTF-8";
@ -47,6 +52,12 @@
description = "Open the ssh port.";
};
docker = mkEnableOption (lib.mdDoc "Enable docker");
zsh = mkEnableOption (lib.mdDoc "Enable zsh");
users = mkOption {
type = types.attrsOf types.attrs;
default = { };
description = "Users to configure. Should match nix options of users.userser.<name>.*";
};
};
imports = [
@ -58,7 +69,9 @@
./shell/common.nix
./tty_caps_esc.nix
./docker.nix
./zsh.nix
./fonts.nix
./users.nix
];
config = {
_module.args = {
@ -169,7 +182,7 @@
'';
# Some basics
nixpkgs.config.allowUnfree = settings.allowUnfree;
nixpkgs.config.allowUnfree = cfg.allowUnfree;
nixpkgs.config.allowUnfreePredicate = (pkg: true);
};
};
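Review bot: The corrected `nixpkgs.config.allowUnfree = cfg.allowUnfree;` in the last hunk is undercut by the context line right below it, `nixpkgs.config.allowUnfreePredicate = (pkg: true);`: as far as I recall nixpkgs accepts an unfree package when either the flag or the predicate allows it, so with an always-true predicate every unfree package is admitted and the `allowUnfree` option is a silent no-op. If the option is meant to control this, drop the predicate line or tie it to the option, `nixpkgs.config.allowUnfreePredicate = (pkg: cfg.allowUnfree);`. The description of the new `users` option in the second hunk also has a typo: `users.userser.<name>.*` should read `users.users.<name>.*`. The enclosing `config` attrset begins outside the hunk.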


@ -24,5 +24,33 @@ with lib;
PermitRootLogin = "yes";
};
};
# Ensure SSH key pair generation for non-root users
systemd.services = mapAttrs' (name: _: {
name = "generate_ssh_key_${name}";
value = {
description = "Generate SSH key pair for ${name}";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = name;
Type = "oneshot";
};
script = ''
#!/run/current-system/sw/bin/bash
if [ ! -f /home/${name}/.ssh/id_ed25519 ]; then
if [ -v DRY_RUN ]; then
echo "DRY_RUN is set. Would generate SSH key for ${name}.";
else
echo "Generating SSH key for ${name}.";
mkdir -p /home/${name}/.ssh;
chmod 700 /home/${name}/.ssh;
/run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${name}/.ssh/id_ed25519 -N "";
fi
else
echo "SSH key already exists for ${name}.";
fi
'';
};
}) config.mods.common.users;
};
}
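Review bot: The key-generation script hard-codes the home directory as `/home/${name}` instead of reading the user's configured home, so a user in `config.mods.common.users` with a non-default `home` gets a `.ssh` directory and private key created in the wrong place, and `mkdir -p` will happily create it there. Consider deriving the path from the user definition, e.g. `home = config.users.users.${name}.home;` in the mapAttrs' body and `"${home}/.ssh"` in the script, with the path quoted in the shell. `ssh-keygen ... -N ""` produces an unencrypted private key, which is presumably intended for an unattended oneshot but is worth stating in the comment above the service, e.g. `# Key is generated without a passphrase; it is only as protected as the home directory (mode 700)`. The `DRY_RUN` branch cannot trigger from this unit unless an `Environment=` entry sets it, and the `#!/run/current-system/sw/bin/bash` line sits inside the body NixOS already wraps in its own shell, so both are dead text here.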

17
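--- a/modules/common/users.nix
+++ b/modules/common/users.nix
@@ -0,0 +1,17 @@
+{
+lib,
+config,
+...
+}:
+with lib;
+{
+config = {
+users.users = mapAttrs (
+name: config:
+{
+inherit name;
+}
+// config
+) config.mods.common.users;
+};
+}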
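Review bot: The lambda parameter in `name: config:` shadows the module's `config` argument inside the mapAttrs body; it happens to work because `config.mods.common.users` is evaluated outside the lambda, but any future reference to the NixOS config from inside the body would silently resolve to the per-user attrset instead. Renaming the parameter removes the trap: `name: userCfg: { inherit name; } // userCfg`. A one-line comment such as `# Each entry is passed through to users.users.<name> verbatim; a user-supplied name overrides the inherited one` would also make the `//` ordering explicit.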

15
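--- a/modules/common/zsh.nix
+++ b/modules/common/zsh.nix
@@ -0,0 +1,15 @@
+{
+config,
+lib,
+...
+}:
+with lib;
+let
+cfg = config.mods.common;
+in
+{
+config = mkIf cfg.zsh {
+programs.zsh.enable = true;
+environment.pathsToLink = [ "/share/zsh" ];
+};
+}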


@ -0,0 +1,57 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
home-manager = {
url = "github:rycee/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{
home-manager,
...
}:
{
nixosModules = {
default =
{
config,
pkgs,
lib,
...
}:
with lib;
{
options.mods.home_manager = {
users = mkOption {
type = types.attrsOf types.attrs;
default = { };
description = "Home manager users to configure. Should match nix options of home-manager.users.<name>.*";
};
};
imports = [ home-manager.nixosModules.home-manager ];
config = {
# Home manager options
security.polkit.enable = true;
home-manager.useUserPackages = true;
home-manager.useGlobalPkgs = true;
home-manager.extraSpecialArgs = {
nixConfig = config;
};
home-manager.users = mapAttrs' (name: user: {
inherit name;
value = user // {
# TODO does this need to be per user per machine and updated better?
home.stateVersion = "23.11";
programs.home-manager.enable = true;
home.username = name;
home.homeDirectory = lib.mkForce "/home/${name}";
};
}) config.mods.home_manager.users;
};
};
};
};
}
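Review bot: `value = user // { home.stateVersion = ...; programs.home-manager.enable = true; ... }` is a shallow attrset update, so if user definitions are plain config attrsets (as the `types.attrs` option suggests), any user that sets something under `home` (say `home.packages`) or `programs` (say `programs.git`) has that whole sub-attrset replaced by the literal's `home`/`programs` keys and silently dropped. Let the module system merge the two instead, `value = { imports = [ user ]; home.stateVersion = "23.11"; ... };` with the rest of the literal unchanged, or use `lib.recursiveUpdate user { ... }`; with `imports` the user's own values also merge by priority rather than being overwritten. The `lib.mkForce "/home/${name}"` still hard-codes the home directory regardless of the NixOS user's configured `home`; if non-default homes are ever used it should follow `config.users.users.${name}.home`. The `security.polkit.enable = true` under the "Home manager options" comment is unrelated to home-manager itself and deserves a comment saying why it is enabled here.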

73
modules/nebula/flake.nix Normal file

@ -0,0 +1,73 @@
{
inputs = {
};
outputs =
{
...
}:
{
nixosModules = {
default =
{
config,
pkgs,
lib,
...
}:
with lib;
{
config = {
environment.systemPackages = with pkgs; [
nebula
traceroute # for debugging
];
networking.firewall.allowedUDPPorts = [ 4242 ];
systemd.services."nebula" = {
description = "Nebula VPN service";
wants = [ "basic.target" ];
after = [
"basic.target"
"network.target"
];
before = [ "sshd.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "notify";
Restart = "always";
RestartSec = 1;
ExecStart = "${pkgs.nebula}/bin/nebula -config /etc/nebula/config.yml";
UMask = "0027";
CapabilityBoundingSet = "CAP_NET_ADMIN";
AmbientCapabilities = "CAP_NET_ADMIN";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = false; # needs access to /dev/net/tun (below)
DeviceAllow = "/dev/net/tun rw";
DevicePolicy = "closed";
PrivateTmp = true;
PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictSUIDSGID = true;
};
unitConfig = {
StartLimitIntervalSec = 5;
StartLimitBurst = 3;
};
};
};
};
};
};
}
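Review bot: The hardening set is thorough but leaves out the two directives that would bound the process's kernel surface most, `SystemCallArchitectures = "native";` and `RestrictAddressFamilies`, and the service still runs as uid 0 (no `User`/`DynamicUser`) even though `AmbientCapabilities = "CAP_NET_ADMIN"` plus the `DeviceAllow` line are exactly what would let an unprivileged account drive the tun device. Presumably nebula needs AF_INET/AF_INET6 for its UDP socket, AF_NETLINK to configure the interface and AF_UNIX for `Type = "notify"`, so `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];` is the starting point, to be confirmed against the running service. Separately, `RestartSec = 1` with `StartLimitBurst = 3` inside `StartLimitIntervalSec = 5` means three quick failures leave the unit failed until `reset-failed`, and nothing in this module provisions the `/etc/nebula/config.yml` that `ExecStart` reads, so a fresh host hits exactly that; a longer interval or `RestartSec`, and a comment above `ExecStart` stating that the config and certificates are expected to be placed out of band, would make this clear.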