Compare commits

...

4 commits

11 changed files with 122 additions and 52 deletions

View file

@ -2,7 +2,6 @@ keys:
- &base age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
- &not522 age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
- &pc-installer age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg
- &root age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew
- &darkkirb age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
creation_rules:
@ -31,6 +30,7 @@ creation_rules:
- path_regex: programs/ssh/shared-keys.yaml$
key_groups:
- age:
- *root
- *darkkirb
- *base
- *not522
- *pc-installer

View file

@ -3,5 +3,6 @@
isGraphical = true;
imports = [
./kde
./graphical/plymouth.nix
];
}

View file

@ -0,0 +1,17 @@
{config, ...}: {
boot = {
plymouth.enable = true;
consoleLogLevel = 0;
initrd.verbose = false;
kernelParams = [
"quiet"
"splash"
"boot.shell_on_fail"
"loglevel=3"
"rd.systemd.show_status=false"
"rd.udev.log_level=3"
"udev.log_priority=3"
];
loader.timeout = 0;
};
}

5
config/verbose.nix Normal file
View file

@ -0,0 +1,5 @@
{...}: {
disabledModules = [
./graphical/plymouth.nix
];
}

View file

@ -18,5 +18,11 @@
./graphical.nix
];
};
specialisation.graphical-verbose = {
configuration.imports = [
./graphical.nix
"${nixos-config}/config/verbose.nix"
];
};
isInstaller = true;
}

View file

@ -106,21 +106,27 @@ in {
settings = {
"extensions.autoDisableScopes" = 0;
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"browser.tabs.inTitlebar" = 0;
"widget.use-xdg-desktop-portal.file-picker" = 1;
"widget.use-xdg-desktop-portal.location" = 1;
"widget.use-xdg-desktop-portal.mime-handler" = 1;
"widget.use-xdg-desktop-portal.open-uri" = 1;
"widget.use-xdg-desktop-portal.settings" = 1;
};
userChrome = ''
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
#main-window #titlebar {
overflow: hidden;
transition: height 0.3s 0.3s !important;
#TabsToolbar {
visibility: collapse;
}
#titlebar {
display: none;
}
#sidebar-header {
display: none;
}
/* Default state: Set initial height to enable animation */
#main-window #titlebar { height: 3em !important; }
#main-window[uidensity="touch"] #titlebar { height: 3.35em !important; }
#main-window[uidensity="compact"] #titlebar { height: 2.7em !important; }
/* Hidden state: Hide native tabs strip */
#main-window[titlepreface*=""] #titlebar { height: 0 !important; }
/* Hidden state: Fix z-index of active pinned tabs */
#main-window[titlepreface*=""] #tabbrowser-tabs { z-index: 0 !important; }
'';
};
};

View file

@ -1,39 +1,51 @@
{config, ...}: {
{
config,
systemConfig,
lib,
...
}: let
identityFile =
if config.home.username == "root"
then systemConfig.sops.secrets.".ssh/builder_id_ed25519".path
else config.sops.secrets.".ssh/builder_id_ed25519".path;
in {
programs.ssh = {
enable = true;
matchBlocks = {
"build-nas" = {
hostname = "nas.int.chir.rs";
identitiesOnly = true;
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
inherit identityFile;
port = 22;
user = "remote-build";
};
"build-rainbow-resort" = {
hostname = "rainbow-resort.int.chir.rs";
identitiesOnly = true;
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
inherit identityFile;
port = 22;
user = "remote-build";
};
"build-aarch64" = {
hostname = "instance-20221213-1915.int.chir.rs";
identitiesOnly = true;
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
inherit identityFile;
port = 22;
user = "remote-build";
};
"build-riscv" = {
hostname = "not522.tailbab65.ts.net";
identitiesOnly = true;
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
inherit identityFile;
port = 22;
user = "remote-build";
};
};
};
sops.secrets.".ssh/builder_id_ed25519" = {
sops.secrets = lib.mkIf (config.home.username != "root") {
".ssh/builder_id_ed25519" = {
mode = "600";
sopsFile = ./shared-keys.yaml;
};
};
}

View file

@ -1,6 +1,7 @@
{
lib,
config,
systemConfig,
...
}: {
imports = [
@ -10,12 +11,17 @@
controlMaster = "auto";
controlPersist = "10m";
matchBlocks."*" = lib.hm.dag.entryAfter ["build-nas" "build-rainbow-resort" "build-aarch64" "build-riscv"] {
identityFile = config.sops.secrets.".ssh/id_ed25519_sk".path;
identityFile =
if config.home.username == "root"
then systemConfig.sops.secrets.".ssh/id_ed25519_sk".path
else config.sops.secrets.".ssh/id_ed25519_sk".path;
};
enable = true;
};
sops.secrets.".ssh/id_ed25519_sk" = {
sops.secrets = lib.mkIf (config.home.username != "root") {
".ssh/id_ed25519_sk" = {
mode = "600";
sopsFile = ./shared-keys.yaml;
};
};
}

View file

@ -7,32 +7,41 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OGN5azZvMFZlY0wxZ0xX
b2lGakZzY1FCdnhTZlU0RTB3aUVhUlROYTJJCnlZdDk1K28wTjBVR09rVlRLT3J3
WU1FeDJWRlNjb2lyMGpCVVlJYVhLNGcKLS0tIEt1VVlkY3FsYk1aeUcvaFlDS3Ju
SFVHWnpMdXlQcXdaNUtwOUh3Sjg1YUEKEiO3ohjqoNg5lu/2Yyg07HMuvo+qtsMR
2e0CBnuUT8g2kIsN8IYgY6sMX3yNvpuL0AmjiL+ncF/w38JFBzJmCw==
-----END AGE ENCRYPTED FILE-----
- recipient: age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UkcrcENqckkxcXJHcG0z
b0hzZ0JPWjg4RjREMENmeVRyUmJvNWc2WVhJCkVoM3lhb2VpUXUvNTR2K2pwUVVU
MzRrMm5XWTRSdXppcXdvWmlYWXNrcEEKLS0tIG92c3VOYkVvRG1Bd0Z6U2ZZRG14
dHQvc3JMU0JRUEFNWHVjQkNOYmdYQzAKSWERLI8m2IzLdmGCel7ca12JeOTBm5mg
qmjtjTTRRZc+decLAgpZd0CUza3hZcJjRWyKUXP4yeItCaAmOgJ7VQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeUl2SHFQVDZEUnB6aGtT
dnh4V3JObG5QVTFNWUJZNEVCZ0ZSN0RrZXdrCmZLeHVEMTl5Uk13eVZzZUhYQUpV
ZEFjWGtvQXB4S0lPNTF6dkRuTURCaE0KLS0tIGxTRXBBQ3kvUjUya05YREUrRDVR
dHJLcWF3QTBNNTNMTElPckZsNTVuZlkKv+O1BXdVBAhQA98crwWC8h5EHy8XT7FZ
PB7KEKxI/K5Gk+mBEYmipU1sUIgDOlZxXqC1kDKdmZmhHbKDEC2irQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWVZVRXoyVSsyMlVEU3NF
SHFMMGVVeHdMcUtvQ0ZNdHFzYlI4ZjdNL1hnCnFQK0pzaGovTHV0K1A3cUtEQVRE
N09hZ1BjUEtnbGdaWTJQSXJHMHZQaW8KLS0tIDlZc2RteFgycnhrMFdSR0RjOTBK
SEtJZWVEZ3dsbkUyM09JVnI1WnN6RXcK+odcorNYMvm21CWVDlO48ubj3X3nuhRh
m0giyDyxRRXFye7XptZayT64Vcx6wRXXMm3SOZL2BVwuLibZeIagrg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVHlBeHJTODVBQ1hhYkFF
emFWczVmblR6VW5rbkF6MnUwejA3Wjc3aXpBCmI2Wm1xc2VFeDdXcUZEN0dJOWF0
V3RON2FKY1U4YmhPQldTWWNZaUZ5dEUKLS0tIDJRQVJreE9JV0FLcnRWQzhFRGtK
cFhyUlBMQVg1a2pPdXI3SW5KSmsvNVUK86u53KET36rjOqB7Ecp//vk+fr7sSxyR
luP5xkQKNCECQxsSMuFO3T4qY8Kso93mO9vajv51rXBOK/8mQ2Q/CQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQlVwem1tQ3NqSHViQm1a
bkR2MnVZT1ZLM0Q2V0tiUEg4UC8zTjBIbUFNCkZ4REhYb2hNTFFCSFF0VmZnbSty
SklVZ0JQWXRka0pSajV2TlU1aUJSeVEKLS0tIHFEWHdteW50WVArcmtISEFoNTVa
d3hwK2F1VVNWbUxpZmY3cjNKMHd3L1kKyqHhER26gbDrmn+bDHVlhG3/MP5hL2OF
OuqVrOI1wBFwFN5BCbSnvnG4QOkqFnhh9O+zmGzPfw95nsLVF2wjng==
-----END AGE ENCRYPTED FILE-----
- recipient: age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VzA2VUNoRVFNNUlaTyt1
VEVyRmJxYlBPZ2RwQkFKU2JFbDEyYU8wZjE4Cm54a29ZaGRueFRtaHI4RXFEN1FB
U3RUYjRQM2hDY0RHd0FiZ0VBWmtwTHcKLS0tIG1sejZtWTJReVA0ZmlYVmFNSzIx
MkNpV3pYYlNCQ05QN0NyQXM3Q2Nzb00K9o3t7LNSk8A9MTGUicE1KmyQdWnBOypn
PCyV+1tAfQeDaKCHR0Wvxlfqz3EEb8KzCK1tAohxGeSJywl9PF4unQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-06T08:58:58Z"
mac: ENC[AES256_GCM,data:yzeJcuRDNbPebTJ4wwT4yiOuFMplSOf/XJcdw+g04S3ELj8tWwmQszv/gYJfCTI7kfeREbggyddF/2g4T7dzwCK2dWvGNRvGz96JFvYalWwI8a1ZSDk2DCS1ahKzcXisLG1WtVqVpr7i5ttkWGUjrgcRJrekLCCHGz228JnlUvE=,iv:EQs/TLqF8Hzah5YDZ2GqSrpr8FGkZgHt/Q/4bMlWe8U=,tag:AWsIaUAphZ2g95idHnhNSQ==,type:str]

View file

@ -1,4 +1,9 @@
{config, ...}: {
{
nixos-config,
config,
lib,
...
}: {
users.users.root = {
createHome = true;
openssh.authorizedKeys.keys = [
@ -10,10 +15,14 @@
neededForUsers = true;
sopsFile = ./system.yaml;
};
sops.secrets."users/users/root/age-key" = {
owner = "root";
sopsFile = ./system.yaml;
sops.secrets.".ssh/builder_id_ed25519" = {
mode = "600";
sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml";
};
home-manager.users.root.sops.age.keyFile = config.sops.secrets."users/users/root/age-key".path;
sops.secrets.".ssh/id_ed25519_sk" = {
mode = "600";
sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml";
};
home-manager.users.root.sops.secrets = lib.mkForce {};
environment.impermanence.users = ["root"];
}

View file

@ -2,7 +2,6 @@ users:
users:
root:
hashedPassword: ENC[AES256_GCM,data:ptHTZ/MHRId363TlEWNJpOMQ46dISPSQjvrqsxQzq9hmDU3oC0FO9Mtf08I9wcVa0KpIEQfSZp/AgZ7yburK9EpfBccwudRdzpCBynsRYxhbuirSAm4ANaBLyrYx1jsCXFbeNDA4xsrmfw==,iv:WIG8qv7vAIUN8MMPkPKc9sjG1CQMYk03/C2TYSDs9zY=,tag:9Vm8Grn2AtME0O329N60Bw==,type:str]
age-key: ENC[AES256_GCM,data:A0G/R9o2Qray5kk7lqwu00EOJD0mRQ5cYWRDBzvw0gMTIq+JU16m5QrXLgzK3M/oURxPbBUOC+Wy7ZdiPAHVj5i353bsVLzGi6wIuwQpL2HA0RUwcos/bBnPTcvRriErBIpMYxgkxEVvgb4NpS0523V09AiXgX5DSY/z6pmQ1ERtXl1YRW+lCRqewgUUweC4WE31iG82NDOXkPZM+oaFginQeUy0Ruy4Kya4xQjC/+pzbxRdJwQKGkf/5fLl,iv:1TnvWbolHgQgOMmOBxpqxUlKmD14oCd+Yo/Jn2AHuL8=,tag:ML2ifWFpzHHxJ4F2OQ3+jA==,type:str]
sops:
kms: []
gcp_kms: []
@ -36,8 +35,8 @@ sops:
MGg3ZUxqcnhzbiszb2RNVkkwNUNIbHcK/NdUErDE9xecelLx1i0MjZCKkdev+hdx
ZWwQORih0fGotN9FjFQuBTc4Y0ApRy8Su52xCp1UOqM0FhnaHjwEQQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-06T08:34:07Z"
mac: ENC[AES256_GCM,data:U3+GUzxyPL7infWqht48rQ7Oe7E7Fu3WU883VZjJSKLM46ilDf0mWhpIWX7JDwhFzii/fSyF3+FsJvBDD4bcnK8L0UiS7C9z6yH9RGtOXI6is6jitfgm4qOuPP+aZa99hEDUf/ZO5uEzE/Psayf4aVAxEyL3L+SgVdiWf2MIFmk=,iv:XQavrryRBHnSf/xPMGY/lk/ep1qdRdgDtzUVwde4vXE=,tag:yWScrP9lTH1SiHpUiQuAXw==,type:str]
lastmodified: "2024-11-07T07:35:18Z"
mac: ENC[AES256_GCM,data:fGS1pQBHJ6vausZUbARxt7J/69tcFk1kkzrHLox12J+QQfgZYAm8xoue343Jw2NH+OgeYyOfAz8nKfKmZiibQIGPbV/JPkFvI7KQL7sEy7PLYLFU0cWF5DXwG4Y4z71rfgnNcX7emc2iQWwEcXMU6wM84ltkqf5zPPelvphXz+I=,iv:mVOFo1PtYVqMTvHmrmTO+eOqZ3N57kuc0KP5/XAN1b0=,tag:OJBY9qGxkVVNqJlDmDOJGQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1