
refactor: merge initrd-ssh.nix with ssh.nix, remove ccid override (now upstream)

This commit is contained in:
oddlama 2024-10-29 23:56:03 +01:00
parent ccffba4930
commit 32e9896154
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
19 changed files with 167 additions and 439 deletions


@ -139,16 +139,6 @@ Afterwards:
- Rekey the secrets for the new identity `nix run .#rekey`
- Deploy again
#### Remote encrypted unlock
If a host uses encrypted root together with the `common/initrd-ssh.nix` module,
it can be unlocked remotely by connecting via ssh on port 4 and executing `systemd-tty-ask-password-agent`.
#### Show QR for external wireguard client
nix run show-wireguard-qr
then select the host in the fzf menu
#### New secret
...


@ -23,7 +23,6 @@
./boot.nix
./home-manager.nix
./impermanence.nix
./inputrc.nix
./installer.nix
./issue.nix
./net.nix


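--- a/config/graphical/cosmic.nix
+++ /dev/null
@@ -1,172 +0,0 @@
-{
-lib,
-pkgs,
-config,
-utils,
-...
-}: let
-excludePackages = with pkgs; [fira];
-in {
-environment.pathsToLink = [
-"/share/backgrounds"
-"/share/cosmic"
-];
-environment.systemPackages =
-utils.removePackagesByName (
-with pkgs;
-[
-adwaita-icon-theme
-alsa-utils
-cosmic-applets
-cosmic-applibrary
-cosmic-bg
-(cosmic-comp.override {
-# avoid PATH pollution of system action keybinds (Xwayland handled below)
-useXWayland = false;
-})
-cosmic-edit
-cosmic-files
-cosmic-greeter
-cosmic-icons
-cosmic-launcher
-cosmic-notifications
-cosmic-osd
-cosmic-panel
-cosmic-randr
-cosmic-screenshot
-cosmic-session
-cosmic-settings
-cosmic-settings-daemon
-cosmic-term
-cosmic-wallpapers
-cosmic-workspaces-epoch
-hicolor-icon-theme
-playerctl
-pop-icon-theme
-pop-launcher
-xdg-user-dirs
-xwayland
-]
-++ lib.optionals config.services.flatpak.enable [
-cosmic-store
-]
-)
-excludePackages;
-# xdg portal packages and config
-xdg.portal = {
-enable = true;
-extraPortals = with pkgs; [
-xdg-desktop-portal-cosmic
-xdg-desktop-portal-gtk
-];
-configPackages = lib.mkDefault (
-with pkgs; [
-xdg-desktop-portal-cosmic
-]
-);
-};
-# fonts
-fonts.packages =
-utils.removePackagesByName (with pkgs; [
-fira
-])
-excludePackages;
-# required features
-# hardware.${
-# if lib.versionAtLeast lib.version "24.11"
-# then "graphics"
-# else "opengl"
-# }.enable =
-# true;
-# services.libinput.enable = true;
-# xdg.mime.enable = true;
-# xdg.icons.enable = true;
-# optional features
-# hardware.bluetooth.enable = lib.mkDefault true;
-services.acpid.enable = lib.mkDefault true;
-# services.pipewire = {
-# enable = lib.mkDefault true;
-# alsa.enable = lib.mkDefault true;
-# pulse.enable = lib.mkDefault true;
-# };
-services.gvfs.enable = lib.mkDefault true;
-# networking.networkmanager.enable = lib.mkDefault true;
-services.gnome.gnome-keyring.enable = lib.mkDefault true;
-# general graphical session features
-# programs.dconf.enable = lib.mkDefault true;
-#
-# required dbus services
-services.accounts-daemon.enable = true;
-services.upower.enable = true;
-services.power-profiles-daemon.enable = lib.mkDefault (!config.hardware.system76.power-daemon.enable);
-security.polkit.enable = true;
-security.rtkit.enable = true;
-# session packages
-services.displayManager.sessionPackages = with pkgs; [cosmic-session];
-systemd.packages = with pkgs; [cosmic-session];
-# TODO: remove when upstream has XDG autostart support
-systemd.user.targets.cosmic-session = {
-wants = ["xdg-desktop-autostart.target"];
-before = ["xdg-desktop-autostart.target"];
-};
-# required for screen locker
-security.pam.services.cosmic-greeter = {};
-nix.settings.substituters = [
-"https://cosmic.cachix.org/"
-];
-nix.settings.trusted-public-keys = [
-"cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
-];
-# module diagnostics
-warnings =
-lib.optional
-(
-lib.elem pkgs.cosmic-files excludePackages
-&& !(lib.elem pkgs.cosmic-session excludePackages)
-)
-''
-The COSMIC session may fail to initialise with the `cosmic-files` package excluded via
-`excludePackages`.
-Please do one of the following:
-1. Remove `cosmic-files` from `excludePackages`.
-2. Add `cosmic-session` (in addition to `cosmic-files`) to
-`excludePackages` and ensure whatever session starter/manager you are
-using is appropriately set up.
-'';
-assertions = [
-{
-assertion = lib.elem "libcosmic-app-hook" (
-lib.map (
-drv: lib.optionalString (lib.isDerivation drv) (lib.getName drv)
-)
-pkgs.cosmic-comp.nativeBuildInputs
-);
-message = ''
-It looks like the provided `pkgs` to the NixOS COSMIC module is not usable for a working COSMIC
-desktop environment.
-If you are erroneously passing in `pkgs` to `specialArgs` somewhere in your system configuration,
-this is is often unnecessary and has unintended consequences for all NixOS modules. Please either
-remove that in favor of configuring the NixOS `pkgs` instance via `nixpkgs.config` and
-`nixpkgs.overlays`.
-If you must instantiate your own `pkgs`, then please include the overlay from the NixOS COSMIC flake
-when instantiating `pkgs` and be aware that the `nixpkgs.config` and `nixpkgs.overlays` options will
-not function for any NixOS modules.
-Note that the COSMIC packages in Nixpkgs are still largely broken as of 2024-10-16 and will not be
-usable for having a fully functional COSMIC desktop environment. The overlay is therefore necessary.
-'';
-}
-];
-}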


@ -4,7 +4,6 @@
lib,
minimal,
pkgs,
globals,
...
}: let
inherit
@ -30,7 +29,6 @@ in
./fonts.nix
./steam.nix
./xserver.nix
# ./cosmic.nix
];
config = {
@ -67,13 +65,13 @@ in
waylandCompositors.sway = {
prettyName = "Sway";
comment = "Sway";
binPath = lib.getExe config.home-manager.users.${globals.myuser.name}.wayland.windowManager.sway.package;
binPath = lib.getExe pkgs.sway;
};
waylandCompositors.hyprland = {
prettyName = "Hyprland";
comment = "Hyprland";
binPath = lib.getExe config.home-manager.users.${globals.myuser.name}.wayland.windowManager.hyprland.package;
binPath = lib.getExe pkgs.hyprland;
};
};
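Review bot: The two `binPath` entries now resolve `lib.getExe pkgs.sway` and `lib.getExe pkgs.hyprland` instead of the package home-manager configures for the user, so if the home-manager side ever sets a wrapped or differently-versioned `wayland.windowManager.*.package`, the session the display manager launches would silently diverge from the one the user configured. Dropping the `globals` dependency may well be the point of the change, but nothing in the hunk says so. A one-line comment on the first `binPath` would save the next reader the question, e.g. `# deliberately the plain nixpkgs package, not the home-manager one; keep the two in sync`. The enclosing `config` attribute set starts and ends outside this hunk.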


@ -1,5 +1,5 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [bluetuith];
environment.systemPackages = with pkgs; [bluetui];
environment.persistence."/persist".directories = [
"/var/lib/bluetooth"
];

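--- /dev/null
+++ b/config/inputrc
@@ -0,0 +1,105 @@
+# /etc/inputrc: initialization file for readline
+#
+# For more information on how this file works, please see the
+# INITIALIZATION FILE section of the readline(3) man page
+#
+# Quick dirty little note:
+# To get the key sequence for binding, you can abuse bash.
+# While running bash, hit CTRL+V, and then type the key sequence.
+# So, typing 'ALT + left arrow' in Konsole gets you back:
+# ^[[1;3D
+# The readline entry to make this skip back a word will then be:
+# "\e[1;3D" backward-word
+#
+# Customization note:
+# You don't need to put all your changes in this file. You can create
+# ~/.inputrc which starts off with the line:
+# $include /etc/inputrc
+# Then put all your own stuff after that.
+# do not bell on tab-completion
+set bell-style none
+set history-size -1
+set meta-flag on
+set input-meta on
+set convert-meta off
+set output-meta on
+# dont output everything on first line
+set horizontal-scroll-mode off
+# append slash to completed directories & symlinked directories
+set mark-directories on
+set mark-symlinked-directories on
+# dont expand ~ in tab completion
+set expand-tilde off
+# instead of ringing bell, show list of ambigious completions directly, also show up to 300 items before asking
+set show-all-if-ambiguous on
+set completion-query-items 300
+$if mode=emacs
+# for linux console and RH/Debian xterm
+# allow the use of the Home/End keys
+"\e[1~": beginning-of-line
+"\e[4~": end-of-line
+# map "page up" and "page down" to search history based on current cmdline
+"\e[5~": history-search-backward
+"\e[6~": history-search-forward
+# allow the use of the Delete/Insert keys
+"\e[3~": delete-char
+"\e[2~": quoted-insert
+# gnome / others (escape + arrow key)
+"\e[5C": forward-word
+"\e[5D": backward-word
+# konsole / xterm / rxvt (escape + arrow key)
+"\e\e[C": forward-word
+"\e\e[D": backward-word
+# gnome / konsole / others (control + arrow key)
+"\e[1;5C": forward-word
+"\e[1;5D": backward-word
+# aterm / eterm (control + arrow key)
+"\eOc": forward-word
+"\eOd": backward-word
+# konsole (alt + arrow key)
+"\e[1;3C": forward-word
+"\e[1;3D": backward-word
+# Chromebooks remap alt + backspace so provide alternative (alt + k)
+"\ek": backward-kill-word
+$if term=rxvt
+"\e[8~": end-of-line
+"\e[3^": kill-line
+"\e[3@": backward-kill-line
+$endif
+# for non RH/Debian xterm, can't hurt for RH/Debian xterm
+"\eOH": beginning-of-line
+"\eOF": end-of-line
+# for freebsd console
+"\e[H": beginning-of-line
+"\e[F": end-of-line
+# fix Home and End for German users
+"\e[7~": beginning-of-line
+"\e[8~": end-of-line
+# ctrl [+ shift] + del = kill line [backward]
+"\e[3;5~": kill-line
+"\e[3;6~": backward-kill-line
+$endif
+# Up and Down should search history based on current cmdline
+"\e[A": history-search-backward
+"\e[B": history-search-forward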


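--- a/config/inputrc.nix
+++ /dev/null
@@ -1,110 +0,0 @@
-{
-environment.etc."inputrc".text = ''
-# /etc/inputrc: initialization file for readline
-#
-# For more information on how this file works, please see the
-# INITIALIZATION FILE section of the readline(3) man page
-#
-# Quick dirty little note:
-# To get the key sequence for binding, you can abuse bash.
-# While running bash, hit CTRL+V, and then type the key sequence.
-# So, typing 'ALT + left arrow' in Konsole gets you back:
-# ^[[1;3D
-# The readline entry to make this skip back a word will then be:
-# "\e[1;3D" backward-word
-#
-# Customization note:
-# You don't need to put all your changes in this file. You can create
-# ~/.inputrc which starts off with the line:
-# $include /etc/inputrc
-# Then put all your own stuff after that.
-#
-# do not bell on tab-completion
-set bell-style none
-set history-size -1
-set meta-flag on
-set input-meta on
-set convert-meta off
-set output-meta on
-# dont output everything on first line
-set horizontal-scroll-mode off
-# append slash to completed directories & symlinked directories
-set mark-directories on
-set mark-symlinked-directories on
-# dont expand ~ in tab completion
-set expand-tilde off
-# instead of ringing bell, show list of ambigious completions directly, also show up to 300 items before asking
-set show-all-if-ambiguous on
-set completion-query-items 300
-$if mode=emacs
-# for linux console and RH/Debian xterm
-# allow the use of the Home/End keys
-"\e[1~": beginning-of-line
-"\e[4~": end-of-line
-# map "page up" and "page down" to search history based on current cmdline
-"\e[5~": history-search-backward
-"\e[6~": history-search-forward
-# allow the use of the Delete/Insert keys
-"\e[3~": delete-char
-"\e[2~": quoted-insert
-# gnome / others (escape + arrow key)
-"\e[5C": forward-word
-"\e[5D": backward-word
-# konsole / xterm / rxvt (escape + arrow key)
-"\e\e[C": forward-word
-"\e\e[D": backward-word
-# gnome / konsole / others (control + arrow key)
-"\e[1;5C": forward-word
-"\e[1;5D": backward-word
-# aterm / eterm (control + arrow key)
-"\eOc": forward-word
-"\eOd": backward-word
-# konsole (alt + arrow key)
-"\e[1;3C": forward-word
-"\e[1;3D": backward-word
-# Chromebooks remap alt + backspace so provide alternative (alt + k)
-"\ek": backward-kill-word
-$if term=rxvt
-"\e[8~": end-of-line
-"\e[3^": kill-line
-"\e[3@": backward-kill-line
-$endif
-# for non RH/Debian xterm, can't hurt for RH/Debian xterm
-"\eOH": beginning-of-line
-"\eOF": end-of-line
-# for freebsd console
-"\e[H": beginning-of-line
-"\e[F": end-of-line
-# fix Home and End for German users
-"\e[7~": beginning-of-line
-"\e[8~": end-of-line
-# ctrl [+ shift] + del = kill line [backward]
-"\e[3;5~": kill-line
-"\e[3;6~": backward-kill-line
-$endif
-# Up and Down should search history based on current cmdline
-"\e[A": history-search-backward
-"\e[B": history-search-forward
-'';
-}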


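--- a/config/optional/initrd-ssh.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
-config,
-pkgs,
-...
-}: {
-age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
-boot.initrd.network.enable = true;
-boot.initrd.network.ssh = {
-enable = true;
-port = 4;
-hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
-};
-# Make sure that there is always a valid initrd hostkey available that can be installed into
-# the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
-# whatever is given, since the correct hostkey doesn't even exist yet. We still require
-# a valid hostkey to be available so that the initrd can be generated successfully.
-# The correct initrd host-key will be installed with the next update after the host is booted
-# for the first time, and the secrets were rekeyed for the the new host identity.
-system.activationScripts.agenixEnsureInitrdHostkey = {
-text = ''
-[[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
-|| ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
-'';
-deps = ["agenixInstall" "users"];
-};
-system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
-}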


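--- a/config/ssh.nix
+++ b/config/ssh.nix
@@ -1,21 +1,57 @@
-{lib, ...}: {
-services.openssh = {
-enable = true;
-# In containers, this is true by default, but we don't want that
-# because we rely on ssh key generation for agenix
-startWhenNeeded = lib.mkForce false;
-authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
-sftpServerExecutable = "internal-sftp";
-settings = {
-PasswordAuthentication = false;
-KbdInteractiveAuthentication = false;
-PermitRootLogin = "yes";
-};
-hostKeys = [
-{
-path = "/etc/ssh/ssh_host_ed25519_key";
-type = "ed25519";
-}
-];
-};
+{
+config,
+lib,
+pkgs,
+...
+}: {
+config = lib.mkMerge [
+{
+services.openssh = {
+enable = true;
+# In containers, this is true by default, but we don't want that
+# because we rely on ssh key generation for agenix. So we need
+# the service to start eagerly
+startWhenNeeded = lib.mkForce false;
+authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
+sftpServerExecutable = "internal-sftp";
+settings = {
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+PermitRootLogin = "yes";
+};
+hostKeys = [
+{
+path = "/etc/ssh/ssh_host_ed25519_key";
+type = "ed25519";
+}
+];
+};
+}
+# Enable initrd-ssh unlock for non-virtualized hosts
+(lib.mkIf (config.node.type == "host") {
+age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
+boot.initrd.network.enable = true;
+boot.initrd.network.ssh = {
+enable = true;
+port = 4;
+hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
+};
+# Make sure that there is always a valid initrd hostkey available that can be installed into
+# the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
+# whatever is given, since the correct hostkey doesn't even exist yet. We still require
+# a valid hostkey to be available so that the initrd can be generated successfully.
+# The correct initrd host-key will be installed with the next update after the host is booted
+# for the first time, and the secrets were rekeyed for the the new host identity.
+system.activationScripts.agenixEnsureInitrdHostkey = {
+text = ''
+[[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
+|| ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
+'';
+deps = ["agenixInstall" "users"];
+};
+system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
+})
+];
 }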
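Review bot: Putting the initrd listener under `lib.mkIf (config.node.type == "host")` turns what was a per-host opt-in import into a default for every node of that type, so a future host of type "host" that has no encrypted root (or no network driver in its initrd) would also get an early-boot sshd on port 4 without anyone choosing it; the commit removes the import from exactly the seven hosts that carried it, which suggests this is intended, but ssh.nix itself no longer says so, and a comment on the `mkIf` such as `# Assumes every node.type == "host" has an encrypted root that needs remote unlocking; a host without one still gets an initrd sshd on port 4.` would make the assumption visible. The `ssh-keygen -t ed25519 -N ""` fallback in `agenixEnsureInitrdHostkey` produces a host key that differs from the one installed after rekeying, so the first unlock after that switch will hit a known_hosts mismatch at precisely the moment a spoofed host would also produce one, and since the fallback key is baked into the initrd (which typically sits on an unencrypted /boot), the comment block should tell operators to verify the new port-4 fingerprint out of band rather than reflexively accept it. The README hunk in this commit also appears to drop the "Remote encrypted unlock" paragraph (port 4, `systemd-tty-ask-password-agent`), leaving the procedure undocumented; a comment above `boot.initrd.network.ssh` such as `# Remote unlock: ssh in on port 4 and run systemd-tty-ask-password-agent` would preserve it. `PermitRootLogin = "yes"` is carried over unchanged; `"prohibit-password"` expresses the same intent and stays safe if `PasswordAuthentication` is ever re-enabled.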


@ -11,4 +11,7 @@
# Install the kitty terminfo package for all systems.
environment.systemPackages = [pkgs.kitty.terminfo];
# And a reasonable inputrc please
environment.etc."inputrc".source = ./inputrc;
}


@ -6,7 +6,6 @@
imports = [
../../config
../../config/hardware/hetzner-cloud.nix
../../config/optional/initrd-ssh.nix
../../config/optional/zfs.nix
./acme.nix


@ -20,7 +20,6 @@
../../config/dev
../../config/graphical
../../config/optional/initrd-ssh.nix
../../config/optional/laptop.nix
../../config/optional/sound.nix
../../config/optional/zfs.nix


@ -17,7 +17,6 @@
../../config/dev
../../config/graphical
../../config/optional/initrd-ssh.nix
../../config/optional/laptop.nix
../../config/optional/sound.nix
../../config/optional/zfs.nix


@ -6,7 +6,6 @@
imports = [
../../config
../../config/hardware/hetzner-cloud.nix
../../config/optional/initrd-ssh.nix
../../config/optional/zfs.nix
./acme.nix


@ -14,7 +14,6 @@
../../config
../../config/hardware/intel.nix
../../config/hardware/physical.nix
../../config/optional/initrd-ssh.nix
../../config/optional/zfs.nix
./fs.nix


@ -14,7 +14,6 @@
../../config
../../config/hardware/intel.nix
../../config/hardware/physical.nix
../../config/optional/initrd-ssh.nix
../../config/optional/zfs.nix
./fs.nix


@ -12,7 +12,6 @@ in {
../../config
../../config/hardware/odroid-n2plus.nix
../../config/hardware/physical.nix
../../config/optional/initrd-ssh.nix
../../config/optional/zfs.nix
#./esphome.nix


@ -1,84 +0,0 @@
{
lib,
stdenv,
fetchurl,
flex,
gitUpdater,
libusb1,
meson,
ninja,
pcsclite,
perl,
pkg-config,
zlib,
}:
stdenv.mkDerivation rec {
pname = "ccid";
version = "1.6.1";
src = fetchurl {
url = "https://ccid.apdu.fr/files/${pname}-${version}.tar.xz";
hash = "sha256-LsqPsH6P58DTna6sp7l81zxA7Ztyc4okrT3L38kY4eo=";
};
postPatch = ''
patchShebangs .
substituteInPlace meson.build --replace-fail \
"pcsc_dep.get_variable('usbdropdir')" \
"'$out/pcsc/drivers'"
'';
mesonFlags = [
(lib.mesonBool "serial" true)
];
# error: call to undeclared function 'InterruptRead';
# ISO C99 and later do not support implicit function declarations
env = lib.optionalAttrs stdenv.cc.isClang {
NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
};
nativeBuildInputs = [
flex
perl
pkg-config
meson
ninja
];
buildInputs = [
libusb1
pcsclite
zlib
];
postInstall = ''
install -Dm 0444 -t $out/lib/udev/rules.d ../src/92_pcscd_ccid.rules
substituteInPlace $out/lib/udev/rules.d/92_pcscd_ccid.rules \
--replace-fail "/usr/sbin/pcscd" "${pcsclite}/bin/pcscd"
'';
# The resulting shared object ends up outside of the default paths which are
# usually getting stripped.
stripDebugList = ["pcsc"];
passthru.updateScript = gitUpdater {
url = "https://salsa.debian.org/rousseau/CCID.git";
};
installCheckPhase = ''
[ -f $out/etc/reader.conf.d/libccidtwin ]
[ -f $out/lib/udev/rules.d/92_pcscd_ccid.rules ]
[ -f $out/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist ]
[ -f $out/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so ]
[ -f $out/pcsc/drivers/serial/libccidtwin.so ]
'';
meta = with lib; {
description = "PC/SC driver for USB CCID smart card readers";
homepage = "https://ccid.apdu.fr/";
license = licenses.lgpl21Plus;
maintainers = [maintainers.anthonyroussel];
platforms = platforms.unix;
};
}


@ -8,7 +8,6 @@ _inputs: [
segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {};
zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {};
actual-server = prev.callPackage ./actual-server.nix {};
ccid = prev.callPackage ./ccid.nix {};
neovim-clean = prev.neovim-unwrapped.overrideAttrs (old: {
nativeBuildInputs = (old.nativeBuildInputs or []) ++ [prev.makeWrapper];
postInstall =