refactor: merge initrd-ssh.nix with ssh.nix, remove ccid override (now upstream)

2025-10-10 23:00:39 +02:00 · 2024-10-29 23:56:03 +01:00 · 2024-10-29 23:56:03 +01:00 · 32e9896154
commit 32e9896154
parent ccffba4930
19 changed files with 167 additions and 439 deletions
--- a/README.md
+++ b/README.md
@ -139,16 +139,6 @@ Afterwards:
 - Rekey the secrets for the new identity `nix run .#rekey`
 - Deploy again
 #### Remote encrypted unlock
 If a host uses encrypted root together with the `common/initrd-ssh.nix` module,
 it can be unlocked remotely by connecting via ssh on port 4 and executing `systemd-tty-ask-password-agent`.
 #### Show QR for external wireguard client
 nix run show-wireguard-qr
 then select the host in the fzf menu
 #### New secret
 ...
--- a/config/default.nix
+++ b/config/default.nix
@ -23,7 +23,6 @@
    ./boot.nix
    ./home-manager.nix
    ./impermanence.nix
    ./inputrc.nix
    ./installer.nix
    ./issue.nix
    ./net.nix
--- a/config/graphical/cosmic.nix
+++ b/config/graphical/cosmic.nix
@ -1,172 +0,0 @@
 {
  lib,
  pkgs,
  config,
  utils,
  ...
 }: let
  excludePackages = with pkgs; [fira];
 in {
  environment.pathsToLink = [
    "/share/backgrounds"
    "/share/cosmic"
  ];
  environment.systemPackages =
    utils.removePackagesByName (
      with pkgs;
        [
          adwaita-icon-theme
          alsa-utils
          cosmic-applets
          cosmic-applibrary
          cosmic-bg
          (cosmic-comp.override {
            # avoid PATH pollution of system action keybinds (Xwayland handled below)
            useXWayland = false;
          })
          cosmic-edit
          cosmic-files
          cosmic-greeter
          cosmic-icons
          cosmic-launcher
          cosmic-notifications
          cosmic-osd
          cosmic-panel
          cosmic-randr
          cosmic-screenshot
          cosmic-session
          cosmic-settings
          cosmic-settings-daemon
          cosmic-term
          cosmic-wallpapers
          cosmic-workspaces-epoch
          hicolor-icon-theme
          playerctl
          pop-icon-theme
          pop-launcher
          xdg-user-dirs
          xwayland
        ]
        ++ lib.optionals config.services.flatpak.enable [
          cosmic-store
        ]
    )
    excludePackages;
  # xdg portal packages and config
  xdg.portal = {
    enable = true;
    extraPortals = with pkgs; [
      xdg-desktop-portal-cosmic
      xdg-desktop-portal-gtk
    ];
    configPackages = lib.mkDefault (
      with pkgs; [
        xdg-desktop-portal-cosmic
      ]
    );
  };
  # fonts
  fonts.packages =
    utils.removePackagesByName (with pkgs; [
      fira
    ])
    excludePackages;
  # required features
  # hardware.${
  #   if lib.versionAtLeast lib.version "24.11"
  #   then "graphics"
  #   else "opengl"
  # }.enable =
  #   true;
  # services.libinput.enable = true;
  # xdg.mime.enable = true;
  # xdg.icons.enable = true;
  # optional features
  # hardware.bluetooth.enable = lib.mkDefault true;
  services.acpid.enable = lib.mkDefault true;
  # services.pipewire = {
  #   enable = lib.mkDefault true;
  #   alsa.enable = lib.mkDefault true;
  #   pulse.enable = lib.mkDefault true;
  # };
  services.gvfs.enable = lib.mkDefault true;
  # networking.networkmanager.enable = lib.mkDefault true;
  services.gnome.gnome-keyring.enable = lib.mkDefault true;
  # general graphical session features
  # programs.dconf.enable = lib.mkDefault true;
  #
  # required dbus services
  services.accounts-daemon.enable = true;
  services.upower.enable = true;
  services.power-profiles-daemon.enable = lib.mkDefault (!config.hardware.system76.power-daemon.enable);
  security.polkit.enable = true;
  security.rtkit.enable = true;
  # session packages
  services.displayManager.sessionPackages = with pkgs; [cosmic-session];
  systemd.packages = with pkgs; [cosmic-session];
  # TODO: remove when upstream has XDG autostart support
  systemd.user.targets.cosmic-session = {
    wants = ["xdg-desktop-autostart.target"];
    before = ["xdg-desktop-autostart.target"];
  };
  # required for screen locker
  security.pam.services.cosmic-greeter = {};
  nix.settings.substituters = [
    "https://cosmic.cachix.org/"
  ];
  nix.settings.trusted-public-keys = [
    "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
  ];
  # module diagnostics
  warnings =
    lib.optional
    (
      lib.elem pkgs.cosmic-files excludePackages
      && !(lib.elem pkgs.cosmic-session excludePackages)
    )
    ''
      The COSMIC session may fail to initialise with the `cosmic-files` package excluded via
      `excludePackages`.
      Please do one of the following:
        1. Remove `cosmic-files` from `excludePackages`.
        2. Add `cosmic-session` (in addition to `cosmic-files`) to
           `excludePackages` and ensure whatever session starter/manager you are
           using is appropriately set up.
    '';
  assertions = [
    {
      assertion = lib.elem "libcosmic-app-hook" (
        lib.map (
          drv: lib.optionalString (lib.isDerivation drv) (lib.getName drv)
        )
        pkgs.cosmic-comp.nativeBuildInputs
      );
      message = ''
        It looks like the provided `pkgs` to the NixOS COSMIC module is not usable for a working COSMIC
        desktop environment.
        If you are erroneously passing in `pkgs` to `specialArgs` somewhere in your system configuration,
        this is is often unnecessary and has unintended consequences for all NixOS modules. Please either
        remove that in favor of configuring the NixOS `pkgs` instance via `nixpkgs.config` and
        `nixpkgs.overlays`.
        If you must instantiate your own `pkgs`, then please include the overlay from the NixOS COSMIC flake
        when instantiating `pkgs` and be aware that the `nixpkgs.config` and `nixpkgs.overlays` options will
        not function for any NixOS modules.
        Note that the COSMIC packages in Nixpkgs are still largely broken as of 2024-10-16 and will not be
        usable for having a fully functional COSMIC desktop environment. The overlay is therefore necessary.
      '';
    }
  ];
 }
--- a/config/graphical/default.nix
+++ b/config/graphical/default.nix
@ -4,7 +4,6 @@
  lib,
  minimal,
  pkgs,
  globals,
  ...
 }: let
  inherit
@ -30,7 +29,6 @@ in
      ./fonts.nix
      ./steam.nix
      ./xserver.nix
      # ./cosmic.nix
    ];
    config = {
@ -67,13 +65,13 @@ in
        waylandCompositors.sway = {
          prettyName = "Sway";
          comment = "Sway";
-          binPath = lib.getExe config.home-manager.users.${globals.myuser.name}.wayland.windowManager.sway.package;
+          binPath = lib.getExe pkgs.sway;
        };
        waylandCompositors.hyprland = {
          prettyName = "Hyprland";
          comment = "Hyprland";
-          binPath = lib.getExe config.home-manager.users.${globals.myuser.name}.wayland.windowManager.hyprland.package;
+          binPath = lib.getExe pkgs.hyprland;
        };
      };
--- a/config/hardware/bluetooth.nix
+++ b/config/hardware/bluetooth.nix
@ -1,5 +1,5 @@
 {pkgs, ...}: {
-  environment.systemPackages = with pkgs; [bluetuith];
+  environment.systemPackages = with pkgs; [bluetui];
  environment.persistence."/persist".directories = [
    "/var/lib/bluetooth"
  ];
--- a/config/inputrc
+++ b/config/inputrc
@ -0,0 +1,105 @@
 # /etc/inputrc: initialization file for readline
 #
 # For more information on how this file works, please see the
 # INITIALIZATION FILE section of the readline(3) man page
 #
 # Quick dirty little note:
 #  To get the key sequence for binding, you can abuse bash.
 #  While running bash, hit CTRL+V, and then type the key sequence.
 #  So, typing 'ALT + left arrow' in Konsole gets you back:
 #    ^[[1;3D
 #  The readline entry to make this skip back a word will then be:
 #    "\e[1;3D" backward-word
 #
 # Customization note:
 #  You don't need to put all your changes in this file.  You can create
 #  ~/.inputrc which starts off with the line:
 #    $include /etc/inputrc
 #  Then put all your own stuff after that.
 # do not bell on tab-completion
 set bell-style none
 set history-size -1
 set meta-flag on
 set input-meta on
 set convert-meta off
 set output-meta on
 # dont output everything on first line
 set horizontal-scroll-mode off
 # append slash to completed directories & symlinked directories
 set mark-directories on
 set mark-symlinked-directories on
 # dont expand ~ in tab completion
 set expand-tilde off
 # instead of ringing bell, show list of ambigious completions directly, also show up to 300 items before asking
 set show-all-if-ambiguous on
 set completion-query-items 300
 $if mode=emacs
 # for linux console and RH/Debian xterm
 # allow the use of the Home/End keys
 "\e[1~": beginning-of-line
 "\e[4~": end-of-line
 # map "page up" and "page down" to search history based on current cmdline
 "\e[5~": history-search-backward
 "\e[6~": history-search-forward
 # allow the use of the Delete/Insert keys
 "\e[3~": delete-char
 "\e[2~": quoted-insert
 # gnome / others (escape + arrow key)
 "\e[5C": forward-word
 "\e[5D": backward-word
 # konsole / xterm / rxvt (escape + arrow key)
 "\e\e[C": forward-word
 "\e\e[D": backward-word
 # gnome / konsole / others (control + arrow key)
 "\e[1;5C": forward-word
 "\e[1;5D": backward-word
 # aterm / eterm (control + arrow key)
 "\eOc": forward-word
 "\eOd": backward-word
 # konsole (alt + arrow key)
 "\e[1;3C": forward-word
 "\e[1;3D": backward-word
 # Chromebooks remap alt + backspace so provide alternative (alt + k)
 "\ek": backward-kill-word
 $if term=rxvt
 "\e[8~": end-of-line
 "\e[3^": kill-line
 "\e[3@": backward-kill-line
 $endif
 # for non RH/Debian xterm, can't hurt for RH/Debian xterm
 "\eOH": beginning-of-line
 "\eOF": end-of-line
 # for freebsd console
 "\e[H": beginning-of-line
 "\e[F": end-of-line
 # fix Home and End for German users
 "\e[7~": beginning-of-line
 "\e[8~": end-of-line
 # ctrl [+ shift] + del = kill line [backward]
 "\e[3;5~": kill-line
 "\e[3;6~": backward-kill-line
 $endif
 # Up and Down should search history based on current cmdline
 "\e[A": history-search-backward
 "\e[B": history-search-forward
--- a/config/inputrc.nix
+++ b/config/inputrc.nix
@ -1,110 +0,0 @@
 {
  environment.etc."inputrc".text = ''
    # /etc/inputrc: initialization file for readline
    #
    # For more information on how this file works, please see the
    # INITIALIZATION FILE section of the readline(3) man page
    #
    # Quick dirty little note:
    #  To get the key sequence for binding, you can abuse bash.
    #  While running bash, hit CTRL+V, and then type the key sequence.
    #  So, typing 'ALT + left arrow' in Konsole gets you back:
    #    ^[[1;3D
    #  The readline entry to make this skip back a word will then be:
    #    "\e[1;3D" backward-word
    #
    # Customization note:
    #  You don't need to put all your changes in this file.  You can create
    #  ~/.inputrc which starts off with the line:
    #    $include /etc/inputrc
    #  Then put all your own stuff after that.
    #
    # do not bell on tab-completion
    set bell-style none
    set history-size -1
    set meta-flag on
    set input-meta on
    set convert-meta off
    set output-meta on
    # dont output everything on first line
    set horizontal-scroll-mode off
    # append slash to completed directories & symlinked directories
    set mark-directories on
    set mark-symlinked-directories on
    # dont expand ~ in tab completion
    set expand-tilde off
    # instead of ringing bell, show list of ambigious completions directly, also show up to 300 items before asking
    set show-all-if-ambiguous on
    set completion-query-items 300
    $if mode=emacs
    # for linux console and RH/Debian xterm
    # allow the use of the Home/End keys
    "\e[1~": beginning-of-line
    "\e[4~": end-of-line
    # map "page up" and "page down" to search history based on current cmdline
    "\e[5~": history-search-backward
    "\e[6~": history-search-forward
    # allow the use of the Delete/Insert keys
    "\e[3~": delete-char
    "\e[2~": quoted-insert
    # gnome / others (escape + arrow key)
    "\e[5C": forward-word
    "\e[5D": backward-word
    # konsole / xterm / rxvt (escape + arrow key)
    "\e\e[C": forward-word
    "\e\e[D": backward-word
    # gnome / konsole / others (control + arrow key)
    "\e[1;5C": forward-word
    "\e[1;5D": backward-word
    # aterm / eterm (control + arrow key)
    "\eOc": forward-word
    "\eOd": backward-word
    # konsole (alt + arrow key)
    "\e[1;3C": forward-word
    "\e[1;3D": backward-word
    # Chromebooks remap alt + backspace so provide alternative (alt + k)
    "\ek": backward-kill-word
    $if term=rxvt
    "\e[8~": end-of-line
    "\e[3^": kill-line
    "\e[3@": backward-kill-line
    $endif
    # for non RH/Debian xterm, can't hurt for RH/Debian xterm
    "\eOH": beginning-of-line
    "\eOF": end-of-line
    # for freebsd console
    "\e[H": beginning-of-line
    "\e[F": end-of-line
    # fix Home and End for German users
    "\e[7~": beginning-of-line
    "\e[8~": end-of-line
    # ctrl [+ shift] + del = kill line [backward]
    "\e[3;5~": kill-line
    "\e[3;6~": backward-kill-line
    $endif
    # Up and Down should search history based on current cmdline
    "\e[A": history-search-backward
    "\e[B": history-search-forward
  '';
 }
--- a/config/optional/initrd-ssh.nix
+++ b/config/optional/initrd-ssh.nix
@ -1,29 +0,0 @@
 {
  config,
  pkgs,
  ...
 }: {
  age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    port = 4;
    hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
  };
  # Make sure that there is always a valid initrd hostkey available that can be installed into
  # the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
  # whatever is given, since the correct hostkey doesn't even exist yet. We still require
  # a valid hostkey to be available so that the initrd can be generated successfully.
  # The correct initrd host-key will be installed with the next update after the host is booted
  # for the first time, and the secrets were rekeyed for the the new host identity.
  system.activationScripts.agenixEnsureInitrdHostkey = {
    text = ''
      [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
    '';
    deps = ["agenixInstall" "users"];
  };
  system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
 }
--- a/config/ssh.nix
+++ b/config/ssh.nix
@ -1,21 +1,57 @@
-{lib, ...}: {
+{
-  services.openssh = {
+  config,
-    enable = true;
+  lib,
-    # In containers, this is true by default, but we don't want that
+  pkgs,
-    # because we rely on ssh key generation for agenix
+  ...
-    startWhenNeeded = lib.mkForce false;
+}: {
-    authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
+  config = lib.mkMerge [
-    sftpServerExecutable = "internal-sftp";
+    {
-    settings = {
+      services.openssh = {
-      PasswordAuthentication = false;
+        enable = true;
-      KbdInteractiveAuthentication = false;
+        # In containers, this is true by default, but we don't want that
-      PermitRootLogin = "yes";
+        # because we rely on ssh key generation for agenix. So we need
-    };
+        # the service to start eagerly
-    hostKeys = [
+        startWhenNeeded = lib.mkForce false;
-      {
+        authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
-        path = "/etc/ssh/ssh_host_ed25519_key";
+        sftpServerExecutable = "internal-sftp";
-        type = "ed25519";
+        settings = {
-      }
+          PasswordAuthentication = false;
-    ];
+          KbdInteractiveAuthentication = false;
-  };
+          PermitRootLogin = "yes";
        };
        hostKeys = [
          {
            path = "/etc/ssh/ssh_host_ed25519_key";
            type = "ed25519";
          }
        ];
      };
    }
    # Enable initrd-ssh unlock for non-virtualized hosts
    (lib.mkIf (config.node.type == "host") {
      age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
      boot.initrd.network.enable = true;
      boot.initrd.network.ssh = {
        enable = true;
        port = 4;
        hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
      };
      # Make sure that there is always a valid initrd hostkey available that can be installed into
      # the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
      # whatever is given, since the correct hostkey doesn't even exist yet. We still require
      # a valid hostkey to be available so that the initrd can be generated successfully.
      # The correct initrd host-key will be installed with the next update after the host is booted
      # for the first time, and the secrets were rekeyed for the the new host identity.
      system.activationScripts.agenixEnsureInitrdHostkey = {
        text = ''
          [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
            || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
        '';
        deps = ["agenixInstall" "users"];
      };
      system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
    })
  ];
 }
--- a/config/system.nix
+++ b/config/system.nix
@ -11,4 +11,7 @@
  # Install the kitty terminfo package for all systems.
  environment.systemPackages = [pkgs.kitty.terminfo];
  # And a reasonable inputrc please
  environment.etc."inputrc".source = ./inputrc;
 }
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@ -6,7 +6,6 @@
  imports = [
    ../../config
    ../../config/hardware/hetzner-cloud.nix
    ../../config/optional/initrd-ssh.nix
    ../../config/optional/zfs.nix
    ./acme.nix
--- a/hosts/kroma/default.nix
+++ b/hosts/kroma/default.nix
@ -20,7 +20,6 @@
    ../../config/dev
    ../../config/graphical
    ../../config/optional/initrd-ssh.nix
    ../../config/optional/laptop.nix
    ../../config/optional/sound.nix
    ../../config/optional/zfs.nix
--- a/hosts/nom/default.nix
+++ b/hosts/nom/default.nix
@ -17,7 +17,6 @@
    ../../config/dev
    ../../config/graphical
    ../../config/optional/initrd-ssh.nix
    ../../config/optional/laptop.nix
    ../../config/optional/sound.nix
    ../../config/optional/zfs.nix
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -6,7 +6,6 @@
  imports = [
    ../../config
    ../../config/hardware/hetzner-cloud.nix
    ../../config/optional/initrd-ssh.nix
    ../../config/optional/zfs.nix
    ./acme.nix
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -14,7 +14,6 @@
    ../../config
    ../../config/hardware/intel.nix
    ../../config/hardware/physical.nix
    ../../config/optional/initrd-ssh.nix
    ../../config/optional/zfs.nix
    ./fs.nix
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -14,7 +14,6 @@
    ../../config
    ../../config/hardware/intel.nix
    ../../config/hardware/physical.nix
    ../../config/optional/initrd-ssh.nix
    ../../config/optional/zfs.nix
    ./fs.nix
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@ -12,7 +12,6 @@ in {
    ../../config
    ../../config/hardware/odroid-n2plus.nix
    ../../config/hardware/physical.nix
    ../../config/optional/initrd-ssh.nix
    ../../config/optional/zfs.nix
    #./esphome.nix
--- a/pkgs/ccid.nix
+++ b/pkgs/ccid.nix
@ -1,84 +0,0 @@
 {
  lib,
  stdenv,
  fetchurl,
  flex,
  gitUpdater,
  libusb1,
  meson,
  ninja,
  pcsclite,
  perl,
  pkg-config,
  zlib,
 }:
 stdenv.mkDerivation rec {
  pname = "ccid";
  version = "1.6.1";
  src = fetchurl {
    url = "https://ccid.apdu.fr/files/${pname}-${version}.tar.xz";
    hash = "sha256-LsqPsH6P58DTna6sp7l81zxA7Ztyc4okrT3L38kY4eo=";
  };
  postPatch = ''
    patchShebangs .
    substituteInPlace meson.build --replace-fail \
      "pcsc_dep.get_variable('usbdropdir')" \
      "'$out/pcsc/drivers'"
  '';
  mesonFlags = [
    (lib.mesonBool "serial" true)
  ];
  # error: call to undeclared function 'InterruptRead';
  # ISO C99 and later do not support implicit function declarations
  env = lib.optionalAttrs stdenv.cc.isClang {
    NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
  };
  nativeBuildInputs = [
    flex
    perl
    pkg-config
    meson
    ninja
  ];
  buildInputs = [
    libusb1
    pcsclite
    zlib
  ];
  postInstall = ''
    install -Dm 0444 -t $out/lib/udev/rules.d ../src/92_pcscd_ccid.rules
    substituteInPlace $out/lib/udev/rules.d/92_pcscd_ccid.rules \
      --replace-fail "/usr/sbin/pcscd" "${pcsclite}/bin/pcscd"
  '';
  # The resulting shared object ends up outside of the default paths which are
  # usually getting stripped.
  stripDebugList = ["pcsc"];
  passthru.updateScript = gitUpdater {
    url = "https://salsa.debian.org/rousseau/CCID.git";
  };
  installCheckPhase = ''
    [ -f $out/etc/reader.conf.d/libccidtwin ]
    [ -f $out/lib/udev/rules.d/92_pcscd_ccid.rules ]
    [ -f $out/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist ]
    [ -f $out/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so ]
    [ -f $out/pcsc/drivers/serial/libccidtwin.so ]
  '';
  meta = with lib; {
    description = "PC/SC driver for USB CCID smart card readers";
    homepage = "https://ccid.apdu.fr/";
    license = licenses.lgpl21Plus;
    maintainers = [maintainers.anthonyroussel];
    platforms = platforms.unix;
  };
 }
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -8,7 +8,6 @@ _inputs: [
    segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {};
    zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {};
    actual-server = prev.callPackage ./actual-server.nix {};
    ccid = prev.callPackage ./ccid.nix {};
    neovim-clean = prev.neovim-unwrapped.overrideAttrs (old: {
      nativeBuildInputs = (old.nativeBuildInputs or []) ++ [prev.makeWrapper];
      postInstall =