diff --git a/home-manager/common/software/cli/ssh.nix b/home-manager/common/software/cli/ssh.nix
index fc0bc998..967ade41 100644
--- a/home-manager/common/software/cli/ssh.nix
+++ b/home-manager/common/software/cli/ssh.nix
@@ -4,7 +4,5 @@
 home.file.".ssh/config".text = ''
 Host 192.168.1.210
 StrictHostKeyChecking no
- Host nixos-vm-01
- ForwardAgent yes
 '';
 }
\ No newline at end of file
diff --git a/nixos/common/services/openssh.nix b/nixos/common/services/openssh.nix
index 1166739e..50561da4 100644
--- a/nixos/common/services/openssh.nix
+++ b/nixos/common/services/openssh.nix
@@ -1,4 +1,9 @@
 { config, pkgs, hostname, ... }: {
+ # enable passwordless elevation
+ # Useful for deploy-rs
+ security.pam.enableSSHAgentAuth = true;
+ programs.ssh.startAgent = true;
+ programs.ssh.agentTimeout = "1h";
 # By default no ports are open.
 # When ./tailscale.nix is imported, port 22 on the tailscale interface is then opened.
 services.openssh = {
diff --git a/nixos/default.nix b/nixos/default.nix
index 250574d0..eaf9cd37 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -25,10 +25,6 @@
 ./hosts/${hostname}
 ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop};
- # enable passwordless elevation
- # Useful for deploy-rs
- security.pam.enableSSHAgentAuth = true;
-
 # List packages installed in system profile
 environment.systemPackages = with pkgs; [
 sbctl # Secureboot Control
diff --git a/nixos/minimal.nix b/nixos/minimal.nix
index c02bca62..8e5ba1cb 100644
--- a/nixos/minimal.nix
+++ b/nixos/minimal.nix
@@ -12,10 +12,6 @@
 ./users/${username}
 ./hosts/${hostname}
 ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop};
-
- # enable passwordless elevation
- # Useful for deploy-rs
- security.pam.enableSSHAgentAuth = true;
 # List packages installed in system profile
 environment.systemPackages = with pkgs; [
diff --git a/nixos/small.nix b/nixos/small.nix
index ba76b00e..0cd299cb 100644
--- a/nixos/small.nix
+++ b/nixos/small.nix
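Review bot: The comment above `security.pam.enableSSHAgentAuth = true` in the openssh.nix hunk says only "passwordless elevation", but the option makes sudo authenticate through whatever agent `SSH_AUTH_SOCK` points at, so the trust anchor becomes the keys PAM accepts for that user plus anyone who can reach the forwarded agent socket on this host while a session is open; suggest `# sudo authenticates via pam_ssh_agent_auth against the forwarded agent; requires ForwardAgent on the client and exposes that socket to root on this host`. `programs.ssh.startAgent` and `agentTimeout = "1h"` configure a local agent for this machine's own outgoing connections and do not bound the lifetime of the credential sudo sees, which lives in the client's agent; a one-line comment separating the two would avoid that misreading. The first hunk of this commit removes `ForwardAgent yes` for nixos-vm-01 from the home-manager ssh config, so if that host is a deploy target, sudo there now depends on deploy-rs supplying agent forwarding itself, which is worth confirming. Depending on the nixpkgs revision, `security.pam.enableSSHAgentAuth` may be the legacy alias of `security.pam.sshAgentAuth.enable`, whose sub-options also control which authorized-keys files are consulted.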
@@ -18,10 +18,6 @@
 ./users/${username}
 ./hosts/${hostname}
 ];
-
- # enable passwordless elevation
- # Useful for deploy-rs
- security.pam.enableSSHAgentAuth = true;
 # List packages installed in system profile
 environment.systemPackages = with pkgs; [
diff --git a/nixos/users/albert/default.nix b/nixos/users/albert/default.nix
index 5720dbe7..bb901eb7 100644
--- a/nixos/users/albert/default.nix
+++ b/nixos/users/albert/default.nix
@@ -3,7 +3,7 @@ let
 ifExists = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
 in {
 # Define a user account.
- imports = [ ] ++ lib.optional (builtins.isString desktop) ./desktop.nix;
+ imports = [ /*./switcher.nix*/ ] ++ lib.optional (builtins.isString desktop) ./desktop.nix;
 users.mutableUsers = false;
 users.users.albert = {
 isNormalUser = true;
@@ -22,15 +22,17 @@ in {
 nix.settings.trusted-users = [ "albert" ];
 # No sudo password - deploy-rs
- security.sudo.extraRules = [
- {
- users = [ "albert" ];
- commands = [
- {
- command = "ALL";
- options = [ "NOPASSWD" ];
- }
- ];
- }
- ];
+ # security.sudo.extraRules = [
+ # {
+ # users = [ "albert" ];
+ # commands = [
+ # {
+ # command = "ALL";
+ # options = [ "NOPASSWD" ];
+ # }
+ # ];
+ # }
+ # ];
+
+
 }
\ No newline at end of file
diff --git a/nixos/users/albert/switcher.nix b/nixos/users/albert/switcher.nix
new file mode 100644
index 00000000..9aa1cd54
--- /dev/null
+++ b/nixos/users/albert/switcher.nix
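Review bot: Both hunks in nixos/users/albert/default.nix leave dead configuration in place instead of deleting it: `imports = [ /*./switcher.nix*/ ]` in the first hunk, and the eleven `# security.sudo.extraRules = [ ...` lines plus two trailing blank lines before the closing `}` in the second, so the switcher.nix this commit adds is never imported and the surviving header `# No sudo password - deploy-rs` now describes a rule that no longer exists. Since the old rule is in git history, either wire the import in or remove the commented block and the blank lines, and replace the header with what now provides elevation, e.g. `# sudo is key-based via pam_ssh_agent_auth (see common/services/openssh.nix)`. If the import stays commented out on purpose until switcher.nix is finished, a short `# TODO:` saying so would make the intent clear to the next reader.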
@@ -0,0 +1,34 @@
+{self, ...}: {
+ pkgs,
+ config,
+ ...
+}: {
+ # https://github.com/NobbZ/nixos-config/blob/a1c99894088f43a0ba31812ad53f0e09dc36f15a/nixos/modules/switcher.nix#L14-L31
+ _file = ./switcher.nix;
+
+ environment.systemPackages = [self.packages."${pkgs.system}".switcher];
+
+ security.sudo.extraRules = let
+ storePrefix = "/nix/store/*";
+ systemName = "nixos-system-${config.networking.hostName}-*";
+ in [
+ {
+ commands = [
+ {
+ command = "${storePrefix}-nix-*/bin/nix-env -p /nix/var/nix/profiles/system --set ${storePrefix}-${systemName}";
+ options = ["NOPASSWD"];
+ }
+ ];
+ groups = ["wheel"];
+ }
+ {
+ commands = [
+ {
+ command = "${storePrefix}-${systemName}/bin/switch-to-configuration";
+ options = ["NOPASSWD"];
+ }
+ ];
+ groups = ["wheel"];
+ }
+ ];
+}
\ No newline at end of file
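Review bot: The two NOPASSWD rules are weaker than they read because both command patterns begin with the `storePrefix = "/nix/store/*"` glob: `${storePrefix}-nix-*/bin/nix-env` and `${storePrefix}-${systemName}/bin/switch-to-configuration` match any store path whose name contains `-nix-` or `nixos-system-<host>-`, and on a default nix-daemon setup any user can realise store paths of their own choosing, so for the wheel group this is close to the `NOPASSWD ALL` rule the commit comments out in users/albert/default.nix rather than a narrowing of it. The nix-env half can be pinned to the configured package, `command = "${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set ${storePrefix}-${systemName}";`, while the switch-to-configuration half cannot be pinned without a trusted-path scheme and should carry a comment stating the consequence, e.g. `# NOTE: the store-path glob does not verify the closure; treat this as wheel == root`. Note also that sudoers `*` in the argument part matches across word boundaries, so text after `--set <path>` is accepted too. The module shape `{self, ...}: { pkgs, config, ... }: {` appears to expect instantiation as `import ./switcher.nix { inherit self; }` before being placed in `imports`; a bare path import would not bind `self`, which may be why default.nix leaves the import commented out, and a header comment stating how this file is meant to be imported would prevent that mistake. `pkgs.system` works but nixpkgs prefers `pkgs.stdenv.hostPlatform.system` for the packages attribute lookup.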