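# Common NixOS module shared by every host in this flake.
#
# Arguments come from the flake's module call: `inputs` (flake inputs, used here
# for disko), `lib` (nixpkgs lib), `hostname`/`username` (select the per-host and
# per-user modules), and `desktop` (a string selects a desktop module, any other
# value disables it).  `pkgs`, `stateVersion` and `system` are accepted for
# interface compatibility but are not read in this file.
#
# Besides the shared imports it declares the `deploy` service account that
# deploy-rs uses to build and activate this host remotely.
{ inputs, lib, pkgs, hostname, stateVersion, username, desktop, system, ... }: {
  imports = [
    # Modules
    inputs.disko.nixosModules.disko

    # Services
    ./common/services/openssh.nix
    ./common/services/fail2ban.nix
    ./common/services/tailscale.nix
    ./common/services/promtail.nix
    ./common/services/telegraf.nix

    # Software
    ./common/software/cli/scripts.nix
    ./common/packages/small.nix

    # NixOS Modules
    ./common/modules/networking.nix # Initial Networking configs
    ./common/modules/nixos.nix # Common NixOS Configurations
    ./common/modules/remote-builders.nix # Add remote builders

    ./users/${username}
    ./hosts/${hostname}
  ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop};

  programs.fish.enable = true;

  # NOTE: This user is used to remotely build NixOS using deploy-rs

  # Configure sops
  # The deploy user's own SSH private key is decrypted from the shared secrets
  # file and exposed at the conventional key path.  `owner` and `mode` apply to
  # the decrypted file so sshd/ssh accept it as a private key.
  sops = {
    secrets."deploy/ssh_key" = {
      sopsFile = ../secrets/secrets.yaml;
      owner = "deploy";
      path = "/home/deploy/.ssh/id_ed25519";
      mode = "0600"; # Correct SSH key permissions
    };
  };

  # Configure the user
  users.users.deploy = {
    isNormalUser = true;
    createHome = true;
    home = "/home/deploy";
    # Only add the minimum required groups (the group itself is declared in
    # users.groups.deploy below)
    extraGroups = [ "deploy" ];
    # Disable interactive login
    # NOTE(review): sshd also runs non-interactive commands (`ssh deploy@host <cmd>`)
    # through the account's login shell, so a nologin shell refuses those too.
    # Confirm that deploy-rs can still execute on this host with this setting.
    shell = "/run/current-system/sw/bin/nologin";
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyjI22cErvcrjDGkdqnnDDh/L6+5GemXL0l/sGXPuIJ deploy" ];
  };

  # Create a dedicated group
  users.groups.deploy = {};

  # Passwordless sudo for the single command the deploy role needs.
  # NOTE(review): the rule does not constrain arguments, and nixos-rebuild can be
  # pointed at an arbitrary configuration, so this amounts to root for `deploy`;
  # the authorized key above is therefore the effective root credential for this
  # host.  deploy-rs is understood to escalate by running its activation script
  # under sudo rather than via nixos-rebuild — confirm this rule actually covers
  # the deployment path in use.
  security.sudo = {
    enable = true;
    extraRules = [{
      users = [ "deploy" ];
      commands = [{
        command = "/run/current-system/sw/bin/nixos-rebuild";
        options = [ "NOPASSWD" ];
      }];
    }];
  };

  # Git repository access for the nixos-rebuild group.
  # One recursive rule with a masked mode (`~`): directories and already
  # executable files become 0750, files without an execute bit become 0640.
  # The previous three rules set 0640 on the entries matched by
  # `/etc/nixos/git/**` and `.git/**`, which removed the group's traversal bit
  # from the directories underneath (`**` is an ordinary single-level glob in
  # tmpfiles.d), leaving group members unable to read .git/objects and friends.
  # NOTE(review): the `nixos-rebuild` group is not declared in this file and
  # `deploy` is not a member of it — confirm where it is defined and who relies
  # on this access.
  systemd.tmpfiles.rules = [
    "Z /etc/nixos/git ~0750 root nixos-rebuild"
  ];
}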