# Base NixOS module shared by every host: pulls in the common service, software
# and NixOS modules, the per-user and per-host modules, and declares the
# `deploy` account that deploy-rs uses to push configurations to this machine.
#
# Privilege note: the `deploy` account is root-equivalent on this host. It is
# listed in `nix.settings.trusted-users` (which the Nix manual describes as
# effectively root access) and may run `nixos-rebuild` and the other tools
# below through sudo without a password. The dedicated `deploy` group keeps
# group membership small; it does not reduce the effective privilege, so the
# deploy SSH key should be handled as a root credential.
{ inputs, lib, pkgs, hostname, stateVersion, username, desktop, system, ... }:

let
  # Commands deploy-rs may need while activating a configuration; each entry
  # becomes one passwordless sudo rule below. The two `/nix/store/*` entries
  # are globs, so they match any store path that ships a
  # `switch-to-configuration` binary, not only the current system closure.
  deployCommands = [
    "/run/current-system/sw/bin/nixos-rebuild"
    "/run/current-system/sw/bin/home-manager"
    "/nix/store/*/bin/switch-to-configuration"
    "/nix/store/*-system/bin/switch-to-configuration"
    "/run/current-system/sw/bin/nix-env"
    "/run/current-system/sw/bin/nix-store"
    "/run/current-system/sw/bin/nix-daemon"
  ];

  # The desktop module is only imported when a desktop name was supplied.
  desktopModule =
    if builtins.isString desktop
    then [ ./common/desktops/${desktop} ]
    else [ ];
in
{
  imports = [
    # External flake modules
    inputs.disko.nixosModules.disko

    # Services
    ./common/services/openssh.nix
    ./common/services/fail2ban.nix
    ./common/services/tailscale.nix
    ./common/services/promtail.nix
    ./common/services/telegraf.nix

    # Software
    ./common/software/cli/scripts.nix
    ./common/packages/small.nix

    # NixOS modules
    ./common/modules/networking.nix # initial networking configuration
    ./common/modules/nixos.nix # common NixOS configuration
    ./common/modules/remote-builders.nix # remote builders

    # Per-user and per-host modules
    ./users/${username}
    ./hosts/${hostname}
  ] ++ desktopModule;

  programs.fish.enable = true;

  users = {
    # Dedicated group so the sudo and trusted-users rules can target "@deploy"
    # without reusing an existing group.
    groups.deploy = { };

    # NOTE: this account is used by deploy-rs to remotely build and activate
    # NixOS. The matching private key lives in secrets.yaml under
    # deploy/ssh_key and must be copied by hand to
    # /home/deploy/.ssh/id_ed25519 on every machine that deploys from it.
    users.deploy = {
      isNormalUser = true;
      createHome = true;
      home = "/home/deploy";

      # Keep group membership to the minimum required.
      extraGroups = [ "deploy" "nixbld" ];

      # TODO: disable interactive login once deployments are working:
      # shell = "/run/current-system/sw/bin/nologin";
      # Until then the account keeps the system's default login shell.

      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyjI22cErvcrjDGkdqnnDDh/L6+5GemXL0l/sGXPuIJ deploy"
      ];
    };
  };

  # Members of the deploy group may talk to the Nix daemon as trusted users.
  nix.settings.trusted-users = [ "@deploy" ];

  security.sudo = {
    enable = true;
    extraRules = [
      {
        users = [ "deploy" ];
        # One NOPASSWD rule per command, in the order listed in deployCommands.
        commands = map (cmd: { command = cmd; options = [ "NOPASSWD" ]; }) deployCommands;
      }
    ];
  };

  # Recursively hand /etc/nixos/git to the deploy user and group
  # (presumably the checked-out configuration repository — verify against
  # the deploy workflow).
  systemd.tmpfiles.rules = [ "Z /etc/nixos/git - deploy deploy" ];
}