diff --git a/flake.lock b/flake.lock
index 181f08f..31f9df8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,6 +1,44 @@
{
"nodes": {
+ "deploy-rs": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1683779844,
+ "narHash": "sha256-sIeOU0GsCeQEn5TpqE/jFRN4EGsPsjqVRsPdrzIDABM=",
+ "owner": "serokell",
+ "repo": "deploy-rs",
+ "rev": "c80189917086e43d49eece2bd86f56813500a0eb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "serokell",
+ "repo": "deploy-rs",
+ "type": "github"
+ }
+ },
"flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1668681692,
+ "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@@ -56,11 +94,11 @@
]
},
"locked": {
- "lastModified": 1683762874,
- "narHash": "sha256-EC7EDhzz/HjKppcaJFePlCOZqfVg8fooO/aWWUxwAJU=",
+ "lastModified": 1683833146,
+ "narHash": "sha256-ELF0oXgg0NYGyKtU74HW8CeLstFJwwCGbuahnQla67I=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "010c26987729d6a2e0e19da6df7c3f0465ae03b3",
+ "rev": "cc9f65d104e5227d103a529a9fc3687ef4ccb117",
"type": "github"
},
"original": {
@@ -124,6 +162,7 @@
},
"root": {
"inputs": {
+ "deploy-rs": "deploy-rs",
"home-manager": "home-manager",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs",
@@ -132,7 +171,7 @@
},
"snowfall-lib": {
"inputs": {
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
"flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"nixpkgs"
@@ -151,6 +190,21 @@
"repo": "lib",
"type": "github"
}
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1667395993,
+ "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index 7f4b540..1056826 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,9 @@
snowfall-lib.url = "github:snowfallorg/lib";
snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
+
+ deploy-rs.url = "github:serokell/deploy-rs";
+ deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs: let
@@ -29,18 +32,16 @@
home-manager.nixosModules.home-manager
];
- outputs-builder = channels: {
- devShells = {
- default = channels.nixpkgs.mkShell {
- name = "DevShell";
- buildInputs = with channels.nixpkgs; [
- alejandra
- direnv
- git
- pre-commit
- ];
- };
+ deploy.nodes.node = {
+ hostname = "node";
+ profiles.system = {
+ user = "root";
+ sshUser = "alejandro";
+ path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
+ sshOpts = [ "-A" ];
};
};
+
+ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
};
}
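Review bot: `sshOpts = [ "-A" ]` in `profiles.system` forwards the deployer's SSH agent into every deploy session, so root on the target can use every key the local agent holds for as long as the session lasts; if forwarding exists only so sudo can authenticate through PAM agent auth, say so in a comment on that line, e.g. `# -A: forwarded agent is what sudo's pam_ssh_agent_auth checks on the node`, and consider a dedicated deploy key in that agent, otherwise drop `-A`. `hostname = "node"` and `sshUser = "alejandro"` are hard-coded here although the same values presumably live in the node's own configuration; referencing them from there would keep one source of truth, but the node config is not in this hunk. The enclosing `outputs = inputs: let … in` expression starts before this hunk.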
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index baf71ee..c8be95e 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -7,7 +7,7 @@
}:
with lib; let
cfg = config.aa.nix;
- selfHostedCacheHost = "192.168.113.69";
+ selfHostedCacheHost = "http://192.168.113.69/";
in {
options.aa.nix = with types; {
enable = mkEnableOption "manage nix configuration.";
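Review bot: `selfHostedCacheHost` now names a plain-`http://` substituter, so the transport provides neither integrity nor authenticity; what protects fetched store paths is signature verification against the keys in the `trusted-public-keys` definition later in this file, which means this module must never disable `require-sigs` or rely on the cache being trusted without a matching key. A one-line comment on the definition would make that dependency explicit, e.g. `# plain HTTP on the LAN: integrity rests on trusted-public-keys, not on transport`. If the cache host can serve TLS, prefer an `https://` URL here.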
@@ -41,7 +41,7 @@ in {
if cfg.useSelfhostedCache
then [
selfHostedCacheHost
- "https://cache.nixos.org"
+ "https://cache.nixos.org/"
]
else [];
trusted-public-keys =
diff --git a/modules/services/nix-serve/default.nix b/modules/services/nix-serve/default.nix
index b2a669a..e1e12aa 100644
--- a/modules/services/nix-serve/default.nix
+++ b/modules/services/nix-serve/default.nix
@@ -22,6 +22,8 @@ in {
};
config = mkIf cfg.enable {
+ nix.settings.allowed-users = ["nix-serve"];
+
services = {
nix-serve = {
enable = true;
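Review bot: `nix.settings.allowed-users = ["nix-serve"]` is a list definition, not an append; if no other module defines `allowed-users`, it replaces the default `*` so that only root and `nix-serve` may connect to the daemon, breaking nix commands for every other user on hosts that enable this service. If the intent is only to make sure the serving user can reach the daemon, the default already covers that and the line can go; if the intent is to restrict daemon access, list the admin side too, e.g. `nix.settings.allowed-users = ["nix-serve" "@wheel"];`. Either way a comment on the line stating which of the two is meant would help the next reader. The `config = mkIf cfg.enable {` block continues past the hunk.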
diff --git a/modules/services/openssh/default.nix b/modules/services/openssh/default.nix
index b472999..b510c91 100644
--- a/modules/services/openssh/default.nix
+++ b/modules/services/openssh/default.nix
@@ -21,22 +21,23 @@ in {
default = [default-key];
description = "The public keys to authorize";
};
+ };
- config = mkIf config.enable {
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin =
- if format == "install-iso"
- then true
- else false;
- };
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = mkDefault (
+ if format == "install-iso"
+ then "yes"
+ else "no"
+ );
};
+ };
- aa.home.extraOptions = {
- programs.openssh.authorizedKeys.keys = cfg.authorizedKeys;
- };
+ aa.user.extraOptions = {
+ openssh.authorizedKeys.keys = cfg.authorizedKeys;
};
};
}
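Review bot: `PasswordAuthentication = false` on its own does not disable password logins on NixOS, because the module's `KbdInteractiveAuthentication` setting defaults to true and PAM then still prompts for the password over keyboard-interactive; add `KbdInteractiveAuthentication = false;` next to it inside `settings`. For the install ISO, `PermitRootLogin = "yes"` permits more than the key-only access the rest of this block aims at; `"prohibit-password"` gives root the same key-based login while keeping password-based root login off regardless of the other settings. Wrapping it in `mkDefault` is a good choice since individual hosts can still override it.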
diff --git a/modules/suites/utils/default.nix b/modules/suites/utils/default.nix
index 6e6322c..9d53454 100644
--- a/modules/suites/utils/default.nix
+++ b/modules/suites/utils/default.nix
@@ -14,13 +14,16 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
+ alejandra
bat
curl
+ deploy-rs
fd
file
htop
jq
killall
+ pre-commit
ripgrep
usbutils
wget
diff --git a/modules/tools/gpg/default.nix b/modules/tools/gpg/default.nix
index 73ac23b..b0312f5 100644
--- a/modules/tools/gpg/default.nix
+++ b/modules/tools/gpg/default.nix
@@ -6,7 +6,7 @@
...
}:
with lib; let
- cfg = config.aa.tools.git;
+ cfg = config.aa.tools.gpg;
user = config.aa.user;
in {
options.aa.tools.gpg = with types; {
diff --git a/modules/user/default.nix b/modules/user/default.nix
index 8a4d0dc..dac33ca 100644
--- a/modules/user/default.nix
+++ b/modules/user/default.nix
@@ -32,7 +32,7 @@ in {
extraOptions = mkOption {
type = attrs;
default = {};
- description = "Extra options passed to .";
+ description = "Extra options passed to .";
};
};
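Review bot: Both the removed and the added `description` read `Extra options passed to .` here, so the object of the sentence is missing — either angle-bracket text such as `<name>` was stripped when this diff was rendered, or the string really is truncated. Given that the openssh module in this commit now routes `openssh.authorizedKeys.keys` through `aa.user.extraOptions`, the option presumably feeds `users.users.<name>`; stating that target, e.g. `description = "Extra options merged into the user's users.users.<name> definition.";`, would make the contract clear.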
diff --git a/systems/x86_64-linux/node/default.nix b/systems/x86_64-linux/node/default.nix
index 682ef7c..6734d4e 100644
--- a/systems/x86_64-linux/node/default.nix
+++ b/systems/x86_64-linux/node/default.nix
@@ -15,10 +15,24 @@
services.openssh.enable = true;
system.zfs.enable = true;
system.monitoring.enable = true;
+
+ suites.utils.enable = true;
+
+ tools.zsh.enable = true;
+ tools.gpg.enable = true;
+ apps.yubikey.enable = true;
};
+ security.pam.enableSSHAgentAuth = true;
+ security.pam.services.${config.aa.user.name}.sshAgentAuth = true;
+
boot.loader.systemd-boot.enable = true;
+ security.sudo = {
+ wheelNeedsPassword = false;
+ execWheelOnly = true;
+ };
+
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
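Review bot: `security.sudo.wheelNeedsPassword = false` hands the whole wheel group passwordless root, which makes the `sshAgentAuth` lines added above redundant for sudo: PAM agent auth is only consulted when sudo authenticates, and with `wheelNeedsPassword = false` it never does. Keeping `enableSSHAgentAuth` and dropping `wheelNeedsPassword = false` gives deploy-rs the same non-interactive escalation but gated on a key present in the forwarded agent rather than on group membership alone; `execWheelOnly = true` is a sensible restriction either way. `security.pam.services.${config.aa.user.name}.sshAgentAuth = true` names a PAM service after the user, but PAM services are per program (`sudo`, `login`), so unless a service of that name exists the definition presumably has no effect, while `enableSSHAgentAuth` already targets sudo by its own description. A comment on the sudo block noting that it exists for deploy-rs would make the trade-off visible to the next reader.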