From 58efac7f13c247605a4dfdb9c74926f94c90a951 Mon Sep 17 00:00:00 2001
From: Alejandro Angulo
Date: Sun, 16 Apr 2023 10:07:42 -0700
Subject: [PATCH] Configured remote deployments

Also includes some misc fixes for bugs I ran into along the way.
---
 flake.lock | 62 ++++++++++++++++++++++++--
 flake.nix | 23 +++++-----
 modules/nix/default.nix | 4 +-
 modules/services/nix-serve/default.nix | 2 +
 modules/services/openssh/default.nix | 27 +++++------
 modules/suites/utils/default.nix | 3 ++
 modules/tools/gpg/default.nix | 2 +-
 modules/user/default.nix | 2 +-
 systems/x86_64-linux/node/default.nix | 14 ++++++
 9 files changed, 107 insertions(+), 32 deletions(-)

diff --git a/flake.lock b/flake.lock
index 181f08f..31f9df8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,6 +1,44 @@
 {
 "nodes": {
+ "deploy-rs": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1683779844,
+ "narHash": "sha256-sIeOU0GsCeQEn5TpqE/jFRN4EGsPsjqVRsPdrzIDABM=",
+ "owner": "serokell",
+ "repo": "deploy-rs",
+ "rev": "c80189917086e43d49eece2bd86f56813500a0eb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "serokell",
+ "repo": "deploy-rs",
+ "type": "github"
+ }
+ },
 "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1668681692,
+ "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
 "flake": false,
 "locked": {
 "lastModified": 1650374568,
@@ -56,11 +94,11 @@
 ]
 },
 "locked": {
- "lastModified": 1683762874,
- "narHash": "sha256-EC7EDhzz/HjKppcaJFePlCOZqfVg8fooO/aWWUxwAJU=",
+ "lastModified": 1683833146,
+ "narHash": "sha256-ELF0oXgg0NYGyKtU74HW8CeLstFJwwCGbuahnQla67I=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "010c26987729d6a2e0e19da6df7c3f0465ae03b3",
+ "rev": "cc9f65d104e5227d103a529a9fc3687ef4ccb117",
 "type": "github"
 },
 "original": {
@@ -124,6 +162,7 @@
 },
 "root": {
 "inputs": {
+ "deploy-rs": "deploy-rs",
 "home-manager": "home-manager",
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs",
@@ -132,7 +171,7 @@
 },
 "snowfall-lib": {
 "inputs": {
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
 "flake-utils-plus": "flake-utils-plus",
 "nixpkgs": [
 "nixpkgs"
@@ -151,6 +190,21 @@
 "repo": "lib",
 "type": "github"
 }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1667395993,
+ "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 7f4b540..1056826 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,9 @@
 snowfall-lib.url = "github:snowfallorg/lib";
 snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
+
+ deploy-rs.url = "github:serokell/deploy-rs";
+ deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs = inputs: let
@@ -29,18 +32,16 @@
 home-manager.nixosModules.home-manager
 ];
- outputs-builder = channels: {
- devShells = {
- default = channels.nixpkgs.mkShell {
- name = "DevShell";
- buildInputs = with channels.nixpkgs; [
- alejandra
- direnv
- git
- pre-commit
- ];
- };
+ deploy.nodes.node = {
+ hostname = "node";
+ profiles.system = {
+ user = "root";
+ sshUser = "alejandro";
+ path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
+ sshOpts = [ "-A" ];
 };
 };
+
+ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
 };
 }
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index baf71ee..c8be95e 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -7,7 +7,7 @@
 }:
 with lib; let
 cfg = config.aa.nix;
- selfHostedCacheHost = "192.168.113.69";
+ selfHostedCacheHost = "http://192.168.113.69/";
 in {
 options.aa.nix = with types; {
 enable = mkEnableOption "manage nix configuration.";
@@ -41,7 +41,7 @@ in {
 if cfg.useSelfhostedCache
 then [
 selfHostedCacheHost
- "https://cache.nixos.org"
+ "https://cache.nixos.org/"
 ]
 else [];
 trusted-public-keys =
diff --git a/modules/services/nix-serve/default.nix b/modules/services/nix-serve/default.nix
index b2a669a..e1e12aa 100644
--- a/modules/services/nix-serve/default.nix
+++ b/modules/services/nix-serve/default.nix
@@ -22,6 +22,8 @@ in {
 };
 config = mkIf cfg.enable {
+ nix.settings.allowed-users = ["nix-serve"];
+
 services = {
 nix-serve = {
 enable = true;
diff --git a/modules/services/openssh/default.nix b/modules/services/openssh/default.nix
index b472999..b510c91 100644
--- a/modules/services/openssh/default.nix
+++ b/modules/services/openssh/default.nix
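Review bot: `sshOpts = [ "-A" ]` forwards the local SSH agent into every deploy session on `node`, where `profiles.system.user = "root"` means activation runs with elevated privileges, so any root-level code on the target can use the forwarded agent socket for the lifetime of that session; this is a deliberate trade-off and should be recorded as one. If the forwarding exists so that deploy-rs's sudo step can authenticate through the `security.pam.enableSSHAgentAuth` setting the node gains in this same commit, a comment such as `# -A: sudo on the target authenticates via the forwarded agent (pam sshAgentAuth)` would stop the next reader from treating it as incidental. The node configuration also sets `security.sudo.wheelNeedsPassword = false`; if that stays, sudo needs no agent at all and `-A` could be dropped to keep the agent off the remote host. The enclosing `outputs` attribute set starts above this hunk.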
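Review bot: `selfHostedCacheHost` now names a plain `http://` substituter on a LAN address, so the transport itself provides no integrity or authenticity for fetched NARs; that is tolerable only because Nix checks each NAR signature against `trusted-public-keys` (visible as context in the second hunk), assuming `require-sigs` is left at its default. A comment beside the constant would make that dependency explicit, e.g. `# plain HTTP: integrity comes from NAR signatures (trusted-public-keys), not the transport`. The trailing slashes added to both URLs look like canonicalisation and need no further action.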
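Review bot: `nix.settings.allowed-users = ["nix-serve"]` replaces the option's default of `["*"]` rather than extending it, so unless another module in this configuration also defines `allowed-users` (list definitions merge) or places the interactive user in `trusted-users`, enabling nix-serve will stop ordinary users on that host from talking to the daemon. That cannot be confirmed from this hunk alone, so it is worth checking against modules/nix/default.nix; if the intent is only to keep nix-serve working under a list restricted elsewhere, a comment such as `# merged with the allowed-users list defined in modules/nix` would document it, and if nothing else defines the list this line should also name the users that need daemon access. The `config = mkIf cfg.enable {` block continues outside the hunk.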
@@ -21,22 +21,23 @@ in {
 default = [default-key];
 description = "The public keys to authorize";
 };
+ };
- config = mkIf config.enable {
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin =
- if format == "install-iso"
- then true
- else false;
- };
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = mkDefault (
+ if format == "install-iso"
+ then "yes"
+ else "no"
+ );
 };
+ };
- aa.home.extraOptions = {
- programs.openssh.authorizedKeys.keys = cfg.authorizedKeys;
- };
+ aa.user.extraOptions = {
+ openssh.authorizedKeys.keys = cfg.authorizedKeys;
 };
 };
 }
diff --git a/modules/suites/utils/default.nix b/modules/suites/utils/default.nix
index 6e6322c..9d53454 100644
--- a/modules/suites/utils/default.nix
+++ b/modules/suites/utils/default.nix
@@ -14,13 +14,16 @@ in {
 config = mkIf cfg.enable {
 environment.systemPackages = with pkgs; [
+ alejandra
 bat
 curl
+ deploy-rs
 fd
 file
 htop
 jq
 killall
+ pre-commit
 ripgrep
 usbutils
 wget
diff --git a/modules/tools/gpg/default.nix b/modules/tools/gpg/default.nix
index 73ac23b..b0312f5 100644
--- a/modules/tools/gpg/default.nix
+++ b/modules/tools/gpg/default.nix
@@ -6,7 +6,7 @@
 ...
 }:
 with lib; let
- cfg = config.aa.tools.git;
+ cfg = config.aa.tools.gpg;
 user = config.aa.user;
 in {
 options.aa.tools.gpg = with types; {
diff --git a/modules/user/default.nix b/modules/user/default.nix
index 8a4d0dc..dac33ca 100644
--- a/modules/user/default.nix
+++ b/modules/user/default.nix
@@ -32,7 +32,7 @@ in {
 extraOptions = mkOption {
 type = attrs;
 default = {};
- description = "Extra options passed to .";
+ description = "Extra options passed to .";
 };
 };
diff --git a/systems/x86_64-linux/node/default.nix b/systems/x86_64-linux/node/default.nix
index 682ef7c..6734d4e 100644
--- a/systems/x86_64-linux/node/default.nix
+++ b/systems/x86_64-linux/node/default.nix
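Review bot: `PermitRootLogin` is now wrapped in `mkDefault`, so any other definition of `services.openssh.settings.PermitRootLogin` anywhere in the configuration silently wins over this `"no"` without a conflict error; if that is the intent (letting an image format or a host loosen it), a comment should say so, e.g. `# mkDefault: hosts and image formats may override; "no" is a baseline, not a policy floor`, and if it is not intended a plain assignment is the safer shape. Switching the string values to `"yes"`/`"no"` matches the option's expected enum where the old booleans did not, and the `config.enable` → `cfg.enable` fix means the block is now gated by this module's own enable option rather than a non-existent top-level one, so the module only takes effect from this commit onward. The `in {` attribute set this hunk edits begins above it.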
@@ -15,10 +15,24 @@
 services.openssh.enable = true;
 system.zfs.enable = true;
 system.monitoring.enable = true;
+
+ suites.utils.enable = true;
+
+ tools.zsh.enable = true;
+ tools.gpg.enable = true;
+ apps.yubikey.enable = true;
 };
+ security.pam.enableSSHAgentAuth = true;
+ security.pam.services.${config.aa.user.name}.sshAgentAuth = true;
+
 boot.loader.systemd-boot.enable = true;
+ security.sudo = {
+ wheelNeedsPassword = false;
+ execWheelOnly = true;
+ };
+
 # List packages installed in system profile. To search, run:
 # $ nix search wget
 environment.systemPackages = with pkgs; [
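Review bot: `security.sudo.wheelNeedsPassword = false` grants every wheel member passwordless sudo unconditionally, which makes the two `security.pam` lines above it irrelevant for sudo and means that a compromise of the `alejandro` SSH session (or of the agent that flake.nix forwards with `-A`) is immediately root. If the goal is for deploy-rs to elevate without a password prompt, `security.pam.enableSSHAgentAuth = true` on its own should suffice — as far as I recall the NixOS sudo module already enables `sshAgentAuth` on the `sudo` PAM service when that global is set — so `wheelNeedsPassword` can stay at its default and sudo then requires a key present in the user's `authorized_keys`. `security.pam.services.${config.aa.user.name}.sshAgentAuth = true` defines a PAM service named after the user, but PAM services are keyed by the calling program (`sudo`, `sshd`, `login`), so this entry is most likely unused and should be dropped or, if a per-service setting is wanted, written as `security.pam.services.sudo.sshAgentAuth = true;`. `execWheelOnly = true` is a sound hardening step and stands on its own.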