Configured remote deployments

Also includes some misc fixes for bugs I ran into along the way.

flake.lock

@@ -1,6 +1,44 @@
 {
   "nodes": {
+    "deploy-rs": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1683779844,
+        "narHash": "sha256-sIeOU0GsCeQEn5TpqE/jFRN4EGsPsjqVRsPdrzIDABM=",
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "rev": "c80189917086e43d49eece2bd86f56813500a0eb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "type": "github"
+      }
+    },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1650374568,
@@ -56,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1683762874,
+        "lastModified": 1683833146,
-        "narHash": "sha256-EC7EDhzz/HjKppcaJFePlCOZqfVg8fooO/aWWUxwAJU=",
+        "narHash": "sha256-ELF0oXgg0NYGyKtU74HW8CeLstFJwwCGbuahnQla67I=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "010c26987729d6a2e0e19da6df7c3f0465ae03b3",
+        "rev": "cc9f65d104e5227d103a529a9fc3687ef4ccb117",
         "type": "github"
       },
       "original": {
@@ -124,6 +162,7 @@
     },
     "root": {
       "inputs": {
+        "deploy-rs": "deploy-rs",
         "home-manager": "home-manager",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
@@ -132,7 +171,7 @@
     },
     "snowfall-lib": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "flake-utils-plus": "flake-utils-plus",
         "nixpkgs": [
           "nixpkgs"
@@ -151,6 +190,21 @@
         "repo": "lib",
         "type": "github"
       }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -12,6 +12,9 @@
 
     snowfall-lib.url = "github:snowfallorg/lib";
     snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
+
+    deploy-rs.url = "github:serokell/deploy-rs";
+    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = inputs: let
@@ -29,18 +32,16 @@
         home-manager.nixosModules.home-manager
       ];
 
-      outputs-builder = channels: {
+      deploy.nodes.node = {
-        devShells = {
+        hostname = "node";
-          default = channels.nixpkgs.mkShell {
+        profiles.system = {
-            name = "DevShell";
+          user = "root";
-            buildInputs = with channels.nixpkgs; [
+          sshUser = "alejandro";
-              alejandra
+          path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
-              direnv
+          sshOpts = [ "-A" ];
-              git
-              pre-commit
-            ];
-          };
         };
       };
+
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
     };
 }

modules/nix/default.nix

@@ -7,7 +7,7 @@
 }:
 with lib; let
   cfg = config.aa.nix;
-  selfHostedCacheHost = "192.168.113.69";
+  selfHostedCacheHost = "http://192.168.113.69/";
 in {
   options.aa.nix = with types; {
     enable = mkEnableOption "manage nix configuration.";
@@ -41,7 +41,7 @@ in {
           if cfg.useSelfhostedCache
           then [
             selfHostedCacheHost
-            "https://cache.nixos.org"
+            "https://cache.nixos.org/"
           ]
           else [];
         trusted-public-keys =

modules/services/nix-serve/default.nix

@@ -22,6 +22,8 @@ in {
   };
 
   config = mkIf cfg.enable {
+    nix.settings.allowed-users = ["nix-serve"];
+
     services = {
       nix-serve = {
         enable = true;

modules/services/openssh/default.nix

@@ -21,22 +21,23 @@ in {
       default = [default-key];
       description = "The public keys to authorize";
     };
+  };
 
-    config = mkIf config.enable {
+  config = mkIf cfg.enable {
-      services.openssh = {
+    services.openssh = {
-        enable = true;
+      enable = true;
-        settings = {
+      settings = {
-          PasswordAuthentication = false;
+        PasswordAuthentication = false;
-          PermitRootLogin =
+        PermitRootLogin = mkDefault (
-            if format == "install-iso"
+          if format == "install-iso"
-            then true
+          then "yes"
-            else false;
+          else "no"
-        };
+        );
       };
+    };
 
-      aa.home.extraOptions = {
+    aa.user.extraOptions = {
-        programs.openssh.authorizedKeys.keys = cfg.authorizedKeys;
+      openssh.authorizedKeys.keys = cfg.authorizedKeys;
-      };
     };
   };
 }

modules/suites/utils/default.nix

@@ -14,13 +14,16 @@ in {
 
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs; [
+      alejandra
       bat
       curl
+      deploy-rs
       fd
       file
       htop
       jq
       killall
+      pre-commit
       ripgrep
       usbutils
       wget

modules/tools/gpg/default.nix

@@ -6,7 +6,7 @@
   ...
 }:
 with lib; let
-  cfg = config.aa.tools.git;
+  cfg = config.aa.tools.gpg;
   user = config.aa.user;
 in {
   options.aa.tools.gpg = with types; {

modules/user/default.nix

@@ -32,7 +32,7 @@ in {
     extraOptions = mkOption {
       type = attrs;
       default = {};
-      description = "Extra options passed to <option>users.user.<name></option>.";
+      description = "Extra options passed to <option>users.users.<name></option>.";
     };
   };
 

systems/x86_64-linux/node/default.nix

@@ -15,10 +15,24 @@
     services.openssh.enable = true;
     system.zfs.enable = true;
     system.monitoring.enable = true;
+
+    suites.utils.enable = true;
+
+    tools.zsh.enable = true;
+    tools.gpg.enable = true;
+    apps.yubikey.enable = true;
   };
 
+  security.pam.enableSSHAgentAuth = true;
+  security.pam.services.${config.aa.user.name}.sshAgentAuth = true;
+
   boot.loader.systemd-boot.enable = true;
 
+  security.sudo = {
+    wheelNeedsPassword = false;
+    execWheelOnly = true;
+  };
+
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [