{
  inputs,
  lib,
  stateVersion,
  pkgs,
  config,
  ...
}:
{
  # Pass the caller-supplied state version straight through; it is not
  # overridden anywhere in this module.
  system.stateVersion = stateVersion;

  # agenix-rekey settings. Secrets are encrypted to the master identities and
  # any extra recipient keys declared in the flake's secretsConfig, and then
  # rekeyed for this host's own key.
  age.rekey = {
    masterIdentities = inputs.self.secretsConfig.masterIdentities;
    extraEncryptionPubkeys = inputs.self.secretsConfig.extraEncryptionPubkeys;

    # Storage backend for the rekeyed secrets (see the agenix-rekey docs for the
    # available modes).
    storageMode = "derivation";

    # unsafeCurrentSystem is not a stock Nix builtin; presumably provided
    # through an extra-builtins plugin — confirm in the Nix/flake config.
    forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;

    # The host's own public key is expected next to its secrets. If the file is
    # missing the option is left unset and a trace warns that a dummy
    # replacement key is used instead, i.e. secrets built in that state are not
    # decryptable by the real host until host.pub is committed.
    hostPubkey =
      let
        pubkeyPath = config.node.secretsDir + "/host.pub";
        haveHostPubkey =
          lib.pathExists pubkeyPath
          || lib.trace "Missing pubkey for ${config.node.name}: ${toString pubkeyPath} not found, using dummy replacement key for now." false;
      in
      lib.mkIf haveHostPubkey pubkeyPath;

    generatedSecretsDir = config.node.secretsDir + "/generated/";

    # Rekey cache below the shared /var/tmp, split per user. The quoted $UID is
    # left for the consuming shell to expand — Nix does not interpolate it.
    cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
  };

  # sudo is not enabled on these hosts at all.
  security.sudo.enable = false;

  # TPM 2.0 userspace support, including the PKCS#11 module.
  security.tpm2.enable = true;
  security.tpm2.pkcs11.enable = true;

  # Just before switching, remove the agenix directory if it exists.
  # This can happen when a secret is used in the initrd because it will
  # then be copied to the initramfs under the same path. This materializes
  # /run/agenix as a directory which will cause issues when the actual system tries
  # to create a link called /run/agenix. Agenix should probably fail in this case,
  # but doesn't and instead puts the generation link into the existing directory.
  # TODO See https://github.com/ryantm/agenix/pull/187.
  # Only relevant when this host declares any agenix secrets; the guard keeps the
  # rm restricted to a real directory (never a symlink).
  system.activationScripts = lib.mkIf (config.age.secrets != { }) {
    removeAgenixLink = {
      text = "[[ ! -L /run/agenix ]] && [[ -d /run/agenix ]] && rm -rf /run/agenix";
    };
    # Make sure the cleanup runs before agenix creates the new generation link.
    agenixNewGeneration = {
      deps = [ "removeAgenixLink" ];
    };
  };

  time.timeZone = lib.mkDefault "Europe/Berlin";
  i18n.defaultLocale = "C.UTF-8";

  console.font = "${pkgs.terminus_font}/share/consolefonts/ter-v28n.psf.gz";
  console.packages = [ pkgs.terminus_font ];
  console.useXkbConfig = true; # use xkbOptions in tty.
  console.keyMap = lib.mkDefault "de-latin1-nodeadkeys";

  # Baseline tooling present on every host (referenced explicitly via pkgs.*
  # rather than through `with pkgs;`).
  environment.systemPackages = [
    pkgs.wget
    pkgs.tree
    pkgs.rage
    pkgs.file
    pkgs.ripgrep
    pkgs.killall
    pkgs.fd
    pkgs.kitty.terminfo
    pkgs.nvd
    pkgs.unzip
    pkgs.bat
    # fix pcscd
    pkgs.pcscliteWithPolkit.out
    pkgs.wireguard-tools
  ];

  # No 32-bit dynamic loader is installed.
  environment.ldso32 = null;

  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

  # Host-local encrypted secrets file, only registered when the node has a name
  # and the file actually exists in the node's secrets directory.
  secrets.secretFiles =
    let
      localSecretsFile = config.node.secretsDir + "/secrets.nix.age";
    in
    lib.optionalAttrs (config.node.name != null && lib.pathExists localSecretsFile) {
      local = localSecretsFile;
    };
}