From f2f8c0dc7b1831e799b6bfef3dd2e78bbebeeab4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?=
Date: Mon, 18 Dec 2023 16:49:17 +0100
Subject: [PATCH] fix: reimplement minimal stuff
---
 hosts/testienix/default.nix | 31 +++++++++++++-----------
 hosts/testienix/secrets/host.pub | 2 +-
 hosts/testienix/secrets/secrets.nix.age | Bin 825 -> 903 bytes
 modules/config/impermanence/default.nix | 6 +++++
 modules/config/ssh.nix | 3 ++-
 modules/services/containers.nix | 2 +-
 users/root/default.nix | 4 ++-
 7 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/hosts/testienix/default.nix b/hosts/testienix/default.nix
index ffc10d8..7ddeff9 100644
--- a/hosts/testienix/default.nix
+++ b/hosts/testienix/default.nix
@@ -1,25 +1,28 @@
 {
 inputs,
 lib,
+ minimal,
 ...
 }: {
- imports = [
- inputs.nixos-hardware.nixosModules.common-pc
- inputs.nixos-hardware.nixosModules.common-pc-ssd
+ imports =
+ [
+ inputs.nixos-hardware.nixosModules.common-pc
+ inputs.nixos-hardware.nixosModules.common-pc-ssd
- ../../modules/config
- ../../modules/optional/initrd-ssh.nix
+ ../../modules/config
+ ../../modules/optional/initrd-ssh.nix
- ../../modules/hardware/intel.nix
- ../../modules/hardware/physical.nix
- ../../modules/hardware/zfs.nix
+ ../../modules/hardware/intel.nix
+ ../../modules/hardware/physical.nix
+ ../../modules/hardware/zfs.nix
- ../../modules/services/samba.nix
- ../../modules/services/nextcloud.nix
-
- ./net.nix
- ./fs.nix
- ];
+ ./net.nix
+ ./fs.nix
+ ]
+ ++ lib.lists.optionals (!minimal) [
+ ../../modules/services/samba.nix
+ ../../modules/services/nextcloud.nix
+ ];
 services.xserver = {
 layout = "de";
 xkbVariant = "bone";
diff --git a/hosts/testienix/secrets/host.pub b/hosts/testienix/secrets/host.pub
index 6a271a8..84ddaa9 100644
--- a/hosts/testienix/secrets/host.pub
+++ b/hosts/testienix/secrets/host.pub
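Review bot: `minimal` is introduced as a bare module-function argument with no default, and nothing in the hunk shows where it is supplied, so any evaluation of this host that does not pass it (presumably through specialArgs) fails with a missing-attribute error; the `minimal` argument added in users/root/default.nix has the same gap. As far as I recall the module system does not honour `?` defaults on module arguments, so a real default would need an option (e.g. `options.minimal = lib.mkOption { type = lib.types.bool; default = false; };` read as `config.minimal`) rather than a default in the argument set. At minimum, add a comment above the argument naming its source, e.g. `# minimal: expected from specialArgs (TODO: point at where it is set); drops optional services`. The hunk also re-indents the whole imports list, which makes the real change (the `++ lib.lists.optionals` tail) harder to spot in review.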
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9cxElcsww+AMsQ2U2ZbhZSDiqkil5bUvKG0vRSSL/T
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEIOTaOyLL8TcuZAdZnPI4M2FTXnMsm/T40fLmfqBTkE
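Review bot: The host public key is replaced without any recorded reason; the commit title "fix: reimplement minimal stuff" does not mention a key rotation. Every client holding the old key in known_hosts will now fail strict host-key checking, and the new fingerprint should be confirmed out-of-band before those entries are updated. secrets.nix.age is re-encrypted in the same patch, which suggests the old key is already retired as an agenix recipient (inferred, not visible here). Recording why the key changed — presumably because it now lives at the persisted /state path set in the impermanence hunk — would make the rotation auditable later.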
diff --git a/hosts/testienix/secrets/secrets.nix.age b/hosts/testienix/secrets/secrets.nix.age index 4a2e22ae44c1b1d04246fafd26e11453814de37f..627f3479d15062d8ad4360adfecf36a9e3ee4c6d 100644 GIT binary patch delta 851 zcmV-Z1FZbH28RcbAb)m9GEY}`a4>ROR82W|MQwITG&4p*D`7WAdRSL&P;5m)c293c zGIDBcRSI-rY%okwV^wxeLTWWiL^Cf*dS+KeRWUbBb9Hn~Q%!S8X)tJ0SvN0fI0`L3 zAaH4REpRe5HXvA3QEOE}AVD@|b8j|PNNrbIXf{GlNkwN@F+^-HYfeZJ{i zHEWYk0Tov?H8W>9QEFydN-sq(D=R`tIY?-COkzeuY&B4FR%2K;a%@ajV^K6lQgaG5 zVRJN0dRb02H)>HcIXGrPRB={hIdw!xOLuciYk7E3c|&nRQ!i&wIcJkk0Tq9FSW0m* za!5x_PIgi;ZbULRGiPaXFKA?Hc5G)b7dfR3RHS&d3R1$ zMruKEO;Rv&dSOaMQ&2Kdb}@f)Hc3}RK~-*8aCb9od2?_|XnJFLPjD}EQA>F_Q%`Jl zMRQg%Qh5qFST8XzIATpxK}0iiLU>1Hcx6RwYejZZMJqQ&PcS$+Q3@?BEg(-ZdQ>oK zR%UEXZ+1d%VRvp~Z%I~qbwfyYZF6sNR!nYaG;(!vH84##FbXJwniGFQVw^7)+=IJ< z{q2MQ>*V}s!C6VqbVCJ7MS6=!zH{AlE#{MJQMY@&;kWt9puibm)x>utJc(b97*>|O zBJ#oHUlE6AI?eU?_F6cK4l^0Ju;Vr<*;}CWc%JEavv)t61NQ%li}@8Z)@qor*JPl| zr0fo7@(5n_D#A;iJxt zImd~bB>+YpL!b3CBP)io28%WGrXwl76q)E#voK%|{5a%kvN|pdxyl!VmoHh&qYqGJ=vr%wL=a$%>8g#rpdu%;2`duN795Rw;DF^c dSAfZA0I@w%ToFK-AF-^RDvhtUh(T2-nFP^wNgx0K delta 772 zcmV+f1N;1k2e}52Ab)UWPB=_tWIT(P*rR-a&u5oIATmkbu(~gb4^)t zZ7^e2MG9~^R8mSvH9~7yK}<_mVRUF^XG=*|FmGr{Vo5MjS~fN?RybjIb4E{Ta|$g! zAaH4REpRe5HXvA3QEOE}AVDitYED#jab;vfS4dcBMqzDlO+<8SMr}`2ICxcAHdQY$ zSU5#-LPuI*SY`@GIY>rFb~0LPOIUe0c5Gy5K{i%dRd!W4S$A_eWLI`^bSpVlQZsr< za&wbU0TowtNOx#LFK|OvOKVp#ZaHvgV?j@AV@^*&WqNQ~L}y`VD^o8{LUBemF?9-8 zLsm0#T5DKjSaD`|N^@dULpgd)FM3vCGgMV`bZ0_BV?jr4M>kbtV@;D!0Tq8RF>fnQ zOH^!5c4~QYVQEJ(Mp0!-GE*y4IAd*MMsqS$bT2|Sd01mva$yQ*Mpa~GWjS*(FEKGO zD@JcfQ7d|LM|W#kbwy2Bc0+S&aA!|>V>3olMrR5wJ|J~L3EiHc_V|h+?N=;-%c`XXlpO0ohKsXviO^u+vL8V_xRdi6Cn6{MX6h+3D2so|^z(NkH@Ln; zMOxGi>dg+y-WZ=Ml4F8VzlI&ig7d*17RUMMz>_ok_B&sJQ1}Lo(|Q+*4*4@2E~t7P zZY5gGkTMMc^w4fi@i9t7WiF=D;sJX#_Rftre71?ZM|N0QDR}NTQk&m6pOcz1Q2kJe z=5phgE@Q15qZwu$(vet0MnDkCLrGK6!v%~=epT0-hT0+A_{H>{B)LeJ;Y|h-+*wbu zm8eWm+_C;FbcgDol}iB(7VJmLW}o%Fsog`88qGPno0{3U8AA<(?!sw8Hq9!Vnrdd^ CRxXAB 
diff --git a/modules/config/impermanence/default.nix b/modules/config/impermanence/default.nix
index 9ac0150..e8eae05 100644
--- a/modules/config/impermanence/default.nix
+++ b/modules/config/impermanence/default.nix
@@ -9,6 +9,12 @@ in {
 # to allow all users to access hm managed persistent folders
 programs.fuse.userAllowOther = true;
+ services.openssh.hostKeys = lib.mkForce [
+ {
+ path = "/state/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
 environment.persistence."/state" = {
 hideMounts = true;
diff --git a/modules/config/ssh.nix b/modules/config/ssh.nix
index 7d2b1e7..7704258 100644
--- a/modules/config/ssh.nix
+++ b/modules/config/ssh.nix
@@ -1,4 +1,4 @@
-{
+{lib, ...}: {
 # Enable the OpenSSH daemon.
 services.openssh = {
 enable = true;
@@ -7,6 +7,7 @@
 KbdInteractiveAuthentication = false;
 PermitRootLogin = "yes";
 };
+ startWhenNeeded = lib.mkForce false;
 hostKeys = [
 {
 # never set this to an actual nix type path
diff --git a/modules/services/containers.nix b/modules/services/containers.nix
index 19a541f..cffabbb 100644
--- a/modules/services/containers.nix
+++ b/modules/services/containers.nix
@@ -104,7 +104,7 @@ in {
 unitConfig.DefaultDependencies = "no";
 serviceConfig.Type = "oneshot";
 script = ''
- chmod 700 ${escapeShellArg cfg.zfs.mountpoint}
+ chmod 755 ${escapeShellArg cfg.zfs.mountpoint}
 '';
 };
diff --git a/users/root/default.nix b/users/root/default.nix
index 08296cd..66e3602 100644
--- a/users/root/default.nix
+++ b/users/root/default.nix
@@ -1,6 +1,8 @@
 {
 pkgs,
 config,
+ lib,
+ minimal,
 ...
 }: {
 users.users.root = {
@@ -14,7 +16,7 @@
 ];
 hashedPassword = config.secrets.secrets.global.users.root.passwordHash;
 };
- home-manager.users.root.imports = [
+ home-manager.users.root.imports = lib.lists.optionals (!minimal) [
 ../common
 ];
 }
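Review bot: `services.openssh.hostKeys` is set here with `lib.mkForce` while modules/config/ssh.nix, touched in the same patch, still carries its own `hostKeys = [ { ... } ]` definition, so the ssh.nix entry becomes dead configuration that the next reader will take for the effective one. Either remove the ssh.nix definition or add a comment on the new lines explaining the override, e.g. `# impermanence: the host key must live on the persisted /state volume, so this overrides the path in ../ssh.nix`. `lib` is referenced by the new lines but the module's argument list lies before the hunk, so I cannot confirm it is in scope here. Since the key is placed directly under /state rather than through a persistence bind mount, it is worth confirming that /state/etc/ssh ends up root-owned and not group- or world-writable; sshd's pre-start presumably creates it, but that is not visible in this hunk.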
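Review bot: `startWhenNeeded = lib.mkForce false;` gives no hint which module sets it to true, and since the NixOS default is already false a plain assignment would otherwise suffice; a forced value with no stated reason hides a real priority conflict from the next maintainer. Record the conflict inline, e.g. `# mkForce: <other module> enables socket activation; sshd must stay resident here because <reason>`, with the placeholders filled in. The first hunk only adds `{lib, ...}:` to bring `lib` into scope and needs no separate comment.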
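Review bot: `chmod 755` widens the container ZFS mountpoint from owner-only to world-readable and world-traversable, with no comment on who needs that access, and it runs unconditionally every time this oneshot unit fires. If a particular service or container user needs to traverse the mountpoint, `chmod 750` together with a group ownership on the same line (`chown root:<group>`) scopes the access to that consumer, and the consumer should be named in a comment, e.g. `# 755: <consumer> must traverse the mountpoint to reach its own dataset`. The enclosing systemd service definition starts before the hunk, so I cannot see what `cfg.zfs.mountpoint` resolves to or whether the child datasets are permissioned separately.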
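Review bot: In minimal mode `home-manager.users.root.imports` becomes an empty list rather than the root entry being absent, so home-manager presumably still evaluates and activates an empty profile for root. If the intent is to skip home-manager for root entirely, guard the attribute instead, `home-manager.users = lib.mkIf (!minimal) { root.imports = [ ../common ]; };`, which the module system should push down per attribute; if the empty profile is deliberate, a one-line comment saying so would keep the next reader from "fixing" it. The `minimal` argument added in the first hunk has the same missing-default concern I raised on hosts/testienix/default.nix.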