chn/nixos
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixos.git synced 2024-10-23 04:38:44 +08:00
Code Issues Packages Projects Releases Wiki Activity

user.chn: fix

Browse Source
This commit is contained in:
陈浩南 2024-05-30 15:38:19 +08:00
parent d77fd05405
commit a0735f00e4
2 changed files with 77 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
modules/system/impermanence.nix
View File

@ -44,14 +44,7 @@ inputs:
{ directory = "/var/lib/docker"; mode = "0710"; }
"/var/lib/flatpak"
];
}
// (if builtins.elem "chn" inputs.config.nixos.user.users then
{
users.chn =
{
directories = [ ".cache" ".config/fontconfig" ];
};
} else {});
};
"${impermanence.nodatacow}" =
{
hideMounts = true;

154
modules/user/chn/default.nix
View File

@ -1,91 +1,89 @@
inputs:
{
imports = inputs.localLib.findModules ./.;
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) user;
inherit (builtins) listToAttrs;
in mkIf (builtins.elem "chn" user.users)
config = let inherit (inputs.config.nixos) user; in inputs.lib.mkIf (builtins.elem "chn" user.users)
{
users.users.chn =
{
users.users.chn =
extraGroups = inputs.lib.intersectLists
[ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" ]
(builtins.attrNames inputs.config.users.groups);
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$xJwVBoGENJEDSesJ0LfkU1$VEExaw7UZtFyB4VY1yirJvl7qS7oiF49KbEBrV0.hhC";
openssh.authorizedKeys.keys = [(builtins.readFile ./id_ed25519_sk.pub)];
};
home-manager.users.chn =
{
config =
{
extraGroups = inputs.lib.intersectLists
[ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" ]
(builtins.attrNames inputs.config.users.groups);
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$xJwVBoGENJEDSesJ0LfkU1$VEExaw7UZtFyB4VY1yirJvl7qS7oiF49KbEBrV0.hhC";
openssh.authorizedKeys.keys = [(builtins.readFile ./id_ed25519_sk.pub)];
};
home-manager.users.chn =
{
config =
programs =
{
programs =
git = { userName = "chn"; userEmail = "chn@chn.moe"; };
ssh =
{
git = { userName = "chn"; userEmail = "chn@chn.moe"; };
ssh =
matchBlocks =
{
matchBlocks =
{
# identityFile = "~/.ssh/xmuhk_id_rsa";
xmuhk = { host = "xmuhk"; hostname = "10.26.14.56"; user = "xmuhk"; };
xmuhk2 = { host = "xmuhk2"; hostname = "183.233.219.132"; user = "xmuhk"; port = 62022; };
}
// (listToAttrs (map
(system: { name = system; value.forwardAgent = true; })
[
"vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "nas" "wireguard.nas" "pc"
"wireguard.surface" "xmupc1" "wireguard.xmupc1" "xmupc2" "wireguard.xmupc2"
]));
extraConfig =
inputs.lib.mkIf (builtins.elem inputs.config.nixos.system.networking.hostname [ "pc" "surface" ])
''
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_ed25519_sk
'';
};
# identityFile = "~/.ssh/xmuhk_id_rsa";
xmuhk = { host = "xmuhk"; hostname = "10.26.14.56"; user = "xmuhk"; };
xmuhk2 = { host = "xmuhk2"; hostname = "183.233.219.132"; user = "xmuhk"; port = 62022; };
}
// (builtins.listToAttrs (builtins.map
(system: { name = system; value.forwardAgent = true; })
[
"vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "nas" "wireguard.nas" "pc"
"wireguard.surface" "xmupc1" "wireguard.xmupc1" "xmupc2" "wireguard.xmupc2"
]));
extraConfig =
inputs.lib.mkIf (builtins.elem inputs.config.nixos.system.networking.hostname [ "pc" "surface" ])
''
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_ed25519_sk
'';
};
home =
{
file.groupshare.enable = false;
packages =
[
(
let
servers = builtins.filter
(system: system.value.enable)
(builtins.map
(system:
{
name = system.config.nixos.system.networking.hostname;
value = system.config.nixos.system.fileSystems.decrypt.manual;
})
(builtins.attrValues inputs.topInputs.self.nixosConfigurations));
cat = "${inputs.pkgs.coreutils}/bin/cat";
gpg = "${inputs.pkgs.gnupg}/bin/gpg";
ssh = "${inputs.pkgs.openssh}/bin/ssh";
in inputs.pkgs.writeShellScriptBin "remote-decrypt" (builtins.concatStringsSep "\n"
(
(builtins.map (system: builtins.concatStringsSep "\n"
[
"decrypt-${system.name}() {"
" key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
(builtins.concatStringsSep "\n" (builtins.map
(device: " echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
+ (if device.value.ssd then "--allow-discards " else "")
+ "${device.name} ${device.value.mapper} -")
(inputs.localLib.attrsToList system.value.devices)))
"}"
])
servers)
++ [ "decrypt-$1" ]
))
)
];
};
pam.yubico.authorizedYubiKeys.ids = [ "cccccbgrhnub" ];
};
home =
{
file.groupshare.enable = false;
packages =
[
(
let
servers = builtins.filter
(system: system.value.enable)
(builtins.map
(system:
{
name = system.config.nixos.system.networking.hostname;
value = system.config.nixos.system.fileSystems.decrypt.manual;
})
(builtins.attrValues inputs.topInputs.self.nixosConfigurations));
cat = "${inputs.pkgs.coreutils}/bin/cat";
gpg = "${inputs.pkgs.gnupg}/bin/gpg";
ssh = "${inputs.pkgs.openssh}/bin/ssh";
in inputs.pkgs.writeShellScriptBin "remote-decrypt" (builtins.concatStringsSep "\n"
(
(builtins.map (system: builtins.concatStringsSep "\n"
[
"decrypt-${system.name}() {"
" key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
(builtins.concatStringsSep "\n" (builtins.map
(device: " echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
+ (if device.value.ssd then "--allow-discards " else "")
+ "${device.name} ${device.value.mapper} -")
(inputs.localLib.attrsToList system.value.devices)))
"}"
])
servers)
++ [ "decrypt-$1" ]
))
)
];
};
pam.yubico.authorizedYubiKeys.ids = [ "cccccbgrhnub" ];
};
};
environment.persistence =
let inherit (inputs.config.nixos.system) impermanence; in inputs.lib.mkIf impermanence.enable
{ "${impermanence.root}".users.chn.directories = [ ".cache" ".config/fontconfig" ]; };
};
}