refactor nixos

nixos/common/global/age.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+let
+  hostname = config.networking.hostName;
+in
+{
+  environment.systemPackages = with pkgs; [
+    agenix-rekey
+  ];
+
+  age = {
+    # Master identity used for decryption
+    rekey.masterIdentities = [ ../users/sajenim/agenix-rekey.pub ];
+    # Pubkey for rekeying
+    rekey.hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub;
+    # As user not a trusted-users in our nix.conf
+    # we must add age.rekey.cacheDir as a global extra sandbox path
+    rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
+  };
+
+  # Required to persist `/var/tmp/agenix-rekey`
+  environment.persistence."/persist".directories = [
+    { directory = "/var/tmp/agenix-rekey"; mode = "1777"; }
+  ];
+}

nixos/common/global/default.nix

@@ -1,14 +1,21 @@
-{ outputs, ... }:
+{ inputs, outputs, ... }:
 
 {
   imports = [
+    inputs.home-manager.nixosModules.home-manager
+    inputs.agenix.nixosModules.default
+    inputs.agenix-rekey.nixosModules.default
+    ./age.nix
+    ./env.nix
     ./nix.nix
     ./ssh.nix
-    ./system-tools.nix
   ];
 
   nixpkgs = {
     overlays = [
+      # Overlays exported from other flakes
+      inputs.agenix-rekey.overlays.default
+      # Overlays our own flake exports
       outputs.overlays.additions
       outputs.overlays.modifications
       outputs.overlays.unstable-packages

nixos/common/global/env.nix

@@ -2,6 +2,8 @@
 
 {
   environment = {
+    binsh = "${pkgs.bash}/bin/bash";
+    shells = with pkgs; [ zsh ];
     systemPackages = with pkgs; [
       # Ensure home-manager is on all systems
       home-manager
@@ -25,5 +27,6 @@
       unrar   # extract roshal archive
       unzip   # extract zip archive
     ];
+    pathsToLink = [ "/share/zsh" ];
   };
 }

nixos/common/global/ssh.nix

@@ -7,7 +7,6 @@
       PermitRootLogin = "no";
       PasswordAuthentication = false;
     };
-    ports = [ 48654 ];
     openFirewall = true;
   };
 }

nixos/common/optional/key.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    # Configure your YubiKey via the command line
+    yubikey-manager
+    # Enables files to be encrypted to age identities stored on YubiKeys
+    age-plugin-yubikey
+  ];
+
+  # GPG and SSH support
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # Use our yubikey as a user login or for sudo access 
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+}

nixos/common/optional/persist.nix

@@ -1,6 +1,10 @@
-{ ... }:
+{ inputs, ... }:
 
 {
+  imports = [
+    inputs.impermanence.nixosModules.impermanence
+  ];
+
   # Files and directories we with to keep between reboots
   environment.persistence."/persist" = {
     hideMounts = true;
@@ -19,4 +23,5 @@
       "/etc/ssh/ssh_host_ed25519_key.pub"
     ];
   };
+  programs.fuse.userAllowOther = true;
 }

nixos/common/optional/wireguard/default.nix

@@ -0,0 +1,44 @@
+{ pkgs, config, ... }:
+
+{
+  age.secrets.wireguard = {
+    rekeyFile = ./private.age;
+    owner = "root";
+    group = "root";
+  };
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "wlp2s0";
+      internalInterfaces = [ "wg0" ];
+    };
+    wireguard.interfaces = {
+      wg0 = {
+        # IP address and subnet of the server's end of the tunnel interface
+        ips = [ "10.100.0.1/24" ];
+        listenPort = 51820;
+        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE
+       '';
+        # This undoes the above command
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE
+        '';
+        # Path to the private key file.
+        privateKeyFile = config.age.secrets.wireguard.path;
+        peers = [
+          { # Pixel 6 Pro
+            publicKey = "VaXMnFAXdbJCllNY5sIjPp9AcSM7ap2oA0tU9SIMK3E=";
+            allowedIPs = [ "10.100.0.2/32" ];
+          }
+          { # Samsung S23 Ultra
+            publicKey = "dL91i7+VDWfeLCOr53JlzQ32WJ3lRJGqdecoqUpEnlQ=";
+            allowedIPs = [ "10.100.0.3/32" ];
+          }
+        ];
+      };
+    };
+  };
+}

nixos/common/optional/wireguard/private.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> piv-p256 hdSnGw A/NcMAzxWqwfIj8WgcgfTBJvEnL5WgdKHwUnYfXN68pi
+P6/BFTnqTakpTcVNayWomuXrE8E8dSHftODD+3E8aps
+-> ]@Y:GoO$-grease 6
+v+HE7AkcnlS/pBdhL19CdYHTJGL7EZrvPfRs8j54LnxzJ9hjaBtydX4N/sIo6mjI
+444BncysktRop1LB7A
+--- 0sHzYGeQ0FGC5gJFdFNs5PZfVuR5cleMoPz7ry29fXU
+qZçöóQ3Â’DF;žõ±þCÊ6%Æ
«âspïgSRmP¾4»Œ8]:ÌMZåPƒ»G>òd«Å—g?ß(¢Œ93öM¯7÷,

nixos/common/users/sajenim/agenix-rekey.pub

@@ -0,0 +1 @@
+AGE-PLUGIN-YUBIKEY-1S6XLYQYZSH22WXCHDCFRJ

nixos/common/users/sajenim/default.nix

@@ -1,16 +1,12 @@
-{ inputs, outputs, pkgs, ... }:
+{ inputs, outputs, pkgs, config, ... }:
 
 {
-  imports = [
-    "${inputs.self}/nixos/common/optional/steam.nix"
-  ];
-
   users.users.sajenim = {
       isNormalUser = true;
       extraGroups = [ "audio" "docker" "networkmanager" "wheel" ];
       shell = pkgs.zsh;
       openssh.authorizedKeys.keyFiles = [
-        "${inputs.self}/home-manager/sabrina/id_ed25519.pub"
+        "${inputs.self}/home-manager/sajenim/sajenim_sk.pub"
       ];
       hashedPassword = "$y$j9T$qIhW5qL9J9w.w6JWa.bGo/$oddG3HJyOZ1mwHzYnYPJ/MzN38oHEBEvPDc0sB3rAf9";
   };
@@ -19,7 +15,7 @@
   home-manager = {
     extraSpecialArgs = { inherit inputs outputs; };
     users = {
-      sajenim = import "${inputs.self}/home-manager/sajenim/home.nix";
+      sajenim = import "${inputs.self}/home-manager/sajenim/${config.networking.hostName}.nix";
     };
   };
 }