refactor nixos

nixos/common/global/age.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+let
+  hostname = config.networking.hostName;
+in
+{
+  environment.systemPackages = with pkgs; [
+    agenix-rekey
+  ];
+
+  age = {
+    # Master identity used for decryption
+    rekey.masterIdentities = [ ../users/sajenim/agenix-rekey.pub ];
+    # Pubkey for rekeying
+    rekey.hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub;
+    # As user not a trusted-users in our nix.conf
+    # we must add age.rekey.cacheDir as a global extra sandbox path
+    rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
+  };
+
+  # Required to persist `/var/tmp/agenix-rekey`
+  environment.persistence."/persist".directories = [
+    { directory = "/var/tmp/agenix-rekey"; mode = "1777"; }
+  ];
+}

nixos/common/global/default.nix

@@ -1,14 +1,21 @@
-{ outputs, ... }:
+{ inputs, outputs, ... }:
 
 {
   imports = [
+    inputs.home-manager.nixosModules.home-manager
+    inputs.agenix.nixosModules.default
+    inputs.agenix-rekey.nixosModules.default
+    ./age.nix
+    ./env.nix
     ./nix.nix
     ./ssh.nix
-    ./system-tools.nix
   ];
 
   nixpkgs = {
     overlays = [
+      # Overlays exported from other flakes
+      inputs.agenix-rekey.overlays.default
+      # Overlays our own flake exports
       outputs.overlays.additions
       outputs.overlays.modifications
       outputs.overlays.unstable-packages

nixos/common/global/env.nix

@@ -2,6 +2,8 @@
 
 {
   environment = {
+    binsh = "${pkgs.bash}/bin/bash";
+    shells = with pkgs; [ zsh ];
     systemPackages = with pkgs; [
       # Ensure home-manager is on all systems
       home-manager
@@ -25,5 +27,6 @@
       unrar   # extract roshal archive
       unzip   # extract zip archive
     ];
+    pathsToLink = [ "/share/zsh" ];
   };
 }

nixos/common/global/ssh.nix

@@ -7,7 +7,6 @@
       PermitRootLogin = "no";
       PasswordAuthentication = false;
     };
-    ports = [ 48654 ];
     openFirewall = true;
   };
 }