more ref

srid · Feb 24, 2024 · c692bdd · c692bdd
1 parent 713c335
commit c692bdd
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 55 deletions.
diff --git a/flake.nix b/flake.nix
@@ -74,21 +74,9 @@
       flake = {
         # Configurations for Linux (NixOS) systems
         nixosConfigurations = {
-          here = self.nixos-flake.lib.mkLinuxSystem {
-            imports = [
-              self.nixosModules.common # Defined in nixos/default.nix
-              inputs.sops-nix.nixosModules.sops
-              ./systems/here.nix
-              ./nixos/server/harden
-            ];
-            sops.defaultSopsFile = ./secrets.json;
-            sops.defaultSopsFormat = "json";
-            services.tailscale.enable = true;
-          };
-
           linux-builder = self.nixos-flake.lib.mkLinuxSystem {
             imports = [
-              ./nixos/ssh-authorize.nix
+              ./nixos/self/primary-as-admin.nix
               ./nixos/server/harden/basics.nix
               ./systems/linux-builder.nix
               ({ flake, ... }: {

diff --git a/nixos/default.nix b/nixos/default.nix
@@ -8,7 +8,7 @@
       common.imports = [
         ./nix.nix
         ./caches
-        ./ssh-authorize.nix
+        ./self/primary-as-admin.nix
       ];
 
       my-home = {
@@ -24,7 +24,7 @@
         self.nixosModules.home-manager
         self.nixosModules.my-home
         self.nixosModules.common
-        ./self-ide.nix
+        ./self/self-ide.nix
         ./current-location.nix
       ];
     };

diff --git a/nixos/ssh-authorize.nix → nixos/self/primary-as-admin.nix b/nixos/ssh-authorize.nix → nixos/self/primary-as-admin.nix
@@ -1,7 +1,8 @@
+# Make flake.config.peope.myself the admin of the machine
 { flake, pkgs, lib, ... }:
 
 {
-  # Let me login
+  # Login via SSH with mmy SSH key
   users.users =
     let
       people = flake.config.people;
@@ -13,6 +14,13 @@
         openssh.authorizedKeys.keys = myKeys;
       } // lib.optionalAttrs pkgs.stdenv.isLinux {
         isNormalUser = true;
+        extraGroups = [ "wheel" ];
       };
     };
+
+  # Make me a sudoer without password
+  security = lib.optionalAttrs pkgs.stdenv.isLinux {
+    sudo.execWheelOnly = true;
+    sudo.wheelNeedsPassword = false;
+  };
 }
diff --git a/nixos/self-ide.nix → nixos/self/self-ide.nix b/nixos/self-ide.nix → nixos/self/self-ide.nix
diff --git a/nixos/server/harden/basics.nix b/nixos/server/harden/basics.nix
@@ -1,4 +1,4 @@
-{ flake, ... }: {
+{
 
   # Firewall
   networking.firewall.enable = true;
@@ -7,16 +7,9 @@
   security.auditd.enable = true;
   security.audit.enable = true;
 
-  # Make me a sudoer without password
-  security.sudo.execWheelOnly = true;
-  security.sudo.wheelNeedsPassword = false;
-  users.users.${flake.config.people.myself} = {
-    extraGroups = [ "wheel" ];
-  };
-
   # Standard openssh protections
   #
-  # Which goes with the password-less sudo above for the ssh-authorized user.
+  # See primary-as-admin.nix to setup passwordless setup.
   services = {
     openssh = {
       enable = true;

diff --git a/systems/here.nix b/systems/here.nix