diff --git a/flake.nix b/flake.nix
index f32c5ce7..dd6bc3b6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,21 +74,9 @@
 flake = {
 # Configurations for Linux (NixOS) systems
 nixosConfigurations = {
- here = self.nixos-flake.lib.mkLinuxSystem {
- imports = [
- self.nixosModules.common # Defined in nixos/default.nix
- inputs.sops-nix.nixosModules.sops
- ./systems/here.nix
- ./nixos/server/harden
- ];
- sops.defaultSopsFile = ./secrets.json;
- sops.defaultSopsFormat = "json";
- services.tailscale.enable = true;
- };
-
 linux-builder = self.nixos-flake.lib.mkLinuxSystem {
 imports = [
- ./nixos/ssh-authorize.nix
+ ./nixos/self/primary-as-admin.nix
 ./nixos/server/harden/basics.nix
 ./systems/linux-builder.nix
 ({ flake, ... }: {
diff --git a/nixos/default.nix b/nixos/default.nix
index 1faae508..33d6f32b 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -8,7 +8,7 @@
 common.imports = [
 ./nix.nix
 ./caches
- ./ssh-authorize.nix
+ ./self/primary-as-admin.nix
 ];
 my-home = {
@@ -24,7 +24,7 @@
 self.nixosModules.home-manager
 self.nixosModules.my-home
 self.nixosModules.common
- ./self-ide.nix
+ ./self/self-ide.nix
 ./current-location.nix
 ];
 };
diff --git a/nixos/ssh-authorize.nix b/nixos/self/primary-as-admin.nix
similarity index 56%
rename from nixos/ssh-authorize.nix
rename to nixos/self/primary-as-admin.nix
index 721f0f03..6338745e 100644
--- a/nixos/ssh-authorize.nix
+++ b/nixos/self/primary-as-admin.nix
@@ -1,7 +1,8 @@
+# Make flake.config.peope.myself the admin of the machine
 { flake, pkgs, lib, ... }: {
- # Let me login
+ # Login via SSH with mmy SSH key
 users.users =
 let
 people = flake.config.people;
@@ -13,6 +14,13 @@
 openssh.authorizedKeys.keys = myKeys;
 } // lib.optionalAttrs pkgs.stdenv.isLinux {
 isNormalUser = true;
+ extraGroups = [ "wheel" ];
 };
 };
+
+ # Make me a sudoer without password
+ security = lib.optionalAttrs pkgs.stdenv.isLinux {
+ sudo.execWheelOnly = true;
+ sudo.wheelNeedsPassword = false;
+ };
 }
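Review bot: Dropping the `here` configuration removes the only uses visible in this hunk of `inputs.sops-nix` and of the `./nixos/server/harden` directory module, and nothing in the new side of flake.nix picks them up. If no other configuration references them, the `sops-nix` flake input is now dead weight that is still fetched and pinned in the lock file, and `nixos/server/harden/default.nix` is unreachable; that is worth checking and cleaning up in the same commit rather than leaving for later. The `linux-builder` import swap itself mirrors the change in nixos/default.nix and needs no separate action. The enclosing `nixosConfigurations` attribute set continues past the end of the hunk.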
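Review bot: Swapping `./ssh-authorize.nix` for `./self/primary-as-admin.nix` in `common.imports` widens the privileges granted by the `common` module, not just the module's path: per the rename hunk further down, the new module also adds the user to `wheel` and sets `security.sudo.wheelNeedsPassword = false`, whereas the old one only installed the SSH key. Before this commit that passwordless sudo came only from `nixos/server/harden/basics.nix`; after it, every Linux host importing `self.nixosModules.common` (the second hunk shows one such import list) gets it. If that is intended, say so on the import line, e.g. `./self/primary-as-admin.nix # SSH key login + wheel + passwordless sudo for every host using `common``; if not, keep key authorization and sudo in separate modules so `common` can import only the former.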
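Review bot: Both comment lines added in this hunk carry typos: `# Make flake.config.peope.myself the admin of the machine` should read `people`, and `# Login via SSH with mmy SSH key` should read `my`. Since this header is the first thing a reader sees when the module is pulled in from `common.imports`, it should also spell out what "admin" means here, because the second hunk of this file extends the module well beyond SSH login: `# Make flake.config.people.myself the admin of the machine: SSH key login, wheel membership and passwordless sudo (Linux only).` The `users.users` let-expression continues outside the hunk.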
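Review bot: The comment above the new `security` block only says what is configured, not what it implies: with `sudo.wheelNeedsPassword = false`, the authorized key installed by `users.users` above becomes the sole credential between a remote login and root, and this module is now imported by `common` without the openssh restrictions that used to sit next to these same settings in `nixos/server/harden/basics.nix`. A comment that records that coupling would help whoever imports the module next, e.g. `# Passwordless sudo for wheel: the SSH key above is then the only credential between remote login and root, so pair this module with nixos/server/harden/basics.nix on hosts reachable over the network.` `execWheelOnly = true` keeps sudo unusable for non-wheel accounts, which is the right companion setting and worth a word too.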
diff --git a/nixos/self-ide.nix b/nixos/self/self-ide.nix
similarity index 100%
rename from nixos/self-ide.nix
rename to nixos/self/self-ide.nix
diff --git a/nixos/server/harden/basics.nix b/nixos/server/harden/basics.nix
index 16d74220..a30edb78 100644
--- a/nixos/server/harden/basics.nix
+++ b/nixos/server/harden/basics.nix
@@ -1,4 +1,4 @@
-{ flake, ... }: {
+{
 # Firewall
 networking.firewall.enable = true;
@@ -7,16 +7,9 @@
 security.auditd.enable = true;
 security.audit.enable = true;
- # Make me a sudoer without password
- security.sudo.execWheelOnly = true;
- security.sudo.wheelNeedsPassword = false;
- users.users.${flake.config.people.myself} = {
- extraGroups = [ "wheel" ];
- };
-
 # Standard openssh protections
 #
- # Which goes with the password-less sudo above for the ssh-authorized user.
+ # See primary-as-admin.nix to setup passwordless setup.
 services = {
 openssh = {
 enable = true;
diff --git a/systems/here.nix b/systems/here.nix
deleted file mode 100644
index 9c032189..00000000
--- a/systems/here.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-# My Linux VM running on macOS
-{ flake, modulesPath, ... }: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- flake.inputs.disko.nixosModules.disko
- ];
- system.stateVersion = "23.11";
- services.openssh.enable = true;
- services.ntp.enable = true; # Accurate time in Parallels VM?
- boot = {
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
- };
- binfmt.emulatedSystems = [ "x86_64-linux" ]; # For cross-compiling
- swraid.mdadmConf = ''
- MAILADDR srid@srid.ca
- '';
- };
- nixpkgs.hostPlatform = "aarch64-linux";
-
- hardware.parallels.enable = true;
-
- networking = {
- hostName = "here";
- networkmanager.enable = true;
- };
- time.timeZone = "America/New_York";
- disko.devices = import ./disko/vm.nix;
-}
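Review bot: The replacement comment `# See primary-as-admin.nix to setup passwordless setup.` is garbled ("setup ... setup") and points at a bare filename that no longer sits next to this file, since the module now lives under nixos/self/. It should also keep the information the removed line carried, namely that these openssh restrictions were written to accompany the passwordless sudo that this file no longer provides: `# These restrictions were designed to accompany the passwordless sudo now granted by nixos/self/primary-as-admin.nix; import that module alongside this one on hosts that need an admin.` Note that after this hunk basics.nix creates no wheel user at all, so a host importing only basics.nix gets the hardening but no sudoer, which the comment should make visible. The `services.openssh` block continues past the end of the hunk.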