From e2fab02d405a20b2e32d4280c6432ae1454ef994 Mon Sep 17 00:00:00 2001
From: Evan Reichard <evan@reichard.io>
Date: Fri, 4 Apr 2025 22:52:46 -0400
Subject: [PATCH] bah

---
 bootstrap.sh                                  | 11 ++++---
 .../evanreichard@mbp-nixos/default.nix        | 33 +++++++++++--------
 modules/nixos/nix/default.nix                 |  4 +--
 modules/nixos/security/sops/default.nix       |  6 ++--
 modules/nixos/services/openssh/default.nix    |  2 +-
 secrets/default.yaml                          |  7 ++--
 systems/aarch64-linux/mbp-nixos/default.nix   |  4 +--
 .../x86_64-linux/nixos-builder/default.nix    | 32 ++++++++++++++++--
 8 files changed, 66 insertions(+), 33 deletions(-)

diff --git a/bootstrap.sh b/bootstrap.sh
index 7732f64..95b020f 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+export NIX_CONFIG="experimental-features = nix-command flakes"
+
 function cmd_image() {
     local usage="Usage: $0 image --name <image-name>"
     local name=""
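Review bot: The new `export NIX_CONFIG=…` at line 24 overwrites any value the caller already has in `NIX_CONFIG` instead of adding to it, so settings a user passes through that variable are silently dropped for the rest of the script. Appending with a newline separator keeps them: `nl=$(printf '\nx'); nl=${nl%x}` and then `export NIX_CONFIG="experimental-features = nix-command flakes${NIX_CONFIG:+$nl$NIX_CONFIG}"`. A one-line comment above the export, e.g. `# replaces the per-command --experimental-features flags`, would also explain why the flags disappear in the later hunks.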
@@ -29,14 +31,13 @@ function cmd_image() {
 
     # Validate Config Exists
     if ! nix eval --json --impure \
-        --experimental-features "nix-command flakes" \
-        ".#packages.x86_64-linux" \
+        ".#vmwareConfigurations" \
         --apply "s: builtins.hasAttr \"$name\" s" 2>/dev/null | grep -q "true"; then
         echo "Error: NixOS Generator Config '$name' not found"
         exit 1
     fi
 
-    build_args=(".#packages.x86_64-linux.$name")
+    build_args=(".#vmwareConfigurations.$name")
     if [ "$remote" = true ]; then
         build_args+=("-j0")
     fi
@@ -73,16 +74,16 @@ function cmd_install() {
 
     # Validate Config Exists
     if ! nix eval --json --impure \
-        --experimental-features "nix-command flakes" \
         ".#nixosConfigurations" \
         --apply "s: builtins.hasAttr \"$name\" s" 2>/dev/null | grep -q "true"; then
         echo "Error: NixOS configuration '$name' not found"
         exit 1
     fi
 
+    #$ TODO
+    #
     # Validate mainDiskID Exists
     if ! disk_id=$(nix eval --raw --impure \
-	--experimental-features "nix-command flakes" \
 	".#nixosConfigurations.$name.config.mainDiskID" 2>/dev/null); then
         echo "Error: mainDiskID not defined for configuration '$name'"
         exit 1
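Review bot: The `#$ TODO` added at line 57 is a content-free marker, and `#$` looks like a typo for `#`; either say what is pending, e.g. `# TODO: <what remains> before the mainDiskID check`, or drop lines 57-58. The removal of `--experimental-features` here now depends on the `NIX_CONFIG` export at the top of the file, which is fine as long as this script is always run rather than having individual functions copied elsewhere. `cmd_install` continues past the end of this hunk.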
diff --git a/homes/aarch64-linux/evanreichard@mbp-nixos/default.nix b/homes/aarch64-linux/evanreichard@mbp-nixos/default.nix
index b8eb2e4..47236fd 100755
--- a/homes/aarch64-linux/evanreichard@mbp-nixos/default.nix
+++ b/homes/aarch64-linux/evanreichard@mbp-nixos/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, namespace, ... }:
+{ lib, config, namespace, osConfig, ... }:
 let
   inherit (lib.${namespace}) enabled;
 in
@@ -13,7 +13,7 @@ in
       ssh-agent = enabled;
       sops = {
         enable = true;
-        defaultSopsFile = lib.snowfall.fs.get-file "secrets/mbp-nixos/default.yaml";
+        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
         sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
       };
     };
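Review bot: `defaultSopsFile` now points the user-level sops module at the shared `secrets/default.yaml` (line 80), which this home decrypts with `~/.ssh/id_ed25519` (line 81); that works only if that user key is already among the age recipients of the shared file, and the recipient block in the `secrets/default.yaml` hunk of this patch is unchanged context, so it is worth confirming before activation rather than after. A short comment on line 80 such as `# shared file; this user's ed25519 key must be an age recipient` would make the dependency visible.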
@@ -39,18 +39,25 @@ in
     };
   };
 
+  # Kubernetes Secrets
+  sops.secrets = lib.mkIf osConfig.${namespace}.security.sops.enable {
+    rke2_kubeconfig = {
+      path = "${config.home.homeDirectory}/.kube/rke2";
+    };
+  };
+
   # Global Packages
-  programs.jq = enabled;
-  programs.pandoc = enabled;
-  home.packages = with pkgs; [
-    android-tools
-    imagemagick
-    mosh
-    python311
-    texliveSmall # Pandoc PDF Dep
-    google-cloud-sdk
-    tldr
-  ];
+  # programs.jq = enabled;
+  # programs.pandoc = enabled;
+  # home.packages = with pkgs; [
+  #   android-tools
+  #   imagemagick
+  #   mosh
+  #   python311
+  #   texliveSmall # Pandoc PDF Dep
+  #   google-cloud-sdk
+  #   tldr
+  # ];
 
   # SQLite Configuration
   home.file.".sqliterc".text = ''
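Review bot: `osConfig` (used at line 89, declared in the first hunk at line 71) is only injected when home-manager runs as a NixOS or darwin module; evaluating this home standalone would fail with a missing-argument error. If standalone use is possible, default the argument and guard the condition: `{ lib, config, namespace, osConfig ? null, ... }:` and `sops.secrets = lib.mkIf (osConfig != null && osConfig.${namespace}.security.sops.enable) {`. Separately, lines 107-117 keep the old package list as commented-out code; git history already preserves it, so deleting the lines leaves the file easier to read.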
diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix
index 8e5d92f..87af8bb 100644
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -26,10 +26,10 @@ in
         buildMachines = lib.optional (host != "nixos-builder") {
           hostName = "10.0.50.130";
           systems = [ "x86_64-linux" ];
-          sshUser = "root";
+          sshUser = "evanreichard";
           speedFactor = 1;
           protocol = "ssh";
-          sshKey = config.sops.secrets.reichard_ssh_key.path;
+          sshKey = config.sops.secrets.builder_ssh_key.path;
           supportedFeatures = [
             "benchmark"
             "big-parallel"
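Review bot: Switching `sshUser` to `evanreichard` (line 130) drops root for the remote-build SSH session, but as far as I recall a Nix remote builder only accepts unsigned store paths from a user listed in its `nix.settings.trusted-users`, otherwise copying build inputs fails with an error that the path lacks a signature by a trusted key; nothing in the `nixos-builder` hunks of this patch adds that user, so confirm it is set elsewhere or add `nix.settings.trusted-users = [ "evanreichard" ];` on the builder. A comment next to `sshKey` such as `# private half of the "NixOS Builder" key authorized on the builder` would also make the direction of this key clear, since the name alone does not.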
diff --git a/modules/nixos/security/sops/default.nix b/modules/nixos/security/sops/default.nix
index d7d1885..7efad11 100644
--- a/modules/nixos/security/sops/default.nix
+++ b/modules/nixos/security/sops/default.nix
@@ -24,10 +24,8 @@ in
       };
     };
 
-    sops.secrets = {
-      "reichard_ssh_key" = {
-        sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
-      };
+    sops.secrets.builder_ssh_key = {
+      sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
     };
   };
 }
diff --git a/modules/nixos/services/openssh/default.nix b/modules/nixos/services/openssh/default.nix
index b46bbb6..3c22359 100644
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@@ -11,7 +11,7 @@ let
 
   authorizedKeys = [
     # MBP-Personal NixOS
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
   ];
 in
 {
diff --git a/secrets/default.yaml b/secrets/default.yaml
index 6504171..f7ca193 100644
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@@ -1,4 +1,5 @@
-reichard_ssh_key: ENC[AES256_GCM,data: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,iv:wziTYwyTQXKRFrUP4HohZtXnp7sk+vLbJiQd0PLKg1o=,tag:irpzHqh3kocNGKQIeo+kRA==,type:str]
+builder_ssh_key: ENC[AES256_GCM,data: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,iv:emhMHi7Htuy7quNbKPNb/TdqkuDeHbYym1ubEeDOfls=,tag:pJGBVr69QbT1FerG153gUA==,type:str]
+rke2_kubeconfig: ENC[AES256_GCM,data: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,iv:zfbeDFKb3hHQFi9wEuDj8XRqTLhc+2AnJU1roGJVZkU=,tag:mwNz9UCO6lCDK5hMWNLfNw==,type:str]
 sops:
     kms: []
     gcp_kms: []
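Review bot: Renaming `reichard_ssh_key` to `builder_ssh_key` re-encrypts the entry (new iv and tag), but with the ciphertext elided here it is not visible whether the private key material was actually rotated; the builder's authorized public key is replaced in the `nixos-builder` hunk, so if a fresh keypair was intended, confirm the old private key is not simply carried over under the new name. The new `rke2_kubeconfig` entry lands in the shared file, so every age recipient of `secrets/default.yaml` can decrypt cluster credentials, not only the home that mounts them; a per-host secrets file, which this patch already starts using for the other systems, would limit that exposure.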
@@ -14,8 +15,8 @@ sops:
             SC91WFNocEN2K1NFK2dBUHYwZTQrVFkKKb3AlaRX96vJwEmxNNAThTlO9ZwtD1tv
             c6aBELEbmJFdHOcIJITzmS3YOssDOgTL2TbcSFu8mdAQYsRvxC96HA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-30T15:06:18Z"
-    mac: ENC[AES256_GCM,data:ZqN6MbVcPst/zvr4KNl5AygtC8Icb1BELHg5o6rDOOb6qmB2d75Vk59ve8EiBosMhPdYAXaTCViRLxeWoG3WzEWK0bYAUBI27UBgYqaUTLXTDhohihtAwwWD37S2wFslHWddl5PngbTho8n+uMwyaeBdj53h4GbvQPC2Ji95D5A=,iv:boTLI3IXdQoBfPEqkay9jkm85AFahcNOmBBPwWbJaEw=,tag:Hic4+9Uuh8I2KokfdsZIsg==,type:str]
+    lastmodified: "2025-04-05T02:29:22Z"
+    mac: ENC[AES256_GCM,data:2rI+pEYmQIPmtcnDTuyroAbfIvLIZKvsyAMEbQM2y9xYXhLyK8Vt7IzmdHy//hQRBSWdBV7/HfCMWJcg9i1B/P9fXrKx+OxaIb654SkthWhkORq32Sr1Gee3Yj195MffIUrEZ4rVauCeprzdEXqN6oTVXjHvnqV2/VXuTkkbztE=,iv:gCgo+8uLH6H9R3OQvzf2K9SgXb3tXG7Lvu6lxL0P2xo=,tag:ev+vMOn6UAfKexfyUnMP5Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4
diff --git a/systems/aarch64-linux/mbp-nixos/default.nix b/systems/aarch64-linux/mbp-nixos/default.nix
index 642dda6..78251c4 100755
--- a/systems/aarch64-linux/mbp-nixos/default.nix
+++ b/systems/aarch64-linux/mbp-nixos/default.nix
@@ -34,8 +34,8 @@ in
     security = {
       sops = {
         enable = true;
-        sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+        # sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+        defaultSopsFile = lib.snowfall.fs.get-file "secrets/lin-mbp-personal/default.yaml";
       };
     };
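Review bot: `defaultSopsFile` now resolves `secrets/lin-mbp-personal/default.yaml` (line 201), which is not among the files in this patch (see the diffstat), so unless it already exists in the repository `lib.snowfall.fs.get-file` points at a missing file and sops activation fails; the same applies to `secrets/nixos-builder/default.yaml` in the `nixos-builder` hunk. `sshKeyPaths` is commented out rather than removed (line 200): if the intent is to rely on the module's default decryption key, delete the line and say so, e.g. `# decryption key comes from the module default`, otherwise restore it, since a commented-out setting does not tell the reader which key this host is expected to decrypt with.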
 
diff --git a/systems/x86_64-linux/nixos-builder/default.nix b/systems/x86_64-linux/nixos-builder/default.nix
index afb3140..595798a 100755
--- a/systems/x86_64-linux/nixos-builder/default.nix
+++ b/systems/x86_64-linux/nixos-builder/default.nix
@@ -1,6 +1,8 @@
-{ namespace, pkgs, lib, ... }:
+{ namespace, config, pkgs, lib, ... }:
 let
   inherit (lib.${namespace}) enabled;
+
+  cfg = config.${namespace}.user;
 in
 {
   reichard = {
@@ -16,17 +18,38 @@ in
       networking = enabled; # TODO - Network Config
     };
 
+    security = {
+      sops = {
+        enable = true;
+        sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+        defaultSopsFile = lib.snowfall.fs.get-file "secrets/nixos-builder/default.yaml";
+      };
+    };
+
     services = {
       openssh = {
         enable = true;
         authorizedKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr evan@reichard"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGGGpRpDQRstoqnCAQioSnh6PZRzNQL7lGJHksIkcoF builder"
+          # MBP-Personal NixOS
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+          # NixOS Builder
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDF8QjeN8lpT+Mc70zwEJQqN9W/GKvTOTd32VgfNhVdN"
         ];
       };
     };
   };
 
+  users.users.${cfg.name} = {
+    openssh = {
+      authorizedKeys.keys = [
+        # MBP-Personal NixOS
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+        # NixOS Builder
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDF8QjeN8lpT+Mc70zwEJQqN9W/GKvTOTd32VgfNhVdN"
+      ];
+    };
+  };
+
   networking = {
     defaultGateway = {
       address = "10.0.50.254";
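Review bot: The same two authorized keys are written out twice (lines 237-240 and 249-252), once for the `reichard.services.openssh` module and once for `users.users.${cfg.name}`, so the next rotation has to touch both and can silently diverge. Hoist them into the `let` block of the first hunk as one list, e.g. `hostAuthorizedKeys = [ … ];`, and reference it from both places: `authorizedKeys = hostAuthorizedKeys;` and `authorizedKeys.keys = hostAuthorizedKeys;`. It is also worth a comment on which account the module-level list applies to; if it is already the same user, the second block is redundant — confirm against the openssh module.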
@@ -44,4 +67,7 @@ in
     tmux
     vim
   ];
+
+  time.timeZone = "America/New_York";
+  system.stateVersion = "24.11";
 }