From a6c600303374c556530f888477aff17f92e09cd0 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Wed, 28 Aug 2024 05:44:22 +0800
Subject: [PATCH] nixos/servers: dont use home-manager

---
 home/applications/fish/default.nix | 23 ++++++++-
 home/applications/ssh/default.nix | 8 ++-
 home/default.nix | 71 ++++++++++++++------------
 {hosts/dust/home => home}/theme.nix | 0
 {hosts/dust/home => home}/xdg-mime.nix | 0
 hosts/dust/default.nix | 26 +++++++++-
 hosts/dust/home/default.nix | 32 ------------
 nixos/profiles/core/default.nix | 46 -----------------
 nixos/profiles/server/default.nix | 19 +++---
 nixos/profiles/sing-box/default.nix | 2 +-
 10 files changed, 102 insertions(+), 125 deletions(-)
 rename {hosts/dust/home => home}/theme.nix (100%)
 rename {hosts/dust/home => home}/xdg-mime.nix (100%)
 delete mode 100644 hosts/dust/home/default.nix

diff --git a/home/applications/fish/default.nix b/home/applications/fish/default.nix
index 0c95e11..2bcef89 100644
--- a/home/applications/fish/default.nix
+++ b/home/applications/fish/default.nix
@@ -1,10 +1,12 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
 programs.fish = {
 enable = true;
+
 interactiveShellInit = ''
 set fish_greeting
 '';
+
 plugins = [
 {
 name = "autopair";
@@ -19,5 +21,24 @@
 inherit (pkgs.fishPlugins.puffer) src;
 }
 ];
+
+ functions =
+ let
+ jq = lib.getExe pkgs.jq;
+ nix = lib.getExe pkgs.nix;
+ curl = lib.getExe pkgs.curl;
+ in
+ {
+ "pb" = ''
+ ${jq} -Rns '{text: inputs}' | \
+ ${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
+ ${jq} -r '. | "https://pb.ny4.dev\(.path)"'
+ '';
+
+ "getmnter" = ''
+ ${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
+ ${jq} '.[].github | "@" + .' -r
+ '';
+ };
 };
 }
diff --git a/home/applications/ssh/default.nix b/home/applications/ssh/default.nix
index 41b4d83..139811d 100644
--- a/home/applications/ssh/default.nix
+++ b/home/applications/ssh/default.nix
@@ -5,10 +5,14 @@
 matchBlocks =
 let
 inherit (config.home) homeDirectory;
+ serverConfig = {
+ identityFile = "${homeDirectory}/.ssh/id_github_signing";
+ user = "root";
+ };
 in
 {
- "blacksteel".identityFile = "${homeDirectory}/.ssh/id_github_signing";
- "tyo0.ny4.dev".identityFile = "${homeDirectory}/.ssh/id_github_signing";
+ "blacksteel" = serverConfig;
+ "tyo0.ny4.dev" = serverConfig;
 };
 };
 }
diff --git a/home/default.nix b/home/default.nix
index bb2e547..b557533 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -1,5 +1,4 @@
 {
- lib,
 pkgs,
 ...
 }:
@@ -10,46 +9,52 @@
 stateVersion = "23.05";
 };

- imports = [
- ./applications/atuin
- ./applications/bash
- ./applications/bat
- ./applications/eza
- ./applications/fish
- ./applications/git
- ./applications/gpg
- ./applications/neovim
- ./applications/ssh
- ./applications/starship
- ./applications/tealdeer
- ./applications/tmux
- ];
+ imports =
+ [
+ ./theme.nix
+ ./xdg-mime.nix
+ ]
+ ++ map (n: ./applications/${n}) [
+ "atuin"
+ "bash"
+ "bat"
+ "eza"
+ "fcitx5"
+ "firefox"
+ "fish"
+ "foot"
+ "git"
+ "go"
+ "gpg"
+ "mpv"
+ "nautilus"
+ "neovim"
+ "nix"
+ "ssh"
+ "starship"
+ "sway"
+ "tealdeer"
+ "thunderbird"
+ "tmux"
+ "ydict"
+ ];

 programs.jq.enable = true;
+ programs.obs-studio.enable = true;
 programs.ripgrep.enable = true;
 programs.skim.enable = true;
 programs.zoxide.enable = true;
+
 home.packages = with pkgs; [
 fastfetch
 fd
+ dconf-editor
+ file-roller
+ fractal
+ gnome-calculator
+ hyperfine
+ loupe
+ seahorse
 ];

- programs.fish.functions =
- let
- jq = lib.getExe pkgs.jq;
- nix = lib.getExe pkgs.nix;
- curl = lib.getExe pkgs.curl;
- in
- {
- "pb" = ''
- ${jq} -Rns '{text: inputs}' | \
- ${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
- ${jq} -r '. | "https://pb.ny4.dev\(.path)"'
- '';
-
- "getmnter" = ''
- ${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
- ${jq} '.[].github | "@" + .' -r
- '';
- };
 }
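Review bot: The new `serverConfig` binding pairs `user = "root"` with `identityFile = "${homeDirectory}/.ssh/id_github_signing"` for both `blacksteel` and `tyo0.ny4.dev`, so a single private key now serves as the commit-signing key and as the root credential for every server, and a compromise of that one file yields both. A dedicated authentication key per purpose (for example `identityFile = "${homeDirectory}/.ssh/id_servers";`, a constructed name) keeps the blast radius separate, and adding `identitiesOnly = true;` to `serverConfig` stops the agent from offering unrelated keys to those hosts. The `programs.ssh` attrset that holds `matchBlocks` starts before the hunk.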
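Review bot: `home/default.nix` now unconditionally imports desktop-only modules (`fcitx5`, `firefox`, `foot`, `sway`, `thunderbird`, `ydict`) and GUI packages that used to live under `hosts/dust/home`, which is only safe because this commit leaves `hosts/dust` as the sole consumer of home-manager, and nothing in the file records that assumption. A header comment above `imports` such as `# Desktop home configuration; only hosts/dust applies home-manager (servers do not, see nixos/profiles/core).` would stop a future server host from re-importing it and pulling in sway and firefox. The first hunk of this file (dropping `lib`) is consistent with the `programs.fish.functions` block moving to `home/applications/fish`.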
diff --git a/hosts/dust/home/theme.nix b/home/theme.nix
similarity index 100%
rename from hosts/dust/home/theme.nix
rename to home/theme.nix
diff --git a/hosts/dust/home/xdg-mime.nix b/home/xdg-mime.nix
similarity index 100%
rename from hosts/dust/home/xdg-mime.nix
rename to home/xdg-mime.nix
diff --git a/hosts/dust/default.nix b/hosts/dust/default.nix
index 85af147..792453e 100644
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@@ -1,6 +1,8 @@
 {
 lib,
+ config,
 pkgs,
+ inputs,
 ...
 }:
 {
@@ -19,7 +21,27 @@
 time.timeZone = "Asia/Shanghai";
 system.stateVersion = "24.05";

- home-manager.users.guanranwang = import ./home;
+ users.users = {
+ "guanranwang" = {
+ isNormalUser = true;
+ description = "Guanran Wang";
+ hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
+ shell = pkgs.fish;
+ extraGroups = [
+ "wheel"
+ "nix-access-tokens"
+ ];
+ };
+ };
+
+ home-manager = {
+ users.guanranwang = import ../../home;
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ extraSpecialArgs = {
+ inherit inputs;
+ };
+ };

 boot.tmp.useTmpfs = true;

@@ -36,6 +58,8 @@
 networking.firewall.allowedUDPPorts = [ 53317 ];

 programs.adb.enable = true;
+ programs.dconf.enable = true;
+ programs.fish.enable = true;
 programs.localsend.enable = true;
 programs.seahorse.enable = true;
 programs.ssh = {
diff --git a/hosts/dust/home/default.nix b/hosts/dust/home/default.nix
deleted file mode 100644
index 2419724..0000000
--- a/hosts/dust/home/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ pkgs, ... }:
-{
- imports =
- [
- ./theme.nix
- ./xdg-mime.nix
- ]
- ++ map (n: ../../../home/applications/${n}) [
- "fcitx5"
- "firefox"
- "foot"
- "go"
- "mpv"
- "nautilus"
- "nix"
- "sway"
- "thunderbird"
- "ydict"
- ];
- home.packages = with pkgs; [
- dconf-editor
- file-roller
- fractal
- gnome-calculator
- hyperfine
- loupe
- seahorse
- ];
- programs.obs-studio.enable = true;
-}
diff --git a/nixos/profiles/core/default.nix b/nixos/profiles/core/default.nix
index 593f327..53a037a 100644
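Review bot: The `users.users.guanranwang` block moved into `hosts/dust/default.nix` drops the `openssh.authorizedKeys.keys` entry the core definition carried, so with `users.mutableUsers = false` still set in core the desktop user has no key-based SSH login; if that is deliberate because core no longer enables sshd (the `programs.ssh` in trailing context is the client side), a one-line comment such as `# No authorizedKeys: sshd is not enabled on this host` makes the intent explicit. `hashedPasswordFile` now reads `config.sops.secrets."hashed-passwd".path`, so this host must declare or import that sops secret itself now that the user is no longer defined in core; the declaration is not visible in this patch. The hunk lies inside the host's top-level attrset, which opens in the first hunk and closes outside the diff.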
--- a/nixos/profiles/core/default.nix
+++ b/nixos/profiles/core/default.nix
@@ -1,5 +1,4 @@
 {
- config,
 lib,
 inputs,
 pkgs,
@@ -26,15 +25,6 @@
 inputs.self.overlays.patches
 ];

- home-manager = {
- users.guanranwang = import ../../../home;
- useGlobalPkgs = true;
- useUserPackages = true;
- extraSpecialArgs = {
- inherit inputs;
- };
- };
-
 boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;

 environment.systemPackages = with pkgs; [
@@ -53,55 +43,19 @@
 ];
 users.mutableUsers = false;
- users.users = {
- "guanranwang" = {
- isNormalUser = true;
- description = "Guanran Wang";
- hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
- shell = pkgs.fish;
- extraGroups = [
- "wheel"
- "nix-access-tokens"
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
- ];
- };
- };
-
 boot.initrd.systemd.enable = true;
 environment.stub-ld.enable = false;
 programs.command-not-found.enable = false;
- programs.dconf.enable = true;
- programs.fish.enable = true;
 programs.nano.enable = false;
 programs.vim = {
 enable = true;
 defaultEditor = true;
 };
- # Avoid TOFU MITM with github by providing their public key here.
- programs.ssh.knownHosts = {
- "github.com".hostNames = [ "github.com" ];
- "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-
- "gitlab.com".hostNames = [ "gitlab.com" ];
- "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-
- "git.sr.ht".hostNames = [ "git.sr.ht" ];
- "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
- };
-
 # https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
 services.dbus.implementation = lib.mkDefault "broker";
- services.openssh = {
- enable = true;
- settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
- settings.PasswordAuthentication = false;
- };
-
 security.sudo.execWheelOnly = true;
 security.sudo.extraConfig = ''
 Defaults lecture = never
diff --git a/nixos/profiles/server/default.nix b/nixos/profiles/server/default.nix
index f139044..2af6c22 100644
--- a/nixos/profiles/server/default.nix
+++ b/nixos/profiles/server/default.nix
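Review bot: The `programs.ssh.knownHosts` pins for github.com, gitlab.com and git.sr.ht, which the removed comment says exist to avoid TOFU MITM, are deleted here and not re-added in any other file of this patch, so every host falls back to trust-on-first-use for those forges even though the pins are host-independent and unrelated to home-manager. Keep that block in core, or move it verbatim next to the user definition in `hosts/dust/default.nix` if it was meant to travel with the user. The `services.openssh` block with `PasswordAuthentication = false` and the `lib.mkDefault "no"` root-login default is likewise dropped from core and only re-created in the server profile, so a host that is neither `dust` nor a server gets no hardened sshd defaults if something else enables the service; a comment in core stating that sshd is now configured per profile would record that decision. The enclosing top-level attrset of this module starts before the hunk and closes after it.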
@@ -1,17 +1,18 @@
-{
- pkgs,
- config,
- ...
-}:
+{ pkgs, ... }:
 {
 environment.systemPackages = with pkgs; [
 foot.terminfo
 ];

- # TODO: colmena
- services.openssh.settings.PermitRootLogin = "prohibit-password";
- users.users."root".openssh.authorizedKeys.keys =
- config.users.users.guanranwang.openssh.authorizedKeys.keys;
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "prohibit-password";
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users."root".openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
+ ];

 time.timeZone = "UTC";
 }
diff --git a/nixos/profiles/sing-box/default.nix b/nixos/profiles/sing-box/default.nix
index d9dbff2..5352145 100644
--- a/nixos/profiles/sing-box/default.nix
+++ b/nixos/profiles/sing-box/default.nix
@@ -89,7 +89,7 @@
 httpsProxy = "http://127.0.0.1:1080/";
 };

- environment.shellAliases =
+ programs.fish.shellAliases =
 let
 inherit (config.networking.proxy) httpProxy httpsProxy;
 in
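Review bot: The new `services.openssh` block sets `settings.PasswordAuthentication = false` but leaves `KbdInteractiveAuthentication` at the NixOS default, which is enabled, so sshd can still offer PAM keyboard-interactive password prompts to any non-root account unless that is disabled elsewhere; add `settings.KbdInteractiveAuthentication = false;` beside it so key-only access is enforced rather than implied. `settings.PermitRootLogin = "prohibit-password"` also drops the `lib.mkDefault` wrapper the old core profile used (its `# mkDefault for colmena` note is gone with it), so a host importing this profile can no longer lower the value to `"no"` without `lib.mkForce`; if that override path is still wanted, keep `lib.mkDefault "prohibit-password"`. The authorized key is now a literal in this file rather than derived from the `guanranwang` user, so the server profile is the only place it is declared.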
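Review bot: Replacing `environment.shellAliases` with `programs.fish.shellAliases` makes the proxy aliases fish-only, and this same commit stops enabling fish in `nixos/profiles/core`, so on any server that imports the sing-box profile the aliases now land in a shell that is not enabled while root's default shell gets none; on `hosts/dust`, where `programs.fish.enable = true` is added, they still work. If the profile is desktop-only, a comment such as `# fish-only: the sing-box profile is used on hosts that enable programs.fish` records the assumption; otherwise `environment.shellAliases` remains the shell-agnostic choice. The `let` binding continues past the end of the hunk.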