nixos/servers: dont use home-manager

This commit is contained in:
Guanran Wang 2024-08-28 05:44:22 +08:00
parent de39160e63
commit a6c6003033
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
10 changed files with 102 additions and 125 deletions


@ -1,10 +1,12 @@
{ pkgs, ... }: { lib, pkgs, ... }:
{ {
programs.fish = { programs.fish = {
enable = true; enable = true;
interactiveShellInit = '' interactiveShellInit = ''
set fish_greeting set fish_greeting
''; '';
plugins = [ plugins = [
{ {
name = "autopair"; name = "autopair";
@ -19,5 +21,24 @@
inherit (pkgs.fishPlugins.puffer) src; inherit (pkgs.fishPlugins.puffer) src;
} }
]; ];
functions =
let
jq = lib.getExe pkgs.jq;
nix = lib.getExe pkgs.nix;
curl = lib.getExe pkgs.curl;
in
{
"pb" = ''
${jq} -Rns '{text: inputs}' | \
${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
${jq} -r '. | "https://pb.ny4.dev\(.path)"'
'';
"getmnter" = ''
${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
${jq} '.[].github | "@" + .' -r
'';
};
}; };
} }
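Review bot: The `pb` function runs `curl -s` without `-S`/`--fail`, so when pb.ny4.dev answers with a non-2xx response (or the TLS connection fails) the error page or nothing is silently piped into `jq`, which then prints a bogus `https://pb.ny4.dev/null`-style link while the paste was never stored. Since the whole point of `-s` here is a clean one-line result, `${curl} -sSf -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \` keeps the quiet output but fails loudly on HTTP errors. The `getmnter` function splices `$argv` unquoted into a flake reference; that is fine for interactive use but worth a one-line comment such as `# interactive helper: $argv is a bare attribute path, not shell-escaped`.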


@ -5,10 +5,14 @@
matchBlocks = matchBlocks =
let let
inherit (config.home) homeDirectory; inherit (config.home) homeDirectory;
serverConfig = {
identityFile = "${homeDirectory}/.ssh/id_github_signing";
user = "root";
};
in in
{ {
"blacksteel".identityFile = "${homeDirectory}/.ssh/id_github_signing"; "blacksteel" = serverConfig;
"tyo0.ny4.dev".identityFile = "${homeDirectory}/.ssh/id_github_signing"; "tyo0.ny4.dev" = serverConfig;
}; };
}; };
} }
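Review bot: The new `serverConfig` block makes `id_github_signing` the login key for `root` on both servers, so one private key now spans two trust domains (commit signing on GitHub and root shell access); a compromise or revocation on either side forces rotating the other. A dedicated key, e.g. `identityFile = "${homeDirectory}/.ssh/id_servers";`, plus `identitiesOnly = true;` in `serverConfig` so the agent does not offer every loaded key to the servers, keeps the blast radius separate. The enclosing `programs.ssh` attribute set starts above this hunk.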


@ -1,5 +1,4 @@
{ {
lib,
pkgs, pkgs,
... ...
}: }:
@ -10,46 +9,52 @@
stateVersion = "23.05"; stateVersion = "23.05";
}; };
imports = [ imports =
./applications/atuin [
./applications/bash ./theme.nix
./applications/bat ./xdg-mime.nix
./applications/eza ]
./applications/fish ++ map (n: ./applications/${n}) [
./applications/git "atuin"
./applications/gpg "bash"
./applications/neovim "bat"
./applications/ssh "eza"
./applications/starship "fcitx5"
./applications/tealdeer "firefox"
./applications/tmux "fish"
"foot"
"git"
"go"
"gpg"
"mpv"
"nautilus"
"neovim"
"nix"
"ssh"
"starship"
"sway"
"tealdeer"
"thunderbird"
"tmux"
"ydict"
]; ];
programs.jq.enable = true; programs.jq.enable = true;
programs.obs-studio.enable = true;
programs.ripgrep.enable = true; programs.ripgrep.enable = true;
programs.skim.enable = true; programs.skim.enable = true;
programs.zoxide.enable = true; programs.zoxide.enable = true;
home.packages = with pkgs; [ home.packages = with pkgs; [
fastfetch fastfetch
fd fd
dconf-editor
file-roller
fractal
gnome-calculator
hyperfine
loupe
seahorse
]; ];
programs.fish.functions =
let
jq = lib.getExe pkgs.jq;
nix = lib.getExe pkgs.nix;
curl = lib.getExe pkgs.curl;
in
{
"pb" = ''
${jq} -Rns '{text: inputs}' | \
${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
${jq} -r '. | "https://pb.ny4.dev\(.path)"'
'';
"getmnter" = ''
${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
${jq} '.[].github | "@" + .' -r
'';
};
} }
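Review bot: With the desktop-only modules (`fcitx5`, `firefox`, `sway`, `thunderbird`, `obs-studio`, the GNOME packages) folded into the shared `imports` list, this `home/default.nix` is no longer a profile that can be reused on a headless host, which is easy to miss later since the filename still reads as the common home. A short header comment would record the decision this commit makes: `# Desktop home profile. Servers do not use home-manager (see nixos/servers), so graphical modules are imported unconditionally here.`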


@ -1,6 +1,8 @@
{ {
lib, lib,
config,
pkgs, pkgs,
inputs,
... ...
}: }:
{ {
@ -19,7 +21,27 @@
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";
system.stateVersion = "24.05"; system.stateVersion = "24.05";
home-manager.users.guanranwang = import ./home; users.users = {
"guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
shell = pkgs.fish;
extraGroups = [
"wheel"
"nix-access-tokens"
];
};
};
home-manager = {
users.guanranwang = import ../../home;
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
inherit inputs;
};
};
boot.tmp.useTmpfs = true; boot.tmp.useTmpfs = true;
@ -36,6 +58,8 @@
networking.firewall.allowedUDPPorts = [ 53317 ]; networking.firewall.allowedUDPPorts = [ 53317 ];
programs.adb.enable = true; programs.adb.enable = true;
programs.dconf.enable = true;
programs.fish.enable = true;
programs.localsend.enable = true; programs.localsend.enable = true;
programs.seahorse.enable = true; programs.seahorse.enable = true;
programs.ssh = { programs.ssh = {
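Review bot: The `users.users.guanranwang` definition moved here dropped the `openssh.authorizedKeys.keys` entry that the removed common definition carried, so if this host still runs sshd (not visible in this hunk; `services.openssh` was removed from the common module in the same commit) the user can no longer log in remotely by key. If remote access to this host is intended, restore `openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com" ];` inside the user block; if it is not, a one-line comment saying sshd is intentionally off on this host would save the next reader the same question. The `programs.ssh` block at the end of the hunk continues outside it.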


@ -1,32 +0,0 @@
{ pkgs, ... }:
{
imports =
[
./theme.nix
./xdg-mime.nix
]
++ map (n: ../../../home/applications/${n}) [
"fcitx5"
"firefox"
"foot"
"go"
"mpv"
"nautilus"
"nix"
"sway"
"thunderbird"
"ydict"
];
home.packages = with pkgs; [
dconf-editor
file-roller
fractal
gnome-calculator
hyperfine
loupe
seahorse
];
programs.obs-studio.enable = true;
}


@ -1,5 +1,4 @@
{ {
config,
lib, lib,
inputs, inputs,
pkgs, pkgs,
@ -26,15 +25,6 @@
inputs.self.overlays.patches inputs.self.overlays.patches
]; ];
home-manager = {
users.guanranwang = import ../../../home;
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
inherit inputs;
};
};
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -53,55 +43,19 @@
]; ];
users.mutableUsers = false; users.mutableUsers = false;
users.users = {
"guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
shell = pkgs.fish;
extraGroups = [
"wheel"
"nix-access-tokens"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
];
};
};
boot.initrd.systemd.enable = true; boot.initrd.systemd.enable = true;
environment.stub-ld.enable = false; environment.stub-ld.enable = false;
programs.command-not-found.enable = false; programs.command-not-found.enable = false;
programs.dconf.enable = true;
programs.fish.enable = true;
programs.nano.enable = false; programs.nano.enable = false;
programs.vim = { programs.vim = {
enable = true; enable = true;
defaultEditor = true; defaultEditor = true;
}; };
# Avoid TOFU MITM with github by providing their public key here.
programs.ssh.knownHosts = {
"github.com".hostNames = [ "github.com" ];
"github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
"gitlab.com".hostNames = [ "gitlab.com" ];
"gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
"git.sr.ht".hostNames = [ "git.sr.ht" ];
"git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
};
# https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/ # https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
services.dbus.implementation = lib.mkDefault "broker"; services.dbus.implementation = lib.mkDefault "broker";
services.openssh = {
enable = true;
settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
settings.PasswordAuthentication = false;
};
security.sudo.execWheelOnly = true; security.sudo.execWheelOnly = true;
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
Defaults lecture = never Defaults lecture = never


@ -1,17 +1,18 @@
{ { pkgs, ... }:
pkgs,
config,
...
}:
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
foot.terminfo foot.terminfo
]; ];
# TODO: colmena services.openssh = {
services.openssh.settings.PermitRootLogin = "prohibit-password"; enable = true;
users.users."root".openssh.authorizedKeys.keys = settings.PermitRootLogin = "prohibit-password";
config.users.users.guanranwang.openssh.authorizedKeys.keys; settings.PasswordAuthentication = false;
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
];
time.timeZone = "UTC"; time.timeZone = "UTC";
} }
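Review bot: The new `services.openssh.settings` block turns off `PasswordAuthentication` but leaves `KbdInteractiveAuthentication` at its NixOS default of enabled, so the daemon will still offer keyboard-interactive (PAM) authentication to anyone who connects; with `users.mutableUsers = false` and no root password this should not succeed today, but the exposure depends on PAM configuration rather than on sshd, and it costs one line to close: `settings.KbdInteractiveAuthentication = false;`. The root public key is now a second copy of the literal that the common module used to hold for `guanranwang`; a shared `let` binding or a key file under `lib.fileContents` would keep the two from drifting when the key is rotated.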


@ -89,7 +89,7 @@
httpsProxy = "http://127.0.0.1:1080/"; httpsProxy = "http://127.0.0.1:1080/";
}; };
environment.shellAliases = programs.fish.shellAliases =
let let
inherit (config.networking.proxy) httpProxy httpsProxy; inherit (config.networking.proxy) httpProxy httpsProxy;
in in