README.md

@@ -4,39 +4,8 @@ My NixOS configuration.
 
 ## Installation
 
-For disk configuration we use disko, but for secrets management we use sops-nix and the particular setup makes the installation process a bit more involved. It is required that the computer from which the installation is being run has access to the `nixos-secrets` repository, otherwise you will need to manually add the required ssh keys to the installation image. 
-```bash
-# Load into the installer
-sudo passwd # Set a root password
+For disk configuration we use disko, this means that installing the system from the configuration is just a single command:
 
-# From a machine with network access to the installer
-# and access to the nixos-secrets repo
-ssh -A root@(installer-ip)
-
-# Set up disks
-nix-shell -p disko
-disko --mode disko --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
-exit
-
-# Install NixOS
-nixos-install --no-channel-copy --no-root-password --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
-cd /mnt/persist/system/etc/sops
-
-# Set up host credentials for access to the secrets
-touch sops_ed25519_key 
-chmod 600 sops_ed25519_key
-nano sops_ed25519_key
 ```
-If `nixos-install` is being stopped by the OOM-killer, you can try adding `-j 1` to limit the amount of jobs that will be executed at the same time to 1. It might require running nixos-install multiple times untill it has managed to download all requirements and slowly start building the rest of the system.
-
-## Updating
-
-To update the system configuration, it is a single command:
-```bash
-sudo system-update
-```
-Or if this shell script has not been installed for some reason:
-```bash
-sudo nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config
-```
-Sometimes it may be necessary to reboot of course.
+sudo nix --experimental-features "nix-command flakes" run "github:nix-community/disko/latest#disko-install" -- --flake git+https://git.bulthuis.dev/Jan/dotfiles#<hostname> --disk main /dev/sda
+```

flake.lock

@@ -154,44 +154,7 @@
         "impermanence": "impermanence",
         "nix-minecraft": "nix-minecraft",
         "nix-modpack": "nix-modpack",
-        "nixpkgs": "nixpkgs",
-        "secrets": "secrets",
-        "sops-nix": "sops-nix"
-      }
-    },
-    "secrets": {
-      "locked": {
-        "lastModified": 1748613807,
-        "narHash": "sha256-awE+2QvMkGP4OOPGniFMldvYnLYj60n4izgEJXcJUv0=",
-        "ref": "refs/heads/main",
-        "rev": "d120fcc272429517649402cf2ccefb9334f50535",
-        "revCount": 7,
-        "type": "git",
-        "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
-      },
-      "original": {
-        "type": "git",
-        "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
-      }
-    },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1747603214,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
+        "nixpkgs": "nixpkgs"
       }
     },
     "systems": {

flake.nix

@@ -6,13 +6,6 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
     home-manager.url = "github:nix-community/home-manager";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
-    # Secrets
-    sops-nix.url = "github:Mic92/sops-nix";
-    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    secrets.url = "git+ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets";
-
-    # Disk setup
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
     impermanence.url = "github:nix-community/impermanence";

modules/home/utilities/bitwarden.nix

@@ -1,22 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-
-with lib;
-let
-  cfg = config.modules.bitwarden;
-in
-{
-  options.modules.bitwarden = {
-    enable = mkEnableOption "Bitwarden";
-  };
-
-  config = mkIf cfg.enable {
-    home.packages = with pkgs; [
-      bitwarden-desktop
-    ];
-  };
-}

modules/home/utilities/secrets.nix

@@ -1,43 +0,0 @@
-{
-  inputs,
-  lib,
-  config,
-  ...
-}:
-
-with lib;
-let
-  cfg = config.modules.secrets;
-  secrets = inputs.secrets;
-in
-{
-  options.modules.secrets = {
-    enable = mkEnableOption "secrets";
-    defaultFile = mkOption {
-      type = types.str;
-      default = "${secrets}/secrets/common.enc.yaml";
-      description = ''
-        The default file to use for SOPS.
-      '';
-    };
-    secrets = mkOption {
-      type = types.attrs;
-      default = { };
-      description = ''
-        All secrets that should be made available.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    # Set up SOPS
-    # TODO: Fix the key not being present in .config/sops before sops-nix runs
-    sops.defaultSopsFile = cfg.defaultFile;
-    sops.age.sshKeyPaths = [
-      "${config.home.homeDirectory}/.config/sops/sops_ed25519_key"
-      # "/persist/home/${config.home.username}/.config/sops/sops_ed25519_key"
-    ];
-    sops.secrets = cfg.secrets;
-    modules.impermanence.directories = [ ".config/sops" ];
-  };
-}

modules/nixos/secrets.nix

@@ -1,43 +0,0 @@
-{
-  inputs,
-  lib,
-  config,
-  ...
-}:
-
-with lib;
-let
-  cfg = config.modules.secrets;
-  secrets = inputs.secrets;
-in
-{
-  options.modules.secrets = {
-    enable = mkEnableOption "secrets";
-    defaultFile = mkOption {
-      type = types.str;
-      default = "${secrets}/secrets/common.enc.yaml";
-      description = ''
-        The default file to use for SOPS.
-      '';
-    };
-    secrets = mkOption {
-      type = types.attrs;
-      default = { };
-      description = ''
-        All secrets that should be made available.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    # Set up SOPS
-    # TODO: Fix the key not being present in /etc/sops before sops-nix runs
-    sops.defaultSopsFile = cfg.defaultFile;
-    sops.age.sshKeyPaths = [
-      "/etc/sops/sops_ed25519_key"
-      "/persist/system/etc/sops/sops_ed25519_key"
-    ];
-    sops.secrets = cfg.secrets;
-    modules.impermanence.directories = [ "/etc/sops" ];
-  };
-}

modules/nixos/ssh.nix

@@ -9,24 +9,7 @@ in
     enable = mkEnableOption "ssh";
   };
   config = mkIf cfg.enable {
-    services.openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = "no";
-      };
-      hostKeys = mkIf (config.modules.impermanence.enable) [
-        {
-          type = "ed25519";
-          path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
-        }
-        {
-          type = "rsa";
-          bits = 4096;
-          path = "/persist/system/etc/ssh/ssh_host_rsa_key";
-        }
-      ];
-    };
+    services.openssh.enable = true;
+    # TODO: Is this default configuration secure?
   };
 }

profiles/disko/vm.nix

@@ -3,7 +3,6 @@
     disk = {
       main = {
         type = "disk";
-        device = "/dev/sda";
         content = {
           type = "gpt";
           partitions = {
@@ -18,19 +17,12 @@
               };
             };
             zfs = {
-              end = "-4G";
+              size = "100%";
               content = {
                 type = "zfs";
                 pool = "tank";
               };
             };
-            swap = {
-              size = "100%";
-              content = {
-                type = "swap";
-                discardPolicy = "both";
-              };
-            };
           };
         };
       };

profiles/home/jan.nix

@@ -24,6 +24,7 @@ in
       freecad-wayland
       inkscape
       ente-auth
+      bitwarden
       carla
       winbox
       whatsapp-for-linux
@@ -60,7 +61,6 @@ in
           "flake.lock"
         ];
       };
-      bitwarden.enable = true;
       xpra = {
         enable = true;
         hosts = [

profiles/nixos/base.nix

@@ -1,4 +1,5 @@
 {
+  mkModule,
   pkgs,
   lib,
   config,
@@ -19,19 +20,13 @@ in
       bootloader.enable = mkDefault true;
       ssh.enable = mkDefault true;
 
+      # Setup sensible default persistent data
       impermanence.directories = [
         "/var/lib/nixos"
       ];
-
-      # TODO: Remove the secrets module and use sops directly?
-      secrets = {
-        enable = true;
-        secrets = {
-          "ssh-keys/deploy-priv" = {
-            path = "/root/.ssh/id_ed25519";
-          };
-        };
-      };
+      impermanence.files = [
+        "/etc/shadow"
+      ];
     };
 
     # Localization

profiles/nixos/vm.nix

@@ -1,4 +1,5 @@
 {
+  mkModule,
   pkgs,
   lib,
   config,
@@ -32,26 +33,15 @@ in
       ssh.enable = true;
     };
 
-    # Autologin to root for access from hypervisor
-    services.getty.autologinUser = "root";
-
-    # Local user
-    modules.secrets.secrets."passwords/local-hashed".neededForUsers = true;
-    users.mutableUsers = false;
+    # Admin users
     users.users.local = {
-      hashedPasswordFile = config.sops.secrets."passwords/local-hashed".path;
+      initialPassword = "local";
       extraGroups = [ "wheel" ];
       openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Admin"
+        "ssh-ed25519  jan@bulthuis.dev"
       ];
     };
 
-    # System packages
-    environment.systemPackages = with pkgs; [
-      # TODO: Make module for utilities/scripts
-      (writeShellScriptBin "system-update" "nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config")
-    ];
-
     # Enable qemu guest agent
     services.qemuGuest.enable = true;
 
@@ -71,6 +61,17 @@ in
       "sd_mod"
       "sr_mod"
     ];
+    boot.initrd.kernelModules = [ ];
     boot.kernelModules = [ "kvm-intel" ];
+    boot.extraModulePackages = [ ];
+    hardware.cpu.intel.updateMicrocode = true;
+
+    # Swapfile
+    swapDevices = [
+      {
+        device = "/var/lib/swapfile";
+        size = 6 * 1024;
+      }
+    ];
   };
 }