

No commits in common. "main" and "disko" have entirely different histories.
main ... disko

14 changed files with 29 additions and 282 deletions


@ -4,39 +4,8 @@ My NixOS configuration.
## Installation ## Installation
For disk configuration we use disko, but for secrets management we use sops-nix and the particular setup makes the installation process a bit more involved. It is required that the computer from which the installation is being run has access to the `nixos-secrets` repository, otherwise you will need to manually add the required ssh keys to the installation image. For disk configuration we use disko, this means that installing the system from the configuration is just a single command:
```bash
# Load into the installer
sudo passwd # Set a root password
# From a machine with network access to the installer
# and access to the nixos-secrets repo
ssh -A root@(installer-ip)
# Set up disks
nix-shell -p disko
disko --mode disko --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
exit
# Install NixOS
nixos-install --no-channel-copy --no-root-password --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
# Set up host credentials for access to the secrets
cd /mnt/persist/system/etc/sops
touch sops_ed25519_key
chmod 600 sops_ed25519_key
nano sops_ed25519_key
``` ```
If `nixos-install` is being stopped by the OOM-killer, you can try adding `-j 1` to limit the amount of jobs that will be executed at the same time to 1. It might require running nixos-install multiple times untill it has managed to download all requirements and slowly start building the rest of the system. sudo nix --experimental-features "nix-command flakes" run "github:nix-community/disko/latest#disko-install" -- --flake git+https://git.bulthuis.dev/Jan/dotfiles#<hostname> --disk main /dev/sda
```
## Updating
To update the system configuration, it is a single command:
```bash
sudo system-update
```
Or if this shell script has not been installed for some reason:
```bash
sudo nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config
```
Sometimes it may be necessary to reboot of course.

flake.lock generated

@ -154,44 +154,7 @@
"impermanence": "impermanence", "impermanence": "impermanence",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nix-modpack": "nix-modpack", "nix-modpack": "nix-modpack",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs"
"secrets": "secrets",
"sops-nix": "sops-nix"
}
},
"secrets": {
"locked": {
"lastModified": 1749133396,
"narHash": "sha256-St9GzTMi/Bx9Zs84LfNbcH7Qbs825UTg9hvzNg1ZI3A=",
"ref": "refs/heads/main",
"rev": "51679f68977cb3246a02791a59841fa31659136e",
"revCount": 8,
"type": "git",
"url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
},
"original": {
"type": "git",
"url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1747603214,
"narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"systems": { "systems": {


@ -6,13 +6,6 @@
nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
home-manager.url = "github:nix-community/home-manager"; home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
# Secrets
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
secrets.url = "git+ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets";
# Disk setup
disko.url = "github:nix-community/disko"; disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs"; disko.inputs.nixpkgs.follows = "nixpkgs";
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";


@ -1,4 +1,4 @@
{ inputs, ... }: { flake, ... }:
{ {
# State version # State version
@ -13,17 +13,6 @@
"wireshark" "wireshark"
]; ];
# Set up kerberos
security.krb5 = {
enable = true;
settings = {
libdefaults = {
rdns = false;
};
realms = (inputs.secrets.gewis.krb5Realm);
};
};
# Enable virtualisation for VMs # Enable virtualisation for VMs
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;


@ -1,22 +0,0 @@
{
lib,
pkgs,
config,
...
}:
{
# State version
system.stateVersion = "24.11";
# Machine hostname
networking.hostName = "vm-vpn";
# Enabled modules
modules = {
profiles.vm.enable = true;
};
# Setup NAS Backup Job
}


@ -1,7 +0,0 @@
{ ... }:
{
home.stateVersion = "24.11";
modules.profiles.base.enable = true;
}


@ -1,22 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.modules.bitwarden;
in
{
options.modules.bitwarden = {
enable = mkEnableOption "Bitwarden";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [
bitwarden-desktop
];
};
}


@ -1,43 +0,0 @@
{
inputs,
lib,
config,
...
}:
with lib;
let
cfg = config.modules.secrets;
secrets = inputs.secrets;
in
{
options.modules.secrets = {
enable = mkEnableOption "secrets";
defaultFile = mkOption {
type = types.str;
default = "${secrets}/secrets/common.enc.yaml";
description = ''
The default file to use for SOPS.
'';
};
secrets = mkOption {
type = types.attrs;
default = { };
description = ''
All secrets that should be made available.
'';
};
};
config = mkIf cfg.enable {
# Set up SOPS
# TODO: Fix the key not being present in .config/sops before sops-nix runs
sops.defaultSopsFile = cfg.defaultFile;
sops.age.sshKeyPaths = [
"${config.home.homeDirectory}/.config/sops/sops_ed25519_key"
# "/persist/home/${config.home.username}/.config/sops/sops_ed25519_key"
];
sops.secrets = cfg.secrets;
modules.impermanence.directories = [ ".config/sops" ];
};
}


@ -1,43 +0,0 @@
{
inputs,
lib,
config,
...
}:
with lib;
let
cfg = config.modules.secrets;
secrets = inputs.secrets;
in
{
options.modules.secrets = {
enable = mkEnableOption "secrets";
defaultFile = mkOption {
type = types.str;
default = "${secrets}/secrets/common.enc.yaml";
description = ''
The default file to use for SOPS.
'';
};
secrets = mkOption {
type = types.attrs;
default = { };
description = ''
All secrets that should be made available.
'';
};
};
config = mkIf cfg.enable {
# Set up SOPS
# TODO: Fix the key not being present in /etc/sops before sops-nix runs
sops.defaultSopsFile = cfg.defaultFile;
sops.age.sshKeyPaths = [
"/etc/sops/sops_ed25519_key"
"/persist/system/etc/sops/sops_ed25519_key"
];
sops.secrets = cfg.secrets;
modules.impermanence.directories = [ "/etc/sops" ];
};
}


@ -9,24 +9,7 @@ in
enable = mkEnableOption "ssh"; enable = mkEnableOption "ssh";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.openssh = { services.openssh.enable = true;
enable = true; # TODO: Is this default configuration secure?
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
hostKeys = mkIf (config.modules.impermanence.enable) [
{
type = "ed25519";
path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
}
{
type = "rsa";
bits = 4096;
path = "/persist/system/etc/ssh/ssh_host_rsa_key";
}
];
};
}; };
} }
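Review bot: Collapsing the block to `services.openssh.enable = true;` drops the three hardening settings, and the new `# TODO: Is this default configuration secure?` comment already has its answer: the NixOS defaults for `PasswordAuthentication` and `KbdInteractiveAuthentication` are true, so password logins are accepted again, and only `PermitRootLogin` falls back to the safer `prohibit-password`. Restore them next to the enable: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; };`. The removed `hostKeys` entries pinned the host keys under `/persist/system/etc/ssh`; with `modules.impermanence.enable` set and nothing else in this compare persisting `/etc/ssh` (the base profile only adds `/etc/shadow` to `impermanence.files`), the host keys would presumably be regenerated on every boot, so every client sees a changed host key and is trained to ignore the warning. If the impermanence module persists `/etc/ssh` by default that is fine, but it is not visible here.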


@ -3,7 +3,6 @@
disk = { disk = {
main = { main = {
type = "disk"; type = "disk";
device = "/dev/sda";
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
@ -18,19 +17,12 @@
}; };
}; };
zfs = { zfs = {
end = "-4G"; size = "100%";
content = { content = {
type = "zfs"; type = "zfs";
pool = "tank"; pool = "tank";
}; };
}; };
swap = {
size = "100%";
content = {
type = "swap";
discardPolicy = "both";
};
};
}; };
}; };
}; };


@ -24,6 +24,7 @@ in
freecad-wayland freecad-wayland
inkscape inkscape
ente-auth ente-auth
bitwarden
carla carla
winbox winbox
whatsapp-for-linux whatsapp-for-linux
@ -38,7 +39,6 @@ in
prismlauncher prismlauncher
foliate foliate
wireshark wireshark
obsidian
]; ];
modules = { modules = {
@ -61,7 +61,6 @@ in
"flake.lock" "flake.lock"
]; ];
}; };
bitwarden.enable = true;
xpra = { xpra = {
enable = true; enable = true;
hosts = [ hosts = [


@ -1,4 +1,5 @@
{ {
mkModule,
pkgs, pkgs,
lib, lib,
config, config,
@ -19,19 +20,13 @@ in
bootloader.enable = mkDefault true; bootloader.enable = mkDefault true;
ssh.enable = mkDefault true; ssh.enable = mkDefault true;
# Setup sensible default persistent data
impermanence.directories = [ impermanence.directories = [
"/var/lib/nixos" "/var/lib/nixos"
]; ];
impermanence.files = [
# TODO: Remove the secrets module and use sops directly? "/etc/shadow"
secrets = { ];
enable = true;
secrets = {
"ssh-keys/deploy-priv" = {
path = "/root/.ssh/id_ed25519";
};
};
};
}; };
# Localization # Localization
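Review bot: The new `impermanence.files = [ "/etc/shadow" ];` persists the shadow file by a per-file bind mount, and NixOS rewrites `/etc/shadow` during activation by writing a temporary file and renaming it over the old one; if that is how this project's impermanence module handles `files`, the rename replaces the mounted inode rather than writing through it, so a password changed with `passwd` may not survive a reboot. Worth confirming on a test boot, or persisting the directory rather than the single file, since the removed secrets module (the hashed-password and deploy-key path) is exactly what this replaces. A short comment on the line stating the expectation would help the next reader, e.g. `# Persist local account passwords across the tmpfs root`. The enclosing module body starts outside the hunk.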


@ -1,4 +1,5 @@
{ {
mkModule,
pkgs, pkgs,
lib, lib,
config, config,
@ -32,26 +33,15 @@ in
ssh.enable = true; ssh.enable = true;
}; };
# Autologin to root for access from hypervisor # Admin users
services.getty.autologinUser = "root";
# Local user
modules.secrets.secrets."passwords/local-hashed".neededForUsers = true;
users.mutableUsers = false;
users.users.local = { users.users.local = {
hashedPasswordFile = config.sops.secrets."passwords/local-hashed".path; initialPassword = "local";
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Admin" "ssh-ed25519 jan@bulthuis.dev"
]; ];
}; };
# System packages
environment.systemPackages = with pkgs; [
# TODO: Make module for utilities/scripts
(writeShellScriptBin "system-update" "nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config")
];
# Enable qemu guest agent # Enable qemu guest agent
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
@ -71,6 +61,17 @@ in
"sd_mod" "sd_mod"
"sr_mod" "sr_mod"
]; ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
hardware.cpu.intel.updateMicrocode = true;
# Swapfile
swapDevices = [
{
device = "/var/lib/swapfile";
size = 6 * 1024;
}
];
}; };
} }
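Review bot: `initialPassword = "local";` in the `users.users.local` block sets a guessable plaintext password that is stored in the world-readable Nix store, and because `users.mutableUsers = false;` was dropped it persists as a working credential until someone remembers to change it; prefer `initialHashedPassword` or a `hashedPasswordFile` that lives outside the store, and keep `users.mutableUsers = false;` if the hash is declarative. The replacement authorized key `"ssh-ed25519 jan@bulthuis.dev"` has no key blob, so sshd will reject that line and the only remaining way in over SSH is that password — and the ssh module in this same compare no longer sets `PasswordAuthentication = false`, so NixOS's default of accepting passwords applies. Paste the full public key line, `"ssh-ed25519 <base64-key-blob> jan@bulthuis.dev"`. The swapfile at `/var/lib/swapfile` in `swapDevices` looks like it would sit on the ZFS pool declared in the disko config; if so, OpenZFS documents swap on ZFS as prone to deadlock under memory pressure, which is worth confirming before the removed swap partition is relied on being gone. The enclosing module body starts outside the hunk.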