initial commit

2025-12-17 03:29:20 +00:00 · 2024-08-30 12:50:02 +01:00 · 2024-08-30 12:50:02 +01:00 · c45c7f26a4
commit c45c7f26a4
28 changed files with 1531 additions and 0 deletions
--- a/modules/boot.nix
+++ b/modules/boot.nix
@ -0,0 +1,7 @@
+{...}: {
+  boot.loader = {
+    efi.canTouchEfiVariables = true;
+    systemd-boot.enable = true;
+  };
+  system.stateVersion = "24.05";
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -0,0 +1,17 @@
+{utils}: let
+  nixosModules = utils.lib.exportModules [
+    ./nix.nix
+    ./hm.nix
+    ./boot.nix
+    ./deploy.nix
+    ./keys.nix
+    ./secret.nix
+  ];
+  sharedModules = with nixosModules; [
+    nix
+    hm
+    boot
+    deploy
+    secret
+  ];
+in {inherit nixosModules sharedModules;}
--- a/modules/deploy.nix
+++ b/modules/deploy.nix
@ -0,0 +1,74 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.services.remote-deploy;
+in {
+  options.services.remote-deploy = {
+    enable = mkEnableOption "Enable remote deployment with nixinate.";
+    host = mkOption {
+      type = types.str;
+      description = "Hostname to connect to.";
+    };
+    user = mkOption {
+      type = types.str;
+      default = "deploy";
+      description = "Username for deploy account.";
+    };
+    group = mkOption {
+      type = types.str;
+      default = "deploy";
+      description = "Group for deploy account.";
+    };
+    keys = mkOption {
+      type = types.listOf types.str;
+      description = "Authorised SSH keys for deployment";
+    };
+    port = mkOption {
+      type = types.port;
+      default = 22;
+      description = "SSH port to use.";
+    };
+    buildOn = mkOption {
+      type = types.enum ["local" "remote"];
+      default = "local";
+      description = "Where to build the config.";
+    };
+
+    substituteOnTarget = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Substitute closures and paths from remote";
+    };
+  };
+  config = mkIf cfg.enable {
+    _module.args = {
+      nixinate = {
+        inherit (cfg) host buildOn port substituteOnTarget;
+        sshUser = cfg.user;
+      };
+    };
+    users.groups."${cfg.group}" = {};
+    users.users."${cfg.user}" = {
+      isSystemUser = true;
+      shell = pkgs.bash;
+      inherit (cfg) group;
+      openssh.authorizedKeys.keys = cfg.keys;
+    };
+    nix.settings.trusted-users = [cfg.user];
+    security.sudo.extraRules = [
+      {
+        groups = [cfg.group];
+        commands = [
+          {
+            command = "ALL";
+            options = ["NOPASSWD"];
+          }
+        ];
+      }
+    ];
+  };
+}
--- a/modules/hm.nix
+++ b/modules/hm.nix
@ -0,0 +1,4 @@
+{pkgs, ...}: {
+  home-manager.useGlobalPkgs = true;
+  home-manager.useUserPackages = true;
+}
--- a/modules/keys.nix
+++ b/modules/keys.nix
@ -0,0 +1,5 @@
+{
+  c = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDStMNZgO26AhBz+GkwkMnnDL7nfhOblEMz+bXVaDM3M ssh@cleslie.uk"
+  ];
+}
--- a/modules/nix.nix
+++ b/modules/nix.nix
@ -0,0 +1,18 @@
+{
+  nix = {
+    extraOptions = "gc-keep-outputs = true";
+    settings = {
+      experimental-features = ["nix-command" "flakes"];
+
+      substituters = [
+        "https://nix-community.cachix.org"
+        "https://callumio-public.cachix.org"
+      ];
+
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "callumio-public.cachix.org-1:VucOSl7vh44GdqcILwMIeHlI0ufuAnHAl8cO1U/7yhg="
+      ];
+    };
+  };
+}
--- a/modules/secret.nix
+++ b/modules/secret.nix
@ -0,0 +1,3 @@
+{
+  imports = [../secrets/secrets-configuration.nix];
+}