karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add lanzaboote

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-08-09 18:00:43 +02:00
parent 6873ecc0df
commit 1e6d515526
17 changed files with 338 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

167
flake.lock generated
View File

@@ -44,6 +44,21 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"locked": {
"lastModified": 1754269165,
"narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
"owner": "ipetkov",
"repo": "crane",
"rev": "444e81206df3f7d92780680e45858e31d2f07a08",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -65,6 +80,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-input-patcher": { "flake-input-patcher": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -90,17 +121,14 @@
}, },
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": "nixpkgs-lib"
"nur",
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1733312601, "lastModified": 1754487366,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -129,6 +157,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gnim": { "gnim": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -165,6 +215,33 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1754297745,
"narHash": "sha256-aD6/scLN3L4ZszmNbhhd3JQ9Pzv1ScYFphz14wHinfs=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "892cbdca865d6b42f9c0d222fe309f7720259855",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1753694789, "lastModified": 1753694789,
@@ -181,9 +258,26 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1753579242,
"narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nur": { "nur": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": [
"flake-parts"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@@ -225,6 +319,32 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"quadlet-nix": { "quadlet-nix": {
"locked": { "locked": {
"lastModified": 1753321053, "lastModified": 1753321053,
@@ -246,8 +366,10 @@
"astal": "astal", "astal": "astal",
"disko": "disko", "disko": "disko",
"flake-input-patcher": "flake-input-patcher", "flake-input-patcher": "flake-input-patcher",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nur": "nur", "nur": "nur",
"nvidia-patch": "nvidia-patch", "nvidia-patch": "nvidia-patch",
@@ -259,14 +381,35 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754189623,
"narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1754044614, "lastModified": 1754739960,
"narHash": "sha256-+hNFrtcw8KHDYPVePVFWEuiEg6UfyyR4U5SK0DeY9as=", "narHash": "sha256-y6L+/e+BduxLUFT5NUXvtBHgCMj+h4+vZ0x/yUWAbeg=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "22a140f2c1a3b36ed97123e1cd5d0f07cdfbfff8", "rev": "c072cbb08deb0ea741b3c557c5190b5e8121ca10",
"revCount": 28, "revCount": 29,
"type": "git", "type": "git",
"url": "https://git.karaolidis.com/karaolidis/nix-secrets.git" "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git"
}, },

27
flake.nix
View File

@@ -17,21 +17,25 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
};
};
secrets = { secrets = {
url = "git+https://git.karaolidis.com/karaolidis/nix-secrets.git"; url = "git+https://git.karaolidis.com/karaolidis/nix-secrets.git";
flake = false; flake = false;
}; };
systems.url = "github:nix-systems/default";
nur = { nur = {
url = "github:nix-community/NUR"; url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs"; inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
}; };
flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
}; };
treefmt-nix = { treefmt-nix = {
@@ -77,6 +81,15 @@
systems.follows = "systems"; systems.follows = "systems";
}; };
}; };
systems.url = "github:nix-systems/default";
flake-parts.url = "github:hercules-ci/flake-parts";
flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
}; };
outputs = outputs =

22
hosts/common/configs/system/lanzaboote/default.nix Normal file
View File

@@ -0,0 +1,22 @@
{
inputs,
lib,
pkgs,
...
}:
{
imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
environment = {
persistence."/persist/state"."/var/lib/sbctl" = { };
systemPackages = with pkgs; [ sbctl ];
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
}

1
hosts/common/configs/system/nix-install/install.completion.zsh
View File

@@ -4,6 +4,7 @@ _nix-install_completion() {
'-m[Mode: 'install' or 'repair']:mode:(install repair)' '-m[Mode: 'install' or 'repair']:mode:(install repair)'
'-h[Host to configure]:host:($(_list_hosts))' '-h[Host to configure]:host:($(_list_hosts))'
'-k[Key file to copy to user config]:key:($(_list_keys))' '-k[Key file to copy to user config]:key:($(_list_keys))'
'-s[Enroll secure boot keys on current device]'
'-c[Copy configuration to target]' '-c[Copy configuration to target]'
'-r[Reboot after completion]' '-r[Reboot after completion]'
) )

59
hosts/common/configs/system/nix-install/install.sh
View File

@@ -1,13 +1,14 @@
# shellcheck shell=bash # shellcheck shell=bash
usage() { usage() {
echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-c] [-r]" echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-s] [-c] [-r]"
echo echo
echo "Options:" echo "Options:"
echo " flake Directory containing the flake.nix file." echo " flake Directory containing the flake.nix file."
echo " -m mode Mode: 'install' or 'repair'." echo " -m mode Mode: 'install' or 'repair'."
echo " -h host Host to configure." echo " -h host Host to configure."
echo " -k key Key file to copy to user config." echo " -k key Key file to copy to user config."
echo " -s Enroll secure boot keys on current device."
echo " -c Copy configuration to target." echo " -c Copy configuration to target."
echo " -r Reboot after completion." echo " -r Reboot after completion."
exit 1 exit 1
@@ -35,7 +36,7 @@ check_flake() {
} }
check_host() { check_host() {
if ! nix flake show --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then if ! nix flake show --allow-import-from-derivation --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
echo "Host '$host' not found in flake." echo "Host '$host' not found in flake."
exit 1 exit 1
fi fi
@@ -51,6 +52,7 @@ check_key() {
set_password_file() { set_password_file() {
SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt" SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
export SOPS_AGE_KEY_FILE export SOPS_AGE_KEY_FILE
install -m 600 /dev/null /tmp/keyfile
sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
unset SOPS_AGE_KEY_FILE unset SOPS_AGE_KEY_FILE
} }
@@ -62,7 +64,7 @@ prepare_disk() {
disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix" disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix"
} }
copy_keys() { copy_sops_keys() {
mkdir -p "$root/persist/state/etc/ssh" mkdir -p "$root/persist/state/etc/ssh"
cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key" cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
@@ -87,26 +89,46 @@ copy_keys() {
done done
} }
copy_secure_boot_keys() {
mkdir -p "$root/persist/state/var/lib/sbctl/keys"/{db,KEK,PK}
SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
export SOPS_AGE_KEY_FILE
sops --decrypt --extract "['guid']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*
unset SOPS_AGE_KEY_FILE
mkdir -p "$root/var/lib/sbctl"
mount --bind -o X-fstrim.notrim,x-gvfs-hide "$root/persist/state/var/lib/sbctl" "$root/var/lib/sbctl"
}
install() { install() {
nixos-install --root "$root" --flake "$flake#$host" --no-root-passwd nixos-install --root "$root" --flake "$flake#$host" --no-root-passwd
} }
enroll_secure_boot() {
sbctl enroll-keys --microsoft
}
copy_config() { copy_config() {
echo "Copying configuration..." echo "Copying configuration..."
mkdir -p "$root/persist/user/etc/nixos" mkdir -p "$root/persist/user/etc"
rm -rf "$root/persist/user/etc/nixos" rm -rf "$root/persist/user/etc/nixos"
cp -r "$flake" "$root/persist/user/etc/nixos" cp -r "$flake" "$root/persist/user/etc/nixos"
} }
finish() {
echo "Rebooting system..."
trap - EXIT
cleanup
reboot
}
cleanup() { cleanup() {
rm -f /tmp/keyfile rm -f /tmp/keyfile
if [[ -d "$root" ]]; then umount "$root/var/lib/sbctl"; fi
if [[ -n "$host" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix"; fi if [[ -n "$host" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix"; fi
if [[ -d "$root" ]]; then rmdir "$root"; fi if [[ -d "$root" ]]; then rmdir "$root"; fi
} }
@@ -124,14 +146,16 @@ main() {
mode="" mode=""
host="" host=""
key="" key=""
enroll_secure_boot_flag="false"
copy_config_flag="false" copy_config_flag="false"
reboot_flag="false" reboot_flag="false"
while getopts "m:h:k:cr" opt; do while getopts "m:h:k:scr" opt; do
case "$opt" in case "$opt" in
m) mode="$OPTARG" ;; m) mode="$OPTARG" ;;
h) host="$OPTARG" ;; h) host="$OPTARG" ;;
k) key="$OPTARG" ;; k) key="$OPTARG" ;;
s) enroll_secure_boot_flag="true" ;;
c) copy_config_flag="true" ;; c) copy_config_flag="true" ;;
r) reboot_flag="true" ;; r) reboot_flag="true" ;;
*) usage ;; *) usage ;;
@@ -153,10 +177,17 @@ main() {
;; ;;
esac esac
copy_keys copy_sops_keys
copy_secure_boot_keys
install install
[[ "$enroll_secure_boot_flag" == "true" ]] && enroll_secure_boot
[[ "$copy_config_flag" == "true" ]] && copy_config [[ "$copy_config_flag" == "true" ]] && copy_config
[[ "$reboot_flag" == "true" ]] && finish
cleanup
[[ "$reboot_flag" == "true" ]] && reboot
} }
main "$@" main "$@"

16
hosts/elara/configs/git/default.nix → hosts/elara/configs/ssh/default.nix
View File

@@ -8,16 +8,28 @@
let let
selfPkgs = inputs.self.packages.${system}; selfPkgs = inputs.self.packages.${system};
in in
# Configured for the root user to allow private builds
{ {
sops.secrets."ssh/sas/ed25519/key" = { sops.secrets = {
"ssh/personal/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "ssh/key";
path = "/root/.ssh/ssh_personal_ed25519_key";
};
"ssh/sas/ed25519/key" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "ssh/ed25519/key"; key = "ssh/ed25519/key";
path = "/root/.ssh/ssh_sas_ed25519_key"; path = "/root/.ssh/ssh_sas_ed25519_key";
}; };
};
programs.ssh = { programs.ssh = {
extraConfig = '' extraConfig = ''
Host karaolidis.com
User git
HostName karaolidis.com
IdentityFile /root/.ssh/ssh_personal_ed25519_key
Host github.com Host github.com
User git User git
HostName github.com HostName github.com

3
hosts/elara/default.nix
View File

@@ -21,6 +21,7 @@
../common/configs/system/git ../common/configs/system/git
../common/configs/system/gpg-agent ../common/configs/system/gpg-agent
../common/configs/system/impermanence ../common/configs/system/impermanence
../common/configs/system/lanzaboote
../common/configs/system/libvirt ../common/configs/system/libvirt
../common/configs/system/neovim ../common/configs/system/neovim
../common/configs/system/networkmanager ../common/configs/system/networkmanager
@@ -47,9 +48,9 @@
../common/configs/system/users ../common/configs/system/users
../common/configs/system/zsh ../common/configs/system/zsh
./configs/git
"${inputs.secrets}/hosts/elara/configs/globalprotect" "${inputs.secrets}/hosts/elara/configs/globalprotect"
./configs/pki ./configs/pki
./configs/ssh
./users/nikara ./users/nikara
]; ];

14
hosts/himalia/configs/ssh/default.nix Normal file
View File

@@ -0,0 +1,14 @@
{ inputs, ... }:
{
sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key";
};
programs.ssh.extraConfig = ''
Host karaolidis.com
User git
HostName karaolidis.com
IdentityFile /root/.ssh/ssh_personal_ed25519_key
'';
}

3
hosts/himalia/default.nix
View File

@@ -17,6 +17,7 @@
../common/configs/system/git ../common/configs/system/git
../common/configs/system/gpg-agent ../common/configs/system/gpg-agent
../common/configs/system/impermanence ../common/configs/system/impermanence
../common/configs/system/lanzaboote
../common/configs/system/libvirt ../common/configs/system/libvirt
../common/configs/system/neovim ../common/configs/system/neovim
../common/configs/system/networkmanager ../common/configs/system/networkmanager
@@ -43,6 +44,8 @@
../common/configs/system/users ../common/configs/system/users
../common/configs/system/zsh ../common/configs/system/zsh
./configs/ssh
./users/nick ./users/nick
]; ];

14
hosts/installer/README.md
View File

@@ -1,12 +1,16 @@
# installer # installer
I have automated myself out of a job. How to use: I have automated myself out of a job. Here's how to use the installer to create a new host:
1. Boot into installer 1. Enable Secure Boot Setup Mode on the target device's UEFI menu - this will vary depending on the manufacturer
2. Connect to the internet with `sudo nmcli device wifi connect "<SSID>" [--ask]` 2. Boot into the installer
3. Run `sudo nix-install /etc/nixos -m install|repair -h host [-k key] [-c] [-r]"` 3. Connect to the internet with `sudo nmcli device wifi connect "<SSID>" [--ask]`
4. Run `sudo nix-install /etc/nixos -m install|repair -s -h host [-k key] [-c] [-r]"`
5. Enable Secure Boot on the device's UEFI menu.
## Reinstalling the Installer ## Reinstalling the Installer
@@ -65,4 +69,4 @@ I have automated myself out of a job. How to use:
6. I really hope you had a backup of the keys, because you must copy them to the repository before the next step. 6. I really hope you had a backup of the keys, because you must copy them to the repository before the next step.
7. Run `nix --experimental-features "nix-command flakes" shell nixpkgs#disko nixpkgs#jq -c bash hosts/common/configs/system/nix-install/install.sh nix -m install -h installer -k personal -c` 7. Run `nix --experimental-features "nix-command flakes" shell nixpkgs#disko nixpkgs#sbctl nixpkgs#jq -c bash hosts/common/configs/system/nix-install/install.sh . -m install -h installer -k personal -c`

14
hosts/installer/configs/ssh/default.nix Normal file
View File

@@ -0,0 +1,14 @@
{ inputs, ... }:
{
sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key";
};
programs.ssh.extraConfig = ''
Host karaolidis.com
User git
HostName karaolidis.com
IdentityFile /root/.ssh/ssh_personal_ed25519_key
'';
}

3
hosts/installer/default.nix
View File

@@ -15,6 +15,7 @@
../common/configs/system/git ../common/configs/system/git
../common/configs/system/gpg-agent ../common/configs/system/gpg-agent
../common/configs/system/impermanence ../common/configs/system/impermanence
../common/configs/system/lanzaboote
../common/configs/system/neovim ../common/configs/system/neovim
../common/configs/system/networkmanager ../common/configs/system/networkmanager
../common/configs/system/nix ../common/configs/system/nix
@@ -35,6 +36,8 @@
../common/configs/system/users ../common/configs/system/users
../common/configs/system/zsh ../common/configs/system/zsh
./configs/ssh
./users/nick ./users/nick
]; ];

14
hosts/jupiter-vps/configs/ssh/default.nix Normal file
View File

@@ -0,0 +1,14 @@
{ inputs, ... }:
{
sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key";
};
programs.ssh.extraConfig = ''
Host karaolidis.com
User git
HostName karaolidis.com
IdentityFile /root/.ssh/ssh_personal_ed25519_key
'';
}

1
hosts/jupiter-vps/default.nix
View File

@@ -23,6 +23,7 @@
./configs/boot ./configs/boot
./configs/podman ./configs/podman
./configs/ssh
./configs/wireguard ./configs/wireguard
]; ];

14
hosts/jupiter/configs/ssh/default.nix Normal file
View File

@@ -0,0 +1,14 @@
{ inputs, ... }:
{
sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key";
};
programs.ssh.extraConfig = ''
Host karaolidis.com
User git
HostName karaolidis.com
IdentityFile /root/.ssh/ssh_personal_ed25519_key
'';
}

2
hosts/jupiter/default.nix
View File

@@ -14,6 +14,7 @@
../common/configs/system/documentation ../common/configs/system/documentation
../common/configs/system/git ../common/configs/system/git
../common/configs/system/impermanence ../common/configs/system/impermanence
../common/configs/system/lanzaboote
../common/configs/system/neovim ../common/configs/system/neovim
../common/configs/system/networkmanager ../common/configs/system/networkmanager
../common/configs/system/nix ../common/configs/system/nix
@@ -32,6 +33,7 @@
../common/configs/system/zsh ../common/configs/system/zsh
./configs/btrbk ./configs/btrbk
./configs/ssh
./configs/tv ./configs/tv
./configs/wireguard ./configs/wireguard

2
secrets

Submodule secrets updated: 22a140f2c1...c072cbb08d