open ssh on chungus for password unlocking

Ingolf Wagner 2024-06-08 22:22:04 +02:00
parent 1bc5e3d034
commit 4e271cba8a
Signed by: palo
GPG key ID: 76BF5F1928B9618B
3 changed files with 69 additions and 3 deletions


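--- a/[file 1 path not shown]
+++ b/[file 1 path not shown]
@@ -1,6 +1,9 @@
 { config, lib, ... }:
 {
-imports = [ ./upgrade-diff.nix ];
+imports = [
+./upgrade-diff.nix
+./tor-ssh.nix
+];
 options.components.nixos.enable = lib.mkOption {
 type = lib.types.bool;
 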

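--- /dev/null
+++ b/[file 2 path not shown]
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with types;
+{
+options.components.nixos.boot = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+kernelModules = mkOption {
+type = listOf str;
+default = [ ];
+description =
+"lspci -v will tell you which kernel module is used for the ethernet interface";
+};
+ssh = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = config.components.nixos.boot.enable;
+};
+};
+};
+config = mkMerge [
+# ssh part
+# --------
+(mkIf (config.components.nixos.boot.ssh.enable) {
+# boot
+boot.initrd.systemd.enable = true;
+boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
+# network
+boot.initrd.systemd.network.enable = true;
+boot.initrd.availableKernelModules = config.components.nixos.boot.kernelModules;
+# ssh
+boot.initrd.network.enable = true;
+boot.initrd.network.ssh = {
+enable = true;
+#authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ;
+#authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
+port = 2222;
+hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys;
+};
+})
+];
+}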
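Review bot: The initrd sshd at `hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys;` reuses the running system's SSH host private keys, and the initrd that has to carry them sits outside whatever volume the password unlock protects, so those keys become readable to anyone who can read the boot medium; the NixOS option documentation for boot.initrd.network.ssh.hostKeys warns against reusing the regular host keys for exactly this reason. A dedicated key pair generated only for the initrd limits a boot-partition compromise to the unlock service instead of also allowing impersonation of the normal sshd; the key location is a deployment choice not shown here. The two commented-out `authorizedKeys`/`authorizedKeyFiles` lines leave a reader guessing who may log in at boot — if I recall the NixOS module correctly the option defaults to root's openssh.authorizedKeys.keys, so either delete the lines or replace them with `# authorizedKeys is left at its NixOS default (root's openssh.authorizedKeys.keys)` to make the intent explicit. Style: the file mixes `lib.mkOption`/`lib.types.bool` with the bare `mkOption`/`listOf str` brought in by `with lib; with types;`, and `mkMerge [ (mkIf … { … }) ]` with a single element can simply be `mkIf … { … }`.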


@ -55,10 +55,13 @@
components.network.wifi.enable = false; components.network.wifi.enable = false;
components.terminal.enable = true; components.terminal.enable = true;
components.nixos.boot.enable = true;
components.nixos.boot.kernelModules = [ "e1000e" ];
components.monitor.enable = true; components.monitor.enable = true;
components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
services.printing.enable = false; services.printing.enable = false;
@ -68,7 +71,7 @@
#}; #};
virtualisation.podman.extraPackages = [ pkgs.zfs ]; # make sure /var/lib/containers/storage is a zfs dataset virtualisation.podman.extraPackages = [ pkgs.zfs ]; # make sure /var/lib/containers/storage is a zfs dataset
sops.defaultSopsFile = ../../secrets/chungus.yaml; #sops.defaultSopsFile = ../../secrets/chungus.yaml;
networking.hostName = "chungus"; networking.hostName = "chungus";