diff --git a/flake.nix b/flake.nix
index 53e35f5..e938e85 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,14 +21,13 @@ lib = nixpkgs.lib; lib' = import ./lib.nix { inherit lib; }; mod = lib'.walk-dir ./mod; - var = lib'.walk-dir ./var; + specialArgs = { - inherit - inputs - lib' - mod - var - ; + inherit inputs lib' mod; + var = (lib'.walk-dir ./var).map_import; + }; + overlays = _: { + nixpkgs.overlays = [ colmena.overlay ]; }; in {
@@ -38,8 +37,9 @@ inherit specialArgs; modules = [ ./host/solo - mod.common._nixos_mod - mod.pc-common._nixos_mod + mod.common.to_mod + mod.pc-common.to_mod + overlays ]; };
@@ -48,8 +48,9 @@ inherit specialArgs; modules = [ ./host/c2 - mod.common._nixos_mod - mod.pc-common._nixos_mod + mod.common.to_mod + mod.pc-common.to_mod + overlays ]; }; };
@@ -68,7 +69,8 @@ }; imports = [ ./host/roam - mod.common._nixos_mod + mod.common.to_mod + overlays ]; }; };
diff --git a/host/roam/default.nix b/host/roam/default.nix
index 83fbb4a..13168c7 100644
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@@ -1,8 +1,11 @@ { lib', ... }: +let + submodules = lib'.walk-dir ./.; +in { networking.hostName = "roam"; - imports = lib'.import-recursive ./.; + imports = [ submodules.to_mod_without_default ]; # ====== DON'T CHANGE ====== system.stateVersion = "24.11";
diff --git a/host/solo/default.nix b/host/solo/default.nix
index be09b34..25779da 100644
--- a/host/solo/default.nix
+++ b/host/solo/default.nix
@@ -1,8 +1,11 @@ { lib', ... }: +let + submodules = lib'.walk-dir ./.; +in { networking.hostName = "solo"; - imports = lib'.import-recursive ./.; + imports = [ submodules.to_mod_without_default ]; powerManagement = { enable = true;
diff --git a/lib.nix b/lib.nix
index 21e21f3..6ec418d 100644
--- a/lib.nix
+++ b/lib.nix
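Review bot: `overlays = _: { nixpkgs.overlays = [ colmena.overlay ]; };` in the first flake.nix hunk is an anonymous NixOS module with no comment, and it is then repeated by hand in the solo, c2 and roam module lists of the next three hunks. A one-line comment above it would make the dependency visible, e.g. `# applies the colmena flake input's overlay so modules can use a plain pkgs.colmena (see mod/common/shell.nix)`. The name `colmena` must be bound by the enclosing `outputs` argument set, which lies outside the hunk, so I cannot confirm it resolves. `var = (lib'.walk-dir ./var).map_import;` also quietly changes `var` from a tree of paths to a tree of imported values, which is what `var.ssh-keys.unprivileged` in mod/common/users.nix relies on; that deserves a comment as well.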
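Review bot: `imports = [ submodules.to_mod_without_default ];` in host/roam/default.nix depends on walk-dir dropping this directory's own `default` entry, which is the only thing keeping the file from importing itself; the identical line appears in host/solo/default.nix. A comment on the `let` binding would record that, e.g. `# every .nix file below this directory except this default.nix itself`. Note that, as far as the lib.nix hunk shows, `without_default` uses `removeAttrs subpaths [ "default" ]` at a single level, so a `default.nix` inside a subdirectory of the host directory is still imported alongside its siblings.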
@@ -1,33 +1,47 @@ { lib, ... }: +with builtins; rec { walk-dir = - path: let - dir = builtins.readDir path; + walk-dir-inner = + path: + let + dir = readDir path; - subpaths = lib.mapAttrs' (filename: value: { - name = lib.removeSuffix ".nix" filename; - value = - if value == "regular" then - path + "/$(unknown)" - else if value == "directory" then - walk-dir (path + "/$(unknown)") - else - builtins.throw "Items of type ${value} are unsupported."; - }) dir; - in - subpaths - // rec { - _files = lib.collect builtins.isPath (subpaths // { default = { }; }); - _nix_files = builtins.filter (lib.hasSuffix ".nix") _files; - _nixos_mod = - { ... }: - { - imports = _nix_files; + in + lib.mapAttrs' (filename: value: { + name = lib.removeSuffix ".nix" filename; + value = + if value == "regular" then + path + "/$(unknown)" + else if value == "directory" then + walk-dir-inner (path + "/$(unknown)") + else + throw "Items of type ${value} are unsupported."; + }) dir; + + helper-attrs = + subpaths: + let + _files = lib.collect (x: isPath x || isString x) subpaths; + _nix_files = filter (lib.hasSuffix ".nix") _files; + in + rec { + to_mod = _: { + imports = _nix_files; + }; + to_mod_without_default = without_default.to_mod; + collect_nix_files = _nix_files; + map_import = lib.mapAttrsRecursive (_: import) subpaths; + without_default = + let + subpaths' = removeAttrs subpaths [ "default" ]; + in + with-helper-attrs subpaths'; }; - }; - # Takes a path `p` and returns a list of all files in that - # directory recursively, ignoring `p/default.nix`. - import-recursive = path: (walk-dir path)._files; + with-helper-attrs = + x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x; + in + p: with-helper-attrs (walk-dir-inner p); }
diff --git a/mod/common/shell.nix b/mod/common/shell.nix
index 5d5ab8e..307ffb2 100644
--- a/mod/common/shell.nix
+++ b/mod/common/shell.nix
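Review bot: In `with-helper-attrs`, `lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x` lets the helper names (`to_mod`, `to_mod_without_default`, `collect_nix_files`, `map_import`, `without_default`) silently replace a file or directory of the same name, so a module called e.g. `to_mod.nix` would vanish from `to_mod`'s imports without any error. The walker can detect that cheaply with `intersectAttrs` and throw, as sketched below. Removing the old `# Takes a path ...` comment also leaves `walk-dir`, now the file's only export, undocumented; a header comment describing the returned tree (directory entries mapped to paths or nested trees, each tree decorated with the five helpers) would help. The `"/$(unknown)"` fragments on the `path + …` lines look like an artifact of how this page was rendered rather than the committed text, so I have not reviewed them.
```nix
with-helper-attrs =
  x:
  if isAttrs x then
    let
      helpers = helper-attrs x;
      clashes = attrNames (intersectAttrs helpers x);
    in
    if clashes != [ ] then
      throw "walk-dir: entries ${toString clashes} clash with helper attribute names"
    else
      lib.mapAttrs (_: with-helper-attrs) x // helpers
  else
    x;
# … unchanged: walk-dir-inner, helper-attrs, final `p: with-helper-attrs (walk-dir-inner p)` …
```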
@@ -18,7 +18,7 @@ unzip wget wl-clipboard - inputs.colmena.packages."x86_64-linux".colmena # todo use overlay + colmena ]; programs = {
diff --git a/mod/common/users.nix b/mod/common/users.nix
index bcf37c0..48a8b29 100644
--- a/mod/common/users.nix
+++ b/mod/common/users.nix
@@ -2,6 +2,7 @@ pkgs, lib, options, + var, ... }: {
@@ -15,24 +16,12 @@ extraGroups = [ "wheel" ]; shell = pkgs.fish; packages = [ ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB" - ]; + openssh.authorizedKeys.keys = var.ssh-keys.unprivileged; hashedPassword = "$y$jDT$dhvO.xqs8mopz.sFFul.q/$ud5642o7CnVetU6QEu0ctiVMFh7ngZznDf0wp4cXos8"; }; users.root = { hashedPassword = "!"; - - # I don't like the unprivileged users to have unrestricted access to root - # but this is required for colmena. Better options are - # - only authorize root's pubkey - # - create password protected key - # TODO: do one of the above - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB" - ]; + openssh.authorizedKeys.keys = var.ssh-keys.priviliged; }; }; }
diff --git a/var/ssh-keys.nix b/var/ssh-keys.nix
new file mode 100644
index 0000000..4ef907e
--- /dev/null
+++ b/var/ssh-keys.nix
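Review bot: `var.ssh-keys.priviliged` in the second users.nix hunk matches the misspelled attribute defined in var/ssh-keys.nix, so it evaluates, but it sits next to `unprivileged` and will trip the next edit; renaming it to `privileged` is a one-word change in each of the two files. The removed comment explained why root's authorized keys needed attention, and the new line carries nothing, so a short note above `openssh.authorizedKeys.keys = var.ssh-keys.priviliged;` such as `# root accepts only the dedicated deploy key(s) from var/ssh-keys.nix, not the interactive users' keys` would keep the intent on record now that the two lists differ. As far as the hunks show, `c2` no longer has a key authorized for root, so deploying from `c2` presumably stops working; confirm that is intended.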
@@ -0,0 +1,13 @@
+rec {
+ # this is only used for forcing password entry on colmena apply
+ priviliged-by-host = {
+ "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
+ };
+ priviliged = builtins.attrValues priviliged-by-host;
+
+ unprivileged-by-host = {
+ "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
+ "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
+ };
+ unprivileged = builtins.attrValues unprivileged-by-host;
+}
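Review bot: The comment `# this is only used for forcing password entry on colmena apply` on the new file's second line describes an effect this file cannot produce on its own: an authorized_keys entry never forces a prompt, so the prompt presumably comes from the matching private key on `solo` being passphrase-protected. Rewording it to say what the data is and where the guarantee actually lives would be clearer, e.g. `# keys authorized for root (colmena deploys); their private keys are passphrase-protected on the client, which is what makes every apply prompt` (confirm the passphrase part). It would also be worth stating that the `-by-host` attribute names refer to the machine holding the private key, since the same host names are used for deployment targets in flake.nix.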