feat: new deploy system, allows for in-repo pii

2025-12-06 09:07:21 +01:00 · 2025-06-11 02:25:34 +02:00 · 2025-06-11 02:25:34 +02:00 · a11c7854d1
commit a11c7854d1
parent 7e11641fe7
19 changed files with 1251 additions and 412 deletions
--- a/modules/nixos/common/home-manager.nix
+++ b/modules/nixos/common/home-manager.nix
@ -6,6 +6,14 @@
    home-manager = lib.mkIf config.swarselsystems.withHomeManager {
      useGlobalPkgs = true;
      useUserPackages = true;
+      verbose = true;
+      sharedModules = [
+        inputs.nix-index-database.hmModules.nix-index
+        inputs.sops-nix.homeManagerModules.sops
+        {
+          home.stateVersion = lib.mkDefault config.system.stateVersion;
+        }
+      ];
      extraSpecialArgs = { inherit (inputs) self; };
    };
  };
--- a/modules/nixos/common/lanzaboote.nix
+++ b/modules/nixos/common/lanzaboote.nix
@ -10,7 +10,7 @@
      lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
        enable = true;
        pkiBundle = "/var/lib/sbctl";
-        configurationLimit = 3;
+        configurationLimit = 6;
      };
    };
  };
--- a/modules/nixos/server/packages.nix
+++ b/modules/nixos/server/packages.nix
@ -5,6 +5,7 @@
    environment.systemPackages = with pkgs; [
      gnupg
      nix-index
+      nvd
      ssh-to-age
      git
      emacs
--- a/modules/nixos/server/ssh.nix
+++ b/modules/nixos/server/ssh.nix
@ -4,6 +4,18 @@
  config = lib.mkIf config.swarselsystems.modules.server.ssh {
    services.openssh = {
      enable = true;
+      startWhenNeeded = lib.mkForce false;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "yes";
+      };
+      hostKeys = [
+        {
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
    };
    users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
      (self + /secrets/keys/ssh/yubikey.pub)