diff --git a/homes/x86_64-linux/kb@Ohybke/ssh.nix b/homes/x86_64-linux/kb@Ohybke/ssh.nix
index 8ca45ce..7dbc361 100644
--- a/homes/x86_64-linux/kb@Ohybke/ssh.nix
+++ b/homes/x86_64-linux/kb@Ohybke/ssh.nix
@@ -3,10 +3,101 @@
 # SSH Configuration
 services.ssh-agent.enable = true;
 programs.ssh.enable = true;
+ programs.ssh.extraConfig = ''
+ IdentitiesOnly=yes
+ '';
+
+ # SSH Shell Connections
+ programs.ssh.matchBlocks."master@pkpnafs-m1ni" = {
+ host = "pkpnafs";
+ hostname = "pkpnafs.kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
+ port = 3422;
+ };
+ programs.ssh.matchBlocks."master@pkpnafs-ho2o" = {
+ host = "pkpnafs";
+ hostname = "pkpnafs.kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+ port = 3422;
+ };
+ programs.ssh.matchBlocks."master@pkpnafs-lar3" = {
+ host = "pkpnafs";
+ hostname = "pkpnafs.kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";
+ port = 3422;
+ };
+ programs.ssh.matchBlocks."master@senfnvp-m1ni" = {
+ host = "senfnvp";
+ hostname = "senfnvp.kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
+ port = 9553;
+ };
+ programs.ssh.matchBlocks."master@senfnvp-ho2o" = {
+ host = "senfnvp";
+ hostname = "senfnvp.kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+ port = 9553;
+ };
+ programs.ssh.matchBlocks."master@senfnvp-lar3" = {
+ host = "senfnvp";
+ hostname = "senfnvp.kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";
+ port = 9553;
+ };
+ programs.ssh.matchBlocks."master@mow0m-m1ni" = {
+ host = "mow0m";
+ hostname = "mow0m";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
+ port = 9553;
+ };
+ programs.ssh.matchBlocks."master@mow0m-ho2o" = {
+ host = "mow0m";
+ hostname = "mow0m";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+ port = 9553;
+ };
+ programs.ssh.matchBlocks."master@mow0m-lar3" = {
+ host = "mow0m";
+ hostname = "mow0m";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";
+ port = 9553;
+ };
+ programs.ssh.matchBlocks."master@web-m1ni" = {
+ host = "web";
+ hostname = "kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
+ port = 2222;
+ };
+ programs.ssh.matchBlocks."master@web-ho2o" = {
+ host = "web";
+ hostname = "kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+ port = 2222;
+ };
+ programs.ssh.matchBlocks."master@web-lar3" = {
+ host = "web";
+ hostname = "kb-one.de";
+ user = "master";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3t.";
+ port = 2222;
+ };
+
+ # SSH Git Connections
 programs.ssh.matchBlocks."kb01@kb-one-git" = {
 host = "git.kb-one.de";
 user = "git";
- identityFile = "~/.ssh/kb01@kb-one-git";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-git@m1ni";
 port = 9522;
 };
 programs.ssh.matchBlocks."kb01@0x90-git" = {
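Review bot: The `master@web-lar3` block's key path ends in `lar3t.` (`identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3t.";`) while every other lar3 block uses `@lar3`, so that file almost certainly does not exist, and with the `IdentitiesOnly=yes` added at the top of this hunk ssh offers only the listed files, leaving the web host without the lar3 key. Change it to `identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";`. Since the three blocks per host share one `host` pattern they act as a single `Host` stanza, where ssh takes the first `User`/`Port` it sees and accumulates every `IdentityFile`; a comment such as `# one block per security key: ssh offers all matching IdentityFiles` would stop a later reader from "deduplicating" them. The enclosing attribute set opens before the hunk.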
@@ -14,39 +105,59 @@
 user = "git";
 identityFile = "~/.ssh/kb01@0x90-git";
 };
- programs.ssh.matchBlocks."master@pkpnafs" = {
- host = "pkpnafs";
- hostname = "pkpnafs.kb-one.de";
- user = "master";
- identityFile = "~/.ssh/master@pkpnafs";
- port = 3422;
- };
- programs.ssh.matchBlocks."master@kb-web-01" = {
- host = "kb-web-01";
- hostname = "kb-one.de";
- user = "master";
- identityFile = "~/.ssh/master@kb-web-01";
- port = 2222;
- };
- programs.ssh.matchBlocks."remoteunlock-senfnvp" = {
+
+ # SSH Remoteunlock Connections
+ programs.ssh.matchBlocks."remoteunlock@senfnvp-m1ni" = {
 host = "remoteunlock-senfnvp";
 hostname = "senfnvp.kb-one.de";
 user = "root";
- identityFile = "~/.ssh/remoteunlock-senfnvp";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
 port = 7299;
 };
- programs.ssh.matchBlocks."master@senfnvp" = {
+ programs.ssh.matchBlocks."remoteunlock@senfnvp-ho2o" = {
+ host = "remoteunlock-senfnvp";
+ hostname = "senfnvp.kb-one.de";
+ user = "root";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+ port = 7299;
+ };
+ programs.ssh.matchBlocks."remoteunlock@senfnvp-lar3" = {
+ host = "remoteunlock-senfnvp";
+ hostname = "senfnvp.kb-one.de";
+ user = "root";
+ identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";
+ port = 7299;
+ };
+
+ # Nix Build Hosts
+ programs.ssh.matchBlocks."nix-builder@pkpnafs" = {
+ host = "pkpnafs";
+ hostname = "pkpnafs.kb-one.de";
+ user = "nix-builder";
+ identityFile = "~/.ssh/nix-builder@pkpnafs";
+ port = 3422;
+ };
+ programs.ssh.matchBlocks."nix-builder@senfnvp" = {
 host = "senfnvp";
 hostname = "senfnvp.kb-one.de";
- user = "master";
- identityFile = "~/.ssh/master@senfnvp";
+ user = "nix-builder";
+ identityFile = "~/.ssh/nix-builder@senfnvp";
 port = 9553;
 };
- programs.ssh.matchBlocks."master@mow0m" = {
- host = "mow0m";
- hostname = "mow0m";
- user = "master";
- identityFile = "~/.ssh/master@mow0m";
+
+ # Nix Caches
+ programs.ssh.matchBlocks."nix-ssh@pkpnafs" = {
+ host = "pkpnafs";
+ hostname = "pkpnafs.kb-one.de";
+ user = "nix-ssh";
+ identityFile = "~/.ssh/nix-ssh@pkpnafs";
+ port = 3422;
+ };
+ programs.ssh.matchBlocks."nix-ssh@senfnvp" = {
+ host = "senfnvp";
+ hostname = "senfnvp.kb-one.de";
+ user = "nix-ssh";
+ identityFile = "~/.ssh/nix-ssh@senfnvp";
 port = 9553;
 };
 }
diff --git a/systems/i686-linux/Rubtrm/default.nix b/systems/i686-linux/Rubtrm/default.nix
index fa927b5..34cb390 100644
--- a/systems/i686-linux/Rubtrm/default.nix
+++ b/systems/i686-linux/Rubtrm/default.nix
@@ -72,9 +72,15 @@
 variant = "";
 };
 
+ # Security
+ security.rtkit.enable = true;
+ security.pam.services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ };
+
 # Enable sound with pipewire.
 services.pulseaudio.enable = false;
- security.rtkit.enable = true;
 services.pipewire = {
 enable = true;
 alsa.enable = true;
diff --git a/systems/i686-linux/Rubtrm/hardware.nix b/systems/i686-linux/Rubtrm/hardware.nix
index ad0eaef..052bc18 100644
--- a/systems/i686-linux/Rubtrm/hardware.nix
+++ b/systems/i686-linux/Rubtrm/hardware.nix
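Review bot: `nix-builder@pkpnafs` and `nix-ssh@pkpnafs` reuse `host = "pkpnafs"` (and the senfnvp pair reuses `host = "senfnvp"`), the same pattern the `master@pkpnafs-*` blocks in the previous hunk match on, so all of them collapse into one `Host pkpnafs` stanza: ssh keeps the first `User` and `Port` it encounters and accumulates every `IdentityFile`, so `ssh pkpnafs` logs in as whichever user home-manager happens to emit first and offers the security-key identities alongside the builder and cache keys. If the blocks are meant to be selected by account, give them distinct aliases (e.g. `host = "nix-builder-pkpnafs";`) or replace `host` with a `match = "user nix-builder host pkpnafs";` condition so the `nix-builder`/`nix-ssh` keys stay off the interactive blocks. The enclosing attribute set starts before the hunk.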
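Review bot: `login.u2fAuth = true` and `sudo.u2fAuth = true` add pam_u2f to those stacks with whatever `security.pam.u2f.control` is set to, and its default is `sufficient`, so a registered token satisfies login and sudo on its own rather than acting as a second factor; if password-plus-key is the intent, add `security.pam.u2f.control = "required";` beside these lines. pam_u2f also defaults to a per-user key mapping file in the user's own config directory, which with `sufficient` means whoever can write that file decides which tokens unlock sudo, so pointing the module's authfile setting at a root-owned path is worth considering in the same block. A one-line comment stating which of the two modes is intended would help the next reader.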
@@ -1,44 +1,61 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + # Nix Config + nixpkgs.hostPlatform = lib.mkDefault "i686-linux"; + + # Kernel boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "usbhid" "usb_storage" "ums_realtek" "sd_mod" ]; boot.initrd.kernelModules = [ "dm-snapshot" "cryptd" ]; - boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/NIXOS_LUKS"; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; boot.kernelParams = [ "i915.force_probe=27ae" ]; - fileSystems."/" = - { device = "/dev/disk/by-label/NIXOS_ROOT"; - fsType = "ext4"; - }; - fileSystems."/boot" = - { device = "/dev/disk/by-label/NIXOS_BOOT"; - fsType = "vfat"; - }; + # Boot Process + boot.loader.grub = { + enable = true; + copyKernels = true; + }; + boot.initrd.systemd.enable = true; + #boot.plymouth.enable = true; + #boot.plymouth.logo = pkgs.fetchurl { + # url = "https://forum.auxolotl.org/uploads/default/original/1X/be37690f0748737fc813dd3592848f5323a7f277.png"; + # hash = "sha256-+E7mAoEMnHsavKzEdTosli08Oohq+yt3WB4Uhwpi0Vg="; + #}; + # Filesystems + fileSystems."/boot" = { + device = "/dev/disk/by-label/NIXOS_BOOT"; + fsType = "vfat"; + }; + fileSystems."/" = { + device = "/dev/disk/by-label/NIXOS_ROOT"; + fsType = "ext4"; + }; + boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/NIXOS_LUKS"; + boot.initrd.luks.devices."cryptroot".crypttabExtraOpts = [ "fido2-device=auto" ]; swapDevices = [ { device = "/.swapfile"; } ]; + # Misc networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true; - 
nixpkgs.hostPlatform = lib.mkDefault "i686-linux"; - # networking.enableIntel3945ABGFirmware = true; - #hardware.graphics.package = pkgs.intel-media-driver; - hardware.graphics.extraPackages = [ pkgs.intel-media-driver pkgs.intel-vaapi-driver ]; + # Firmware + # intel-media-driver + # intel-vaapi-driver + # libva-vdpau-drivemesar + # libvdpau-va-gl + # mesa + hardware.graphics.extraPackages = [ pkgs.driversi686Linux.mesa ]; + hardware.graphics.extraPackages32 = [ pkgs.driversi686Linux.mesa ]; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.enableAllFirmware = true; }
diff --git a/systems/x86_64-linux/Ohybke/default.nix b/systems/x86_64-linux/Ohybke/default.nix
index 5bd4650..b404c07 100644
--- a/systems/x86_64-linux/Ohybke/default.nix
+++ b/systems/x86_64-linux/Ohybke/default.nix
@@ -10,6 +10,10 @@
 nix.settings = {
 experimental-features = [ "nix-command" "flakes" ];
 };
+ nix.extraOptions = ''
+ secret-key-files = /root/secrets/cache-Ohybke.sec
+ builders-use-substitutes = true
+ '';
 nixpkgs.config.allowUnfree = true;
 nixpkgs.config.permittedInsecurePackages = [
 "electron-27.3.11"
@@ -28,9 +32,6 @@
 }
 ];
 nix.distributedBuilds = true;
- nix.extraOptions = ''
- builders-use-substitutes = true
- '';
 
 # Networking
 networking.hostName = "Ohybke";
@@ -123,7 +124,7 @@
 
 services.numen = {
 enable = true;
- autoStart = true;
+ autoStart = false;
 phrasesPkg = pkgs.kb-one.numen-phrases.override {
 customWakeWords-en = [ "cyber" "writer" "activate" ];
 customWakeWords-de = [ "aktivier" "cyber" "schreiber" ];
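Review bot: The firmware comment block contains `# libva-vdpau-drivemesar`, which looks like `libva-vdpau-driver` and `mesa` run together, and nothing says whether the five names are alternatives that were tried or packages still to be added; fixing the spelling and heading the list with something like `# Alternatives considered for VA-API/VDPAU; only mesa is enabled` would make the intent clear. `hardware.graphics.extraPackages32` is set to the same mesa package as `extraPackages` on a host declared `i686-linux`, where a separate 32-bit set appears redundant, so it either deserves a comment saying why it is there or can be dropped. The new `fido2-device=auto` crypttab option is, as far as the NixOS option description goes, only honoured with the systemd stage-1 that this hunk also enables; a short note such as `# crypttabExtraOpts needs boot.initrd.systemd.enable` would keep someone from turning off one without the other.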
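Review bot: `secret-key-files = /root/secrets/cache-Ohybke.sec` makes nix-daemon sign every store path it builds, so this key becomes a trust root for any host that lists its public half in `trusted-public-keys`, and nothing in the hunk records that; a comment such as `# signs local builds for the ssh caches; public key must be in consumers' trusted-public-keys` would make the coupling to the `nix-ssh` blocks in ssh.nix visible. Both values could also be written as typed options, `nix.settings.secret-key-files = [ "/root/secrets/cache-Ohybke.sec" ];` and `nix.settings.builders-use-substitutes = true;`, which merges with the `nix.settings` block two lines above instead of living in a free-form string. Since the path is outside the store, it is worth noting in a comment how the file is provisioned and that it should be root-owned with mode 0600, so a rebuild on a fresh machine does not start the daemon without its key.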