Merged Rubtrm Configurations

homes/x86_64-linux/kb@Ohybke/ssh.nix

@@ -3,10 +3,101 @@
   # SSH Configuration
   services.ssh-agent.enable = true;
   programs.ssh.enable = true;
+  programs.ssh.extraConfig = ''
+    IdentitiesOnly=yes
+  '';
+
+  # SSH Shell Connections
+  programs.ssh.matchBlocks."master@pkpnafs-m1ni" = {
+    host = "pkpnafs";
+    hostname = "pkpnafs.kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
+    port = 3422;
+  };
+  programs.ssh.matchBlocks."master@pkpnafs-ho2o" = {
+    host = "pkpnafs";
+    hostname = "pkpnafs.kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+    port = 3422;
+  };
+  programs.ssh.matchBlocks."master@pkpnafs-lar3" = {
+    host = "pkpnafs";
+    hostname = "pkpnafs.kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";
+    port = 3422;
+  };
+  programs.ssh.matchBlocks."master@senfnvp-m1ni" = {
+    host = "senfnvp";
+    hostname = "senfnvp.kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
+    port = 9553;
+  };
+  programs.ssh.matchBlocks."master@senfnvp-ho2o" = {
+    host = "senfnvp";
+    hostname = "senfnvp.kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+    port = 9553;
+  };
+  programs.ssh.matchBlocks."master@senfnvp-lar3" = {
+    host = "senfnvp";
+    hostname = "senfnvp.kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";
+    port = 9553;
+  };
+  programs.ssh.matchBlocks."master@mow0m-m1ni" = {
+    host = "mow0m";
+    hostname = "mow0m";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
+    port = 9553;
+  };
+  programs.ssh.matchBlocks."master@mow0m-ho2o" = {
+    host = "mow0m";
+    hostname = "mow0m";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+    port = 9553;
+  };
+  programs.ssh.matchBlocks."master@mow0m-lar3" = {
+    host = "mow0m";
+    hostname = "mow0m";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";
+    port = 9553;
+  };
+  programs.ssh.matchBlocks."master@web-m1ni" = {
+    host = "web";
+    hostname = "kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
+    port = 2222;
+  };
+  programs.ssh.matchBlocks."master@web-ho2o" = {
+    host = "web";
+    hostname = "kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+    port = 2222;
+  };
+  programs.ssh.matchBlocks."master@web-lar3" = {
+    host = "web";
+    hostname = "kb-one.de";
+    user = "master";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3t.";
+    port = 2222;
+  };
+
+  # SSH Git Connections
   programs.ssh.matchBlocks."kb01@kb-one-git" = {
     host = "git.kb-one.de";
     user = "git";
-    identityFile = "~/.ssh/kb01@kb-one-git";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-git@m1ni";
     port = 9522;
   };
   programs.ssh.matchBlocks."kb01@0x90-git" = {
@@ -14,39 +105,59 @@
     user = "git";
     identityFile = "~/.ssh/kb01@0x90-git";
   };
-  programs.ssh.matchBlocks."master@pkpnafs" = {
+
-    host = "pkpnafs";
+  # SSH Remoteunlock Connections
-    hostname = "pkpnafs.kb-one.de";
+  programs.ssh.matchBlocks."remoteunlock@senfnvp-m1ni" = {
-    user = "master";
-    identityFile = "~/.ssh/master@pkpnafs";
-    port = 3422;
-  };
-  programs.ssh.matchBlocks."master@kb-web-01" = {
-    host = "kb-web-01";
-    hostname = "kb-one.de";
-    user = "master";
-    identityFile = "~/.ssh/master@kb-web-01";
-    port = 2222;
-  };
-  programs.ssh.matchBlocks."remoteunlock-senfnvp" = {
     host = "remoteunlock-senfnvp";
     hostname = "senfnvp.kb-one.de";
     user = "root";
-    identityFile = "~/.ssh/remoteunlock-senfnvp";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@m1ni";
     port = 7299;
   };
-  programs.ssh.matchBlocks."master@senfnvp" = {
+  programs.ssh.matchBlocks."remoteunlock@senfnvp-ho2o" = {
+    host = "remoteunlock-senfnvp";
+    hostname = "senfnvp.kb-one.de";
+    user = "root";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@ho2o";
+    port = 7299;
+  };
+  programs.ssh.matchBlocks."remoteunlock@senfnvp-lar3" = {
+    host = "remoteunlock-senfnvp";
+    hostname = "senfnvp.kb-one.de";
+    user = "root";
+    identityFile = "~/.ssh/id_ed25519_sk_rk_kb-ssh@lar3";
+    port = 7299;
+  };
+
+  # Nix Build Hosts
+  programs.ssh.matchBlocks."nix-builder@pkpnafs" = {
+    host = "pkpnafs";
+    hostname = "pkpnafs.kb-one.de";
+    user = "nix-builder";
+    identityFile = "~/.ssh/nix-builder@pkpnafs";
+    port = 3422;
+  };
+  programs.ssh.matchBlocks."nix-builder@senfnvp" = {
     host = "senfnvp";
     hostname = "senfnvp.kb-one.de";
-    user = "master";
+    user = "nix-builder";
-    identityFile = "~/.ssh/master@senfnvp";
+    identityFile = "~/.ssh/nix-builder@senfnvp";
     port = 9553;
   };
-  programs.ssh.matchBlocks."master@mow0m" = {
+
-    host = "mow0m";
+  # Nix Caches
-    hostname = "mow0m";
+  programs.ssh.matchBlocks."nix-ssh@pkpnafs" = {
-    user = "master";
+    host = "pkpnafs";
-    identityFile = "~/.ssh/master@mow0m";
+    hostname = "pkpnafs.kb-one.de";
+    user = "nix-ssh";
+    identityFile = "~/.ssh/nix-ssh@pkpnafs";
+    port = 3422;
+  };
+  programs.ssh.matchBlocks."nix-ssh@senfnvp" = {
+    host = "senfnvp";
+    hostname = "senfnvp.kb-one.de";
+    user = "nix-ssh";
+    identityFile = "~/.ssh/nix-ssh@senfnvp";
     port = 9553;
   };
 }

systems/i686-linux/Rubtrm/default.nix

@@ -72,9 +72,15 @@
     variant = "";
   };
 
+  # Security
+  security.rtkit.enable = true;
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+
   # Enable sound with pipewire.
   services.pulseaudio.enable = false;
-  security.rtkit.enable = true;
   services.pipewire = {
     enable = true;
     alsa.enable = true;

systems/i686-linux/Rubtrm/hardware.nix

@@ -1,44 +1,61 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
+  imports = [
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  ];
 
+  # Nix Config
+  nixpkgs.hostPlatform = lib.mkDefault "i686-linux";
+
+  # Kernel
   boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "usbhid" "usb_storage" "ums_realtek" "sd_mod" ];
   boot.initrd.kernelModules = [ "dm-snapshot" "cryptd" ];
-  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/NIXOS_LUKS";
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
   boot.kernelParams = [ "i915.force_probe=27ae" ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/NIXOS_ROOT";
-      fsType = "ext4";
-    };
 
-  fileSystems."/boot" =
+  # Boot Process
-    { device = "/dev/disk/by-label/NIXOS_BOOT";
+  boot.loader.grub = {
-      fsType = "vfat";
+    enable = true;
-    };
+    copyKernels = true;
+  };
+  boot.initrd.systemd.enable = true;
+  #boot.plymouth.enable = true;
+  #boot.plymouth.logo = pkgs.fetchurl {
+  #  url = "https://forum.auxolotl.org/uploads/default/original/1X/be37690f0748737fc813dd3592848f5323a7f277.png";
+  #  hash = "sha256-+E7mAoEMnHsavKzEdTosli08Oohq+yt3WB4Uhwpi0Vg=";
+  #};
 
+  # Filesystems
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/NIXOS_BOOT";
+    fsType = "vfat";
+  };
+  fileSystems."/" = { 
+    device = "/dev/disk/by-label/NIXOS_ROOT";
+    fsType = "ext4";
+  };
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/NIXOS_LUKS";
+  boot.initrd.luks.devices."cryptroot".crypttabExtraOpts = [ "fido2-device=auto" ];
   swapDevices = [ 
     {
       device = "/.swapfile";
     }
   ];
 
+  # Misc
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
 
-  nixpkgs.hostPlatform = lib.mkDefault "i686-linux";
+  # Firmware
-  # networking.enableIntel3945ABGFirmware = true;
+  # intel-media-driver
-  #hardware.graphics.package = pkgs.intel-media-driver;
+  # intel-vaapi-driver
-  hardware.graphics.extraPackages = [ pkgs.intel-media-driver pkgs.intel-vaapi-driver ];
+  # libva-vdpau-drivemesar
+  # libvdpau-va-gl
+  # mesa
+  hardware.graphics.extraPackages = [ pkgs.driversi686Linux.mesa ];
+  hardware.graphics.extraPackages32 = [ pkgs.driversi686Linux.mesa ];
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   hardware.enableAllFirmware = true;
 }

systems/x86_64-linux/Ohybke/default.nix

@@ -10,6 +10,10 @@
   nix.settings = {
     experimental-features = [ "nix-command" "flakes" ];
   };
+  nix.extraOptions = ''
+    secret-key-files = /root/secrets/cache-Ohybke.sec
+    builders-use-substitutes = true
+  '';
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.permittedInsecurePackages = [
     "electron-27.3.11"
@@ -28,9 +32,6 @@
     }
   ];
   nix.distributedBuilds = true;
-  nix.extraOptions = ''
-    builders-use-substitutes = true
-  '';
 
   # Networking
   networking.hostName = "Ohybke";
@@ -123,7 +124,7 @@
 
   services.numen = {
     enable = true;
-    autoStart = true;
+    autoStart = false;
     phrasesPkg = pkgs.kb-one.numen-phrases.override {
       customWakeWords-en = [ "cyber" "writer" "activate" ];
       customWakeWords-de = [ "aktivier" "cyber" "schreiber" ];