enable external SMTP for hydra (#49)

* external SMTP for hydra

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

* nix-serve sops

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

* add binary cache

* add hydra jobs

* cleanup (#50)

* finish up cleanup branch merge

* switched back to nixpkgs-fmt

* add nixpkgs-fmt to hydrajobs.build

---------

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
Co-authored-by: Dennis Wuitz <dennish@wuitz.de>
Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com>
This commit is contained in:
Alice Huston 2024-02-01 16:50:14 -05:00 committed by GitHub
parent 10ed0c633b
commit 241c66f5ec
27 changed files with 412 additions and 361 deletions


@ -48,11 +48,13 @@ creation_rules:
- pgp:
- *admin_alice
age: *servers
- path_regex: users/dennis/secrets\.yaml$
key_groups:
- pgp:
- *admin_dennis
age: *servers
- path_regex: users/richie/secrets\.yaml$
key_groups:
- pgp:

137
flake.lock generated

@ -16,6 +16,25 @@
"type": "gitlab"
}
},
"fenix": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1706768574,
"narHash": "sha256-4o6TMpzBHO659EiJTzd/EGQGUDdbgwKwhqf3u6b23U8=",
"owner": "nix-community",
"repo": "fenix",
"rev": "668102037129923cd0fc239d864fce71eabdc6a3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -52,6 +71,21 @@
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1637014545,
"narHash": "sha256-26IZAc5yzlD9FlDT54io1oqG/bBoyka+FJk5guaX4x4=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -59,11 +93,11 @@
]
},
"locked": {
"lastModified": 1706473109,
"narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=",
"lastModified": 1706798041,
"narHash": "sha256-BbvuF4CsVRBGRP8P+R+JUilojk0M60D7hzqE0bEvJBQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "d634c3abafa454551f2083b054cd95c3f287be61",
"rev": "4d53427bce7bf3d17e699252fd84dc7468afc46e",
"type": "github"
},
"original": {
@ -126,22 +160,6 @@
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1706182238,
"narHash": "sha256-Ti7CerGydU7xyrP/ow85lHsOpf+XMx98kQnPoQCSi1g=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "f84eaffc35d1a655e84749228cde19922fcf55f1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixos-modules": {
"inputs": {
"flake-utils": [
@ -152,11 +170,11 @@
]
},
"locked": {
"lastModified": 1706608774,
"narHash": "sha256-kbMofnGXCRPInXWm7UAfMYcvIAuHIZO0vBytNhWt+nc=",
"lastModified": 1706740920,
"narHash": "sha256-uFwu44BZf17WYMAEmYIcdtVyNLDRVselv3rNsm7PYeE=",
"owner": "SuperSandro2000",
"repo": "nixos-modules",
"rev": "2dae76c258451a2c98e3dee5d1144f5061878e2a",
"rev": "453f941ff2cde75a5aac5d99c695d368fa28b7e1",
"type": "github"
},
"original": {
@ -167,11 +185,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1706371002,
"narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=",
"lastModified": 1706550542,
"narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c002c6aa977ad22c60398daaa9be52f2203d0006",
"rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
"type": "github"
},
"original": {
@ -181,19 +199,86 @@
"type": "github"
}
},
"nixpkgs-fmt": {
"inputs": {
"fenix": "fenix",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1706820456,
"narHash": "sha256-2UDso6ALCoqVH0Q0boIYRT9NJtto8CECAc+gUIHi1/o=",
"owner": "rad-development",
"repo": "nixpkgs-fmt",
"rev": "a140f110952dc51d9757c2b6f285691f4e454ef9",
"type": "github"
},
"original": {
"owner": "rad-development",
"repo": "nixpkgs-fmt",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1706550542,
"narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1637502770,
"narHash": "sha256-C28tuj+AgsRh67iB/Lg9oladquLoC8eamraqndeaO4A=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "f508ae889415b51263ea1c20b6b4c0e0ecbfc0bd",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"mailserver": "mailserver",
"nix-pre-commit": "nix-pre-commit",
"nixos-hardware": "nixos-hardware",
"nixos-modules": "nixos-modules",
"nixpkgs": "nixpkgs",
"nixpkgs-fmt": "nixpkgs-fmt",
"sops-nix": "sops-nix",
"systems": "systems"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1706735270,
"narHash": "sha256-IJk+UitcJsxzMQWm9pa1ZbJBriQ4ginXOlPyVq+Cu40=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "42cb1a2bd79af321b0cc503d2960b73f34e2f92b",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [

171
flake.nix

@ -1,20 +1,25 @@
{
description = "NixOS configuration for RAD-Development Servers";
nixConfig = {
trusted-substituters = [ "https://cache.nixos.org" "https://nix-community.cachix.org" "https://cache.alicehuston.xyz" ];
trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%" ];
};
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
systems.url = "github:nix-systems/default";
nixpkgs-fmt = {
url = "github:rad-development/nixpkgs-fmt";
inputs.fenix.inputs.nixpkgs.follows = "nixpkgs";
};
flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
systems = {
url = "github:nix-systems/default";
};
nixos-modules = {
url = "github:SuperSandro2000/nixos-modules";
inputs = {
@ -55,40 +60,48 @@
};
};
outputs =
{ home-manager
, mailserver
, nix-pre-commit
, nixos-modules
, nixpkgs
, sops-nix
, ...
}:
outputs = { self, nixpkgs-fmt, home-manager, mailserver, nix-pre-commit, nixos-modules, nixpkgs, sops-nix, ... }:
let
inherit (nixpkgs) lib;
systems = [ "x86_64-linux" "aarch64-linux" ];
forEachSystem = lib.genAttrs systems;
src = builtins.filterSource (path: type: type == "directory" || lib.hasSuffix ".nix" (baseNameOf path)) ./.;
ls = dir: lib.attrNames (builtins.readDir (src + "/${dir}"));
lsdir = dir: if (builtins.pathExists (src + "/${dir}")) then (lib.attrNames (lib.filterAttrs (path: type: type == "directory") (builtins.readDir (src + "/${dir}")))) else [ ];
fileList = dir: map (file: ./. + "/${dir}/${file}") (ls dir);
recursiveMerge = attrList:
let
f = attrPath:
builtins.zipAttrsWith (n: values:
if builtins.tail values == [ ] then
builtins.head values
else if builtins.all builtins.isList values then
builtins.unique (builtins.concatLists values)
else if builtins.all builtins.isAttrs values then
f (attrPath ++ [ n ]) values
else
lib.last values);
in
f [ ] attrList;
config = {
repos = [
{
repo = "https://gitlab.com/vojko.pribudic/pre-commit-update";
rev = "bbd69145df8741f4f470b8f1cf2867121be52121";
hooks = [
{
id = "pre-commit-update";
args = [ "--dry-run" ];
}
];
hooks = [{
id = "pre-commit-update";
args = [ "--dry-run" ];
}];
}
{
repo = "local";
hooks = [
{
id = "nixpkgs-fmt check";
entry = "${nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt}/bin/nixpkgs-fmt";
id = "nixfmt check";
entry = "${nixpkgs-fmt.legacyPackages.x86_64-linux.nixpkgs-fmt}/bin/nixpkgs-fmt";
args = [ "--check" ];
language = "system";
files = "\\.nix";
@ -106,67 +119,55 @@
};
in
{
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
formatter = forEachSystem (system: nixpkgs-fmt.legacyPackages.${system}.nixpkgs-fmt);
nixosConfigurations =
let
constructSystem =
{ hostname
, system ? "x86_64-linux"
, modules ? [ ]
, users ? [ "dennis" ]
}: lib.nixosSystem {
constructSystem = { hostname, users, home ? true, modules ? [ ], server ? true, sops ? true, system ? "x86_64-linux" }:
lib.nixosSystem {
inherit system;
modules = [
modules = [ nixos-modules.nixosModule sops-nix.nixosModules.sops { config.networking.hostName = "${hostname}"; } ] ++ (if server then [
mailserver.nixosModules.mailserver
nixos-modules.nixosModule
home-manager.nixosModules.home-manager
sops-nix.nixosModules.sops
./systems/programs.nix
./systems/configuration.nix
./systems/${hostname}/hardware.nix
./systems/${hostname}/configuration.nix
{ config.networking.hostName = "${hostname}"; }
] ++ modules ++ fileList "modules"
++ map
(user: { config, lib, pkgs, ... }@args: {
users.users.${user} = import ./users/${user} (args // { name = "${user}"; });
boot.initrd.network.ssh.authorizedKeys = config.users.users.${user}.openssh.authorizedKeys.keys;
sops = {
secrets."${user}/user-password" = {
sopsFile = ./users/${user}/secrets.yaml;
neededForUsers = true;
] else [
./users/${builtins.head users}/systems/${hostname}/configuration.nix
./users/${builtins.head users}/systems/${hostname}/hardware.nix
]) ++ fileList "modules" ++ modules ++ lib.optional home home-manager.nixosModules.home-manager
++ (if home then (map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users) else [ ]) ++ map
(user:
{ config, lib, pkgs, ... }@args: {
users.users.${user} = import ./users/${user} (args // { name = "${user}"; });
boot.initrd.network.ssh.authorizedKeys = lib.mkIf server config.users.users.${user}.openssh.authorizedKeys.keys;
sops = lib.mkIf sops {
secrets."${user}/user-password" = {
sopsFile = ./users/${user}/secrets.yaml;
neededForUsers = true;
};
};
};
})
users
++ map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users;
})
users;
};
in
(builtins.listToAttrs (map
(system: {
name = system;
value = constructSystem { hostname = system; } // (import ./systems/${system} { });
value = constructSystem ({ hostname = system; } // builtins.removeAttrs (import ./systems/${system} { }) [ "hostname" "server" "home" ]);
})
(lsdir "systems"))) //
(builtins.listToAttrs (builtins.concatMap
(user: map
(system: rec {
name = "${user}.${system}";
cfg = import ./users/${user}/systems/${system} { };
value = lib.nixosSystem {
system = cfg.system ? "x86_64-linux";
modules = [
nixos-modules.nixosModule
sops-nix.nixosModules.sops
./users/${user}/systems/${system}/configuration.nix
./users/${user}/systems/${system}/hardware.nix
{ config.networking.hostName = "${system}"; }
] ++ fileList "modules"
++ lib.optional (cfg.home-manager ? false) home-manager.nixosModules.home-manager;
};
})
(lsdir "users/${user}/systems"))
(lsdir "systems"))) // (builtins.listToAttrs (builtins.concatMap
(user:
map
(system: {
name = "${user}.${system}";
value = constructSystem ({
hostname = system;
server = false;
users = [ user ];
} // builtins.removeAttrs (import ./users/${user}/systems/${system} { }) [ "hostname" "server" "users" ]);
})
(lsdir "users/${user}/systems"))
(lsdir "users")));
devShell = lib.mapAttrs
@ -174,16 +175,30 @@
with nixpkgs.legacyPackages.${system};
mkShell {
sopsPGPKeyDirs = [ "./keys" ];
nativeBuildInputs = [
apacheHttpd
sopsPkgs.sops-import-keys-hook
];
shellHook = (nix-pre-commit.lib.${system}.mkConfig {
inherit pkgs config;
}).shellHook;
}
)
nativeBuildInputs = [ apacheHttpd sopsPkgs.sops-import-keys-hook ];
packages = [ self.formatter.${system} ];
shellHook = (nix-pre-commit.lib.${system}.mkConfig { inherit pkgs config; }).shellHook;
})
sops-nix.packages;
hydraJobs = {
build = (recursiveMerge
(
(map
(machine: {
${machine.pkgs.system} = (builtins.listToAttrs (map
(pkg: {
name = pkg.name;
value = pkg;
})
machine.config.environment.systemPackages));
})
(builtins.attrValues self.nixosConfigurations)) ++ [
(forEachSystem (system: {
${system}.${nixpkgs-fmt.legacyPackages.${system}.nixpkgs-fmt.name} = nixpkgs-fmt.legacyPackages.${system}.nixpkgs-fmt;
}))
]
));
};
};
}
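Review bot: The `cache.alicehuston.xyz` entry in `trusted-public-keys` (first hunk) ends in a stray `%` after the base64 key, which looks like a shell prompt marker pasted together with the key; a nix-serve public key is 44 base64 characters ending in `=`, so Nix will either reject the key or never match a signature against it and paths from that cache will be refused as unsigned. It should read `"cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo="` (confirm against the public half of the `nix-serve/secret-key` added in this commit). Separately, `trusted-substituters` in `nixConfig` only allow-lists URLs that unprivileged users may request and does not, as far as I recall, add them to the active substituter list, so builds will not use the cache unless the host's nix.conf does; `extra-substituters` / `extra-trusted-public-keys` are the settings a flake normally exports. The lockfile also shows the `nixpkgs-fmt` input dragging in its own 2021 `nixpkgs_3` and `flake-utils_2` pins because only `inputs.fenix.inputs.nixpkgs.follows` is set; adding `inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils";` under `nixpkgs-fmt` removes that stale copy.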


@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.backup;
in
{
let cfg = config.services.backup;
in {
options.services.backup = {
enable = lib.mkEnableOption "backup";
@ -54,9 +52,7 @@ in
restic.backups =
let
commonOpts = {
extraBackupArgs = [
"--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}"
];
extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ];
initialize = true;
passwordFile = config.sops.secrets."restic/password".path;
@ -74,19 +70,11 @@ in
"/etc/subgid"
"/etc/subuid"
"/var/lib/nixos/"
] ++ cfg.paths
++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/"
++ lib.optional config.services.mysql.enable "/var/lib/mysql/"
++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/"
++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/"
] ++ cfg.paths ++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/" ++ lib.optional config.services.mysql.enable "/var/lib/mysql/"
++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/" ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/"
++ lib.optional config.mailserver.enable config.mailserver.mailDirectory;
pruneOpts = [
"--group-by host"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 12"
];
pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ];
timerConfig = {
OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00";
@ -95,13 +83,9 @@ in
};
in
lib.mkIf cfg.enable {
local = commonOpts // {
repository = "/var/backup";
};
local = commonOpts // { repository = "/var/backup"; };
offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // {
repository = "sftp://offsite/${config.networking.hostName}";
};
offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; };
};
};
@ -124,9 +108,7 @@ in
path = "/root/.ssh/config";
sopsFile = ./backup.yaml;
};
} // lib.mkIf cfg.enable {
"restic/password".owner = "root";
};
} // lib.mkIf cfg.enable { "restic/password".owner = "root"; };
system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) ''
echo "Linking restic ssh config..."
@ -142,9 +124,7 @@ in
restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666";
};
timers = lib.mkIf config.services.postgresqlBackup.enable {
postgresqlBackup.timerConfig.RandomizedDelaySec = "5m";
};
timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; };
};
};
}
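Review bot: Both `// lib.mkIf ...` expressions in this file are mis-parenthesised on the new side: Nix function application binds tighter than `//`, so `lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = ...; }` merges `repository` into the `mkIf` wrapper attrset rather than into `commonOpts`, and the module system discards it when it discharges the `_type = "if"` wrapper, leaving the `offsite` backup with no repository (the restic module will, I believe, fail its repository assertion). The `} // lib.mkIf cfg.enable { "restic/password".owner = "root"; }` merge has the mirror problem: the whole `sops.secrets` definition becomes an `if` wrapper whose `content` is only the password entry, so the secret defined just above it (`path = "/root/.ssh/config"`) is silently dropped. Write `offsite = lib.mkIf (cfg.offsite != [ ]) (commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; });` and `} // lib.optionalAttrs cfg.enable { "restic/password".owner = "root"; };`. This predates the reformat, but the one-line form makes the misparse harder to spot.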


@ -1,9 +1,7 @@
{ config, lib, libS, ... }:
let
cfg = config.boot;
in
{
let cfg = config.boot;
in {
options = {
boot = {
default = libS.mkOpinionatedOption "enable the boot builder";
@ -42,10 +40,7 @@ in
supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelParams = [
"nordrand"
] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
zfs = lib.mkIf (cfg.filesystem == "zfs") {
enableUnstable = true;
@ -54,9 +49,7 @@ in
};
loader = {
efi = {
canTouchEfiVariables = false;
};
efi = { canTouchEfiVariables = false; };
generationsDir.copyKernels = true;
systemd-boot.enable = lib.mkIf cfg.useSystemdBoot true;
grub = lib.mkIf (!cfg.useSystemdBoot) {


@ -1,14 +1,8 @@
{ config, lib, libS, ... }:
let
cfg = config.services.fail2ban;
in
{
options = {
services.fail2ban = {
recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults";
};
};
let cfg = config.services.fail2ban;
in {
options = { services.fail2ban = { recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; }; };
config.services.fail2ban = lib.mkIf cfg.recommendedDefaults {
maxretry = 5;


@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.autopull;
in
{
let cfg = config.services.autopull;
in {
options = {
services.autopull = {
enable = lib.mkEnableOption "autopull";
@ -29,7 +27,8 @@ in
triggersRebuild = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.'';
description =
"Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.";
};
};
};


@ -1,9 +1,7 @@
{ config, lib, ... }:
let
cfg = config.services.hydra;
in
{
let cfg = config.services.hydra;
in {
config = {
services.hydra.extraConfig = lib.mkDefault (lib.concatLines [
cfg.extraConfig


@ -1,6 +1,5 @@
# BIASED
{ config, lib, ... }:
{
{ config, lib, ... }: {
config = {
services = {
@ -23,8 +22,6 @@
};
};
networking.firewall = lib.mkIf config.services.openssh.enable {
allowedTCPPorts = config.services.openssh.ports ++ [ 22 ];
};
networking.firewall = lib.mkIf config.services.openssh.enable { allowedTCPPorts = config.services.openssh.ports ++ [ 22 ]; };
};
}


@ -2,42 +2,41 @@
let
eachSite = config.services.staticpage.sites;
siteOpts = { lib, name, config, ... }:
{
options = {
package = lib.mkPackageOption pkgs "page" { };
siteOpts = { lib, name, config, ... }: {
options = {
package = lib.mkPackageOption pkgs "page" { };
root = lib.mkOption {
type = lib.types.str;
description = "The Document-Root folder in /var/lib";
};
root = lib.mkOption {
type = lib.types.str;
description = "The Document-Root folder in /var/lib";
};
domain = lib.mkOption {
type = lib.types.str;
example = "example.com";
description = "The staticpage's domain.";
};
domain = lib.mkOption {
type = lib.types.str;
example = "example.com";
description = "The staticpage's domain.";
};
subdomain = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = "app";
description = "The staticpage subdomain.";
};
subdomain = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = "app";
description = "The staticpage subdomain.";
};
usePHP = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Configure the Nginx Server to use PHP";
};
usePHP = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Configure the Nginx Server to use PHP";
};
configureNginx = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Configure the Nginx Server to serve the site with acne";
};
configureNginx = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Configure the Nginx Server to serve the site with acne";
};
};
};
in
{
options.services.staticpage = {
@ -81,7 +80,7 @@ in
allow all;
'';
};
locations."~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$" = {
locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = {
extraConfig = ''
try_files $uri @rewrite;
expires max;
@ -94,17 +93,17 @@ in
'';
};
} // lib.optionalAttrs cfg.usePHP {
locations."~ '\.php$|^/update.php'" = {
locations."~ '.php$|^/update.php'" = {
extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_pass unix:${config.services.phpfpm.pools.${name}.socket};
fastcgi_index index.php;
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
# Ensure the php file exists. Mitigates CVE-2019-11043
try_files $fastcgi_script_name =404;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
@ -114,7 +113,7 @@ in
'';
};
locations."~ \..*/.*\.php$" = {
locations."~ ..*/.*.php$" = {
extraConfig = ''
return 403;
'';
@ -124,7 +123,7 @@ in
return 403;
'';
};
locations."~ ^/sites/[^/]+/files/.*\.php$" = {
locations."~ ^/sites/[^/]+/files/.*.php$" = {
extraConfig = ''
deny all;
'';
@ -139,7 +138,7 @@ in
rewrite ^ /index.php;
'';
};
locations."~ /vendor/.*\.php$" = {
locations."~ /vendor/.*.php$" = {
extraConfig = ''
deny all;
return 404;
@ -150,7 +149,7 @@ in
try_files $uri @rewrite;
'';
};
locations."~ ^(/[a-z\-]+)?/system/files/" = {
locations."~ ^(/[a-z-]+)?/system/files/" = {
extraConfig = ''
try_files $uri /index.php?$query_string;
'';
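Review bot: The location regexes in this hunk have lost their backslashes (`~* .(js|css|...)$`, `~ ..*/.*.php$`, `~ /vendor/.*.php$`, `~ ^/sites/[^/]+/files/.*.php$`, `~ ^(/[a-z-]+)?/system/files/`). The formatter is not at fault — in a Nix double-quoted string `\.` already evaluated to a bare `.`, so nginx never saw an escaped dot — but the intent is clearly a literal dot, and `..*/.*.php$` as written returns 403 for any path containing a slash and ending in `php`; write the escapes as `\\.` (and `[a-z\\-]`) so nginx receives `\.`. Note also that nginx takes the first matching regex location in configuration order, and if the nginx module emits locations in attribute-name order (as I believe it does unless `priority` is set), `~ '.php$|^/update.php'` sorts before the `deny all` locations for `/sites/*/files/*.php` and `/vendor/*.php`, so an uploaded `.php` file under `files/` would be handed to PHP-FPM instead of denied; giving those deny locations a lower `priority` (e.g. `priority = 900;`) makes them win.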


@ -1,5 +1,4 @@
{ lib, pkgs, config, ... }:
{
{ lib, pkgs, config, ... }: {
i18n = {
defaultLocale = "en_US.utf8";
supportedLocales = [ "en_US.UTF-8/UTF-8" ];
@ -7,9 +6,7 @@
boot = {
default = true;
kernel.sysctl = {
"net.ipv6.conf.ens3.accept_ra" = 1;
};
kernel.sysctl = { "net.ipv6.conf.ens3.accept_ra" = 1; };
};
home-manager = {
@ -37,7 +34,7 @@
openssh = {
enable = true;
fixPermissions = true;
extraConfig = ''StreamLocalBindUnlink yes'';
extraConfig = "StreamLocalBindUnlink yes";
hostKeys = [
{
@ -72,28 +69,11 @@
TcpKeepAlive = "no";
X11Forwarding = lib.mkDefault false;
KexAlgorithms = [
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com" ];
};
};
autopull = {
@ -143,32 +123,12 @@
zsh-autoenv.enable = true;
enableCompletion = true;
enableBashCompletion = true;
ohMyZsh = {
enable = true;
};
ohMyZsh = { enable = true; };
};
nix-ld = {
enable = true;
libraries = with pkgs; [
acl
attr
bzip2
curl
glib
libglvnd
libmysqlclient
libsodium
libssh
libxml2
openssl
stdenv.cc.cc
systemd
util-linux
xz
zlib
zstd
];
libraries = with pkgs; [ acl attr bzip2 curl glib libglvnd libmysqlclient libsodium libssh libxml2 openssl stdenv.cc.cc systemd util-linux xz zlib zstd ];
};
};


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{ pkgs, ... }: {
time.timeZone = "America/New_York";
console.keyMap = "us";
networking.hostId = "1beb3026";
@ -34,9 +33,7 @@
};
environment = {
systemPackages = with pkgs; [
docker-compose
];
systemPackages = with pkgs; [ docker-compose ];
etc = {
# Creates /etc/lynis/custom.prf


@ -1,8 +1 @@
{ ... }:
{
users = [
"alice"
"dennis"
"richie"
];
}
{ ... }: { users = [ "alice" "dennis" "richie" ]; }


@ -4,30 +4,24 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
swapDevices = [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{ config, pkgs, ... }: {
time.timeZone = "America/New_York";
console.keyMap = "us";
networking.hostId = "dc2f9781";
@ -8,15 +7,10 @@
loader.grub.device = "/dev/sda";
filesystem = "zfs";
useSystemdBoot = true;
kernelParams = [
"i915.force_probe=56a5"
"i915.enable_guc=2"
];
kernelParams = [ "i915.force_probe=56a5" "i915.enable_guc=2" ];
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
nixpkgs.config.packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; };
hardware = {
enableAllFirmware = true;
@ -57,10 +51,9 @@
# };
};
environment.systemPackages = with pkgs; [
docker-compose
jellyfin-ffmpeg
];
environment.systemPackages = with pkgs; [ docker-compose jellyfin-ffmpeg ];
systemd.services.hydra-notify = { serviceConfig.EnvironmentFile = config.sops.secrets."hydra/environment".path; };
services = {
samba.enable = true;
@ -101,9 +94,22 @@
minimumDiskFree = 50;
minimumDiskFreeEvaluator = 100;
};
nix-serve = {
enable = true;
secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
};
};
networking.firewall.enable = false;
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"hydra/environment".owner = "hydra";
"nix-serve/secret-key".owner = "root";
};
};
system.stateVersion = "23.05";
}
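Review bot: `services.nix-serve` is enabled here without a `bindAddress`, and the same hunk ends with `networking.firewall.enable = false;` (whether or not this commit introduced that line), so the cache listens on the module default — all interfaces on port 5000, as far as I recall — with no TLS or access control on this host. Since the flake advertises the cache as `https://cache.alicehuston.xyz`, the intended path is presumably a TLS reverse proxy; bind the daemon to loopback so only the proxy can reach it: `nix-serve = { enable = true; bindAddress = "127.0.0.1"; secretKeyFile = config.sops.secrets."nix-serve/secret-key".path; };`. The signing key is root-owned with sops-nix's default 0400 mode, which is right only if this nixpkgs pin's nix-serve module hands the file to the service via `LoadCredential`; if the unit still opens `secretKeyFile` directly as the `nix-serve` user, signing will fail silently and the cache will serve unsigned paths — worth checking the unit's journal after deploy.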


@ -1,8 +1 @@
{ ... }:
{
users = [
"alice"
"dennis"
"richie"
];
}
{ ... }: { users = [ "alice" "dennis" "richie" ]; }


@ -6,8 +6,7 @@
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "xhci_pci" "mpt3sas" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "mpt3sas" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
@ -22,8 +21,7 @@
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/2b01e592-2297-4eb1-854b-17a63f1d4cf6"; }];
swapDevices = [{ device = "/dev/disk/by-uuid/2b01e592-2297-4eb1-854b-17a63f1d4cf6"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
@ -35,6 +33,5 @@
# networking.interfaces.enp72s0f3u1u2c2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,76 @@
hydra:
environment: ENC[AES256_GCM,data:k6t0jVLgsCbOwAnj71ogmsdoLsMaMjeScYRblE72FNEk8cgWc2Q5kw5LVShIC5Kgl2XhSJIoi1+pDS1X5huyWs+cz4T9oUtOJhtSlL9+UCLmaqoR0SCI1eCZT1fkRZ3QtitrRmtvm77Sld7Ckz/apG7cQsfpKhymkEz+Y8WdC3mc5Kjt05eAn66IbQYO8y1HQc9bkCAWYD+NSwOqC80W5RIfkKActWz1DFoeTESwMcpA9MKHlGMKP82Uo/qlRhXq+riY5e5voFGQw0O3CKRTy1Q=,iv:Fbl/9XkNTe5qmn7wvPtQ1Hpfzp7+3WLeuipkme9a29A=,tag:+git1pCZzSirfFsxj91WUQ==,type:str]
nix-serve:
secret-key: ENC[AES256_GCM,data:a+N7udOUnls35wCyO/icqtMWEVMorg3mSlZKih8LHQM4wgemZXuXYdhvw65CTPHvzcS0mr6QEMNzkqXios4kvlNDUvbG0OuaVhtqWqtuutz4J9VsGf8PdIvXNkLSHfm2fEY4n84nYM5tUidzwfA=,iv:045gOacG0t9rbzaszQ/5quZkRvfHLF8cETG2tABUrvk=,tag:sLs/yFdUlwf+YZf/Ja8YbA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMXl4RWc0Ymt4YjB4dHk3
YWdHcndLQzhyRFl4Vlp4d015KzJ3dGN2OGxBCkE4MEZjTnVua0pEd1BibWlhOUVs
enZFMUw4dVBBWC9Zb2hhalNxZi9LRGMKLS0tIEFreDViNEEySXlqM3FQMVE1ZEtk
Qkt2U1hWWGo4VzB2bEFYTWUwL0tyYzgKE1H8Wx5VH8D5cBHrniAAVQXD8yyR1eWY
wUjeAOgiTEe8gjulqGDKxjMqcz7w/wuHBTICXEUEi6fBSdDE4RJkkA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-01T05:36:42Z"
mac: ENC[AES256_GCM,data:mUpprU3khFg6ioJlv6dD0SfD6vmLsKKWqX/nHMkUooyc3SbLTEh7u40bmIhpQLMTvxryRB1+oV+K87NTUYBlD34SglH4a3/FyCzdeP0cgpc+pkswa5LQsJrPcB2IN2MJe4cWGGDkzVS80747HSdAqHw6fv2lNjQBFfvsp3Jo8ck=,iv:ltDI4nOBYRPVTTbSfEYfLFee3H7b0G9tjOu0eNnpvgw=,tag:+l3NsxJ+HSy8RI2ZAUn0Jw==,type:str]
pgp:
- created_at: "2024-02-01T04:49:29Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=7ah4
-----END PGP MESSAGE-----
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
- created_at: "2024-02-01T04:49:29Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DqDJbhoEBo+ISAQdAKVno0tJCc4ipQxmAk1vA8TJeR0prQ/TAvueAYoTulFkw
KVrbiII3tQQFVeUeT8iG+QZEY1heDW0qGrGg7YLGk71R7HXrOgFMGpjGg+gXQsui
1GgBCQIQqSQ6oXefrAklm7/aMTgfjvo5ZdIPSF9dbwhxx4J3tf+Pm9pyEDZSxTy+
/vHvwlnqJXKOEPnwHl1XJKawwdTOIPeuBTr5uH51/kmd4TcrGBMBXKVHfI5qtqAs
lQNgfsDgk+oH/Q==
=KQD1
-----END PGP MESSAGE-----
fp: 8F79E6CD6434700615867480D11A514F5095BFA8
- created_at: "2024-02-01T04:49:29Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=Nw8m
-----END PGP MESSAGE-----
fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
bat
btop


@ -61,11 +61,7 @@
topgrade = {
enable = true;
settings = {
misc = {
disable = [ "system" "nix" "shell" ];
};
};
settings = { misc = { disable = [ "system" "nix" "shell" ]; }; };
};
};


@ -33,8 +33,8 @@ sops:
THdwZG9QQ01mamYrclhHT2dQUXhIWTQK9fxQV7RDYij2aCdfgCufUToWgoais1KI
UQ7bPV0ZPhaBX4h2Q7kUk7FJwK5aGAsoBxf4KW4V78tSbz+XIyd3JQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-03T23:04:30Z"
mac: ENC[AES256_GCM,data:6Wnf1Ul8qJXs7/qeJGilLDgVcHFR7p5EkH4g058uqL08zbN++VAkkKzfayKa5zF6DQeSBw9E+68r1bzML9O1UIpdUUyedKn0Jyl6rm0nPbWfgfQR0NkMlhi9JNvJp+ROfLAUQP/5g/o2BQAEDcGuGaleZ6wV39Q5ZX2vMayxufM=,iv:YBQco/q50LEUCssG1/HoQ9buAPnYJG+kRGQbg4HFyfU=,tag:okJ+Un0ri6wLERNlDSclHw==,type:str]
lastmodified: "2024-02-01T04:49:18Z"
mac: ENC[AES256_GCM,data:4TarduVMtlQWCcCY73i6xuZOAUZAVHuGVxy+Mpl5IPo+BPMTUYjMed4x/EbYSV/+j/NEvA3A5c9+MTHjDvO9ywCYjulgosSim5aNHacOpQ7rwwa7fLFyztmL2SG3ZSBdjH2H/5VXkPfpKpOmp6X/yRHxnEKa0WAJg9FKOht/P2E=,iv:iqFwMB6hid7hEq7HZ7jCYCAXoZjDypC6Qg7qqcJxfAc=,tag:A7AoIPm8IsjPgOOl4Burxg==,type:str]
pgp:
- created_at: "2023-12-29T19:22:00Z"
enc: |-


@ -1,2 +1 @@
{ ... }:
{ }
{ ... }: { }


@ -1,10 +1,5 @@
{ pkgs, ... }:
{
imports = [
../configuration.nix
../programs.nix
./programs.nix
];
{ pkgs, ... }: {
imports = [ ../configuration.nix ../programs.nix ./programs.nix ];
time.timeZone = "America/New_York";
console.keyMap = "us";
@ -23,9 +18,7 @@
boot = {
default = true;
kernel.sysctl = {
"net.ipv6.conf.ens3.accept_ra" = 1;
};
kernel.sysctl = { "net.ipv6.conf.ens3.accept_ra" = 1; };
};
system.stateVersion = "23.05";


@ -1,5 +1,5 @@
{ ... }:
{
{ ... }: {
system = "x86_64-linux";
home-manager = true;
home = true;
sops = false;
}


@ -4,30 +4,24 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7295-A442";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
swapDevices = [{ device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
bat
btop


@ -1,11 +1,4 @@
{ lib
, config
, pkgs
, name
, publicKeys ? [ ]
, defaultShell ? "zsh"
,
}:
{ lib, config, pkgs, name, publicKeys ? [ ], defaultShell ? "zsh", }:
{
inherit name;
@ -22,7 +15,7 @@
"plugdev"
"uaccess"
];
shell = pkgs.${defaultShell};
hashedPasswordFile = config.sops.secrets."${name}/user-password".path;
shell = lib.mkIf config.programs.${defaultShell}.enable pkgs.${defaultShell};
hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
openssh.authorizedKeys.keys = publicKeys;
}
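Review bot: `hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null` turns a missing or misnamed secret into a silent no-password account: with `sops = true` a typo in the secret name no longer fails evaluation, and the account ends up with no password source at all (locked for a new account, or — with the default `mutableUsers = true`, as I understand the user-update logic — left with whatever hash is already on disk). The flake already knows whether sops is in use (`sops = lib.mkIf sops { ... }` in `constructSystem`), so pass that flag through instead of probing for the attribute: in flake.nix `import ./users/${user} (args // { name = "${user}"; useSops = sops; })`, and here add `useSops ? true` to the argument set with `hashedPasswordFile = lib.mkIf useSops config.sops.secrets."${name}/user-password".path;`, so a missing secret is once again an evaluation error.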