feat: move nix store to ssh on nuOS

2024-10-21 10:32:15 +02:00 · 2024-10-21 10:32:15 +02:00 · 9f8865441b
commit 9f8865441b
parent 2934e77dd6
4 changed files with 12 additions and 51 deletions
--- a/common/ssh-keys.nix
+++ b/common/ssh-keys.nix
@ -0,0 +1,4 @@
+[
+  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmUSRs2akTTWtiaCcB5PNaLFJlwZmvD8YEZp2R4SQ56gj1xddZ0QP8XQIqRd6cmkaGzS9QzNpo03mlaOUTItFarp+OJh7oe9DcqpLR7+30mdLJgmYC6SOm/Upm9jZbl+YVuRbCWUXJ8pgKeJ+GseiKUx/3nPFPJ17Z7xV1GwPBVDxE4F3TVF/JFn6NYE0NF0I35lYUT8JOrmr7r2+VYBt9Pbqta7G6afTl4ETX/pDDiEHQAsf5dUvF/FdAUp50DMVqC81xPlx/ajMzI4thssA8CkUDZdns7WhWSvDuyCz6bRZhnBqJ0oM9clhljhVq7eAScAEH4mM0XEexlE5NUmGqLZJT7NZIX+SRhxtKMTZBY3y6w6cxgNMo8lAhp0d1mlSmBEB1cvlCr38ZtcAyYA1m3vHwnJ4vsbCxxGZeTyLY+mZC4dFcSSyc+P3DtxBle7q6F/Qc9K53I454YsUVHTzD/K1A6r75/6igQBKEoGScVQX5qFLFWOu0k1hOEV3mT3jzP48l5iEz6whdO0EKbHJT3vvM+vj3zLzJ9YeSTDbxTE0AhMNt17yICB/vX1Fi/SwlwjYgUQnwiKbqkOaT5ZTxcqcv3x0EyTdq43J1TEWcAKUW7nlcQ9rwJnwg6MfUKE/cawwPUqGp8WTbavX4/IX/k+jQsuI9XvZ9Y96ilLhTRw== openpgp:0xD85CD295"
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFemc4Pzp7I0y8FHxgRO/c/ReBmXuqXR6CWqbhiQ+0t noa@Noas_flaptop"
+]
--- a/hosts/lambdaos/configuration.nix
+++ b/hosts/lambdaos/configuration.nix
@ -75,9 +75,7 @@
      description = "Noa Aarts";
      extraGroups = [ "networkmanager" "wheel" "docker" "wireshark" "dialout" ];
      hashedPassword = "$6$rounds=512400$Zip3xoK2zcoR4qEL$N13YTHO5tpWfx2nKb1sye.ZPwfoRtMQ5f3YrMZqKzzoFoSSHHJ.l5ulCEa9HygFxZmBtPnwlseFEtl8ERnwF50";
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFemc4Pzp7I0y8FHxgRO/c/ReBmXuqXR6CWqbhiQ+0t noa@Noas_flaptop"
-      ];
+      openssh.authorizedKeys.keys = import ../../common/ssh-keys.nix;
    };
  };

@ -205,12 +203,6 @@
      pulse.enable = true;
      jack.enable = true;
    };
-    nix-serve = {
-      enable = true;
-      secretKeyFile = "/var/cache-priv-key.pem";
-      bindAddress = "127.0.0.1";
-      port = 22332;
-    };
    fail2ban.enable = true;
    greetd = {
      enable = false;
@ -250,28 +242,6 @@
    };
    flatpak.enable = true;
    udev.packages = [ pkgs.yubikey-personalization ];
-    nginx =
-      {
-        enable = true;
-        package = pkgs.nginx.override {
-          modules = [ pkgs.nginxModules.brotli ];
-        };
-
-
-        recommendedOptimisation = true;
-        recommendedProxySettings = true;
-        recommendedTlsSettings = true;
-        recommendedBrotliSettings = true;
-        sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
-        virtualHosts = {
-
-          "lambdaos" = {
-            locations."/".proxyPass = "http://127.0.0.1:22332";
-          };
-
-        };
-      };
  };

  systemd = {
@ -345,7 +315,6 @@

  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [
-    80 # nix-serve
    53317 # Localsend
    7791 # Pixelflut
    38281 # Archipelago
--- a/hosts/muos/configuration.nix
+++ b/hosts/muos/configuration.nix
@ -63,9 +63,7 @@
      description = "Noa Aarts";
      extraGroups = [ "networkmanager" "wheel" "docker" "wireshark" ];
      hashedPassword = "$6$rounds=512400$Zip3xoK2zcoR4qEL$N13YTHO5tpWfx2nKb1sye.ZPwfoRtMQ5f3YrMZqKzzoFoSSHHJ.l5ulCEa9HygFxZmBtPnwlseFEtl8ERnwF50";
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFemc4Pzp7I0y8FHxgRO/c/ReBmXuqXR6CWqbhiQ+0t noa@Noas_flaptop"
-      ];
+      openssh.authorizedKeys.keys = import ../../common/ssh-keys.nix;
    };
  };

--- a/hosts/nuos/configuration.nix
+++ b/hosts/nuos/configuration.nix
@ -40,14 +40,16 @@
    noa = {
      isNormalUser = true;
      extraGroups = [ "networkmanager" "wheel" "docker" "libvirt" ];
-      openssh.authorizedKeys.keys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmUSRs2akTTWtiaCcB5PNaLFJlwZmvD8YEZp2R4SQ56gj1xddZ0QP8XQIqRd6cmkaGzS9QzNpo03mlaOUTItFarp+OJh7oe9DcqpLR7+30mdLJgmYC6SOm/Upm9jZbl+YVuRbCWUXJ8pgKeJ+GseiKUx/3nPFPJ17Z7xV1GwPBVDxE4F3TVF/JFn6NYE0NF0I35lYUT8JOrmr7r2+VYBt9Pbqta7G6afTl4ETX/pDDiEHQAsf5dUvF/FdAUp50DMVqC81xPlx/ajMzI4thssA8CkUDZdns7WhWSvDuyCz6bRZhnBqJ0oM9clhljhVq7eAScAEH4mM0XEexlE5NUmGqLZJT7NZIX+SRhxtKMTZBY3y6w6cxgNMo8lAhp0d1mlSmBEB1cvlCr38ZtcAyYA1m3vHwnJ4vsbCxxGZeTyLY+mZC4dFcSSyc+P3DtxBle7q6F/Qc9K53I454YsUVHTzD/K1A6r75/6igQBKEoGScVQX5qFLFWOu0k1hOEV3mT3jzP48l5iEz6whdO0EKbHJT3vvM+vj3zLzJ9YeSTDbxTE0AhMNt17yICB/vX1Fi/SwlwjYgUQnwiKbqkOaT5ZTxcqcv3x0EyTdq43J1TEWcAKUW7nlcQ9rwJnwg6MfUKE/cawwPUqGp8WTbavX4/IX/k+jQsuI9XvZ9Y96ilLhTRw== openpgp:0xD85CD295"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFemc4Pzp7I0y8FHxgRO/c/ReBmXuqXR6CWqbhiQ+0t noa@Noas_flaptop"
-      ];
      hashedPassword = "$6$rounds=512400$g/s4dcRttXi4ux6c$Z6pKnhJXcWxv0TBSMtvJu5.piETdUBSgBVN7oDPKiQV.lbTYz1r.0XQLwMYxzcvaaX0DL6Iw/SEUTiC2M50wC/";
+      openssh.authorizedKeys.keys = import ../../common/ssh-keys.nix;
    };
  };

+  nix.sshServe = {
+    enable = true;
+    keys = import ../../common/ssh-keys.nix;
+  };
+
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

@ -230,18 +232,6 @@
            };
          };

-          "locked.itepastra.nl" = {
-            forceSSL = true;
-            useACMEHost = "itepastra.nl";
-            extraConfig = extra;
-
-            locations."/" = {
-              proxyWebsockets = true;
-              proxyPass = "http://192.168.42.5:9000/";
-            };
-
-          };
-
          "calendar.itepastra.nl" = proxy "itepastra.nl" "http://[::1]:29341";
        };
      };