From ec6476d4706a5897917b7d107e8d3d9e21af61a3 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 23 Apr 2023 11:06:57 +0800 Subject: [PATCH] rpi4: rename to raspite, add password --- .sops.yaml | 14 ++++++-- flake.nix | 9 ++--- home/xin/common/default.nix | 3 +- home/xin/raspite/default.nix | 28 ++++++++++++++++ machines/{rpi4 => raspite}/configuration.nix | 33 ++++++++++++++---- machines/raspite/secrets.yaml | 30 +++++++++++++++++ machines/secrets.yaml | 35 ++++++++++++-------- 7 files changed, 125 insertions(+), 27 deletions(-) create mode 100644 home/xin/raspite/default.nix rename machines/{rpi4 => raspite}/configuration.nix (56%) create mode 100644 machines/raspite/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index f3ae717..f928eee 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,17 +1,27 @@ keys: - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - - &host-laptop age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa + - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa + - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: - age: - *xin - - *host-laptop + - *host-calcite + - path_regex: machines/raspite/secrets.yaml + key_groups: + - age: + - *xin + - *host-raspite - path_regex: machines/secrets.yaml key_groups: - age: - *xin + - *host-calcite + - *host-raspite - path_regex: home/xin/secrets.yaml key_groups: - age: - *xin + - *host-raspite + - *host-calcite diff --git a/flake.nix b/flake.nix index 788ebd0..6097107 100644 --- a/flake.nix +++ b/flake.nix 
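Review bot: The `home/xin/secrets.yaml` rule now lists `*host-raspite` and `*host-calcite` as recipients, but the diffstat does not include `home/xin/secrets.yaml`, so the existing file is presumably still encrypted to `*xin` only. Neither host will be able to decrypt it until it is re-keyed, for example with `sops updatekeys home/xin/secrets.yaml`. Once re-keyed, every secret in that file and in `machines/secrets.yaml` is readable with either host's key, so a compromise of the Raspberry Pi's key also exposes the user-level secrets. If raspite needs only some of them, a separate file with its own `path_regex` rule would keep the recipient set minimal. A comment above `keys:` such as `# one age recipient per machine; after changing a rule, re-run sops updatekeys on the affected files` would document the re-keying step.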
@@ -61,20 +61,21 @@ ]; }; - nixosConfigurations.rpi4 = mkNixos { + nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; modules = [ nixos-hardware.nixosModules.raspberry-pi-4 - machines/rpi4/configuration.nix + machines/raspite/configuration.nix + (mkHome "xin" "raspite") ]; }; - images.rpi4 = (nixpkgs.lib.nixosSystem { + images.raspite = (mkNixos { system = "aarch64-linux"; modules = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - machines/rpi4/configuration.nix nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix { nixpkgs.config.allowUnsupportedSystem = true; nixpkgs.hostPlatform.system = "aarch64-linux"; diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 73ba97a..391bf9c 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -8,7 +8,8 @@ dig du-dust # du + rust zoxide # autojumper - man-pages + file + # man-pages tree wget tmux diff --git a/home/xin/raspite/default.nix b/home/xin/raspite/default.nix new file mode 100644 index 0000000..d09be89 --- /dev/null +++ b/home/xin/raspite/default.nix @@ -0,0 +1,28 @@ + +{ config, pkgs, ... }: +{ + imports = [ + ../common + ]; + + home.username = "xin"; + home.homeDirectory = "/home/xin"; + home.stateVersion = "23.05"; + + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; + + accounts.email.accounts.gmail = { + primary = true; + address = "lixinyang411@gmail.com"; + flavor = "gmail.com"; + }; + + accounts.email.accounts.whu = { + address = "lixinyang411@whu.edu.cn"; + }; + + accounts.email.accounts.foxmail = { + address = "lixinyang411@foxmail.com"; + }; +} diff --git a/machines/rpi4/configuration.nix b/machines/raspite/configuration.nix similarity index 56% rename from machines/rpi4/configuration.nix rename to machines/raspite/configuration.nix index 230bca5..4e3c149 100644 --- a/machines/rpi4/configuration.nix +++ b/machines/raspite/configuration.nix 
@@ -1,9 +1,6 @@ { config, libs, pkgs, ... }: { - environment.systemPackages = with pkgs; [ - vim - ]; nixpkgs.overlays = [ # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 (final: super: { @@ -12,12 +9,33 @@ }) ]; - imports = [ ]; + imports = [ + ../clash.nix + ../sops.nix + ]; + + environment.systemPackages = with pkgs; [ + git + clash + ]; + + # Use mirror for binary cache + nix.settings.substituters = [ + "https://mirrors.ustc.edu.cn/nix-channels/store" + "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" + ]; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + sops = { + secrets.password = { + sopsFile = ./secrets.yaml; + }; + }; system.stateVersion = "22.11"; networking = { - hostName = "pi-wh"; + hostName = "raspite"; useDHCP = false; interfaces.eth0.useDHCP = true; }; @@ -28,11 +46,12 @@ systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; - users.users.pi = { + users.users.xin = { isNormalUser = true; - home = "/home/pi"; extraGroups = [ "wheel" "networkmanager" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ]; + # passwordFile = config.sops.secrets.password.path; + hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4"; }; } \ No newline at end of file diff --git a/machines/raspite/secrets.yaml b/machines/raspite/secrets.yaml new file mode 100644 index 0000000..fcb790e --- /dev/null +++ b/machines/raspite/secrets.yaml 
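Review bot: In the last hunk `users.users.xin` gets a literal `hashedPassword`, so the yescrypt hash of a `wheel` account is committed to the repository and copied into the world-readable Nix store, which leaves it open to offline guessing. The `sops.secrets.password` entry declared in the previous hunk is never consumed, because `passwordFile` is commented out. sops-nix only decrypts a secret before user creation when it is marked for that, so the intended wiring is probably `sops.secrets.password.neededForUsers = true;` together with `passwordFile = config.sops.secrets.password.path;`, with the `hashedPassword` line dropped. The encrypted value then has to be the crypt(3) hash rather than the plain password, which cannot be checked from this diff. Because the hash is now in history, the password should be changed when moving to the secret.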
@@ -0,0 +1,30 @@ +password: ENC[AES256_GCM,data:QHPNTvjNjrcUaV7aVvnFQFF+1bA+g1Y2emYIabBgHQ7Dmg7SuOwVpBsZCvsh+BgrWLykK3Gcf+huTMzixjaqXbGHrpqx9Eq9wi1O1alVG8bJ/UvWr7H3qBCuye85KUopBxXLF93skT7H1Q==,iv:Iq/s+AuMJN/Z/Pbc5UsZQA6gvnPXxihKJzWYl+N6Gmc=,tag:6UvNTQlLrl1ay3BI6vPqTw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieXZQcFZ6R0ZBQUdTMWtL + QXM2djdBNThrNnpuT1lpNDU1R3NIM2FRNnhZCkZqbUtrWldFMS9oOTE3T2ZCTklm + emxsL21pQThiMDJIUXA1Y0RKSVBRWFUKLS0tIE1qK0dySHZHUVZ1aDZoZ1lEZHoy + dnBLOWV4NjBrZzM5VkhRZFFrNFByVFkKK7j/rDiD7WbCU/Z1+FRuxjOitS6Y9cc1 + L2oW35AJluG27tdwe39nBORzeLwDrcFy5TpUSV9hMEBbeDBlhLNSiA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPb0RxTHFhZjZ5bEtpblo1 + VHJkeDFpNjhoc294eWs5TmxxcEMwOTQ4SmxVCmp1dnFXSlNiUzdtWm9WSmlMa3BR + RDFmWVdxcXJzRmdzbzVOMkUvNDd4Y1UKLS0tIDVkNHBrYWFmNWtkNllidUlPdFJ1 + djhXQ2RzM0JEdnRvUkxVNm9MdFNJUHMKmacD8MIV7r92c5KbJtg7CbnI09QMclQl + 5rIF5vcgaRRpS6zXq22OgxSjsjIHg7jDOkUJdueGNHzc4f9F91+0yQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-23T03:02:43Z" + mac: ENC[AES256_GCM,data:7k+Eoua6DviF6XN5QiVOXE4LHr0gggvvYY9EMBU4J6RsA9hzi0L3DjdofppAvG2928mCd/SYiZC3vGU8UFohXbZuxFLq9YJGkE1P+VxvlggkMKoJkIbE2d2t78zm2gt4nd60tDyJgYINqbbgfs2qOdnm8Y/WShRkmNs/ggf5Azo=,iv:cXoP6GYOzhfXov/l9rSg/2GIGI4aeJonAXCQ6k6YuaQ=,tag:Tv/JYpj6DfhddSzSkh8zcQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/machines/secrets.yaml b/machines/secrets.yaml index ae8271c..95ec167 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
@@ -1,4 +1,4 @@ -clash_subscription_link: ENC[AES256_GCM,data:HKHMCu6FAhXroM+j33coUhJybw2P0k4c+2NyVoLkHRtxyWc2qDmwLfyaYfU9hkBdE60eZ6t5ewNFnMFe78DatVTcwPXGznY=,iv:0yP9LG8lUdjKiize6z5LjY3NsGmKST4H2aMvOZoUXyo=,tag:vcBk7seKuaSpEw8PXmM05A==,type:str] +clash_subscription_link: ENC[AES256_GCM,data:QwszQooTzHboIgIsbxcL1ZrVgOn91pKC8mMUSY7R0FB426ERiVPNyGWBy5ar4m0yk/XwcFLdFRmiWOrQG9mWsx9J6/tH7K8=,iv:zeDuLmDRUiCtKfUlpl1KJl62DP4DnQ2c6gOjpiHw+4c=,tag:w5AQIUC1p3nrwepdxH7Kkw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -8,23 +8,32 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRXoxNVJzZERQTFdDNWlL - N2s2ajdCVzFFZWlSY1dndWhCL0RuMnk3aVdJCjJaQUJ2a1VPanArN2YxMy9vSEYv - blBISEZQL3UvNnRFN0ozZ3hzbEcvaDQKLS0tIEYydmF2bHBwQWdTSFFQQ29ROGxi - OFo3K3N6VWsyRnphblVsM2pHZnljUncKWLyzuKl+8WXtvlPtsaYG4PyGYNmPFdG5 - gxlMsQvaUrGReCs9M3EeS0KKvl9INzOP33KCiwrIAfq1PygP1xF1QQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYjBKUUNCTlpoYXJqMkVL + U0xoNDNXVUpGaEdTVFVVL05MYng4N3l5dlhRCjZXMmplRGY1UWdlUTB4NHBFNHVO + QThQTkhwVlc2NE1HWUc5RlRyS2lURE0KLS0tIDZPOW1EMis2TjFjaS9sUHEvenRJ + cmZYOEVHTE1ybDBXMDFZRnJQaWRjeU0KVAiaO0xMhDQTh26e4lTRigkG2P6KfXov + c2DItjmdWmdfN/QOKl6JzObtHBxSWxXGZwbnWmDkGq69t20TDus2Xw== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZHpMa0NiYzJSa0Jyd3dD - WUFzenY3dEYzRjBxbVk4NWFGUnp0N0oySjE4CllEMlRXSmR6cWR0QlMrOWJGdEhO - ZzkwaFRRMVdjcVhLaEpMcFhxMTVxcTQKLS0tIEY3eER1d3B0NGtsdk9RaENscTBk - eHg2UVZRRkdVWm5PdW1MSzhVTGlpc3cKnZj4fil9mysiJJcDK4SLo+I0TcUtgww1 - 67W3wpd2y+ofIEP/qBSTVU4PYJ+ZsYDr1hy+6qJ7r4rgQ9wzLiWBog== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWWx3TGJTWEtLd0ROVXZQ + OUcycUlCUmhJT3JybldLYytJNlhld3lSVENJCmd0YUVBbWN3MU8yQ2FFMTRSWXln + S0x4c0pGemVDdVV6N3hCM3BsWGxBYzQKLS0tIDdyNFBtK2RQTFNXdlRDaVZBNjZ6 + TVo3cmh0eFlDU1d2RnVZVUI1NXcrbnMKU+tJhePvEk/awxtoZA8NWTxUr5buXSRu + CyIZXG3THbrIWAzBRlgtKqmlvdOseIASSO9OgOUPb8/EKSD5eUTH3g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-22T15:22:58Z" - mac: ENC[AES256_GCM,data:3LtivTLt04ADulz9XkMxcpgAY6it+hWFuXZVI9AOuFVQCgGE41fpH0RUKgJ4kIpr5kvbe4wVLQ6OTFqBcAkPnBBPCCg/Npzo7sWbGOiBEyK3aEk2uGsmZHqpDexHS5VJvSY0iePD+Qb/LNxjBo4KLWGNj+frKnpGALV0Qn6yzIE=,iv:alylpWLPhIIL4piaVFpjHbXJY4nz0pcUIFN5TvVcj74=,tag:HaSjcpwRMZ06UjXoDwEmyg==,type:str] + - recipient: 
age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidXFsbFBPc3hhMzFMSk9v + NVdKWDE5MWoyMnUyVWdwOXhsK3dpQ1o2bGlBClZHVTZzc2lxblYrUUUvRFRmQ2Mv + S1I4YzJYd1JCcUx5b0E2MTlwYWlwRDAKLS0tIGphM2NaSXBwdlZSR3kwSUkzcXkv + dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou + DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-23T03:03:14Z" + mac: ENC[AES256_GCM,data:LxnM5wRjyV0VxOWm0/XDF6iVoe2PoJ/Ps8iW6mNI4JDDy8EK7pRElcU0W+IuOq09eUCBJ4KzIssbUTqumUtQHXIOhkCx0qrsf4XWsLnKNqteMwkDuWhQAiUgzGa4T0zD7B1chnos9J85rHGrGLZ9aGzC04hwUrADcw0HbxQIBm4=,iv:U2sYlCl8cppaJT8ldJhVoHj2NbTCanJyPblsO11/hBs=,tag:h8cE/+uNDz5CXoX29RKCgQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3