colin
b658b93c64
this approach lets me persist the password. persisting /etc/shadow directly wasn't so feasible. populating /etc/shadow at activation time is something nix already does and is easy to plug into. so we store the passwd hash in this repo, but encrypt it to the destination machine's ssh pubkey to add enough entropy that it's not brute-forceable through the public git repo.
35 lines
1005 B
Nix
35 lines
1005 B
Nix
{ pkgs, ... }:
|
|
{
|
|
imports = [
|
|
./fs.nix
|
|
];
|
|
|
|
# sane.users.guest.enable = true;
|
|
sane.gui.sway.enable = true;
|
|
sane.impermanence.enable = true;
|
|
sane.nixcache.enable = true;
|
|
boot.loader.efi.canTouchEfiVariables = false;
|
|
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
|
|
|
|
sops.secrets.colin-passwd = {
|
|
sopsFile = ../../secrets/lappy.yaml;
|
|
neededForUsers = true;
|
|
};
|
|
|
|
# default config: https://man.archlinux.org/man/snapper-configs.5
|
|
# defaults to something like:
|
|
# - hourly snapshots
|
|
# - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
|
|
services.snapper.configs.nix = {
|
|
# TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
|
|
# but that also requires setting up the persist dir as a subvol
|
|
subvolume = "/nix";
|
|
};
|
|
|
|
# TODO: only here for debugging
|
|
# services.ipfs.enable = true;
|
|
|
|
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
|
|
system.stateVersion = "21.05";
|
|
}
|