Changes for lambda, fixes for sea.fudo.org

config/host-config/lambda.nix

@@ -39,6 +39,24 @@ in {
     "L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa"
     "L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
     "L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
+
+    # "L /etc/ssh/ssh_host_rsa_key - - - - ${state-dir}/ssh/ssh_host_rsa_key"
+    # "L /etc/ssh/ssh_host_rsa_key.pub - - - - ${state-dir}/ssh/ssh_host_rsa_key.pub"
+    # "L /etc/ssh/ssh_host_ed25519_key - - - - ${state-dir}/ssh/ssh_host_ed25519_key"
+    # "L /etc/ssh/ssh_host_ed25519_key.pub - - - - ${state-dir}/ssh/ssh_host_ed25519_key.pub"
+  ];
+
+  services.openssh.hostKeys = [
+    {
+      path = "${state-dir}/ssh/ssh_host_rsa_key";
+      type = "rsa";
+      bits = 4096;
+    }
+    {
+      path = "${state-dir}/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+      bits = 4096;
+    }
   ];
 
   environment.etc = {
@@ -66,7 +84,11 @@ in {
       group = "root";
       mode = "0444";
     };
+    nixos.source = "/etc/nixos-live";
     "machine-id".source = "${state-dir}/host/machine-id";
+    "host-config.nix".source = "/state/host/host-config.nix";
+    adjtime.source = "/state/host/adjtime";
+    NIXOS.source = "/state/host/NIXOS";
   };
 
   security.sudo.extraConfig = ''

config/host-config/limina.nix

@@ -139,11 +139,12 @@ in {
       NIXOS.source = "/state/etc/NIXOS";
       machine-id.source = "/state/etc/machine-id";
       "host-config.nix".source = "/state/etc/host-config.nix";
-      "krb5.keytab" = {
+      ## This should be handled by nixops deploy
-        source = "/state/etc/limina.keytab";
+      # "krb5.keytab" = {
-        user = "root";
+      #   source = "/state/etc/limina.keytab";
-        mode = "0400";
+      #   user = "root";
-      };
+      #   mode = "0400";
+      # };
     };
 
     boot.initrd.postDeviceCommands = lib.mkAfter ''

config/site-config/seattle.nix

@@ -6,18 +6,22 @@ in {
     "/mnt/documents" = {
       device = "whitedwarf.${local-domain}:/volume1/Documents";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     "/mnt/downloads" = {
       device = "whitedwarf.${local-domain}:/volume1/Downloads";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     "/mnt/music" = {
       device = "doraemon.${local-domain}:/volume1/Music";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     "/mnt/video" = {
       device = "doraemon.${local-domain}:/volume1/Video";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     # fileSystems."/mnt/security" = {
     #   device = "panopticon.${local-domain}:/srv/kerberos/data";
@@ -26,10 +30,12 @@ in {
     "/mnt/cargo_video" = {
       device = "cargo.${local-domain}:/volume1/video";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     "/mnt/photo" = {
       device = "cargo.${local-domain}:/volume1/pictures";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
   };
 

home-manager/niten.nix

@@ -163,6 +163,8 @@ in {
       #     fi
       #   '';
       # };
+
+      ".fonts.conf" = { source = ../static/fonts.conf; };
     };
 
     sessionVariables = {

lib/fudo/users.nix

@@ -129,6 +129,34 @@ let
     let user-list = attrNames users;
     in filter (username: list-includes user-list username) group-members;
 
+  ensure-group-directory = group: dir: ''
+    if [[ -d ${dir} ]]; then
+      GROUP="$(stat --format '%G' "${dir}")"
+      if [[ "$GROUP" = "${group}" ]]; then
+        echo "${dir} exists and belongs to ${group}"
+        exit 0
+      else
+        echo "setting ownership of ${dir} to ${group}"
+        chgrp ${group} ${dir}
+        chmod g+rx ${dir}
+      fi
+    elif [[ ! -e ${dir} ]]; then
+      echo "creating ${dir} and setting ownership to ${group}"
+      mkdir ${dir}
+      chgrp ${group} ${dir}
+      chmod g+rx ${dir}
+    elif [[ -e ${dir} && ! -d ${dir} ]]; then
+      echo "unable to create directory ${dir}, object exists"
+      exit 2
+    else
+      echo "unknown error creating ${dir}"
+      exit 3
+    fi
+  '';
+
+  ensure-group-dirs-script = group: dirs:
+    concatStringsSep "\n" (map (ensure-group-directory group) dirs);
+
 in {
   options.fudo = {
     users = mkOption {
@@ -150,13 +178,10 @@ in {
     };
   };
 
-  imports = [
+  imports = [ ./users-common.nix ];
-    ./users-common.nix
+
-  ];
+  config = let sys = import ../system.nix { inherit lib config; };
 
-  config = let
-    sys = import ../system.nix { inherit lib config; };
-    
   in {
     fudo.auth.ldap-server = let
       ldapUsers = (filterAttrs
@@ -212,8 +237,23 @@ in {
       users = let
         home-manager-users =
           filterAttrs (username: userOpts: userOpts.home-manager-config != null)
-            sys.local-users;
+          sys.local-users;
-      in mapAttrs (username: userOpts: userOpts.home-manager-config) home-manager-users;
+      in mapAttrs (username: userOpts: userOpts.home-manager-config)
+      home-manager-users;
     };
+
+    # Group home directories have to exist, otherwise users can't log in
+    systemd.services = let
+      ensure-group-directories = group:
+        nameValuePair "ensure-group-directories-${group}" {
+          script = ensure-group-dirs-script group [ "/home/${group}" ];
+          wantedBy = [ "multi-user.target" ];
+          requires = [ "local-fs.target" ];
+          after = [ "remote-fs.target" ];
+        };
+      groups-with-members = attrNames
+        (filterAttrs (group: groupOpts: (length groupOpts.members) > 0)
+          sys.local-groups);
+    in listToAttrs (map ensure-group-directories groups-with-members);
   };
 }

packages/default.nix

@@ -176,10 +176,5 @@ in {
       rev = "278a90f7ce219e36e5de0a80b540e469a9bce912";
       sha256 = "06qns3ayc84mamdgn0jw652rvx60wy9km1vxm2361mzmx2zk89iw";
     };
-
-    hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [
-      libva
-      pipewire
-    ];
   };
 }