Enable passwordless sudo on remote machines

Closes #2

colmena/local.nix

@@ -8,10 +8,6 @@ in {
     tags = [ "local" ];
   };
 
-  nixpkgs.config.packageOverrides = pkgs: {
-    agenix = (import "${sources.agenix}" { inherit pkgs; }).agenix;
-  };
-
   environment.systemPackages = with pkgs; [
     agenix
     colmena

colmena/remote.nix

@@ -3,9 +3,13 @@
 {
   deployment = {
     targetHost = "${name}.birdsong.network";
+    targetUser = "qenya";
     tags = [ "remote" ];
   };
 
+  # Required for remote builds
+  security.sudo.wheelNeedsPassword = false;
+
   imports = [
     ../common/openssh.nix
   ];

common/openssh.nix

@@ -12,9 +12,4 @@
   services.fail2ban.enable = true;
 
   networking.firewall.allowedTCPPorts = [ 22 ];
-
-  # Allow remote root login only from home network
-  # TODO: Find a less hacky way of doing remote deployment
-  users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
-  services.openssh.extraConfig = "Match Address 45.14.17.200\n    PermitRootLogin prohibit-password";
 }

common/sudo.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs,... }:
+
+{
+  security.sudo.execWheelOnly = true;
+}

hive.nix

@@ -6,12 +6,24 @@ in {
     deployment.replaceUnknownProfiles = false;
     networking.hostName = name;
 
-    nixpkgs.config.allowUnfree = true;
+    nixpkgs.config = {
+      allowUnfree = true;
+      packageOverrides = pkgs: {
+        agenix = (import sources.agenix { inherit pkgs; }).agenix;
+        vscode-extensions = (import sources.nix-vscode-extensions).extensions.x86_64-linux; # TODO: This should check the host architecture
+      };
+    };
+
+    home-manager = {
+      useUserPackages = true;
+      useGlobalPkgs = true;
+    };
 
     imports = [
       (import "${sources.home-manager}/nixos")
       (import "${sources.agenix}/modules/age.nix")
       ./pinning.nix
+      ./common/sudo.nix
       ./common/utilities.nix
       ./users/qenya.nix
     ];

home/vscode.nix

@@ -1,39 +1,32 @@
 { config, lib, pkgs, ... }:
 
 {
-  programs.vscode =
-    let
-      system = builtins.currentSystem;
-      sources = import ../npins;
-      extensions = (import sources.nix-vscode-extensions).extensions.${system};
-    in
-    {
-      enable = true;
-      enableExtensionUpdateCheck = false;
-      enableUpdateCheck = false;
-      package = pkgs.vscodium;
-      extensions = (with pkgs.vscode-extensions; [
-        jnoortheen.nix-ide
-        ms-python.python
-      ]) ++ (with extensions.open-vsx; [
-        robbowen.synthwave-vscode
-      ]);
-      mutableExtensionsDir = false;
-      userSettings = {
-        "extensions.autoUpdate" = false;
-        "git.autofetch" = true;
-        "git.confirmSync" = false;
-        "git.enableSmartCommit" = true;
-        "javascript.updateImportsOnFileMove.enabled" = "always";
-        "nix.enableLanguageServer" = true;
-        "nix.serverPath" = "nil";
-        "nix.serverSettings".nil = {
-          diagnostics.ignored = [ "unused_binding" "unused_with" ];
-          formatting.command = [ "nixpkgs-fmt" ];
-        };
-        "workbench.colorTheme" = "SynthWave '84";
+  programs.vscode = {
+    enable = true;
+    enableExtensionUpdateCheck = false;
+    enableUpdateCheck = false;
+    package = pkgs.vscodium;
+    extensions = (with pkgs.vscode-extensions; [
+      open-vsx.jnoortheen.nix-ide
+      open-vsx.ms-python.python
+      open-vsx.robbowen.synthwave-vscode
+    ]);
+    mutableExtensionsDir = false;
+    userSettings = {
+      "extensions.autoUpdate" = false;
+      "git.autofetch" = true;
+      "git.confirmSync" = false;
+      "git.enableSmartCommit" = true;
+      "javascript.updateImportsOnFileMove.enabled" = "always";
+      "nix.enableLanguageServer" = true;
+      "nix.serverPath" = "nil";
+      "nix.serverSettings".nil = {
+        diagnostics.ignored = [ "unused_binding" "unused_with" ];
+        formatting.command = [ "nixpkgs-fmt" ];
       };
+      "workbench.colorTheme" = "SynthWave '84";
     };
+  };
 
   # Language servers etc
   home.packages = with pkgs; [

hosts/tohru/configuration.nix

@@ -7,6 +7,7 @@
       ./home.nix
       ../../common/fonts.nix
       ../../common/gaming.nix
+      ./syncthing.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

hosts/tohru/hardware-configuration.nix

@@ -28,6 +28,16 @@
       fsType = "zfs";
     };
 
+  fileSystems."/config" =
+    { device = "rpool/config";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data" =
+    { device = "rpool/data";
+      fsType = "zfs";
+    };
+
   fileSystems."/home" =
     { device = "rpool/home";
       fsType = "zfs";
@@ -39,18 +49,13 @@
       options = [ "fmask=0022" "dmask=0022" ];
     };
 
-  fileSystems."/data" =
-    { device = "rpool/data";
-      fsType = "zfs";
-    };
-
   fileSystems."/data/steam" =
     { device = "rpool/data/steam";
       fsType = "zfs";
     };
 
-  fileSystems."/config" =
-    { device = "rpool/config";
+  fileSystems."/data/syncthing" =
+    { device = "rpool/data/syncthing";
       fsType = "zfs";
     };
 

hosts/tohru/syncthing.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.syncthing = {
+    enable = true;
+    user = "qenya";
+    dataDir = "/data/syncthing";
+    overrideDevices = true;
+    overrideFolders = true;
+    settings = {
+      devices = {
+        "kilgharrah" = { id = "RDT7IGD-76FZ6LY-37PPB2W-DWPQRPR-LZ4AXF7-4GIIHYJ-RVXUUSG-ZXPN3AZ"; };
+      };
+    };
+  };
+}