colmena/local.nix

@@ -8,6 +8,10 @@ in {
     tags = [ "local" ];
   };
 
+  nixpkgs.config.packageOverrides = pkgs: {
+    agenix = (import "${sources.agenix}" { inherit pkgs; }).agenix;
+  };
+
   environment.systemPackages = with pkgs; [
     agenix
     colmena

colmena/remote.nix

@@ -3,13 +3,9 @@
 {
   deployment = {
     targetHost = "${name}.birdsong.network";
-    targetUser = "qenya";
     tags = [ "remote" ];
   };
 
-  # Required for remote builds
-  security.sudo.wheelNeedsPassword = false;
-
   imports = [
     ../common/openssh.nix
   ];

common/openssh.nix

@@ -12,4 +12,9 @@
   services.fail2ban.enable = true;
 
   networking.firewall.allowedTCPPorts = [ 22 ];
+
+  # Allow remote root login only from home network
+  # TODO: Find a less hacky way of doing remote deployment
+  users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
+  services.openssh.extraConfig = "Match Address 45.14.17.200\n    PermitRootLogin prohibit-password";
 }

common/sudo.nix

@@ -1,5 +0,0 @@
-{ config, lib, pkgs,... }:
-
-{
-  security.sudo.execWheelOnly = true;
-}

hive.nix

@@ -6,24 +6,12 @@ in {
     deployment.replaceUnknownProfiles = false;
     networking.hostName = name;
 
-    nixpkgs.config = {
-      allowUnfree = true;
-      packageOverrides = pkgs: {
-        agenix = (import sources.agenix { inherit pkgs; }).agenix;
-        vscode-extensions = (import sources.nix-vscode-extensions).extensions.x86_64-linux; # TODO: This should check the host architecture
-      };
-    };
-
-    home-manager = {
-      useUserPackages = true;
-      useGlobalPkgs = true;
-    };
+    nixpkgs.config.allowUnfree = true;
 
     imports = [
       (import "${sources.home-manager}/nixos")
       (import "${sources.agenix}/modules/age.nix")
       ./pinning.nix
-      ./common/sudo.nix
       ./common/utilities.nix
       ./users/qenya.nix
     ];

home/vscode.nix

@@ -1,15 +1,22 @@
 { config, lib, pkgs, ... }:
 
 {
-  programs.vscode = {
+  programs.vscode =
+    let
+      system = builtins.currentSystem;
+      sources = import ../npins;
+      extensions = (import sources.nix-vscode-extensions).extensions.${system};
+    in
+    {
       enable = true;
       enableExtensionUpdateCheck = false;
       enableUpdateCheck = false;
       package = pkgs.vscodium;
       extensions = (with pkgs.vscode-extensions; [
-      open-vsx.jnoortheen.nix-ide
-      open-vsx.ms-python.python
-      open-vsx.robbowen.synthwave-vscode
+        jnoortheen.nix-ide
+        ms-python.python
+      ]) ++ (with extensions.open-vsx; [
+        robbowen.synthwave-vscode
       ]);
       mutableExtensionsDir = false;
       userSettings = {

hosts/tohru/configuration.nix

@@ -7,7 +7,6 @@
       ./home.nix
       ../../common/fonts.nix
       ../../common/gaming.nix
-      ./syncthing.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

hosts/tohru/hardware-configuration.nix

@@ -28,16 +28,6 @@
       fsType = "zfs";
     };
 
-  fileSystems."/config" =
-    { device = "rpool/config";
-      fsType = "zfs";
-    };
-
-  fileSystems."/data" =
-    { device = "rpool/data";
-      fsType = "zfs";
-    };
-
   fileSystems."/home" =
     { device = "rpool/home";
       fsType = "zfs";
@@ -49,13 +39,18 @@
       options = [ "fmask=0022" "dmask=0022" ];
     };
 
+  fileSystems."/data" =
+    { device = "rpool/data";
+      fsType = "zfs";
+    };
+
   fileSystems."/data/steam" =
     { device = "rpool/data/steam";
       fsType = "zfs";
     };
 
-  fileSystems."/data/syncthing" =
-    { device = "rpool/data/syncthing";
+  fileSystems."/config" =
+    { device = "rpool/config";
       fsType = "zfs";
     };
 

hosts/tohru/syncthing.nix

@@ -1,16 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  services.syncthing = {
-    enable = true;
-    user = "qenya";
-    dataDir = "/data/syncthing";
-    overrideDevices = true;
-    overrideFolders = true;
-    settings = {
-      devices = {
-        "kilgharrah" = { id = "RDT7IGD-76FZ6LY-37PPB2W-DWPQRPR-LZ4AXF7-4GIIHYJ-RVXUUSG-ZXPN3AZ"; };
-      };
-    };
-  };
-}