Merge pull request #125 from pinpox/add-limette

Add limette

flake.nix

@@ -3,6 +3,28 @@
 
   inputs = {
 
+    inovex-mdm = {
+      type = "gitlab";
+      host = "gitlab.inovex.de";
+      owner = "ffranzmann";
+      ref = "master";
+      repo = "mdm-linux-inventory-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.mdm-linux-inventory.follows = "mdm-linux-inventory";
+    };
+
+    mdm-linux-inventory = {
+      type = "gitlab";
+      host = "gitlab.inovex.de";
+      owner = "inovex-it-mdm";
+      ref = "main";
+      repo = "mdm-linux-inventory";
+      flake = false;
+    };
+
+    disko.url = "github:nix-community/disko/latest";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
     caddy-patched = {
       url = "github:pinpox/nixos-caddy-patched";
       inputs.nixpkgs.follows = "nixpkgs";

home-manager/modules/shell/zsh.nix

@@ -82,9 +82,9 @@
       weather = "${pkgs.curl}/bin/curl -4 http://wttr.in/Koeln";
       radio = "${pkgs.mpv}/bin/mpv http://lassul.us:8000/radio.ogg";
 
+      # ${pkgs.yubikey-manager}/bin/ykman oath accounts code | \
       yotp = ''
-        ${pkgs.yubikey-manager}/bin/ykman oath accounts code | \
-         ${pkgs.fzf}/bin/fzf | awk '{print $2}' | ${pkgs.xclip}/bin/xclip -sel clip
+        ${pkgs.fzf}/bin/fzf | awk '{print $2}' | ${pkgs.xclip}/bin/xclip -sel clip
       '';
 
       zzz = "systemctl suspend";

machines/ahorn/configuration.nix

@@ -5,6 +5,7 @@
   pkgs,
   lib,
   nixos-hardware,
+  inovex-mdm,
   ...
 }:
 {
@@ -65,10 +66,20 @@
     nixos-hardware.nixosModules.lenovo-thinkpad-t480s
     ./hardware-configuration.nix
     retiolum.nixosModules.retiolum
+    inovex-mdm.nixosModules.default
 
     #retiolum.nixosModules.ca
   ];
 
+  lollypops.secrets.files."inovex-mdm/mdm-create-token" = { };
+
+  services.inovex-mdm = {
+    enable = true;
+    userhome = "/home/pinpox";
+    tokenFile = "${config.lollypops.secrets.files."inovex-mdm/mdm-create-token".path}";
+    screenLockTimeout = "300";
+  };
+
   programs.sway.enable = true;
 
   hardware.graphics = {
@@ -183,6 +194,17 @@
     enable = true;
     wireguardIp = "192.168.7.2";
     hostname = "ahorn";
-    bootDevice = "/dev/disk/by-uuid/d4b70087-c965-40e8-9fca-fc3b2606a590";
   };
+
+  # Encrypted drive to be mounted by the bootloader. Path of the device will
+  # have to be changed for each install.
+  boot.initrd.luks.devices = {
+    root = {
+      # Get UUID from blkid /dev/sda2
+      device = "/dev/disk/by-uuid/d4b70087-c965-40e8-9fca-fc3b2606a590";
+      preLVM = true;
+      allowDiscards = true;
+    };
+  };
+
 }

machines/kartoffel/configuration.nix

@@ -13,7 +13,17 @@
     enable = true;
     wireguardIp = "192.168.7.3";
     hostname = "kartoffel";
-    bootDevice = "/dev/disk/by-uuid/608e0e77-eea4-4dc4-b88d-76cc63e4488b";
+  };
+
+  # Encrypted drive to be mounted by the bootloader. Path of the device will
+  # have to be changed for each install.
+  boot.initrd.luks.devices = {
+    root = {
+      # Get UUID from blkid /dev/sda2
+      device = "/dev/disk/by-uuid/608e0e77-eea4-4dc4-b88d-76cc63e4488b";
+      preLVM = true;
+      allowDiscards = true;
+    };
   };
 
   pinpox.defaults.CISkip = true;

machines/kfbox/configuration.nix

@@ -10,6 +10,8 @@
 }:
 {
 
+  lollypops.deployment.deploy-method = "archive";
+
   lollypops.secrets.files."ente/credentials.yaml" = {
     owner = "ente";
     group-name = "ente";