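# Base NixOS module: Nix daemon settings, locale/console, privilege
# escalation (doas instead of sudo), OpenSSH with certificate-based host and
# user authentication, and the declarative user/group set.
{ inputs, outputs, lib, config, pkgs, ... }:
{
  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    optimise.automatic = true;
    # Periodic garbage collection; generations older than 30 days are removed.
    gc = {
      automatic = true;
      options = "--delete-older-than 30d";
    };
  };

  nixpkgs = {
    overlays = [
      outputs.overlays.additions
      outputs.overlays.modifications
      # outputs.overlays.stable-packages
    ];
    config.allowUnfree = true;
  };

  time.timeZone = "Europe/Madrid";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  security = {
    doas = {
      enable = true;
      # NOTE(review): every member of "wheel" becomes root without a password
      # and with the caller's environment preserved (keepEnv). Any account in
      # wheel is therefore root-equivalent; keep the group membership below as
      # small as possible and consider dropping keepEnv/noPass where an
      # interactive password prompt is acceptable.
      extraRules = [{
        groups = [ "wheel" ];
        keepEnv = true;
        noPass = true;
      }];
    };
    sudo.enable = false;
  };

  environment.systemPackages = with pkgs; [
    git
    vim
    wget
    just
    ripgrep
    deploy-rs
  ];

  services.openssh = {
    enable = true;
    settings = {
      # Root cannot log in over SSH and password logins are disabled.
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
    # Only an ed25519 host key is configured.
    hostKeys = [{
      path = "/etc/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }];
    knownHosts = {
      # certAuthority = true marks this key as a host CA: any host matching
      # these patterns is accepted when it presents a certificate signed by
      # this key. NOTE(review): "10.*" matches every address starting with
      # "10.", so the trust scope is only as narrow as the CA's signing policy.
      "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,snitch,trantor,capibara,axolotl" = {
        certAuthority = true;
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxdd host_ca";
      };
    };
    # sshd presents a host certificate and accepts user certificates signed by
    # the CA in /etc/ssh/user_ca.pub. Neither file is created by this module;
    # presumably they are provisioned out of band (confirm). Anyone holding
    # the user CA private key can mint a login for any non-root account here,
    # and with the doas rule above a wheel login is root.
    extraConfig = ''
      HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
      TrustedUserCAKeys /etc/ssh/user_ca.pub
    '';
  };

  # Users and groups are fully declarative; changes made with passwd/useradd
  # on the running system are not kept.
  users.mutableUsers = false;

  users.groups = {
    dags.gid = 506;
  };

  users.users = {
    # NOTE(review): root and rilla carry the same SHA-512 crypt hash (same
    # salt, same digest), i.e. the same password, and the hash is readable
    # both in this repository and in the world-readable Nix store. Consider
    # distinct passwords and hashedPasswordFile backed by a secret kept
    # outside the store.
    root = {
      initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
    };

    rilla = {
      uid = 1000;
      isNormalUser = true;
      # wheel membership is what grants passwordless root through the doas
      # rule above (sudo itself is disabled).
      extraGroups = [ "wheel" ];
      initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
    };

    dags = {
      uid = 506;
      group = "dags";
      # NOTE(review): a system account in wheel with a login shell is
      # root-equivalent under the doas rule above; confirm it needs wheel.
      extraGroups = [ "wheel" ];
      createHome = false;
      isSystemUser = true;
      # Fix: `password` takes a clear-text password, so `password = "*"` set
      # the literal one-character password "*" on a wheel account. "*" in the
      # hash field is what disables password login, which appears to be the
      # intent here.
      hashedPassword = "*";
      useDefaultShell = true;
    };
  };
}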