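# common
#
# Base NixOS module shared across hosts: Nix daemon settings, agenix-managed
# secrets, locale/console, privilege escalation policy, OpenSSH with
# certificate-based host and user authentication, and the static user set.
#
# Module arguments: `outputs` supplies the flake's overlays and secret paths,
# `config` is used to resolve agenix secret paths at evaluation time.
{ inputs, outputs, lib, config, pkgs, ... }:

{
  nix = {
    # NOTE(review): `pkgs.nixFlakes` is the older alias; recent nixpkgs expose
    # the same package as `pkgs.nixVersions.stable`. Left unchanged so the
    # module keeps evaluating on the nixpkgs revision this flake pins.
    package = pkgs.nixFlakes;

    # Binary-cache signing key. The path is taken from the agenix secret
    # declared below rather than repeated as a literal, so the two cannot
    # drift apart (the resulting option text is unchanged).
    extraOptions = ''
      experimental-features = nix-command flakes
      secret-key-files = ${config.age.secrets.cache-priv-key.path}
    '';

    optimise.automatic = true;

    gc = {
      automatic = true;
      options = "--delete-older-than 30d";
    };
  };

  nixpkgs = {
    overlays = [
      outputs.overlays.additions
      outputs.overlays.modifications
    ];
    config.allowUnfree = true;
  };

  # Identities agenix uses to decrypt secrets on this host. The SSH host key
  # lives on the persisted mount so it survives an ephemeral root filesystem.
  age.identityPaths = [
    "/mnt/persist/etc/ssh/ssh_host_ed25519_key"
    # "/mnt/persist/home/rilla/configs/age/identities/yk_nano"
    # "/mnt/persist/home/rilla/configs/age/identities/yk_nfc"
  ];

  age.secrets = with outputs.secrets; {
    root-passwordfile.file = user-passwordfiles.root;
    rilla-passwordfile.file = user-passwordfiles.rilla;

    # Nix store signing key: root-only, readable by the nix-daemon, installed
    # at the fixed path that `nix.extraOptions` references above.
    cache-priv-key = {
      file = cache-priv-key;
      mode = "400";
      owner = "root";
      group = "root";
      path = "/etc/nix/cache-priv-key.pem";
    };
  };

  time.timeZone = "Europe/Madrid";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  security = {
    # doas replaces sudo on these hosts. The rule grants every member of
    # `wheel` passwordless root with the caller's environment preserved
    # (`keepEnv`), so any compromise of a wheel account is an immediate,
    # unprompted root escalation; both `rilla` and the `dags` system user
    # below are wheel members. The policy is the author's choice (deploy-rs
    # style non-interactive deployments need it) and is kept as-is.
    doas = {
      enable = true;
      extraRules = [{
        groups = [ "wheel" ];
        keepEnv = true;
        noPass = true;
      }];
    };
    sudo.enable = false;
  };

  environment.systemPackages = with pkgs; [ git vim wget just ripgrep deploy-rs ];

  # User CA public key consumed by sshd's `TrustedUserCAKeys` below.
  # `environment.etc.<name>.target` is interpreted relative to /etc, so the
  # target is given without the `/etc/` prefix; the original `/etc/ssh/...`
  # form could otherwise have been materialised under /etc/etc/.
  environment.etc = {
    user-ca-pub = {
      target = "ssh/user_ca.pub";
      source = ./user_ca.pub;
    };
  };

  services.openssh = {
    enable = true;

    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };

    hostKeys = [{
      path = "/etc/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }];

    # Trust the fleet host CA for the listed names. Note that the `10.*`
    # pattern extends that trust to any host reachable under 10.0.0.0/8.
    knownHosts = {
      "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,cuina,trantor,capibara,axolotl" =
        {
          certAuthority = true;
          publicKey =
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxdd host_ca";
        };
    };

    # NOTE(review): the host certificate file referenced here is not
    # provisioned by this module — presumably signed and placed out of band;
    # sshd logs an error and serves no certificate if it is missing.
    extraConfig = ''
      HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
      TrustedUserCAKeys /etc/ssh/user_ca.pub
    '';
  };

  # Declarative users only: accounts and password hashes come from this
  # module and the agenix secrets above, not from imperative edits.
  users.mutableUsers = false;

  users.groups = {
    dags.gid = 506;
  };

  users.users = {
    # NOTE(review): `passwordFile` was renamed to `hashedPasswordFile` in
    # newer NixOS releases; the old name is kept for the pinned release.
    root.passwordFile = config.age.secrets.root-passwordfile.path;

    rilla = {
      uid = 1000;
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      passwordFile = config.age.secrets.rilla-passwordfile.path;
    };

    # Service account with a locked password (`*`) and no home directory;
    # its wheel membership still grants it passwordless doas (see above).
    dags = {
      uid = 506;
      group = "dags";
      extraGroups = [ "wheel" ];
      createHome = false;
      isSystemUser = true;
      password = "*";
      useDefaultShell = true;
    };
  };
}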