# Host module for a machine whose root dataset is rolled back to a blank ZFS
# snapshot on every boot (see boot.initrd.postDeviceCommands below).  Anything
# that has to survive a reboot lives under `stateDir` and is wired back into
# place from here: /etc files, root's ssh/gnupg material, the sshd host keys
# and the Kerberos keytab.
{ config, lib, pkgs, ... }:

let
  primary-ip = "10.0.0.21";
  # Persistent ZFS-backed location that is not part of the rolled-back root.
  stateDir = "/state";
in
{
  config = {
    # TODO: remove?  Whitelists an OpenSSH build that nixpkgs marks insecure
    # (CVE-2021-28041); the GSSAPI variant is still needed alongside the
    # Kerberos keytab below.
    nixpkgs.config.permittedInsecurePackages = [
      "openssh-with-gssapi-8.4p1"
    ];

    system.stateVersion = "20.09";

    # Files under /etc that must persist across the per-boot rollback.
    environment.etc = {
      nixos.source = "${stateDir}/nixos";
      "host-config.nix".source = "${stateDir}/etc/host-config.nix";
      NIXOS.source = "${stateDir}/etc/NIXOS";
      machine-id.source = "${stateDir}/etc/machine-id";
      adjtime.source = "${stateDir}/etc/adjtime";
      # Kerberos keytab: root-only, never world/group readable.
      "krb5.keytab" = {
        source = "${stateDir}/etc/plato.keytab";
        user = "root";
        group = "root";
        mode = "0600";
      };
    };

    # Discard all changes to the root dataset before it is mounted; appended
    # after the stock device setup so the pool is already imported.
    boot.initrd.postDeviceCommands = lib.mkAfter ''
      ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
    '';

    # sudo tracks "already lectured" state on the root fs, which the rollback
    # wipes, so the lecture is disabled outright in sudoers.
    security.sudo.extraConfig = ''
      # rollback results in sudo lectures after each reboot
      Defaults lecture = never
    '';

    # Symlinks from the ephemeral root into the persistent state tree for
    # root's key material and the sshd host keys.
    systemd.tmpfiles.rules = [
      "L /root/.gnupg - - - - ${stateDir}/root/gnupg"
      # "L /root/.emacs.d - - - - /state/root/emacs.d"
      "L /root/.ssh/id_rsa - - - - ${stateDir}/root/ssh/id_rsa"
      "L /root/.ssh/id_rsa.pub - - - - ${stateDir}/root/ssh/id_rsa.pub"
      "L /root/.ssh/known_hosts - - - - ${stateDir}/root/ssh/known_hosts"
      # Same files that services.openssh.hostKeys points at directly; these
      # links only keep the conventional /etc/ssh paths valid.
      "L /etc/ssh/ssh_host_ed25519_key - - - - ${stateDir}/ssh/ssh_host_ed25519_key"
      "L /etc/ssh/ssh_host_rsa_key - - - - ${stateDir}/ssh/ssh_host_rsa_key"
    ];

    # Static addressing on the internal interface (10.0.0.0/22).
    networking = {
      interfaces.intif0 = {
        useDHCP = false;
        ipv4.addresses = [
          {
            address = primary-ip;
            prefixLength = 22;
          }
        ];
      };
      defaultGateway = {
        interface = "intif0";
        address = "10.0.0.1";
      };
    };

    # sshd reads (and, if missing, generates) its host keys straight from the
    # persistent tree so they are stable across rollbacks.
    services.openssh.hostKeys = [
      {
        type = "ed25519";
        path = "${stateDir}/ssh/ssh_host_ed25519_key";
      }
      {
        type = "rsa";
        bits = 4096;
        path = "${stateDir}/ssh/ssh_host_rsa_key";
      }
    ];
  };
}