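{ config, lib, pkgs, ... }:

# Baseline NixOS module shared by every host: auto-imports every *.nix file
# found directly under ./build, ./host and ./user, and sets system-wide
# defaults (nix daemon, sshd, fail2ban, keyboard layout, smartcard/YubiKey
# support, sudo and PAM).

with lib;

let
  hostname = config.instance.hostname;

  # Available to all users on the system. Keep it minimal.
  global-packages = with pkgs; [
    bind
    cryptsetup
    git
    heimdal
    mosh
    openssh_gssapi
    tldr
    vim
    wget
  ];

  # Directories whose top-level *.nix files are pulled in via `imports`
  # (not recursive: only direct children are considered).
  import-paths = [ ./build ./host ./user ];

in {
  imports = let
    # builtins.readDir reports the type as "regular", "directory", "symlink"
    # or "unknown". The previous comparison against "link" could never match,
    # so symlinked module files were silently skipped.
    is-regular-file = filename: type: type == "regular" || type == "symlink";

    # Names of the regular files (and symlinks) directly under `path`.
    regular-files = path:
      attrNames (filterAttrs is-regular-file (builtins.readDir path));

    # builtins.match already anchors against the whole string, and the dot
    # before "nix" is escaped: the old pattern "^(.+).nix$" also accepted
    # names such as "default-nix".
    is-nix-file = filename: (builtins.match ".+\\.nix" filename) != null;

    # Absolute paths of the *.nix files directly under `path`.
    nix-files = path:
      map (file: path + "/${file}") (filter is-nix-file (regular-files path));
  in concatMap nix-files import-paths;

  config = {
    fudo = { hosts."${hostname}".local-networks = [ "::1/128" ]; };

    # `global-packages` was declared but never referenced; install it so the
    # list is actually "available to all users" as its comment says.
    environment.systemPackages = global-packages;

    system = {
      autoUpgrade.enable = false;
      # copySystemConfiguration = true;
    };

    nix = {
      # NOTE(review): pkgs.nixFlakes is an alias of the regular nix package on
      # recent nixpkgs; confirm it still evaluates on the pinned channel.
      package = pkgs.nixFlakes;
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
      optimise = {
        automatic = true;
        dates = [ "weekly" ];
      };
      gc = {
        automatic = true;
        dates = "weekly";
        options = "--delete-older-than 14d";
      };
      settings.auto-optimise-store = true;
    };

    # Pulls in non-redistributable firmware as well; NixOS asserts that
    # nixpkgs.config.allowUnfree is set for this (presumably done elsewhere).
    hardware.enableAllFirmware = true;

    services = {
      openssh = {
        enable = true;
        # Socket-activated: sshd is started per incoming connection.
        startWhenNeeded = true;
        settings = {
          # Reverse-DNS check of the client address; it only affects
          # hostname-based `from=` patterns and adds a lookup per login.
          UseDns = true;
          # Root may log in with keys (or GSSAPI) only, never with a password.
          PermitRootLogin = "prohibit-password";
          # extraConfig = ''
          #   GSSAPIAuthentication yes
          #   GSSAPICleanupCredentials yes
          #   GSSAPIKeyExchange yes
          #   GSSAPIStoreCredentialsOnRekey yes
          # '';
          # FIXME: This is temporary! Getting error: Unsupported KEX algorithm "sntrup761x25519-sha512@openssh.com"
          # kexAlgorithms = [
          #   "curve25519-sha256"
          #   "curve25519-sha256@libssh.org"
          #   "diffie-hellman-group-exchange-sha256"
          # ];
        };
      };

      # Tied to the firewall: a host with the firewall disabled also loses
      # fail2ban, i.e. sshd runs without brute-force throttling there.
      # (An unused `domain-name` binding was dropped from this block.)
      fail2ban = {
        enable = config.networking.firewall.enable;
        bantime-increment.enable = true;
      };

      xserver = {
        layout = "us";
        xkbVariant = "dvp";
        xkbOptions = "ctrl:nocaps";
      };

      # Scrub only when at least one configured filesystem is btrfs.
      btrfs.autoScrub.enable = let
        btrfsFilesystems = filter (fsOpts: fsOpts.fsType == "btrfs")
          (attrValues config.fileSystems);
      in length btrfsFilesystems > 0;

      # Smartcard daemon plus udev rules so YubiKeys are usable by users.
      pcscd.enable = true;
      udev = {
        enable = true;
        packages = with pkgs; [ yubikey-personalization ];
      };
    };

    networking.firewall = {
      # Allow mosh connections if the firewall is enabled
      # NOTE(review): newer NixOS releases open a mosh UDP range on their own;
      # verify this explicit rule is still needed on the pinned release.
      allowedUDPPortRanges = [{
        from = 60000;
        to = 60100;
      }];
    };

    console.useXkbConfig = true;

    i18n.defaultLocale = "en_US.UTF-8";

    programs = {
      mosh.enable = true;

      bash.enableCompletion = true;

      fish.enable = true;

      gnupg.agent = {
        enable = true;
        # enableSSHSupport = true;
        # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
      };

      ssh = { startAgent = true; };
    };

    security = {

      acme.acceptTerms = true;
      sudo.extraConfig = ''
        # rollback results in sudo lectures after each reboot
        Defaults lecture = never
      '';

      pam = {
        # Let a key held by the (forwarded) SSH agent satisfy PAM; presumably
        # used for password-less sudo over SSH -- confirm against the hosts.
        enableSSHAgentAuth = true;

        services = {
          sshd = {
            # Create a missing home directory on first SSH login (useful for
            # accounts that are not defined locally).
            makeHomeDir = true;
            sshAgentAuth = true;
            # This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
            # googleAuthenticator.enable = true;
          };
        };

        # yubikey = {
        #   enable = true;
        #   debug = true;
        #   mode = "challenge-response";
        # };
      };
    };
  };
}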