143 lines
2.8 KiB
Nix
143 lines
2.8 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
# Available to all users on the system. Keep it minimal.
|
|
global-packages = with pkgs; [
|
|
bind
|
|
cryptsetup
|
|
git
|
|
heimdal
|
|
openssh_gssapi
|
|
tldr
|
|
vim
|
|
wget
|
|
];
|
|
|
|
in {
|
|
environment = {
|
|
etc.nixos-live.source = ../../.;
|
|
|
|
systemPackages = global-packages;
|
|
|
|
# shellInit = ''
|
|
# ${pkgs.gnupg}/bin/gpg-connect-agent /bye
|
|
# export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
|
|
# '';
|
|
};
|
|
|
|
nix = {
|
|
package = pkgs.nixFlakes;
|
|
extraOptions = ''
|
|
experimental-features = nix-command flakes
|
|
'';
|
|
};
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
security.acme.acceptTerms = true;
|
|
hardware.enableRedistributableFirmware = true;
|
|
|
|
krb5 = {
|
|
enable = true;
|
|
|
|
appdefaults = {
|
|
forwardable = true;
|
|
proxiable = true;
|
|
encrypt = true;
|
|
forward = true;
|
|
};
|
|
|
|
libdefaults = {
|
|
allow_weak_crypto = true;
|
|
dns_lookup_kdc = true;
|
|
dns_lookup_realm = true;
|
|
forwardable = true;
|
|
proxiable = true;
|
|
};
|
|
|
|
kerberos = pkgs.heimdalFull;
|
|
};
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
startWhenNeeded = true;
|
|
useDns = true;
|
|
permitRootLogin = "prohibit-password";
|
|
extraConfig = ''
|
|
GSSAPIAuthentication yes
|
|
GSSAPICleanupCredentials yes
|
|
GSSAPIKeyExchange yes
|
|
GSSAPIStoreCredentialsOnRekey yes
|
|
'';
|
|
};
|
|
|
|
fail2ban =
|
|
let domain-name = config.fudo.hosts.${config.instance.hostname}.domain;
|
|
in {
|
|
enable = config.networking.firewall.enable;
|
|
bantime-increment.enable = true;
|
|
ignoreIP = config.fudo.domains.${domain-name}.local-networks;
|
|
};
|
|
|
|
xserver = {
|
|
layout = "us";
|
|
xkbVariant = "dvp";
|
|
xkbOptions = "ctrl:nocaps";
|
|
};
|
|
|
|
# pcscd.enable = true;
|
|
# udev.packages = with pkgs; [ yubikey-personalization ];
|
|
};
|
|
|
|
networking.firewall = {
|
|
# Allow mosh connections if the firewall is enabled
|
|
allowedUDPPortRanges = [{
|
|
from = 60000;
|
|
to = 60100;
|
|
}];
|
|
};
|
|
|
|
console.useXkbConfig = true;
|
|
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
programs = {
|
|
mosh.enable = true;
|
|
|
|
bash.enableCompletion = true;
|
|
|
|
fish.enable = true;
|
|
|
|
gnupg.agent = {
|
|
enable = true;
|
|
# enableSSHSupport = true;
|
|
# pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
|
|
};
|
|
|
|
ssh = {
|
|
startAgent = true;
|
|
|
|
package = pkgs.openssh_gssapi;
|
|
|
|
extraConfig = ''
|
|
GSSAPIAuthentication yes
|
|
GSSAPIDelegateCredentials yes
|
|
'';
|
|
};
|
|
};
|
|
|
|
security.pam = {
|
|
enableSSHAgentAuth = true;
|
|
|
|
services = {
|
|
sshd = {
|
|
makeHomeDir = true;
|
|
sshAgentAuth = true;
|
|
# This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
|
|
# googleAuthenticator.enable = true;
|
|
};
|
|
};
|
|
};
|
|
}
|