nixos-config/defaults.nix

# Ref: https://learnxinyminutes.com/docs/nix/

{ config, pkgs, lib, ... }:

let state-version = "20.03";

in {
  imports = [
    ./hardware-configuration.nix
    ./packages/local.nix
    ./config/local.nix
    ./bash.nix
    <home-manager/nixos>
  ];

  nixpkgs.config.allowUnfree = true;
  security.acme.acceptTerms = true;

  environment.systemPackages = with pkgs; [
    asdf
    atop
    autoconf
    automake
    bash
    boot
    bind
    binutils
    # bpytop
    btrfs-progs
    bundix
    byobu
    cdrtools
    cargo
    certbot
    clang
    curl
    doomEmacsInit
    dpkg
    enca
    fail2ban
    file
    fortune
    gcc
    git
    gnumake
    gnupg
    google-cloud-sdk
    guile
    heimdalFull
    home-manager
    imagemagick
    ipfs
    iptables
    jdk
    jq
    kerberos
    leiningen
    libisofs
    libstdcxxHook
    lispPackages.alexandria
    lispPackages.cl-ppcre
    lispPackages.clx
    lispPackages.quicklisp
    lsof
    lshw
    mkpasswd
    ncurses5
    nixfmt
    nix-index
    nix-prefetch-git
    nmap
    oidentd
    openldap
    openssh
    openssl_1_1
    openssh_gssapi
    pciutils
    pinentry.curses
    pv
    pwgen
    ruby
    rustc
    sbcl
    screen
    service-wrapper
    stdenv
    telnet
    texlive.combined.scheme-basic
    tmux
    unzip
    vim
    wget
    yubikey-manager
    yubikey-personalization
  ];

  system.stateVersion = state-version;

  system.autoUpgrade.enable = true;

  environment.etc.current-nixos-config.source = ./.;

  krb5.enable = true;
  krb5.kerberos = pkgs.heimdalFull;

  services.xserver = {
    layout = "us";
    xkbVariant = "dvp";
    xkbOptions = "ctrl:nocaps";
  };

  console = { useXkbConfig = true; };

  i18n = { defaultLocale = "en_US.UTF-8"; };

  programs = {
    mosh.enable = true;

    ssh = {
      startAgent = false;

      extraConfig = ''
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
      '';
    };

    bash.enableCompletion = true;
    mtr.enable = true;

    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };

    fish = { enable = true; };
  };

  services = {
    emacs = {
      defaultEditor = true;
      enable = true;
    };

    cron = { enable = true; };
    openssh = {
      enable = true;
      startWhenNeeded = true;
      permitRootLogin = "prohibit-password";
      extraConfig = ''
        GSSAPIAuthentication yes
        GSSAPICleanupCredentials yes
      '';
    };

    pcscd = { enable = true; };

    udev.packages = with pkgs; [ yubikey-personalization ];
  };

  environment.shellInit = ''
    gpg-connect-agent /bye
    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  '';

  security.pam = {
    # TODO: add yubico?
    services = {
      sshd = {
        # This should only ask for a code if ~/.google_authenticator exists, but it asks anyway.
        # googleAuthenticator.enable = true;
        makeHomeDir = true;
        sshAgentAuth = true;
      };
    };
  };

  users.extraUsers = {
    node = {
      isSystemUser = true;
      group = "nogroup";
    };
  };

  users.groups = { fudosys = { gid = 888; }; };

  users.extraUsers = {
    niten = {
      isNormalUser = true;
      uid = 10000;
      createHome = true;
      description = "Niten";
      extraGroups = [
        "wheel"
        "audio"
        "video"
        "disk"
        "floppy"
        "lp"
        "cdrom"
        "tape"
        "dialout"
        "adm"
        "input"
        "systemd-journal"
        "fudosys"
        "libvirtd"
      ];
      group = "users";
      home = "/home/niten";
      hashedPassword =
        "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDoWkjyeIfgwm0b78weToVYOQSD0RQ0qbNzpsN5NokbIFv2/980kLtnYrQEgIJ/JwMLlT3uJYacbCT5/a6Fb8oLxNpj0AF1EKaWZ3Rrlg72Sq+9SEwJwWWmZizX83sovMwUBMaUp6jWLhAhPpzBW5pfc5YWoc89wxGbELSwzgt5EgHbSJgvDnaHSp3fVaY01wfDXbL/oO160iNe7wv2HLMZu/FkWBkIjz6HmoGJJzYM89bUpHbyYG28lmCHB/8UPog5/BsjOn3/qupgf4zh6mMdMsXLvbR2jVwVjxcEMj9N5nCvc+Y3oi7Mij6VNrWbhkaAJMEzeMhWYrF3/pFQxUqG37aK3d0gw9kp5tMDLIlAPX4y1lfA87pIzoa0+Alql0CJQA1IJvp9SFG7lBmSthWQLmZvwwfoGg/ZjF6rOgsVoZ8TizpQnydWJDr6NboU9LL9Oa64OM5Rs0AU3cR2UbOF4QIcWFJ/7oDe3dOnfZ8QYqx9eXJyxoAUpDanaaTHYBiAKkeOBwQU+MVLKCcONKw9FZclf/1TpDB5b3/JeUFANjHQTv0UXA4YYU7iCx6H7XB4qwwtU9O19CGQYYfCfULX12/fRpYJw6VJaQWyyU4Bn5dk/dcB2nGI36jwbLMfhbUTIApujioAnd/GQIMakHEZ1+syPhMx9BxMkZb99B0A1Q== openpgp:0x4EC95B64"
      ];
    };
    reaper = {
      isNormalUser = true;
      uid = 10049;
      createHome = true;
      description = "Reaper";
      extraGroups = [
        "wheel"
        "audio"
        "video"
        "disk"
        "floppy"
        "lp"
        "cdrom"
        "tape"
        "dialout"
        "adm"
        "input"
        "systemd-journal"
        "fudosys"
        "libvirtd"
      ];
      group = "users";
      home = "/home/reaper";
      hashedPassword =
        "$6$YVCI6kiGcG5EVMT$t9lYEXjAhbnh7YkvJJPAbrzL8XE/AASsKFlWWeS.fDjBi/8S7zwXTHF0j41nDUfC//3viysn0tIOQKyZTHhzG.";
    };
    fudo = {
      isSystemUser = true;
      uid = 888;
      description = "Fudo System User";
      group = "fudosys";
    };
  };

  home-manager.users = {
    niten = import ./users/niten.nix { inherit config pkgs lib; };
    root = import ./users/root.nix { inherit config pkgs lib; };
  };

  systemd.services.fudo-environment-init = {
    enable = true;
    description = "Fudo common settings.";
    wantedBy = [ "default.target" ];

    # Careful, this WILL run many times
    script = ''
      # Create a directory for system user homedirs if it doesn't already exist
      if [ ! -d /var/home ]; then
        mkdir -p /var/home
        chmod +x /var/home
      fi
    '';
  };

}