
  # NixOS system configuration for host "djmuk2".
  #
  # Access model as written in this file: one SSH user (djm), public-key
  # authentication only, and that user gets passwordless root through both sudo
  # and doas and is also a Nix trusted user. The rest is service plumbing
  # (iSCSI initiator, ident responder, locate, sshguard).
  { config, pkgs, ... }:

  let
    # File the iSCSI initiator name is read from at evaluation time. See the
    # openiscsi section for how it is populated and why it is done this way.
    openiscsiNameFile = "/root/.config/secrets/openiscsi_name";
  in
  {
    imports = [ ./hardware-configuration.nix ];

    # Wipe /tmp on every boot and use compressed RAM as swap.
    boot.tmp.cleanOnBoot = true;
    zramSwap.enable = true;

    networking = {
      hostName = "djmuk2";
      firewall = {
        enable = true;
        # 113/tcp is the ident port answered by oidentd (enabled under
        # services). SSH is not listed here; presumably the openssh module opens
        # its own port via its openFirewall default — verify against the live
        # ruleset rather than trusting this comment.
        allowedTCPPorts = [ 113 ];
      };
    };

    services = {
      openssh = {
        enable = true;
        settings = {
          PermitRootLogin = "no";
          # Password and keyboard-interactive logins are both off, so keys are
          # the only way in (AuthenticationMethods below restates this).
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
        };
        # Options not expressed through `settings`. NOTE(review):
        # AllowTcpForwarding is left commented out, i.e. at sshd's built-in
        # default rather than pinned like the other forwarding options — confirm
        # that port forwarding through this host is wanted; otherwise add
        # `AllowTcpForwarding no` next to the lines below.
        extraConfig = ''
          #AllowTcpForwarding yes
          X11Forwarding no
          AllowAgentForwarding no
          AllowStreamLocalForwarding no
          AuthenticationMethods publickey
          AllowUsers djm
        '';
      };

      # Brute-force blocker for sshd; log source and firewall backend are left
      # to the module's defaults.
      sshguard.enable = true;

      # Ident responder behind the 113/tcp firewall hole above. NOTE(review): an
      # ident daemon reports which local user owns a given connection to anyone
      # who can reach port 113 — confirm that disclosure is acceptable here.
      oidentd.enable = true;

      locate = {
        enable = true;
        package = pkgs.plocate;
        # No dedicated updatedb user; djm is instead put in the "plocate" group
        # under users.users.djm, which presumably grants database access.
        localuser = null;
      };

      # Emulates sops-nix by hand. Technically an anti-pattern, but this value
      # is not a real secret, and it has to be embedded here because the option
      # takes the string itself — there is no way to point it at a file to read
      # from at activation time.
      # Populate/update with:
      #   SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["openiscsi_name"]' machines/djmuk2/secrets.yaml | doas tee /root/.config/secrets/openiscsi_name
      # Consequences of builtins.readFile: the file contents end up in the Nix
      # store (world-readable), and evaluation itself needs read access to
      # /root/.config. NOTE(review): presumably rebuilds run as root and not in
      # pure/flake evaluation mode (where an absolute path outside the source
      # tree is rejected) — confirm.
      openiscsi = {
        enable = true;
        name = builtins.readFile openiscsiNameFile;
        # enableAutoLoginOut = true;
      };
    };

    users.users.djm = {
      isNormalUser = true;
      home = "/home/djm";
      description = "David Morgan";
      shell = pkgs.zsh;
      # wheel: admin group; plocate: see services.locate above.
      extraGroups = [
        "wheel"
        "plocate"
      ];
      # With key-only sshd above, these two keys are the only credentials that
      # grant access to this host.
      openssh.authorizedKeys.keys = [
        # 2048-bit RSA key (modulus length is encoded in the blob).
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCurCpxZCHtByB5wXzsjTXwMyDSB4+B8rq5XY6EGss58NwD8jc5cII4i+QUbCOGTiAggSZUSC9YIP24hjpOeNT/IYs5m7Qn1B9MtBAiUSrIYew8eDwnMLlPzN+k2x9zCrJeCHIvGJaFHPXTh1Lf5Jt2fPVGW9lksE/XUVOe6ht4N/b+nqqszXFhc8Ug6le2bC1YeTCVEf8pjlh/I7DkDBl6IB8uEXc3X2vxxbV0Z4vlBrFkkAywcD3j5VlS/QYfBr4BICNmq/sO3fMkbMbtAPwuFxeL4+h6426AARQZiSS0qVEc8OoFRBVx3GEH5fqVAWfB1geyLzei22HbjUcT9+xN davidmo@gendros"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9UDTaVnUOU/JknrNdihlhhGOk53LmHq9I1ASri3aga djm@gaius"
      ];
    };

    security = {
      # NOTE(review): two independent passwordless root paths exist for djm
      # (sudo NOPASSWD and doas noPass). Given key-only SSH this may be the
      # intended trust model, but keeping only one of them would shrink the
      # setuid surface. keepEnv additionally hands djm's full environment to the
      # root process — confirm that is actually required.
      sudo.extraConfig = ''
        djm ALL=(ALL) NOPASSWD: ALL
      '';
      doas = {
        enable = true;
        extraRules = [
          {
            users = [ "djm" ];
            noPass = true;
            keepEnv = true;
          }
        ];
      };
    };

    programs = {
      zsh.enable = true;
      vim = {
        enable = true;
        defaultEditor = true;
      };
    };

    environment.systemPackages = with pkgs; [
      # procmail
      git
      wget
    ];

    nix = {
      # Trusted users may pass daemon settings (e.g. extra substituters), which
      # is generally treated as root-equivalent; consistent with djm already
      # holding passwordless root above.
      settings.trusted-users = [
        "root"
        "djm"
      ];
      # Nightly store deduplication.
      optimise = {
        automatic = true;
        dates = [ "03:00" ];
      };
    };

    i18n.defaultLocale = "en_GB.UTF-8";

    # Records the release this host was first installed with; not a version to
    # bump on upgrade.
    system.stateVersion = "22.05";
  }