
  1. { config, pkgs, ... }:
  2. {
  3. imports = [
  4. ./hardware-configuration.nix
  5. ./network-configuration.nix
  6. <sops-nix/modules/sops>
  7. ];
  8. boot.tmp.cleanOnBoot = true;
  9. zramSwap.enable = true;
  10. networking.hostName = "edrahil";
  11. networking.firewall = {
  12. enable = true;
  13. allowedTCPPorts = [
  14. 113
  15. 2222
  16. ];
  17. };
  18. sops = {
  19. defaultSopsFile = builtins.path {
  20. path = /etc/nixos/secrets.yaml;
  21. name = "edrahil-secrets.yaml";
  22. };
  23. secrets.restic_password = {
  24. owner = config.users.users.djm.name;
  25. };
  26. };
  27. services.openssh = {
  28. enable = true;
  29. ports = [ 2222 ];
  30. settings = {
  31. PermitRootLogin = "no";
  32. PasswordAuthentication = false;
  33. KbdInteractiveAuthentication = false;
  34. };
  35. allowSFTP = true;
  36. extraConfig = ''
  37. #AllowTcpForwarding yes
  38. X11Forwarding no
  39. AllowAgentForwarding no
  40. AllowStreamLocalForwarding no
  41. AuthenticationMethods publickey
  42. AllowUsers djm
  43. '';
  44. };
  45. services.sshguard.enable = true;
  46. services.oidentd.enable = true;
  47. services.locate = {
  48. enable = true;
  49. package = pkgs.plocate;
  50. localuser = null;
  51. };
  52. services.restic = {
  53. backups = {
  54. hb = {
  55. paths = [ "${config.users.users.djm.home}" ];
  56. repository = "sftp:djm@hb-backup:/home/djm/backup/edrahil";
  57. initialize = true;
  58. user = "djm";
  59. environmentFile = "/etc/restic-environment";
  60. passwordFile = config.sops.secrets.restic_password.path;
  61. timerConfig = {
  62. OnCalendar = "02:25";
  63. RandomizedDelaySec = "20min";
  64. };
  65. exclude = [
  66. "irclogs"
  67. ".cache"
  68. ".config"
  69. ".directory_history"
  70. ".local"
  71. "nixpkgs"
  72. ];
  73. extraBackupArgs = [
  74. "--compression=max"
  75. ];
  76. pruneOpts = [
  77. "--keep-daily 5"
  78. "--keep-weekly 2"
  79. "--keep-monthly 3"
  80. ];
  81. };
  82. bs = {
  83. paths = [ "${config.users.users.djm.home}" ];
  84. repository = "sftp:djm@bs-backup:/home/djm/backup/edrahil";
  85. initialize = true;
  86. user = "djm";
  87. environmentFile = "/etc/restic-environment";
  88. passwordFile = config.sops.secrets.restic_password.path;
  89. timerConfig = {
  90. OnCalendar = "03:15";
  91. RandomizedDelaySec = "20min";
  92. };
  93. exclude = [
  94. "irclogs"
  95. ".cache"
  96. ".config"
  97. ".directory_history"
  98. ".local"
  99. "nixpkgs"
  100. ];
  101. extraBackupArgs = [
  102. "--compression=max"
  103. ];
  104. pruneOpts = [
  105. "--keep-daily 5"
  106. "--keep-weekly 2"
  107. "--keep-monthly 3"
  108. ];
  109. };
  110. tt = {
  111. paths = [ "${config.users.users.djm.home}" ];
  112. repository = "sftp:djm@tt-backup:/home/djm/backup/edrahil";
  113. initialize = true;
  114. user = "djm";
  115. environmentFile = "/etc/restic-environment";
  116. passwordFile = config.sops.secrets.restic_password.path;
  117. timerConfig = {
  118. OnCalendar = "04:05";
  119. RandomizedDelaySec = "20min";
  120. };
  121. exclude = [
  122. "irclogs"
  123. ".cache"
  124. ".config"
  125. ".directory_history"
  126. ".local"
  127. "nixpkgs"
  128. ];
  129. extraBackupArgs = [
  130. "--compression=max"
  131. ];
  132. pruneOpts = [
  133. "--keep-daily 5"
  134. "--keep-weekly 2"
  135. "--keep-monthly 3"
  136. ];
  137. };
  138. };
  139. };
  140. time.timeZone = "Europe/London";
  141. users.users.djm = {
  142. isNormalUser = true;
  143. home = "/home/djm";
  144. description = "David Morgan";
  145. extraGroups = [
  146. "wheel"
  147. "plocate"
  148. ];
  149. shell = pkgs.zsh;
  150. openssh.authorizedKeys.keys = [
  151. "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCurCpxZCHtByB5wXzsjTXwMyDSB4+B8rq5XY6EGss58NwD8jc5cII4i+QUbCOGTiAggSZUSC9YIP24hjpOeNT/IYs5m7Qn1B9MtBAiUSrIYew8eDwnMLlPzN+k2x9zCrJeCHIvGJaFHPXTh1Lf5Jt2fPVGW9lksE/XUVOe6ht4N/b+nqqszXFhc8Ug6le2bC1YeTCVEf8pjlh/I7DkDBl6IB8uEXc3X2vxxbV0Z4vlBrFkkAywcD3j5VlS/QYfBr4BICNmq/sO3fMkbMbtAPwuFxeL4+h6426AARQZiSS0qVEc8OoFRBVx3GEH5fqVAWfB1geyLzei22HbjUcT9+xN davidmo@gendros"
  152. "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9UDTaVnUOU/JknrNdihlhhGOk53LmHq9I1ASri3aga djm@gaius"
  153. ];
  154. };
  155. security.sudo.extraConfig = ''
  156. djm ALL=(ALL) NOPASSWD: ALL
  157. '';
  158. security.doas = {
  159. enable = true;
  160. extraRules = [
  161. {
  162. users = [ "djm" ];
  163. noPass = true;
  164. keepEnv = true;
  165. }
  166. ];
  167. };
  168. programs.zsh.enable = true;
  169. programs.vim = {
  170. enable = true;
  171. defaultEditor = true;
  172. };
  173. environment.etc = {
  174. "restic-environment" = {
  175. text = ''
  176. RESTIC_COMPRESSION=max
  177. '';
  178. };
  179. };
  180. environment.systemPackages = with pkgs; [
  181. #procmail
  182. git
  183. wget
  184. ];
  185. nix.settings.trusted-users = [
  186. "root"
  187. "djm"
  188. ];
  189. nix.optimise.automatic = true;
  190. nix.optimise.dates = [ "03:00" ];
  191. i18n.defaultLocale = "en_GB.UTF-8";
  192. system.stateVersion = "22.05";
  193. }