Zuckerberg
71baa09bd2
Highlights - No need to update flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets automatically are grouped and show up in agenix secrets.nix - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now competely isolated into each machine's directory. - Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.
54 lines
1.2 KiB
Nix
54 lines
1.2 KiB
Nix
{ config, pkgs, modulesPath, ... }:
|
|
|
|
{
|
|
imports = [
|
|
(modulesPath + "/installer/cd-dvd/channel.nix")
|
|
../../common/machine-info
|
|
../../common/ssh.nix
|
|
];
|
|
|
|
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
|
|
boot.kernelParams = [
|
|
"panic=30"
|
|
"boot.panic_on_fail" # reboot the machine upon fatal boot issues
|
|
"console=ttyS0,115200" # enable serial console
|
|
"console=tty1"
|
|
];
|
|
boot.kernel.sysctl."vm.overcommit_memory" = "1";
|
|
|
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
|
|
|
system.stateVersion = "21.11";
|
|
|
|
# hardware.enableAllFirmware = true;
|
|
# nixpkgs.config.allowUnfree = true;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
cryptsetup
|
|
btrfs-progs
|
|
git
|
|
git-lfs
|
|
wget
|
|
htop
|
|
dnsutils
|
|
pciutils
|
|
usbutils
|
|
lm_sensors
|
|
];
|
|
|
|
environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
|
|
|
|
networking.useDHCP = true;
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
KbdInteractiveAuthentication = false;
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
|
|
services.getty.autologinUser = "root";
|
|
users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
|
|
}
|