Highlights - No need to update the flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets are automatically grouped and show up in agenix secrets.nix. - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now completely isolated into each machine's directory. - Safety checks ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys are no longer centrally stored but instead kept per machine, where the private key lies, for better cleanup.
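{ config, pkgs, ... }:

# Baseline NixOS configuration shared by every machine. Per-machine
# properties and secrets live in each machine's own directory (see the
# ./machine-info import); this file holds only the defaults every host gets.
{
  imports = [
    ./backups.nix
    ./flakes.nix
    ./auto-update.nix
    ./shell.nix
    ./network
    ./boot
    ./server
    ./pc
    ./machine-info
    ./ssh.nix
  ];

  nix.flakes.enable = true;

  system.stateVersion = "21.11";

  # No global DHCP; interface addressing is presumably handled in ./network.
  networking.useDHCP = false;

  networking.firewall.enable = true;
  networking.firewall.allowPing = true;

  time.timeZone = "America/Denver";
  i18n.defaultLocale = "en_US.UTF-8";

  services.openssh = {
    enable = true;
    settings = {
      # Key-only logins. PasswordAuthentication on its own leaves the
      # keyboard-interactive method (which NixOS enables by default) available
      # to PAM, so it is switched off explicitly as well; together with the
      # NixOS default PermitRootLogin = "prohibit-password" this is what makes
      # the authorizedKeys lists below the only way in.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
  # NOTE(review): the mosh module opens its UDP port range in the firewall
  # by default — confirm that is intended on hosts that are not servers.
  programs.mosh.enable = true;

  environment.systemPackages = with pkgs; [
    wget
    kakoune
    htop
    git
    git-lfs
    dnsutils
    tmux
    nethogs
    iotop
    pciutils
    usbutils
    killall
    screen
    micro
    helix
    lm_sensors
    picocom
    lf
  ];

  nixpkgs.config.allowUnfree = true;

  # Users are fully declarative: nothing set at runtime (passwd, useradd)
  # survives a rebuild.
  users.mutableUsers = false;
  users.users.googlebot = {
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "dialout" # serial
    ];
    shell = pkgs.fish;
    # Per-machine public keys collected by ./machine-info / ./ssh.nix.
    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
    # NOTE(review): this hash ships with the repository; if the repository is
    # public it can be attacked offline. hashedPasswordFile (read from a
    # secret at activation) keeps the same login behaviour without that.
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
    uid = 1000;
  };
  users.users.root = {
    # Deployment keys only; with the sshd settings above root cannot log in
    # any other way.
    openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
  };

  nix.settings = {
    # trusted-users may pass arbitrary settings (substituters, sandbox
    # options, ...) to the daemon, which is effectively root access; keep
    # this list to accounts that are already in wheel.
    trusted-users = [ "root" "googlebot" ];
  };

  # don't use sudo
  security.doas.enable = true;
  security.sudo.enable = false;
  security.doas.extraRules = [
    # don't ask for password every time: persist caches a successful
    # authentication for a while, so a password is still required initially
    # (no noPass here).
    { groups = [ "wheel" ]; persist = true; }
  ];

  nix.gc.automatic = true;

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "zuckerberg@neet.dev";
}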