forked from pub-solar/os
teutat3s
6fd2903516
from defaults NixOS default openssh MACs have changed to use "encrypt-then-mac" only. This breaks compatibilty with clients that do not offer these MACs. For compatibility reasons, we add back the old defaults. See: https://github.com/NixOS/nixpkgs/pull/231165 https://blog.stribik.technology/2015/01/04/secure-secure-shell.html https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
166 lines
4.4 KiB
Nix
166 lines
4.4 KiB
Nix
{
|
||
config,
|
||
latestModulesPath,
|
||
lib,
|
||
inputs,
|
||
pkgs,
|
||
profiles,
|
||
self,
|
||
...
|
||
}: let
|
||
psCfg = config.pub-solar;
|
||
in {
|
||
imports = [
|
||
# Include the results of the hardware scan.
|
||
./hardware-configuration.nix
|
||
./triton-vmtools.nix
|
||
|
||
./caddy.nix
|
||
./drone.nix
|
||
./keycloak.nix
|
||
./gitea.nix
|
||
./mailman.nix
|
||
./owncast.nix
|
||
|
||
profiles.base-user
|
||
profiles.users.root # make sure to configure ssh keys
|
||
profiles.users.barkeeper
|
||
|
||
"${latestModulesPath}/services/misc/gitea.nix"
|
||
];
|
||
disabledModules = [
|
||
"services/misc/gitea.nix"
|
||
];
|
||
|
||
config = {
|
||
# # #
|
||
# # # pub.solar options
|
||
# # #
|
||
pub-solar.core = {
|
||
disk-encryption-active = false;
|
||
iso-options.enable = true;
|
||
lite = true;
|
||
};
|
||
|
||
# Allow sudo without a password for the barkeeper user
|
||
security.sudo.extraRules = [
|
||
{
|
||
users = ["${psCfg.user.name}"];
|
||
commands = [
|
||
{
|
||
command = "ALL";
|
||
options = ["NOPASSWD"];
|
||
}
|
||
];
|
||
}
|
||
];
|
||
|
||
# Override nix.conf for more agressive garbage collection
|
||
nix.extraOptions = lib.mkForce ''
|
||
min-free = 536870912
|
||
keep-outputs = false
|
||
keep-derivations = false
|
||
fallback = true
|
||
'';
|
||
|
||
# Machine user for CI pipelines
|
||
users.users.hakkonaut = {
|
||
description = "CI and automation user";
|
||
home = "/var/nix/iso-cache";
|
||
useDefaultShell = true;
|
||
uid = 998;
|
||
group = "hakkonaut";
|
||
isSystemUser = true;
|
||
openssh.authorizedKeys.keys = [
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
|
||
];
|
||
};
|
||
|
||
users.groups.hakkonaut = {};
|
||
|
||
# # #
|
||
# # # Triton host specific options
|
||
# # # DO NOT ALTER below this line, changes might render system unbootable
|
||
# # #
|
||
|
||
# Use the systemd-boot EFI boot loader.
|
||
boot.loader.systemd-boot.enable = true;
|
||
boot.loader.efi.canTouchEfiVariables = true;
|
||
|
||
# Force getting the hostname from cloud-init
|
||
networking.hostName = lib.mkDefault "";
|
||
|
||
# Set your time zone.
|
||
time.timeZone = "Europe/Berlin";
|
||
|
||
# Select internationalisation properties.
|
||
console = {
|
||
font = "Lat2-Terminus16";
|
||
keyMap = "us";
|
||
};
|
||
|
||
# List packages installed in system profile. To search, run:
|
||
# $ nix search wget
|
||
environment.systemPackages = with pkgs; [
|
||
git
|
||
vim
|
||
wget
|
||
];
|
||
|
||
# Some programs need SUID wrappers, can be configured further or are
|
||
# started in user sessions.
|
||
# programs.mtr.enable = true;
|
||
# programs.gnupg.agent = {
|
||
# enable = true;
|
||
# enableSSHSupport = true;
|
||
# };
|
||
|
||
# List services that you want to enable:
|
||
services.cloud-init.enable = true;
|
||
services.cloud-init.ext4.enable = true;
|
||
services.cloud-init.network.enable = true;
|
||
# use the default NixOS cloud-init config, but add some SmartOS customization to it
|
||
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
|
||
datasource_list: [ SmartOS ]
|
||
|
||
# Do not create the centos/ubuntu/debian user
|
||
users: [ ]
|
||
|
||
# mount second disk with label ephemeral0, gets formated by cloud-init
|
||
# this will fail to get added to /etc/fstab as it's read-only, but should
|
||
# mount at boot anyway
|
||
mounts:
|
||
- [ vdb, /data, auto, "defaults,nofail" ]
|
||
'';
|
||
|
||
# Enable the OpenSSH daemon.
|
||
services.openssh = {
|
||
enable = true;
|
||
settings = {
|
||
PasswordAuthentication = false;
|
||
PermitRootLogin = "no";
|
||
Macs = [
|
||
"hmac-sha2-512-etm@openssh.com"
|
||
"hmac-sha2-256-etm@openssh.com"
|
||
"umac-128-etm@openssh.com"
|
||
"hmac-sha2-512"
|
||
"hmac-sha2-256"
|
||
"umac-128@openssh.com"
|
||
];
|
||
};
|
||
};
|
||
|
||
# We manage the firewall with nix, too
|
||
# altough triton can also manage firewall rules via the triton fwrule subcommand
|
||
networking.firewall.enable = true;
|
||
|
||
# This value determines the NixOS release from which the default
|
||
# settings for stateful data, like file locations and database versions
|
||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||
# this value at the release version of the first install of this system.
|
||
# Before changing this value read the documentation for this option
|
||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||
system.stateVersion = "22.05"; # Did you read the comment?
|
||
};
|
||
}
|