initial test config

2025-05-04 13:08:12 +02:00 · 2025-05-04 13:08:12 +02:00 · cbbe1e1a59
commit cbbe1e1a59
parent b5d6ec3bbe
13 changed files with 653 additions and 0 deletions
--- a/nixos/roles/admins.nix
+++ b/nixos/roles/admins.nix
@ -0,0 +1,42 @@
+{ lib, ... }:
+with lib;
+let
+  admins = {
+    nerf = {
+      hashedPassword = "$y$j9T$b3ZDy/YaHDNiqcFFZyEcS.$HlWj1JiqbEMTsD0bMKSwKcJGO7cfpC4P8W8VAlvUTK/";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
+        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEdfOWD1DLuB1Ho69uRC3VgQu+X3gExFzVHhu2CAl8JSAAAABHNzaDo= laptop_child-sk"
+      ];
+      nixKeys = [
+        "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
+      ];
+    };
+  };
+
+  mkAdmin =
+    name:
+    {
+      hashedPassword,
+      sshKeys,
+      ...
+    }:
+    {
+      "${name}" = {
+        isNormalUser = true;
+        createHome = true;
+        extraGroups = [ "wheel" ];
+        group = "users";
+        home = "/home/${name}";
+        openssh.authorizedKeys = {
+          keys = sshKeys;
+        };
+        inherit hashedPassword;
+      };
+    };
+  mkNixKeys = _: { nixKeys, ... }: nixKeys;
+in
+{
+  users.users = mkMerge (mapAttrsToList mkAdmin admins);
+  nix.settings.trusted-public-keys = lists.concatLists (mapAttrsToList mkNixKeys admins);
+}
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -0,0 +1,63 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    ./admins.nix
+    ./nix.nix
+    ./keyboard.nix
+    ../modules/impermanence.nix
+  ];
+
+  networking = {
+    firewall = {
+      # these shoud be default, but better make sure!
+      enable = true;
+      allowPing = true;
+    };
+    nftables.enable = true;
+  };
+
+  users = {
+    mutableUsers = false;
+    users.root.hashedPassword = "!";
+  };
+
+  impermanence.enable = true;
+
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  environment = {
+    systemPackages = builtins.attrValues {
+      inherit (pkgs)
+        htop
+        lsof
+        tmux
+        btop
+        helix
+        ;
+    };
+  };
+
+  services = {
+    journald.extraConfig = "SystemMaxUse=1G";
+
+    nginx = {
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedTlsSettings = true;
+    };
+
+    openssh = {
+      enable = true;
+      settings = {
+        PermitRootLogin = "no";
+        PasswordAuthentication = false;
+      };
+    };
+    #Prevent clock drift due to interaction problem with xen hardware clock
+    timesyncd.enable = lib.mkForce true;
+  };
+}
--- a/nixos/roles/keyboard.nix
+++ b/nixos/roles/keyboard.nix
@ -0,0 +1,7 @@
+{
+  services.xserver = {
+    xkb.layout = "de";
+    xkb.variant = "neo";
+  };
+  console.useXkbConfig = true;
+}
--- a/nixos/roles/nix.nix
+++ b/nixos/roles/nix.nix
@ -0,0 +1,22 @@
+{
+  nix = {
+    settings = {
+      # trusted-public-keys belonging to specific persons are set in rolse/admins.nix
+      trusted-public-keys = [ ];
+      experimental-features = [
+        "flakes"
+        "nix-command"
+      ];
+      auto-optimise-store = true;
+      fallback = true;
+      builders-use-substitutes = true;
+    };
+    gc = {
+      automatic = true;
+      persistent = false;
+      dates = "weekly";
+      options = "-d";
+      randomizedDelaySec = "5h";
+    };
+  };
+}