diff --git a/.gitignore b/.gitignore index 3cb44c3..5631c13 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,3 @@ result-* # Ignore automatically generated direnv output .direnv - diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..444ee7c --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "secrets"] + path = secrets + url = https://git.terah.dev/imterah/sops diff --git a/LICENSE b/LICENSE index 26d4ef0..e5e6b2d 100644 --- a/LICENSE +++ b/LICENSE 
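Review bot: The `secrets` submodule registered here is read at evaluation time by other files in this commit (`builtins.readFile ../../secrets/id_user.pub` in hosts/andromeda/configuration.nix and `"${../secrets/secrets.yaml}"` in system/sops.nix), but Nix flakes do not fetch git submodules by default, so a plain `nixos-rebuild --flake .` sees an empty `secrets/` directory and fails on the missing files. Either document in the README that the flake has to be referenced with `?submodules=1`, or keep the public key and the encrypted yaml in the main repository, since neither needs to be hidden. A one-line comment in `.gitmodules` such as `# required at eval time; build with .?submodules=1` would at least make the dependency visible.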
@@ -1,11 +1,19 @@ -Copyright (c) 2025 imterah. +zlib License -Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: +(C) 2024 Tera -1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. +This software is provided 'as-is', without any express or implied +warranty. In no event will the authors be held liable for any damages +arising from the use of this software. -2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. +Permission is granted to anyone to use this software for any purpose, +including commercial applications, and to alter it and redistribute it +freely, subject to the following restrictions: -3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. 
If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. +2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. +3. This notice may not be removed or altered from any source distribution. diff --git a/README.md b/README.md index 1b3943b..50805ad 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,7 @@ -# nix-infra +# Tera's NixOS Home Infrastructure -Work-in-progress NixOS Server Infrastructure \ No newline at end of file +Work-in-progress NixOS Server Infrastructure based on [valerie's NixOS setup](https://git.dessa.dev/valnyx/nixos/src/branch/main). + +## WARNING + +This is a work-in-progress and currently DOES NOT WORK. Please check back later. diff --git a/flake.lock b/flake.lock new file mode 100755 index 0000000..7b53690 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,339 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1744940522, + "narHash": "sha256-TNoetfICvd29DhxRPpmyKItQBDlqSvKcV+wGNkn14jk=", + "owner": "nix-community", + "repo": "disko", + "rev": "51d33bbb7f1e74ba5f9d9a77357735149da99081", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "emacs-overlay": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1745169495, + "narHash": "sha256-e9+CfVIrI/iGZVjUeS/h/bOG/55MdvGwOP6m9ncz27Q=", + "owner": "nix-community", + "repo": "emacs-overlay", + "rev": "d24224780e6cb41af7b46a17d39306e5e982aa15", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "emacs-overlay", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "flake-utils": "flake-utils_2" + }, + "locked": { + "lastModified": 1738591040, + "narHash": "sha256-4WNeriUToshQ/L5J+dTSWC5OJIwT39SEP7V7oylndi8=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "afcb15b845e74ac5e998358709b2b5fe42a948d1", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": 
"ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744743431, + "narHash": "sha256-iyn/WBYDc7OtjSawbegINDe/gIkok888kQxk3aVnkgg=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "c61bfe3ae692f42ce688b5865fac9e0de58e1387", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1737831083, + "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, + "nh": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1743682999, + "narHash": "sha256-bg+aAN8K90r3m/I+xXiXG0gawpbkshwlk93wxUN7KEk=", + "owner": "viperML", + "repo": "nh", + "rev": "9e9a4590b38b62b28f07a1fae973ce7b6ca0687a", + "type": "github" + }, + "original": { + "owner": "viperML", + "repo": "nh", + "type": "github" + } + }, + "nix-gaming": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1745114168, + "narHash": "sha256-x+HdFBsfRznwWPpnqXM3yaTVz2CcK5X/ThY6BA3PgcI=", + "owner": "fufexan", + "repo": "nix-gaming", + "rev": "05b70003daf802fd5c0af3903fab5f23fef3c47c", + "type": "github" + }, + "original": { + "owner": "fufexan", + "repo": "nix-gaming", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1744440957, + "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "type": 
"github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1743296961, + "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1744440957, + "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1744932701, + "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1744502386, + "narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1736344531, + "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "emacs-overlay": 
"emacs-overlay", + "flake-utils": "flake-utils", + "home-manager": "home-manager", + "impermanence": "impermanence", + "nh": "nh", + "nix-gaming": "nix-gaming", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix", + "zen-browser": "zen-browser" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1744669848, + "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "61154300d945f0b147b30d24ddcafa159148026a", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "zen-browser": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1742688375, + "narHash": "sha256-yVsET+na0V2edU+5xZTchrZqbN7+uMOOtZ7FfZc79bg=", + "owner": "valnyx17", + "repo": "zen-browser-flake", + "rev": "05e9fd204ae043ceb1ed056460b4ca03fa413c12", + "type": "github" + }, + "original": { + "owner": "valnyx17", + "repo": "zen-browser-flake", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100755 index 0000000..a6270e9 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,53 @@
+{
+ description = "Tera's Server Setup: 'When my data's tracking me, when my phone is spying, if not now, then when?'";
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+ flake-utils.url = "github:gytis-ivaskevicius/flake-utils-plus";
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
+ sops-nix.url = "github:Mic92/sops-nix";
+ impermanence.url = "github:nix-community/impermanence";
+ nh = {
+ url = "github:viperML/nh";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
+ };
+
+ outputs = {
+ self,
+ nixpkgs,
+ flake-utils,
+ ...
+ } @ inputs: let
+ mkApp = flake-utils.lib.mkApp;
+ mkFlake = flake-utils.lib.mkFlake;
+ in mkFlake {
+ inherit self inputs nixpkgs;
+ overlays = import ./overlays.nix {inherit inputs;};
+
+ sharedOverlays = [
+ self.overlays.additions
+ self.overlays.modifications
+ self.overlays.unstable-packages
+ ];
+
+ hostDefaults.extraArgs = {inherit flake-utils;};
+ hostDefaults.specialArgs = {
+ inherit inputs;
+ inherit (self) outputs;
+ };
+
+ # Main Docker-based host
+ hosts.andromeda = {
+ system = "x86_64-linux";
+ modules = [
+ inputs.disko.nixosModules.default
+ (import ./hosts/andromeda/disko.nix {device = "/dev/disk/by-id/nvme-Samsung_SSD_979_PRO_with_Heatsink_1TB_S6WSNJ0T900943T";})
+ inputs.impermanence.nixosModules.impermanence
+ ./hosts/andromeda/configuration.nix
+ ];
+ };
+ };
+}
diff --git a/hosts/andromeda/README.md b/hosts/andromeda/README.md
new file mode 100644
index 0000000..30728ae
--- /dev/null
+++ b/hosts/andromeda/README.md
@@ -0,0 +1,3 @@
+# Andromeda: Docker Home Server
+
+This thing handles nearly all traffic for my home network. She has Traefik,
diff --git a/hosts/andromeda/configuration.nix b/hosts/andromeda/configuration.nix
new file mode 100755
index 0000000..81df4a4
--- /dev/null
+++ b/hosts/andromeda/configuration.nix
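Review bot: `inputs.nixpkgs.follows = "nixpkgs-unstable"` on the `disko` and `nh` inputs names an input that this `inputs` set never declares, so the follows cannot be resolved; the committed flake.lock still carries `nixpkgs-unstable` together with `home-manager`, `emacs-overlay`, `nix-gaming` and `zen-browser`, none of which flake.nix declares, so it appears copied from another repository and will be rewritten on the next lock. Add `nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";` (the ref the lock already records for it) or drop the two `follows` lines. The host module list imports `./hosts/andromeda/disko.nix`, but this commit adds the file as `system/disko.nix`, so one of the two paths has to change before the host evaluates. `mkApp` in the `let` is unused and `./overlays.nix` is not part of this commit; if it already exists, a comment on `overlays =` naming what `additions`/`modifications`/`unstable-packages` provide would help, since hosts/andromeda/configuration.nix relies on `pkgs.unstable` coming from it.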
@@ -0,0 +1,59 @@
+{
+ config,
+ pkgs,
+ lib,
+ outputs,
+ inputs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ../../system/nix.nix
+ ../../system/sops.nix
+ ../../system/impermanence.nix
+ ../../system/sshd.nix
+ ../../system/avahifixes.nix
+ ../../system/i18n.nix
+ ];
+
+ sops.secrets.tera-password.neededForUsers = true;
+ users.mutableUsers = false;
+
+ users.users.tera = {
+ uid = 1000;
+ description = "Tera";
+ home = "/home/tera";
+ hashedPasswordFile = config.sops.secrets.tera-password.path;
+ isNormalUser = true;
+ createHome = true;
+ shell = pkgs.bash;
+
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "audio"
+ "docker"
+ "input"
+ "plugdev"
+ ];
+
+ openssh.authorizedKeys.keys = [
+ (builtins.readFile ../../secrets/id_user.pub)
+ ];
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ networking.hostName = "andromeda";
+ networking.networkmanager.enable = true;
+ boot.supportedFilesystems = [];
+
+ # Services
+ services.docker.enable = true;
+
+ environment.systemPackages = builtins.attrValues {
+ inherit (pkgs.unstable) htop btop micro nano;
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/andromeda/hardware-configuration.nix b/hosts/andromeda/hardware-configuration.nix
new file mode 100755
index 0000000..e91f94a
--- /dev/null
+++ b/hosts/andromeda/hardware-configuration.nix
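Review bot: `services.docker.enable = true` is not a NixOS option — the Docker module is configured through `virtualisation.docker.enable` — so evaluating this host stops with an undefined-option error before anything else in the file matters. Membership in the `docker` group on the `extraGroups` list is root-equivalent on the host (the daemon socket grants it), and `tera` is also in `wheel`, which system/nix.nix additionally makes a Nix trusted user; if that concentration is intended for a single-admin box, a short comment on the group list saying so would stop the next reader from raising it, otherwise `virtualisation.docker.rootless` is the narrower option. `boot.supportedFilesystems = []` merges with the defaults and is a no-op, so it can be dropped, and `lib`, `outputs` and `inputs` in the argument pattern are unused here.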
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "uas" "sd_mod"];
+ boot.initrd.kernelModules = ["dm-snapshot"];
+ boot.kernelModules = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp193s0f3u2u3.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/milkyway/README.md b/hosts/milkyway/README.md
new file mode 100644
index 0000000..55003a4
--- /dev/null
+++ b/hosts/milkyway/README.md
@@ -0,0 +1,3 @@
+# Milky Way: Remote VPS
+
+This is the gateway from my home network to the public internet.
diff --git a/secrets b/secrets
new file mode 160000
index 0000000..ed485bb
--- /dev/null
+++ b/secrets
@@ -0,0 +1 @@
+Subproject commit ed485bba5151879e9b598fd18e6970624b0d21e5
diff --git a/system/avahifixes.nix b/system/avahifixes.nix
new file mode 100755
index 0000000..8cac906
--- /dev/null
+++ b/system/avahifixes.nix
@@ -0,0 +1,17 @@
+{
+ pkgs,
+ lib,
+ ...
+}: {
+ # local name resolution
+ services.avahi = {
+ enable = true;
+ openFirewall = true;
+ nssmdns4 = true;
+ };
+ system.nssModules = lib.optional true pkgs.nssmdns;
+ system.nssDatabases.hosts = lib.optionals true (pkgs.lib.mkMerge [
+ (lib.mkBefore ["mdns4_minimal [NOTFOUND=return]"]) # before resolution
+ (lib.mkAfter ["mdns4"]) # after dns
+ ]);
+}
diff --git a/system/disko.nix b/system/disko.nix
new file mode 100755
index 0000000..67dca85
--- /dev/null
+++ b/system/disko.nix
@@ -0,0 +1,47 @@
+{device ? throw "Set this to your disk device, e.g. /dev/disk/by-id/...", ...}: {
+ disko.devices = {
+ disk = {
+ main = {
+ inherit device;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ rootfs = {
+ size = "100%";
+ content = {
+ "/root" = {
+ mountpoint = "/";
+ # mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ # mountOptions = ["compress=zstd" "subvol=persist" "noatime"];
+ mountOptions = ["subvol=persist" "noatime"];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["compress=zstd" "subvol=home" "noatime"];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "subvol=nix" "noatime"];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/system/i18n.nix b/system/i18n.nix
new file mode 100755
index 0000000..540393d
--- /dev/null
+++ b/system/i18n.nix
@@ -0,0 +1,4 @@
+{...}: {
+ time.timeZone = "America/Indiana/Indianapolis";
+ i18n.defaultLocale = "en_US.UTF-8";
+}
diff --git a/system/impermanence.nix b/system/impermanence.nix
new file mode 100755
index 0000000..0ccda3f
--- /dev/null
+++ b/system/impermanence.nix
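Review bot: The explicit `system.nssModules` and `system.nssDatabases.hosts` lines appear to duplicate what `services.avahi.nssmdns4 = true` already installs through NixOS's avahi module (the nssmdns module and the `mdns4_minimal [NOTFOUND=return]` entry), so the stanza is likely to appear twice in `/etc/nsswitch.conf`, and `lib.optional true` / `lib.optionals true` are no-op leftovers from the upstream module. If the duplication is deliberate, as the filename suggests, a comment above `system.nssModules` naming the bug it works around would help; otherwise those four lines can go. `openFirewall = true` opens 5353/udp on every interface, including whichever link faces the VPS gateway described in hosts/milkyway/README.md; `networking.firewall.interfaces.<lan>.allowedUDPPorts` keeps mDNS on the LAN side only. `pkgs.lib.mkMerge` next to `lib.mkBefore` mixes two references to the same library for no reason.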
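Review bot: The `rootfs` partition's `content` block has no `type` and lists the mounts directly, but disko expects a filesystem content such as `content = { type = "btrfs"; subvolumes = { "/root" = { ... }; ... }; };`; as written the attributes are not a valid disko content type and the `subvol=` mount options refer to subvolumes nothing creates. Wrapping the four entries with `type = "btrfs";`, `subvolumes = {` and a closing `};` is the minimal fix. Related inconsistencies in the same commit: system/impermanence.nix mounts `/dev/root_vg/root`, an LVM path this layout never creates, and hosts/andromeda/hardware-configuration.nix lists no `nvme` initrd module although the device flake.nix passes in is an NVMe disk, which suggests that file was generated on another machine; all three should be reconciled before the host can boot.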
@@ -0,0 +1,45 @@
+{lib, ...}: {
+ fileSystems."/persist".neededForBoot = true;
+ fileSystems."/nix".neededForBoot = true;
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/root_vg/root /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+ environment.persistence."/persist" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/nixos"
+ "/etc/NetworkManager"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ #"/var/lib/sops-nix/key.txt"
+ ];
+ };
+}
diff --git a/system/nix.nix b/system/nix.nix
new file mode 100755
index 0000000..47f2999
--- /dev/null
+++ b/system/nix.nix
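Review bot: `mount /dev/root_vg/root /btrfs_tmp` assumes an LVM volume group named `root_vg`, which the disko layout in system/disko.nix (one GPT partition `rootfs`, no LVM) never creates, so the initrd hook fails at the mount and the root rollback never runs. disko labels partitions `disk-<disk>-<partition>`, so `mount /dev/disk/by-partlabel/disk-main-rootfs /btrfs_tmp` should match this layout — verify against the labels disko actually writes. The `find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30` loop also matches `old_roots/` itself once it is older than 30 days, and `delete_subvolume_recursively` on that directory would try `btrfs subvolume delete` on a plain directory; adding `-mindepth 1` to the `find` call avoids it. The commented-out `#"/var/lib/sops-nix/key.txt"` is consistent with system/sops.nix pointing `keyFile` straight into `/persist`, but a comment saying so would stop someone re-enabling it and ending up with two key locations.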
@@ -0,0 +1,52 @@
+{
+ lib,
+ config,
+ outputs,
+ inputs,
+ ...
+}: {
+ nixpkgs.config = {
+ allowUnfree = true;
+ allowUnfreePredicate = _: true;
+ cudaSupport = true;
+ };
+ nixpkgs.overlays = [
+ outputs.overlays.additions
+ outputs.overlays.modifications
+ outputs.overlays.unstable-packages
+ ];
+ nix = let
+ flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+ in {
+ settings = {
+ # Enable flakes and new 'nix' command
+ experimental-features = "nix-command flakes";
+ # Opinionated: disable global registry
+ flake-registry = "";
+ # Workaround for https://github.com/NixOS/nix/issues/9574
+ nix-path = config.nix.nixPath;
+ # allowUnfree = true;
+ auto-optimise-store = true;
+ builders-use-substitutes = true;
+ keep-derivations = true;
+ keep-outputs = true;
+ trusted-users = ["root" "@wheel"];
+
+ substituters = [
+ "https://cache.nixos.org"
+ "https://nix-community.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ # Opinionated: disable channels
+ channel.enable = false;
+
+ # Opinionated: make flake registry and nix path match flake inputs
+ registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+ nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+ };
+}
diff --git a/system/sops.nix b/system/sops.nix
new file mode 100755
index 0000000..773c596
--- /dev/null
+++ b/system/sops.nix
@@ -0,0 +1,12 @@
+{inputs, ...}: {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops.defaultSopsFile = "${../secrets/secrets.yaml}";
+ sops.validateSopsFiles = false;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = "/persist/var/lib/sops-nix/key.txt";
+ sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ sops.age.generateKey = true;
+}
diff --git a/system/sshd.nix b/system/sshd.nix
new file mode 100755
index 0000000..2673cfe
--- /dev/null
+++ b/system/sshd.nix
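Review bot: `trusted-users = ["root" "@wheel"]` makes every wheel member a Nix trusted user, which is root-equivalent in its own right (trusted users can add substituters and builders and import unsigned store paths), so it widens what `wheel` already grants through sudo; that is a common choice on a single-admin host, but it deserves a comment on that line such as `# wheel members are root-equivalent via the daemon; keep the group to admins`. `cudaSupport = true` applies to every package built for this Docker host while nothing in the diff uses CUDA, and the caches under `substituters` do not serve most CUDA-enabled builds, so it turns routine upgrades into large source rebuilds — scope it to the packages that need it or drop it. `allowUnfreePredicate = _: true` is redundant next to `allowUnfree = true`, and the `# allowUnfree = true;` line inside `settings` is a leftover that can go.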
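Review bot: `sops.validateSopsFiles = false` turns off the build-time check that `secrets.yaml` is a well-formed sops file, so a missing or unencrypted file (easy to hit here, since `secrets` is a git submodule that flakes do not fetch by default) is only discovered at activation when `tera-password` cannot be decrypted; unless the flag is needed for the submodule case, keep the default and note the reason in a comment. `sops.age.sshKeyPaths` names `/etc/ssh/ssh_host_ed25519_key`, which system/impermanence.nix bind-mounts from `/persist` during activation, while `tera-password` is `neededForUsers` and is decrypted earlier; reading the key from its persisted location, `sops.age.sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];`, avoids the ordering problem and matches the choice `keyFile` already makes on the next line. `generateKey = true` writes a fresh age key at `keyFile` when none exists, but that key is not a recipient of `secrets.yaml` until its public half is added to the sops configuration, so on a fresh install it cannot decrypt anything; a comment stating which of the two keys is the intended recipient would make the setup reproducible.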
@@ -0,0 +1,12 @@
+{lib, ...}: {
+ services.openssh = {
+ enable = true;
+ settings = {
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ UseDns = true;
+ X11Forwarding = false;
+ };
+ };
+}
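Review bot: `UseDns = true` makes sshd reverse-resolve every client before authentication; OpenSSH's default is `no`, it adds login latency whenever DNS is slow or the VPS link is down, and with password and keyboard-interactive authentication already disabled it adds no security unless `authorized_keys` uses `from=` hostname patterns, which the key read in hosts/andromeda/configuration.nix does not suggest — `UseDns = false;` is the safer setting. Since `tera` is the only account with keys, `AllowUsers = ["tera"];` inside `settings` narrows the surface further. The `lib` argument is unused and can be dropped from the pattern.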