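# Headless server configuration with Lix
#
# NixOS module for a headless server that runs Lix as its Nix implementation,
# admits one administrator over SSH (public key only) and lets that
# administrator escalate with sudo via a hardware (U2F/FIDO) key or a
# forwarded SSH agent instead of a password.
#
# Lines under a "TO BE CHANGED" banner are per-install values.
{ config, pkgs, lib, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  ## Use Lix instead of the NixOS default Nix ##
  # Take the Nix-adjacent tools from the Lix package set so they are built
  # against the same implementation the daemon runs.
  nixpkgs.overlays = [
    (final: prev: {
      inherit (prev.lixPackageSets.stable)
        nixpkgs-review
        nix-eval-jobs
        nix-fast-build
        colmena
        ;
    })
  ];
  nix.package = pkgs.lixPackageSets.stable.lix;

  ### TO BE CHANGED ACCORDING TO INSTALL ###
  # Networking
  networking.hostName = "server";
  networking.networkmanager.enable = true;

  # Time zone
  time.timeZone = "Europe/Copenhagen";

  # Locale
  i18n.defaultLocale = "en_GB.UTF-8";
  # Also install Danish and Norwegian locales
  i18n.extraLocales = [ "da_DK.UTF-8" "nb_NO.UTF-8" ];

  # User account with hardware key support.
  # No password is set, so the only way in is the SSH key below. NixOS writes
  # it to /etc/ssh/authorized_keys.d/admin, which is the same file sudo's
  # agent authentication reads (see security.pam.sshAgentAuth), so any key
  # added here grants both login and passwordless sudo.
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3pjIXlpg7H9h1RrmdxbIRnDIdQvf/EZKI9PG2/rY7D openpgp:0x8BCD4992"
    ];
  };

  # Hardware Key Passwordless Sudo (pam_u2f).
  # Registered key handles live in authfile; keep that file root-owned and
  # not writable by the user, otherwise a user could register their own key.
  # pinverification = 0 / userpresence = 1: a touch on the key is enough,
  # no PIN, so physical possession of the token is the whole factor.
  # authpending_file = "" turns off the "touch your key" notification file.
  security.pam.u2f.enable = true;
  security.pam.u2f.settings = {
    authfile = "/etc/u2f_keys";
    authpending_file = "";
    pinverification = 0;
    userpresence = 1;
  };

  # SSH Passwordless Sudo (pam_ssh_agent_auth).
  # security.pam.enableSSHAgentAuth is the older spelling of
  # security.pam.sshAgentAuth.enable; only the current option is set here so
  # the two cannot be defined with different values. Escalation needs the
  # agent forwarded from the client (ssh -A); forward it only to hosts you
  # trust with your agent.
  security.pam.sshAgentAuth = {
    enable = true;
    authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/admin" ];
  };

  # Essential packages
  environment.systemPackages = with pkgs; [
    wget
    curl
    git
    btop
    htop
    micro
    vim
    helix
    fastfetch
  ];

  # OpenSSH: public-key authentication only.
  # KbdInteractiveAuthentication is disabled as well, so the PAM
  # challenge-response path cannot act as a password substitute.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # Tailscale - Think about how we manage this long term
  services.tailscale.enable = true;

  # Garbage collection
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };

  # Firewall: only SSH is reachable from outside. services.openssh.openFirewall
  # defaults to true and opens the port already; listing it keeps the
  # exposure explicit in one place.
  networking.firewall.allowedTCPPorts = [ 22 ];

  nixpkgs.config.allowUnfree = true;

  ### TO BE CHANGED ACCORDING TO INSTALL VERSION ###
  system.stateVersion = "XX.XX";
}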