105 lines
2.1 KiB
Nix
105 lines
2.1 KiB
Nix
# Headless server configuration with Lix
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: {
|
|
imports = [
|
|
./hardware-configuration.nix
|
|
];
|
|
|
|
## Use Lix, instead of Nix NixOS default ##
|
|
nixpkgs.overlays = [
|
|
(final: prev: {
|
|
inherit
|
|
(prev.lixPackageSets.stable)
|
|
nixpkgs-review
|
|
nix-eval-jobs
|
|
nix-fast-build
|
|
colmena
|
|
;
|
|
})
|
|
];
|
|
|
|
nix.package = pkgs.lixPackageSets.stable.lix;
|
|
|
|
### TO BE CHANGED ACCORDING TO INSTALL ###
|
|
|
|
# Networking
|
|
networking.hostName = "server";
|
|
networking.networkmanager.enable = true;
|
|
|
|
# Time zone
|
|
time.timeZone = "Europe/Copenhagen";
|
|
|
|
# Locale
|
|
i18n.defaultLocale = "en_GB.UTF-8";
|
|
# Also install Danish and Norwegian locales
|
|
i18n.extraLocales = ["da_DK.UTF-8" "nb_NO.UTF-8"];
|
|
|
|
# User account with hardware key support
|
|
users.users.admin = {
|
|
isNormalUser = true;
|
|
extraGroups = ["wheel" "networkmanager"];
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3pjIXlpg7H9h1RrmdxbIRnDIdQvf/EZKI9PG2/rY7D openpgp:0x8BCD4992"
|
|
];
|
|
};
|
|
|
|
# Hardware Key Passwordless Sudo
|
|
security.pam.u2f.enable = true;
|
|
security.pam.u2f.settings = {
|
|
authfile = "/etc/u2f_keys";
|
|
authpending_file = "";
|
|
pinverification = 0;
|
|
userpresence = 1;
|
|
};
|
|
|
|
# SSH Passwordless Sudo
|
|
security.pam.enableSSHAgentAuth = true;
|
|
security.pam.sshAgentAuth = {
|
|
enable = true;
|
|
authorizedKeysFiles = ["/etc/ssh/authorized_keys.d/admin"];
|
|
};
|
|
|
|
# Essential packages
|
|
environment.systemPackages = with pkgs; [
|
|
wget
|
|
curl
|
|
git
|
|
btop
|
|
htop
|
|
micro
|
|
vim
|
|
helix
|
|
fastfetch
|
|
];
|
|
|
|
# OpenSSH
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
|
|
# Tailscale - Think about how we manage this long term
|
|
services.tailscale.enable = true;
|
|
|
|
# Garbage collection
|
|
nix.gc = {
|
|
automatic = true;
|
|
dates = "weekly";
|
|
options = "--delete-older-than 30d";
|
|
};
|
|
|
|
# Firewall
|
|
networking.firewall.allowedTCPPorts = [22];
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
|
|
### TO BE CHANGED ACCORDING TO INSTALL VERSION ###
|
|
system.stateVersion = "XX.XX";
|
|
}
|