xin/hosts/stan/default.nix

334 lines
10 KiB
Nix
Raw Normal View History

2023-09-12 08:44:05 -06:00
{ config
, pkgs
, ...
}:
let
2024-02-09 11:30:10 -07:00
inherit (pkgs.vscode-utils) buildVscodeMarketplaceExtension;
testingMode = true;
syslogPort = 514;
2022-08-29 09:48:47 -06:00
pubKeys = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
2023-02-08 15:36:07 -07:00
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrKLKzJQcecdPXUm5xCfinLKDStNP3MawaXy06krcK5 abieber@litr"
2022-08-29 09:48:47 -06:00
];
2022-11-07 11:53:06 -07:00
userBase = {
openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
shell = pkgs.zsh;
2022-11-07 11:53:06 -07:00
};
2023-07-11 09:12:50 -06:00
peerixUser =
if builtins.hasAttr "peerix" config.users.users
then config.users.users.peerix.name
else "root";
2023-09-12 08:44:05 -06:00
in
{
2022-08-31 07:54:25 -06:00
_module.args.isUnstable = true;
2023-09-12 08:44:05 -06:00
imports = [ ./hardware-configuration.nix ];
2022-08-29 09:48:47 -06:00
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot/efi";
};
initrd = {
2023-07-11 09:12:50 -06:00
luks.devices."luks-23b20980-eb1e-4390-b706-f0f42a623ddf".device = "/dev/disk/by-uuid/23b20980-eb1e-4390-b706-f0f42a623ddf";
luks.devices."luks-23b20980-eb1e-4390-b706-f0f42a623ddf".keyFile = "/crypto_keyfile.bin";
2023-09-12 08:44:05 -06:00
secrets = { "/crypto_keyfile.bin" = null; };
2022-08-29 09:48:47 -06:00
};
2023-09-12 08:44:05 -06:00
kernelParams = [ "intel_idle.max_cstate=4" ];
kernelPackages = pkgs.linuxPackages;
2022-08-29 09:48:47 -06:00
};
2023-03-16 12:46:02 -06:00
security.pki.certificates = [
''
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDExdPYnNp
ZGlhbiBMb2NhbCBSRVNUIEFQSTAeFw0yMzAyMTMxNzQ5MjVaFw0yNDAyMTMxNzQ5
MjVaMCIxIDAeBgNVBAMTF09ic2lkaWFuIExvY2FsIFJFU1QgQVBJMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0yijxG36TcCF7/NzZoBJFqxazwFhMB10
D6p4PIx0JZvGaTREEZ+pIrkB4PrQ9WX8Te5trPxMXUYhoZGYPPhMPA60CARzkBFp
WcsGmEeqxGrOYM+ixGYPQ26qDyxiBC8Au0EDRoEsH0iE2YnX+5gLpYKVKTBOzpZo
w6BDT6zW+LyveVL8qNBWbsPxIVoWEL7uH1cQDr853XT5F85HIoh+oo9utjnUNM6e
/h+rObzWqqOuPAkA4xG7peYPmDBWxDgTQnYA0NcnCNZavbfgLpBlcLVzkNjSZtHp
He+7cGQTE1dFU+HD3dKCyZsFbkCiEZ2ilgnNDhMHH2v/9sXhfKrnUQIDAQABo34w
fDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIC9DA7BgNVHSUENDAyBggrBgEFBQcD
AQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgwEQYJYIZI
AYb4QgEBBAQDAgD3MA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcNAQELBQADggEB
AGITD1ecJKfSlNWB7eRFHoyKkYCk7oObWX9Xmn+xlnagYCwNLwQkJbfIEx9h6B+7
8D6fDKcmMAtV7cInJEVs31AwOCf6pPEAkEuV01gcliE0MCnMjLI9gXgvn6dUXCn2
TfpgpBa/9r13qyT441QSXKUvdfKbG9jYDudRKCxUM3PWTMkisV04NTCXCv9wYoLb
/zIX07be6psy7R4Lq7JMqAtkqyw+0ncPg6AP3/Mh4gNYiT6Ms6WowG+928GgXXKY
igxg14FIjjtSmVVai9cL7rKiueDDGRsnfa/APz2jt+aCR40u9M1lWl3jJYqX8NHk
iIsViCSrKSGrNAYxFdQEJ9M=
-----END CERTIFICATE-----
''
''
-----BEGIN CERTIFICATE-----
MIIEVzCCAz+gAwIBAgIJALFQqjdrHsc+MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
BAYTAlVTMRswGQYDVQQKExJDYWx5cHRpeCBTZWN1cml0eS4xCzAJBgNVBAsTAklU
MSEwHwYDVQQDExhDYWx5cHRpeCBEZXYgSW50ZXJuYWwgQ0ExHjAcBgkqhkiG9w0B
CQEWD2l0QGNhbHlwdGl4LmNvbTAeFw0xNTAzMjAwMDA1MDBaFw0yNTAzMTcwMDA1
MDBaMHoxCzAJBgNVBAYTAlVTMRswGQYDVQQKExJDYWx5cHRpeCBTZWN1cml0eS4x
CzAJBgNVBAsTAklUMSEwHwYDVQQDExhDYWx5cHRpeCBEZXYgSW50ZXJuYWwgQ0Ex
HjAcBgkqhkiG9w0BCQEWD2l0QGNhbHlwdGl4LmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMMvhgIrKr9/6szSqkj9KiZk/KCAJUG5r9X4yMa9TRMT
S/wV3rKGgZv1s9d6S6YFePZlsXgNGoSAGgrlrxYBpgUrkPn+iG5hdP85UgbzpWJi
1P5ESS5RRXaHe7PnFBDsy29zGEhR4YpPl6YNf8N870BRO7DVItlaaGwXD/U4uzSY
R9YGENx85wD06qxk3TccRbglCSoqCIdjCkG343USy7oJftPycLWe3K6Xx8Zv89wT
rtrjpSopXtY2iGxZJvs2OlxfHd7rEY+N9QNkwpOr5+gLYDnhJlOj0qP40FTytieX
xGkFeb/o4FJHblfkQyEH87IK9QTckKip///4WSf8v20CAwEAAaOB3zCB3DAdBgNV
HQ4EFgQUoc6flYe+Mlq4WTpWyvAMXk9f71swgawGA1UdIwSBpDCBoYAUoc6flYe+
Mlq4WTpWyvAMXk9f71uhfqR8MHoxCzAJBgNVBAYTAlVTMRswGQYDVQQKExJDYWx5
cHRpeCBTZWN1cml0eS4xCzAJBgNVBAsTAklUMSEwHwYDVQQDExhDYWx5cHRpeCBE
ZXYgSW50ZXJuYWwgQ0ExHjAcBgkqhkiG9w0BCQEWD2l0QGNhbHlwdGl4LmNvbYIJ
ALFQqjdrHsc+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAErodbwo
oCdB1x/GbE/Ap5pt0uuVymECgB9DGKmjFYzX9VB8i3Brjhp9UyqcpMKbA9hDhaOU
S+BOPL4rI5NMFQpaiRLSBPlQrsdKlXIMln3C2c2oHvcuw0agfkmXRonm7En8T7vC
kEWrZEZye9L8PRWRkHDwKb4lvOpnRcOvsV9ICRWEpFKVhP6I/HALfXonvMUNiOSo
5+7yxanKMvXNmZ6qLnfHbyUi9bv1jchgNwSatF5RI1tzstJf8hqDIH47NTbRUX+h
2hPSEdvfURSdHbvPsv8Ku87sgR+HY1P2j8Qdp63hALfkoMvaHn55MxRVUeVXExsn
tRhywtPsIHEmllI=
-----END CERTIFICATE-----
''
];
2022-08-29 09:48:47 -06:00
preDNS.enable = false;
networking = {
hostName = "stan";
hosts = {
2023-09-12 08:44:05 -06:00
"172.16.30.253" = [ "proxmox-02.vm.calyptix.local" ];
"127.0.0.1" = [ "borg.calyptix.dev" "localhost" ];
"192.168.122.249" = [ "arst.arst" "vm" ];
"192.168.8.194" = [ "router.arst" "router" ];
};
2022-08-29 09:48:47 -06:00
networkmanager.enable = true;
firewall = {
2023-11-14 06:49:31 -07:00
allowedTCPPorts = [ 22 ] ++ (if testingMode then [ 8080 ] else [ ]);
allowedUDPPorts = if testingMode then [ syslogPort ] else [ ];
2023-11-14 06:49:31 -07:00
checkReversePath = "loose";
2022-08-29 09:48:47 -06:00
};
};
2022-08-29 09:48:47 -06:00
i18n.defaultLocale = "en_US.utf8";
kde.enable = true;
defaultUsers.enable = false;
sshFidoAgent.enable = true;
2022-08-29 09:48:47 -06:00
sops.secrets = {
2024-02-28 09:48:35 -07:00
rkvm_cert = {
sopsFile = config.xin-secrets.stan.secrets.main;
2024-02-28 09:48:35 -07:00
owner = "root";
group = "wheel";
mode = "400";
};
vm_pass = {
sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root";
group = "wheel";
mode = "400";
};
2022-08-30 15:56:37 -06:00
peerix_private_key = {
sopsFile = config.xin-secrets.stan.secrets.peerix;
owner = "${peerixUser}";
group = "wheel";
2022-08-30 15:56:37 -06:00
mode = "400";
};
2024-01-26 08:10:31 -07:00
restic_password_file = {
sopsFile = config.xin-secrets.stan.secrets.main;
2024-01-26 08:10:31 -07:00
owner = "root";
mode = "400";
};
restic_env_file = {
sopsFile = config.xin-secrets.stan.secrets.main;
2024-01-26 08:10:31 -07:00
owner = "root";
mode = "400";
};
restic_repo_file = {
sopsFile = config.xin-secrets.stan.secrets.main;
2024-01-26 08:10:31 -07:00
owner = "root";
mode = "400";
};
abieber_hash = {
sopsFile = config.xin-secrets.stan.user_passwords.abieber;
owner = "root";
mode = "400";
neededForUsers = true;
};
root_hash = {
sopsFile = config.xin-secrets.stan.user_passwords.root;
owner = "root";
mode = "400";
neededForUsers = true;
};
2022-08-29 09:48:47 -06:00
};
users = {
mutableUsers = false;
users = {
root = userBase // {
hashedPasswordFile = config.sops.secrets.root_hash.path;
};
abieber = userBase // {
isNormalUser = true;
description = "Aaron Bieber";
extraGroups = [ "networkmanager" "wheel" "libvirtd" ];
hashedPasswordFile = config.sops.secrets.abieber_hash.path;
};
};
};
2022-08-29 09:48:47 -06:00
nixpkgs.config.allowUnfree = true;
2024-02-09 20:21:04 -07:00
environment = {
etc = {
"vscode-settings.json".text = builtins.toJSON {
"telemetry.enableTelemetry" = false;
"telemetry.enableCrashReporter" = false;
"editor.formatOnSave" = true;
"extensions.ignoreRecommendations" = true;
"extensions.autoUpdate" = false;
"extensions.autoCheckUpdates" = false;
"update.mode" = "none";
"workbench.colorTheme" = "Visual Studio Light";
};
};
systemPackages = with pkgs; [
fzf
google-chrome
ispell
keychain
libreoffice
mattermost-desktop
mosh
mupdf
nmap
oath-toolkit
oathToolkit
obs-studio
openvpn
remmina
rex
rustdesk
snmpcheck
sshfs
step-cli
tcpdump
unzip
virt-manager
(vscode-with-extensions.override {
vscodeExtensions = with vscode-extensions; [
golang.go
ms-vscode-remote.remote-ssh
rust-lang.rust-analyzer
streetsidesoftware.code-spell-checker
vscodevim.vim
(buildVscodeMarketplaceExtension {
mktplcRef = {
name = "lit-html";
publisher = "bierner";
version = "1.11.1";
sha256 = "sha256-bN786jjTKkcrF0UUOG/J1/k1wqM7JfUO1pQomWLu8+I=";
};
})
(buildVscodeMarketplaceExtension {
mktplcRef = {
name = "lit-plugin";
publisher = "runem";
version = "1.4.3";
sha256 = "sha256-jhGqtBFkpOChVocv+5zLqA/EtoITbdftI+tMTjjBqs0=";
};
})
(buildVscodeMarketplaceExtension {
mktplcRef = {
name = "solargraph";
publisher = "castwide";
version = "0.24.1";
sha256 = "sha256-M96kGuCKo232rIwLovDU+C/rhEgZWT4s/zsR7CUYPnk=";
};
})
(buildVscodeMarketplaceExtension {
mktplcRef = {
name = "vscode-todo-highlight";
publisher = "wayou";
version = "1.0.5";
sha256 = "sha256-CQVtMdt/fZcNIbH/KybJixnLqCsz5iF1U0k+GfL65Ok=";
};
})
];
})
wireshark
zig
];
};
2022-08-29 09:48:47 -06:00
virtualisation.libvirtd.enable = true;
programs = {
2023-09-12 08:44:05 -06:00
git.config.safe.directory = "/home/abieber/aef100";
2022-08-29 09:48:47 -06:00
dconf.enable = true;
zsh.enable = true;
2023-09-12 08:44:05 -06:00
ssh.knownHosts = {
"[192.168.122.249]:7022".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOzf2Rv6FZYuH758TlNBcq4CXAHTPJxe5qoQTRM3nRc";
};
2022-08-29 09:48:47 -06:00
};
2022-08-30 15:56:37 -06:00
tsPeerix = {
2022-09-01 12:14:46 -06:00
enable = false;
2022-08-30 15:56:37 -06:00
privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";
2023-09-12 08:44:05 -06:00
interfaces = [ "wlp170s0" "ztksevmpn3" ];
2022-08-30 15:56:37 -06:00
};
2022-08-29 09:48:47 -06:00
services = {
2024-02-28 09:48:35 -07:00
rkvm.client = {
enable = true;
settings = {
certificate = "${config.sops.secrets.rkvm_cert.path}";
password = "fake";
server = "127.0.0.1:24800";
};
};
2024-01-26 08:10:31 -07:00
restic = {
backups = {
remote = {
initialize = true;
environmentFile = "${config.sops.secrets.restic_env_file.path}";
passwordFile = "${config.sops.secrets.restic_password_file.path}";
repositoryFile = "${config.sops.secrets.restic_repo_file.path}";
2024-01-26 12:39:16 -07:00
paths = [ "/home/abieber" ];
2024-01-26 08:10:31 -07:00
pruneOpts = [ "--keep-daily 7" "--keep-weekly 2" "--keep-monthly 2" ];
};
};
};
rsyslogd = {
enable = testingMode;
defaultConfig = ''
module(load="imudp")
input(type="imudp" port="${toString syslogPort}")
daemon.* -/var/log/daemon
*.warning;*.warn -/var/log/warning
'';
};
2022-08-29 09:48:47 -06:00
printing.enable = true;
fwupd.enable = true;
2023-02-13 10:42:47 -07:00
unifi.enable = false;
2022-08-29 09:48:47 -06:00
openntpd.enable = true;
resolved = {
enable = true;
dnssec = "allow-downgrade";
};
};
2023-06-15 09:10:54 -06:00
2022-11-08 14:54:41 -07:00
system.autoUpgrade.allowReboot = false;
2022-08-29 09:48:47 -06:00
system.stateVersion = "22.05"; # Did you read the comment?
}