2023-09-12 08:44:05 -06:00
|
|
|
{ config
|
|
|
|
, pkgs
|
|
|
|
, ...
|
|
|
|
}:
|
|
|
|
let
|
2024-02-09 11:30:10 -07:00
|
|
|
inherit (pkgs.vscode-utils) buildVscodeMarketplaceExtension;
|
2023-10-06 06:20:54 -06:00
|
|
|
testingMode = true;
|
|
|
|
syslogPort = 514;
|
2022-08-29 09:48:47 -06:00
|
|
|
pubKeys = [
|
|
|
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
|
2023-02-08 15:36:07 -07:00
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrKLKzJQcecdPXUm5xCfinLKDStNP3MawaXy06krcK5 abieber@litr"
|
2022-08-29 09:48:47 -06:00
|
|
|
];
|
|
|
|
|
2022-11-07 11:53:06 -07:00
|
|
|
userBase = {
|
|
|
|
openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
|
2024-03-12 11:18:29 -06:00
|
|
|
shell = pkgs.zsh;
|
2022-11-07 11:53:06 -07:00
|
|
|
};
|
2023-07-11 09:12:50 -06:00
|
|
|
peerixUser =
|
|
|
|
if builtins.hasAttr "peerix" config.users.users
|
|
|
|
then config.users.users.peerix.name
|
|
|
|
else "root";
|
2023-09-12 08:44:05 -06:00
|
|
|
in
|
|
|
|
{
|
2022-08-31 07:54:25 -06:00
|
|
|
_module.args.isUnstable = true;
|
2023-09-12 08:44:05 -06:00
|
|
|
imports = [ ./hardware-configuration.nix ];
|
2022-08-29 09:48:47 -06:00
|
|
|
|
|
|
|
boot = {
|
|
|
|
loader = {
|
|
|
|
systemd-boot.enable = true;
|
|
|
|
efi.canTouchEfiVariables = true;
|
|
|
|
efi.efiSysMountPoint = "/boot/efi";
|
|
|
|
};
|
|
|
|
|
|
|
|
initrd = {
|
2023-07-11 09:12:50 -06:00
|
|
|
luks.devices."luks-23b20980-eb1e-4390-b706-f0f42a623ddf".device = "/dev/disk/by-uuid/23b20980-eb1e-4390-b706-f0f42a623ddf";
|
|
|
|
luks.devices."luks-23b20980-eb1e-4390-b706-f0f42a623ddf".keyFile = "/crypto_keyfile.bin";
|
2023-09-12 08:44:05 -06:00
|
|
|
secrets = { "/crypto_keyfile.bin" = null; };
|
2022-08-29 09:48:47 -06:00
|
|
|
};
|
2023-09-12 08:44:05 -06:00
|
|
|
kernelParams = [ "intel_idle.max_cstate=4" ];
|
2022-09-27 10:38:04 -06:00
|
|
|
kernelPackages = pkgs.linuxPackages;
|
2022-08-29 09:48:47 -06:00
|
|
|
};
|
2023-03-16 12:46:02 -06:00
|
|
|
security.pki.certificates = [
|
|
|
|
''
|
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
MIIDPTCCAiWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDExdPYnNp
|
|
|
|
ZGlhbiBMb2NhbCBSRVNUIEFQSTAeFw0yMzAyMTMxNzQ5MjVaFw0yNDAyMTMxNzQ5
|
|
|
|
MjVaMCIxIDAeBgNVBAMTF09ic2lkaWFuIExvY2FsIFJFU1QgQVBJMIIBIjANBgkq
|
|
|
|
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0yijxG36TcCF7/NzZoBJFqxazwFhMB10
|
|
|
|
D6p4PIx0JZvGaTREEZ+pIrkB4PrQ9WX8Te5trPxMXUYhoZGYPPhMPA60CARzkBFp
|
|
|
|
WcsGmEeqxGrOYM+ixGYPQ26qDyxiBC8Au0EDRoEsH0iE2YnX+5gLpYKVKTBOzpZo
|
|
|
|
w6BDT6zW+LyveVL8qNBWbsPxIVoWEL7uH1cQDr853XT5F85HIoh+oo9utjnUNM6e
|
|
|
|
/h+rObzWqqOuPAkA4xG7peYPmDBWxDgTQnYA0NcnCNZavbfgLpBlcLVzkNjSZtHp
|
|
|
|
He+7cGQTE1dFU+HD3dKCyZsFbkCiEZ2ilgnNDhMHH2v/9sXhfKrnUQIDAQABo34w
|
|
|
|
fDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIC9DA7BgNVHSUENDAyBggrBgEFBQcD
|
|
|
|
AQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgwEQYJYIZI
|
|
|
|
AYb4QgEBBAQDAgD3MA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcNAQELBQADggEB
|
|
|
|
AGITD1ecJKfSlNWB7eRFHoyKkYCk7oObWX9Xmn+xlnagYCwNLwQkJbfIEx9h6B+7
|
|
|
|
8D6fDKcmMAtV7cInJEVs31AwOCf6pPEAkEuV01gcliE0MCnMjLI9gXgvn6dUXCn2
|
|
|
|
TfpgpBa/9r13qyT441QSXKUvdfKbG9jYDudRKCxUM3PWTMkisV04NTCXCv9wYoLb
|
|
|
|
/zIX07be6psy7R4Lq7JMqAtkqyw+0ncPg6AP3/Mh4gNYiT6Ms6WowG+928GgXXKY
|
|
|
|
igxg14FIjjtSmVVai9cL7rKiueDDGRsnfa/APz2jt+aCR40u9M1lWl3jJYqX8NHk
|
|
|
|
iIsViCSrKSGrNAYxFdQEJ9M=
|
|
|
|
-----END CERTIFICATE-----
|
|
|
|
''
|
|
|
|
''
|
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
MIIEVzCCAz+gAwIBAgIJALFQqjdrHsc+MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
|
|
|
|
BAYTAlVTMRswGQYDVQQKExJDYWx5cHRpeCBTZWN1cml0eS4xCzAJBgNVBAsTAklU
|
|
|
|
MSEwHwYDVQQDExhDYWx5cHRpeCBEZXYgSW50ZXJuYWwgQ0ExHjAcBgkqhkiG9w0B
|
|
|
|
CQEWD2l0QGNhbHlwdGl4LmNvbTAeFw0xNTAzMjAwMDA1MDBaFw0yNTAzMTcwMDA1
|
|
|
|
MDBaMHoxCzAJBgNVBAYTAlVTMRswGQYDVQQKExJDYWx5cHRpeCBTZWN1cml0eS4x
|
|
|
|
CzAJBgNVBAsTAklUMSEwHwYDVQQDExhDYWx5cHRpeCBEZXYgSW50ZXJuYWwgQ0Ex
|
|
|
|
HjAcBgkqhkiG9w0BCQEWD2l0QGNhbHlwdGl4LmNvbTCCASIwDQYJKoZIhvcNAQEB
|
|
|
|
BQADggEPADCCAQoCggEBAMMvhgIrKr9/6szSqkj9KiZk/KCAJUG5r9X4yMa9TRMT
|
|
|
|
S/wV3rKGgZv1s9d6S6YFePZlsXgNGoSAGgrlrxYBpgUrkPn+iG5hdP85UgbzpWJi
|
|
|
|
1P5ESS5RRXaHe7PnFBDsy29zGEhR4YpPl6YNf8N870BRO7DVItlaaGwXD/U4uzSY
|
|
|
|
R9YGENx85wD06qxk3TccRbglCSoqCIdjCkG343USy7oJftPycLWe3K6Xx8Zv89wT
|
|
|
|
rtrjpSopXtY2iGxZJvs2OlxfHd7rEY+N9QNkwpOr5+gLYDnhJlOj0qP40FTytieX
|
|
|
|
xGkFeb/o4FJHblfkQyEH87IK9QTckKip///4WSf8v20CAwEAAaOB3zCB3DAdBgNV
|
|
|
|
HQ4EFgQUoc6flYe+Mlq4WTpWyvAMXk9f71swgawGA1UdIwSBpDCBoYAUoc6flYe+
|
|
|
|
Mlq4WTpWyvAMXk9f71uhfqR8MHoxCzAJBgNVBAYTAlVTMRswGQYDVQQKExJDYWx5
|
|
|
|
cHRpeCBTZWN1cml0eS4xCzAJBgNVBAsTAklUMSEwHwYDVQQDExhDYWx5cHRpeCBE
|
|
|
|
ZXYgSW50ZXJuYWwgQ0ExHjAcBgkqhkiG9w0BCQEWD2l0QGNhbHlwdGl4LmNvbYIJ
|
|
|
|
ALFQqjdrHsc+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAErodbwo
|
|
|
|
oCdB1x/GbE/Ap5pt0uuVymECgB9DGKmjFYzX9VB8i3Brjhp9UyqcpMKbA9hDhaOU
|
|
|
|
S+BOPL4rI5NMFQpaiRLSBPlQrsdKlXIMln3C2c2oHvcuw0agfkmXRonm7En8T7vC
|
|
|
|
kEWrZEZye9L8PRWRkHDwKb4lvOpnRcOvsV9ICRWEpFKVhP6I/HALfXonvMUNiOSo
|
|
|
|
5+7yxanKMvXNmZ6qLnfHbyUi9bv1jchgNwSatF5RI1tzstJf8hqDIH47NTbRUX+h
|
|
|
|
2hPSEdvfURSdHbvPsv8Ku87sgR+HY1P2j8Qdp63hALfkoMvaHn55MxRVUeVXExsn
|
|
|
|
tRhywtPsIHEmllI=
|
|
|
|
-----END CERTIFICATE-----
|
|
|
|
''
|
|
|
|
];
|
2022-08-29 09:48:47 -06:00
|
|
|
|
|
|
|
preDNS.enable = false;
|
|
|
|
networking = {
|
|
|
|
hostName = "stan";
|
2022-08-29 10:55:28 -06:00
|
|
|
|
|
|
|
hosts = {
|
2023-09-12 08:44:05 -06:00
|
|
|
"172.16.30.253" = [ "proxmox-02.vm.calyptix.local" ];
|
|
|
|
"127.0.0.1" = [ "borg.calyptix.dev" "localhost" ];
|
|
|
|
"192.168.122.249" = [ "arst.arst" "vm" ];
|
|
|
|
"192.168.8.194" = [ "router.arst" "router" ];
|
2022-08-29 10:55:28 -06:00
|
|
|
};
|
|
|
|
|
2022-08-29 09:48:47 -06:00
|
|
|
networkmanager.enable = true;
|
|
|
|
firewall = {
|
2023-11-14 06:49:31 -07:00
|
|
|
allowedTCPPorts = [ 22 ] ++ (if testingMode then [ 8080 ] else [ ]);
|
2023-10-06 06:20:54 -06:00
|
|
|
allowedUDPPorts = if testingMode then [ syslogPort ] else [ ];
|
2023-11-14 06:49:31 -07:00
|
|
|
checkReversePath = "loose";
|
2022-08-29 09:48:47 -06:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-10-06 06:20:54 -06:00
|
|
|
|
2022-08-29 09:48:47 -06:00
|
|
|
i18n.defaultLocale = "en_US.utf8";
|
|
|
|
|
2022-08-29 09:50:41 -06:00
|
|
|
kde.enable = true;
|
|
|
|
defaultUsers.enable = false;
|
2022-08-30 21:44:20 -06:00
|
|
|
sshFidoAgent.enable = true;
|
2022-08-29 09:48:47 -06:00
|
|
|
|
|
|
|
sops.secrets = {
|
2024-02-28 09:48:35 -07:00
|
|
|
rkvm_cert = {
|
2024-03-21 22:08:30 -06:00
|
|
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
2024-02-28 09:48:35 -07:00
|
|
|
owner = "root";
|
|
|
|
group = "wheel";
|
|
|
|
mode = "400";
|
|
|
|
};
|
2022-09-12 13:20:43 -06:00
|
|
|
vm_pass = {
|
2024-03-21 22:08:30 -06:00
|
|
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
2022-09-12 13:20:43 -06:00
|
|
|
owner = "root";
|
|
|
|
group = "wheel";
|
|
|
|
mode = "400";
|
|
|
|
};
|
2022-08-30 15:56:37 -06:00
|
|
|
peerix_private_key = {
|
2024-03-21 22:08:30 -06:00
|
|
|
sopsFile = config.xin-secrets.stan.secrets.peerix;
|
2022-09-01 12:42:47 -06:00
|
|
|
owner = "${peerixUser}";
|
|
|
|
group = "wheel";
|
2022-08-30 15:56:37 -06:00
|
|
|
mode = "400";
|
|
|
|
};
|
2024-01-26 08:10:31 -07:00
|
|
|
restic_password_file = {
|
2024-03-21 22:08:30 -06:00
|
|
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
2024-01-26 08:10:31 -07:00
|
|
|
owner = "root";
|
|
|
|
mode = "400";
|
|
|
|
};
|
|
|
|
restic_env_file = {
|
2024-03-21 22:08:30 -06:00
|
|
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
2024-01-26 08:10:31 -07:00
|
|
|
owner = "root";
|
|
|
|
mode = "400";
|
|
|
|
};
|
|
|
|
restic_repo_file = {
|
2024-03-21 22:08:30 -06:00
|
|
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
2024-01-26 08:10:31 -07:00
|
|
|
owner = "root";
|
|
|
|
mode = "400";
|
|
|
|
};
|
2024-03-12 11:18:29 -06:00
|
|
|
abieber_hash = {
|
2024-03-21 22:08:30 -06:00
|
|
|
sopsFile = config.xin-secrets.stan.user_passwords.abieber;
|
2024-03-12 11:18:29 -06:00
|
|
|
owner = "root";
|
|
|
|
mode = "400";
|
|
|
|
neededForUsers = true;
|
|
|
|
};
|
2024-03-22 07:47:22 -06:00
|
|
|
root_hash = {
|
|
|
|
sopsFile = config.xin-secrets.stan.user_passwords.root;
|
|
|
|
owner = "root";
|
|
|
|
mode = "400";
|
|
|
|
neededForUsers = true;
|
|
|
|
};
|
2022-08-29 09:48:47 -06:00
|
|
|
};
|
|
|
|
|
2024-03-12 11:18:29 -06:00
|
|
|
users = {
|
|
|
|
mutableUsers = false;
|
|
|
|
users = {
|
2024-03-22 07:47:22 -06:00
|
|
|
root = userBase // {
|
|
|
|
hashedPasswordFile = config.sops.secrets.root_hash.path;
|
|
|
|
};
|
2024-03-12 11:18:29 -06:00
|
|
|
abieber = userBase // {
|
|
|
|
isNormalUser = true;
|
|
|
|
description = "Aaron Bieber";
|
|
|
|
extraGroups = [ "networkmanager" "wheel" "libvirtd" ];
|
|
|
|
hashedPasswordFile = config.sops.secrets.abieber_hash.path;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2022-08-29 09:48:47 -06:00
|
|
|
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
|
|
|
2024-02-09 20:21:04 -07:00
|
|
|
environment = {
|
|
|
|
etc = {
|
|
|
|
"vscode-settings.json".text = builtins.toJSON {
|
|
|
|
"telemetry.enableTelemetry" = false;
|
|
|
|
"telemetry.enableCrashReporter" = false;
|
|
|
|
"editor.formatOnSave" = true;
|
|
|
|
"extensions.ignoreRecommendations" = true;
|
|
|
|
"extensions.autoUpdate" = false;
|
|
|
|
"extensions.autoCheckUpdates" = false;
|
|
|
|
"update.mode" = "none";
|
|
|
|
"workbench.colorTheme" = "Visual Studio Light";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
systemPackages = with pkgs; [
|
|
|
|
fzf
|
|
|
|
google-chrome
|
|
|
|
ispell
|
|
|
|
keychain
|
|
|
|
libreoffice
|
|
|
|
mattermost-desktop
|
|
|
|
mosh
|
|
|
|
mupdf
|
|
|
|
nmap
|
|
|
|
oath-toolkit
|
|
|
|
oathToolkit
|
|
|
|
obs-studio
|
|
|
|
openvpn
|
|
|
|
remmina
|
|
|
|
rex
|
|
|
|
rustdesk
|
|
|
|
snmpcheck
|
|
|
|
sshfs
|
|
|
|
step-cli
|
|
|
|
tcpdump
|
|
|
|
unzip
|
|
|
|
virt-manager
|
|
|
|
(vscode-with-extensions.override {
|
|
|
|
vscodeExtensions = with vscode-extensions; [
|
|
|
|
golang.go
|
|
|
|
ms-vscode-remote.remote-ssh
|
|
|
|
rust-lang.rust-analyzer
|
|
|
|
streetsidesoftware.code-spell-checker
|
|
|
|
vscodevim.vim
|
|
|
|
|
|
|
|
(buildVscodeMarketplaceExtension {
|
|
|
|
mktplcRef = {
|
|
|
|
name = "lit-html";
|
|
|
|
publisher = "bierner";
|
|
|
|
version = "1.11.1";
|
|
|
|
sha256 = "sha256-bN786jjTKkcrF0UUOG/J1/k1wqM7JfUO1pQomWLu8+I=";
|
|
|
|
};
|
|
|
|
})
|
|
|
|
(buildVscodeMarketplaceExtension {
|
|
|
|
mktplcRef = {
|
|
|
|
name = "lit-plugin";
|
|
|
|
publisher = "runem";
|
|
|
|
version = "1.4.3";
|
|
|
|
sha256 = "sha256-jhGqtBFkpOChVocv+5zLqA/EtoITbdftI+tMTjjBqs0=";
|
|
|
|
};
|
|
|
|
})
|
|
|
|
(buildVscodeMarketplaceExtension {
|
|
|
|
mktplcRef = {
|
|
|
|
name = "solargraph";
|
|
|
|
publisher = "castwide";
|
|
|
|
version = "0.24.1";
|
|
|
|
sha256 = "sha256-M96kGuCKo232rIwLovDU+C/rhEgZWT4s/zsR7CUYPnk=";
|
|
|
|
};
|
|
|
|
})
|
|
|
|
(buildVscodeMarketplaceExtension {
|
|
|
|
mktplcRef = {
|
|
|
|
name = "vscode-todo-highlight";
|
|
|
|
publisher = "wayou";
|
|
|
|
version = "1.0.5";
|
|
|
|
sha256 = "sha256-CQVtMdt/fZcNIbH/KybJixnLqCsz5iF1U0k+GfL65Ok=";
|
|
|
|
};
|
|
|
|
})
|
|
|
|
];
|
|
|
|
})
|
|
|
|
wireshark
|
|
|
|
zig
|
|
|
|
];
|
|
|
|
};
|
2022-08-29 09:48:47 -06:00
|
|
|
|
|
|
|
virtualisation.libvirtd.enable = true;
|
|
|
|
|
|
|
|
programs = {
|
2023-09-12 08:44:05 -06:00
|
|
|
git.config.safe.directory = "/home/abieber/aef100";
|
2022-08-29 09:48:47 -06:00
|
|
|
dconf.enable = true;
|
|
|
|
zsh.enable = true;
|
2023-09-12 08:44:05 -06:00
|
|
|
ssh.knownHosts = {
|
|
|
|
"[192.168.122.249]:7022".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOzf2Rv6FZYuH758TlNBcq4CXAHTPJxe5qoQTRM3nRc";
|
|
|
|
};
|
2022-08-29 09:48:47 -06:00
|
|
|
};
|
|
|
|
|
2022-08-30 15:56:37 -06:00
|
|
|
tsPeerix = {
|
2022-09-01 12:14:46 -06:00
|
|
|
enable = false;
|
2022-08-30 15:56:37 -06:00
|
|
|
privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";
|
2023-09-12 08:44:05 -06:00
|
|
|
interfaces = [ "wlp170s0" "ztksevmpn3" ];
|
2022-08-30 15:56:37 -06:00
|
|
|
};
|
|
|
|
|
2022-08-29 09:48:47 -06:00
|
|
|
services = {
|
2024-02-28 09:48:35 -07:00
|
|
|
rkvm.client = {
|
|
|
|
enable = true;
|
|
|
|
settings = {
|
|
|
|
certificate = "${config.sops.secrets.rkvm_cert.path}";
|
|
|
|
password = "fake";
|
|
|
|
server = "127.0.0.1:24800";
|
|
|
|
};
|
|
|
|
};
|
2024-01-26 08:10:31 -07:00
|
|
|
restic = {
|
|
|
|
backups = {
|
|
|
|
remote = {
|
|
|
|
initialize = true;
|
|
|
|
environmentFile = "${config.sops.secrets.restic_env_file.path}";
|
|
|
|
passwordFile = "${config.sops.secrets.restic_password_file.path}";
|
|
|
|
repositoryFile = "${config.sops.secrets.restic_repo_file.path}";
|
|
|
|
|
2024-01-26 12:39:16 -07:00
|
|
|
paths = [ "/home/abieber" ];
|
2024-01-26 08:10:31 -07:00
|
|
|
|
|
|
|
pruneOpts = [ "--keep-daily 7" "--keep-weekly 2" "--keep-monthly 2" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2023-10-06 06:20:54 -06:00
|
|
|
rsyslogd = {
|
|
|
|
enable = testingMode;
|
|
|
|
defaultConfig = ''
|
|
|
|
module(load="imudp")
|
|
|
|
input(type="imudp" port="${toString syslogPort}")
|
|
|
|
|
|
|
|
daemon.* -/var/log/daemon
|
|
|
|
*.warning;*.warn -/var/log/warning
|
|
|
|
'';
|
|
|
|
};
|
2022-08-29 09:48:47 -06:00
|
|
|
printing.enable = true;
|
|
|
|
fwupd.enable = true;
|
2023-02-13 10:42:47 -07:00
|
|
|
unifi.enable = false;
|
2022-08-29 09:48:47 -06:00
|
|
|
openntpd.enable = true;
|
|
|
|
resolved = {
|
|
|
|
enable = true;
|
|
|
|
dnssec = "allow-downgrade";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-06-15 09:10:54 -06:00
|
|
|
|
2022-11-08 14:54:41 -07:00
|
|
|
system.autoUpgrade.allowReboot = false;
|
2022-08-29 09:48:47 -06:00
|
|
|
system.stateVersion = "22.05"; # Did you read the comment?
|
|
|
|
}
|