xin/default.nix


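# Base NixOS module shared by every xin host.
#
# Security-relevant content, all of which is defined below:
#   * an SSH CA public key that is trusted both for host certificates
#     (knownHosts "CA") and for user certificates (TrustedUserCAKeys);
#   * the default management keys, one of which is command-restricted;
#   * sops secret decryption via the host's ed25519 SSH key;
#   * a CA-certificate blacklist and one extra trusted certificate;
#   * a hardened kernel, sshd cipher/MAC/login restrictions and a
#     binary cache pinned to a single trusted signing key.
{ config, lib, options, pkgs, isUnstable, xinlib, ... }:
let
  # SSH CA public key. Written to /etc/ssh/ca.pub (environment.etc below) and
  # referenced by both the host-cert knownHosts entry and TrustedUserCAKeys,
  # so one CA key vouches in both directions; compromise of it affects both.
  caPubKey =
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGaOxh+Ci8akc39LKXkdAg1xFWsab1hGs80zpCkVUVqdFmkMh+MAQkbWcgqxB1vrMX+dS38evc/H4+SbcNFxa9I= Bold::Daemon SSH CA";

  # Unrestricted management key; first default entry of myconf.managementPubKeys.
  managementKey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager";

  # Status key: forced to a single command and stripped of port/X11/agent
  # forwarding and pty allocation, so it cannot be used for an interactive
  # session even if the private key leaks.
  statusKey = ''
    command="/run/current-system/sw/bin/xin-status",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
  '';

  gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };

  # sshd hardening merged into services.openssh below. The unstable module
  # API takes these under `settings` with sshd_config spelling; the stable
  # API takes flat camelCase options, so the same values appear twice.
  # Root login is key-only, password auth is off, and only curve25519 KEX
  # and encrypt-then-MAC MACs are offered.
  inFluxSSHOptions =
    if isUnstable then {
      settings = {
        PermitRootLogin = "prohibit-password";
        PasswordAuthentication = false;
        KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
        Macs = [
          "hmac-sha2-512-etm@openssh.com"
          "hmac-sha2-256-etm@openssh.com"
          "umac-128-etm@openssh.com"
        ];
      };
    } else {
      permitRootLogin = "prohibit-password";
      passwordAuthentication = false;
      kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
      macs = [
        "hmac-sha2-512-etm@openssh.com"
        "hmac-sha2-256-etm@openssh.com"
        "umac-128-etm@openssh.com"
      ];
    };
in {
  imports = [
    ./configs/ca.nix
    ./configs/ci.nix
    ./configs/colemak.nix
    ./configs/develop.nix
    ./configs/dns.nix
    ./configs/doas.nix
    ./configs/gitmux.nix
    ./configs/git.nix
    ./configs/neovim.nix
    ./configs/peerix.nix
    ./configs/manager.nix
    ./configs/tmux.nix
    ./configs/net-overlay.nix
    ./configs/zsh.nix
    ./dbuild
    ./gui
    ./modules
    ./overlays
    ./pkgs
    ./services
    ./system/nix-config.nix
    ./system/nix-lockdown.nix
    ./system/update.nix
    ./users
    ./bins
  ];

  options.myconf = {
    # Keys granted management access. Defaults to the unrestricted manager
    # key plus the command-restricted status key defined above.
    managementPubKeys = lib.mkOption rec {
      type = lib.types.listOf lib.types.str;
      default = [ managementKey statusKey ];
      example = default;
      description = "List of management public keys to use";
    };

    # Hardware-backed (security key) public keys; where these are consumed
    # is decided by the importing modules, not here.
    hwPubKeys = lib.mkOption rec {
      type = lib.types.listOf lib.types.str;
      default = [
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI="
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDEKElNAm/BhLnk4Tlo00eHN5bO131daqt2DIeikw0b2AAAABHNzaDo="
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0="
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu"
      ];
      example = default;
      description = "List of hardware public keys to use";
    };
  };

  config = {
    # Secrets are decrypted with the host's own SSH host key, so they are
    # only readable on the machine they were encrypted for.
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    sops.secrets = {
      xin_secrets_deploy_key = {
        sopsFile = config.xin-secrets.deploy;
        owner = "root";
        group = "wheel";
        mode = "400";
      };
    };

    # Distrust the TrustCor roots system-wide and add one extra trusted
    # certificate (body elided in this copy of the file).
    security.pki.caCertificateBlacklist =
      [ "TrustCor ECA-1" "TrustCor RootCert CA-1" "TrustCor RootCert CA-2" ];
    security.pki.certificates = [''
      -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
    ''];

    i18n.defaultLocale = "en_US.utf8";

    # from https://github.com/dylanaraps/neofetch
    users.motd = ''
      ::::. '::::: ::::'
      '::::: ':::::. ::::'
      ::::: '::::.:::::
      .......:::::..... ::::::::
      ::::::::::::::::::. :::::: ::::.
      ::::::::::::::::::::: :::::. ::::'
      ..... ::::' :::::'
      ::::: '::' :::::'
      ........::::: ' :::::::::::.
      ::::::::::::: :::::::::::::
      ::::::::::: .. :::::
      .::::: .::: :::::
      .::::: .....
      ::::: :::::. ......:::::::::::::'
      ::: ::::::. ':::::::::::::::::'
      .:::::::: '::::::::::
      .::::'''::::. '::::.
      .::::' ::::. '::::.
      .:::: :::: '::::.
    '';

    boot = {
      cleanTmpDir = true;
      # Hardened kernel by default; mkDefault lets a host override it.
      kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
      kernel.sysctl = {
        "net.ipv4.tcp_keepalive_time" = 60;
        "net.ipv6.tcp_keepalive_time" = 60;
      };
    };

    # Every host except "pwntie" uses the private binary cache, and only
    # accepts paths signed by its single listed key.
    nix = {
      settings =
        if config.networking.hostName != "pwntie" then {
          substituters = [ "https://nix-binary-cache.humpback-trout.ts.net/" ];
          trusted-public-keys = [
            "nix-binary-cache.humpback-trout.ts.net:e9fJhcRtNVp6miW2pffFyK/gZ2et4y6IDigBNrEsAa0="
          ];
        } else
          { };
    };

    # `nil` below is the pkgs.nil package (resolved through `with pkgs`),
    # not a null value; it is only available on unstable.
    environment.systemPackages = with pkgs;
      [
        age
        apg
        bind
        btop
        direnv
        git-sync
        gosignify
        got
        jq
        lz4
        minisign
        mosh
        nix-diff
        nixfmt
        nix-index
        nix-top
        pass
        rbw
        ripgrep
        taskwarrior
        tmux
      ] ++ (if isUnstable then [ nil ] else [ ]);

    environment.interactiveShellInit = ''
      alias vi=nvim
    '';

    time.timeZone = "US/Mountain";
    documentation.enable = true;
    documentation.man.enable = true;
    networking.timeServers = options.networking.timeServers.default;

    programs = {
      zsh.enable = true;
      gnupg.agent.enable = true;
      ssh = {
        # Pinned host keys for the two git hosts reached on port 2222.
        knownHosts = {
          "[namish.humpback-trout.ts.net]:2222".publicKey =
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
          "[git.tapenet.org]:2222".publicKey =
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
        };
        startAgent = true;
        extraConfig = "";
      };
    };

    # The CA public key file that sshd's TrustedUserCAKeys points at.
    environment.etc."ssh/ca.pub" = { text = caPubKey; };

    services = {
      openssh = {
        enable = true;
        # Accept host certificates signed by the CA for any host.
        knownHosts = {
          "CA" = {
            publicKey = ''
              ${caPubKey}
            '';
            certAuthority = true;
          };
        };
        # Accept user certificates signed by the same CA. sshd_config is
        # "keyword value" per line with no `;` terminator; the previous
        # `TrustedUserCAKeys = "/etc/ssh/ca.pub";` left a stray `;` that
        # OpenSSH's tokenizer is likely to treat as part of the path, in
        # which case the CA file is never found and certificate auth
        # silently falls back to plain key auth.
        extraConfig = ''
          TrustedUserCAKeys /etc/ssh/ca.pub
        '';
      } // inFluxSSHOptions;
    };
  };
}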