infra/nixos/hosts/silver/configuration.nix

# NixOS configuration for the host "silver": static IPv4 networking, sops-backed
# account passwords, key-only SSH, and the project-local `gen.*` modules.
{
  config,
  pkgs,
  ...
}: let
  # Static IPv4 parameters, shared by the booted system and the initrd `ip=` kernel parameter.
  # TODO: hardcoding (this module *may* be a good place to store values like this, though)
  net = {
    address = "107.152.41.67";
    prefixLength = 24;
    # Dotted-quad form of prefixLength; the `ip=` kernel parameter takes a netmask,
    # so the two values must be kept in sync by hand.
    subnet = "255.255.255.0";
    gateway = "107.152.41.1";
    interface = "eth0";
  };
in {
  imports = [
    ./services
    ./hardware.nix
    ./disk-config.nix
    ./mounts.nix
    ./secrets.nix
    ./prometheus.nix
  ];

  time.timeZone = "America/Chicago";
  i18n.defaultLocale = "en_US.UTF-8";
  console.keyMap = "us";

  # Allow unfree packages (firmware)
  nixpkgs.config.allowUnfree = true;

  networking = {
    hostName = "silver";
    enableIPv6 = false;

    # Static addressing on the uplink interface; DHCP is switched off for it.
    defaultGateway = {
      address = net.gateway;
      inherit (net) interface;
    };
    interfaces.${net.interface} = {
      useDHCP = false;
      ipv4.addresses = [
        {inherit (net) address prefixLength;}
      ];
    };

    firewall = {
      enable = true;
      # 5201 is the default iperf3 port, presumably opened for throughput tests (TODO confirm).
      # NOTE(review): these rules apply to every interface, including the public one;
      # if the port is only needed occasionally or from one network, scope it to that
      # interface or open it only while testing.
      allowedTCPPorts = [5201];
      allowedUDPPorts = [5201];
    };
  };

  boot.kernelParams = [
    # Manual IP configuration for initrd.
    # Field order: ip=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>;
    # server and hostname are left empty and autoconfiguration is off.
    "ip=${net.address}::${net.gateway}:${net.subnet}::${net.interface}:off"
  ];

  # Users - silver & root
  # Both password hashes are read from files provided by sops-nix.
  # NOTE(review): sops-nix only makes a secret available early enough for account
  # setup when it is declared with `neededForUsers = true`; presumably done in
  # ./secrets.nix, confirm.
  users.users.root.hashedPasswordFile = config.sops.secrets."root-pw".path;
  users.users.silver = {
    isNormalUser = true;
    # wheel members may use sudo under NixOS' default sudo rules.
    extraGroups = ["wheel"];
    hashedPasswordFile = config.sops.secrets."user-pw".path;
    # The imported file decides who can log in as this account over SSH;
    # changes to it deserve the same review as changes to this file.
    openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
  };

  # Packages
  environment = {
    systemPackages = with pkgs; [
      rsync
      git
      vim
      fastfetch
      btop
      tmux
      speedtest-cli
    ];
    variables.EDITOR = "vim";
  };

  # Enable ssh server
  services.openssh = {
    enable = true;
    # Key-only logins: password and keyboard-interactive authentication are both off.
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
    # sshd binds to this one address only. It is presumably a private/VPN address
    # configured elsewhere (e.g. under ./services); TODO confirm, and confirm that
    # sshd is started after that address exists, otherwise the bind can fail.
    # NOTE(review): services.openssh.openFirewall defaults to true, so TCP 22 is
    # still accepted by the firewall on every interface even though nothing listens
    # on the public address. Setting it to false and allowing 22 only on the private
    # interface would make the firewall match the bind address; check that path
    # first to avoid locking yourself out.
    listenAddresses = [
      {
        addr = "10.13.0.1";
        port = 22;
      }
    ];
  };

  # My modules
  # Project-local option; presumably turns off TCP selective acknowledgement.
  # TODO confirm in the gen.hardening module.
  gen.hardening.disableSack = true;
  # Project-local module; judging by its name and options it runs an SSH server in
  # the initrd so the LUKS passphrase can be entered remotely (TODO confirm).
  # NOTE(review): an initrd SSH host key normally ends up inside the initrd, which
  # is not encrypted at rest. Keep this key separate from the main sshd host key
  # and treat it as readable by anyone with access to the boot partition.
  gen.bootloader.luksSsh = {
    enable = true;
    port = 48722;
    hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
  };

  system.stateVersion = "24.05";
}