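{ lib, pkgs, inputs, ... }: {
  # Base profile shared by every host: user modules, nix daemon settings,
  # SSH hardening, sudo/ACME, fail2ban, smartcard/YubiKey support and the
  # common package set.  Anything wrapped in lib.mkDefault is intended to be
  # overridden per host.
  imports = [
    ../../users/root
    ../../users/sammy
    ../../modules/nixos
    inputs.home-manager.nixosModules.home-manager
  ];

  deployment.tags = [ pkgs.stdenv.hostPlatform.system ];
  deployment.targetUser = lib.mkDefault "sammy";

  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      # trusted-users may override daemon settings (substituters, sandbox),
      # so membership in this list is effectively root-equivalent.
      trusted-users = [ "root" "@wheel" "sammy" ];
    };
    gc = {
      automatic = lib.mkDefault true;
      options = lib.mkDefault "--delete-older-than 7d";
    };
  };

  # Accounts are fully declarative; users and passwords cannot drift at runtime.
  users.mutableUsers = false;
  home-manager.useGlobalPkgs = true;
  home-manager.useUserPackages = true;
  nixpkgs.config.allowUnfree = true;
  hardware.enableAllFirmware = true;

  time.timeZone = lib.mkDefault "Europe/Berlin";
  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = lib.mkDefault "de";
    useXkbConfig = true;
  };

  # Only SSH is reachable from outside by default; hosts add their own ports.
  networking.firewall.allowedTCPPorts = [ 22 ];

  services.openssh = {
    enable = true;
    extraConfig = ''
      StreamLocalBindUnlink yes
    '';
    settings = {
      # Priority 999 beats lib.mkDefault (1000) but loses to a plain
      # assignment, so a host can still re-enable root login explicitly.
      PermitRootLogin = lib.mkOverride 999 "no";
      # Turning off PasswordAuthentication alone leaves the PAM
      # keyboard-interactive path open, which still prompts for a password;
      # both must be disabled for key-only logins.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # Encrypt-then-MAC variants are preferred; the plain variants remain
      # for older clients.  MACs are not used with the AEAD (GCM) ciphers.
      Macs = [
        "hmac-sha2-512-etm@openssh.com"
        "hmac-sha2-256-etm@openssh.com"
        "hmac-sha2-512"
        "hmac-sha2-256"
      ];
      KexAlgorithms = [
        "sntrup761x25519-sha512@openssh.com"
        "curve25519-sha256"
        "curve25519-sha256@libssh.org"
        "diffie-hellman-group-exchange-sha256"
      ];
      Ciphers = [
        "aes256-gcm@openssh.com"
        "aes128-gcm@openssh.com"
        "aes256-ctr"
        "aes192-ctr"
        "aes128-ctr"
      ];
    };
  };

  security = {
    sudo = {
      enable = true;
      # With key-only SSH above, possession of a wheel member's key is
      # sufficient for root; hosts that want a second factor override this.
      wheelNeedsPassword = false;
      keepTerminfo = true;
    };
    acme = {
      acceptTerms = true;
      defaults.email = "admin@cherrykitten.dev";
    };
  };

  # Bans a source after maxretry failed sshd logins.
  services.fail2ban = {
    enable = lib.mkDefault true;
    maxretry = 5;
  };

  # udev rules so YubiKeys / U2F tokens are usable by non-root users.
  services.udev.packages = with pkgs; [ libu2f-host yubikey-personalization ];
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    enableExtraSocket = true;
  };
  services.pcscd.enable = true;

  virtualisation.vmVariant = {
    # following configuration is added only when building VM with build-vm
    virtualisation = {
      memorySize = 8192;
      cores = 6;
      graphics = true;
    };
    # Empty hash = passwordless login; scoped to the build-vm variant only.
    users.users.sammy.hashedPassword = "";
  };

  programs.fish.enable = true;

  # Packages used on all systems
  environment.systemPackages = with pkgs; [
    bat
    bind.dnsutils
    fd
    file
    git
    gnupg
    htop
    jq
    mtr
    nmap
    openssl
    pinentry
    rsync
    tcpdump
    tmux
    wget
    whois
    wireguard-tools
  ];
}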