89 lines
1.7 KiB
Nix
89 lines
1.7 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
modulesPath,
|
|
flake-inputs,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
flake-inputs.disko.nixosModules.disko
|
|
flake-inputs.sops-nix.nixosModules.sops
|
|
"${modulesPath}/profiles/minimal.nix"
|
|
|
|
../modules
|
|
./nginx
|
|
./services
|
|
];
|
|
|
|
nix = {
|
|
extraOptions = ''
|
|
experimental-features = nix-command flakes
|
|
'';
|
|
|
|
# Enable remote builds from tlater
|
|
settings.trusted-users = [ "@wheel" ];
|
|
};
|
|
|
|
networking = {
|
|
usePredictableInterfaceNames = false;
|
|
useDHCP = false;
|
|
};
|
|
|
|
systemd.network.enable = true;
|
|
|
|
time.timeZone = "Europe/London";
|
|
|
|
users.users.tlater = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" ];
|
|
openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
|
|
};
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
ports = [ 2222 ];
|
|
startWhenNeeded = true;
|
|
|
|
settings = {
|
|
GatewayPorts = "yes";
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
|
|
logrotate.enable = true;
|
|
|
|
postgresql = {
|
|
package = pkgs.postgresql_14;
|
|
enable = true;
|
|
|
|
# Only enable connections via the unix socket, and check with the
|
|
# OS to make sure the user matches the database name.
|
|
#
|
|
# See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
|
|
authentication = ''
|
|
local sameuser all peer
|
|
'';
|
|
};
|
|
};
|
|
|
|
security = {
|
|
sudo.execWheelOnly = true;
|
|
|
|
pam = {
|
|
rssh = {
|
|
enable = true;
|
|
settings.auth_key_file = "/etc/ssh/authorized_keys.d/$ruser";
|
|
};
|
|
services.sudo.rssh = true;
|
|
};
|
|
};
|
|
sops.defaultSopsFile = ../keys/production.yaml;
|
|
|
|
# Remove some unneeded packages
|
|
environment.defaultPackages = lib.mkForce [ ];
|
|
|
|
system.stateVersion = "20.09";
|
|
}
|