From 06900b906fb64df473a5955b21c64ede4616d378 Mon Sep 17 00:00:00 2001
From: Mel
Date: Sun, 24 Sep 2023 20:35:09 +0200
Subject: Create base config from lapin
---
configuration.nix | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
hardware/lapin.nix | 38 +++++++++++++++++++++++++++
machines/lapin.nix | 19 ++++++++++++++
me.nix | 3 +++
security.nix | 14 ++++++++++
util.nix | 5 ++++
6 files changed, 154 insertions(+)
create mode 100644 configuration.nix
create mode 100644 hardware/lapin.nix
create mode 100644 machines/lapin.nix
create mode 100644 me.nix
create mode 100644 security.nix
create mode 100644 util.nix
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..24ae7e3
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,75 @@
+{ pkgs, ... }:
+
+let
+ util = import ./util.nix;
+
+ me = import ./me.nix { inherit util; };
+ security = import ./security.nix;
+in
+{
+ system.stateVersion = "23.05";
+
+ imports = [
+ (./hardware + "/${me.name}.nix")
+ (./machine + "/${me.name}.nix")
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+
+ users.mutableUsers = false;
+ users.users.mel = {
+ isNormalUser = true;
+ home = "/home/mel";
+ shell = pkgs.fish;
+ extraGroups = [ "wheel" "docker" ];
+
+ openssh.authorizedKeys.keys = security.keys;
+ hashedPassword = security.password;
+ };
+
+ networking = {
+ hostName = me.name;
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ trustedInterfaces = [ "tailscale0" ];
+ };
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ openFirewall = false;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+ nginx.enable = true;
+ tailscale.enable = true;
+ };
+
+ virtualisation = {
+ docker = {
+ enable = true;
+ enableOnBoot = true;
+ };
+ };
+
+ programs = {
+ fish.enable = true;
+ };
+
+ services.nginx.virtualHosts = {
+ default = { default = true; };
+ "${me.name}.rnrd.eu" = { root = "/var/www/html"; };
+ };
+
+ environment.variables = { EDITOR = "vim"; };
+ environment.systemPackages = with pkgs; [
+ vim
+ ];
+}
+
diff --git a/hardware/lapin.nix b/hardware/lapin.nix
new file mode 100644
index 0000000..b33eb26
--- /dev/null
+++ b/hardware/lapin.nix
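Review bot: The second entry in `imports` resolves `./machine + "/lapin.nix"`, but this commit creates the file as `machines/lapin.nix`, so evaluation will stop with a missing-path error until one side is renamed; the smaller fix is `(./machines + "/${me.name}.nix")`. Two things in the same hunk deserve a comment rather than a change: the `docker` group in `extraGroups` gives the user control of the Docker socket, which is effectively root on the host, so it widens what a compromised non-interactive session can do beyond what `wheel` plus sudo already allows; and Docker publishes container ports through its own nat/FORWARD rules, which the NixOS firewall's INPUT-chain filtering does not cover, so `allowedTCPPorts = [ 80 443 ]` is not the full picture of what is reachable on the public interface. A line such as `# docker group is root-equivalent; ports published by containers bypass networking.firewall` next to `extraGroups` would keep that visible to whoever adds the next container.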
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/bf63f1e9-416c-4bba-b0e4-3ab1b53414db";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/ADF6-F1B5";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/15e0485e-dff2-4eb5-9a4d-12c69baa3db1"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/machines/lapin.nix b/machines/lapin.nix
new file mode 100644
index 0000000..21c24d8
--- /dev/null
+++ b/machines/lapin.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+ networking = {
+ defaultGateway = "172.31.1.1";
+ nameservers = [
+ "185.12.64.1" "185.12.64.2"
+ "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2"
+ ];
+ };
+
+ systemd.network.enable = true;
+ systemd.network.networks."10-wan" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig.DHCP = "ipv4";
+ address = [ "2a01:4f8:c012:9493::1" ];
+ routes = [ { routeConfig.Gateway = "fe80::1"; } ];
+ };
+}
\ No newline at end of file
diff --git a/me.nix b/me.nix
new file mode 100644
index 0000000..7f088d3
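Review bot: machines/lapin.nix enables systemd-networkd but still feeds part of the routing through the scripted-networking options — `networking.defaultGateway` here, and `networking.useDHCP = lib.mkDefault true` inherited from hardware/lapin.nix — so enp1s0's configuration is assembled by two backends at once, which makes it hard to tell from the file which route actually wins. If the IPv4 lease on enp1s0 already hands out 172.31.1.1 (likely for this hosting layout, but confirm on the box), the `defaultGateway` line is redundant; otherwise it belongs inside `"10-wan"` as a second `routes` entry beside the `fe80::1` one, and adding `networking.useDHCP = false;` to this file would make the networkd unit the single source of truth. The IPv6 `address` entry also carries no prefix length, which networkd appears to treat as a /128 host address — that works with the on-link `fe80::1` gateway, but if the allocation is a /64, `address = [ "2a01:4f8:c012:9493::1/64" ];` states the intent explicitly.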
--- /dev/null
+++ b/me.nix
@@ -0,0 +1,3 @@
+{ util, ... }: util.mkMe {
+ name = ""; # Enter machine name here
+}
\ No newline at end of file
diff --git a/security.nix b/security.nix
new file mode 100644
index 0000000..1f3be79
--- /dev/null
+++ b/security.nix
@@ -0,0 +1,14 @@
+{
+ keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2HuNCosEE5SZOv5g8mLDn5jCJRFnYTLZifMl+N6iUD mel@rite"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeB9g5hVrDe6OY1MQqvnYXVawAo4eMFd35HnCsJb3Ym mel@bismuth"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP3PPmDNIBxdRig9JvEf/KNOw+6+A6+FEeXrmaT9Ijkb mel@concrete"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDujTul5wWyGnidLnNuJDRze0Up29l2cDpyKdmvW2Ls mel@grimoire"
+
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINs2TTjnQvDNr/S3lPLWYOnZi00YIMrRUDH8cpBz1k1m mel@renard"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBsr3M7YFIXhKJADIanCmnvUbqm4uSlkSMLhykHf3gq mel@souris"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzDyaafULcgTuFca51NNgYAzZ28RFDQwVWavRpnY5c+ mel@lapin"
+ ];
+
+ password = "$y$j9T$4wGl.YJizIpcfFv0LyvLU0$7LLEkjIFWBOV.XXynReCOczBYNX0EZfMPIDB/bmmhhC";
+}
\ No newline at end of file
diff --git a/util.nix b/util.nix
new file mode 100644
index 0000000..86fe375
--- /dev/null
+++ b/util.nix
@@ -0,0 +1,5 @@
+{
+ mkMe = { name ? "", ... }@me:
+ assert name != "";
+ me;
+}
\ No newline at end of file
-- cgit 1.4.1
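Review bot: `password` in security.nix commits a yescrypt password hash to the repository; a hash is not a plaintext secret, but once published it can be guessed offline with no rate limiting, and this single hash gates sudo for a `wheel` member on every machine that imports configuration.nix (SSH itself is key-only there, so the hash is the remaining password-based control). Prefer keeping the hash on the host and referencing it from the user definition, e.g. replacing `hashedPassword = security.password;` with `passwordFile = "/etc/nixos/secrets/mel.hash";` (the option is named `hashedPasswordFile` on NixOS 23.11 and later), leaving security.nix with only the public keys. A one-line header comment such as `# Public SSH keys only — never put password material or private keys in this file` would stop the file from accumulating further secrets as hosts are added.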