From e11aac3f0bacd47f39a9862e5742fabc4f0bbefe Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Wed, 13 Oct 2021 18:17:45 +0200 Subject: [PATCH] add common config --- common/default.nix | 47 +++++ common/generic-lxc.nix | 18 ++ common/generic-vm.nix | 14 ++ common/services/default.nix | 8 + common/services/flood.nix | 150 ++++++++++++++++ common/services/unpackerr.nix | 307 ++++++++++++++++++++++++++++++++ common/services/vmagent.nix | 114 ++++++++++++ common/users/default.nix | 65 +++++++ flake.nix | 6 +- hosts/bastion/configuration.nix | 110 +----------- 10 files changed, 729 insertions(+), 110 deletions(-) create mode 100644 common/default.nix create mode 100644 common/generic-lxc.nix create mode 100644 common/generic-vm.nix create mode 100644 common/services/default.nix create mode 100644 common/services/flood.nix create mode 100644 common/services/unpackerr.nix create mode 100644 common/services/vmagent.nix create mode 100644 common/users/default.nix diff --git a/common/default.nix b/common/default.nix new file mode 100644 index 00000000..9036a33a --- /dev/null +++ b/common/default.nix 
@@ -0,0 +1,47 @@ +# Common/default.nix + +# Inputs for this module, we don't use anything so can be empty. +{ ... }: + +{ + imports = [ + # User account definitions + ./users + ./services + ]; + + # Clean /tmp on boot. + boot.cleanTmpDir = true; + + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + + # Nix Settings + nix = { + package = pkgs.nixUnstable; + autoOptimiseStore = true; + binaryCaches = [ + "https://cachix.cachix.org" + "https://nix-community.cachix.org" + "https://nixpkgs-review-bot.cachix.org" + ]; + binaryCachePublicKeys = [ + "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE=" + ]; + trustedUsers = [ "root" "victor" ]; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + nixpkgs.config.allowUnfree = true; + + # Limit the systemd journal to 100 MB of disk or the + # last 7 days of logs, whichever happens first. + services.journald.extraConfig = '' + SystemMaxUse=100M + MaxFileSec=7day + ''; +} diff --git a/common/generic-lxc.nix b/common/generic-lxc.nix new file mode 100644 index 00000000..c492b91d --- /dev/null +++ b/common/generic-lxc.nix @@ -0,0 +1,18 @@ +{ ... }: { + # See also: https://blog.xirion.net/posts/nixos-proxmox-lxc/ + + # Import nixos lxc config + imports = [ + + ]; + + # Supress systemd services that don't work (correctly) on LXC + systemd.suppressedSystemUnits = [ + "dev-mqueue.mount" + "sys-kernel-debug.mount" + "sys-fs-fuse-connections.mount" + ]; + + # Enable SSH daemon support. + services.openssh.enable = true; +} diff --git a/common/generic-vm.nix b/common/generic-vm.nix new file mode 100644 index 00000000..de732089 --- /dev/null +++ b/common/generic-vm.nix 
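Review bot: `nix.package = pkgs.nixUnstable;` in common/default.nix uses `pkgs`, but the module header `{ ... }:` does not bind it, so evaluating any host that imports `../../common` fails with an undefined-variable error on that line; change the header to `{ pkgs, ... }:`. `trustedUsers = [ "root" "victor" ];` gives victor the same authority over the Nix daemon as root (trusted users can add substituters and relax sandboxing), which is in line with the passwordless wheel sudo elsewhere in this patch but deserves a comment, e.g. `# victor is a trusted user (equivalent to root for the daemon), presumably needed for deploy-rs pushes`.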
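Review bot: The `imports = [ ];` list in common/generic-lxc.nix is empty although the comment above it says "Import nixos lxc config", so whatever LXC module the comment refers to is never pulled in and the `systemd.suppressedSystemUnits` list is the only LXC handling this file actually provides. Either add the intended module path to the list or replace the comment with one that states the current situation, such as `# No upstream LXC module is imported yet; only the unit suppressions below apply.`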
@@ -0,0 +1,14 @@ +{ lib, ... }: { + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + services.openssh.permitRootLogin = lib.mkDefault "yes"; + + # Enable qemu guest agent + services.qemuGuest.enable = true; +} diff --git a/common/services/default.nix b/common/services/default.nix new file mode 100644 index 00000000..9fa6e606 --- /dev/null +++ b/common/services/default.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./flood.nix + ./unpackerr.nix + ./vmagent.nix + ]; +} diff --git a/common/services/flood.nix b/common/services/flood.nix new file mode 100644 index 00000000..3616bfac --- /dev/null +++ b/common/services/flood.nix 
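Review bot: `services.openssh.permitRootLogin = lib.mkDefault "yes";` in common/generic-vm.nix permits root to log in with a password, whereas the bastion configuration this patch rewrites (hunk in hosts/bastion/configuration.nix) set `"without-password"`, so for bastion this is a net loosening. Root already receives victor's keys through common/users/default.nix, so key-only access is sufficient: `services.openssh.permitRootLogin = lib.mkDefault "prohibit-password";` (the current spelling of `without-password`). No file in this patch sets `services.openssh.passwordAuthentication`, so the NixOS default applies; setting it explicitly would document the intent for every VM that imports this file.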
@@ -0,0 +1,150 @@ +{ config, pkgs, lib, ... }: +with lib; +let cfg = config.services.flood; +in +{ + options.services.flood = { + enable = mkEnableOption "flood"; + + user = mkOption { + default = "flood"; + type = types.str; + description = '' + User account under which flood runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "rtorrent"; + description = '' + Group under which flood runs. + Flood needs to have the correct permissions if accessing rtorrent through the socket. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.flood; + defaultText = "pkgs.flood"; + description = '' + The flood package to use. + ''; + }; + + host = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + Address flood binds to. + ''; + }; + + port = mkOption { + type = types.port; + default = 3000; + description = '' + The flood web port. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the firewall for the port in . + ''; + }; + + rpcSocket = mkOption { + type = types.str; + readOnly = true; + default = "/run/rtorrent/rpc.sock"; + description = '' + RPC socket path. + (Only used when auth=none). + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/flood"; + description = '' + The directory where flood stores its data files. + ''; + }; + + downloadDir = mkOption { + type = types.str; + default = "/var/lib/rtorrent/download"; + description = '' + Root directory for downloaded files. + ''; + }; + + authMode = mkOption { + type = types.str; + default = "none"; + description = '' + Access control and user management method. + Either 'default' or 'none'. + ''; + }; + + ssl = mkOption { + type = types.bool; + default = false; + description = '' + Enable SSL. + key.pem and fullchain.pem needed in runtime directory. 
+ ''; + }; + + baseURI = mkOption { + type = types.str; + default = "/"; + description = '' + This URI will prefix all of Flood's HTTP requests + ''; + }; + }; + + config = mkIf cfg.enable { + # Create group if set to default + users.groups = mkIf (cfg.group == "rtorrent") { + rtorrent = { }; + }; + + # Create user if set to default + users.users = mkIf (cfg.user == "flood") { + flood = { + group = cfg.group; + shell = pkgs.bashInteractive; + home = cfg.dataDir; + description = "flood Daemon user"; + isSystemUser = true; + }; + }; + + # Open firewall if option is set to do so. + networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall) [ cfg.port ]; + + # The actual service + systemd.services.flood = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "flood system service"; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "simple"; + Restart = "on-failure"; + WorkingDirectory = cfg.dataDir; + ExecStart = "${cfg.package}/bin/flood --baseuri ${cfg.baseURI} --rundir ${cfg.dataDir} --host ${cfg.host} --port ${toString cfg.port} ${if cfg.ssl then "--ssl" else ""} --auth ${cfg.authMode} --rtsocket ${cfg.rpcSocket} --allowedpath ${cfg.downloadDir}"; + }; + }; + + # This is needed to create the dataDir with the correct permissions. + systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0755 ${cfg.user} ${cfg.group} -" ]; + }; +} diff --git a/common/services/unpackerr.nix b/common/services/unpackerr.nix new file mode 100644 index 00000000..7135b06e --- /dev/null +++ b/common/services/unpackerr.nix 
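Review bot: `authMode` is declared as `types.str` although its description says it must be `default` or `none`, so a typo passes evaluation and only surfaces when flood starts; `type = types.enum [ "default" "none" ];` moves that check to eval time. The `ExecStart` line splices every option into one string without quoting, so a `dataDir`, `downloadDir` or `baseURI` containing a space or shell metacharacter is split by systemd into several arguments; building the command as a list and passing it through `escapeShellArgs` (sketch below, `lib` is already in scope via `with lib;`) quotes each value. The tmpfiles rule creates `dataDir` with mode 0755; if flood keeps its user database there when `authMode = "default"`, 0750 is the more defensive default — confirm against what flood writes under `--rundir`.
```nix
ExecStart = escapeShellArgs ([
  "${cfg.package}/bin/flood"
  "--baseuri" cfg.baseURI
  "--rundir" cfg.dataDir
  "--host" cfg.host
  "--port" (toString cfg.port)
] ++ optional cfg.ssl "--ssl" ++ [
  "--auth" cfg.authMode
  "--rtsocket" cfg.rpcSocket
  "--allowedpath" cfg.downloadDir
]);
# … unchanged: rest of serviceConfig and tmpfiles rule …
```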
@@ -0,0 +1,307 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.services.unpackerr; + mkStarrOptions = { name, url }: { + url = mkOption { + type = types.str; + default = ""; + example = "${url}"; + description = '' + The URL to access ${name} + ''; + }; + apiKey = mkOption { + type = types.str; + default = ""; + description = '' + The API key for accessing ${name} + ''; + }; + paths = mkOption { + type = types.str; + default = ""; + example = "/downloads,/moreDownloads"; + description = '' + List of paths where content is downloaded for ${name} + ''; + }; + protocols = mkOption { + type = types.str; + default = "torrent"; + example = "torrent,usenet"; + description = '' + Protocols to process + ''; + }; + timeout = mkOption { + type = types.str; + default = "10s"; + description = '' + How long to wait for ${name} to respond + ''; + }; + deleteOrginal = mkOption { + type = types.bool; + default = false; + description = '' + Delete archives after import? + Recommend not setting this to true + ''; + }; + deleteDelay = mkOption { + type = types.str; + default = "5m"; + description = '' + Extracts are deleted this long after import. `-1` to disable. + ''; + }; + }; +in +{ + options.services.unpackerr = { + enable = mkEnableOption "unpackerr"; + + user = mkOption { + default = "unpackerr"; + type = types.str; + description = '' + User account under which unpackerr runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "unpackerr"; + description = '' + Group under which unpackerr runs. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.unpackerr; + defaultText = "pkgs.unpackerr"; + description = '' + The unpackerr package to use. + ''; + }; + + debug = mkOption { + type = types.bool; + default = false; + description = '' + Turns on more logs. 
+ ''; + }; + + interval = mkOption { + type = types.str; + default = "2m"; + description = '' + How often apps are polled, recommended 1m to 5m + ''; + }; + + startDelay = mkOption { + type = types.str; + default = "1m"; + description = '' + Files are queued at least this long before extraction + ''; + }; + + retryDelay = mkOption { + type = types.str; + default = "5m"; + description = '' + Failed extractions are retried after at least this long + ''; + }; + + maxRetries = mkOption { + type = types.int; + default = 3; + description = '' + Times to retry failed extractions. `0` = unlimited. + ''; + }; + + parallel = mkOption { + type = types.int; + default = 1; + description = '' + Concurrent extractions, 1 is recommended. + ''; + }; + + fileMode = mkOption { + type = types.str; + default = "0644"; + description = '' + Extracted files are written with this mode + ''; + }; + + dirMode = mkOption { + type = types.str; + default = "0755"; + description = '' + Extracted folders are written with this mode + ''; + }; + + sonarr = mkStarrOptions { name = "Sonarr"; url = "http://localhost:8989"; }; + + radarr = mkStarrOptions { name = "Radarr"; url = "http://localhost:7878"; }; + + lidarr = mkStarrOptions { name = "Lidarr"; url = "http://localhost:8686"; }; + + readarr = mkStarrOptions { name = "Readarr"; url = "http://localhost:8787"; }; + + folder = { + path = mkOption { + type = types.str; + default = ""; + description = '' + folder path, not for Starr apps. + ''; + }; + extractPath = mkOption { + type = types.str; + default = ""; + description = '' + Where to extract to, Defaults to . + ''; + }; + deleteAfter = mkOption { + type = types.str; + default = ""; + example = "10m"; + description = '' + Delete extracted files and/or archives after this duration, `0` to disable. 
+ ''; + }; + deleteOrginal = mkOption { + type = types.bool; + default = false; + description = '' + Delete archives after extraction + ''; + }; + deleteFiles = mkOption { + type = types.bool; + default = false; + description = '' + Delete extracted files after successful extraction + ''; + }; + moveBack = mkOption { + type = types.bool; + default = false; + description = '' + Move extracted items back into original folder + ''; + }; + }; + + extraConfig = mkOption { + type = types.attrs; + default = {}; + description = '' + Extra environment variables + ''; + example = { + UN_WEBHOOK_0_URL = "http://example.com"; + }; + }; + }; + + config = mkIf cfg.enable { + # Create group if set to default + users.groups = mkIf (cfg.group == "unpackerr") { + unpackerr = { }; + }; + + # Create user if set to default + users.users = mkIf (cfg.user == "unpackerr") { + unpackerr = { + group = cfg.group; + shell = pkgs.bashInteractive; + createHome = false; + description = "unpackerr Daemon user"; + isSystemUser = true; + }; + }; + + # The actual service + systemd.services.unpackerr = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "unpackerr system service"; + # Filter out all unset variables else unpackerr complains + environment = filterAttrs (n: v: stringLength v > 0) { + # General options + UN_DEBUG = "${toString cfg.debug}"; + UN_INTERVAL = "${cfg.interval}"; + UN_START_DELAY = "${cfg.startDelay}"; + UN_RETRY_DELAY = "${cfg.retryDelay}"; + UN_MAX_RETRIES = "${toString cfg.maxRetries}"; + UN_PARALLEL = "${toString cfg.parallel}"; + UN_FILE_MODE = "${cfg.fileMode}"; + UN_DIR_MODE = "${cfg.dirMode}"; + + # Sonarr + UN_SONARR_0_URL = "${cfg.sonarr.url}"; + UN_SONARR_0_API_KEY = "${cfg.sonarr.apiKey}"; + UN_SONARR_0_PATHS_0 = "${cfg.sonarr.paths}"; + UN_SONARR_0_PROTOCOLS = "${cfg.sonarr.protocols}"; + UN_SONARR_0_TIMEOUT = "${cfg.sonarr.timeout}"; + UN_SONARR_0_DELETE_ORIG = "${toString cfg.sonarr.deleteOrginal}"; + UN_SONARR_0_DELETE_DELAY 
= "${cfg.sonarr.deleteDelay}"; + + # Radarr + UN_RADARR_0_URL = "${cfg.radarr.url}"; + UN_RADARR_0_API_KEY = "${cfg.radarr.apiKey}"; + UN_RADARR_0_PATHS_0 = "${cfg.radarr.paths}"; + UN_RADARR_0_PROTOCOLS = "${cfg.radarr.protocols}"; + UN_RADARR_0_TIMEOUT = "${cfg.radarr.timeout}"; + UN_RADARR_0_DELETE_ORIG = "${toString cfg.radarr.deleteOrginal}"; + UN_RADARR_0_DELETE_DELAY = "${cfg.radarr.deleteDelay}"; + + # Lidarr + UN_LIDARR_0_URL = "${cfg.lidarr.url}"; + UN_LIDARR_0_API_KEY = "${cfg.lidarr.apiKey}"; + UN_LIDARR_0_PATHS_0 = "${cfg.lidarr.paths}"; + UN_LIDARR_0_PROTOCOLS = "${cfg.lidarr.protocols}"; + UN_LIDARR_0_TIMEOUT = "${cfg.lidarr.timeout}"; + UN_LIDARR_0_DELETE_ORIG = "${toString cfg.lidarr.deleteOrginal}"; + UN_LIDARR_0_DELETE_DELAY = "${cfg.lidarr.deleteDelay}"; + + # Readarr + UN_READARR_0_URL = "${cfg.readarr.url}"; + UN_READARR_0_API_KEY = "${cfg.readarr.apiKey}"; + UN_READARR_0_PATHS_0 = "${cfg.readarr.paths}"; + UN_READARR_0_PROTOCOLS = "${cfg.readarr.protocols}"; + UN_READARR_0_TIMEOUT = "${cfg.readarr.timeout}"; + UN_READARR_0_DELETE_ORIG = "${toString cfg.readarr.deleteOrginal}"; + UN_READARR_0_DELETE_DELAY = "${cfg.readarr.deleteDelay}"; + + # Folder + UN_FOLDER_0_PATH = "${cfg.folder.path}"; + UN_FOLDER_0_EXTRACT_PATH = "${cfg.folder.extractPath}"; + UN_FOLDER_0_DELETE_AFTER = "${cfg.folder.deleteAfter}"; + UN_FOLDER_0_DELETE_ORIGINAL = "${toString cfg.folder.deleteOrginal}"; + UN_FOLDER_0_DELETE_FILES = "${toString cfg.folder.deleteFiles}"; + UN_FOLDER_0_MOVE_BACK = "${toString cfg.folder.moveBack}"; + } // cfg.extraConfig; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "simple"; + Restart = "on-failure"; + ExecStart = "${cfg.package}/bin/unpackerr"; + }; + }; + }; +} diff --git a/common/services/vmagent.nix b/common/services/vmagent.nix new file mode 100644 index 00000000..677b3d1f --- /dev/null +++ b/common/services/vmagent.nix 
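Review bot: `apiKey` for each Starr app is a plain `types.str` that is interpolated into the unit's `environment`, so the API keys are written into the systemd unit file in the world-readable Nix store and are also visible through `systemctl show`. A root-only `EnvironmentFile` carrying `UN_SONARR_0_API_KEY` and friends keeps them out of the store; the sketch below adds an `environmentFile` option wired into `serviceConfig`, and the `apiKey` descriptions should say that values set there land in the store. Separately, `deleteOrginal` is misspelled in both `mkStarrOptions` and `folder`; since the option is new in this commit, renaming it to `deleteOriginal` now avoids freezing the typo into the public interface. Note also that `toString false` is the empty string in Nix, so a false boolean is dropped by the `filterAttrs` and only a true one reaches unpackerr as `"1"`; that matches the defaults here, but a comment on the filter line, e.g. `# toString false == "", so unset booleans are filtered out here too`, would save the next reader a surprise.
```nix
environmentFile = mkOption {
  type = types.nullOr types.path;
  default = null;
  description = ''
    File with secret settings such as UN_SONARR_0_API_KEY, passed to systemd
    as EnvironmentFile so that API keys do not end up in the Nix store.
  '';
};
# … unchanged: remaining options, user/group creation, environment block …
serviceConfig = {
  # … unchanged: User, Group, Type, Restart …
  EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
  ExecStart = "${cfg.package}/bin/unpackerr";
};
```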
@@ -0,0 +1,114 @@ +{ config, pkgs, lib, ... }: +with lib; +let cfg = config.services.vmagent; +in +{ + options.services.vmagent = { + enable = mkEnableOption "vmagent"; + + user = mkOption { + default = "vmagent"; + type = types.str; + description = '' + User account under which vmagent runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "vmagent"; + description = '' + Group under which vmagent runs. + ''; + }; + + package = mkOption { + default = pkgs.v.vmagent; + defaultText = "pkgs.v.vmagent"; + type = types.package; + description = '' + vmagent package to use. + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/vmagent"; + description = '' + The directory where vmagent stores its data files. + ''; + }; + + remoteWriteUrl = mkOption { + default = "http://localhost:8428/api/v1/write"; + type = types.str; + description = '' + The remote storage endpoint such as VictoriaMetrics + ''; + }; + + prometheusConfig = mkOption { + default = ""; + type = types.str; + example = '' + global: + scrape_interval: 5s + scrape_configs: + - job_name: 'apache' + static_configs: + - targets: ['apache-exporter:9117'] + ''; + description = '' + Config for prometheus style metrics + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the firewall for the default ports. + ''; + }; + }; + + config = mkIf cfg.enable { + # Create group if set to default + users.groups = mkIf (cfg.group == "vmagent") { + vmagent = { }; + }; + + # Create user if set to default + users.users = mkIf (cfg.user == "vmagent") { + vmagent = { + group = cfg.group; + shell = pkgs.bashInteractive; + description = "vmagent Daemon user"; + home = cfg.dataDir; + isSystemUser = true; + }; + }; + + # Open firewall if option is set to do so. 
+ networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall) [ 8429 ]; + + # The actual service + systemd.services.vmagent = let + prometheusConfig = pkgs.writeText "prometheus.yml" cfg.prometheusConfig; + in { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "vmagent system service"; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "simple"; + Restart = "on-failure"; + WorkingDirectory = cfg.dataDir; + ExecStart = "${cfg.package}/bin/vmagent -remoteWrite.url=${cfg.remoteWriteUrl} -promscrape.config=${prometheusConfig}"; + }; + }; + + systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0755 ${cfg.user} ${cfg.group} -" ]; + }; +} diff --git a/common/users/default.nix b/common/users/default.nix new file mode 100644 index 00000000..c685da99 --- /dev/null +++ b/common/users/default.nix 
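Review bot: `cfg.prometheusConfig` is written with `pkgs.writeText` into the Nix store and passed as `-promscrape.config`, so any bearer token or basic-auth credential placed in a scrape config becomes world-readable on the host, and credentials embedded in `remoteWriteUrl` likewise end up in the unit file. A `prometheusConfigFile` option (`types.nullOr types.path`) pointing at a root-owned file and used in place of the generated one when set avoids that, and the `prometheusConfig` description should state the store-visibility limitation. The `package` default `pkgs.v.vmagent` is not an upstream nixpkgs attribute, so presumably it comes from an overlay that is not part of this patch; a comment naming where `pkgs.v` is defined would help. `openFirewall` opens the hard-coded port 8429 while the module never sets vmagent's listen address, so either expose the address/port as options or add `# 8429 is vmagent's default -httpListenAddr port` next to the firewall line.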
@@ -0,0 +1,65 @@ +# common/users/default.nix + +# Inputs to this NixOS module, in this case we are +# using `pkgs` so we can have some user specific packages and config +# to configure the root ssh key. +{ config, pkgs, ... }: + +{ + # Setup ZSH to use grml config + programs.zsh = { + enable = true; + enableCompletion = true; + syntaxHighlighting.enable = true; + interactiveShellInit = '' + source "${pkgs.grml-zsh-config}/etc/zsh/zshrc" + source "${pkgs.fzf}/share/fzf/key-bindings.zsh" + source "${pkgs.fzf}/share/fzf/completion.zsh" + eval "$(${pkgs.zoxide}/bin/zoxide init zsh)" + ''; + # otherwise it'll override the grml prompt + promptInit = ""; + }; + + environment.pathsToLink = [ "/share/zsh" ]; + + # Disable sudo prompt for `wheel` users. + security.sudo.wheelNeedsPassword = false; + + # The block that specifies my user account. + users.extraUsers.victor = { + # This account is intended for a non-system user. + isNormalUser = true; + + # My default shell + shell = pkgs.zsh; + + # My SSH keys. 
+ openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC3alaexJkUAi/81weIGGTNrkRf+x0UT0wTWNENOc8bakmgzPg0STopCwHYAHoNHDC1dorVpVfCqWsAx9ta9KOCvqo3BS7rOWlASSna2fejvnNZAy6yzdvWq8Bclg7U40ic8ubnLw7l9nompHk7kzwVN6a6wqVfM5aefEXpaE4rlXu56yF81RR1TaWMnTvD7JMzyeDHt29DPdw+/ivOy3SXC8lUOukQLycNYduBO911gegkKH7mRNrqgYCuV6PF38CZPAhboC0JbpMKsiHInfY6iTrST035JIuVfEG0oRlW7BSsSfafPBlstyvf63mjjCJ13/47PyvkxWB47UYtYUjtQvrlzQtGlxyljyARL6x6RC6WY2Hluej4kWRVrJNRtDZAx+AeYa2jgUeD+RWPUQuXYLXs+0F1A7/y/m3FiuBMpB6neptX/jRY7aI1XDZiO23Pyui0pCsl9c8PQFltwvL1N32miRGhA/2DPhrKgpLRcRNglwRPZSkc+3er1cuUrs= victor@eevee" + "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjJmG5W+uO+KTOmzknOfzkjbCtOCpO9tSxLN2BG6hxCsKPN1U31WDiajeHrZFselpWG80710Ne3wAlWduU3aUTeXdms0N99F7CbIFHXRqU0aEu4FN3WDuv0bRLoc+Ern9V7R4DvtxyNFd66yLzvzfT2/0nudiIkWV6W8qF4W6wJF+/TVTYcwZzVTBfpqUG9LMyMB1e6c0DYISmIGT0Q5s0sb2Hrs5Xa2Q7vgAevHJJzPojGQ+zcK/nHos4/glnDGoj9iyj55zB48LycLxjpFL9GAZfBZPi0SXVRy3gEVPkeger0e4OSumYiEbZhcV3MdtffSIHmq3ehgXi0FyBeMhsw== victor@xirion.net" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMMbdjysLnmwJD5Fs/SjBPstdIQNUxy8zFHP0GlhHMJB victor@bastion" + ]; + + # Make me admin + extraGroups = [ "wheel" ]; + }; + + # Configure the root account + users.extraUsers.root = { + # Allow my SSH keys for logging in as root. + openssh.authorizedKeys.keys = config.users.users.victor.openssh.authorizedKeys.keys; + # Also use zsh for root + shell = pkgs.zsh; + }; + + # Setup packages available everywhere + environment.systemPackages = with pkgs; [ + fzf + git + htop + rsync + neovim + zoxide + ]; +} diff --git a/flake.nix b/flake.nix index b1368ddf..22a47374 100644 --- a/flake.nix +++ b/flake.nix 
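Review bot: The accounts are defined under `users.extraUsers` but read back through `config.users.users.victor.openssh.authorizedKeys.keys`; `extraUsers` is only a compatibility alias for `users.users`, so defining both as `users.users.victor = { ... };` and `users.users.root = { ... };` keeps the file self-consistent. Sharing victor's keys with root together with `security.sudo.wheelNeedsPassword = false` means every key in this list is effectively a root credential on every host that imports this module; a comment above the root block such as `# Every key above grants root directly (this block) and via passwordless sudo (wheel).` documents that decision for the next reader.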
@@ -9,17 +9,15 @@ modules = [ ./hosts/bastion/configuration.nix ]; }; - deploy.nodes.bastion = { + deploy.nodes.bastion = { hostname = "localhost"; fastConnection = true; profiles.system = { user = "root"; path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.bastion; }; - }; - checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; }; - } diff --git a/hosts/bastion/configuration.nix b/hosts/bastion/configuration.nix index 1edb7464..9cc5e45d 100644 --- a/hosts/bastion/configuration.nix +++ b/hosts/bastion/configuration.nix 
@@ -6,104 +6,23 @@ { imports = - [ # Include the results of the hardware scan. + [ + ../../common + ../../common/generic-vim.nix + # Include the results of the hardware scan. ./hardware-configuration.nix ]; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; boot.loader.grub.version = 2; - # boot.loader.grub.efiSupport = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # Define on which hard drive you want to install Grub. boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only networking.hostName = "bastion"; # Define your hostname. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # Set your time zone. time.timeZone = "Europe/Amsterdam"; - - # The global useDHCP flag is deprecated, therefore explicitly set to false here. - # Per-interface useDHCP will be mandatory in the future, so this generated config - # replicates the default behaviour. - networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - -security.sudo.wheelNeedsPassword = false; - - - # Configure keymap in X11 - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. 
- # users.users.jane = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - # }; - - # List packages installed in system profile. To search, run: - # $ nix search wget - # environment.systemPackages = with pkgs; [ - # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - # wget - # firefox - # ]; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.openssh.permitRootLogin = "without-password"; - - #services.openssh.passwordAuthentication = true; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - #networking.firewall.enable = false; - - environment.systemPackages = with pkgs; [git rsync htop neovim]; - - users.extraUsers.root.openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiOUE5yEKMXvKMoQJxfAKbLi5GGOQptzUbWuAVIOnQG+AXJetF/D4Qj68X/0LGEEX78aA4Tb4rNa4imv95+I2rRvRcz8U/9sWoSdfzXLT6KjMqW/4+iNGNFEd0jx92HxPU1Sir6rOGWVwxcayEGO4NJXAjE0LvNMN0+4c9TaH4FZ1hLhyjAdkh5KgPP48JbubqI0zf+BlTJJCWDz3MtN9CHn2nERjGRodYHjq3WTwGXyq7o7Tfmko7C0CE2gBuz4f3LJdH2vz+ghkL5vzFnxzq9QgucJoRr+Pjons71L1622ZLFFHsmicJIEofOUgTrwiD5yayijp/izVFdUvUoB20w==" - ]; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave 
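Review bot: `../../common/generic-vim.nix` does not exist; the file this patch creates is `common/generic-vm.nix`, so evaluating the bastion configuration fails on the import list; change the line to `../../common/generic-vm.nix`. The root key removed in this hunk (`ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiOUE5...`) does not appear in the key list in common/users/default.nix, so after this commit it no longer opens root or victor on bastion — fine as a deliberate rotation, but a lockout risk if it is the key used for deployment; a sentence in the commit message noting the rotation would make that explicit. `time.timeZone = "Europe/Amsterdam";` is now also set in common/default.nix; equal string values merge without error, but the duplicate here can be dropped. The enclosing attribute set continues past the end of this hunk.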
@@ -111,25 +30,4 @@ security.sudo.wheelNeedsPassword = false; # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.05"; # Did you read the comment? - - - # Flakes - nix = { - package = pkgs.nixUnstable; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - - users.extraUsers.victor = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ -"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiOUE5yEKMXvKMoQJxfAKbLi5GGOQptzUbWuAVIOnQG+A -XJetF/D4Qj68X/0LGEEX78aA4Tb4rNa4imv95+I2rRvRcz8U/9sWoSdfzXLT6KjMqW/4+iNGNFEd0jx92HxPU1Sir -6rOGWVwxcayEGO4NJXAjE0LvNMN0+4c9TaH4FZ1hLhyjAdkh5KgPP48JbubqI0zf+BlTJJCWDz3MtN9CHn2nERjGR -odYHjq3WTwGXyq7o7Tfmko7C0CE2gBuz4f3LJdH2vz+ghkL5vzFnxzq9QgucJoRr+Pjons71L1622ZLFFHsmicJIE -ofOUgTrwiD5yayijp/izVFdUvUoB20w==" ]; - }; } -