flake/hosts/supernova/default.nix

{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
  imports =
    [
      ./hardware-configuration.nix
    ];
  lyn.kernel.latest.enable = true; 
  lyn.profiles.base.enable = true;
  lyn.users.lyn.enable = true;
  networking.hostName = "supernova";
  boot.loader.efi.canTouchEfiVariables = true;
  
  # this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
  boot.loader.systemd-boot.enable = true;

  # Firmware updates:
  services.fwupd.enable = true;

  ##1##3##3##7##
  ## Security ##
  ##1##3##3##7##

  # Kernel hardening
  lyn.kernel.hardened.enable = true;

  # Secure boot
  lyn.profiles.secureboot.enable = true;

  # FDE + initrd stuff
  boot.kernelParams = [ "ip=dhcp" ];
  boot.loader.timeout = 2;
  boot.initrd = {
    availableKernelModules = [ "r8169" ];
    systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
    secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};
    network = {
    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
      hostKeys = [ /root/initrd-ssh-key ];
      # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
      # authorizedKeys = [ "ssh-rsa ..." ];
      authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
    };
  };
  };

  
  system.stateVersion = "24.05";  
}
added initial config for the supernova host 2024-10-16 16:57:55 +02:00			`{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {`
			`imports =`
			`[`
			`./hardware-configuration.nix`
			`];`
			`lyn.kernel.latest.enable = true;`
			`lyn.profiles.base.enable = true;`
prettified config 2024-10-18 23:01:33 +02:00			`lyn.users.lyn.enable = true;`
			`networking.hostName = "supernova";`
			`boot.loader.efi.canTouchEfiVariables = true;`
lanzaboot added for secureboot, went back to unstable packages 2024-10-16 22:50:37 +02:00
prettified config 2024-10-18 23:01:33 +02:00			`# this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:`
added initial config for the supernova host 2024-10-16 16:57:55 +02:00			`boot.loader.systemd-boot.enable = true;`

added fwupdmgr to supernova to update firmware more easily 2024-10-17 00:19:04 +02:00			`# Firmware updates:`
			`services.fwupd.enable = true;`
lanzaboot added for secureboot, went back to unstable packages 2024-10-16 22:50:37 +02:00
prettified config 2024-10-18 23:01:33 +02:00			`##1##3##3##7##`
lanzaboot added for secureboot, went back to unstable packages 2024-10-16 22:50:37 +02:00			`## Security ##`
prettified config 2024-10-18 23:01:33 +02:00			`##1##3##3##7##`

lanzaboot added for secureboot, went back to unstable packages 2024-10-16 22:50:37 +02:00			`# Kernel hardening`
			`lyn.kernel.hardened.enable = true;`

			`# Secure boot`
			`lyn.profiles.secureboot.enable = true;`

prettified config 2024-10-18 23:01:33 +02:00			`# FDE + initrd stuff`
			`boot.kernelParams = [ "ip=dhcp" ];`
first working state \o/ 2024-10-16 22:19:53 +02:00			`boot.loader.timeout = 2;`
desperate attempt to make this work 2024-10-16 19:00:09 +02:00			`boot.initrd = {`
first working state \o/ 2024-10-16 22:19:53 +02:00			`availableKernelModules = [ "r8169" ];`
			`systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";`
desperate attempt to make this work 2024-10-16 19:00:09 +02:00			`secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};`
			`network = {`
added initial config for the supernova host 2024-10-16 16:57:55 +02:00			`enable = true;`
			`ssh = {`
			`enable = true;`
			`port = 2222;`
prettified config 2024-10-18 23:01:33 +02:00			`# WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.`
snapshot 2024-10-16 20:06:17 +02:00			`hostKeys = [ /root/initrd-ssh-key ];`
added initial config for the supernova host 2024-10-16 16:57:55 +02:00			`# this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually`
			`# authorizedKeys = [ "ssh-rsa ..." ];`
			`authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);`
			`};`
snapshot 2024-10-16 20:06:17 +02:00			`};`
prettified config 2024-10-18 23:01:33 +02:00			`};`


			`system.stateVersion = "24.05";`
snapshot 2024-10-16 20:06:17 +02:00			`}`