From 955f7d1131b518a79f12e4bd4796c1384b15c6d9 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Wed, 16 Oct 2024 16:57:55 +0200
Subject: [PATCH] added initial config for the supernova host
---
 hosts/supernova/default.nix | 36 +++++++++++++++++++
 hosts/supernova/hardware-configuration.nix | 40 ++++++++++++++++++++++
 modules/profiles/base.nix | 6 ++--
 3 files changed, 79 insertions(+), 3 deletions(-)
 create mode 100644 hosts/supernova/default.nix
 create mode 100644 hosts/supernova/hardware-configuration.nix
diff --git a/hosts/supernova/default.nix b/hosts/supernova/default.nix
new file mode 100644
index 0000000..5817e1d
--- /dev/null
+++ b/hosts/supernova/default.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./../../users/lyn
+ ];
+ lyn.kernel.latest.enable = true;
+ lyn.kernel.hardened.enable = true;
+ lyn.profiles.base.enable = true;
+ # Use UEFI
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Firewall stuff:
+ networking.firewall.enable = true;
+ networking.firewall.allowPing = true;
+ networking.hostName = "supernova";
+ system.stateVersion = "24.05";
+
+ # FDE stuff
+ boot.initrd.availableKernelModules = [ "virtio-pci" ];
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ hostECDSAKey = /var/src/secrets/dropbear/ecdsa-hostkey;
+ # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
+ # authorizedKeys = [ "ssh-rsa ..." ];
+ authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+ };
+ postCommands = ''
+ echo 'cryptsetup-askpass' >> /root/.profile
+ '';
+ };
+}
\ No newline at end of file
diff --git a/hosts/supernova/hardware-configuration.nix b/hosts/supernova/hardware-configuration.nix
new file mode 100644
index 0000000..ac591b6
--- /dev/null
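Review bot: `hostECDSAKey = /var/src/secrets/dropbear/ecdsa-hostkey;` in the `ssh = { ... }` block names a private key with a Nix path literal, and a path literal gets copied into the world-readable /nix/store if the module interpolates it into a derivation, which would hand the initrd host key to every local user; write it as a string instead, `hostKeys = [ "/var/src/secrets/dropbear/ecdsa-hostkey" ];`, so it is only copied at boot through the initrd-secrets mechanism rather than at evaluation time. As far as I recall `hostECDSAKey` (together with `hostRSAKey`/`hostDSSKey`) was removed when initrd SSH switched from dropbear to OpenSSH, and the replacement `boot.initrd.network.ssh.hostKeys` expects OpenSSH-format key files, so this file probably does not evaluate at all on the 24.05 state version it declares — a `nixos-rebuild dry-build` would confirm. Even via initrd secrets the key ends up inside the initrd under /boot, and the accompanying hardware-configuration.nix mounts /boot with `fmask=0022`/`dmask=0022`, i.e. world-readable; since that generated file says not to edit it, override the mount options here with `fileSystems."/boot".options = [ "fmask=0077" "dmask=0077" ];`. The section is labelled "FDE stuff" but neither file in this patch declares a `boot.initrd.luks.devices` entry and the root filesystem is a plain btrfs device, so unless the LUKS mapping is defined elsewhere the `cryptsetup-askpass` hook in `postCommands` has nothing to unlock.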
+++ b/hosts/supernova/hardware-configuration.nix
@@ -0,0 +1,40 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/4f7afb2d-a730-4a0c-a9e4-92d75ebd1540";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0374-0967";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/539bfdd3-6f33-4206-aa4d-7d06f3f91568"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
\ No newline at end of file
diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix
index 7dcbad2..fa6b96a 100644
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@@ -2,8 +2,8 @@
 lyn.sops.default.enable = true;
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 nixpkgs.config.allowUnfree = true;
- nix.package = config.pkgsInstances.unstable.lix;
- environment.variables.EDITOR = "nvim";
+ #nix.package = config.pkgsInstances.unstable.lix;
+ environment.variables.EDITOR = "nvim";
 time.timeZone = "Europe/Berlin";
@@ -11,7 +11,7 @@
 enable = true;
 settings = {
 X11Forwarding = true;
- PermitRootLogin = "no";
+ PermitRootLogin = "yes";
 PasswordAuthentication = false;
 };
 openFirewall = true;
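Review bot: `PermitRootLogin = "yes"` in the second hunk of modules/profiles/base.nix relaxes a profile shared by every host that enables `lyn.profiles.base`, and the commit message ("added initial config for the supernova host") gives no reason why onboarding one host needs root SSH logins everywhere. `PasswordAuthentication = false` keeps this key-only for now, but `"yes"` can still admit root through keyboard-interactive if that method is left at its default, and it silently inherits any future loosening of the password setting, whereas `PermitRootLogin = "prohibit-password";` states the intended policy directly. If root login is only needed on supernova, set it under `services.openssh.settings` in hosts/supernova/default.nix rather than in the base profile. The enclosing attribute set, presumably `services.openssh`, opens and closes outside the hunk.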