added initial config for the supernova host

2024-10-16 16:57:55 +02:00 · 2024-10-16 16:57:55 +02:00 · 955f7d1131
commit 955f7d1131
parent 0aed53464d
3 changed files with 79 additions and 3 deletions
--- a/hosts/supernova/default.nix
+++ b/hosts/supernova/default.nix
@ -0,0 +1,36 @@
+{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./../../users/lyn
+    ];
+  lyn.kernel.latest.enable = true; 
+  lyn.kernel.hardened.enable = true;
+  lyn.profiles.base.enable = true;
+  # Use UEFI
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Firewall stuff:
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+  networking.hostName = "supernova";
+  system.stateVersion = "24.05"; 
+
+  # FDE stuff
+  boot.initrd.availableKernelModules = [ "virtio-pci" ];
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      port = 2222;
+      hostECDSAKey = /var/src/secrets/dropbear/ecdsa-hostkey;
+      # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
+      # authorizedKeys = [ "ssh-rsa ..." ];
+      authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+    };
+    postCommands = ''
+      echo 'cryptsetup-askpass' >> /root/.profile
+    '';
+  };
+}
--- a/hosts/supernova/hardware-configuration.nix
+++ b/hosts/supernova/hardware-configuration.nix
@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4f7afb2d-a730-4a0c-a9e4-92d75ebd1540";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/0374-0967";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/539bfdd3-6f33-4206-aa4d-7d06f3f91568"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -2,7 +2,7 @@
  lyn.sops.default.enable = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nixpkgs.config.allowUnfree = true;
-  nix.package = config.pkgsInstances.unstable.lix;
+  #nix.package = config.pkgsInstances.unstable.lix;
  environment.variables.EDITOR = "nvim";
  
  time.timeZone = "Europe/Berlin";
@ -11,7 +11,7 @@
 	enable = true;
 	settings = {
 		X11Forwarding = true;
-		PermitRootLogin = "no";
+		PermitRootLogin = "yes";
 		PasswordAuthentication = false;
 	};
 	openFirewall = true;