prettified config

hosts/forgejo-ci/default.nix

@@ -2,9 +2,9 @@
   imports =
     [
       ./hardware-configuration.nix
-      ./../../users/lyn
     ];
   lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
+  lyn.users.lyn.enable = true;
   lyn.kernel.latest.enable = true; 
   lyn.kernel.hardened.enable = true;
   lyn.profiles.base.enable = true;
@@ -12,13 +12,9 @@
   lyn.services.forgejo-ci.enable = true;
   lyn.services.forgejo-ci.domain = "git.shibe.pro";
   lyn.services.forgejo-ci.instancename = "shibepro-ci";
-  # Use UEFI
   boot.loader.systemd-boot.enable = true;
 
   networking.hostName = "forgejo-ci"; # Define your hostname.
 
-  # Firewall stuff:
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
   system.stateVersion = "23.05"; 
 }

hosts/forgenite/default.nix

@@ -1,11 +1,10 @@
 { config, pkgs, lib, inputs, ... }: {
   imports =
     [
-      ./../../users/lyn
       ./hardware-configuration.nix
     ];
   lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
-
+  lyn.users.lyn.enable = true;
   lyn.kernel.latest.enable = true;
   lyn.kernel.hardened.enable =true;
   lyn.profiles.base.enable = true;
@@ -18,10 +17,6 @@
   lyn.services.forgejo.domain = "git.shibe.pro";
   networking.hostName = "forgenite"; # Define your hostname.
 
-  # Firewall stuff:
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It's perfectly fine and recommended to leave
@@ -30,10 +25,5 @@
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "24.05"; # Did you read the comment?
  
-nix.gc = {
-    automatic = true;
-    persistent = true;
-    options = "--delete-older-than 8d";
-  };
 }
 

hosts/supernova/default.nix

@@ -2,36 +2,31 @@
   imports =
     [
       ./hardware-configuration.nix
-      ./../../users/lyn
     ];
   lyn.kernel.latest.enable = true; 
   lyn.profiles.base.enable = true;
-  
+  lyn.users.lyn.enable = true;
-  networking.useDHCP = true;
-
-  # Use UEFI
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.kernelParams = [ "ip=dhcp" ]; 
-
-  # Firewall stuff:
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
   networking.hostName = "supernova";
-  system.stateVersion = "24.05"; 
+  boot.loader.efi.canTouchEfiVariables = true;
+  
+  # this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
+  boot.loader.systemd-boot.enable = true;
+
   # Firmware updates:
   services.fwupd.enable = true;
 
-  ##############
+  ##1##3##3##7##
   ## Security ##
-  ##############
+  ##1##3##3##7##
+
   # Kernel hardening
   lyn.kernel.hardened.enable = true;
 
   # Secure boot
   lyn.profiles.secureboot.enable = true;
 
-  # FDE stuff
+  # FDE + initrd stuff
+  boot.kernelParams = [ "ip=dhcp" ];
   boot.loader.timeout = 2;
   boot.initrd = {
     availableKernelModules = [ "r8169" ];
@@ -42,11 +37,15 @@
     ssh = {
       enable = true;
       port = 2222;
+      # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
       hostKeys = [ /root/initrd-ssh-key ];
       # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
       # authorizedKeys = [ "ssh-rsa ..." ];
       authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
     };
   };
-  }; 
+  };
+
+  
+  system.stateVersion = "24.05";  
 }

hosts/supernova/hardware-configuration.nix

@@ -15,7 +15,7 @@
 
   boot.initrd.systemd.enable = true;
   boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/db8a5cf9-c54b-4e6a-b3f9-e6323eb962a6";
-  # doubles SSD performance because r/w queue is unnecessary here  
+  # doubles SSD performance because r/w queue is unnecessary here
   boot.initrd.luks.devices."root".bypassWorkqueues = true;
 
   fileSystems."/" =

modules/kernel/hardened.nix

@@ -1,6 +1,7 @@
 {lib, pkgs, config, cfg, ...}: let 
     ifApparmor = cfg.apparmor.enable; 
 in {
+	# TODO: Update this
     opt.apparmor.enable = lib.mkEnableOption "apparmor";
     boot.kernelPackages = let
 	kernel = pkgs.linux-libre;

modules/profiles/base.nix

@@ -5,8 +5,13 @@
   nix.package = config.pkgsInstances.unstable.lix;
   environment.variables.EDITOR = "nvim";
   
+  # TODO
   time.timeZone = "Europe/Berlin";
 
+  # Firewall base config:
+  networking.firewall.enable = lib.mkDefault true;
+  networking.firewall.allowPing = true;
+  # SSH:
   services.openssh = {
 	enable = true;
 	settings = {
@@ -16,7 +21,9 @@
 	};
 	openFirewall = true;
   };
-  # Disable password checking for wheel group users so we can solely rely on ssh keys
+
+  # Disable password checking for wheel group users so we can rely on ssh keys.
+  # WARNING: This has an security impact!
   security.sudo.wheelNeedsPassword = false;
 
    environment.systemPackages = with pkgs; [
@@ -27,4 +34,10 @@
     curl
     htop
   ];
+
+  nix.gc = {
+    automatic = true;
+    persistent = true;
+    options = "--delete-older-than 8d";
+  };
 }

modules/users/lyn/default.nix

@@ -1,4 +1,4 @@
-{lib,pkgs, config, ...}:{
+{lib,pkgs, config, cfg, ...}:{
     imports = [
 	./ssh.nix
     ];