prettified config

2024-10-18 23:01:33 +02:00 · 2024-10-18 23:01:33 +02:00 · c09b1e8e17
commit c09b1e8e17
parent 40b9733f57
8 changed files with 35 additions and 36 deletions
--- a/hosts/forgejo-ci/default.nix
+++ b/hosts/forgejo-ci/default.nix
@ -2,9 +2,9 @@
  imports =
    [
      ./hardware-configuration.nix
-      ./../../users/lyn
    ];
  lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
+  lyn.users.lyn.enable = true;
  lyn.kernel.latest.enable = true; 
  lyn.kernel.hardened.enable = true;
  lyn.profiles.base.enable = true;
@ -12,13 +12,9 @@
  lyn.services.forgejo-ci.enable = true;
  lyn.services.forgejo-ci.domain = "git.shibe.pro";
  lyn.services.forgejo-ci.instancename = "shibepro-ci";
-  # Use UEFI
  boot.loader.systemd-boot.enable = true;

  networking.hostName = "forgejo-ci"; # Define your hostname.

-  # Firewall stuff:
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
  system.stateVersion = "23.05"; 
 }
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
@ -1,11 +1,10 @@
 { config, pkgs, lib, inputs, ... }: {
  imports =
    [
-      ./../../users/lyn
      ./hardware-configuration.nix
    ];
  lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
-
+  lyn.users.lyn.enable = true;
  lyn.kernel.latest.enable = true;
  lyn.kernel.hardened.enable =true;
  lyn.profiles.base.enable = true;
@ -18,10 +17,6 @@
  lyn.services.forgejo.domain = "git.shibe.pro";
  networking.hostName = "forgenite"; # Define your hostname.

-  # Firewall stuff:
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
@ -30,10 +25,5 @@
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
 
-nix.gc = {
-    automatic = true;
-    persistent = true;
-    options = "--delete-older-than 8d";
-  };
 }

--- a/hosts/supernova/default.nix
+++ b/hosts/supernova/default.nix
@ -2,36 +2,31 @@
  imports =
    [
      ./hardware-configuration.nix
-      ./../../users/lyn
    ];
  lyn.kernel.latest.enable = true; 
  lyn.profiles.base.enable = true;
-  
-  networking.useDHCP = true;
-
-  # Use UEFI
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.kernelParams = [ "ip=dhcp" ]; 
-
-  # Firewall stuff:
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
+  lyn.users.lyn.enable = true;
  networking.hostName = "supernova";
-  system.stateVersion = "24.05"; 
+  boot.loader.efi.canTouchEfiVariables = true;
+  
+  # this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
+  boot.loader.systemd-boot.enable = true;
+
  # Firmware updates:
  services.fwupd.enable = true;

-  ##############
+  ##1##3##3##7##
  ## Security ##
-  ##############
+  ##1##3##3##7##
+
  # Kernel hardening
  lyn.kernel.hardened.enable = true;

  # Secure boot
  lyn.profiles.secureboot.enable = true;

-  # FDE stuff
+  # FDE + initrd stuff
+  boot.kernelParams = [ "ip=dhcp" ];
  boot.loader.timeout = 2;
  boot.initrd = {
    availableKernelModules = [ "r8169" ];
@ -42,6 +37,7 @@
    ssh = {
      enable = true;
      port = 2222;
+      # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
      hostKeys = [ /root/initrd-ssh-key ];
      # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
      # authorizedKeys = [ "ssh-rsa ..." ];
@ -49,4 +45,7 @@
    };
  };
  };
+
+  
+  system.stateVersion = "24.05";  
 }
--- a/modules/kernel/hardened.nix
+++ b/modules/kernel/hardened.nix
@ -1,6 +1,7 @@
 {lib, pkgs, config, cfg, ...}: let 
    ifApparmor = cfg.apparmor.enable; 
 in {
+	# TODO: Update this
    opt.apparmor.enable = lib.mkEnableOption "apparmor";
    boot.kernelPackages = let
 	kernel = pkgs.linux-libre;
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -5,8 +5,13 @@
  nix.package = config.pkgsInstances.unstable.lix;
  environment.variables.EDITOR = "nvim";
  
+  # TODO
  time.timeZone = "Europe/Berlin";

+  # Firewall base config:
+  networking.firewall.enable = lib.mkDefault true;
+  networking.firewall.allowPing = true;
+  # SSH:
  services.openssh = {
 	enable = true;
 	settings = {
@ -16,7 +21,9 @@
 	};
 	openFirewall = true;
  };
-  # Disable password checking for wheel group users so we can solely rely on ssh keys
+
+  # Disable password checking for wheel group users so we can rely on ssh keys.
+  # WARNING: This has an security impact!
  security.sudo.wheelNeedsPassword = false;

   environment.systemPackages = with pkgs; [
@ -27,4 +34,10 @@
    curl
    htop
  ];
+
+  nix.gc = {
+    automatic = true;
+    persistent = true;
+    options = "--delete-older-than 8d";
+  };
 }
--- a/modules/users/lyn/default.nix
+++ b/modules/users/lyn/default.nix
@ -1,4 +1,4 @@
-{lib,pkgs, config, ...}:{
+{lib,pkgs, config, cfg, ...}:{
    imports = [
 	./ssh.nix
    ];
--- a/modules/users/lyn/ssh.nix
+++ b/modules/users/lyn/ssh.nix