# NixOS host configuration for "supernova": UEFI/systemd-boot machine with a
# hardened kernel, secure boot, and full-disk encryption that is unlocked
# remotely over an SSH server running inside the initrd.
{ config, pkgs, lib, inputs, ... }:
with config.lyn.lib;
{
  imports = [
    ./hardware-configuration.nix
    ./../../users/lyn
  ];

  system.stateVersion = "24.05";

  # Project-local option namespace (defined outside this file).
  lyn = {
    kernel = {
      latest.enable = true;
      # Kernel hardening
      hardened.enable = true;
    };
    profiles = {
      base.enable = true;
      # Secure boot
      secureboot.enable = true;
    };
  };

  networking = {
    hostName = "supernova";
    useDHCP = true;

    # NOTE(review): these firewall settings are for the booted system;
    # confirm separately what is reachable while the initrd is waiting
    # for the disk passphrase.
    firewall = {
      enable = true;
      allowPing = true;
    };
  };

  boot = {
    # Use UEFI
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
      # Short boot-menu timeout (part of the FDE setup in the original file).
      timeout = 2;
    };

    # Ask the kernel to configure networking via DHCP early in boot, so the
    # initrd SSH server below is reachable.
    kernelParams = [ "ip=dhcp" ];

    ################################
    ## FDE: remote unlock via SSH ##
    ################################
    initrd = {
      # NIC driver made available in the initrd; without it there is no
      # network before the root filesystem is unlocked.
      availableKernelModules = [ "r8169" ];

      # root's "shell" in the initrd is the password agent, so an SSH login
      # lands on the passphrase prompt instead of an interactive shell.
      systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";

      # The private host key is copied into the initrd. The initrd has to be
      # readable before the disk is decrypted, so treat this key as exposed
      # to anyone with access to the boot partition: keep it dedicated to
      # the initrd and never reuse the system's regular SSH host key here.
      # NOTE(review): this entry looks redundant with `hostKeys` below,
      # which presumably registers the key as an initrd secret too - confirm.
      secrets = {
        "/root/initrd-ssh-key" = "/root/initrd-ssh-key";
      };

      network = {
        enable = true;

        ssh = {
          enable = true;
          # Separate port from the regular sshd, which also keeps the two
          # different host keys apart in clients' known_hosts.
          port = 2222;
          hostKeys = [ /root/initrd-ssh-key ];

          # Accept the SSH keys of every user in the wheel group. Anyone
          # holding one of these keys can reach the disk-unlock prompt, so
          # adding a user to wheel also widens pre-boot access. To pin the
          # set explicitly, list keys by hand instead:
          # authorizedKeys = [ "ssh-rsa ..." ];
          authorizedKeys = lib.concatMap
            (user:
              lib.optionals
                (lib.elem "wheel" user.extraGroups)
                user.openssh.authorizedKeys.keys)
            (lib.attrValues config.users.users);
        };
      };
    };
  };
}