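# Base NixOS module shared by hosts: sops secrets, nix daemon settings,
# SSH access, sudo policy, baseline packages, encrypted DNS and store GC.
# Arguments are the standard NixOS module arguments; `config.pkgsInstances`
# is a project-defined option, not part of upstream NixOS.
{ lib, config, pkgs, ... }:
{
  lyn.sops = {
    enable = true;
    # Initialize mesh VPN secret.
    secrets."all/meshnetwork/gossip_secret" = {}; # TODO
  };

  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
    # Use the lix daemon from the project's unstable package instance.
    package = config.pkgsInstances.unstable.lix;
    # Keep the store from growing without bound.
    gc = {
      automatic = true;
      persistent = true;
      options = "--delete-older-than 8d";
    };
  };

  nixpkgs.config.allowUnfree = true;

  environment = {
    variables.EDITOR = "nvim";
    systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.neovim
      pkgs.wget
      pkgs.curl
      pkgs.htop
    ];
  };

  time.timeZone = "Europe/Berlin";

  networking = {
    # Firewall base config; mkDefault lets a host module override it.
    firewall = {
      enable = lib.mkDefault true;
      allowPing = true;
    };
    # Resolve only through the local dnscrypt-proxy listener.
    nameservers = [ "127.0.0.1" "::1" ];
  };

  services = {
    # SSH: key-based auth only (no passwords, no keyboard-interactive).
    openssh = {
      enable = true;
      openFirewall = true;
      settings = {
        X11Forwarding = true;
        # Root may log in with a key only. "yes" would additionally permit a
        # root password login should PasswordAuthentication ever be re-enabled
        # by another module; prohibit-password keeps the intent explicit.
        PermitRootLogin = "prohibit-password";
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };

    # Use encrypted Quad9 DNS via dnscrypt-proxy.
    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        ipv6_servers = true;
        require_dnssec = true;
        sources.public-resolvers = {
          urls = [
            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
          ];
          cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
          # Signature key for the resolver list fetched from the urls above.
          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        };
        # You can choose a specific set of servers from
        # https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
        server_names = [ "quad9-dnscrypt-ip4-nofilter-pri" "quad9-dnscrypt-ip6-nofilter-pri" ];
      };
    };
  };

  systemd.services.dnscrypt-proxy2.serviceConfig = {
    # NOTE(review): this maps to /var/lib/dnscrypt-proxy, while cache_file
    # above points at /var/lib/dnscrypt-proxy2 — confirm the service can write
    # the cache path under its sandbox, or align the two directories.
    StateDirectory = "dnscrypt-proxy";
  };

  # Disable password checking for wheel group users so we can rely on ssh keys.
  # WARNING: This has a security impact!
  security.sudo.wheelNeedsPassword = false;
}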