54 lines
1.7 KiB
Nix
54 lines
1.7 KiB
Nix
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
|
|
imports =
|
|
[
|
|
./hardware-configuration.nix
|
|
./virtualization.nix
|
|
];
|
|
lyn.kernel.latest.enable = true;
|
|
lyn.profiles.base.enable = true;
|
|
lyn.users.lyn.enable = true;
|
|
networking.hostName = "supernova";
|
|
boot.loader.efi.canTouchEfiVariables = true;
|
|
|
|
# this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
|
|
boot.loader.systemd-boot.enable = true;
|
|
|
|
# Firmware updates:
|
|
services.fwupd.enable = true;
|
|
|
|
##1##3##3##7##
|
|
## Security ##
|
|
##1##3##3##7##
|
|
|
|
# Kernel hardening
|
|
lyn.kernel.hardened.enable = true;
|
|
## Don't print any errors/logs to the console
|
|
boot.consoleLogLevel = 0;
|
|
|
|
# Secure boot
|
|
lyn.profiles.secureboot.enable = true;
|
|
|
|
# FDE + initrd stuff
|
|
boot.kernelParams = [ "ip=dhcp" ];
|
|
boot.loader.timeout = 2;
|
|
boot.initrd = {
|
|
availableKernelModules = [ "r8169" ];
|
|
systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
|
|
secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};
|
|
network = {
|
|
enable = true;
|
|
ssh = {
|
|
enable = true;
|
|
port = 2222;
|
|
# WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
|
|
hostKeys = [ /root/initrd-ssh-key ];
|
|
# this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
|
|
# authorizedKeys = [ "ssh-rsa ..." ];
|
|
authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
|
|
};
|
|
};
|
|
};
|
|
|
|
|
|
system.stateVersion = "24.05";
|
|
}
|