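{ pkgs
, ...
}:
let
  # Directory of public keys, one file per key, kept next to this module.
  keyDir = ../authorized_keys;

  # Contents of every entry in keyDir as a list of strings, one per file.
  # builtins.readDir lists the entries (sorted by name) and each one is read
  # at evaluation time; each string is the raw file contents, trailing
  # newline included.  A subdirectory in keyDir would make builtins.readFile
  # fail at evaluation, which is the loud failure we want rather than a key
  # silently going missing.
  readAuthorizedKeys =
    let
      fileNames = builtins.attrNames (builtins.readDir keyDir);
      readKey = file: builtins.readFile (keyDir + "/${file}");
    in
    map readKey fileNames;
in
{
  # Networking configuration
  networking = {
    # Hetzner recursive nameservers
    nameservers = [
      "185.12.64.1" # Hetzner DNS 1
      "185.12.64.2" # Hetzner DNS 2
    ];
    firewall = {
      enable = true;
      # Ports open to the public internet.  SSH stays reachable here so a
      # broken WireGuard tunnel cannot lock you out; password and root logins
      # are disabled below, so only holders of a listed key can log in.
      allowedTCPPorts = [ 80 443 22 ];
      # Once the WireGuard network is known to work, drop 22 from the public
      # list above and open it on the tunnel interface only:
      # interfaces."wg0".allowedTCPPorts = [
      #   22
      # ];
      # Trust all traffic on the WireGuard interface
      trustedInterfaces = [ "wg0" ];
    };
  };
  # User configuration: the only login account; its keys come from keyDir.
  users.users.nix = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = readAuthorizedKeys;
  };
  # Sudo configuration: the `nix` user may run any command as root without a
  # password.  Together with key-only SSH this means possession of any key in
  # ../authorized_keys is equivalent to root on this host, so changes to that
  # directory deserve the same review as changes to this file.
  security.sudo.extraRules = [{
    users = [ "nix" ];
    commands = [{
      command = "ALL";
      options = [ "NOPASSWD" ];
    }];
  }];
  # SSH server configuration: key-based authentication only, no root login.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
    # Host key pairs sshd presents.  Listing them explicitly pins the key
    # types and paths independently of the NixOS default list; the key files
    # are generated by the service when they are missing, so nothing has to
    # be provisioned by hand (verify against the openssh module if in doubt).
    hostKeys = [
      {
        bits = 4096;
        path = "/etc/ssh/ssh_host_rsa_key";
        type = "rsa";
      }
      {
        path = "/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
    ];
  };
  # Nix daemon configuration: flakes and the new CLI.  experimental-features
  # lives in `settings` (rather than free-form extraOptions) so that another
  # module setting the same option merges with this list instead of emitting
  # a duplicate nix.conf line.
  nix = {
    package = pkgs.nixVersions.stable;
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      # Trusted users may override daemon settings such as substituters and
      # sandboxing, which is effectively root; @wheel already has root via
      # sudo above, so this grants nothing new.
      trusted-users = [ "root" "@wheel" ];
    };
  };
  # System state version
  system.stateVersion = "24.11";
  # Swap configuration
  swapDevices = [{
    device = "/swapfile";
    # Size in MiB: 8 GiB is 8192, not the previous 8196.  Changing the size
    # is expected to recreate the swapfile on the next activation.
    size = 8192;
  }];
  # mdadm complains at boot when no MAILADDR is configured (presumably this
  # host uses software RAID); deliver its mail to the local root mailbox.
  boot.swraid.mdadmConf = ''
    MAILADDR root@localhost
  '';
  # System packages
  environment.systemPackages = with pkgs; [
    vim
    git
    wireguard-tools
    sops
  ];
}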