nixos/hosts/bootstrap/default.nix

147 lines
3.5 KiB
Nix
Raw Normal View History

2024-05-22 21:10:41 +01:00
{ inputs, config, lib, pkgs, outputs,... }:
2024-05-22 21:14:20 +01:00
let
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
2024-05-23 13:19:21 +01:00
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
hasOptinPersistence = config.environment.persistence ? "/persist";
2024-05-27 15:04:34 +01:00
# Disko setup
fsType = "btrfs";
dev = "/dev/vda";
2024-05-27 16:03:39 +01:00
encrypted = true;
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
2024-05-26 13:11:54 +01:00
in
2024-05-14 14:51:09 +01:00
{
2024-05-22 21:10:41 +01:00
imports =
2024-05-26 13:11:54 +01:00
[
2024-05-22 21:10:41 +01:00
# Disk configuration
2024-05-26 13:16:16 +01:00
inputs.sops-nix.nixosModules.sops
2024-05-27 15:04:34 +01:00
# Disk configuration
inputs.disko.nixosModules.disko
2024-05-27 15:04:34 +01:00
(import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
# Impermanence
2024-05-22 21:10:41 +01:00
inputs.impermanence.nixosModules.impermanence
2024-05-27 15:04:34 +01:00
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
2024-05-14 14:51:09 +01:00
# Import core options
./hardware-configuration.nix
2024-05-22 21:10:41 +01:00
];
2024-05-14 14:51:09 +01:00
2024-05-22 21:10:41 +01:00
nixpkgs = {
overlays = [
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
];
config = {
allowUnfree = true;
};
};
2024-05-14 14:51:09 +01:00
2024-05-22 21:10:41 +01:00
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/etc/nixos"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
];
};
2024-05-23 13:19:21 +01:00
i18n.defaultLocale = "en_GB.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "uk";
2024-05-26 13:11:54 +01:00
useXkbConfig = false;
2024-05-23 13:19:21 +01:00
};
2024-05-26 13:11:54 +01:00
2024-05-23 13:19:21 +01:00
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
2024-05-14 14:51:09 +01:00
};
};
2024-05-22 21:10:41 +01:00
users = {
mutableUsers = true;
extraUsers = {
root = {
hashedPasswordFile = sopsHashedPasswordFile;
2024-05-22 21:15:22 +01:00
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
2024-05-22 21:10:41 +01:00
};
};
2024-05-14 14:51:09 +01:00
};
networking = {
hostName = "bootstrap";
2024-05-14 14:51:09 +01:00
networkmanager.enable = true;
enableIPv6 = false;
2024-05-14 14:51:09 +01:00
};
2024-05-23 13:19:21 +01:00
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
2024-05-23 13:19:21 +01:00
};
secrets = {
"passwords/root".neededForUsers = true;
"ssh_keys/deploy_key/id_ed25519" = {
path = "/etc/ssh/deploy_key-ssh-ed25519";
};
};
};
2024-05-23 13:47:31 +01:00
environment.systemPackages = [
pkgs.rsync
pkgs.curl
pkgs.just
pkgs.git
pkgs.neovim
2024-05-26 13:11:54 +01:00
];
2024-05-23 13:47:31 +01:00
2024-05-22 21:10:41 +01:00
services.openssh = {
enable = true;
2024-05-22 21:15:58 +01:00
ports = [22];
2024-05-22 21:10:41 +01:00
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
hostKeys = [{
path = "${lib.optionalString hasOptinPersistence "/persist"}/persist/etc/ssh/ssh_host_ed25519_key";
2024-05-22 21:10:41 +01:00
type = "ed25519";
}];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "yes";
PubKeyAuthentication = "yes";
StreamLocalBindUnlink = "yes";
UsePAM = true;
2024-05-14 14:51:09 +01:00
};
};
2024-05-26 13:11:54 +01:00
programs.ssh.extraConfig = ''
2024-05-22 21:10:41 +01:00
Host git.bitlab21.com
IdentitiesOnly yes
StrictHostKeyChecking no
IdentityFile /etc/ssh/deploy_key-ssh-ed25519
2024-05-22 21:14:20 +01:00
'';
2024-05-22 21:10:41 +01:00
2024-05-14 14:51:09 +01:00
security.pam = {
sshAgentAuth.enable = true;
};
2024-05-26 13:11:54 +01:00
2024-05-22 21:14:47 +01:00
networking.firewall.allowedTCPPorts = [ 22 ];
2024-05-14 14:51:09 +01:00
2024-05-22 21:10:41 +01:00
services = {
qemuGuest.enable = true;
2024-05-14 14:51:09 +01:00
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
}