nixos/hosts/bootstrap/default.nix

{  lib, pkgs, modulesPath, inputs, ... }:
{
  imports = [
      inputs.disko.nixosModules.disko
      ../common/disks/std-disk-config.nix

      # Import core options
      ./hardware-configuration.nix
      ../common/core
      # Import optional options
#      ../common/optional/openssh

      # Create users for this host
      ../common/users/admin
  ];

#  #virtualisation.virtualbox.guest.enable = true;
#  virtualisation.libvirtd = {
#    qemu = {
#      package = pkgs.qemu_kvm; # only emulates host arch, smaller download
#      swtpm.enable = true; # allows for creating emulated TPM
#      ovmf.packages = [(pkgs.OVMF.override {
#        secureBoot = true;
#        tpmSupport = true;
#      }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff
#    };
#  };

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
      timeout = 3;
    };
  };

  i18n.defaultLocale = "en_GB.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "uk";
    useXkbConfig = false; 
  };

  networking = {
    hostName = "bootstrap";
    networkmanager.enable = true;
    enableIPv6 = false;
  };

  services = {
    qemuGuest.enable = true;
    openssh = {
      enable = true;
      ports = [22]; # FIXME: Make this use configVars.networking
      settings.PermitRootLogin = "yes";
      # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
      # this mitigates the security issue caused by enabling u2fAuth in pam
      authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
    };
  };

  security.pam = {
    sshAgentAuth.enable = true;
    #FIXME the above is deprecated in 24.05 but we will wait until release
    #sshAgentAuth.enable = true;
    services = {
      sudo.u2fAuth = true;
    };
  };

  # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
 # programs.ssh.startAgent = true;

  environment.systemPackages = builtins.attrValues {
    inherit(pkgs)
    wget
    curl
    git
    rsync;
  };


  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  system.stateVersion = "23.11";
}
update just file, revisions to bootstrap.sh 2024-05-16 16:54:21 +01:00			`{ lib, pkgs, modulesPath, inputs, ... }:`
disko config and bootstrapping 2024-05-14 14:51:09 +01:00			`{`
			`imports = [`
update just file, revisions to bootstrap.sh 2024-05-16 16:54:21 +01:00			`inputs.disko.nixosModules.disko`
			`../common/disks/std-disk-config.nix`

disko config and bootstrapping 2024-05-14 14:51:09 +01:00			`# Import core options`
			`./hardware-configuration.nix`
			`../common/core`
			`# Import optional options`
			`# ../common/optional/openssh`

			`# Create users for this host`
			`../common/users/admin`
			`];`

update just file, revisions to bootstrap.sh 2024-05-16 16:54:21 +01:00			`# #virtualisation.virtualbox.guest.enable = true;`
			`# virtualisation.libvirtd = {`
			`# qemu = {`
			`# package = pkgs.qemu_kvm; # only emulates host arch, smaller download`
			`# swtpm.enable = true; # allows for creating emulated TPM`
			`# ovmf.packages = [(pkgs.OVMF.override {`
			`# secureBoot = true;`
			`# tpmSupport = true;`
			`# }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff`
			`# };`
			`# };`

			`boot = {`
			`loader = {`
			`systemd-boot.enable = true;`
			`efi.canTouchEfiVariables = true;`
			`timeout = 3;`
disko config and bootstrapping 2024-05-14 14:51:09 +01:00			`};`
			`};`

			`i18n.defaultLocale = "en_GB.UTF-8";`
			`console = {`
			`font = "Lat2-Terminus16";`
			`keyMap = "uk";`
			`useXkbConfig = false;`
			`};`

			`networking = {`
modified networking to add correct hostname 2024-05-15 20:55:48 +01:00			`hostName = "bootstrap";`
disko config and bootstrapping 2024-05-14 14:51:09 +01:00			`networkmanager.enable = true;`
modified networking to add correct hostname 2024-05-15 20:55:48 +01:00			`enableIPv6 = false;`
disko config and bootstrapping 2024-05-14 14:51:09 +01:00			`};`

			`services = {`
			`qemuGuest.enable = true;`
			`openssh = {`
			`enable = true;`
			`ports = [22]; # FIXME: Make this use configVars.networking`
			`settings.PermitRootLogin = "yes";`
			`# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611`
			`# this mitigates the security issue caused by enabling u2fAuth in pam`
			`authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];`
			`};`
			`};`

			`security.pam = {`
			`sshAgentAuth.enable = true;`
			`#FIXME the above is deprecated in 24.05 but we will wait until release`
			`#sshAgentAuth.enable = true;`
			`services = {`
			`sudo.u2fAuth = true;`
			`};`
			`};`

			`# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.`
			`# programs.ssh.startAgent = true;`

			`environment.systemPackages = builtins.attrValues {`
			`inherit(pkgs)`
			`wget`
			`curl`
bootstrap script 2024-05-14 18:26:45 +01:00			`git`
disko config and bootstrapping 2024-05-14 14:51:09 +01:00			`rsync;`
			`};`


			`nix.settings.experimental-features = [ "nix-command" "flakes" ];`
			`system.stateVersion = "23.11";`
			`}`