{ lib, pkgs, modulesPath, inputs, ... }: { imports = [ inputs.disko.nixosModules.disko ../common/disks/std-disk-config.nix # Import core options ./hardware-configuration.nix ../common/core # Import optional options # ../common/optional/openssh # Create users for this host ../common/users/admin ]; # #virtualisation.virtualbox.guest.enable = true; # virtualisation.libvirtd = { # qemu = { # package = pkgs.qemu_kvm; # only emulates host arch, smaller download # swtpm.enable = true; # allows for creating emulated TPM # ovmf.packages = [(pkgs.OVMF.override { # secureBoot = true; # tpmSupport = true; # }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff # }; # }; boot = { loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; timeout = 3; }; }; i18n.defaultLocale = "en_GB.UTF-8"; console = { font = "Lat2-Terminus16"; keyMap = "uk"; useXkbConfig = false; }; networking = { hostName = "bootstrap"; networkmanager.enable = true; enableIPv6 = false; }; services = { qemuGuest.enable = true; openssh = { enable = true; ports = [22]; # FIXME: Make this use configVars.networking settings.PermitRootLogin = "yes"; # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611 # this mitigates the security issue caused by enabling u2fAuth in pam authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; }; }; security.pam = { sshAgentAuth.enable = true; #FIXME the above is deprecated in 24.05 but we will wait until release #sshAgentAuth.enable = true; services = { sudo.u2fAuth = true; }; }; # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config. # programs.ssh.startAgent = true; environment.systemPackages = builtins.attrValues { inherit(pkgs) wget curl git rsync; }; nix.settings.experimental-features = [ "nix-command" "flakes" ]; system.stateVersion = "23.11"; }