# NixOS host module for the host named "media" (see networking.hostName below).
# qemuGuest is enabled, so this presumably runs as a VM guest; root stays on an
# impermanent btrfs layout and only the paths listed under
# environment.persistence."/persist" are expected to survive a reboot (the exact
# wipe behaviour lives in ../common/optional/btrfs-impermanence.nix, not here).
{ inputs, config, lib, pkgs, outputs,... }: {
  imports = [
    # Disk configuration
    # disko partitioning is currently disabled; the disk layout is expected to
    # come from hardware-configuration.nix instead.
    #inputs.disko.nixosModules.disko
    #(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
    ../common/optional/btrfs-impermanence.nix
    inputs.impermanence.nixosModules.impermanence

    # Import core options
    ./hardware-configuration.nix
    ../common/core

    # Create users for this host
    ../common/users/media
  ];

  nixpkgs = {
    # Overlays come from the flake's `outputs`; unstable-packages presumably
    # exposes a newer package set next to the pinned one.
    overlays = [
      outputs.overlays.additions
      outputs.overlays.modifications
      outputs.overlays.unstable-packages
    ];
    config = {
      allowUnfree = true;
    };
  };

  # /persist must be mounted in the initrd so that the persistence bind mounts
  # below are available before the rest of the system comes up.
  fileSystems."/persist".neededForBoot = true;
  environment.persistence."/persist" = {
    hideMounts = true;
    # System state kept across reboots. /var/lib/nixos holds stable uid/gid
    # assignments; /etc/NetworkManager/system-connections holds stored network
    # credentials, so /persist itself should be treated as sensitive.
    directories = [
      "/etc/nixos"
      "/var/log"
      "/var/lib/nixos"
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
    ];
    users.media = {
      # ~/.ssh is persisted for the media user. Because authorizedKeysFiles is
      # forced to a root-owned path below, a persisted ~/.ssh/authorized_keys
      # is NOT consulted by sshd; only the user's own client keys/known_hosts
      # benefit from persistence here.
      directories = [
        "keep"
        ".ssh"
      ];
    };
  };

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
      timeout = 3;
    };
  };

  networking = {
    hostName = "media";
    networkmanager.enable = true;
    # IPv6 is disabled host-wide; any firewall or service reachability
    # assumptions below are IPv4-only as a result.
    enableIPv6 = false;
  };

  services = {
    qemuGuest.enable = true;
    openssh = {
      enable = true;
      ports = [22];
      # FIXME: Make this use configVars.networking
      # NOTE(review): "yes" also permits password-based root login on port 22.
      # Deployment here relies on ssh-agent/key auth (see security.pam and the
      # startAgent comment below), so "prohibit-password" would likely cover
      # the same workflow while refusing root passwords — confirm before
      # tightening, since a bootstrap step may still depend on it.
      settings.PermitRootLogin = "yes";
      # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
      # this mitigates the security issue caused by enabling u2fAuth in pam
      # NOTE(review): the linked issue is about pam_ssh_agent_auth
      # (sshAgentAuth below) honouring user-writable authorized_keys, which
      # would let a user satisfy sudo with a key they added themselves; forcing
      # a root-owned path closes that. The attribution to u2fAuth in the line
      # above looks mistaken — verify against the issue.
      authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
    };
  };

  security.pam = {
    # Lets a forwarded ssh-agent satisfy sudo authentication; this is the
    # option the authorizedKeysFiles hardening above exists for.
    sshAgentAuth.enable = true;
    #FIXME the above is deprecated in 24.05 but we will wait until release
    #sshAgentAuth.enable = true;
    # NOTE(review): the active line and the commented alternative are
    # identical, so this FIXME looks stale — confirm which option name the
    # pinned nixpkgs expects and drop the leftover.
    services = {
      sudo.u2fAuth = true;
    };
  };

  # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
  # programs.ssh.startAgent = true;
  environment.systemPackages = builtins.attrValues {
    inherit(pkgs) wget curl git rsync;
  };

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  system.stateVersion = "23.11";
}