hosts/aubergine.nix

   1 {
   2   config,
   3   pkgs,
   4   lib,
   5   inputs,
   6   ...
   7 }:
   8 {
   9   imports = [
  10     ../nixos/profiles/router.nix
  11     #../nixos/profiles/debug.nix
  12     ../nixos/profiles/lang-fr.nix
  13     #../nixos/profiles/tor.nix
  14     ../nixos/profiles/networking/remote.nix
  15     ../nixos/profiles/home.nix
  16     aubergine/anki.nix
  17     aubergine/apc.nix
  18     aubergine/backup.nix
  19     aubergine/hardware.nix
  20     aubergine/nebula.nix
  21     aubergine/networking.nix
  22     aubergine/nginx.nix
  23     aubergine/pixiecore.nix
  24     aubergine/printing.nix
  25     aubergine/sftp.nix
  26   ];
  27
  28   # Lower kernel's security for better performances
  29   security.kernel.mitigations = "off";
  30
  31   home-manager.users.julm = {
  32     imports = [ ../homes/julm.nix ];
  33   };
  34   users = {
  35     users.julm = {
  36       isNormalUser = true;
  37       uid = 1000;
  38       # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
  39       # which is already world readable.
  40       # printf %s $(mkpasswd -m yescrypt)
  41       hashedPassword = lib.readFile aubergine/users/julm/login/hashedPassword.clear;
  42       extraGroups = [
  43         "adbusers"
  44         "audio"
  45         "dialout"
  46         "networkmanager"
  47         "tor"
  48         "video"
  49         "wheel"
  50         "wireshark"
  51       ];
  52       createHome = true;
  53       openssh.authorizedKeys.keys = map lib.readFile [
  54         ../users/julm/ssh/losurdo.pub
  55         ../users/julm/ssh/nan2gua1.pub
  56         ../users/julm/ssh/oignon.pub
  57         ../users/julm/ssh/pumpkin.pub
  58         ../users/julm/ssh/redmi.pub
  59         ../users/root/ssh/losurdo.pub
  60       ];
  61     };
  62     users.root = {
  63       hashedPassword = "!";
  64       openssh.authorizedKeys.keys = config.users.users.julm.openssh.authorizedKeys.keys;
  65     };
  66     users.sevy = {
  67       isNormalUser = true;
  68       uid = 1001;
  69       hashedPassword = "!";
  70       extraGroups = [
  71       ];
  72       createHome = true;
  73       openssh.authorizedKeys.keys = map lib.readFile [
  74         ../users/sevy/ssh/patate.pub
  75       ];
  76     };
  77   };
  78
  79   #systemd.services.nix-daemon.serviceConfig.LoadCredentialEncrypted =
  80   #  "secret-key-files:" + aubergine/nix/secret-key-files;
  81   nix = {
  82     extraOptions = ''
  83       #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
  84     '';
  85     settings = {
  86       substituters = [
  87         #"http://nix-localcache.losurdo.wg"
  88         #"ssh://nix-ssh@losurdo.wg?priority=30"
  89         #"ssh://nix-ssh@oignon.wg?priority=30"
  90       ];
  91       trusted-public-keys = map lib.readFile [
  92         #../users/root/nix/oignon.pub
  93         #../users/root/nix/pumpkin.pub
  94       ];
  95     };
  96   };
  97   #environment.etc."nixpkgs".source = pkgs.path;
  98   #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
  99
 100   nix.settings.allowed-users = [ config.users.users."nix-ssh".name ];
 101   nix.sshServe = {
 102     enable = true;
 103     keys = map lib.readFile [
 104       ../users/julm/ssh/losurdo.pub
 105       ../users/sevy/ssh/patate.pub
 106       ../users/julm/ssh/oignon.pub
 107       ../users/julm/ssh/pumpkin.pub
 108     ];
 109   };
 110
 111   environment.systemPackages = [
 112   ];
 113
 114   boot.extraModulePackages = [
 115     #config.boot.kernelPackages.v4l2loopback
 116   ];
 117
 118   # This value determines the NixOS release with which your system is to be
 119   # compatible, in order to avoid breaking some software such as database
 120   # servers. You should change this only after NixOS release notes say you should.
 121   system.stateVersion = "22.11"; # Did you read the comment?
 122 }