1 { pkgs, lib, config, ... }:
3 inherit (config) networking;
4 inherit (config.security) pass;
7 # This value determines the NixOS release with which your system is to be
8 # compatible, in order to avoid breaking some software such as database servers.
9 # You should change this only after NixOS release notes say you should.
10 system.stateVersion = "19.09"; # Did you read the comment?
12 # Avoids having to wrap tmux in `systemd-run --user --scope`
13 # and lets mosh sessions work smoothly.
14 services.logind.killUserProcesses = false;
18 shellScript = lib.mkBefore ''
19 PATH="$PATH:${with pkgs; lib.makeBinPath [gnupg openssh]}"
21 gpg --decrypt '${pass.store}/root/key.pass.gpg' |
22 ssh '${config.install.target}' install -D -m 400 -o root -g root /dev/stdin /root/key.pass
26 store = ../../../sec/pass/servers/losurdo;
27 secrets."root/key" = {
30 ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
31 --homedir /root/.gnupg \
32 --passphrase-file /root/key.pass \
33 --import '${pass.secrets."root/key".path}'
34 shred -u '${pass.secrets."root/key".path}'
38 systemd.services = lib.mapAttrs' (target: secret:
39 lib.nameValuePair (lib.removeSuffix ".service" secret.service)
40 (lib.optionalAttrs (target != "root/key") {
41 after = [ pass.secrets."root/key".service ];
42 wants = [ pass.secrets."root/key".service ];
46 services.unbound.enable = true; # run the unbound DNS resolver service on this host
48 environment.systemPackages = with pkgs; [
63 #iptables-nftables-compat