hosts/losurdo/users.nix

   1 { inputs, pkgs, lib, config, hostName, ... }:
   2 let
   3   inherit (config.security) gnupg;
   4   inherit (config.users) users;
   5 in
   6 {
   7 imports = [
   8   ../../members/julm.nix
   9 ];
  10
  11 nixpkgs.config.allowUnfree = true; # for hplip
  12 nix.trustedUsers = [
  13   users."julm".name
  14 ];
  15
  16 users = {
  17   mutableUsers = false;
  18   users = {
  19     root = {
  20       openssh.authorizedKeys.keys =
  21         users."julm".openssh.authorizedKeys.keys;
  22       hashedPassword = "!";
  23     };
  24     gnupg = {
  25       openssh.authorizedKeys.keys =
  26         users."root".openssh.authorizedKeys.keys;
  27     };
  28     julm = {
  29       openssh.authorizedKeys.keys = [
  30       ];
  31     };
  32     sevy = {
  33       openssh.authorizedKeys.keys = [
  34         (lib.readFile (inputs.secrets + "/members/ssh/sevy-patate.pub"))
  35         (lib.readFile (inputs.secrets + "/members/ssh/julm-carotte.pub"))
  36       ];
  37       isNormalUser = true;
  38       uid = 1001;
  39     };
  40   };
  41   groups = {
  42     adbusers.members = [
  43       users."julm".name
  44     ];
  45     dialout.members = [
  46       users."julm".name
  47     ];
  48     tor.members = [
  49       users."julm".name
  50     ];
  51     wheel.members = [
  52       users."julm".name
  53     ];
  54     gpg-agent.members = [
  55       users."julm".name
  56     ];
  57   };
  58 };
  59
  60 #security.gnupg.secrets."/root/.ssh/id_ed25519" = {
  61 #  gpg = "${gnupg.store}/ssh/root.ssh-ed25519.gpg";
  62 #};
  63
  64 networking.nftables.ruleset = lib.concatMapStringsSep "\n"
  65   (rule: "add rule inet filter fw2net meta skuid ${users.julm.name} " + rule) [
  66   ''tcp dport {25,465} counter accept comment "SMTP"''
  67   ''tcp dport 43 counter accept comment "Whois"''
  68   ''tcp dport 993 counter accept comment "IMAPS"''
  69   ''tcp dport 6697 counter accept comment "IRCS"''
  70   ''tcp dport 2222 counter accept comment "SSH(boot)"''
  71   ''tcp dport 5222 counter accept comment "XMPP"''
  72   ''tcp dport 11371 counter accept comment "HKP"''
  73   ''tcp dport {9009,9010,9011,9012,9013} counter accept comment "croc"''
  74   ''udp dport 33434-33523 counter accept comment "traceroute"''
  75   ''udp dport 60000-61000 counter accept comment "Mosh"''
  76   #''ip protocol tcp counter accept comment "all"''
  77 ];
  78 }