-{ inputs, pkgs, lib, config, hostName, ... }:
-let
- inherit (config.security) gnupg;
- inherit (config.users) users;
-in
+{ pkgs, lib, config, ... }:
{
-imports = [
- ../../members/julm.nix
-];
+ imports = [
+ users/julm.nix
+ users/sevy.nix
+ ];
-nixpkgs.config.allowUnfree = true; # for hplip
-nix.trustedUsers = [
- users."julm".name
-];
-
-users = {
- mutableUsers = false;
- users = {
- root = {
- openssh.authorizedKeys.keys =
- users."julm".openssh.authorizedKeys.keys;
- hashedPassword = "!";
- };
- gnupg = {
- openssh.authorizedKeys.keys =
- users."root".openssh.authorizedKeys.keys;
- };
- julm = {
- openssh.authorizedKeys.keys = [
- ];
- };
- sevy = {
- openssh.authorizedKeys.keys = [
- (lib.readFile (inputs.secrets + "/members/ssh/sevy-patate.pub"))
- (lib.readFile (inputs.secrets + "/members/ssh/julm-carotte.pub"))
- ];
- isNormalUser = true;
- uid = 1001;
- };
- };
- groups = {
- adbusers.members = [
- users."julm".name
- ];
- dialout.members = [
- users."julm".name
- ];
- tor.members = [
- users."julm".name
- ];
- wheel.members = [
- users."julm".name
- ];
- gpg-agent.members = [
- users."julm".name
- ];
- };
-};
-
-#security.gnupg.secrets."/root/.ssh/id_ed25519" = {
-# gpg = "${gnupg.store}/ssh/root.ssh-ed25519.gpg";
-#};
-
-networking.nftables.ruleset = lib.concatMapStringsSep "\n"
- (rule: "add rule inet filter fw2net meta skuid ${users.julm.name} " + rule) [
- ''tcp dport {25,465} counter accept comment "SMTP"''
- ''tcp dport 43 counter accept comment "Whois"''
- ''tcp dport 993 counter accept comment "IMAPS"''
- ''tcp dport 6697 counter accept comment "IRCS"''
- ''tcp dport 2222 counter accept comment "SSH(boot)"''
- ''tcp dport 5222 counter accept comment "XMPP"''
- ''tcp dport 11371 counter accept comment "HKP"''
- ''tcp dport {9009,9010,9011,9012,9013} counter accept comment "croc"''
- ''udp dport 33434-33523 counter accept comment "traceroute"''
- ''udp dport 60000-61000 counter accept comment "Mosh"''
- #''ip protocol tcp counter accept comment "all"''
-];
+ users.mutableUsers = false;
+ users.users.root.hashedPassword = "!";
}