authorV <v@unfathomable.blue>2021-06-09 15:43:16 +0200
committerV <v@unfathomable.blue>2021-08-17 03:09:34 +0200
commitec0965e2672899d25a5a3a8c072de3ea734076a2 (patch)
treeddf53e6cc5ae47fa1a925f7a7d6414ba03718a84 /fleet/configuration.nix
parentdb7c54f92f386a94db8af7a12626d2657b4dd640 (diff)
fleet: init
Co-authored-by: edef <edef@unfathomable.blue>
Change-Id: I36d2c4cca542ed91630b1b832f3c7a7b97b33c65
Diffstat (limited to 'fleet/configuration.nix')
-rw-r--r--fleet/configuration.nix141
1 files changed, 141 insertions, 0 deletions
diff --git a/fleet/configuration.nix b/fleet/configuration.nix
new file mode 100644
index 0000000..2ba819a
--- /dev/null
+++ b/fleet/configuration.nix
@@ -0,0 +1,141 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-FileCopyrightText: edef <edef@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, pkgs, modulesPath, ... }:
+
+with lib;
+
+let
+  host = fileContents /etc/hostname;
+  # commit = commitIdFromGitRepo ./.git;
+in {
+  imports = [
+    "${modulesPath}/profiles/qemu-guest.nix"
+    (./hosts + "/${host}")
+  ] ++ mapAttrsToList (module: _: ./modules + "/${module}") (builtins.readDir ./modules);
+
+  nixpkgs.overlays = [ (import ./pkgs/overlay.nix) ];
+
+  system.stateVersion = "20.09";
+
+
+  ### Startup
+
+  boot.loader.grub.device = "/dev/sda";
+
+  boot.initrd = {
+    availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+
+    luks.devices.rpool = {
+      device = "/dev/sda3";
+      allowDiscards = true;
+    };
+
+    network.enable = true;
+
+    network.ssh = {
+      enable = true;
+      port = 798;  # Random unassigned port in the range [1, 1024]
+      hostKeys = [ "/etc/initrd/ssh_host_ed25519_key" ];
+    };
+  };
+
+
+  ### Filesystems
+
+  # Come on, why isn't this the default?
+  boot.tmpOnTmpfs = true;
+
+  # Required by ZFS, but redundant on a single-pathed system.
+  networking.hostId = "00000000";
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/sda2";
+      fsType = "ext2";
+    };
+
+    "/" = {
+      device = "rpool/root";
+      fsType = "zfs";
+
+      # Extracted from the strace output of `zfs mount -a`
+      # NOTE: the pool is configured with `zfs set setuid=off rpool`
+      # TODO(V): come up with a less ugly solution
+      options = [ "defaults" "atime" "strictatime" "dev" "exec" "rw" "nosuid" "nomand" "zfsutil" ];
+    };
+  };
+
+
+  ### Networking
+
+  networking.useNetworkd = true;
+
+  networking.hostName = host;
+  networking.domain = "unfathomable.blue";
+
+  # Misnomer, actually enables DHCP for all unmanaged interfaces.
+  # It's also incompatible with systemd-networkd.
+  networking.useDHCP = false;
+
+  networking.interfaces.ens3.useDHCP = true;
+
+  # This is exceedingly spammy, and not so useful for an Internet-facing machine.
+  networking.firewall.logRefusedConnections = false;
+
+
+  ### Security + privacy
+
+  security.sudo.enable = false;
+
+
+  ### System services
+
+  system.autoUpgrade.enable = true;
+
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
+    # TODO(V): Route exclusively over WireGuard, if you dare
+  };
+
+
+  ### Programs + user services
+
+  programs.fish.enable = true;
+  programs.mosh.enable = true;
+  programs.mtr.enable = true;
+
+
+  ### Environment
+
+  time.timeZone = "UTC";
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+    extraLocaleSettings.LC_COLLATE = "C";
+  };
+
+  # TODO(V): Switch to https://github.com/NixOS/nixpkgs/pull/101127 once it's been merged and made its way into stable.
+  users.defaultUserShell = pkgs.fish;
+  environment.variables.EDITOR = "kak";
+
+  environment.systemPackages = with pkgs; [
+    kakoune
+    tree
+    htop
+    ldns
+  ];
+
+
+  ### Users
+
+  users.mutableUsers = false;
+
+  # This is here so we can `git push` directly to /etc/nixos.
+  # It should be removed if we stop using that workflow.
+  users.users.root.packages = [ pkgs.git ];
+}
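Review bot: The initrd SSH host key named in `hostKeys = [ "/etc/initrd/ssh_host_ed25519_key" ]` ends up inside the initrd, which lives on the unencrypted ext2 `/boot` at `/dev/sda2`, so anyone able to read the disk image (presumably including the hypervisor operator, given the qemu-guest profile) can impersonate the unlock prompt and capture the LUKS passphrase; that is inherent to remote unlock, but the file should say so, e.g. above `hostKeys`: `# Embedded in the initrd on unencrypted /boot: pin this fingerprint out of band and never reuse it for the main sshd.` `allowDiscards = true` on `luks.devices.rpool` likewise deserves one line, since passing TRIM through LUKS reveals the free-space layout to a disk-level observer: `# Leaks which sectors are unused to anyone with disk access; accepted trade-off.` Because the `git push` workflow noted at the bottom relies on root logging in over SSH, consider stating the intent explicitly in `services.openssh` with `permitRootLogin = "prohibit-password";` rather than depending on the module default. The comment on `networking.hostId = "00000000"` should also note that ZFS uses the hostid to refuse importing a pool last used elsewhere, so an all-zero value is only safe while the pool never leaves this machine.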