From ec0965e2672899d25a5a3a8c072de3ea734076a2 Mon Sep 17 00:00:00 2001
From: V
Date: Wed, 9 Jun 2021 15:43:16 +0200
Subject: fleet: init

Co-authored-by: edef
Change-Id: I36d2c4cca542ed91630b1b832f3c7a7b97b33c65
---
 fleet/configuration.nix | 141 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 fleet/configuration.nix
(limited to 'fleet/configuration.nix')
diff --git a/fleet/configuration.nix b/fleet/configuration.nix
new file mode 100644
index 0000000..2ba819a
--- /dev/null
+++ b/fleet/configuration.nix
@@ -0,0 +1,141 @@
+# SPDX-FileCopyrightText: V
+# SPDX-FileCopyrightText: edef
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, pkgs, modulesPath, ... }:
+
+with lib;
+
+let
+  host = fileContents /etc/hostname;
+  # commit = commitIdFromGitRepo ./.git;
+in {
+  imports = [
+    "${modulesPath}/profiles/qemu-guest.nix"
+    (./hosts + "/${host}")
+  ] ++ mapAttrsToList (module: _: ./modules + "/${module}") (builtins.readDir ./modules);
+
+  nixpkgs.overlays = [ (import ./pkgs/overlay.nix) ];
+
+  system.stateVersion = "20.09";
+
+
+  ### Startup
+
+  boot.loader.grub.device = "/dev/sda";
+
+  boot.initrd = {
+    availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+
+    luks.devices.rpool = {
+      device = "/dev/sda3";
+      allowDiscards = true;
+    };
+
+    network.enable = true;
+
+    network.ssh = {
+      enable = true;
+      port = 798; # Random unassigned port in the range [1, 1024]
+      hostKeys = [ "/etc/initrd/ssh_host_ed25519_key" ];
+    };
+  };
+
+
+  ### Filesystems
+
+  # Come on, why isn't this the default?
+  boot.tmpOnTmpfs = true;
+
+  # Required by ZFS, but redundant on a single-pathed system.
+  networking.hostId = "00000000";
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/sda2";
+      fsType = "ext2";
+    };
+
+    "/" = {
+      device = "rpool/root";
+      fsType = "zfs";
+
+      # Extracted from the strace output of `zfs mount -a`
+      # NOTE: the pool is configured with `zfs set setuid=off rpool`
+      # TODO(V): come up with a less ugly solution
+      options = [ "defaults" "atime" "strictatime" "dev" "exec" "rw" "nosuid" "nomand" "zfsutil" ];
+    };
+  };
+
+
+  ### Networking
+
+  networking.useNetworkd = true;
+
+  networking.hostName = host;
+  networking.domain = "unfathomable.blue";
+
+  # Misnomer, actually enables DHCP for all unmanaged interfaces.
+  # It's also incompatible with systemd-networkd.
+  networking.useDHCP = false;
+
+  networking.interfaces.ens3.useDHCP = true;
+
+  # This is exceedingly spammy, and not so useful for an Internet-facing machine.
+  networking.firewall.logRefusedConnections = false;
+
+
+  ### Security + privacy
+
+  security.sudo.enable = false;
+
+
+  ### System services
+
+  system.autoUpgrade.enable = true;
+
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
+    # TODO(V): Route exclusively over WireGuard, if you dare
+  };
+
+
+  ### Programs + user services
+
+  programs.fish.enable = true;
+  programs.mosh.enable = true;
+  programs.mtr.enable = true;
+
+
+  ### Environment
+
+  time.timeZone = "UTC";
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+    extraLocaleSettings.LC_COLLATE = "C";
+  };
+
+  # TODO(V): Switch to https://github.com/NixOS/nixpkgs/pull/101127 once it's been merged and made its way into stable.
+  users.defaultUserShell = pkgs.fish;
+  environment.variables.EDITOR = "kak";
+
+  environment.systemPackages = with pkgs; [
+    kakoune
+    tree
+    htop
+    ldns
+  ];
+
+
+  ### Users
+
+  users.mutableUsers = false;
+
+  # This is here so we can `git push` directly to /etc/nixos.
+  # It should be removed if we stop using that workflow.
+  users.users.root.packages = [ pkgs.git ];
+}
-- 
cgit 1.4.1
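Review bot: With `security.sudo.enable = false` and `users.mutableUsers = false`, root over SSH is the only administrative path this file leaves, yet the `services.openssh` block pins the two authentication toggles and leaves `permitRootLogin` at the nixpkgs default. Setting it explicitly beside them, `permitRootLogin = "prohibit-password";`, records that intent and keeps it stable if the upstream default ever changes; root's authorized keys are presumably supplied by the `./hosts` or `./modules` imports, which is worth a one-line comment here so a reader does not assume root is unreachable. Separately, the initrd SSH host key listed in `hostKeys` is copied into the initrd, which lives on the unencrypted `/boot` (`/dev/sda2`, ext2) rather than behind the LUKS layer protecting `rpool`; a comment such as `# Copied into the initrd on unencrypted /boot; clients must pin this key separately from the main sshd host key` would make that trust boundary explicit next to the `network.ssh` block.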