Set up a minimal initial config.

2024-12-17 15:26:10 -05:00
parent 48f700b803
commit 6953cdb81f
8 changed files with 455 additions and 0 deletions
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -0,0 +1,177 @@
+{ config, lib, pkgs, pkgs-unstable, ... }:
+
+{
+  imports =
+    [
+      ./hosts/odo
+      "${builtins.fetchTarball {url="https://github.com/nix-community/disko/archive/refs/tags/v1.9.0.tar.gz";sha256="0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388";}}/module.nix"
+      ./boot.nix
+      ./zfs.nix
+      ./network.nix
+    ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  users.mutableUsers = false;
+  users.users.talexander = {
+    isNormalUser = true;
+    createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
+    extraGroups = [ "wheel" ];
+    packages = with pkgs; [
+      tree
+    ];
+    # Generate with `mkpasswd -m scrypt`
+    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
+    ];
+  };
+
+  # Automatic garbage collection
+  nix.gc = {
+    # Runs nix-collect-garbage --delete-older-than 5d
+    automatic = true;
+    randomizedDelaySec = "14m";
+    options = "--delete-older-than 5d";
+  };
+
+  # Use doas instead of sudo
+  security.doas.enable = true;
+  security.doas.wheelNeedsPassword = false;
+  security.sudo.enable = false;
+  security.doas.extraRules = [{
+    # Retain environment (for example NIX_PATH)
+    keepEnv = true;
+    persist = true;  # Only ask for a password the first time.
+  }];
+
+  # Do not use default packages (nixos includes some defaults like nano)
+  environment.defaultPackages = lib.mkForce [];
+
+  environment.systemPackages = with pkgs; [
+    git
+    wget
+    mg
+    rsync
+    libinput
+    htop
+    tmux
+    file
+    usbutils # for lsusb
+    pciutils # for lspci
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+    hostKeys = [
+      {
+        path = "/persist/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  networking.firewall.allowedUDPPorts = [ ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Check what will be lost with `zfs diff zroot/linux/root@blank`
+  boot.initrd.systemd.enable = lib.mkDefault true;
+  boot.initrd.systemd.services.zfs-rollback = {
+    description = "Rollback ZFS root dataset to blank snapshot";
+    wantedBy = [
+      "initrd.target"
+    ];
+    after = [
+      "zfs-import-zroot.service"
+    ];
+    before = [
+      "sysroot.mount"
+    ];
+    path = with pkgs; [
+      zfs
+    ];
+    unitConfig.DefaultDependencies = "no";
+    serviceConfig.Type = "oneshot";
+    script = ''
+      zfs rollback -r zroot/linux/root@blank
+      zfs rollback -r zroot/linux/home@blank
+      echo "rollback complete"
+    '';
+  };
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/etc/nixos" # Contains system configuration, optional
+      "/etc/NetworkManager/system-connections" # Wifi settings
+      "/var/lib/iwd" # Wifi settings
+      "/var/lib/nixos" # Contains user information (uids/gids)
+    ];
+    files = [
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+    # users.talexander = {
+    #   directories = [];
+    #   files = [];
+    # };
+  };
+
+  # Write a list of the currently installed packages to /etc/current-system-packages
+  environment.etc."current-system-packages".text =
+    let
+      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
+      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+      formatted = builtins.concatStringsSep "\n" sortedUnique;
+    in
+      formatted;
+
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     nix = pkgs-unstable.nix;
+  #   })
+  # ];
+
+
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}