{
  lib,
  pkgs,
  config,
  utils,
  inputs,
  ...
}:
{
  imports = [
    ./module.nix
    ./common-but-not.nix
    ./verify-system/nixos.nix
    ./nixos-rebuild.nix
    ./minimal-nixos.nix
  ];

  # Boolean flag consumed elsewhere in the tree (the name suggests test
  # builds); off unless a host or harness turns it on.
  options.vacu.underTest = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };

  # Map from ACME certificate name to the systemd units that depend on it.
  # Each listed unit is ordered after the cert's self-signed bootstrap unit
  # and reloaded when the real certificate is renewed (see `config` below).
  options.vacu.acmeCertDependencies = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
    default = { };
    example = ''
      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
    '';
  };

  config =
    let
      certDeps = config.vacu.acmeCertDependencies;

      # One "acme-selfsigned-<cert>" unit per certificate, wanted by and
      # ordered before the dependent units, so they never start without
      # some certificate on disk.
      selfsignedOrdering = lib.mapAttrs' (
        cert: units:
        lib.nameValuePair "acme-selfsigned-${cert}" {
          wantedBy = units;
          before = units;
        }
      ) certDeps;

      # Ask the ACME module to reload the dependent units after each renewal.
      reloadOnRenew = lib.mapAttrs (_cert: units: { reloadServices = units; }) certDeps;
    in
    {
      # olm is flagged insecure upstream and the advisory offers nothing
      # actionable; the pin is presumably still needed by nheko (per the
      # original author's note). Re-check it whenever olm is bumped.
      nixpkgs.config = {
        permittedInsecurePackages = [ "olm-3.2.16" ];
        allowUnfree = lib.mkDefault true;
      };
      # nixpkgs.overlays = [ inputs.self.overlays.default ];

      networking.hostName = config.vacu.hostName;
      console.keyMap = lib.mkDefault "us";
      i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
      time.timeZone = "America/Los_Angeles";

      # xev only makes sense where an X server is configured.
      vacu.packages."xorg-xev" = {
        enable = config.services.xserver.enable;
        package = pkgs.xorg.xev;
      };
      environment.systemPackages = config.vacu.packageList;

      # mkDefault wraps the whole attrset, so a host replaces the git config
      # as a unit rather than merging individual keys into it.
      programs.git = lib.mkDefault {
        enable = true;
        lfs.enable = true;
      };
      programs.nix-ld.enable = true;
      programs.mosh.enable = lib.mkDefault true;
      programs.tmux = {
        enable = true;
        extraConfig = "setw mouse";
        clock24 = true;
      };

      # `enable` is only set on releases other than 23.11 (presumably the
      # option is absent there); the screenrc is applied everywhere.
      programs.screen = {
        screenrc = ''
          defscrollback 10000
          termcapinfo xterm* ti@:te@
          maptimeout 5
        '';
      } // lib.optionalAttrs (config.system.nixos.release != "23.11") { enable = true; };

      system.nixos.tags = [
        "vacu${config.vacu.versionId}"
        config.vacu.hostName
      ];
      environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
      # Expose the system profile's /etc/chromium directory at /etc/chromium;
      # "/etc/chromium" is added to pathsToLink below so that path exists.
      environment.etc."chromium".source = "/run/current-system/sw/etc/chromium";

      # Primary interactive user: wheel member, key-based SSH only.
      users.users.shelvacu = {
        isNormalUser = true;
        extraGroups = [ "wheel" ];
        openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
      };

      systemd.services = selfsignedOrdering;
      security.acme.certs = reloadOnRenew;

      # Public-key authentication only: no password or keyboard-interactive
      # logins, and root may log in with a key but never a password.
      services.openssh.settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "prohibit-password";
      };

      # NOTE(review): nix trusted-users may pass arbitrary daemon settings
      # (extra substituters, keys, sandbox options), which the nix docs treat
      # as root-equivalent — keep this list to accounts that already have
      # wheel.
      nix.settings = {
        trusted-users = [ "shelvacu" ];
        experimental-features = [
          "nix-command"
          "flakes"
        ];
        # mkForce out-prioritises ordinary definitions from other modules, so
        # the substituter and signing-key lists come only from the vacu
        # settings and the extra-* lists stay empty; another mkForce elsewhere
        # would still merge in, so grep for one before trusting this.
        substituters = lib.mkForce config.vacu.nix.substituterUrls;
        extra-substituters = lib.mkForce [ ];
        trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
        extra-trusted-public-keys = lib.mkForce [ ];
      };

      # Passwordless sudo for wheel; mkDefault so a host can require a
      # password without fighting this module.
      security.sudo.wheelNeedsPassword = lib.mkDefault false;

      programs.ssh.extraConfig = config.vacu.ssh.config;
      security.pki.certificates = config.vacu.rootCAs;

      # commands.nix
      environment.pathsToLink = [
        "/share/vacufuncs"
        "/etc/chromium"
      ];
      vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
      programs.bash = {
        interactiveShellInit = config.vacu.shell.interactiveLines;
        promptInit = lib.mkForce "";
      };
    };
}