{ config, lib, pkgs, ... }@args:

let
  # The hardware-token keys are authorized for both root and leah; keeping
  # them in one list means the two accounts cannot silently drift apart.
  tokenKeys = [
    # yubikey gpg
    "ssh-rsa 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 cardno:6445161"
    # ipad gpg
    "ssh-rsa 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 (none)"
  ];

  # True when either a v6 or v4 primary address is configured for this host.
  hasPrimaryAddress =
    config.networking.primaryIP != "" || config.networking.primaryIP4 != "";
in
{
  imports = [
    ./services
    ./programs
    ./bluetooth.nix
    ./fonts.nix
    ./mobile-device.nix
  ];

  # Host identity: the attribute name in the fleet becomes the hostname.
  networking.hostName = lib.mkDefault args.name;
  networking.domain = lib.mkDefault "ctu.cx";

  # Deployment defaults (presumably colmena's `deployment.*` options); each
  # host may override them. The target port follows the sshd port list below.
  deployment = {
    buildOnTarget = lib.mkDefault false;
    targetUser = lib.mkDefault "root";
    targetHost = lib.mkDefault config.networking.fqdn;
    targetPort = lib.mkDefault (lib.head config.services.openssh.ports);
  };

  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = [ "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" ];
  };

  nix = {
    settings = {
      # Trusted users may override daemon settings such as substituters and
      # public keys, which is effectively root-equivalent; this ties that
      # privilege to wheel membership, so keep wheel small.
      trusted-users = [ "@wheel" ];
      auto-optimise-store = true;
    };
    optimise = {
      automatic = lib.mkDefault true;
      dates = [ "12:00" "15:00" "18:00" "21:00" ];
    };
    gc = {
      automatic = lib.mkDefault true;
      dates = "18:00";
      options = "--delete-older-than 3d";
    };
  };

  # Mail on nginx unit failure; the email-notify@ template unit is expected
  # to come from one of the imported modules (./services, presumably).
  systemd.services.nginx.onFailure = [ "email-notify@%i.service" ];

  services = {
    timesyncd.enable = true;
    fstrim.enable = true;
    vnstat.enable = true;
    # Traffic graphs only make sense on hosts with a primary address.
    vnstati.enable = lib.mkDefault hasPrimaryAddress;

    # Cap the persistent journal so log growth cannot fill the disk.
    journald.extraConfig = "SystemMaxUse=1G";

    nginx = {
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # access_log off: no per-request log is kept on these hosts, so only
      # the error log is available when investigating an incident.
      commonHttpConfig = ''
        server_names_hash_bucket_size 64;
        charset utf-8;
        access_log off;
      '';
      # Catch-all vhost: requests for unknown names land here, and TLS
      # handshakes for them are rejected instead of being answered with
      # another site's certificate.
      virtualHosts.default = {
        default = true;
        rejectSSL = true;
      };
    };

    openssh = {
      enable = true;
      startWhenNeeded = true;
      ports = [ 22 ];
      # Remove stale forwarded Unix-socket files before binding new ones.
      extraConfig = "StreamLocalBindUnlink yes";
      settings = {
        # Key-only logins for everyone; root additionally stays reachable
        # for deployment (without-password is the older spelling of
        # prohibit-password, same effect).
        PasswordAuthentication = false;
        PermitRootLogin = "without-password";
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "letsencrypt@ctu.cx";
  };

  # Declarative accounts only: nothing changed via passwd/useradd survives a
  # rebuild, and the password hash is provided by an age-encrypted secret.
  age.secrets.leah-systempassword.file = ../../secrets/passwords/leah.age;
  users.mutableUsers = false;

  users.users = {
    root.openssh.authorizedKeys.keys = tokenKeys;

    leah = {
      isNormalUser = true;
      hashedPasswordFile = config.age.secrets.leah-systempassword.path;
      extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
      openssh.authorizedKeys.keys = tokenKeys ++ [
        # iphone
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuteK6BuIa8mgihSaTcsKFKrmhSb2gR8X38hJnso5Vq Shortcuts on ctucx.iPhone"
      ];
    };
  };

  home-manager.users.leah.home.language = {
    "base" = "en_US.UTF-8";
    "time" = "de_DE.utf8";
    "address" = "de_DE.utf8";
    "monetary" = "de_DE.utf8";
    "paper" = "de_DE.utf8";
  };
}