diff options
| author | Griffin Smith <grfn@gws.fyi> | 2020-09-30T03·42-0400 |
|---|---|---|
| committer | glittershark <grfn@gws.fyi> | 2020-09-30T03·49+0000 |
| commit | 3fc1143a04da49a92c3663813c6a0c1e8ccd477f (patch) | |
| tree | c663dd489e4e0e1b2b090bf103865e3cee865c98 /users/glittershark/system/system/machines/mugwump.nix | |
| parent | 734d07b864df7ef8293a73266ed5bee76b9d523f (diff) | |
feat(gs/system): Init mugwump r/1831
Init the config for mugwump, a NUC that I bought from ncl and which I'm going to use as a simple home server and ssh bastion box. Since this is the first time I've set up a server using my nixos config, this also moves a bunch of desktop (xserver, audio, etc.) related config out of modules/common.nix and into a new modules/desktop.nix. Coming soon: nixos-rebuild switch --target, but in the depot! Change-Id: I67bd5ba6e3c26f80f77058af186fd41cc245d5d2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2016 Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
Diffstat (limited to 'users/glittershark/system/system/machines/mugwump.nix')
| -rw-r--r-- | users/glittershark/system/system/machines/mugwump.nix | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/users/glittershark/system/system/machines/mugwump.nix b/users/glittershark/system/system/machines/mugwump.nix new file mode 100644 index 0000000000..9521f57884 --- /dev/null +++ b/users/glittershark/system/system/machines/mugwump.nix @@ -0,0 +1,74 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ + ../modules/common.nix + ../modules/tvl.nix + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + networking.hostName = "mugwump"; + + boot = { + loader.systemd-boot.enable = true; + + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + + initrd = { + availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; + kernelModules = [ + "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" + ]; + + postDeviceCommands = pkgs.lib.mkBefore '' + mkdir -m 0755 -p /key + sleep 2 + mount -n -t vfat -o ro `findfs UUID=9048-A9D5` /key + ''; + + luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/803a9028-339c-4617-a213-4fe138161f6d"; + keyFile = "/key/keyfile"; + preLVM = false; + }; + }; + }; + + fileSystems = { + "/" = { + device = "/dev/mapper/cryptroot"; + fsType = "btrfs"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/7D74-0E4B"; + fsType = "vfat"; + }; + }; + + networking.interfaces = { + enp0s25.useDHCP = false; + wlp2s0.useDHCP = false; + }; + + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ 22 ]; + + security.sudo.extraRules = [{ + groups = ["wheel"]; + commands = [{ command = "ALL"; options = ["NOPASSWD"]; }]; + }]; + + services.fail2ban = { + enable = true; + ignoreIP = [ + "172.16.0.0/16" + ]; + }; + + services.openssh = { + allowSFTP = false; + passwordAuthentication = false; + permitRootLogin = "no"; + }; +} |