summaryrefslogtreecommitdiff
path: root/machines
diff options
context:
space:
mode:
authorBen Sima <ben@bsima.me>2021-08-31 08:58:19 -0400
committerBen Sima <ben@bsima.me>2021-08-31 08:58:33 -0400
commitd3503a13da2bdaf11adcc72bca44214960c23190 (patch)
tree5e25c969228106b353ccce69f507dd2fd4cc6c71 /machines
parent836da08a0e669c62f9e192b4e9af9e70accfe85a (diff)
stub beryllium config
Diffstat (limited to 'machines')
-rw-r--r--machines/beryllium.nix104
1 files changed, 104 insertions, 0 deletions
diff --git a/machines/beryllium.nix b/machines/beryllium.nix
new file mode 100644
index 0000000..3d0a452
--- /dev/null
+++ b/machines/beryllium.nix
@@ -0,0 +1,104 @@
+{ config, lib, pkgs, ... }:
+
+# My airgapped machine for generating and backing up security keys
+
+let
+ nixpkgs = builtins.fetchTarball (import ../nixpkgs.nix);
+in {
+
+ security.sudo.wheelNeedsPassword = false;
+ #security.pam.services."user".yubicoAuth = true;
+ #security.pam.yubico.enable = true;
+ #security.pam.yubico.control = "sufficient"; # pam.conf(5)
+ #security.pam.yubico.mode = "challenge-response"; # ykpamcfg(1)
+ #file."~/.yubico/authorized_yubikeys" = <list of keys>;
+
+ networking = {
+ hostName = "beryllium";
+ networkmanager.enable = false;
+ };
+
+ time.timeZone = "America/New_York";
+
+ environment.systemPackages = [
+ pkgs.brightnessctl
+ ];
+
+ nixpkgs = {
+ config = {
+ allowUnfree = false;
+ allowBroken = false;
+ };
+ };
+
+ hardware = {
+ enableAllFirmware = ;
+ bluetooth.enable = false;
+ };
+
+ programs = {
+ bash.enableCompletion = true;
+ command-not-found.enable = true;
+ light.enable = true;
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+ };
+
+ services = {
+ pcscd = {
+ enable = true;
+ };
+
+ printing.enable = true;
+
+ xserver = {
+ enable = true;
+ autorun = true;
+ layout = "us";
+ libinput.enable = true;
+
+ xkbOptions = "caps:ctrl_modifier";
+
+ displayManager.sddm.enable = true;
+
+ windowManager.xmonad.enable = true;
+ desktopManager = {
+ xterm.enable = true;
+ };
+ };
+
+ # security stuff
+ clamav = {
+ daemon.enable = true;
+ };
+ };
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ powerManagement.enable = false;
+
+ nix = {
+ nixPath = [
+ "nixpkgs=${nixpkgs}"
+ "nixos-config=/etc/nixos/configuration.nix"
+ "/nix/var/nix/profiles/per-user/root/channels"
+ ];
+ binaryCaches = [ ];
+ extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ builders-use-substitutes = true
+ '';
+ };
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "19.03"; # Did you read the comment?
+ system.autoUpgrade.enable = false;
+}