{ config, lib, pkgs, ... }:

# Live-ISO profile for an air-gapped machine used to set up GPG keys
# (YubiKey workflow). Derived from github.com/dhess/nixos-yubikey.
let
  # nixpkgs checkout pinned by ../nixpkgs.nix; also placed on NIX_PATH below
  # so `nixpkgs=` resolves to the same revision the image was built from.
  nixpkgs = builtins.fetchTarball (import ../nixpkgs.nix);
in
{
  isoImage = {
    isoBaseName = "oxygen";
    edition = "o2";
    makeEfiBootable = true;
    makeUsbBootable = true;
  };

  # Single-purpose live image: the console logs straight in as root with an
  # empty password. Acceptable only because the host never has a network.
  users.users.root.initialHashedPassword = "";

  documentation = {
    enable = true;
    nixos.enable = true;
  };

  boot = {
    # Copy the ISO into RAM at boot so nothing is accidentally written back
    # to the boot medium or any other persistent storage.
    kernelParams = [ "copytoram" ];
    cleanTmpDir = true;
    kernel.sysctl."kernel.unprivileged_bpf_disabled" = 1;

    plymouth = {
      enable = true;
      theme = "breeze";
      # Boot splash image. This is downloaded on the build host when the ISO
      # is assembled (the sha256 pins its content), never on the air-gapped
      # machine itself.
      logo = pkgs.fetchurl {
        url = "https://www.themoviethemesong.com/wp-content/uploads/2014/04/The-Matrix-Theme-Song-5.jpg";
        sha256 = "0smb717ji82pqqzn6rjg10mz4kjr2nfylm60a9q9divj918l2gqf";
      };
    };

    initrd.network.enable = false;

    # Use the systemd-boot EFI boot loader.
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };

  # Networking is switched off entirely (no DHCP, no networkd, no wireless);
  # the firewall stays on as a backstop. A hostname is still required.
  networking = {
    hostName = "oxygen";
    dhcpcd = {
      enable = false;
      allowInterfaces = [ ];
    };
    firewall.enable = true;
    useDHCP = false;
    useNetworkd = false;
    wireless.enable = false;
  };
  systemd.network.enable = false;

  time.timeZone = "America/New_York";

  environment = {
    # ref: https://rzetterberg.github.io/yubikey-gpg-nixos.html
    systemPackages = [
      pkgs.bitcoin
      pkgs.ccrypt
      pkgs.cryptsetup
      pkgs.diceware # generate passphrases
      pkgs.ent # entropy
      pkgs.gnupg
      (pkgs.haskell.lib.justStaticExecutables pkgs.haskellPackages.hopenpgp-tools)
      pkgs.mkpasswd
      pkgs.paperkey # store pgp keys on paper
      pkgs.parted
      pkgs.pcsclite # smartcard middleware
      pkgs.pcsctools
      pkgs.pgpdump
      pkgs.pinentry-curses
      pkgs.pwgen
      pkgs.qrencode
      pkgs.w3m-nographics # for documentation/manual
      pkgs.yubikey-manager
      pkgs.yubikey-personalization
    ];

    # Per-shell setup: no on-disk shell history, and a fresh GNUPGHOME under
    # /run/user/<uid> with a gpg-agent.conf that forces the curses pinentry.
    # NOTE(review): /run/user/<uid> is presumably a tmpfs, so the keyring
    # would live only in RAM -- confirm on the running image.
    interactiveShellInit =
      let
        gpg-agent-conf = pkgs.writeText "gpg-agent.conf" ''
          pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses
        '';
      in ''
        unset HISTFILE
        export GNUPGHOME=/run/user/$(id -u)/gnupg
        [ -d $GNUPGHOME ] || install -m 0700 -d $GNUPGHOME
        cp ${gpg-agent-conf} $GNUPGHOME/gpg-agent.conf
        echo "\$GNUPGHOME is $GNUPGHOME"
      '';

    # Expose the pinned nixpkgs tree as a channel-like path on the image.
    etc.host-nix-channel.source = pkgs.path;
  };

  nixpkgs.config = {
    allowUnfree = false;
    allowBroken = false;
  };

  programs = {
    bash.enableCompletion = true;
    command-not-found.enable = true;
    light.enable = true;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
  };

  services = {
    getty.autologinUser = "root";
    # udev rules so the YubiKey is usable without extra permissions.
    udev.packages = [ pkgs.yubikey-personalization ];
    pcscd.enable = true;
    # CUPS is on; presumably for printing paperkey output -- verify.
    printing.enable = true;

    #xserver.enable = true;
    #xserver.autorun = true;
    #xserver.layout = "us";
    #xserver.libinput.enable = true;
    #xserver.xkbOptions = "caps:ctrl_modifier";
    #xserver.displayManager.lightdm.enable = true;
    #xserver.windowManager.xmonad.enable = true;
    #xserver.desktopManager.xterm.enable = true;
  };

  powerManagement.enable = false;

  nix = {
    useSandbox = true;
    nixPath = [
      "nixpkgs=${nixpkgs}"
      "nixos-config=/etc/nixos/configuration.nix"
      "/nix/var/nix/profiles/per-user/root/channels"
    ];
    # No binary caches: nothing is ever fetched from a remote substituter.
    binaryCaches = [ ];
  };

  system = {
    extraSystemBuilderCmds = "ln -sv ${pkgs.path} $out/nixpkgs";

    # This value determines the NixOS release with which your system is to be
    # compatible, in order to avoid breaking some software such as database
    # servers. You should change this only after NixOS release notes say you
    # should.
    stateVersion = "19.03"; # Did you read the comment?

    autoUpgrade.enable = false;
  };
}