Diffstat (limited to 'Biz/buildOS.nix')
-rw-r--r-- | Biz/buildOS.nix | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/Biz/buildOS.nix b/Biz/buildOS.nix
new file mode 100644
index 0000000..9e6c2f2
--- /dev/null
+++ b/Biz/buildOS.nix
@@ -0,0 +1,56 @@
+nixos:
+{ ipAddress ? null
+, enableVpn ? false
+, vpnConnectTo ? ""
+, vpnRsaPrivateKeyFile ? null
+, vpnEd25519PrivateKeyFile ? null
+, deps ? {} # an attrset overlayed to pkgs
+, configuration # see: configuration.nix(5)
+}:
+# assert enableVpn -> builtins.isString ipAddress;
+# assert enableVpn -> builtins.isString vpnRsaPrivateKeyFile;
+# assert enableVpn -> builtins.isString vpnEd25519PrivateKeyFile;
+let
+ vpnExtraConfig = if enableVpn then ''
+ ConnectTo = ${vpnConnectTo}
+ Ed25519PrivateKeyFile = "${vpnEd25519PrivateKeyFile}"
+ PrivateKeyFile = "${vpnRsaPrivateKeyFile}"
+ '' else "";
+ overlay = self: super: deps;
+ defaults = {
+ boot.cleanTmpDir = true;
+ #networking.interfaces.simatime-vpn = [{ ipv4.address = ipAddress; }];
+ networking.firewall.allowPing = true;
+ nix.binaryCaches = [ "https://cache.nixos.org" ];
+ nix.gc.automatic = true;
+ nix.gc.dates = "Sunday 02:15";
+ nix.maxJobs = 1; # "auto";
+ nix.optimise.automatic = true;
+ nix.optimise.dates = [ "Sunday 02:30" ];
+ nixpkgs.overlays = [ overlay ];
+ programs.mosh.enable = true;
+ programs.mosh.withUtempter = true;
+ security.acme.email = "ben@bsima.me";
+ security.acme.acceptTerms = true;
+ security.sudo.wheelNeedsPassword = false;
+ services.clamav.daemon.enable = true; # security
+ services.clamav.updater.enable = true; # security
+ services.fail2ban.enable = true; # security
+ services.openssh.enable = true;
+ services.openssh.openFirewall = true;
+ services.openssh.forwardX11 = true;
+ services.openssh.passwordAuthentication = false;
+ #services.tinc.networks.simatime-vpn.extraConfig = vpnExtraConfig;
+ #services.tinc.networks.simatime-vpn.debugLevel = 3;
+ #services.tinc.networks.simatime-vpn.interfaceType = "tap";
+ #services.tinc.networks.simatime-vpn.hosts = import ./vpnHosts.nix;
+ system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin
+ };
+ os = nixos {
+ system = "x86_64-linux";
+ configuration = (defaults // configuration);
+ };
+in {
+ system = os.system;
+ vm = os.vm;
+}
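Review bot: `configuration = (defaults // configuration);` near the end of the hunk is a shallow attrset merge, so a caller whose `configuration` sets any top-level key that `defaults` also uses (`services`, `security`, `networking`, `nix`) replaces that whole subtree and silently drops the hardening declared here, including `services.openssh.passwordAuthentication = false`, fail2ban and clamav. Composing the two as NixOS modules keeps every option and lets the module system report genuine conflicts instead of overwriting: `configuration = { imports = [ defaults configuration ]; };`. Two defaults also warrant a why-comment so a later reader does not "fix" them: `security.sudo.wheelNeedsPassword = false;` gives every wheel user passwordless root, and `services.openssh.forwardX11 = true;` enables X11 forwarding on a host that otherwise looks headless. Separately, `vpnExtraConfig` is computed but unused while the tinc lines remain commented out, and because the three `assert` lines are also commented out, `enableVpn = true` with the `null` key-file defaults fails only at the `"${vpnEd25519PrivateKeyFile}"` interpolation rather than with a clear message; note too that if a caller ever passes those key files as Nix paths instead of strings, the interpolation copies the private keys into the world-readable store.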