nixos:
{ ipAddress ? null
, enableVpn ? false
, vpnConnectTo ? ""
, vpnRsaPrivateKeyFile ? null
, vpnEd25519PrivateKeyFile ? null
, deps ? {} # an attrset overlayed to pkgs
, configuration # see: configuration.nix(5)
}:
# assert enableVpn -> builtins.isString ipAddress;
# assert enableVpn -> builtins.isString vpnRsaPrivateKeyFile;
# assert enableVpn -> builtins.isString vpnEd25519PrivateKeyFile;
let
  # tinc.conf fragment for the VPN; the key file paths are interpolated verbatim
  vpnExtraConfig = if enableVpn then ''
    ConnectTo = ${vpnConnectTo}
    Ed25519PrivateKeyFile = "${vpnEd25519PrivateKeyFile}"
    PrivateKeyFile = "${vpnRsaPrivateKeyFile}"
  '' else "";

  # expose the caller-supplied deps on top of pkgs
  overlay = self: super: deps;

  defaults = {
    boot.cleanTmpDir = true;
    #networking.interfaces.simatime-vpn = [{ ipv4.address = ipAddress; }];
    nix.binaryCaches = [ "https://cache.nixos.org" ];
    nix.gc.automatic = true;
    nix.gc.dates = "Sunday 02:15";
    nix.maxJobs = 1; # "auto";
    nix.optimise.automatic = true;
    nix.optimise.dates = [ "Sunday 02:30" ];
    nixpkgs.overlays = [ overlay ];
    programs.mosh.enable = true;
    programs.mosh.withUtempter = true;
    security.acme.email = "ben@bsima.me";
    security.acme.acceptTerms = true;
    security.sudo.wheelNeedsPassword = false;
    services.clamav.daemon.enable = true; # security
    services.clamav.updater.enable = true; # security
    services.fail2ban.enable = true; # security
    services.openssh.enable = true;
    services.openssh.openFirewall = true;
    services.openssh.forwardX11 = true;
    services.openssh.passwordAuthentication = false;
    #services.tinc.networks.simatime-vpn.extraConfig = vpnExtraConfig;
    #services.tinc.networks.simatime-vpn.debugLevel = 3;
    #services.tinc.networks.simatime-vpn.interfaceType = "tap";
    #services.tinc.networks.simatime-vpn.hosts = import ./vpnHosts.nix;
    system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin
  };

  os = nixos {
    system = "x86_64-linux";
    # note: `//` is a shallow merge, so a top-level attribute set by the
    # caller (e.g. `services`) replaces the whole corresponding attribute
    # from defaults, including the fail2ban/clamav/openssh settings above
    configuration = (defaults // configuration);
  };
in {
  system = os.system;
  vm = os.vm;
}