blob: 4193ed5dd43e624b201660ad86587fa4313840af (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
nixos:
{ ipAddress ? null
, enableVpn ? false
, vpnConnectTo ? ""
, vpnRsaPrivateKeyFile ? null
, vpnEd25519PrivateKeyFile ? null
, configuration # see: configuration.nix(5)
}:
assert enableVpn -> builtins.isString ipAddress;
assert enableVpn -> builtins.isString vpnRsaPrivateKeyFile;
assert enableVpn -> builtins.isString vpnEd25519PrivateKeyFile;
let
vpnExtraConfig = if enableVpn then ''
ConnectTo = ${vpnConnectTo}
Ed25519PrivateKeyFile = "${vpnEd25519PrivateKeyFile}"
PrivateKeyFile = "${vpnRsaPrivateKeyFile}"
'' else "";
defaults = {
boot.cleanTmpDir = true;
#networking.interfaces.simatime-vpn = [{ ipv4.address = ipAddress; }];
nix.binaryCaches = [ "https://cache.nixos.org" ];
nix.gc.automatic = true;
nix.gc.dates = "Sunday 02:15";
nix.maxJobs = 1; # "auto";
nix.optimise.automatic = true;
nix.optimise.dates = [ "Sunday 02:30" ];
security.sudo.wheelNeedsPassword = false;
services.clamav.daemon.enable = true; # security
services.clamav.updater.enable = true; # security
services.fail2ban.enable = true; # security
services.openssh.enable = true;
services.openssh.openFirewall = true;
services.openssh.forwardX11 = true;
services.openssh.passwordAuthentication = false;
#services.tinc.networks.simatime-vpn.extraConfig = vpnExtraConfig;
#services.tinc.networks.simatime-vpn.debugLevel = 3;
#services.tinc.networks.simatime-vpn.interfaceType = "tap";
#services.tinc.networks.simatime-vpn.hosts = import ./vpnHosts.nix;
system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin
users.motd = "\n\n\twelcome to the simatime network\n\n\n";
users.users = import ./users.nix;
users.mutableUsers = false;
};
os = nixos {
system = "x86_64-linux";
configuration = (defaults // configuration);
};
in {
system = os.system;
vm = os.vm;
}
|
