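{ config, pkgs, lib, ... }:
# NixOS host configuration for the Linode VM "v-proton-jp43": static IPv4/IPv6
# addressing, LISH serial console, a sops-managed root password and root SSH
# access restricted to the maintainer keys listed below.
let
  ipv4 = {
    address = "172.233.74.234";
    gateway = "172.233.74.1";
    netmask = "255.255.255.0";
    prefixLength = 24; # https://www.pawprint.net/designresources/netmask-converter.php
  };
  ipv6 = {
    address = "2400:8905::7ab1:59eb:d315:b252";
    gateway = "fe80::1";
    prefixLength = 64;
  };
  networkInterface = "eth0";
  hostName = "v-proton-jp43";
  hostId = "3185b70b";
  hostAddr = "172-233-74-234.ip.linodeusercontent.com";
  # Public keys that are granted root access over SSH (see users.users.root
  # and services.openssh below).
  sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
  # Extend this list (e.g. `sefidelKeys ++ otherKeys`) to add maintainers.
  maintainerKeys = sefidelKeys;
in
{
  # Target used by the deployment tool; root login works only with the
  # authorized keys above because password login is prohibited below.
  deployment = {
    targetHost = hostAddr;
    targetPort = 22;
    targetUser = "root";
  };
  imports = [ ./hardware-configuration.nix ];
  networking.hostId = hostId;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "nodev";
  # Linode tweaks
  boot.loader.timeout = 10; # Compensate for LISH
  # LISH
  boot.loader.grub.extraConfig = ''
    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
    terminal_input serial;
    terminal_output serial
  '';
  networking.usePredictableInterfaceNames = false;
  boot.kernelParams = [
    # LISH
    "console=ttyS0,19200n8"
    # See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.
    # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
    # The server ip refers to the NFS server -- not needed in this case.
    # NOTE(review): this brings the interface up during early boot, before the
    # stage-2 firewall below applies -- presumably for initrd networking; confirm
    # nothing is expected to listen at that point.
    "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
  ];
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = hostName;
  # Static addressing: DHCP is off and both address families are pinned to
  # `networkInterface`.
  networking.useDHCP = false;
  networking.interfaces.${networkInterface} = {
    ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
    ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
  };
  networking.defaultGateway = ipv4.gateway;
  networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
  networking.nameservers = [ "8.8.8.8" ];
  networking.firewall.enable = true;
  time.timeZone = "UTC";
  # The root password hash is decrypted early (neededForUsers) so it is
  # available when user accounts are created.
  sops.secrets.root-password.neededForUsers = true;
  sops.secrets.pvpn-private-key = { };
  users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
  users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
  services.openssh.enable = true;
  # Root may log in with a key only, never with the password above.
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  nix.flakes.enable = true;
  modules = {
    security.enable = true;
    persistence.enable = false;
    cachix.enable = true;
    sops.enable = true;
    services.tailscale.enable = true;
  };
  # NOTE(review): NetworkManager is enabled next to the static
  # networking.interfaces/useDHCP = false setup above -- confirm `eth0` is meant
  # to be managed by both rather than marked unmanaged.
  networking.networkmanager.enable = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
}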