Diffstat (limited to 'sys/preset')
| -rw-r--r-- | sys/preset/default.nix | 6 | ||||
| -rw-r--r-- | sys/preset/dmz.nix | 64 | ||||
| -rw-r--r-- | sys/preset/user.nix | 107 |
3 files changed, 177 insertions, 0 deletions
diff --git a/sys/preset/default.nix b/sys/preset/default.nix
new file mode 100644
index 0000000..45ae529
--- /dev/null
+++ b/sys/preset/default.nix
@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./dmz.nix
+    ./user.nix
+  ];
+}
diff --git a/sys/preset/dmz.nix b/sys/preset/dmz.nix
new file mode 100644
index 0000000..5a04c1e
--- /dev/null
+++ b/sys/preset/dmz.nix
@@ -0,0 +1,64 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.preset.dmz;
+in {
+  options.local.preset.dmz = {
+    enable = mkEnableOption "dmz preset";
+
+    container = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    local = {
+      boot = {
+        kernel = mkDefault pkgs.linuxPackages_hardened;
+        loader = mkDefault "grub";
+
+        efi.enable = mkDefault (!cfg.container);
+        firmware.mode = mkDefault "none";
+        namespaced.enable = cfg.container;
+
+        stack.luksExt4FscryptImpermanence = {
+          enable = mkDefault (!cfg.container);
+        };
+      };
+
+      jobs.pkiExpiry.enable = mkDefault config.local.mta.enable;
+
+      mta = {
+        enable = mkDefault true;
+
+        mode = "primary";
+      };
+
+      net = {
+        enable = true;
+        hostname = "dmz";
+
+        fail2ban.enable = true;
+      };
+
+      web.sites.portal.enable = true;
+    };
+
+    services = {
+      resolved = {
+        llmnr = "false";
+        fallbackDns = []; # Disable the default systemd-resolved server list
+      };
+    };
+
+    users = {
+      allowNoPasswordLogin = cfg.container;
+      mutableUsers = false;
+    };
+  };
+}
diff --git a/sys/preset/user.nix b/sys/preset/user.nix
new file mode 100644
index 0000000..ff939f8
--- /dev/null
+++ b/sys/preset/user.nix
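Review bot: `allowNoPasswordLogin = cfg.container;` in the `users` block deserves a comment, because the option name reads as "permit login without a password" while, as I read the NixOS option, it only lifts the assertion that at least one account has a password or authorized key; something like `# Container has no interactive login path, so no account needs credentials (NixOS only drops the assertion)` records why that is safe here, with the container/no-login assumption confirmed against the namespaced boot stack. Separately, `hostname = "dmz";` and `mode = "primary";` are plain assignments while every neighbouring setting uses `mkDefault`, so a second host importing this preset cannot override them without `mkForce`; if that is intentional a comment should say so, otherwise `hostname = mkDefault "dmz";` keeps the preset composable.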
@@ -0,0 +1,107 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkDefault;
+  cfg = config.local.preset.user;
+in {
+  options.local.preset.user = {
+    enable = lib.mkEnableOption "user-like preset";
+
+    kdeconnect = {
+      self6 = lib.mkOption {
+        type = lib.types.str;
+      };
+
+      peers6 = lib.mkOption {
+        type = with lib.types; listOf str;
+        default = [];
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    local = {
+      installUsers = mkDefault "single";
+
+      auth = {
+        oath.enable = mkDefault true;
+
+        openssh = {
+          enable = mkDefault true;
+
+          hostKeys = {
+            rsa = mkDefault true;
+            ecdsa = mkDefault true;
+            ed25519 = mkDefault true;
+          };
+        };
+      };
+
+      boot = {
+        kernel = mkDefault pkgs.linuxPackages_latest;
+        loader = mkDefault "grub";
+
+        efi = {
+          enable = mkDefault true;
+          removable = mkDefault false;
+        };
+
+        firmware.mode = mkDefault "redistributable";
+        detachedLuks.enable = mkDefault true;
+
+        stack.btrfsToplevelMultidrive = {
+          enable = mkDefault true;
+
+          toplevel.root = mkDefault "/root";
+          secondary.home = mkDefault "/home";
+        };
+      };
+
+      hardware = {
+        yubico = {
+          enable = mkDefault true;
+          pamAuth = mkDefault true;
+        };
+
+        bluetooth.enable = mkDefault true;
+      };
+
+      net.enable = true;
+
+      seat = {
+        enable = true;
+        graphical = mkDefault true;
+      };
+
+      #trivionomiconMotd.enable = true;
+
+      athena-bccr = {
+        mirror = "https://public.posixlycorrect.com/dist/firma_digital";
+        vendor = "athena";
+      };
+    };
+
+    networking = {
+      firewall.extraCommands = let
+        inherit (cfg.kdeconnect) self6;
+
+        peerRules = peer6: ''
+          ip6tables -A local-input -s ${peer6} -d ${self6} -p tcp -m multiport --dports 1714:1764 -j ACCEPT
+          ip6tables -A local-input -s ${peer6} -d ${self6} -p udp -m multiport --dports 1714:1764 -j ACCEPT
+        '';
+      in
+        lib.concatStrings (map peerRules cfg.kdeconnect.peers6);
+    };
+
+    services.nullmailer = {
+      enable = mkDefault true;
+
+      config = {
+        me = "${config.networking.hostName}@${config.networking.domain}";
+      };
+    };
+  };
+}
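Review bot: `firewall.extraCommands` splices `self6` and every `peers6` entry straight into `ip6tables` invocations that run as a root shell script, yet both options are declared as bare `types.str`, so a value containing whitespace or shell metacharacters would turn into extra arguments or extra commands rather than an eval error. These values come from the host's own configuration, not from the network, so this is a hardening point rather than an exploit, but restricting the type makes the interpolation safe by construction: `type = lib.types.strMatching "[0-9a-fA-F:./]+";` on `self6`, and `type = with lib.types; listOf (strMatching "[0-9a-fA-F:./]+");` on `peers6`. The `local-input` chain the rules append to is presumably created by the `local.net` module; a one-line comment naming where it is defined would save the next reader a search. Separately, `me = "${config.networking.hostName}@${config.networking.domain}"` will fail at evaluation on any host that imports the preset without setting `networking.domain` (it is `null` by default), so either an assertion with a clear message or a comment stating the requirement is warranted.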
