diff options
Diffstat (limited to 'sys/preset')
| -rw-r--r-- | sys/preset/default.nix | 6 | ||||
| -rw-r--r-- | sys/preset/dmz.nix | 64 | ||||
| -rw-r--r-- | sys/preset/user.nix | 79 |
3 files changed, 149 insertions, 0 deletions
diff --git a/sys/preset/default.nix b/sys/preset/default.nix new file mode 100644 index 0000000..45ae529 --- /dev/null +++ b/sys/preset/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./dmz.nix + ./user.nix + ]; +} diff --git a/sys/preset/dmz.nix b/sys/preset/dmz.nix new file mode 100644 index 0000000..5a04c1e --- /dev/null +++ b/sys/preset/dmz.nix @@ -0,0 +1,64 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.local.preset.dmz; +in { + options.local.preset.dmz = { + enable = mkEnableOption "dmz preset"; + + container = mkOption { + type = types.bool; + default = false; + }; + }; + + config = lib.mkIf cfg.enable { + local = { + boot = { + kernel = mkDefault pkgs.linuxPackages_hardened; + loader = mkDefault "grub"; + + efi.enable = mkDefault (!cfg.container); + firmware.mode = mkDefault "none"; + namespaced.enable = cfg.container; + + stack.luksExt4FscryptImpermanence = { + enable = mkDefault (!cfg.container); + }; + }; + + jobs.pkiExpiry.enable = mkDefault config.local.mta.enable; + + mta = { + enable = mkDefault true; + + mode = "primary"; + }; + + net = { + enable = true; + hostname = "dmz"; + + fail2ban.enable = true; + }; + + web.sites.portal.enable = true; + }; + + services = { + resolved = { + llmnr = "false"; + fallbackDns = []; # Disable the default systemd-resolved server list + }; + }; + + users = { + allowNoPasswordLogin = cfg.container; + mutableUsers = false; + }; + }; +} diff --git a/sys/preset/user.nix b/sys/preset/user.nix new file mode 100644 index 0000000..56b6866 --- /dev/null +++ b/sys/preset/user.nix @@ -0,0 +1,79 @@ +{ + config, + lib, + pkgs, + ... +}: let + inherit (lib) mkDefault; + cfg = config.local.preset.user; +in { + options.local.preset.user = { + enable = lib.mkEnableOption "user-like preset"; + }; + + config = lib.mkIf cfg.enable { + local = { + installUsers = mkDefault "single"; + + auth = { + oath.enable = mkDefault true; + + openssh = { + enable = mkDefault true; + + hostKeys = { + rsa = mkDefault true; + ecdsa = mkDefault true; + ed25519 = mkDefault true; + }; + }; + }; + + boot = { + kernel = mkDefault pkgs.linuxPackages_latest; + loader = mkDefault "grub"; + + efi = { + enable = mkDefault true; + removable = mkDefault false; + }; + + firmware.mode = mkDefault "redistributable"; + detachedLuks.enable = mkDefault true; + + stack.btrfsToplevelMultidrive = { + enable = mkDefault true; + + toplevel.root = mkDefault "/root"; + secondary.home = mkDefault "/home"; + }; + }; + + hardware = { + yubico = { + enable = mkDefault true; + pamAuth = mkDefault true; + }; + + bluetooth.enable = mkDefault true; + }; + + net.enable = true; + + seat = { + enable = true; + graphical = mkDefault true; + }; + + #trivionomiconMotd.enable = true; + }; + + services.nullmailer = { + enable = mkDefault true; + + config = { + me = "${config.networking.hostName}@${config.networking.domain}"; + }; + }; + }; +} |