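# NixOS host module: bootloader, LUKS layout (root volume with a detached
# header kept on /boot, auxiliary volumes unlocked with keyfiles stored on the
# encrypted root), networking and a hardened sshd.
#
# `self` is the flake that supplies `self.overlay`; all per-host knobs are read
# from `config.local` (declared in ./options.nix).
{ self }:
{ lib, config, pkgs, modulesPath, ... }:
with lib;
let
  cfg = config.local;
in
{
  imports = [
    "${modulesPath}/installer/scan/not-detected.nix"
    ./fs
    ./options.nix
    ./users.nix
  ];

  config = {
    nixpkgs.overlays = [ self.overlay ];

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It's perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "21.11"; # Did you read the comment?

    nix = {
      package = pkgs.nixFlakes;
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
    };

    boot = {
      # GRUB (EFI only, no MBR install device) or systemd-boot, chosen by
      # cfg.loader; both share the efi.canTouchEfiVariables setting.
      loader =
        (if cfg.loader == "grub" then {
          grub = {
            enable = true;
            device = "nodev";
            efiSupport = true;
          };
        } else {
          systemd-boot.enable = true;
        })
        // {
          efi = { inherit (cfg) canTouchEfiVariables; };
        };

      initrd =
        let
          crypt = cfg.crypt.toplevel;
          # Path of the detached LUKS header once the (vfat) boot partition is
          # mounted on /initrd-boot.  Only forced when crypt != null (lazy let).
          headerPath = "/initrd-boot/${crypt.headerFromBoot}";
          headerPathEscaped = escapeShellArg headerPath;
        in
        {
          availableKernelModules = cfg.initrdModules;
          # Required to mount the boot partition that carries the LUKS header.
          supportedFilesystems = [ "vfat" ];

          # Create an empty placeholder at the header path before device
          # handling starts.  Presumably this satisfies stage 1's wait for the
          # header file until preOpenCommands mounts the real boot partition
          # over /initrd-boot -- confirm against the luks stage-1 script.
          preDeviceCommands = optionalString (crypt != null) ''
            mkdir -p "$(dirname ${headerPathEscaped})"
            touch ${headerPathEscaped}
          '';

          # TODO: unconditional delay for slowly enumerating (e.g. USB) media on
          # portable hosts; polling for the device node would be more robust
          # than a fixed sleep, which is both racy and slow.
          preLVMCommands = optionalString cfg.portable ''
            sleep 2
          '';

          # Once the root filesystem is mounted, unlock the auxiliary LUKS
          # volumes.  Their headers and keyfiles live on the already-unlocked
          # root, so their confidentiality reduces to that of the root volume.
          # Every interpolated value is shell-escaped (the original escaped the
          # header/keyfile paths but not device/target): cfg.crypt.aux is
          # operator configuration rather than untrusted input, but a device
          # name containing whitespace or quotes must not silently split into
          # several cryptsetup arguments.
          postMountCommands =
            let
              fromRoot = path: escapeShellArg "/mnt-root/${path}";
              auxOpen = aux: ''
                cryptsetup -v open \
                  --header ${fromRoot aux.header} \
                  --key-file ${fromRoot aux.keyfile} \
                  ${escapeShellArg aux.device} ${escapeShellArg aux.target}
              '';
            in
            concatStringsSep "\n" (map auxOpen cfg.crypt.aux);

          # Root LUKS volume whose header sits on the unencrypted boot
          # partition.  The header holds the key slots: anyone who can write
          # /boot can corrupt or replace it, so keep an offline backup and be
          # aware that /boot is not integrity-protected by this layout.
          luks.devices = mkIf (crypt != null) {
            "${crypt.target}" = {
              inherit (crypt) device;
              header = headerPath;
              # Open after LVM activation rather than before.  NOTE(review):
              # presumably so cfg.fs.boot.device is available when
              # preOpenCommands mounts it -- confirm.
              preLVM = false;
              preOpenCommands = ''
                mount -o ro -t vfat ${escapeShellArg cfg.fs.boot.device} /initrd-boot
              '';
              postOpenCommands = ''
                umount /initrd-boot
              '';
            };
          };

          # Initrd networking/ssh (remote unlock) is deliberately left off:
          #network = {
          #  enable = true;
          #  ssh = {
          #    enable = true;
          #    port = 2234;
          #  };
          #};
        };
    };

    # Microcode updates for the declared CPU vendor; follows the
    # redistributable-firmware switch unless overridden elsewhere.
    hardware.cpu =
      let
        ucode.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
      in
      {
        amd = mkIf (cfg.cpuVendor == "amd") ucode;
        intel = mkIf (cfg.cpuVendor == "intel") ucode;
      };

    time.timeZone = "America/Costa_Rica";
    i18n.defaultLocale = "es_CR.UTF-8";

    networking = {
      hostName = cfg.hostname;
      # systemd-networkd manages interfaces; DHCP only on the single interface
      # named by cfg.dhcpInterface (none when it is null).
      useDHCP = false;
      useNetworkd = true;
      interfaces = mkIf (cfg.dhcpInterface != null) {
        "${cfg.dhcpInterface}".useDHCP = true;
      };
      wireguard.enable = true;
    };

    environment.systemPackages = [ pkgs.dhcpcd pkgs.git ];

    # OATH one-time-password second factor for sshd via PAM, with the user
    # secrets in /var/trust/auth/users.oath (must be root-only readable).
    # NOTE(review): PAM only runs for keyboard-interactive logins; public-key
    # logins bypass the PAM auth stack unless sshd's AuthenticationMethods
    # requires both -- confirm this matches the intended policy.  A window of
    # 30 steps is generous; tighten it if client clocks are reliable.
    security.pam = {
      oath = {
        usersFile = "/var/trust/auth/users.oath";
        digits = 6;
        window = 30;
      };
      services.sshd.oathAuth = true;
    };

    services.openssh = {
      enable = true;
      # The firewall rule is declared explicitly below instead of via
      # openFirewall, so the exposed port is visible in one place.
      openFirewall = false;
      ports = [ 2234 ];
      # X11 forwarding lets any process on this host reach the connecting
      # client's X server; keep it only if it is actually used.
      forwardX11 = true;
      permitRootLogin = "no";
      passwordAuthentication = false;
      hostKeys = [
        { bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
        { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
        # TODO: phase out (NIST-curve ECDSA).  Left in place for now because
        # removing it changes the key set the server offers and would break
        # clients that pinned only this key in known_hosts.
        { path = "/etc/ssh/ssh_host_ecdsa_key"; type = "ecdsa"; }
      ];
    };

    networking.firewall.allowedTCPPorts = [ 2234 ];
  };
}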