{
  artautil,
  config,
  lib,
  ...
}: let
  # The host's name is used both to locate its sops secrets file and to
  # look up its static IPv4 address.
  hostName = config.networking.hostName;
in {
  # Per-host secrets file, resolved relative to this module's location.
  sops.defaultSopsFile = ../../../secrets/${hostName}/secrets.yaml;

  # This configuration is built for a container, not a bare-metal/VM boot.
  boot.isContainer = true;

  # Install new init script.  mkForce overrides any other module's definition
  # of this activation script so the container's /sbin/init always points at
  # the current system's init.
  system.activationScripts.installInitScript = lib.mkForce ''
    mkdir -p /sbin
    ln -fs $systemConfig/init /sbin/init
  '';

  time.timeZone = "Europe/Helsinki";

  # Static network configuration on eth0; the address itself comes from the
  # project's artautil helper keyed by hostname.
  networking = {
    defaultGateway = {
      address = "10.1.2.1";
      interface = "eth0";
    };
    nameservers = ["10.1.2.3"];
    interfaces.eth0.ipv4.addresses = [
      {
        address = artautil.getIPv4 hostName;
        prefixLength = 24;
      }
    ];
  };

  nix.settings.trusted-users = ["root"];

  # Root is reachable over SSH only with this key: password and
  # keyboard-interactive logins are disabled below and root login is
  # restricted to public-key authentication.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAlif3ABIk0YSx++A+sEeRYPNMMZWLcDuoTKhmcCL6K jonni@liljamo.com"
  ];

  services = {
    openssh = {
      enable = true;
      # Forced so that no other module can re-enable weaker auth methods.
      settings = {
        PasswordAuthentication = lib.mkForce false;
        KbdInteractiveAuthentication = lib.mkForce false;
        PermitRootLogin = lib.mkForce "prohibit-password";
      };
    };

    # Cap the persistent journal and additionally drop entries older than
    # seven days every night at 22:00.
    journald.extraConfig = "SystemMaxUse=4G";
    cron.systemCronJobs = ["0 22 * * * root journalctl --vacuum-time=7d"];
  };

  # Units suppressed for this container build; presumably ones that cannot
  # run without a console, udev or the corresponding kernel mounts — confirm
  # against the container runtime if any of these is later needed.
  systemd.suppressedSystemUnits = [
    "console-getty.service"
    "getty@.service"
    "systemd-udev-trigger.service"
    "systemd-udevd.service"
    "sys-fs-fuse-connections.mount"
    "sys-kernel-debug.mount"
    "dev-mqueue.mount"
  ];
}