added stuff

This commit is contained in:
Charlie Root 2024-04-09 23:11:33 +02:00
commit 9d0ebdfbd0
907 changed files with 70990 additions and 0 deletions


@ -0,0 +1,37 @@
{
pkgs,
lib,
...
}: let
inherit (lib.modules) mkForce;
in {
boot = {
# use the latest Linux kernel
kernelPackages = pkgs.linuxPackages_latest;
# talk to me kernel
kernelParams = lib.mkAfter ["noquiet"];
# no need for systemd in the initrd stage on an installation media
# being put in to recovery mode, or having systemd in stage one is
# entirely pointless
initrd.systemd = {
enable = lib.mkImageMediaOverride false;
emergencyAccess = lib.mkImageMediaOverride true;
};
# Needed for https://github.com/NixOS/nixpkgs/issues/58959
# tl;dr: ZFS is problematic and we don't want it
supportedFilesystems = mkForce [
"btrfs"
"vfat"
"f2fs"
"xfs"
"ntfs"
"cifs"
];
# disable software RAID
swraid.enable = mkForce false;
};
}
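Review bot: `initrd.systemd.emergencyAccess = lib.mkImageMediaOverride true` has no effect as written, because the systemd-based initrd it configures is disabled by `enable = lib.mkImageMediaOverride false` two lines earlier; if a later module re-enables `initrd.systemd`, this line would silently grant a passwordless root shell in the initrd emergency target. Either drop it or record the intent, e.g. `# only meaningful if initrd.systemd is re-enabled; grants an unauthenticated root shell in the initrd emergency target`. Separately, `noquiet` does not look like a switch the kernel itself recognises (the documented parameter is `quiet`, and unknown parameters are passed through to init), so `kernelParams = lib.mkAfter ["noquiet"]` is presumably a no-op — worth confirming.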


@ -0,0 +1,13 @@
{
imports = [
./misc
./services
./boot.nix
./environment.nix
./hardware.nix
./networking.nix
./nix.nix
./users.nix
];
}


@ -0,0 +1,46 @@
{
inputs,
pkgs,
lib,
...
}: let
inherit (lib.modules) mkForce;
in {
environment = {
# our installer is a minimal, TUI-only environment. I don't find any
# good reason to keep X11 libs around while we will not be depending
# on any GUI frameworks.
noXlibs = true;
# 24.04 has brought in a stub-ld that will throw a warning if you try to run a
# dynamically linked binary. This is an installer, so we probably won't try to run
# dynamically linked binaries on this system. Besides, it's annoying.
stub-ld.enable = mkForce false;
# NixOS bundles a few packages by default
# it's not too large of a list, but I don't need it and I prefer
# my system containing only the packages I've declared.
defaultPackages = mkForce [];
# packages I might want on an installer environment
systemPackages = with pkgs; [
gitMinimal
curl
wget
pciutils
lshw
rsync
nixos-install-tools
];
etc = {
# link a copy of our nixpkgs input as the nixpkgs channel
"nix/flake-channels/nixpkgs".source = inputs.nixpkgs;
# fix an annoying warning
"mdadm.conf".text = ''
MAILADDR root
'';
};
};
}
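Review bot: The comment above `stub-ld.enable = mkForce false` refers to "24.04", which does not match NixOS's release naming (YY.05 / YY.11); the release that introduced `environment.stub-ld` is presumably 24.05 — if so, `# 24.05 has brought in a stub-ld that will throw a warning if you try to run a`. The rest of the hunk reads fine.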


@ -0,0 +1,6 @@
{
# provide all hardware drivers, including proprietary ones
hardware = {
enableRedistributableFirmware = true;
};
}


@ -0,0 +1,10 @@
{pkgs, ...}: {
# console locale
console = let
variant = "u24n";
in {
# hidpi terminal font
font = "${pkgs.terminus_font}/share/consolefonts/ter-${variant}.psf.gz";
keyMap = "trq";
};
}


@ -0,0 +1,6 @@
{
imports = [
./console.nix
./sound.nix
];
}


@ -0,0 +1,4 @@
{
# disable sound related programs
sound.enable = false;
}
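Review bot: `sound.enable = false` targets the legacy top-level `sound` module, which newer nixpkgs releases have removed; once `inputs.nixpkgs` is bumped past that point this assignment fails evaluation rather than silently doing nothing (hedged: the pinned nixpkgs revision is not visible here). If the intent is only to keep audio daemons out of the image, a comment saying so, e.g. `# legacy option; remove once the pinned nixpkgs drops the sound module`, will save a future bisect.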


@ -0,0 +1,20 @@
{
pkgs,
lib,
...
}: let
inherit (lib.modules) mkForce;
in {
networking.networkmanager = {
enable = true;
plugins = mkForce [];
};
networking.wireless.enable = mkForce false;
# Enable SSH in the boot process.
systemd.services.sshd.wantedBy = mkForce ["multi-user.target"];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRDg2lu1rXKP4OfyghP17ZVL2csnyJEJcy9Km3LQm4r notashelf@enyo"
];
}
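Review bot: `systemd.services.sshd.wantedBy = mkForce ["multi-user.target"]` starts sshd at boot with a root authorized key, but nothing in this hunk enables `services.openssh`; this presumably relies on the installation-media profile enabling the service while leaving it unstarted (which is what this override undoes) — worth confirming and recording, e.g. `# the installation-device profile enables sshd but keeps it out of multi-user.target; start it anyway`. Root login over this key also depends on NixOS's default `PermitRootLogin = "prohibit-password"`, which is not pinned anywhere visible; setting `services.openssh.settings.PermitRootLogin = "prohibit-password";` next to the key keeps that policy local to the file that adds the key.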


@ -0,0 +1,12 @@
{
nix = {
settings = {
experimental-features = ["nix-command" "flakes" "repl-flake"];
log-lines = 30;
warn-dirty = false;
http-connections = 50;
accept-flake-config = true;
auto-optimise-store = true;
};
};
}
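Review bot: `accept-flake-config = true` makes Nix apply any `nixConfig` a flake declares (extra substituters, trusted public keys) without prompting, which extends trust to whichever flake is built on this media; on an installer that builds arbitrary user configurations this is a supply-chain exposure, so either drop the line or pin the trusted sources with `substituters`/`trusted-public-keys` here and keep the prompt. `"repl-flake"` in `experimental-features` has also been folded into core Nix in newer versions and may be reported as an unknown experimental feature once the pinned Nix moves — hedged, since the Nix version is not visible here.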


@ -0,0 +1,11 @@
{
# attempt to fix "too many open files"
security.pam.loginLimits = [
{
domain = "*";
item = "nofile";
type = "-";
value = "65536";
}
];
}


@ -0,0 +1,5 @@
{
imports = [
./openssh.nix
];
}


@ -0,0 +1,88 @@
{
# Hardened SSH configuration
services.openssh = {
extraConfig = ''
AllowTcpForwarding no
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
PermitTunnel no
'';
settings = {
Ciphers = [
"aes256-gcm@openssh.com"
"aes256-ctr,aes192-ctr"
"aes128-ctr"
"aes128-gcm@openssh.com"
"chacha20-poly1305@openssh.com"
];
KbdInteractiveAuthentication = false;
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
"sntrup761x25519-sha512@openssh.com"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
X11Forwarding = false;
};
};
# Client side SSH configuration
programs.ssh = {
ciphers = [
"aes256-gcm@openssh.com"
"aes256-ctr,aes192-ctr"
"aes128-ctr"
"aes128-gcm@openssh.com"
"chacha20-poly1305@openssh.com"
];
hostKeyAlgorithms = [
"ssh-ed25519"
"ssh-ed25519-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"sk-ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-512"
"rsa-sha2-512-cert-v01@openssh.com"
"rsa-sha2-256"
"rsa-sha2-256-cert-v01@openssh.com"
];
kexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
"sntrup761x25519-sha512@openssh.com"
];
knownHosts = {
github-rsa = {
hostNames = ["github.com"];
publicKey = "ssh-rsa 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";
};
github-ed25519 = {
hostNames = ["github.com"];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
};
gitlab-rsa = {
hostNames = ["gitlab.com"];
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9";
};
gitlab-ed25519 = {
hostNames = ["gitlab.com"];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
};
};
macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
};
}
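Review bot: The server-side `settings` never set `PasswordAuthentication`, so with NixOS's default it stays enabled; combined with the fixed `nixos` password in users.nix (and the empty root password, guarded only by the `PermitRootLogin` default) the "hardened" sshd still accepts password logins over the network. Add `PasswordAuthentication = false;` next to `KbdInteractiveAuthentication = false;` and, for the same reason, `PermitRootLogin = "prohibit-password";` so the policy is explicit rather than inherited. Also, `"aes256-ctr,aes192-ctr"` is a single list element in both `Ciphers` and `programs.ssh.ciphers`; it only works because the module joins the list with commas — splitting it into `"aes256-ctr"` and `"aes192-ctr"` keeps both lists consistent with their neighbours.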


@ -0,0 +1,11 @@
{
users.extraUsers.root.password = "";
users.users.nixos = {
uid = 1000;
password = "nixos";
description = "default";
isNormalUser = true;
extraGroups = ["wheel"];
};
}
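Review bot: `users.extraUsers.root.password` uses the legacy `extraUsers` alias while the next line uses `users.users`; both name the same option, so `users.users.root.password = "";` keeps the file consistent and is not affected if the alias is dropped. Both `password` attributes are stored as plaintext in the Nix store and the generated image, which is the usual installer convention but worth stating, e.g. `# installer convention: well-known credentials, reset after install`. Whether these accounts are reachable remotely depends on the password policy in openssh.nix, raised there.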