From 4b2b808224d4c4f249d0367ee2c8f68b825639e5 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 7 Jan 2023 20:43:57 +0100 Subject: Format: First formatting with Alejandra This marks the beginning of a clean git commit history. This is because of two changes: * Usage of conventional-commits (https://www.conventionalcommits.org/en/v1.0.0/). * Consistent formatting of the code base to reduce diff footprints. The choice of Alejandra as auto-formatter is obviously not final. --- configuration.nix | 7 +++---- hardware-configuration.nix | 15 ++++++++------- networking.nix | 39 +++++++++++++++++++++++++++++---------- packages.nix | 17 ++++++++--------- 4 files changed, 48 insertions(+), 30 deletions(-) diff --git a/configuration.nix b/configuration.nix index e531a8e..dd6b7a8 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,9 +1,8 @@ -{ pkgs, ... }: { +{pkgs, ...}: { imports = [ ./hardware-configuration.nix ./packages.nix ./networking.nix # generated at runtime by nixos-infect - ]; boot.cleanTmpDir = true; @@ -12,9 +11,9 @@ networking.domain = "vhack.eu"; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2mYuiOuIb13E3wJRYPHOFN/dR5ySFozG2I/18HBSRJ dt@DESKTOP-IDOHVE" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2mYuiOuIb13E3wJRYPHOFN/dR5ySFozG2I/18HBSRJ dt@DESKTOP-IDOHVE" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" ]; system.stateVersion = "22.11"; diff --git a/hardware-configuration.nix b/hardware-configuration.nix index e8756e4..c4fe39a 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix 
@@ -1,9 +1,10 @@ -{ modulesPath, ... }: -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; +{modulesPath, ...}: { + imports = [(modulesPath + "/profiles/qemu-guest.nix")]; boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; - boot.initrd.kernelModules = [ "nvme" "btrfs" ]; - fileSystems."/" = { device = "/dev/vda3"; fsType = "ext4"; }; - + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + boot.initrd.kernelModules = ["nvme" "btrfs"]; + fileSystems."/" = { + device = "/dev/vda3"; + fsType = "ext4"; + }; } diff --git a/networking.nix b/networking.nix index 9b254e0..26d6719 100644 --- a/networking.nix +++ b/networking.nix @@ -1,9 +1,10 @@ -{ lib, ... }: { +{lib, ...}: { # This file was populated at runtime with the networking # details gathered from the active system. networking = { - nameservers = [ "8.8.8.8" - ]; + nameservers = [ + "8.8.8.8" + ]; defaultGateway = "89.58.56.1"; defaultGateway6 = "fe80::1"; dhcpcd.enable = false; @@ -11,20 +12,38 @@ interfaces = { eth0 = { ipv4.addresses = [ - { address="89.58.58.33"; prefixLength=22; } + { + address = "89.58.58.33"; + prefixLength = 22; + } ]; ipv6.addresses = [ - { address="2a03:4000:6a:3f3:6422:6dff:fe82:939b"; prefixLength=64; } -{ address="fe80::6422:6dff:fe82:939b"; prefixLength=64; } + { + address = "2a03:4000:6a:3f3:6422:6dff:fe82:939b"; + prefixLength = 64; + } + { + address = "fe80::6422:6dff:fe82:939b"; + prefixLength = 64; + } + ]; + ipv4.routes = [ + { + address = "89.58.56.1"; + prefixLength = 32; + } + ]; + ipv6.routes = [ + { + address = "fe80::1"; + prefixLength = 128; + } ]; - ipv4.routes = [ { address = "89.58.56.1"; prefixLength = 32; } ]; - ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ]; }; - }; }; services.udev.extraRules = '' ATTR{address}=="66:22:6d:82:93:9b", NAME="eth0" - + ''; } 
diff --git a/packages.nix b/packages.nix index ea6daf3..4d33c6e 100644 --- a/packages.nix +++ b/packages.nix @@ -1,10 +1,9 @@ -{ pkgs, ...}: -{ - environment.systemPackages = with pkgs; [ - jre_minimal - git - zsh - neovim - btrfs-progs - ]; +{pkgs, ...}: { + environment.systemPackages = with pkgs; [ + jre_minimal + git + zsh + neovim + btrfs-progs + ]; } -- cgit 1.4.1 From 78aae0bda1053235c0fc43556dbd0b58fd4aea8b Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 7 Jan 2023 21:06:45 +0100 Subject: Feat: Some security for ssh Yes, root login is in itself a bad thing, but reducing the attack surface somewhat should be a good first step to a bright future. --- configuration.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/configuration.nix b/configuration.nix index dd6b7a8..852a6ee 100644 --- a/configuration.nix +++ b/configuration.nix @@ -2,19 +2,25 @@ imports = [ ./hardware-configuration.nix ./packages.nix - ./networking.nix # generated at runtime by nixos-infect + ./networking.nix # network configuration that just works ]; boot.cleanTmpDir = true; zramSwap.enable = true; networking.hostName = "server1"; networking.domain = "vhack.eu"; - services.openssh.enable = true; + + # openssh config + services.openssh = { + enable = true; + passwordAuthentication = false; + extraConfig = "PrintMotd yes\n"; # this could be done with pam + }; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2mYuiOuIb13E3wJRYPHOFN/dR5ySFozG2I/18HBSRJ dt@DESKTOP-IDOHVE" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" ]; system.stateVersion = "22.11"; } +# vim: ts=2 -- cgit 1.4.1
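Review bot: Setting only `passwordAuthentication = false;` in the new `services.openssh` block does not close the password path for root, because NixOS enables `UsePAM` and leaves keyboard-interactive authentication on by default, so sshd can still prompt for the root password via PAM's keyboard-interactive method. The block should also set `kbdInteractiveAuthentication = false;` and `permitRootLogin = "prohibit-password";`, which makes the root account that the `authorizedKeys` list below targets key-only regardless of how the other toggles are changed later (those are the 22.11 option names matching `system.stateVersion`; later releases move them under `services.openssh.settings`). The `PrintMotd yes` line in `extraConfig` is harmless, but its trailing `# this could be done with pam` reads as a note to self — a comment stating what it does, e.g. `# sshd prints /etc/motd itself instead of relying on pam_motd`, would serve the next maintainer better. The module attribute set this hunk edits opens on line 1 of configuration.nix, outside the hunk.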