{ config, lib, pkgs, inputs, values, ... }: { imports = [ ./users ]; networking.domain = "pvv.ntnu.no"; networking.useDHCP = false; # networking.search = [ "pvv.ntnu.no" "pvv.org" ]; # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ]; # networking.tempAddresses = lib.mkDefault "disabled"; # networking.defaultGateway = values.hosts.gateway; systemd.network.enable = true; services.resolved = { enable = lib.mkDefault true; dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways... }; time.timeZone = "Europe/Oslo"; i18n.defaultLocale = "en_US.UTF-8"; console = { font = "Lat2-Terminus16"; keyMap = "no"; }; system.autoUpgrade = { enable = true; flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git"; flags = [ "--update-input" "nixpkgs" "--update-input" "nixpkgs-unstable" "--no-write-lock-file" ]; }; nix.gc.automatic = true; nix.gc.options = "--delete-older-than 2d"; nix.settings.experimental-features = [ "nix-command" "flakes" ]; /* This makes commandline tools like ** nix run nixpkgs#hello ** and nix-shell -p hello ** use the same channel the system ** was built with */ nix.registry = { nixpkgs.flake = inputs.nixpkgs; }; nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; environment.systemPackages = with pkgs; [ file git gnupg htop nano rsync screen tmux vim wget kitty.terminfo ]; programs.zsh.enable = true; users.groups."drift".name = "drift"; # Trusted users on the nix builder machines users.groups."nix-builder-users".name = "nix-builder-users"; services.openssh = { enable = true; extraConfig = '' PubkeyAcceptedAlgorithms=+ssh-rsa ''; settings.PermitRootLogin = "yes"; }; # nginx 404 for nonexistent virtualhosts sops.age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; keyFile = "/var/lib/sops-nix/key.txt"; generateKey = true; }; sops.secrets = lib.mkIf (config.services.nginx.enable) { "snakeoil_cert/public" = { owner = "nginx"; group = "nginx"; sopsFile = ./secrets/common.yaml; }; "snakeoil_cert/private" = { owner = "nginx"; group = "nginx"; sopsFile = ./secrets/common.yaml; }; }; services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) { sslCertificate = config.sops.secrets."snakeoil_cert/public".path; sslCertificateKey = config.sops.secrets."snakeoil_cert/private".path; addSSL = true; extraConfig = "return 444;"; }; }