Infinidoge
414f8b6030
Also enable AMD microcode updates based on redistributable firmware being enabled
52 lines
1.3 KiB
Nix
52 lines
1.3 KiB
Nix
{ config, lib, ... }:
|
|
with lib;
|
|
{
|
|
# Security settings based on https://github.com/hlissner/dotfiles/blob/master/modules/security.nix
|
|
security = {
|
|
sudo.extraConfig = ''
|
|
Defaults lecture=never
|
|
'';
|
|
acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "infinidoge@inx.moe";
|
|
};
|
|
|
|
pam.enableSSHAgentAuth = true;
|
|
};
|
|
|
|
hardware = {
|
|
enableRedistributableFirmware = mkDefault true;
|
|
cpu.amd.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
|
|
};
|
|
|
|
boot = {
|
|
# Make tmp volatile, using tmpfs is speedy on SSD systems
|
|
# Redundant on opt-in state systems
|
|
# tmpOnTmpfs = mkDefault true;
|
|
# cleanTmpDir = mkDefault (!config.boot.tmpOnTmpfs);
|
|
};
|
|
|
|
# Allow non-root users to allow other users to access mount point
|
|
programs.fuse.userAllowOther = mkDefault true;
|
|
|
|
# For rage encryption, all hosts need a ssh key pair
|
|
services.openssh = {
|
|
enable = true;
|
|
openFirewall = mkDefault true;
|
|
settings.X11Forwarding = mkDefault false;
|
|
hostKeys = mkDefault [
|
|
{
|
|
bits = 4096;
|
|
openSSHFormat = true;
|
|
path = "/etc/ssh/ssh_host_rsa_key";
|
|
rounds = 100;
|
|
type = "rsa";
|
|
}
|
|
{
|
|
path = "/etc/ssh/ssh_host_ed25519_key";
|
|
rounds = 100;
|
|
type = "ed25519";
|
|
}
|
|
];
|
|
};
|
|
}
|