imladris/configuration.nix
Kyle Isom 87be4e34d3 Add WNTRMUTE issuing CA to system trust store
All NixOS machines now trust the Metacircular platform CA. This
allows curl, browsers, and Go services to verify TLS certificates
issued by Metacrypt without --insecure or custom CA flags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 19:30:24 -07:00


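# Baseline configuration for all systems.
#
# NixOS module shared by every machine. Host-specific settings live in
# ./configs (imported below) and in the configurator, which sets the
# hostname. Anything that widens the machine's trust boundary (open
# ports, privilege escalation, trusted CAs) is commented at the point
# where it is configured.
{ config, pkgs, lib, ... }:
{
  imports = [
    ./configs
  ];

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # disabled in favor of nh (see pkgs.nix)
  # nix.settings.auto-optimise-store = true;
  # nix.gc = {
  #   automatic = true;
  #   dates = "weekly";
  #   options = "--delete-older-than 10d";
  # };

  # Set your time zone.
  time.timeZone = "America/Los_Angeles";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_US.UTF-8";
    LC_IDENTIFICATION = "en_US.UTF-8";
    LC_MEASUREMENT = "en_US.UTF-8";
    LC_MONETARY = "en_US.UTF-8";
    LC_NAME = "en_US.UTF-8";
    LC_NUMERIC = "en_US.UTF-8";
    LC_PAPER = "en_US.UTF-8";
    LC_TELEPHONE = "en_US.UTF-8";
    LC_TIME = "en_US.UTF-8";
  };

  # set by the configurator
  # networking.hostName = "imladris"; # Define your hostname.
  networking.networkmanager.enable = true;

  services.resolved.enable = true;
  services.resolved.fallbackDns = [
    "1.1.1.1"
    "8.8.8.8"
  ];

  # Open ports in the firewall.
  # Only the OpenSSH daemon is reachable from the network; everything
  # else stays behind the default-deny firewall.
  networking.firewall.allowedTCPPorts = [ 22 ];

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      # Key-only logins. The kyle account is created with a well-known
      # initialPassword (see users.users.kyle) and escalates to root
      # without a password via doas, so a password-accepting sshd on the
      # open port 22 would expose a freshly installed machine under that
      # default. Authorized keys must be provisioned (e.g. via ./configs)
      # before relying on remote access. This replaces the commented-out,
      # pre-`settings` spelling of the same option that was never enabled.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # Passwordless root for kyle with the caller's environment preserved.
  # Deliberate convenience trade-off: whoever holds the kyle account (or
  # its SSH key) has root on this machine, which is why password-based
  # remote login is disabled in services.openssh above.
  security.doas = {
    enable = true;
    extraRules = [{
      users = [ "kyle" ];
      keepEnv = true;
      noPass = true;
    }];
  };

  environment.variables = {
    SBCL_HOME = "/run/current-system/sw/lib/sbcl";
  };

  services.cron.enable = true;
  programs.zsh.enable = true;

  users.mutableUsers = true;
  users.users.kyle = {
    # Only assigned when the account is first created (mutableUsers is
    # true, so later changes via passwd are kept). With sshd rejecting
    # passwords this is usable only at the console; change it after the
    # first login rather than leaving the well-known value in place.
    initialPassword = "password";
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "audio"
      "cdrom"
      "dialout"
      "disk"
      "kvm"
      "networkmanager"
      "video"
    ];
    shell = pkgs.zsh;
  };

  programs.direnv.enable = true;
  programs.command-not-found.enable = false;

  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
    # Add any missing dynamic libraries for unpackaged programs
    # here, NOT in environment.systemPackages
  ];

  services.udisks2.enable = true;

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  virtualisation = {
    containers = {
      enable = true;
    };
    podman = {
      enable = true;
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
    diskSize = 262144;
  };

  services.tailscale.enable = true;
  services.syncthing.enable = true;

  security.pam.u2f = {
    enable = true;
    settings.cue = true;
  };

  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
  programs.ssh.askPassword = "ksshaskpass";

  # Trust the WNTRMUTE issuing CA for all Metacircular services.
  # This adds the CA to the system bundle, so every consumer of that
  # bundle accepts any certificate chaining to it, for any name. The CA's
  # signing key is therefore part of this machine's trust boundary; its
  # protection (and any name constraints on the CA) bounds the exposure.
  # Only the public certificate belongs here: the file is copied into the
  # world-readable Nix store.
  security.pki.certificateFiles = [ ./certs/wntrmute-ca.pem ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # Trusted users can pass arbitrary settings to the Nix daemon, which is
  # effectively root; consistent with the passwordless doas rule above.
  nix.settings.trusted-users = [ "kyle" ];

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.11"; # Did you read the comment?
}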