initial commit

modules/os.nix

@@ -0,0 +1,26 @@
+{
+  # configure nix stuff
+  nix = {
+    settings = {
+      experimental-features = [ "nix-command" "flakes" "pipe-operators" ];
+      auto-optimise-store = true;
+    };
+    gc = {
+      dates = "weekly";
+      automatic = true;
+      randomizedDelaySec = "45min";
+    };
+  };
+
+  # Make sure the system is at least semi up to date
+  system.autoUpgrade = {
+    enable = true;
+    dates = "weekly";
+  };
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "25.05"; # Did you read the comment?
+}

modules/pkgs.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  # just a bunch of default packages that I use
+  environment.systemPackages = with pkgs; [
+    curl
+    git
+    htop
+    neovim
+    progress
+    tmux
+    tree
+    unzip
+    zmotd
+  ];
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.wheelNeedsPassword = false;
+}

modules/sops.nix

@@ -0,0 +1,22 @@
+{ inputs, ... }:
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    validateSopsFiles = false;
+
+    # Derive the age key from the systems ssh key. I didn't know this before but
+    # it seems like all systems have ssh keys already generated.
+    age = {
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+
+    secrets = {
+      "mail/me" = {};
+      "jellyfin/zachary" = {};
+    };
+  };
+}

modules/ssh.nix

@@ -0,0 +1,28 @@
+{ lib, config, ... }:
+{
+  options.ssh = {
+    disable = lib.mkOption {
+      default = false;
+      type = lib.types.bool;
+      description = "disable ssh conifguration";
+    };
+    keys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      # A list of my keys so I can access my servers. This also allows me into
+      # root on every system using this module.
+      default = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJUvmBJcNTniRgcFj36vWVTlJHEL5JS8wAst65Tx+mLpD69QxGsaXU/xvluX7xl+gnAKM2mZrG8oGPCBxsug1VytHLthUHlDqSPa/iSLwHq2KoUlSMvLR6iVzZiBLc+x8+jXyDL0QE4cEPKSbKsPBqSwMyWVZLy3dpG4WuOhD6MkJ9+hsHvzfHR67bNkl8zuB2ghj4TiUHgW47JBSXaIEXzevDiVUfhH/bZV2UFXaAcl2UesqcEX5BS1/w0RrHpDZN6NZFjdu76ltXw9zR8qwSihHOaw0HOpN3ikw87ENE15DqEDBcC9bl+xklMfbGj3vgGitj3W7VfbUFwabyTb/M7e8e5jZlZ2Jdyx31xnoxSV2Mb2j+ZRVvzux4S4If5EJtkiR1i/fxjIS3Uf4lDa4lGy1lqKTDjrkuDYA2xoh+eA5PgLUFw1h1sROzerqarmVZAfyuvqnzO82xE39ea8zK9PeenVGjXn+USC1+ueGPvtlhmeKvIUUugNp3g2rciKM= squibid@vrooom"
+      ];
+    };
+  };
+
+  config = lib.mkIf (!config.ssh.disable) {
+    services.sshguard.enable = true;
+    services.openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
+    };
+
+    users.users.root.openssh.authorizedKeys.keys = config.ssh.keys;
+  };
+}

modules/time.nix

@@ -0,0 +1,4 @@
+{
+  services.ntp.enable = true;
+  time.timeZone = "America/New_York";
+}

modules/unstable.nix

@@ -0,0 +1,9 @@
+{ inputs, pkgs, ... }:
+{
+  # this is quite silly but it works and with it you can specify packages to
+  # come from unstable like so:
+  # unstable.my_package_name
+  _module.args.unstable = import inputs.unstable {
+    inherit (pkgs.stdenv.hostPlatform) system;
+  };
+}

modules/users/admin.nix

@@ -0,0 +1,32 @@
+{ lib, config, ... }:
+{
+  imports = [ ../ssh.nix ];
+
+  options.admin = {
+    disable = lib.mkOption {
+      default = false;
+      type = lib.types.bool;
+      description = "disable admin user";
+    };
+  };
+
+  # named this way to reduce the attack surface of my servers
+  config = lib.mkIf (!config.admin.disable) {
+    sops.secrets."users/crown".neededForUsers = true;
+    users.mutableUsers = false; # required for sops to touch the password
+
+    users.users.crown = {
+      description = "wikipedia.org/wiki/Root_crown";
+      home = "/home/crown";
+      createHome = true;
+      group = "crown";
+      extraGroups = [ "wheel" ];
+      useDefaultShell = true;
+      isNormalUser = true;
+      hashedPasswordFile = config.sops.secrets."users/crown".path;
+      openssh.authorizedKeys.keys = config.ssh.keys;
+    };
+
+    users.groups.crown = {};
+  };
+}

modules/zmotd.nix

@@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+{
+  options.services.zmotd = {
+    enable = lib.mkEnableOption "zmotd";
+    interval = lib.mkOption {
+      default = "5m";
+      example = "5m";
+      description = "Change the timing of zmotd runs.";
+      type = lib.types.str;
+    };
+    config = lib.mkOption {
+      default = {
+        entries = [
+          { m = "hostname"; f = "fig"; }
+          { m = "distro"; }
+          { m = "kernel"; }
+          { m = "load"; }
+          { m = "uptime"; }
+        ];
+      };
+      type = lib.types.attrsOf lib.types.anything;
+    };
+    motdFile = lib.mkOption {
+      default = "/etc/motd";
+      description = "Change the where zmotd outputs to.";
+    };
+  };
+
+  config = lib.mkIf config.services.zmotd.enable {
+    users.motdFile = config.services.zmotd.motdFile;
+    systemd.services.zmotd = {
+      description = "Generate dynamic MOTD using zmotd";
+      enable = config.services.zmotd.enable;
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+        ExecStart = let
+          motdFile = config.services.zmotd.motdFile;
+          configFile = pkgs.writers.writeTOML
+            "zmotd-config.toml"
+            config.services.zmotd.config;
+        in pkgs.writeShellScript "zmotd-wrapper" ''
+          ${pkgs.zmotd}/bin/zmotd ${configFile} > ${motdFile}
+        '';
+      };
+    };
+    systemd.timers.zmotd = {
+      description = "Regenerate MOTD often";
+      enable = config.services.zmotd.enable;
+
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnActiveSec = "0s";
+        OnUnitActiveSec = config.services.zmotd.interval;
+        Unit = "zmotd.service";
+        Persistent = true;
+      };
+    };
+  };
+}