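# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Security-relevant decisions made in this file (see the inline notes):
#   - privilege escalation is doas (+ U2F on the "doas" PAM service); sudo is off;
#   - SSH is key-only: password / keyboard-interactive auth and root login are off;
#   - "user" is effectively root (wheel + docker), so console auto-login is
#     deliberately left disabled.

{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  # Bootloader.
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  boot.loader.grub.useOSProber = true;

  # Use latest kernel.
  boot.kernelPackages = pkgs.linuxPackages_latest;

  networking.hostName = "vm-0n25m"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Enable networking
  # NOTE(review): NetworkManager and the static networking.interfaces.* block
  # below both want to manage enp1s0. If the address flaps after activation,
  # list the interface in networking.networkmanager.unmanaged or keep only one
  # of the two mechanisms.
  networking.networkmanager.enable = true;
  networking.interfaces.enp1s0.ipv4.addresses = [{
    address = "192.168.122.2";
    prefixLength = 24;
  }];
  networking.defaultGateway = "192.168.122.1";
  networking.nameservers = [ "9.9.9.9" ];

  # Inbound exposure: Caddy on 80/443. sshd's port is NOT listed here; it is
  # opened separately by services.openssh.openFirewall (default true), so the
  # effective inbound set is 22, 80 and 443.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # enable NAT
  # networking.nat.enable = true;
  # networking.nat.externalInterface = "eth0";
  # networking.nat.internalInterfaces = [ "wg0" ];
  # networking.firewall.allowedUDPPorts = [ 51820 ];
  # networking.wireguard.interfaces = {
  #   # "wg0" is the network interface name. You can name the interface arbitrarily.
  #   wg0 = {
  #     # Determines the IP address and subnet of the client's end of the tunnel interface.
  #     ips = [ "10.213.0.2/24" ];
  #     listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
  #
  #     # Path to the private key file.
  #     #
  #     # Note: The private key can also be included inline via the privateKey option,
  #     # but that copies it into the world-readable Nix store; use privateKeyFile.
  #     # Keep the file outside any user's home directory, owned by root with
  #     # mode 0400 (e.g. under /etc/wireguard/), or provision it with a
  #     # secrets tool rather than by hand.
  #     privateKeyFile = "/etc/wireguard/wg0.key";
  #
  #     peers = [
  #       # For a client configuration, one peer entry for the server will suffice.
  #
  #       {
  #         # Public key of the server (not a file path).
  #         publicKey = "{server public key}";
  #
  #         # Forward all the traffic via VPN.
  #         allowedIPs = [ "0.0.0.0/0" ];
  #         # Or forward only particular subnets
  #         #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ];
  #
  #         # Set this to the server IP and port.
  #         endpoint = "147.189.168.9:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
  #
  #         # Send keepalives every 25 seconds. Important to keep NAT tables alive.
  #         persistentKeepalive = 25;
  #       }
  #     ];
  #   };
  # };

  # Set your time zone.
  time.timeZone = "America/New_York";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_US.UTF-8";
    LC_IDENTIFICATION = "en_US.UTF-8";
    LC_MEASUREMENT = "en_US.UTF-8";
    LC_MONETARY = "en_US.UTF-8";
    LC_NAME = "en_US.UTF-8";
    LC_NUMERIC = "en_US.UTF-8";
    LC_PAPER = "en_US.UTF-8";
    LC_TELEPHONE = "en_US.UTF-8";
    LC_TIME = "en_US.UTF-8";
  };

  # Configure keymap in X11
  services.xserver.xkb = {
    layout = "us";
    variant = "";
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # NOTE: "wheel" (doas to root) plus "docker" (the Docker socket is
  # root-equivalent) make this account effectively root. Treat its password
  # and the SSH keys below as root credentials.
  users.users.user = {
    isNormalUser = true;
    description = "user";
    extraGroups = [ "networkmanager" "wheel" "docker" ];
    packages = with pkgs; [];
  };
  users.users.user.openssh.authorizedKeys.keys = [
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILlH0MBSUOzUfUdCNkPqrFSQsQnPrCD8wt2ZbUj7xn7lAAAABHNzaDo=" # green_ham
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6GNWvC4o2MfwCWl7ClIMAL/UncQvJdxigrON0kLTkX" # red_penguin
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM0a/oZbVK0v17T1S6yUw02tKxWkNGVMSJDCiL3q8Eb7" # blue_hen
  ];

  # Console auto-login is intentionally disabled. Enabling it would hand an
  # unauthenticated shell to anyone with access to the VM console as a user
  # in the "docker" group, i.e. root on this host without ever passing the
  # doas/U2F check. Re-enable only on a throwaway machine.
  # services.getty.autologinUser = "user";

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
    wireguard-tools
  ];

  # OpenSSH, key-only. Keys are pinned above, so password and
  # keyboard-interactive logins would only add brute-force surface; root
  # never logs in directly (escalate with doas after logging in as "user").
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  ##############################################################################
  # Privilege escalation: doas replaces sudo.
  security.doas.enable = true;
  security.doas.extraRules = [{
    groups = [ "wheel" ];
    # Cache a successful authentication for a while (like sudo's timestamp).
    persist = true;
    # keepEnv hands the caller's entire environment to the root process
    # (PATH, LD_*, EDITOR, ...). Convenient, but it is the broad option;
    # setEnv = [ ... ] lets you whitelist just the variables you need.
    keepEnv = true;
  }];
  security.sudo.enable = false;
  # Takes effect only if sudo is ever re-enabled; harmless while it is off.
  security.sudo.execWheelOnly = true;

  ##############################################################################
  # PAM / U2F.
  # NOTE(review): security.pam.u2f.control defaults to "sufficient", so a
  # touch of the registered key alone satisfies the check and the password
  # is the fallback. Set control = "required" if you want key AND password.
  security.pam.u2f = {
    enable = true;
    settings = {
      interactive = true;
      cue = true;
    };
  };
  services.pcscd.enable = true;
  security.pam.services = {
    login.u2fAuth = false;
    # The escalation path is doas, so the U2F check has to be attached to the
    # "doas" PAM service. Attaching it to "sudo" does nothing here because
    # sudo is disabled above, which would leave doas password-only.
    doas.u2fAuth = true;
  };

  ##############################################################################
  # Docker. Reminder: membership of the "docker" group (granted to "user"
  # above) is root-equivalent on the host through the daemon socket.
  virtualisation.docker.enable = true;
  virtualisation.docker.enableOnBoot = true;

  ##############################################################################
  # Caddy (local reverse proxy), reachable on 80/443 through the firewall.
  services.caddy.enable = true;
  # ACME contact address; replace it before serving a real public hostname.
  services.caddy.email = "example@example.com";
  services.caddy.virtualHosts."localhost".extraConfig = ''
    respond "OK"
  '';
  # Raw Caddyfile appended after the generated virtual hosts
  # (services.caddy.config is the old name for this option).
  # NOTE(review): "root" by itself serves nothing -- add "file_server" or a
  # "reverse_proxy" directive inside the site block -- and Caddy will try to
  # obtain an ACME certificate for example.com, so only keep a name you own.
  services.caddy.extraConfig = ''
    example.com {
      root /var/www/
    }
    # log {
    #   level ERROR
    # }
  '';
  # https://mdleom.com/blog/2020/03/14/caddy-nixos-part-3/#reverse-proxy

  ##############################################################################
  # List services that you want to enable:

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "25.05"; # Did you read the comment?

}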