From de6df90c79de50ae587976ba41fee62ab1253739 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Mon, 18 Sep 2023 09:02:00 -0500 Subject: [PATCH] Firewall --- flake.lock | 66 +++++++++++++++++++++++++++++++----------------- flake.nix | 8 +++++- nixos/common.nix | 11 ++++---- readme.md | 6 +++-- 4 files changed, 60 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index 174dea2..c977fc8 100644 --- a/flake.lock +++ b/flake.lock @@ -135,6 +135,21 @@ "type": "github" } }, + "flake-utils_4": { + "locked": { + "lastModified": 1644229661, + "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "helix": { "inputs": { "crane": "crane", @@ -158,7 +173,9 @@ }, "home-manager": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1693208669, @@ -240,22 +257,6 @@ } }, "nixpkgs_4": { - "locked": { - "lastModified": 1693771906, - "narHash": "sha256-32EnPCaVjOiEERZ+o/2Ir7JH9pkfwJZJ27SKHNvt4yk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "da5adce0ffaff10f6d0fee72a02a5ed9d01b52fc", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { "locked": { "lastModified": 1692794066, "narHash": "sha256-H0aG8r16dj0x/Wz6wQhQxc9V7AsObOiHPaKxQgH6Y08=", @@ -271,7 +272,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1693844670, "narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=", @@ -287,7 +288,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_6": { "locked": { "lastModified": 1693844670, "narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=", 
@@ -309,15 +310,16 @@ "disko": "disko", "helix": "helix", "home-manager": "home-manager", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "rtx": "rtx", - "sops-nix": "sops-nix" + "sops-nix": "sops-nix", + "utils": "utils" } }, "rtx": { "inputs": { "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1693923183, @@ -360,7 +362,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_6", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { @@ -406,6 +408,24 @@ "repo": "default", "type": "github" } + }, + "utils": { + "inputs": { + "flake-utils": "flake-utils_4" + }, + "locked": { + "lastModified": 1657226504, + "narHash": "sha256-GIYNjuq4mJlFgqKsZ+YrgzWm0IpA4axA3MCrdKYj7gs=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "2bf0f91643c2e5ae38c1b26893ac2927ac9bd82a", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 9896c08..80d25d0 100644 --- a/flake.nix +++ b/flake.nix @@ -1,9 +1,15 @@ { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; + utils.url = "github:gytis-ivaskevicius/flake-utils-plus"; # nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-channels/nixos-unstable"; api-lyte-dev.url = "git+ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git"; - home-manager.url = "github:nix-community/home-manager/release-23.05"; + home-manager = { + url = "github:nix-community/home-manager/release-23.05"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.utils.follows = "utils"; + }; + disko.url = "github:nix-community/disko/master"; sops-nix.url = "github:Mic92/sops-nix"; helix.url = "github:helix-editor/helix"; diff --git a/nixos/common.nix b/nixos/common.nix index 02e18d1..52af431 100644 --- a/nixos/common.nix +++ b/nixos/common.nix 
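Review bot: The new root-level `utils` input is not referenced anywhere else in this flake; as far as the hunk shows it exists only so that `home-manager.inputs.utils.follows = "utils"` can redirect home-manager's flake-utils-plus dependency, and nothing in the code says so. A one-line comment above it would save the next reader from hunting for a use site, e.g. `# not used directly; declared so home-manager's "utils" input can follow it (dedupes flake-utils-plus)`. The input is declared with neither a ref nor a rev, so the only thing fixing its version is the `utils` entry the lockfile hunk adds (rev 2bf0f916…, lastModified 1657226504); that is reproducible today, but it is worth noting in the same comment that `nix flake update` will refetch from the repository's default branch. The `inputs` attribute set continues past the end of this hunk.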
@@ -1,11 +1,12 @@ -{ config, lib, inputs, system, ... }: -let +{ config, lib, inputs, system, ... }: +let overlay = final: prev: { helix = prev.helix // inputs.helix.packages.${system}.helix; rtx = prev.rtx // inputs.rtx.packages.${system}.rtx; }; pkgs = inputs.nixpkgs.legacyPackages.${system}.extend overlay; -in { +in +{ services.journald.extraConfig = "SystemMaxUse=1G"; environment = { @@ -96,8 +97,8 @@ in { PasswordAuthentication = false; }; - # tailscale handles this I think - openFirewall = lib.mkDefault false; + # TODO: tailscale can handle this I think...? + openFirewall = lib.mkDefault true; # listenAddresses = [ # { addr = "0.0.0.0"; port = 22; } diff --git a/readme.md b/readme.md index 42dcbbb..a067f39 100644 --- a/readme.md +++ b/readme.md @@ -75,12 +75,14 @@ sudo nix-shell --packages git --run "nix run \ --arg disks '[ \"/dev/your_disk\" ]'" ``` -And finally install NixOS as specified by this flake: +And finally install NixOS (optionally using my cache) as specified by this flake: ```bash nix-shell --packages git \ --run "sudo nixos-install \ - --flake 'git+https://git.lyte.dev/lytedev/nix#yourNixosConfig'" + --flake 'git+https://git.lyte.dev/lytedev/nix#yourNixosConfig' \ + --option substituters 'https://nix.h.lyte.dev' \ + --option trusted-public-keys 'h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0='" ``` **NOTE**: This takes a while, mostly due to building Helix myself on each box. I
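Review bot: `openFirewall = lib.mkDefault true;` opens TCP/22 on every interface of every host that imports common.nix, reversing the previous default that relied on tailscale for reachability; with `PasswordAuthentication = false` just above, the exposure is key-only, but sshd becomes reachable from any non-tailscale network these hosts sit on, and the replacement comment records a question rather than a decision. If the goal is only SSH over tailscale, keep `openFirewall = lib.mkDefault false;` and allow the port on the tailscale interface instead, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` (assuming the default `services.tailscale.interfaceName`), or set `services.openssh.openFirewall = true` only in the host configurations that genuinely need public SSH. Whichever is chosen, replace the TODO with a comment stating the intent, e.g. `# SSH is expected to be reached over tailscale; hosts that need it public override this per host`. The enclosing attribute set (apparently `services.openssh`) starts before this hunk.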