Diffstat (limited to 'profiles')
-rw-r--r--profiles/default.nix2
-rw-r--r--profiles/nas.nix4
-rw-r--r--profiles/server.nix9
-rw-r--r--profiles/tailscale.nix6
-rw-r--r--profiles/workstation.nix5
5 files changed, 26 insertions, 0 deletions
diff --git a/profiles/default.nix b/profiles/default.nix
index 4575b13..2353dde 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -26,6 +26,8 @@
services.fstrim.enable = true;
+ services.fwupd.enable = true;
+
programs.ssh = {
# $ ssh-keyscan example.com
knownHosts = {
diff --git a/profiles/nas.nix b/profiles/nas.nix
index 9c25c22..d1033af 100644
--- a/profiles/nas.nix
+++ b/profiles/nas.nix
@@ -11,4 +11,8 @@
group = "nas";
isSystemUser = true;
};
+
+ # Use systemd-resolved
+ services.resolved.enable = true;
+ services.resolved.dnssec = "false";
}
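Review bot: `services.resolved.dnssec = "false";` turns off DNSSEC validation in the resolver, and the only comment, `# Use systemd-resolved`, does not say why. With validation off, resolved accepts unauthenticated answers even for signed zones, so DNS integrity on this host rests entirely on the upstream resolver and the network path. If the reason is an upstream that breaks under validation, `services.resolved.dnssec = "allow-downgrade";` keeps validation wherever the upstream supports it; otherwise record the reason in the comment. The same two lines are added at the end of profiles/workstation.nix in this commit.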
diff --git a/profiles/server.nix b/profiles/server.nix
index 5a95dff..731ebe8 100644
--- a/profiles/server.nix
+++ b/profiles/server.nix
@@ -2,6 +2,7 @@
{
imports = [
./default.nix
+ ./tailscale.nix
];
powerManagement.cpuFreqGovernor = "schedutil";
@@ -12,4 +13,12 @@
packages = with pkgs; [ terminus_font ];
keyMap = "us";
};
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "yes";
+ passwordAuthentication = false;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
}
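Review bot: `permitRootLogin = "yes";` is broader than this block appears to need. With `passwordAuthentication = false` the intent looks like key-only access, and `permitRootLogin = "prohibit-password";` states that directly while also refusing keyboard-interactive logins for root, which the block does not otherwise address. `networking.firewall.allowedTCPPorts = [ 22 ];` opens sshd on every interface, yet this profile now imports `./tailscale.nix`, which already trusts `tailscale0`. If SSH is only meant to be reached over the tailnet, drop that line and set `services.openssh.openFirewall = false;`. If public SSH is intended, a one-line comment saying so would make the exposure deliberate.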
diff --git a/profiles/tailscale.nix b/profiles/tailscale.nix
new file mode 100644
index 0000000..61c1a38
--- /dev/null
+++ b/profiles/tailscale.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ services.tailscale.enable = true;
+ networking.firewall.trustedInterfaces = [ "tailscale0" ];
+ networking.firewall.checkReversePath = "loose";
+}
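Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ];` accepts every port from any tailnet peer, so the host firewall no longer limits what other nodes can reach and access control rests on the tailnet ACLs alone; the new file has no comment recording that. `networking.firewall.checkReversePath = "loose";` is a global setting, so it relaxes reverse-path filtering on all interfaces of every host importing this profile, not only on `tailscale0`. I would add comments such as `# tailscale0 is fully trusted: restrict access with tailnet ACLs` and `# loose rpfilter for Tailscale routing; applies to all interfaces`. The stated reason for the second is my assumption and should be confirmed.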
diff --git a/profiles/workstation.nix b/profiles/workstation.nix
index f136c33..3b422a6 100644
--- a/profiles/workstation.nix
+++ b/profiles/workstation.nix
@@ -4,6 +4,7 @@
./default.nix
./documentation.nix
./btrfs.nix
+ ./tailscale.nix
];
virtualisation.docker.enable = false;
@@ -82,4 +83,8 @@
pavucontrol
easyeffects
];
+
+ # Use systemd-resolved
+ services.resolved.enable = true;
+ services.resolved.dnssec = "false";
}