From b6d6b6f366c3cbf7e7340f08ea8877bf0a8d45e7 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Tue, 2 May 2023 19:30:39 -0700
Subject: profiles: consolidates common networking bits

This remove ssh on workstations. I also drop mosh since I don't use it.
---
 profiles/default.nix | 2 ++
 profiles/nas.nix | 4 ++++
 profiles/server.nix | 9 +++++++++
 profiles/tailscale.nix | 6 ++++++
 profiles/workstation.nix | 5 +++++
 5 files changed, 26 insertions(+)
 create mode 100644 profiles/tailscale.nix
(limited to 'profiles')

diff --git a/profiles/default.nix b/profiles/default.nix
index 4575b13..2353dde 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -26,6 +26,8 @@
 
   services.fstrim.enable = true;
 
+  services.fwupd.enable = true;
+
   programs.ssh = {
     # $ ssh-keyscan example.com
     knownHosts = {
diff --git a/profiles/nas.nix b/profiles/nas.nix
index 9c25c22..d1033af 100644
--- a/profiles/nas.nix
+++ b/profiles/nas.nix
@@ -11,4 +11,8 @@
     group = "nas";
     isSystemUser = true;
   };
+
+  # Use systemd-resolved
+  services.resolved.enable = true;
+  services.resolved.dnssec = "false";
 }
diff --git a/profiles/server.nix b/profiles/server.nix
index 5a95dff..731ebe8 100644
--- a/profiles/server.nix
+++ b/profiles/server.nix
@@ -2,6 +2,7 @@
 {
   imports = [
     ./default.nix
+    ./tailscale.nix
   ];
 
   powerManagement.cpuFreqGovernor = "schedutil";
@@ -12,4 +13,12 @@
     packages = with pkgs; [ terminus_font ];
     keyMap = "us";
   };
+
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "yes";
+    passwordAuthentication = false;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 22 ];
 }
diff --git a/profiles/tailscale.nix b/profiles/tailscale.nix
new file mode 100644
index 0000000..61c1a38
--- /dev/null
+++ b/profiles/tailscale.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.tailscale.enable = true;
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+  networking.firewall.checkReversePath = "loose";
+}
diff --git a/profiles/workstation.nix b/profiles/workstation.nix
index f136c33..3b422a6 100644
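Review bot: `services.resolved.dnssec = "false";` in the nas.nix hunk disables DNSSEC validation without recording why, and the same two lines are added again in the second hunk of profiles/workstation.nix. If the motivation is an upstream resolver that breaks validation, `services.resolved.dnssec = "allow-downgrade";` keeps validation where the upstream supports it and falls back otherwise, which is presumably closer to the intent than turning it off outright. Either way a comment such as `# DNSSEC off: <reason>` next to the assignment would make the trade-off visible to the next reader. The enclosing attribute set begins above the hunk.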
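Review bot: `permitRootLogin = "yes";` in the second server.nix hunk is broader than the policy the adjacent `passwordAuthentication = false;` implies; `permitRootLogin = "prohibit-password";` states key-only root access directly and keeps it enforced even if password authentication is later re-enabled. Disabling `passwordAuthentication` alone also does not rule out password prompts, because NixOS leaves keyboard-interactive (PAM) authentication on by default, so `kbdInteractiveAuthentication = false;` should accompany it. `networking.firewall.allowedTCPPorts = [ 22 ];` opens sshd on every interface, while the `./tailscale.nix` import added in the first hunk already trusts `tailscale0`; if SSH is only meant to be reachable over the tailnet, that line can be dropped. The enclosing attribute set begins above the hunk.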
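Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ];` bypasses the firewall for all traffic arriving over the tailnet, so every service listening on the host becomes reachable from any tailnet peer, not only the ones the profiles intend to expose. If only specific ports should be reachable, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` is the narrower form. `networking.firewall.checkReversePath = "loose";` relaxes the reverse-path (anti-spoofing) check on every interface and deserves a comment stating why it is needed, e.g. `# loose rp_filter: required when this host uses Tailscale exit nodes / subnet routes`; if no host using this profile does so, the default may be sufficient.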
--- a/profiles/workstation.nix
+++ b/profiles/workstation.nix
@@ -4,6 +4,7 @@
     ./default.nix
     ./documentation.nix
     ./btrfs.nix
+    ./tailscale.nix
   ];
 
   virtualisation.docker.enable = false;
@@ -82,4 +83,8 @@
     pavucontrol
     easyeffects
   ];
+
+  # Use systemd-resolved
+  services.resolved.enable = true;
+  services.resolved.dnssec = "false";
 }
-- 
cgit 1.4.1