| author | Franck Cuny <franck@fcuny.net> | 2025-08-10 13:56:28 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-08-10 13:56:28 -0700 |
| commit | 8247d060a6cae65b2d63fd6bd3bf19ed9e66214c (patch) | |
| tree | b76329f5b7cc145d2f7bf5d8fd584790e18875f9 /profiles | |
| parent | flake.lock: Update (diff) | |
| download | infra-8247d060a6cae65b2d63fd6bd3bf19ed9e66214c.tar.gz | |
manage a DigitalOcean virtual machine with nixos
Add a new machine on DigitalOcean and provision it using terraform +
nixos-anywhere. This takes care of bringing the machine up on NixOS
completely, and uses a static SSH host key in order to configure
WireGuard at the same time.
Diffstat (limited to 'profiles')
| -rw-r--r-- | profiles/admin-user/user.nix | 1 | ||||
| -rw-r--r-- | profiles/default.nix | 11 | ||||
| -rw-r--r-- | profiles/server.nix | 19 |
3 files changed, 13 insertions, 18 deletions
diff --git a/profiles/admin-user/user.nix b/profiles/admin-user/user.nix
index e05ae6d..1a6b1dc 100644
--- a/profiles/admin-user/user.nix
+++ b/profiles/admin-user/user.nix
@@ -10,6 +10,7 @@
inherit (adminUser) uid;
shell = pkgs.fish;
isNormalUser = true;
+ hashedPassword = "$6$Llw8m62nKMLLN9mm$3.a4CKUFlqwkG8vjBryLlBNwTwgH63vpg2nhYwRoQzG76Q91vTXnlYDujS4G5yGrWoatkKZx5epCx4/NAvRh2/";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
];
diff --git a/profiles/default.nix b/profiles/default.nix
index 58c22eb..13b8759 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -40,16 +40,6 @@
## only allow declarative user management
users.mutableUsers = false;
- services.openssh.enable = true;
- services.openssh.settings.PasswordAuthentication = false;
- services.openssh.settings.PermitRootLogin = "no";
-
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- ];
-
- networking.firewall.allowedTCPPorts = [ 22 ];
- programs.fish.enable = true;
security.sudo.wheelNeedsPassword = false;
@@ -67,6 +57,7 @@
tcpdump traceroute vim
+ wireguard-tools
];
## disable that slow "building man-cache" step
diff --git a/profiles/server.nix b/profiles/server.nix
index ae46bce..49a0bc7 100644
--- a/profiles/server.nix
+++ b/profiles/server.nix
@@ -1,5 +1,4 @@
{
- config,
lib,
pkgs,
self,
@@ -12,10 +11,9 @@
"${self}/modules/motd.nix"
];
- # Virtualization settings
+ #Virtualization settings
virtualisation.docker.enable = true;
- boot.loader.systemd-boot.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernel.sysctl = {
@@ -32,11 +30,6 @@
useNetworkd = lib.mkDefault true;
};
- networking.useDHCP = lib.mkDefault true;
-
- # Default to systemd-networkd usage.
- systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
- # Use systemd-resolved for DoT support.
services.resolved = {
enable = true;
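Review bot: The `hashedPassword` added to the admin user commits a crackable credential to the repository: it is a `$6$` sha512-crypt hash with no explicit rounds parameter, so anyone who can read the repo can run an offline guessing attack at the default cost, and the hash cannot be rotated without another commit. Nothing in this change needs a password for remote access — `PasswordAuthentication = false` is set in the same commit and `security.sudo.wheelNeedsPassword = false` is visible in profiles/default.nix — so the only apparent use is local/console login (presumably the provider's recovery console, though the commit message does not say). Prefer `hashedPasswordFile = "/run/secrets/admin-password";` (or the path produced by whatever secret tool the repo deploys with) so the hash is delivered out of band, and put a comment above the line stating its purpose, e.g. `# console/recovery login only: SSH is key-only and sudo is passwordless`. The user attrset this line belongs to starts before the hunk.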
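Review bot: `#Virtualization settings` in profiles/server.nix drops the space after `#` that the file's other comments keep (`# Use systemd-resolved for DoT support.` in the next hunk), so the only visible change to that line is a style regression; write `# Virtualization settings` or leave the comment untouched. The `boot.kernel.sysctl = {` attrset opened at the end of this hunk continues outside it.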
@@ -51,4 +44,14 @@
"8.8.8.8#dns.google"
"1.0.0.1#cloudflare-dns.com"
];
+
+ services.openssh.enable = true;
+ services.openssh.settings.PasswordAuthentication = false;
+ services.openssh.settings.PermitRootLogin = "no";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
} |
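Review bot: Setting `PasswordAuthentication = false` alone does not close password logins over SSH here: on NixOS `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and sshd is configured with PAM, so a keyboard-interactive login can still prompt for the Unix password — and this same commit is the one that gives the admin user a password hash in profiles/admin-user/user.nix. Add `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the PasswordAuthentication line unless it is already set in a file outside this diff. The `users.users.root.openssh.authorizedKeys.keys` entry is inert for the running system once `PermitRootLogin = "no"` applies; if it is kept for the nixos-anywhere install phase, say so in a comment (`# root key is only used during nixos-anywhere provisioning`), otherwise drop it. Moving this block out of profiles/default.nix also means any host that imports only that profile and enables sshd elsewhere now falls back to the NixOS default of password authentication enabled; if such hosts exist, keeping `lib.mkDefault` hardening in the shared profile is safer.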
