-rw-r--r--profiles/admin-user/home-manager.nix12
-rw-r--r--profiles/admin-user/user.nix22
-rw-r--r--profiles/darwin.nix52
-rw-r--r--profiles/default.nix74
-rw-r--r--profiles/nix.nix47
-rw-r--r--profiles/server.nix35
6 files changed, 160 insertions, 82 deletions
diff --git a/profiles/admin-user/home-manager.nix b/profiles/admin-user/home-manager.nix
new file mode 100644
index 0000000..7a9ae43
--- /dev/null
+++ b/profiles/admin-user/home-manager.nix
@@ -0,0 +1,12 @@
+{
+ adminUser,
+ ...
+}:
+{
+ home-manager = {
+ users.${adminUser.name} = {
+ home.username = "${adminUser.name}";
+ inherit (adminUser) userinfo;
+ };
+ };
+}
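Review bot: `home.username = "${adminUser.name}";` wraps a value that is already a string in an interpolation, so the plain `home.username = adminUser.name;` is the idiomatic form and reads the same as the `inherit (adminUser) ...` line below it. `inherit (adminUser) userinfo;` sets a top-level `userinfo` attribute on the home-manager user config; that is not a stock home-manager option, so it presumably relies on a module elsewhere in this repository declaring it — a short comment such as `# userinfo is declared by the repo's own home-manager module` would save the next reader a search.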
diff --git a/profiles/admin-user/user.nix b/profiles/admin-user/user.nix
new file mode 100644
index 0000000..e05ae6d
--- /dev/null
+++ b/profiles/admin-user/user.nix
@@ -0,0 +1,22 @@
+{
+ adminUser,
+ pkgs,
+ ...
+}:
+{
+ nix.settings.trusted-users = [ adminUser.name ];
+ users = {
+ users.${adminUser.name} = {
+ inherit (adminUser) uid;
+ shell = pkgs.fish;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+ extraGroups = [
+ "wheel"
+ "docker"
+ ];
+ };
+ };
+}
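Review bot: The `ssh-ed25519` key literal under `openssh.authorizedKeys.keys` is the same literal that profiles/default.nix assigns to root's authorized keys, so a key rotation has to be made in two places; lifting it into an attribute of `adminUser` (the set this module already receives) and referencing it from both files would keep a single source of truth. The `extraGroups` list should also carry a note: membership in `docker` and in `nix.settings.trusted-users` are each root-equivalent on the host, and profiles/default.nix sets `security.sudo.wheelNeedsPassword = false`, so `wheel` is passwordless root as well. A comment like `# wheel (passwordless sudo), docker and nix trusted-users are all root-equivalent; intended for the admin account` records that this is deliberate rather than accidental.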
diff --git a/profiles/darwin.nix b/profiles/darwin.nix
index e355b72..0ff8cc0 100644
--- a/profiles/darwin.nix
+++ b/profiles/darwin.nix
@@ -1,4 +1,9 @@
-{ ... }:
+{
+ adminUser,
+ pkgs,
+ lib,
+ ...
+}:
{
system.defaults = {
dock = {
@@ -43,4 +48,49 @@
# Touch ID for sudo auth
security.pam.services.sudo_local.touchIdAuth = true;
+
+ nix = {
+ extraOptions = ''
+ tarball-ttl = 900
+ '';
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ };
+ optimise = {
+ automatic = true;
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ };
+ package = pkgs.nixVersions.stable;
+ settings = {
+ trusted-substituters = [
+ "https://cachix.cachix.org"
+ "https://nixpkgs.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+ "nixpkgs.cachix.org-1:q91R6hxbwFvDqTSDKwDAV4T5PxqXGxswD8vhONFMeOE="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ trusted-users = [
+ "@admin"
+ adminUser.name
+ ];
+ experimental-features = lib.mkDefault [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
}
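Review bot: The `trusted-substituters` and `trusted-public-keys` lists added here are identical to the ones in the new profiles/default.nix, so removing profiles/nix.nix replaces one shared module with two copies that will drift; a small module holding only `nix.settings` that both darwin.nix and default.nix import would keep them in sync, while the platform-specific parts (`gc.interval`/`optimise` here, `gc.dates` in default.nix) stay where they are. Separately, `trusted-substituters` only whitelists caches that unprivileged users may request; it does not make the daemon use them by default, so if the intent is that builds pull from these caches, `substituters` (alongside the same key list) is the option to set — confirm which was intended. Finally, `trusted-users = [ "@admin" adminUser.name ]` lists the admin account twice if it is in the macOS `admin` group, which is presumably the case for an admin profile.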
diff --git a/profiles/default.nix b/profiles/default.nix
new file mode 100644
index 0000000..58c22eb
--- /dev/null
+++ b/profiles/default.nix
@@ -0,0 +1,74 @@
+{ pkgs, lib, ... }:
+{
+ nix = {
+ extraOptions = ''
+ tarball-ttl = 900
+ '';
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ dates = "weekly";
+ };
+ package = pkgs.nixVersions.stable;
+ settings = {
+ trusted-substituters = [
+ "https://cachix.cachix.org"
+ "https://nixpkgs.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+ "nixpkgs.cachix.org-1:q91R6hxbwFvDqTSDKwDAV4T5PxqXGxswD8vhONFMeOE="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ trusted-users = [ "root" ];
+ experimental-features = lib.mkDefault [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ ## only allow declarative user management
+ users.mutableUsers = false;
+
+ services.openssh.enable = true;
+ services.openssh.settings.PasswordAuthentication = false;
+ services.openssh.settings.PermitRootLogin = "no";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ programs.fish.enable = true;
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ curl
+ fd
+ fish
+ git
+ htop
+ jq
+ mtr
+ pciutils
+ powertop
+ ripgrep
+ tcpdump
+ traceroute
+ vim
+ ];
+
+ ## disable that slow "building man-cache" step
+ documentation.man.generateCaches = lib.mkForce false;
+}
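Review bot: `users.users.root.openssh.authorizedKeys.keys` is populated while `services.openssh.settings.PermitRootLogin = "no"` is set two lines above, so the root key is inert today but silently becomes a working root login path the moment someone relaxes PermitRootLogin; either drop the root key (the admin user in profiles/admin-user/user.nix carries the same key and gets passwordless root via `security.sudo.wheelNeedsPassword = false`) or document why it is kept, e.g. `# root authorized key is intentionally present even though SSH root login is disabled above`. The `networking.firewall.allowedTCPPorts = [ 22 ];` line duplicates what `services.openssh.openFirewall` (enabled by default when openssh is enabled) already does — harmless, but worth a one-line comment if it is meant as an explicit statement of exposed ports.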
diff --git a/profiles/nix.nix b/profiles/nix.nix
deleted file mode 100644
index acfe151..0000000
--- a/profiles/nix.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ lib, pkgs, ... }:
-{
- nix = {
- extraOptions = ''
- tarball-ttl = 900
- '';
- gc = {
- automatic = true;
- options = "--delete-older-than 7d";
- interval = {
- Weekday = 0;
- Hour = 0;
- Minute = 0;
- };
- };
- optimise = {
- automatic = true;
- interval = {
- Weekday = 0;
- Hour = 0;
- Minute = 0;
- };
- };
- package = pkgs.nixVersions.stable;
- settings = {
- trusted-substituters = [
- "https://cachix.cachix.org"
- "https://nixpkgs.cachix.org"
- "https://nix-community.cachix.org"
- ];
- trusted-public-keys = [
- "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
- "nixpkgs.cachix.org-1:q91R6hxbwFvDqTSDKwDAV4T5PxqXGxswD8vhONFMeOE="
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- trusted-users = [
- "@admin"
- "fcuny"
- ];
- experimental-features = lib.mkDefault [
- "nix-command"
- "flakes"
- ];
- };
- };
-}
diff --git a/profiles/server.nix b/profiles/server.nix
index 1588314..3bcd529 100644
--- a/profiles/server.nix
+++ b/profiles/server.nix
@@ -7,41 +7,15 @@
{
imports = [
- ./nix.nix
+ ./default.nix
];
- time.timeZone = "America/Los_Angeles";
-
- # Don't require password for sudo
- security.sudo.wheelNeedsPassword = false;
-
# Virtualization settings
virtualisation.docker.enable = true;
- # Select internationalisation properties.
- i18n = {
- defaultLocale = "en_US.UTF-8";
- };
-
boot.loader.systemd-boot.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
- environment.systemPackages = with pkgs; [
- curl
- fd
- fish
- git
- htop
- jq
- mtr
- pciutils
- powertop
- ripgrep
- tcpdump
- traceroute
- vim
- ];
-
boot.kernel.sysctl = {
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_tw_reuse" = 1;
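Review bot: The new `./default.nix` import moves the sudo, openssh, root-key, locale and package settings out of this file, so a reader of server.nix alone no longer sees that `virtualisation.docker.enable = true;` is combined with passwordless `wheel` sudo and an SSH-exposed host; a comment on the import line such as `./default.nix # ssh + sudo policy, locale, base packages, nix settings` would restore that context. The name is also worth reconsidering: `profiles/default.nix` is what `import ./profiles` resolves to, yet it contains NixOS-only options (`nix.gc.dates`, `users.mutableUsers`, `networking.firewall`) that darwin.nix cannot consume, so a name like `nixos.nix` would state its scope. The enclosing module starts before this hunk.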
@@ -56,10 +30,6 @@
useNetworkd = lib.mkDefault true;
};
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# Default to systemd-networkd usage.
@@ -79,7 +49,4 @@
"8.8.8.8#dns.google"
"1.0.0.1#cloudflare-dns.com"
];
-
- ## disable that slow "building man-cache" step
- documentation.man.generateCaches = lib.mkForce false;
}