super massive rewrite

2026-02-09 01:51:30 +10:00 · 2026-02-09 01:51:30 +10:00 · 1de15c45f2
commit 1de15c45f2
parent a2192c9341
19 changed files with 746 additions and 1000 deletions
--- a/hosts/hyrule/default.nix
+++ b/hosts/hyrule/default.nix
@ -1,45 +1,10 @@
-{
-  pkgs,
-  upkgs,
-  ...
-}: let
-  home-manager = builtins.fetchTarball {
-    url = "https://github.com/nix-community/home-manager/archive/release-25.05.tar.gz";
-    sha256 = "07pk5m6mxi666dclaxdwf7xrinifv01vvgxn49bjr8rsbh31syaq";
-  };
-in {
+{pkgs, ...}: {
  imports = [
    ./hardware-configuration.nix
-    (import "${home-manager}/nixos")

-    ./services/forgejo.nix
-    ./services/vaultwarden.nix
-    ./services/nginx.nix
-    # ./mailserver.nix # TEMP: location
-    # ./minecraft-server.nix # TEMP: location
-
-    ../modules/bashistrans.nix
+    ./services
  ];

-  nix.settings = {
-    # make wheel group trusted users allows my "ae" user
-    # to import packages not signed by a trusted key
-    # (aka super duper easier to remote deploy)
-    trusted-users = ["root" "@wheel"];
-    experimental-features = [
-      "nix-command"
-      "flakes"
-    ];
-  };
-
-  time.timeZone = "Australia/Brisbane";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "us";
-  };
-
  # super duper minimum grub2 config
  boot.loader.grub = {
    enable = true;
@ -48,29 +13,10 @@ in {

  networking = {
    hostName = "hyrule";
-    networkmanager.enable = true;
-
-    # Use CloudFlare's WARP+ 1.1.1.1 DNS service
-    nameservers = [
-      "1.1.1.1"
-      "1.0.0.1"
-    ];
-
    firewall = {
-      enable = true;
      allowedTCPPorts = [
-        22 # sshd
        80 # nginx
-        # 143 # IMAP4
        443 # nginx
-        # 587 # SMTPS
-        2222 # forgejo ssh
-        2035 # debug (for my job)
-        # 3000 (INTERNAL) forgejo
-        # 3306 (INTERNAL) forgejo sqlite3 database
-        5000 # debug (for my job)
-        # 8222 (INTERNAL) vaultwarden
-        45000 # minecaft server
      ];
      allowedUDPPorts = [
        54231 # Wireguard
@ -102,11 +48,9 @@ in {
  };

  users = {
-    defaultUserShell = pkgs.bash;
-
    users = {
      # primary user
-      ae = {
+      cry = {
        isNormalUser = true;
        extraGroups = ["wheel"];
        shell = pkgs.bash;
@ -115,16 +59,6 @@ in {
        ];
      };

-      # TODO: reduce security implications of subspace
-      subspace = {
-        isNormalUser = true;
-        shell = pkgs.bash;
-        home = "/home/subspace";
-        packages = with pkgs; [
-          wishlist
-        ];
-      };
-
      friends = {
        isNormalUser = true;
        shell = pkgs.fish;
@ -135,54 +69,5 @@ in {

  virtualisation.docker.enable = true;

-  home-manager = {
-    users = {
-      ae = import ../../homes/ae;
-      subspace = import ../../homes/subspace;
-    };
-  };
-
-  services = {
-    openssh = {
-      enable = true;
-      ports = [22];
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "no";
-        AllowUsers = ["ae" "subspace"]; # DO NOT ALLOW ALL
-        UseDns = true;
-        X11Forwarding = false;
-      };
-    };
-  };
-
-  security = {
-    # accept Lets Encrypt's security policy (for nginx)
-    acme = {
-      acceptTerms = true;
-      # TODO: change this to me@imbored.dev
-      defaults.email = "eclarkboman@gmail.com";
-    };
-
-    sudo = {
-      enable = true;
-      wheelNeedsPassword = true;
-    };
-    # allow SSH keys for passwordless auth
-    # TODO: DO NOT USE THIS (create my own alternative to colmena)
-    pam = {
-      enableSSHAgentAuth = true;
-      services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    eza
-    git
-    vim
-    helix
-    tcpdump
-  ];
-
  system.stateVersion = "24.11"; # DO NOT MODIFY
 }