fix groups/default.nix should be groups/all/default.nix

2026-02-12 14:21:45 +10:00 · 2026-02-12 14:21:45 +10:00 · 27bc2ec0af
commit 27bc2ec0af
parent 9757cd823d
7 changed files with 111 additions and 94 deletions
--- a/groups/all/default.nix
+++ b/groups/all/default.nix
@ -1,5 +1,66 @@
-{lib, ...}: {
+{
+  root,
+  inputs,
+  config,
+  pkgs,
+  upkgs,
+  lib,
+  ...
+}: {
  # NOTE: mkDefault is 1000 and mkForce is 50
  # NOTE: so this is like a second mkDefault
  security.sudo.wheelNeedsPassword = lib.mkOverride 900 true;
+
+  networking = {
+    networkmanager.enable = true;
+
+    nftables.enable = true;
+    firewall.enable = lib.mkDefault true;
+
+    # Use CloudFlare's WARP+ 1.1.1.1 DNS service
+    nameservers = [
+      "1.1.1.1"
+      "1.0.0.1"
+    ];
+  };
+
+  nix.settings = {
+    # make wheel group trusted users allows my "ae" user
+    # to import packages not signed by a trusted key
+    # (aka super duper easier to remote deploy)
+    trusted-users = ["root" "@wheel"];
+    experimental-features = [
+      "nix-command"
+      "flakes"
+      "pipe-operators"
+    ];
+    download-buffer-size = 524288000; # 500 MiB
+  };
+
+  time.timeZone = lib.mkDefault "Australia/Brisbane";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  users.defaultUserShell = pkgs.bash;
+
+  home-manager = {
+    users =
+      config.users.users
+      |> builtins.attrNames
+      |> builtins.filter (x: builtins.pathExists (root + "/homes/${x}"))
+      |> (x: lib.genAttrs x (y: import (root + "/homes/${y}")));
+
+    extraSpecialArgs = {inherit inputs pkgs upkgs;};
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    vim
+    wget
+    tree
+  ];
 }
--- a/groups/default.nix
+++ b/groups/default.nix
@ -1,49 +0,0 @@
-{
-  root,
-  pkgs,
-  upkgs,
-  lib,
-  inputs,
-  config,
-  ...
-}: {
-  nix.settings = {
-    # make wheel group trusted users allows my "ae" user
-    # to import packages not signed by a trusted key
-    # (aka super duper easier to remote deploy)
-    trusted-users = ["root" "@wheel"];
-    experimental-features = [
-      "nix-command"
-      "flakes"
-      "pipe-operators"
-    ];
-    download-buffer-size = 524288000; # 500 MiB
-  };
-
-  time.timeZone = lib.mkDefault "Australia/Brisbane";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "us";
-  };
-
-  users.defaultUserShell = pkgs.bash;
-
-  home-manager = {
-    users =
-      config.users.users
-      |> builtins.attrNames
-      |> builtins.filter (x: builtins.pathExists (root + "/homes/${x}"))
-      |> lib.genAttrs (x: import (root + "/homes/${x}"));
-
-    extraSpecialArgs = {inherit inputs pkgs upkgs;};
-  };
-
-  environment.systemPackages = with pkgs; [
-    git
-    vim
-    wget
-    tree
-  ];
-}
--- a/groups/server/default.nix
+++ b/groups/server/default.nix
@ -1,19 +1,8 @@
 {lib, ...}: {
-  networking = {
-    networkmanager.enable = true;
-
-    # Use CloudFlare's WARP+ 1.1.1.1 DNS service
-    nameservers = [
-      "1.1.1.1"
-      "1.0.0.1"
+  networking.firewall = {
+    allowedTCPPorts = [
+      22
    ];
-
-    firewall = {
-      enable = lib.mkDefault true;
-      allowedTCPPorts = [
-        22
-      ];
-    };
  };

  security = {
@ -29,7 +18,7 @@
    };
    # allow SSH keys for passwordless auth
    pam = {
-      enableSSHAgentAuth = true;
+      sshAgentAuth.enable = true;
      services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module
    };
  };
@ -41,7 +30,7 @@
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
-        # AllowUsers = ["cry"]; # DO NOT ALLOW ALL
+        AllowUsers = ["cry"]; # DO NOT ALLOW ALL
        UseDns = true;
        X11Forwarding = false;
      };