super massive rewrite

2026-02-09 01:51:30 +10:00 · 2026-02-09 01:51:30 +10:00 · 1de15c45f2
commit 1de15c45f2
parent a2192c9341
19 changed files with 746 additions and 1000 deletions
--- a/groups/server/default.nix
+++ b/groups/server/default.nix
@ -0,0 +1,54 @@
+{
+  lib,
+  sshPort ? 22,
+  ...
+}: {
+  networking = {
+    networkmanager.enable = true;
+
+    # Use CloudFlare's WARP+ 1.1.1.1 DNS service
+    nameservers = [
+      "1.1.1.1"
+      "1.0.0.1"
+    ];
+
+    firewall = {
+      enable = lib.mkDefault true;
+      allowedTCPPorts = [
+        sshPort
+      ];
+    };
+  };
+
+  security = {
+    # accept Lets Encrypt's security policy
+    acme = {
+      acceptTerms = true;
+      defaults.email = "them@dobutterfliescry.net";
+    };
+
+    sudo = {
+      enable = true;
+      wheelNeedsPassword = true;
+    };
+    # allow SSH keys for passwordless auth
+    pam = {
+      enableSSHAgentAuth = true;
+      services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module
+    };
+  };
+
+  services = {
+    openssh = {
+      enable = true;
+      ports = [sshPort];
+      settings = {
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+        # AllowUsers = ["cry"]; # DO NOT ALLOW ALL
+        UseDns = true;
+        X11Forwarding = false;
+      };
+    };
+  };
+}