From d7b8d63f83cdcab29ee250237ee96ea044253ad2 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Fri, 22 Sep 2023 15:09:01 +0200
Subject: [PATCH 01/10] added sensible credentials to nerf user
---
nixos/roles/admins.nix | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 nixos/roles/admins.nix
diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix
new file mode 100644
index 0000000..4f189e0
--- /dev/null
+++ b/nixos/roles/admins.nix
@@ -0,0 +1,30 @@
+{lib, ...} :
+with lib;
+
+let
+ admins = {
+ nerf = {
+ hashedPassword =
+ "$6$rounds=424242$FaEtIXMUScxgAYyF$Fl8GbPFgiEv.1iwrhtVpTixG1BTJys3aIfLyTzocQYZV4JymrYEXtnyCTURmVDe8stxbxgDutmtlyElfn1DQc/";
+ keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
+ ];
+ };
+ };
+
+ mkAdmin = name :
+ {hashedPassword, keys}: {
+ "${name}" = {
+ isNormalUser = true;
+ createHome = true;
+ extraGroups = [ "wheel" ];
+ group = "users";
+ home = "/home/${name}";
+ openssh.authorizedKeys = { inherit keys; };
+ inherit hashedPassword;
+ };
+ };
+
+in {
+ users.users = mkMerge (mapAttrsToList mkAdmin admins);
+}
From 4d7d32f7b6ccc8242554a6086e017595a263d60d Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Sat, 30 Sep 2023 17:19:33 +0200
Subject: [PATCH 02/10] first roles/default
---
nixos/roles/default.nix | 50 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 3c24242..72ad163 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
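Review bot: `hashedPassword` on the new `nerf` entry commits a password hash for a `wheel` member to the repository, where anyone with read access to the history can run offline guessing against it; the same role set already wires sops-nix (`sops.age.sshKeyPaths` in default.nix later in this series), so the hash could live in a sops secret and be referenced as `hashedPasswordFile = config.sops.secrets."<secret-name>".path;` (`passwordFile` on older releases), which needs `config` added to this module's argument set. Separately, `with lib;` at file scope is discouraged in NixOS modules because it hides where `mkMerge` and `mapAttrsToList` come from; `inherit (lib) mkMerge mapAttrsToList;` inside the `let` keeps them explicit. The `mkMerge (mapAttrsToList mkAdmin admins)` wrapper can also be collapsed to `users.users = lib.mapAttrs (name: {hashedPassword, keys}: { ... }) admins;`, since `mkAdmin` only exists to build a one-key attrset per user.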
@@ -1,4 +1,52 @@ -{ ... } : { +{pkgs, config, lib, ...} : { + +imports = [ ./admins.nix ]; +nix = { + extraOptions = '' + experimental-features = nix-command flakes + builders-use-substitutes = true + ''; +}; + +networking = { + firewall = { # these shoud be default, but better make sure! + enable = true; + allowPing = true; + }; + nftables.enable = true; + useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface + # hosts = # TODO write something to autogenerate ip adresses! +}; + +users = { + mutableUsers = false; +}; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + +environment = { + systemPackages = builtins.attrValues { + inherit (pkgs) + htop lsof tmux btop; + }; +}; + +services = { + journald.extraConfig = "SystemMaxUse=5G"; + + nginx = { + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedTlsSettings = true; + }; + + openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; +}; +>>>>>>> 2b0eec7 (added actual hardware identifiers & atual network config) } From cba8cb1ce8f7f5d0480ea14bcce0743102b5ff1b Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Sat, 30 Sep 2023 17:21:30 +0200 Subject: [PATCH 03/10] added nix_keys --- nixos/roles/nix_keys.nix | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 nixos/roles/nix_keys.nix diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix new file mode 100644 index 0000000..af3f21d --- /dev/null +++ b/nixos/roles/nix_keys.nix @@ -0,0 +1,4 @@ +{lib, ...} : + nix.settings.trusted-public-keys = [ + "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" + ]; From 44a0ef0ecd18a613f99f7da286c2b13224ca85d1 Mon Sep 17 00:00:00 2001 
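Review bot: `PasswordAuthentication = false` in the `openssh.settings` block does not by itself disable password logins, because NixOS leaves `KbdInteractiveAuthentication` enabled by default and PAM can still prompt for a password over keyboard-interactive; add `KbdInteractiveAuthentication = false;` beside it. The `nginx.recommended*` options only take effect on hosts that set `services.nginx.enable`, so a comment such as `# defaults for any host that enables nginx` would make the intent clear to a reader of this shared role. The `firewall.enable`/`allowPing` lines restate defaults, as the inline comment admits; keeping them is fine for auditability but the comment typo (`shoud`) should be fixed when the file is next touched.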
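Review bot: the `trusted-public-keys` entry makes the `nerflap2-1` signing key a root of trust for every host that imports this module: any store path carrying a signature from that key is accepted by the daemon, whether substituted or copied in, so the private half on that laptop deserves the same handling as a deploy key. A short comment recording what the key is for and where it is generated would help later rotation, e.g. `# store signing key of nerflap2; replace here whenever the laptop key is regenerated`.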
From: Dennis Frieberg Date: Fri, 22 Sep 2023 20:00:35 +0200 Subject: [PATCH 04/10] fixed small error in trusted nix keys handling --- nixos/roles/admins.nix | 2 +- nixos/roles/default.nix | 5 ++++- nixos/roles/nix_keys.nix | 4 +++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix index 4f189e0..43a86aa 100644 --- a/nixos/roles/admins.nix +++ b/nixos/roles/admins.nix @@ -5,7 +5,7 @@ let admins = { nerf = { hashedPassword = - "$6$rounds=424242$FaEtIXMUScxgAYyF$Fl8GbPFgiEv.1iwrhtVpTixG1BTJys3aIfLyTzocQYZV4JymrYEXtnyCTURmVDe8stxbxgDutmtlyElfn1DQc/"; + "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" ]; diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 72ad163..2bcf4dc 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -1,6 +1,9 @@ {pkgs, config, lib, ...} : { -imports = [ ./admins.nix ]; +imports = [ + ./admins.nix + ./nix_keys.nix + ]; nix = { extraOptions = '' experimental-features = nix-command flakes diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix index af3f21d..85c7835 100644 --- a/nixos/roles/nix_keys.nix +++ b/nixos/roles/nix_keys.nix @@ -1,4 +1,6 @@ -{lib, ...} : +{ + imports = [ ]; nix.settings.trusted-public-keys = [ "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" ]; +} From 16fee6f1f91c1a7383676f872e21525c262d8dba Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Sun, 24 Sep 2023 02:04:39 +0200 Subject: [PATCH 05/10] refactored xen_guest.nix --- nixos/roles/xen_guest.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 nixos/roles/xen_guest.nix diff --git a/nixos/roles/xen_guest.nix b/nixos/roles/xen_guest.nix new file mode 100644 index 0000000..9c9ee32 --- /dev/null +++ b/nixos/roles/xen_guest.nix 
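Review bot: the SHA-512 crypt hash removed in the admins.nix hunk stays recoverable from the repository history, so if the underlying password was not changed along with the move to yescrypt, the weaker hash still exposes it to offline guessing; rotating the password itself, or moving the hash out of git into a sops secret, would close that. The new `$y$` hash is an improvement on its own; a comment such as `# yescrypt; rotate the password, not just the hash, once it has been in git history` would record the expectation for the next change. The `imports = [ ];` added in the nix_keys.nix hunk is a no-op and can be dropped.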
@@ -0,0 +1,15 @@ +{...}: { + imports = [ ]; + boot = { + loader.grub = { + device = "nodev"; + enable = true; + }; + initrd = { + availableKernelModules = [ "ata_piix" "sr_mod" "xen_blkfront" ]; + kernelModules = [ ]; + }; + extraModulePackages = [ ]; + }; +} + From c7825cbd017fbf4ee975247e0ceeb54fe99b4160 Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Mon, 25 Sep 2023 16:05:41 +0200 Subject: [PATCH 06/10] make /tmp/ a tmpfs --- nixos/roles/xen_guest.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/roles/xen_guest.nix b/nixos/roles/xen_guest.nix index 9c9ee32..f7cef3e 100644 --- a/nixos/roles/xen_guest.nix +++ b/nixos/roles/xen_guest.nix @@ -10,6 +10,7 @@ kernelModules = [ ]; }; extraModulePackages = [ ]; + tmp.useTmpfs = true; }; } From d0d7237fa607fa33d6d086e93943a6423d8f6706 Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Fri, 29 Sep 2023 01:13:30 +0200 Subject: [PATCH 07/10] disable root login --- nixos/roles/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 2bcf4dc..7696270 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -23,6 +23,7 @@ networking = { users = { mutableUsers = false; + users.root.hashedPassword = "!"; }; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; From 4ccc9c83e63af79ab778386f84f35c6843917c8c Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Sat, 30 Sep 2023 17:31:19 +0200 Subject: [PATCH 08/10] removed leftover merge marker --- nixos/roles/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 7696270..a59d36c 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -52,5 +52,4 @@ services = { }; }; }; ->>>>>>> 2b0eec7 (added actual hardware identifiers & atual network config) } From 3dc8c90a2725560b48738f49655b334c23aeddd5 Mon Sep 17 00:00:00 2001 
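Review bot: `tmp.useTmpfs = true` mounts /tmp from RAM at the NixOS default size of 50% of memory, which on a Xen guest with a small allocation lets a runaway build or download in /tmp push the system into memory pressure; consider pairing it with `tmp.tmpfsSize = "<size>";` sized for the guest. The enclosing `boot = {` attribute set opens outside this hunk.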
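Review bot: `users.root.hashedPassword = "!"` locks only root's password; with `PermitRootLogin = "no"` already set the account is unreachable over ssh, but root remains reachable locally through `sudo` from `wheel` members, so the commit title "disable root login" claims a little more than the line does. A comment would keep the next reader from assuming otherwise, e.g. `# lock root's password; admins reach root via sudo (wheel)`. The surrounding `users = {` block is inside the hunk but the rest of default.nix continues outside it.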
From: Dennis Frieberg Date: Sat, 30 Sep 2023 17:33:12 +0200 Subject: [PATCH 09/10] [#11] default role setup --- nixos/roles/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index a59d36c..b3156ba 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -3,6 +3,7 @@ imports = [ ./admins.nix ./nix_keys.nix + ./xen_guest.nix ]; nix = { extraOptions = '' From 4f414fa1d7bf9be6efebfc7d37caef5e1b1e9727 Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Thu, 5 Oct 2023 00:16:25 +0200 Subject: [PATCH 10/10] use the nixpkgs xen module --- nixos/roles/default.nix | 4 ++-- nixos/roles/xen_guest.nix | 16 ---------------- 2 files changed, 2 insertions(+), 18 deletions(-) delete mode 100644 nixos/roles/xen_guest.nix diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index b3156ba..7296a1d 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -1,9 +1,9 @@ -{pkgs, config, lib, ...} : { +{pkgs, config, lib, modulesPath, ...} : { imports = [ ./admins.nix ./nix_keys.nix - ./xen_guest.nix + (modulesPath + "/virtualisation/xen-domU.nix") ]; nix = { extraOptions = '' diff --git a/nixos/roles/xen_guest.nix b/nixos/roles/xen_guest.nix deleted file mode 100644 index f7cef3e..0000000 --- a/nixos/roles/xen_guest.nix +++ /dev/null @@ -1,16 +0,0 @@ -{...}: { - imports = [ ]; - boot = { - loader.grub = { - device = "nodev"; - enable = true; - }; - initrd = { - availableKernelModules = [ "ata_piix" "sr_mod" "xen_blkfront" ]; - kernelModules = [ ]; - }; - extraModulePackages = [ ]; - tmp.useTmpfs = true; - }; -} -
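Review bot: deleting xen_guest.nix also drops the `tmp.useTmpfs = true` that PATCH 06 introduced, and the replacement import `(modulesPath + "/virtualisation/xen-domU.nix")` in default.nix does not restore it, so /tmp silently reverts to on-disk; if the tmpfs is still wanted, re-add `boot.tmp.useTmpfs = true;` in default.nix. Whether the nixpkgs module also covers the `grub.device = "nodev"` and `xen_blkfront` initrd settings from the deleted file is not visible here and should be confirmed against the pinned nixpkgs before the next deploy. The `imports` list is inside the hunk but the rest of default.nix continues outside it.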