init

shared/bastion.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+    # Import dependencies
+    imports = [
+        ./bastion/wireguard.nix
+    ];
+}

shared/bastion/wireguard.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+    # TODO
+}

shared/commons.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+    # Import dependencies
+    imports = [
+        ./commons/basics.nix
+        ./commons/ssh.nix
+        ./commons/sudo.nix
+        ./commons/networking.nix
+    ];
+}

shared/commons/basics.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+    nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+    # Global packages
+    environment.systemPackages = with pkgs; [
+        #(callPackage "${builtins.fetchTarball {url = "https://github.com/ryantm/agenix/archive/main.tar.gz"; sha256 = "103slb8xy5sb68zxjjbb9d0svq8xz751a7yrg6vrz5rh4374bzgl";}}/pkgs/agenix.nix" {})
+        bmon
+        tcpdump
+        htop
+        conntrack-tools
+        mtr
+        dig
+        molly-guard
+        fastfetch
+    ];
+
+}

shared/commons/networking.nix

@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+
+let
+    # Import nodes
+    nodes = import ./../../nodes.nix;
+    myNode = nodes."${config.hostName}";
+
+    supportsIPv4 = nd: lib.hasAttr "ip4" nd;
+    supportsIPv6 = nd: lib.hasAttr "ip6" nd;
+
+    # configure addresses including subnet mask
+    addr4 = if supportsIPv4 myNode then [ myNode.ip4 ] else [];
+    addr6 = if supportsIPv6 myNode then [ myNode.ip6 ] else [];
+
+    # And routes, the gateway is assumed to be in subnet, otherwise GatewayOnLink is required
+    route4 = if supportsIPv4 myNode then [{ Gateway = myNode.gIp4; }] else [];
+    route6 = if supportsIPv6 myNode then [{ Gateway = myNode.gIp6; }] else [];
+in
+{
+    systemd.network.enable = true;
+    networking.useNetworkd = true;
+    networking.useDHCP = false;
+    systemd.network = {
+        networks."10-wan" = {
+            # match the interface by name
+            matchConfig.Name = myNode.dev;
+            address = addr4 ++ addr6;
+            routes = route4 ++ route6;
+            # DNS
+            dns = [ "1.1.1.1" ];
+            # make the routes on this interface a dependency for network-online.target
+            linkConfig.RequiredForOnline = "routable";
+        };
+        
+        config.addRouteTablesToIPRoute2 = true;
+        config.routeTables = {
+            # Act as a route bin
+            off = 999;
+        };
+    };
+    networking.firewall.enable = true;
+}

shared/commons/ssh.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+    # SSH
+    services.openssh = {
+        enable = true;
+        # require public key authentication for better security
+        settings.PasswordAuthentication = false;
+        settings.KbdInteractiveAuthentication = false;
+        settings.PermitRootLogin = "no";
+    };
+}

shared/commons/sudo.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+    security.sudo = {
+        enable = true;
+        extraRules = [
+            # Sudoers wheel can do everything without password
+            {
+                commands = [
+                    {
+                        command = "ALL";
+                        options = [ "NOPASSWD" ];
+                    }
+                ];
+                groups = [ "wheel" ];
+            }
+        ];
+    };
+}

shared/users.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+
+{
+    # Users
+    # Uid 1000 - 1999 are reserved for specific system users that need uid > 999
+
+    # Wheeler
+    users.users.asyncnomi = {
+        isNormalUser = true;
+        uid = 2001;
+        home = "/home/asyncnomi";
+        description = "Sic mundus creatus est";
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQC3wkkW58044OeMnwbok+KQJrxNVPLx8Bbh4ukfADkBNFhve0+XDHMdMXRsD8MEheiRW/tlkHOljD2206cYIfW5w/lCJIWnP/EJgOfQ+vSQ5cJMXjP18Wm7HBYsyc4PYdeZLbRS6lFYisWkSwKscO1sy3s5JtftMI5/QXK6al1Xbnr5K2mkeB90w3aiaUCz2pXXe1SiHitTmIeiuEY/4iycEBxkxEupSEivCBHoSO7uBpEhasZcpSxTz/303Ti4+JgWs69xUooyEuIhcwjWH/91a0LV+5yKzOpdDQeJrSv8Cw1EQmmGM0ZJv7wFKKQ3ht9DXZd4lrvPtyWSD+JYOSRSsNCEMy6dPX7uUdcDwkwnrdPaxBOXFOB1InTGQWVnMGBsG0aK7UkwmPuoJXhaordrHFEac9aIcg5P7q1D8S+L6u/DdFq2IGZsymTrSAJsHQJ6q9wnOwGmiLaPw4WBaagzdlTmNz6WODG/9I25vQsC3z+I4Q39NG1u9/d+f465e2Z79D8X3H/pfKkAllgOrMY2eWVqjttZpjCbFo2Ckpat7JRYrvUIQCrzbhWK0uwUlH7+wGDqcPPrtpLYtVfKcWR8G4hFZl7HzN18riNHJ3158Pf4Te4/OzC6kbXa62zFpB9BWXoL8VXfDHaNv/5LB27Ikqd3QsCJfuhUBpFbndiUtlO/WSSx/ryPv3P0tWWlLcZXHTgTAzSjd+Git2FWXnSQd4QY5N48zVZE4jMK92ZBb1sqoDQnsWv5PeBWFiti/fNbJhqUJhraUerNpXgkNgxq6I1CTWG27cq8cA2v8Pf3VTM26NlQU3fR+m5ClbzS2iAeNjnh8dN9jx+q+4f5d/WS4HhsbBE+0l7sOaNp/ahOTPandZcU4wELc1sWkF/8apI1NItFtESU+So5gGs4nCoE8DXGV6kMPHsL4lmOlCVMjqe35AXu6XLQidocAKMr2sZxvaB/57oKPf6w+XjAxN2Aur8J6ocBGiePVK+VOud3NdpJLQ6QNeI4n7NHXBh9NVuS/RTy9r/EtoSXDwibINWNNDSCANLT7WQNorM4LiJRVFFfAcmwaCY1LbYnnr27qrboPTMT+jrOOQn35wZboAC531oD//qt7VP03uQeeXtFlUmZYywAdhStour7YsmwnxdEe8B+FfRmdhFaOlWdoMnUrziNdWHWTuIH0UIiB/DuF8eGLRtAdDBT3cFOHDMekx0LW/a1BYn3dXXuW+p7gTQUtEZXe+NJcgc62dSPFXwVKo8sogjFQzscupkFFXn3FSmfH91iVa8B84AhAZi/bZ5TslccHr3C+333RJ8holOOynOfFxryN5mKPP4ycypF66TNcZ5/b/klpvUt7BitvPZT asyncnomi" ];
+    };
+
+}