init

shared/commons/basics.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+    nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+    # Global packages
+    environment.systemPackages = with pkgs; [
+        #(callPackage "${builtins.fetchTarball {url = "https://github.com/ryantm/agenix/archive/main.tar.gz"; sha256 = "103slb8xy5sb68zxjjbb9d0svq8xz751a7yrg6vrz5rh4374bzgl";}}/pkgs/agenix.nix" {})
+        bmon
+        tcpdump
+        htop
+        conntrack-tools
+        mtr
+        dig
+        molly-guard
+        fastfetch
+    ];
+
+}

shared/commons/networking.nix

@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+
+let
+    # Import nodes
+    nodes = import ./../../nodes.nix;
+    myNode = nodes."${config.hostName}";
+
+    supportsIPv4 = nd: lib.hasAttr "ip4" nd;
+    supportsIPv6 = nd: lib.hasAttr "ip6" nd;
+
+    # configure addresses including subnet mask
+    addr4 = if supportsIPv4 myNode then [ myNode.ip4 ] else [];
+    addr6 = if supportsIPv6 myNode then [ myNode.ip6 ] else [];
+
+    # And routes, the gateway is assumed to be in subnet, otherwise GatewayOnLink is required
+    route4 = if supportsIPv4 myNode then [{ Gateway = myNode.gIp4; }] else [];
+    route6 = if supportsIPv6 myNode then [{ Gateway = myNode.gIp6; }] else [];
+in
+{
+    systemd.network.enable = true;
+    networking.useNetworkd = true;
+    networking.useDHCP = false;
+    systemd.network = {
+        networks."10-wan" = {
+            # match the interface by name
+            matchConfig.Name = myNode.dev;
+            address = addr4 ++ addr6;
+            routes = route4 ++ route6;
+            # DNS
+            dns = [ "1.1.1.1" ];
+            # make the routes on this interface a dependency for network-online.target
+            linkConfig.RequiredForOnline = "routable";
+        };
+        
+        config.addRouteTablesToIPRoute2 = true;
+        config.routeTables = {
+            # Act as a route bin
+            off = 999;
+        };
+    };
+    networking.firewall.enable = true;
+}

shared/commons/ssh.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+    # SSH
+    services.openssh = {
+        enable = true;
+        # require public key authentication for better security
+        settings.PasswordAuthentication = false;
+        settings.KbdInteractiveAuthentication = false;
+        settings.PermitRootLogin = "no";
+    };
+}

shared/commons/sudo.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+    security.sudo = {
+        enable = true;
+        extraRules = [
+            # Sudoers wheel can do everything without password
+            {
+                commands = [
+                    {
+                        command = "ALL";
+                        options = [ "NOPASSWD" ];
+                    }
+                ];
+                groups = [ "wheel" ];
+            }
+        ];
+    };
+}