Initial commit

system/default.nix

@@ -0,0 +1,7 @@
+{ ... }: {
+  import = [
+    ./sops.nix
+    ./root-user.nix
+    ./sshd.nix
+  ];
+}

system/root-user.nix

@@ -0,0 +1,13 @@
+{ pkgs, config, ... }: {
+  programs.zsh.enable = true;
+  sops.secrets.root_password_hash = { };
+  sops.secrets.root_password_hash.neededForUsers = true;
+
+  users.users.root = {
+    shell = pkgs.zsh;
+    hashedPasswordFile = config.sops.secrets.root_password_hash.path;
+    opennsh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
+    ];
+  };
+}

system/sops.nix

@@ -0,0 +1,7 @@
+{ ... }: {
+  sops = {
+    defaultSopsFile = ./secrets/secrets.yaml;
+    age.keyFile = "/var/lib/sops-nix/key.txt";
+    age.generateKey = true;
+  };
+}

system/sshd.nix

@@ -0,0 +1,9 @@
+{ ... }: {
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+    # TODO: Allow root login from certain hosts.
+    # Then dissallow rest.
+    passwordAuthentication = true;
+  };
+}