# hosts/watcher — host-level NixOS configuration for the "watcher" box.
#
# Shared service modules are pulled in from ../../modules; boot, disk layout
# and cloud-init come from openstack-config.nix (nixos-rebuild on the live
# machine) or openstack-image.nix (QCOW2 image build), both wired in flake.nix.
{ config, lib, pkgs, ... }:

{
  imports = [
    ../../modules/website.nix
    ../../modules/forgejo.nix
  ];

  ###########################################################################
  # Secrets (sops-nix)
  #
  # ./secrets.yaml is encrypted at rest and decrypted at boot with the host's
  # SSH key acting as the age identity. Plaintext is written under
  # /run/secrets/ and is root-only by default. Edit with
  # `sops hosts/watcher/secrets.yaml` from inside `nix develop`.
  # Note that anyone holding the host key (or root on this box) can decrypt
  # the file, so rotate the key if the host is ever re-imaged elsewhere.
  ###########################################################################
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  # Placeholder entry that only proves the decrypt pipeline runs end to end.
  sops.secrets.example = { };

  ###########################################################################
  # Base system
  ###########################################################################
  system.stateVersion = "25.05";
  time.timeZone = "Europe/Zurich";
  i18n.defaultLocale = "en_US.UTF-8";

  networking = {
    hostName = "watcher";
    firewall = {
      enable = true;
      # Only SSH is exposed here; 80/443 get added as the web services come
      # online. The imported modules may open ports of their own — check the
      # merged `networking.firewall.allowedTCPPorts` when auditing exposure.
      allowedTCPPorts = [ 22 ];
    };
  };

  ###########################################################################
  # Users and login
  ###########################################################################
  users = {
    # Declarative users only: nothing created by hand on the box survives a
    # rebuild, which keeps the account list auditable from this file.
    mutableUsers = false;
    users.tyro = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      # The SSH public key is the sole login credential for this account.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHC7oEcIquy/HWSHjA9N62FVKA6js4aOWu9q41Qp3nNj tyrolize@nixos"
      ];
    };
  };

  services.openssh = {
    enable = true;
    settings = {
      # Key-based authentication only; both password paths are shut.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # openstack-config.nix sets this to "prohibit-password" so cloud-init can
      # inject the OpenStack keypair into root. Not needed here: the same key is
      # already on users.users.tyro via the flake. mkForce wins over that
      # default and closes root SSH entirely.
      PermitRootLogin = lib.mkForce "no";
    };
  };

  # No password is declared for tyro in this file and mutableUsers is off, so
  # there is nothing sudo could prompt for; NOPASSWD for wheel is what makes
  # the account usable. Practically, possession of the SSH key above equals
  # root on this host — treat that key accordingly.
  security.sudo.wheelNeedsPassword = false;

  ###########################################################################
  # Tooling
  ###########################################################################
  environment.systemPackages = [
    pkgs.vim
    pkgs.git
    pkgs.htop
    pkgs.tmux
    pkgs.curl
    pkgs.wget
  ];

  ###########################################################################
  # Nix daemon
  ###########################################################################
  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      # Lets tyro push pre-built closures from the laptop via
      # `nixos-rebuild --target-host` without re-signing every store path.
      # Trusted users can hand the daemon unsigned paths and arbitrary
      # substituters, so this is root-equivalent access — consistent with
      # wheel already having passwordless sudo.
      trusted-users = [ "root" "@wheel" ];
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };
  };
}