infra/modules/darwin/common/default.nix

{ inputs, pkgs, ... }:
let
  authorizedKeys = {
    keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPVjRBomWFJNNkZb0g5ymLmc3pdRddIScitmJ9yC+ap" # deployment
    ];
    keyFiles = pkgs.lib.filesystem.listFilesRecursive "${toString inputs.self}/users/keys";
  };
in
{
  imports = [
    ./apfs-cleanup.nix
    ./reboot.nix
    ./telegraf.nix
    ./upgrade-diff.nix
    ../../shared/known-hosts.nix
    ../../shared/nix-daemon.nix
    inputs.agenix.darwinModules.age
  ];

  # TODO: refactor this to share /users with nixos
  users.users = {
    customer.openssh = { inherit authorizedKeys; };
    hetzner.openssh = { inherit authorizedKeys; };
  };

  services.nix-daemon.enable = true;

  programs.zsh.enable = true;

  documentation.enable = false;

  programs.info.enable = false;

  # fix darwin sandboxing
  nix.package = pkgs.nix.overrideAttrs (old: {
    patches = (old.patches or [ ]) ++ [
      (pkgs.fetchpatch {
        url = "https://github.com/NixOS/nix/commit/217fadd993da88294d0393af374b638afd99b169.patch";
        hash = "sha256-nkJouBmEj3vqgjRKhXjbHysgQqqhwebdKBArFAzIBvc=";
      })
    ];
  });

  nix.settings.trusted-users = [
    "@admin"
  ];

  # shouldn't need to set this for a nix multi-user install
  nix.gc.user = "root";

  # srvos
  nix.settings.builders-use-substitutes = true;

  # srvos
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];

  environment.systemPackages = with pkgs; [
    htop
  ];

  system.includeUninstaller = false;

  # disable application layer firewall, telegraf needs an incoming connection
  system.defaults.alf.globalstate = 0;

  # srvos
  environment.etc."ssh/sshd_config.d/darwin.conf".text = ''
    AuthorizedKeysFile none
    HostKey /etc/ssh/ssh_host_ed25519_key
    KbdInteractiveAuthentication no
    PasswordAuthentication no
  '';

  # Make sure to disable netbios on activation
  system.activationScripts.postActivation.text = ''
    echo disabling netbios... >&2
    launchctl disable system/netbiosd
    launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist 2>/dev/null || true
    echo disabling spotlight indexing... >&2
    mdutil -a -i off -d &> /dev/null
    mdutil -a -E &> /dev/null
  '';

  time.timeZone = "GMT";
}
modules/darwin/common: refactor keys 2023-12-31 12:43:17 +10:00			`{ inputs, pkgs, ... }:`
modules/darwin/common: add customer user 2024-05-16 13:52:21 +10:00			`let`
			`authorizedKeys = {`
			`keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPVjRBomWFJNNkZb0g5ymLmc3pdRddIScitmJ9yC+ap" # deployment`
			`];`
			`keyFiles = pkgs.lib.filesystem.listFilesRecursive "${toString inputs.self}/users/keys";`
			`};`
			`in`
modules/darwin: refactor 2023-07-17 13:53:06 +10:00			`{`
			`imports = [`
modules/darwin: add apfs-cleanup 2023-12-11 09:40:00 +10:00			`./apfs-cleanup.nix`
modules/darwin: add reboot 2023-07-21 20:12:20 +10:00			`./reboot.nix`
modules/darwin: refactor 2023-07-17 13:53:06 +10:00			`./telegraf.nix`
modules/darwin/common: add upgrade-diff 2023-08-08 13:04:28 +10:00			`./upgrade-diff.nix`
modules/shared: add known-hosts 2024-03-10 09:26:39 +10:00			`../../shared/known-hosts.nix`
modules/shared: add nix-daemon 2023-07-29 17:37:07 +10:00			`../../shared/nix-daemon.nix`
add agenix to deploy darwin secrets 2024-05-05 15:01:47 +10:00			`inputs.agenix.darwinModules.age`
modules/darwin: refactor 2023-07-17 13:53:06 +10:00			`];`

modules/darwin/common: refactor authorizedKeys 2023-07-31 12:17:10 +10:00			`# TODO: refactor this to share /users with nixos`
			`users.users = {`
modules/darwin/common: add customer user 2024-05-16 13:52:21 +10:00			`customer.openssh = { inherit authorizedKeys; };`
			`hetzner.openssh = { inherit authorizedKeys; };`
modules/darwin/common: refactor authorizedKeys 2023-07-31 12:17:10 +10:00			`};`

modules/darwin: refactor 2023-07-17 13:53:06 +10:00			`services.nix-daemon.enable = true;`

			`programs.zsh.enable = true;`

			`documentation.enable = false;`

			`programs.info.enable = false;`

modules/darwin/common: add patch to fix darwin sandbox 2024-07-06 09:58:06 +10:00			`# fix darwin sandboxing`
			`nix.package = pkgs.nix.overrideAttrs (old: {`
			`patches = (old.patches or [ ]) ++ [`
			`(pkgs.fetchpatch {`
			`url = "https://github.com/NixOS/nix/commit/217fadd993da88294d0393af374b638afd99b169.patch";`
			`hash = "sha256-nkJouBmEj3vqgjRKhXjbHysgQqqhwebdKBArFAzIBvc=";`
			`})`
			`];`
			`});`

modules/darwin: refactor 2023-07-17 13:53:06 +10:00			`nix.settings.trusted-users = [`
			`"@admin"`
			`];`

modules/darwin/common: set nix.gc.user 2023-09-18 08:14:53 +10:00			`# shouldn't need to set this for a nix multi-user install`
			`nix.gc.user = "root";`

modules/shared: add nix-daemon 2023-07-29 17:37:07 +10:00			`# srvos`
modules/darwin: refactor 2023-07-17 13:53:06 +10:00			`nix.settings.builders-use-substitutes = true;`

modules/shared: add nix-daemon 2023-07-29 17:37:07 +10:00			`# srvos`
modules/darwin: refactor 2023-07-17 13:53:06 +10:00			`nix.settings.experimental-features = [`
			`"nix-command"`
			`"flakes"`
			`];`

			`environment.systemPackages = with pkgs; [`
			`htop`
			`];`

modules/darwin/common: disable `includeUninstaller` 2023-11-27 13:47:18 +10:00			`system.includeUninstaller = false;`

modules/darwin/common: disable alf 2023-07-31 14:39:08 +10:00			`# disable application layer firewall, telegraf needs an incoming connection`
			`system.defaults.alf.globalstate = 0;`

modules/darwin/common: add some ssh settings 2023-07-29 19:30:32 +10:00			`# srvos`
			`environment.etc."ssh/sshd_config.d/darwin.conf".text = ''`
modules/darwin: authorizedKeys updates 2024-06-21 09:49:19 +10:00			`AuthorizedKeysFile none`
modules/darwin/common: only allow ssh_host_ed25519_key 81dd4e0557c2a5a9e59a3b1546f098044f18b61b we do the same for nixos 2024-01-25 12:42:48 +10:00			`HostKey /etc/ssh/ssh_host_ed25519_key`
modules/darwin/common: add some ssh settings 2023-07-29 19:30:32 +10:00			`KbdInteractiveAuthentication no`
			`PasswordAuthentication no`
			`'';`

darwin: disable netbios on activation We have received a notification from the German Federal Office for Information Security (BSI) about our NetBIOS being enabled, and it potentially being used for DDoS reflection attacks. 2024-03-01 17:35:33 +01:00			`# Make sure to disable netbios on activation`
			`system.activationScripts.postActivation.text = ''`
			`echo disabling netbios... >&2`
			`launchctl disable system/netbiosd`
			`launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist 2>/dev/null \|\| true`
modules/darwin/common: add mdutil to postActivation script The official and detsys nix installers disable spotlight for /nix/store but we may as well just disable it everywhere. https://github.com/LnL7/nix-darwin/blob/eb25dc61a62efcdf47efce6cb17cd5cb3c8f2719/modules/examples/hydra.nix#L46 https://github.com/ofborg/infrastructure/blob/9ddbcdd3b77a82880a663f6b41b8a731bb84e448/darwin-configuration.nix#L58 2024-04-19 14:27:13 +10:00			`echo disabling spotlight indexing... >&2`
			`mdutil -a -i off -d &> /dev/null`
			`mdutil -a -E &> /dev/null`
darwin: disable netbios on activation We have received a notification from the German Federal Office for Information Security (BSI) about our NetBIOS being enabled, and it potentially being used for DDoS reflection attacks. 2024-03-01 17:35:33 +01:00			`'';`

modules/darwin/common: set timeZone 2023-09-16 07:56:59 +10:00			`time.timeZone = "GMT";`
modules/darwin: refactor 2023-07-17 13:53:06 +10:00			`}`
No results found.