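{pkgs, ...}: let
  # Name of this host. It also selects the flake output in the rebuild helper
  # below, so the two values cannot drift apart.
  hostName = "distrust";

  # Helper script to update the system from the local copy of the flake.
  updateScript = pkgs.writeShellScriptBin "rebuild" ''
    nixos-rebuild switch --flake /etc/nixos#${hostName}
  '';

  # Helper script to clear /var/log and the systemd journal.
  # NOTE(review): `journalctl --vacuum-time` only deletes *archived* journal
  # files; the active journal file is kept until it is rotated, so recent
  # entries are expected to survive a run. fail2ban (enabled below) presumably
  # reads the journal on NixOS — confirm before relying on this interaction.
  clearLogsScript = pkgs.writeShellScriptBin "clear_logs" ''
    ${pkgs.coreutils}/bin/rm -rf /var/log/*
    ${pkgs.systemd}/bin/journalctl --vacuum-time=0s
  '';

  # Computes the Tor .onion hostname from a secret key. It is installed as a
  # system package below but is not referenced by any service in this module.
  tor-hostname = import ../helpers/tor-hostname.nix {inherit pkgs;};
in {
  environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix] ++ [updateScript tor-hostname];

  # Necessary for flake support
  nix.settings.experimental-features = ["nix-command" "flakes"];

  networking.hostName = hostName;
  zramSwap.enable = true;
  boot.tmp.cleanOnBoot = true;

  users.users = {
    # Disables root login by setting an invalid password
    root.hashedPassword = "!";
    anon = {
      isNormalUser = true;
      extraGroups = ["wheel"];
      # NOTE: a literal hash here is copied into the world-readable Nix store;
      # `hashedPasswordFile` keeps the hash out of the store.
      hashedPassword = "$6$GAyfgaTQgaBipAbb$gF/9YBh2ucVa/9vDQvEu9DVjSbsqdvSoXwA5RX0kP7.xdCfLqXhGBLlSXHg0e4rkLLd6zI1gRTWd4TfMjnnpS/";
      openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk+P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno:16_179_196"];
    };
  };

  # Members of wheel must authenticate to use sudo
  security.sudo.wheelNeedsPassword = true;

  services = {
    openssh = {
      enable = true;
      # Non-default port; port 22 is served by endlessh instead (see below)
      ports = [292];
      # Key-only authentication; the authorized key is set on `anon` above
      settings.PasswordAuthentication = false;
    };
    fail2ban.enable = true;
    # SSH tarpit on the default port
    endlessh = {
      enable = true;
      port = 22;
      openFirewall = true;
    };
  };

  systemd = {
    services.clear-var-log = {
      description = "Clear /var/log directory";
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${clearLogsScript}/bin/clear_logs";
        User = "root";
        Group = "root";
      };
    };
    timers.clear-var-log = {
      description = "Hourly timer to clear /var/log";
      wants = ["clear-var-log.service"];
      timerConfig = {
        OnCalendar = "hourly";
        # A tick missed while the system was off runs at the next activation
        Persistent = true;
        Unit = "clear-var-log.service";
      };
      wantedBy = ["timers.target"];
    };
  };

  system.stateVersion = "25.05";
}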