feat: add policestation

install/keygen-config.nix

@@ -0,0 +1,141 @@
+{ config, pkgs, lib, ... }:
+{
+  config = {
+    home-manager.users.nixos = {
+      home = {
+        inherit (config.system) stateVersion;
+        username = "nixos";
+        homeDirectory = "/home/nixos";
+        keyboard.layout = "us";
+        file.".gnupg/gpg-hardened.conf" = {
+          text = ''
+            personal-cipher-preferences AES256 AES192 AES
+            personal-digest-preferences SHA512 SHA384 SHA256
+            personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
+            default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
+            cert-digest-algo SHA512
+            s2k-digest-algo SHA512
+            s2k-cipher-algo AES256
+            charset utf-8
+            no-comments
+            no-emit-version
+            no-greeting
+            keyid-format 0xlong
+            list-options show-uid-validity
+            verify-options show-uid-validity
+            with-fingerprint
+            require-cross-certification
+            require-secmem
+            no-symkey-cache
+            armor
+            use-agent
+            throw-keyids
+          '';
+        };
+      };
+
+      services.gpg-agent = {
+        enable = true;
+        enableBashIntegration = true;
+        enableSshSupport = true;
+        pinentry = {
+          package = pkgs.pinentry-curses;
+          program = "pinentry-curses";
+        };
+        defaultCacheTtl = 60;
+        maxCacheTtl = 120;
+      };
+
+      programs.gpg = {
+        enable = true;
+      };
+    };
+
+    programs = {
+      ssh.startAgent = false;
+      gnupg = {
+        dirmngr.enable = true;
+        agent = {
+          enable = true;
+          enableSSHSupport = true;
+        };
+      };
+    };
+
+    swapDevices = [ ];
+
+    services = {
+      pcscd.enable = true;
+      udev.packages = [ pkgs.yubikey-personalization ];
+      getty.autologinUser = "nixos";
+    };
+
+    nix = {
+      channel.enable = false;
+      settings.experimental-features = [ "nix-command" "flakes" ];
+    };
+
+    environment.interactiveShellInit = ''
+      unset HISTFILE
+        export GNUPGHOME="/run/user/$(id -u)/gnupg"
+        if [ ! -d "$GNUPGHOME" ]; then
+          install -m=0700 --directory="$GNUPGHOME"
+        fi
+        [ ! -f "$GNUPGHOME/gpg.conf" ] && cp /home/nixos/gpg-hardened.conf "$GNUPGHOME/gpg.conf"
+        [ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp /home/nixos/gpg-agent.conf "$GNUPGHOME/gpg-agent.conf"
+    '';
+
+    environment.systemPackages = with pkgs; [
+      paperkey
+      pgpdump
+      parted
+      cryptsetup
+      yubikey-manager
+      yubikey-personalization
+      pcsc-tools
+    ];
+
+    boot = {
+      initrd.network.enable = false;
+      tmp.cleanOnBoot = true;
+      kernel.sysctl = {
+        "kernel.unprivileged_bpf_disabled" = 1;
+      };
+    };
+
+    networking = {
+      hostName = "policestation";
+      resolvconf.enable = false;
+      dhcpcd.enable = false;
+      dhcpcd.allowInterfaces = [ ];
+      interfaces = { };
+      firewall.enable = true;
+      useDHCP = false;
+      useNetworkd = false;
+      wireless.enable = false;
+      networkmanager.enable = lib.mkForce false;
+    };
+
+    users.users.nixos = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      initialHashedPassword = "";
+    };
+
+    security.sudo = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
+
+    systemd = {
+      targets = {
+        sleep.enable = false;
+        suspend.enable = false;
+        hibernate.enable = false;
+        hybrid-sleep.enable = false;
+      };
+    };
+
+    system.stateVersion = lib.mkForce "23.05";
+  };
+}