feat: add policestation

2026-04-14 21:29:12 +02:00 · 2026-03-25 22:51:31 +01:00 · 2026-03-25 22:51:31 +01:00 · f22f61ccdb
commit f22f61ccdb
parent 361f77a447
5 changed files with 294 additions and 7 deletions
--- a/install/keygen-config.nix
+++ b/install/keygen-config.nix
@ -0,0 +1,116 @@
+{ config, pkgs, lib, ... }:
+{
+  config = {
+    home-manager.users.nixos = {
+      home = {
+        inherit (config.system) stateVersion;
+        username = "nixos";
+        homeDirectory = "/home/nixos";
+        keyboard.layout = "us";
+      };
+
+      services.gpg-agent = {
+        enable = true;
+        enableBashIntegration = true;
+        enableSshSupport = true;
+        pinentry = {
+          package = pkgs.pinentry-curses;
+          program = "pinentry-curses";
+        };
+        defaultCacheTtl = 60;
+        maxCacheTtl = 120;
+      };
+
+      programs.gpg = {
+        enable = true;
+      };
+    };
+
+    programs = {
+      ssh.startAgent = false;
+      gnupg = {
+        dirmngr.enable = true;
+        agent = {
+          enable = true;
+          enableSSHSupport = true;
+        };
+      };
+    };
+
+    swapDevices = [ ];
+
+    services = {
+      pcscd.enable = true;
+      udev.packages = [ pkgs.yubikey-personalization ];
+      getty.autologinUser = "nixos";
+    };
+
+    nix = {
+      channel.enable = false;
+      settings.experimental-features = [ "nix-command" "flakes" ];
+    };
+
+    environment.interactiveShellInit = ''
+      unset HISTFILE
+      export GNUPGHOME="/run/user/$(id -u)/gnupg"
+      if [ ! -d "$GNUPGHOME" ]; then
+        install -m=0700 --directory="$GNUPGHOME"
+      fi
+      [ ! -f "$GNUPGHOME/gpg.conf" ] && cp /home/nixos/gpg.conf "$GNUPGHOME/gpg.conf"
+      [ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp /home/nixos/gpg-agent.conf "$GNUPGHOME/gpg-agent.conf"
+    '';
+
+    environment.systemPackages = with pkgs; [
+      paperkey
+      pgpdump
+      parted
+      cryptsetup
+      yubikey-manager
+      yubikey-personalization
+      pcsc-tools
+    ];
+
+    boot = {
+      initrd.network.enable = false;
+      tmp.cleanOnBoot = true;
+      kernel.sysctl = {
+        "kernel.unprivileged_bpf_disabled" = 1;
+      };
+    };
+
+    networking = {
+      hostName = "policestation";
+      resolvconf.enable = false;
+      dhcpcd.enable = false;
+      dhcpcd.allowInterfaces = [ ];
+      interfaces = { };
+      firewall.enable = true;
+      useDHCP = false;
+      useNetworkd = false;
+      wireless.enable = false;
+      networkmanager.enable = lib.mkForce false;
+    };
+
+    users.users.nixos = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      initialHashedPassword = "";
+    };
+
+    security.sudo = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
+
+    systemd = {
+      targets = {
+        sleep.enable = false;
+        suspend.enable = false;
+        hibernate.enable = false;
+        hybrid-sleep.enable = false;
+      };
+    };
+
+    system.stateVersion = lib.mkForce "23.05";
+  };
+}