first succesful deployment of a nixos using nixos-anywhere #4

nix/configuration.nix

@@ -3,7 +3,7 @@
 {
   imports = [
     ./users/users.nix
-    ./modules/ssh.nix
+    ./modules/security.nix
     ./vps/hetzner/hardware-configuration.nix
     ./modules/zsh.nix
    ];
@@ -11,8 +11,22 @@
   # nix settings
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
-  # Bootloader.
-  boot.loader.grub.enable = true;
+  # Bootloader to work with LUKS
+  boot.loader.grub = {
+    enable = true;
+    # https://github.com/NixOS/nixpkgs/issues/55332
+    device = "nodev";                    # Don't install to MBR
+    efiSupport = true;                   # Enable EFI support
+    enableCryptodisk = true;             # Enable LUKS support
+  };
+  
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # LUKS configuration
+  boot.initrd.luks.devices."crypted" = {
+    device = "/dev/disk/by-partlabel/luks";
+    allowDiscards = true;
+  };
 
   
   boot.initrd.kernelModules = [ "virtio_gpu" ];
@@ -54,9 +68,9 @@
       diskSize = 5000; # 5GB, needed to prevent docker error running out of space
 
       # Networking configuration
-      #forwardPorts = [
-      #  { from = "host"; host.port = 2222; guest.port = 22; }
-      #];
+      forwardPorts = [
+        { from = "host"; host.port = 2222; guest.port = 22; }
+      ];
     };
 
     # Add VM-specific users
@@ -69,8 +83,6 @@
       packages = with pkgs; [  ];
     };
 
-    security.sudo.wheelNeedsPassword = false;
-
     # VM-specific packages
     environment.systemPackages = with pkgs; [
     ];

nix/disko.nix

@@ -11,6 +11,7 @@
             ESP = {
               size = "500M";
               type = "EF00";
+              label = "boot";
               content = {
                 type = "filesystem";
                 format = "vfat";
@@ -20,12 +21,11 @@
             };
             luks = {
               size = "100%";
+              label = "luks";
               content = {
                 type = "luks";
                 name = "crypted";
                 settings.allowDiscards = true; # Enable SSD TRIM support
-                passwordFile = "/tmp/secret.key"; # install time key file location
-                # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
                 content = {
                   type = "filesystem";
                   format = "ext4";

nix/modules/security.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  # providing an ssh configuration
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";                    # Disable root login
+      PasswordAuthentication = false;            # Force SSH key auth only
+      PubkeyAuthentication = true;               # Enable SSH keys
+    };
+    ports = [ 22 ];
+  };
+
+  # other security hardening options can go here
+  security.sudo.wheelNeedsPassword = false;
+}

nix/modules/ssh.nix

@@ -1,8 +0,0 @@
-{ config, pkgs, inputs, ... }:
-
-{
-  services.openssh = {
-    enable = true;
-    # permitRootLogin = "no";
-  };
-}

nix/users/keys/neo.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtePfzkSorgiFNuol/pEYlR0HToDCy9fk8PPfZWMuf3 henrik@strange

nix/users/users.nix

@@ -5,15 +5,18 @@
   users.defaultUserShell = pkgs.zsh;
   users.users.neo = {
     isNormalUser = true;
-    description = "Matrix User 1";
+    description = "Neovim only user";
     extraGroups = [ "networkmanager" "wheel" ];
     shell = pkgs.zsh;
     packages = with pkgs; [ ];
+    openssh.authorizedKeys.keyFiles = [
+      ./keys/neo.pub
+    ];
   };
 
   users.users.morpheus = {
     isNormalUser = true;
-    description = "Matrix User 2";
+    description = "Insert joke here";
     extraGroups = [ "networkmanager" "wheel" ];
     shell = pkgs.zsh;
     packages = with pkgs; [ ];
@@ -21,7 +24,7 @@
 
   users.users.trinity = {
     isNormalUser = true;
-    description = "Matrix User 3";
+    description = "Named after an atom bomb test";
     extraGroups = [ "networkmanager" "wheel" ];
     shell = pkgs.zsh;
     packages = with pkgs; [ ];