feat: add initialdeploy hashed password to root

README.md

@@ -39,7 +39,6 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
-| [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
@@ -58,7 +57,6 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
-[glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine

base/default.nix

@@ -84,6 +84,8 @@
 
   # users.mutableUsers = lib.mkDefault false;
 
+  users.users.root.initialHashedPassword = "$y$j9T$ahP6GAdttD17OMBo7Yqeh.$Ad7qBcFvTL7HrJ9uTtrQzksN3220Nj9t/CrP6DwgK34"; # generated using mkpasswd, see huttiheita root on vaultwarden
+
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/hardening.nix

@@ -7,13 +7,7 @@
     "ax25"
     "batman-adv"
     "can"
-    "dccp"
-    "ipx"
-    "llc"
-    "n-hdlc"
     "netrom"
-    "p8022"
-    "p8023"
     "psnap"
     "rds"
     "rose"
@@ -29,6 +23,7 @@
     "cramfs"
     "efs"
     "exofs"
+    "orangefs"
     "freevxfs"
     "gfs2"
     "hfs"
@@ -40,12 +35,10 @@
     "nilfs2"
     "ntfs"
     "omfs"
-    "orangefs"
     "qnx4"
     "qnx6"
     "sysv"
     "ubifs"
-    "udf"
     "ufs"
 
     # Legacy hardware

base/mitigations.nix

@@ -1,24 +1,17 @@
-{ pkgs, lib, ... }:
+{ ... }:
-let
-  modulesToBan = [
-    # copy.fail
-    "af_alg"
-    "algif_aead"
-    "algif_hash"
-    "algif_rng"
-    "algif_skcipher"
 
-    # dirtyfrag / Fragnesia
-    "esp4"
-    "esp6"
-    "rxrpc"
-
-    # PinTheft
-    "rds"
-  ];
-in
 {
-  boot.blacklistedKernelModules = modulesToBan;
+  boot.blacklistedKernelModules = [
-
+  "rxrpc" # dirtyfrag
-  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
+  "esp6" # dirtyfrag
+  "esp4" # dirtyfrag
+];
+boot.extraModprobeConfig = ''
+  # dirtyfrag
+  install esp4 /bin/false
+  # dirtyfrag
+  install esp6 /bin/false
+  # dirtyfrag
+  install rxrpc /bin/false
+'';
 }

base/services/acme.nix

@@ -8,6 +8,5 @@
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
   virtualisation.vmVariant = {
     security.acme.defaults.server = "https://127.0.0.1";
-    users.users.root.initialPassword = "root";
   };
 }

hosts/bicep/services/matrix/livekit.nix

@@ -64,11 +64,4 @@ in
       '';
     };
   };
-
-  networking.firewall.allowedUDPPortRanges = [
-    {
-      from = cfg.settings.rtc.port_range_start;
-      to = cfg.settings.rtc.port_range_end;
-    }
-  ];
 }

hosts/bicep/services/postgresql/cleanup-timers.nix

@@ -1,37 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.postgresql;
-in
-{
-  config = lib.mkIf cfg.enable {
-    systemd.services = {
-      postgresql-repack = {
-        requires = [ "postgresql.service" ];
-        after = [ "postgresql.target" ];
-        description = "Repack all PostgreSQL databases";
-        startAt = "Mon 06:00:00";
-        serviceConfig = {
-          Type = "oneshot";
-          User = "postgres";
-          Group = "postgres";
-
-          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --port=${builtins.toString cfg.settings.port} --all";
-        };
-      };
-
-      postgresql-vacuum-analyze = {
-        requires = [ "postgresql.service" ];
-        after = [ "postgresql.target" ];
-        description = "Vacuum and analyze all PostgreSQL databases";
-        startAt = "Tue 06:00:00";
-        serviceConfig = {
-          Type = "oneshot";
-          User = "postgres";
-          Group = "postgres";
-
-          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
-        };
-      };
-    };
-  };
-}

hosts/bicep/services/postgresql/default.nix

@@ -3,15 +3,11 @@ let
   cfg = config.services.postgresql;
 in
 {
-  imports = [
+  imports = [ ./backup.nix ];
-    ./backup.nix
-    ./cleanup-timers.nix
-  ];
 
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_18;
-    extensions = ps: with ps; [ pg_repack ];
     enableTCPIP = true;
 
     authentication = ''

hosts/gluttony/hardware-configuration.nix

@@ -22,7 +22,7 @@
     "sd_mod"
   ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
@@ -31,7 +31,7 @@
   };
 
   fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/BD97-FCA0";
+    device = "/dev/disk/by-uuid/933A-3005";
     fsType = "vfat";
     options = [
       "fmask=0077"

hosts/ildkule/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-1.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-3.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

hosts/lupine/hardware-configuration/lupine-5.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:

values.nix

@@ -86,10 +86,10 @@ in rec {
       ipv6 = pvv-ipv6 167;
     };
     gluttony = {
-      ipv4 = "129.241.100.37";
+      ipv4 = "129.241.100.118";
-      ipv4_internal = "192.168.1.219";
+      ipv4_internal = "192.168.20.77";
-      ipv4_internal_gw = "192.168.1.1";
+      ipv4_internal_gw = "192.168.20.1";
-      ipv6 = "2001:700:305:8a0f:f816:3eff:fe9b:7a46";
+      ipv6 = "2001:700:305:aa07::3b3";
     };
     wenche = {
       ipv4 = pvv-ipv4 240;