Diffstat (limited to 'profiles/nixos')
-rw-r--r--profiles/nixos/default.nix9
-rw-r--r--profiles/nixos/locale.nix13
-rw-r--r--profiles/nixos/security.nix32
-rw-r--r--profiles/nixos/systemd.nix16
4 files changed, 70 insertions, 0 deletions
diff --git a/profiles/nixos/default.nix b/profiles/nixos/default.nix
new file mode 100644
index 0000000..078ee24
--- /dev/null
+++ b/profiles/nixos/default.nix
@@ -0,0 +1,9 @@
+_: {
+ imports = [
+ ../base
+ ../../users/root
+ ./locale.nix
+ ./security.nix
+ ./systemd.nix
+ ];
+}
diff --git a/profiles/nixos/locale.nix b/profiles/nixos/locale.nix
new file mode 100644
index 0000000..45589ef
--- /dev/null
+++ b/profiles/nixos/locale.nix
@@ -0,0 +1,13 @@
+_: {
+ i18n = {
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ time = {
+ hardwareClockInLocalTime = true;
+ timeZone = "America/New_York";
+ };
+}
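Review bot: `hardwareClockInLocalTime = true` sits in the profile that every NixOS host imports, so all of them keep the RTC in local time. That setting is normally only wanted on machines that dual-boot Windows, and it makes the clock ambiguous around DST changes in `America/New_York`, which can skew log and audit timestamps until time sync corrects them. I would drop the line here and set it in the affected host's own configuration, with a comment such as `# RTC kept in local time for dual boot with Windows`. The hard-coded `timeZone` would also be easier to override per host if the module took `{lib, ...}` and used `timeZone = lib.mkDefault "America/New_York";`.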
diff --git a/profiles/nixos/security.nix b/profiles/nixos/security.nix
new file mode 100644
index 0000000..7ad0069
--- /dev/null
+++ b/profiles/nixos/security.nix
@@ -0,0 +1,32 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ security = {
+ apparmor.enable = lib.mkDefault true;
+ audit.enable = lib.mkDefault true;
+ auditd.enable = lib.mkDefault true;
+ rtkit.enable = true;
+ sudo = {
+ execWheelOnly = true;
+ extraRules = [
+ {
+ users = ["root"];
+ groups = ["root"];
+ commands = ["ALL"];
+ }
+ {
+ users = ["seth"];
+ commands = ["ALL"];
+ }
+ ];
+ };
+ polkit.enable = true;
+ };
+
+ users = {
+ defaultUserShell = pkgs.bash;
+ mutableUsers = false;
+ };
+}
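Review bot: The `extraRules` entry for `users = ["seth"]` hard-codes one account's full sudo grant into a shared profile, and its interaction with `execWheelOnly = true` is undocumented. With that option only members of `wheel` can execute the sudo binary, so the rule takes effect only if seth is in `wheel` (not visible in this diff), in which case the module's default wheel rule presumably already covers it. I would remove the entry and rely on wheel membership declared next to the user, or at least comment it: `# seth must also be in wheel; execWheelOnly restricts the sudo binary to that group`. The `root` entry likewise appears to duplicate the rule NixOS emits by default, and its `groups = ["root"]` extends `ALL` to the whole `root` group. Because `mutableUsers = false` is set in the same file, confirm that every login account has a declared password hash or key before this is deployed.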
diff --git a/profiles/nixos/systemd.nix b/profiles/nixos/systemd.nix
new file mode 100644
index 0000000..0e40e39
--- /dev/null
+++ b/profiles/nixos/systemd.nix
@@ -0,0 +1,16 @@
+{lib, ...}: {
+ services = {
+ journald.extraConfig = ''
+ MaxRetentionSec=1w
+ '';
+ resolved = {
+ enable = lib.mkDefault true;
+ dnssec = "allow-downgrade";
+ extraConfig = ''
+ [Resolve]
+ DNS=1.1.1.1 1.0.0.1
+ DNSOverTLS=yes
+ '';
+ };
+ };
+}
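Review bot: `dnssec = "allow-downgrade"` combined with bare IPs on the `DNS=` line leaves the resolver weaker than the `DNSOverTLS=yes` setting suggests. The downgrade mode lets a network attacker make the server look DNSSEC-unaware and so turn validation off, and without a `#server_name` suffix the TLS certificate can only be checked against the IP address. I would pin the names, `DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com`, and either set `dnssec = "true"` or add a comment explaining why the downgrade is accepted. The `[Resolve]` header inside `extraConfig` looks redundant, since the module presumably writes that section header itself. Separately, `MaxRetentionSec=1w` gives only a week of journal history on hosts that otherwise enable audit logging, so note whether logs are shipped elsewhere.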