+m3-hermes

hosts/m3-hermes/configuration.nix

@@ -0,0 +1,43 @@
+{pkgs, ...}: {
+  imports = [
+    ./disko-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  # Bootloader.
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking.hostName = "m3-hermes";
+  networking.hostId = "a1b2c3d4"; # TODO: Generate unique hostId
+  networking.networkmanager.enable = true;
+  time.timeZone = "Europe/Berlin";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  environment.systemPackages = with pkgs; [neovim git];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
+
+  services.fstrim = {
+    enable = true;
+    interval = "weekly";
+  };
+
+  # Firewall: outbound only, SSH inbound
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [22]; # SSH only
+    allowedUDPPorts = [];
+    allowPing = false;
+  };
+
+  system.stateVersion = "25.05";
+}