nixos/profiles/system.nix

   1 {
   2   config,
   3   pkgs,
   4   lib,
   5   inputs,
   6   ...
   7 }:
   8 with lib;
   9 {
  10   boot.tmp.cleanOnBoot = mkDefault true;
  11   boot.tmp.useTmpfs = mkDefault true;
  12
  13   services.logrotate.enable = true;
  14   # NOTE: mostly useless on a server, and CPU intensive.
  15   documentation = {
  16     enable = mkDefault true;
  17     dev.enable = mkDefault false;
  18     doc.enable = mkDefault true;
  19     info.enable = mkDefault false;
  20     man.enable = mkDefault true;
  21     nixos.enable = mkDefault false;
  22   };
  23   programs.vim.defaultEditor = mkDefault true;
  24   programs.vim.enable = mkDefault true;
  25   environment.variables = {
  26     EDITOR = "vim";
  27     NIXPKGS_CONFIG = mkForce "";
  28     PAGER = "less -R";
  29     SYSTEMD_LESS = "FKMRX";
  30     # Setting TZ= avoids a lot of useless syscalls reading /etc/localtime
  31     # but requires to restart the session to change the time zone for all programs.
  32     TZ = lib.mkDefault (if config.time.timeZone != null then config.time.timeZone else "Europe/Paris");
  33   };
  34   home-manager.users.root = {
  35     imports = [
  36       ../../home-manager/options.nix
  37       ../../home-manager/profiles/essential.nix
  38     ];
  39     services.gpg-agent.pinentry.package = pkgs.pinentry-curses;
  40   };
  41   nix = {
  42     settings.auto-optimise-store = mkDefault true;
  43     gc.automatic = mkDefault true;
  44     gc.dates = mkDefault "weekly";
  45     gc.options = mkDefault "--delete-older-than 7d";
  46     package = pkgs.nixVersions.stable;
  47     settings.experimental-features = [
  48       "nix-command"
  49       "flakes"
  50     ];
  51   };
  52   nixpkgs.flake = {
  53     # ExplanationNote: avoid the NixOS closure
  54     # to depend on the nixpkgs sources,
  55     # which adds useless closure size
  56     # for systems where nix commands are not run.
  57     setNixPath = lib.mkDefault false;
  58     setFlakeRegistry = lib.mkDefault false;
  59   };
  60   security.lockKernelModules = false;
  61   services.journald = {
  62     extraConfig = ''
  63       Compress=true
  64       MaxRetentionSec=1month
  65       Storage=persistent
  66       SystemMaxUse=100M
  67     '';
  68   };
  69   # none is the recommended elevator for SSD, whereas HDD could use mq-deadline.
  70   services.udev.extraRules = ''
  71     ACTION=="add|change", KERNEL=="sd[a-z][0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
  72     ACTION=="add|change", KERNEL=="nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
  73   '';
  74   systemd.oomd = {
  75     enable = mkDefault true;
  76     enableRootSlice = mkDefault true;
  77     enableSystemSlice = mkDefault true;
  78     enableUserSlices = mkDefault true;
  79   };
  80   systemd.services.sshd = {
  81     serviceConfig = {
  82       ManagedOOMPreference = "omit";
  83     };
  84   };
  85   /*
  86     system.nixos.versionSuffix = ".${
  87     substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
  88     inputs.self.shortRev or "dirty"}";
  89     system.nixos.revision = mkIf (inputs.self ? rev) inputs.self.rev;
  90   */
  91   # Let 'nixos-version --json' know about the Git revision of this flake.
  92   system.configurationRevision = mkIf (inputs.self ? rev) inputs.self.rev;
  93   /*
  94     system.configurationRevision =
  95     if inputs.self ? rev
  96     then inputs.self.rev
  97     else throw "Refusing to build from a dirty Git tree!";
  98   */
  99   users.mutableUsers = false;
 100 }