nixos/profiles/system.nix

   1 {
   2   config,
   3   pkgs,
   4   lib,
   5   inputs,
   6   ...
   7 }:
   8 with lib;
   9 {
  10   boot.tmp.cleanOnBoot = mkDefault true;
  11   boot.tmp.useTmpfs = mkDefault true;
  12
  13   services.logrotate.enable = true;
  14   # NOTE: mostly useless on a server, and CPU intensive.
  15   documentation = {
  16     enable = mkDefault true;
  17     dev.enable = mkDefault false;
  18     doc.enable = mkDefault true;
  19     info.enable = mkDefault false;
  20     man.enable = mkDefault true;
  21     nixos.enable = mkDefault false;
  22   };
  23   programs.vim.defaultEditor = mkDefault true;
  24   programs.vim.enable = mkDefault true;
  25   environment.variables = {
  26     EDITOR = "vim";
  27     NIXPKGS_CONFIG = mkForce "";
  28     PAGER = "less -R";
  29     SYSTEMD_LESS = "FKMRX";
  30     # Setting TZ= avoids a lot of useless syscalls reading /etc/localtime
  31     # but requires to restart the session to change the time zone for all programs.
  32     TZ = lib.mkDefault (if config.time.timeZone != null then config.time.timeZone else "Europe/Paris");
  33   };
  34   home-manager.users.root = {
  35     imports = [
  36       ../../home-manager/options.nix
  37       ../../home-manager/profiles/essential.nix
  38     ];
  39     services.gpg-agent.pinentryPackage = pkgs.pinentry-curses;
  40   };
  41   nix = {
  42     settings.auto-optimise-store = mkDefault true;
  43     gc.automatic = mkDefault true;
  44     gc.dates = mkDefault "weekly";
  45     gc.options = mkDefault "--delete-older-than 7d";
  46     nixPath = mkForce [ ];
  47     # Pin the rev to the revision of the public Nixpkgs that the system was built from.
  48     # This is the version which will be locked by flakes using flake:nixpkgs
  49     #registry.nixpkgs = mkDefault { flake = inputs.nixpkgs; };
  50     registry.nixpkgs = {
  51       from = {
  52         id = "nixpkgs";
  53         type = "indirect";
  54       };
  55       to = {
  56         owner = "NixOS";
  57         repo = "nixpkgs";
  58         inherit (inputs.nixpkgs) rev;
  59         # May be overriden by nixos/modules/installer/cd-dvd/channel.nix
  60         type = mkDefault "github";
  61       };
  62     };
  63     package = pkgs.nixVersions.stable;
  64     settings.experimental-features = [
  65       "nix-command"
  66       "flakes"
  67     ];
  68   };
  69   security.lockKernelModules = false;
  70   services.journald = {
  71     extraConfig = ''
  72       Compress=true
  73       MaxRetentionSec=1month
  74       Storage=persistent
  75       SystemMaxUse=100M
  76     '';
  77   };
  78   # none is the recommended elevator for SSD, whereas HDD could use mq-deadline.
  79   services.udev.extraRules = ''
  80     ACTION=="add|change", KERNEL=="sd[a-z][0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
  81     ACTION=="add|change", KERNEL=="nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
  82   '';
  83   systemd.oomd = {
  84     enable = mkDefault true;
  85     enableRootSlice = mkDefault true;
  86     enableSystemSlice = mkDefault true;
  87     enableUserSlices = mkDefault true;
  88   };
  89   systemd.services.sshd = {
  90     serviceConfig = {
  91       ManagedOOMPreference = "omit";
  92     };
  93   };
  94   /*
  95     system.nixos.versionSuffix = ".${
  96     substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
  97     inputs.self.shortRev or "dirty"}";
  98     system.nixos.revision = mkIf (inputs.self ? rev) inputs.self.rev;
  99   */
 100   # Let 'nixos-version --json' know about the Git revision of this flake.
 101   system.configurationRevision = mkIf (inputs.self ? rev) inputs.self.rev;
 102   /*
 103     system.configurationRevision =
 104     if inputs.self ? rev
 105     then inputs.self.rev
 106     else throw "Refusing to build from a dirty Git tree!";
 107   */
 108   users.mutableUsers = false;
 109 }