gpg-agent: prepare for deprecated pinentryFlavor
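# nixos/profiles/system.nix
#
# Base system profile: temporary files, documentation, shell environment,
# root's home-manager setup, Nix daemon/flake settings, journald retention,
# I/O scheduler rules, systemd-oomd and declarative user management.
#
# Module arguments:
#   config - the evaluated NixOS configuration (read for time.timeZone).
#   pkgs   - the package set (used for the Nix package).
#   lib    - Nixpkgs library (brought into scope with `with lib;`).
#   inputs - the flake inputs (read for inputs.nixpkgs.rev and inputs.self.rev).
{ config, pkgs, lib, inputs, ... }:
with lib;
{
  # /tmp lives in RAM and is wiped at boot, so nothing dropped there survives a restart.
  boot.tmp.cleanOnBoot = mkDefault true;
  boot.tmp.useTmpfs = mkDefault true;

  services.logrotate.enable = true;

  # NOTE: mostly useless on a server, and CPU intensive.
  documentation = {
    enable = mkDefault true;
    dev.enable = mkDefault false;
    doc.enable = mkDefault true;
    info.enable = mkDefault false;
    man.enable = mkDefault true;
    nixos.enable = mkDefault false;
  };

  programs.vim.defaultEditor = mkDefault true;
  environment.variables = {
    EDITOR = "vim";
    # Forced empty; presumably so that Nixpkgs evaluations on this host
    # do not pick up a host-wide configuration file. TODO confirm intent.
    NIXPKGS_CONFIG = mkForce "";
    PAGER = "less -R";
    SYSTEMD_LESS = "FKMRX";
    # Setting TZ= avoids a lot of useless syscalls reading /etc/localtime
    # but requires to restart the session to change the time zone for all programs.
    TZ = lib.mkDefault (if config.time.timeZone != null then config.time.timeZone else "Europe/Paris");
  };

  home-manager.users.root = {
    imports = [
      ../../home-manager/options.nix
      ../../home-manager/profiles/essential.nix
    ];
    # Terminal pinentry for root's gpg-agent.
    # pinentryFlavor is being deprecated; the commented line below is the
    # replacement to switch to once the pinned home-manager provides it.
    services.gpg-agent.pinentryFlavor = "curses";
    #services.gpg-agent.pinentryPackage = pkgs.pinentry-curses;
  };

  nix = {
    settings.auto-optimise-store = mkDefault true;
    gc.automatic = mkDefault true;
    gc.dates = mkDefault "weekly";
    gc.options = mkDefault "--delete-older-than 7d";
    # Empty NIX_PATH: `<nixpkgs>`-style lookups do not resolve through channels;
    # the flake registry entry below is the only source for `nixpkgs`.
    nixPath = mkForce [ ];
    # Pin the rev to the revision of the public Nixpkgs that the system was built from.
    # This is the version which will be locked by flakes using flake:nixpkgs
    #registry.nixpkgs = mkDefault { flake = inputs.nixpkgs; };
    registry.nixpkgs = {
      from = { id = "nixpkgs"; type = "indirect"; };
      to = {
        owner = "NixOS";
        repo = "nixpkgs";
        inherit (inputs.nixpkgs) rev;
        type = "github";
      };
    };
    # NOTE(review): newer nixpkgs/Nix releases are believed to drop the
    # `nixFlakes` alias and the `repl-flake` feature name; confirm against
    # the pinned nixpkgs before upgrading.
    package = pkgs.nixFlakes;
    settings.experimental-features = [ "nix-command" "flakes" "repl-flake" ];
  };

  # Kernel module loading is explicitly left enabled after boot.
  # Setting this to true would disable module loading once the system is up,
  # which reduces the attack surface but breaks late hardware/module loading.
  security.lockKernelModules = false;

  services.journald = {
    # Persistent, compressed journal. SystemMaxUse is a hard cap: once 100M is
    # reached the oldest entries are dropped even if they are younger than
    # MaxRetentionSec, so a noisy host may keep far less than one month.
    # If the journal is relied on for incident investigation, size the cap
    # accordingly or forward logs off-host.
    extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=100M
    '';
  };

  # none is the recommended elevator for SSD, whereas HDD could use mq-deadline.
  services.udev.extraRules = ''
    ACTION=="add|change", KERNEL=="sd[a-z][0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
    ACTION=="add|change", KERNEL=="nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
  '';

  systemd.oomd = {
    enable = mkDefault true;
    enableRootSlice = mkDefault true;
    enableSystemSlice = mkDefault true;
    enableUserServices = mkDefault true;
  };

  # Keep the SSH daemon out of systemd-oomd's kill candidates so remote
  # administration stays possible under memory pressure.
  # NixOS names the OpenSSH unit `sshd` (the *option* namespace is
  # services.openssh); `systemd.services.openssh` would only declare an
  # unrelated, empty unit and leave sshd unprotected.
  # NOTE(review): socket-activated setups (services.openssh.startWhenNeeded)
  # use a templated unit instead; adjust if that option is enabled.
  systemd.services.sshd = {
    serviceConfig = {
      ManagedOOMPreference = "omit";
    };
  };

  /*
    system.nixos.versionSuffix = ".${
    substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
    inputs.self.shortRev or "dirty"}";
    system.nixos.revision = mkIf (inputs.self ? rev) inputs.self.rev;
  */
  # Let 'nixos-version --json' know about the Git revision of this flake.
  # A build from a dirty Git tree has no `rev`, so the resulting system carries
  # no configuration revision and cannot be traced back to a commit; the
  # commented alternative below refuses such builds instead.
  system.configurationRevision = mkIf (inputs.self ? rev) inputs.self.rev;
  /*
    system.configurationRevision =
    if inputs.self ? rev
    then inputs.self.rev
    else throw "Refusing to build from a dirty Git tree!";
  */

  # Users and groups come from the configuration only: changes made at runtime
  # with passwd/useradd do not persist, and passwords have to be supplied
  # declaratively (as hashes, never as plain text in the repository).
  users.mutableUsers = false;
}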