+maint/clarity(ssh): systemd-ssh-proxy is enabled by default

[julm/julm-nix.git] / nixos / profiles / system.nix

{
  config,
  pkgs,
  lib,
  inputs,
  ...
}:
with lib;
{
  boot.tmp.cleanOnBoot = mkDefault true;
  boot.tmp.useTmpfs = mkDefault true;
  boot.tmp.tmpfsHugeMemoryPages = mkDefault "within_size";
  fileSystems = mkIf config.boot.tmp.useTmpfs {
    # NIX_STATE_DIR, where nix (>= 2.30) builds.
    "/nix/var/nix/builds" = {
      fsType = "tmpfs";
      options = [
        #"mode=755"
        "nosuid"
        "nodev"
        "rw"
        "size=${toString config.boot.tmp.tmpfsSize}"
        "huge=${config.boot.tmp.tmpfsHugeMemoryPages}"
      ];
    };
  };

  services.logrotate.enable = true;
  # NOTE: mostly useless on a server, and CPU intensive.
  documentation = {
    enable = mkDefault true;
    dev.enable = mkDefault false;
    doc.enable = mkDefault true;
    info.enable = mkDefault false;
    man.enable = mkDefault true;
    nixos.enable = mkDefault false;
  };
  programs.ssh.systemd-ssh-proxy.enable = true;
  programs.vim.defaultEditor = mkDefault true;
  programs.vim.enable = mkDefault true;
  environment.variables = {
    EDITOR = "vim";
    NIXPKGS_CONFIG = mkForce "";
    PAGER = "less -R";
    SYSTEMD_LESS = "FKMRX";
    # Setting TZ= avoids a lot of useless syscalls reading /etc/localtime
    # but requires to restart the session to change the time zone for all programs.
    TZ = lib.mkDefault (if config.time.timeZone != null then config.time.timeZone else "Europe/Paris");
  };
  home-manager.users.root = {
    imports = [
      ../../home-manager/options.nix
      ../../home-manager/profiles/essential.nix
    ];
    services.gpg-agent.pinentry.package = pkgs.pinentry-curses;
  };
  nix = {
    settings.auto-optimise-store = mkDefault true;
    gc.automatic = mkDefault true;
    gc.dates = mkDefault "weekly";
    gc.options = mkDefault "--delete-older-than 7d";
    package = pkgs.nixVersions.stable;
    settings.experimental-features = [
      "nix-command"
      "flakes"
    ];
  };
  nixpkgs.flake = {
    # ExplanationNote: avoid the NixOS closure
    # to depend on the nixpkgs sources,
    # which adds useless closure size
    # for systems where nix commands are not run.
    setNixPath = lib.mkDefault false;
    setFlakeRegistry = lib.mkDefault false;
  };
  security.lockKernelModules = false;
  services.journald = {
    extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=100M
    '';
  };
  # none is the recommended elevator for SSD, whereas HDD could use mq-deadline.
  services.udev.extraRules = ''
    ACTION=="add|change", KERNEL=="sd[a-z][0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
    ACTION=="add|change", KERNEL=="nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
  '';
  systemd.oomd = {
    enable = mkDefault true;
    enableRootSlice = mkDefault true;
    enableSystemSlice = mkDefault true;
    enableUserSlices = mkDefault true;
  };
  systemd.services.sshd = {
    serviceConfig = {
      ManagedOOMPreference = "omit";
    };
  };
  /*
    system.nixos.versionSuffix = ".${
    substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
    inputs.self.shortRev or "dirty"}";
    system.nixos.revision = mkIf (inputs.self ? rev) inputs.self.rev;
  */
  # Let 'nixos-version --json' know about the Git revision of this flake.
  system.configurationRevision = mkIf (inputs.self ? rev) inputs.self.rev;
  /*
    system.configurationRevision =
    if inputs.self ? rev
    then inputs.self.rev
    else throw "Refusing to build from a dirty Git tree!";
  */
  users.mutableUsers = false;
}