+{ lib, ... }:
+with lib;
{
+ imports = [
+ ./ssh.nix
+ ];
+
# On a remote headless server: always reboot on a kernel panic,
# to not have to physically go power cycle the server.
# Which may happen for instance if the wrong ZFS password is used
# sets this up as soon as the initrd.
boot.kernelParams = [ "panic=10" ];
- programs.gnupg.agent.pinentryFlavor = "curses";
- programs.mosh.enable = mkDefault true;
+ programs.gnupg.agent.pinentryPackage = pkgs.pinentry-curses;
+
+ systemd = {
+ # Always try to start all the units (default.target)
+ # because systemd's emergency shell does not try to start sshd.
+ # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
+ enableEmergencyMode = false;
- # Always try to start all the units (default.target)
- # because systemd's emergency shell does not try to start sshd.
- # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
- systemd.enableEmergencyMode = false;
+ # See https://0pointer.de/blog/projects/watchdog.html
+ # systemd will send a signal to the hardware watchdog at half
+ # the interval defined here, so every 60s.
+ # If the hardware watchdog does not get a signal for 120s,
+ # it will forcefully reboot the system.
+ watchdog.runtimeTime = mkDefault "120s";
- services.openssh.enable = true;
+ # Forcefully reboot if the final stage of the reboot
+ # hangs without progress for more than 120s.
+ # See https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+ watchdog.rebootTime = mkDefault "120s";
+ };
}
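Review bot: `pkgs.pinentry-curses` on the `pinentryPackage` line references `pkgs`, but the module's argument set on the first line is `{ lib, ... }:` and `with lib;` does not bring `pkgs` into scope, so evaluating this module should fail with an undefined-variable error; change the header to `{ lib, pkgs, ... }:`. The removed `services.openssh.enable = true;` is presumably now set by the imported `./ssh.nix`, which is outside the hunk — worth confirming, since the `enableEmergencyMode` and watchdog settings kept here are justified by preserving remote ssh access to a headless host, and `programs.mosh.enable` is dropped without a replacement in this file. If sshd is no longer enabled anywhere, a host that hits the watchdog or panic paths will reboot but remain unreachable.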