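# Shared NixOS defaults for every host of this configuration.
#
# Module arguments (standard NixOS module signature):
#   inputs  - the flake inputs; `inputs.self` is used below to expose this
#             repository's nixpkgs overlays under /etc/nixpkgs-overlays.
#   pkgs    - the package set; `pkgs.path` is exposed as /etc/nixpkgs.
#   lib     - nixpkgs library (mkDefault, mkForce, readFile).
#   config  - the evaluated configuration; only networking.hostName and
#             networking.domain are read from it.
{ inputs, pkgs, lib, config, ... }:
let
  # hostName/domain feed the /etc/hosts entries and the DNS search list below.
  inherit (config.networking) hostName domain;
in
{
  imports = [
    ./modules.nix
    defaults/predictable-interface-names.nix
  ];

  nix = {
    #binaryCaches = lib.mkForce [];
    extraOptions = ''
    '';
    # Use gc.automatic to keep disk space under control.
    # Everything is mkDefault so a host can override the schedule.
    gc = {
      automatic = lib.mkDefault true;
      dates = lib.mkDefault "weekly";
      options = lib.mkDefault "--delete-older-than 30d";
    };
    nixPath = [
      # WARNING: this is a hack to avoid copying Nixpkgs
      # a second time into the Nix store.
      # It makes only sense when Nixpkgs is already in the Nix store,
      # and is registered.
      "nixpkgs=/etc/nixpkgs:nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
    ];
  };
  # Targets of the nixPath entries above: the exact nixpkgs this system was
  # built from, and this repository's overlays, so ad-hoc `nix-*` commands
  # on the host evaluate the same package set as the system closure.
  environment.etc."nixpkgs".source = pkgs.path;
  environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  nixpkgs = {
    config = {
      # Unfree packages are refused at evaluation time; a host that needs one
      # has to opt in explicitly.
      allowUnfree = false;
      /*
      packageOverrides = pkgs: {
        postfix = pkgs.postfix.override {
          withLDAP = true;
        };
      };
      */
    };
  };

  documentation.nixos = {
    enable = false; # NOTE: useless on a server, and CPU intensive.
  };

  time = {
    timeZone = "Europe/Paris";
  };

  i18n = {
    defaultLocale = "fr_FR.UTF-8";
  };

  console = {
    font = "Lat2-Terminus16";
    keyMap = "fr";
  };

  # Always try to start all the units (default.target)
  # because systemd's emergency shell does not try to start sshd.
  # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_machine
  systemd.enableEmergencyMode = false;

  # This is a remote headless server: always reboot on a kernel panic,
  # to not have to physically go power cycle the apu2e4.
  # Which happens if the wrong ZFS password is used
  # but the boot is manually forced to continue.
  # Using kernelParams instead of kernel.sysctl
  # sets this up as soon as the initrd.
  boot.kernelParams = [ "panic=10" ];

  # /tmp lives in RAM and is emptied at every boot, so nothing left there
  # survives a reboot.
  # NOTE(review): these two options were renamed to boot.tmp.cleanOnBoot /
  # boot.tmp.useTmpfs in newer NixOS releases — confirm against the pinned
  # nixpkgs before upgrading.
  boot.cleanTmpDir = true;
  boot.tmpOnTmpfs = true;

  networking = {
    # Fix hostname --fqdn
    # See: https://github.com/NixOS/nixpkgs/issues/10183#issuecomment-537629621
    # mkForce wins over the entries the openssh/networking modules generate.
    hosts = {
      "127.0.1.1" = lib.mkForce [ "${hostName}.${domain}" hostName ];
      "::1" = lib.mkForce [ "${hostName}.${domain}" hostName "localhost" ];
    };
    search = [ domain ];
  };

  services = {
    openssh = {
      enable = true;
      # Key-based authentication only: password logins are refused.
      # NOTE(review): keyboard-interactive (PAM) authentication is a separate
      # sshd setting (kbdInteractiveAuthentication, moved under
      # services.openssh.settings in newer NixOS) and is not disabled here;
      # check the generated sshd_config on a host if password-like prompts
      # must be ruled out entirely.
      passwordAuthentication = false;
      extraConfig = ''
      '';
    };
    journald = {
      # Persistent, compressed journal kept for 3 months and capped at 500M,
      # so logs from before a reboot are still available for investigation.
      extraConfig = ''
        Compress=true
        MaxRetentionSec=3month
        Storage=persistent
        SystemMaxUse=500M
      '';
    };
  };

  # Diagnostic and administration tools available system-wide
  # (network and I/O monitoring, packet capture, process inspection).
  environment.systemPackages = with pkgs; [
    binutils
    bmon
    conntrack-tools
    #dnsutils
    dstat
    gnupg
    htop
    inetutils
    iftop
    iotop
    ldns
    linuxPackages.cpupower
    lsof
    mailutils
    multitail
    ncdu
    nethogs
    nload
    nmon
    pv
    swaplist
    stress
    tcpdump
    tmux
    tree
    vim
    which
  ];
  # Pager flags used by systemctl/journalctl when they invoke less.
  environment.variables.SYSTEMD_LESS = "FKMRX";
  # Readline configuration shipped from this repository (read at eval time).
  environment.etc."inputrc".text = lib.readFile defaults/readline/inputrc;

  programs = {
    bash = {
      interactiveShellInit = ''
        bind '"\e[A":history-search-backward'
        bind '"\e[B":history-search-forward'

        # Ignore duplicate commands, ignore commands starting with a space
        export HISTCONTROL=erasedups:ignorespace
        export HISTSIZE=42000

        # Append to the history instead of overwriting (good for multiple connections)
        shopt -s histappend

        # Enable ** file pattern
        shopt -s globstar

        # Convenient mkdir wrapper
        mkcd() { mkdir -p "$1" && cd "$1"; }
      '';
      # Short aliases for day-to-day administration; the privileged ones
      # go through sudo explicitly rather than relying on a root shell.
      shellAliases = {
        cl = "clear";
        l = "ls -alh";
        ll = "ls -al";
        ls = "ls --color=tty";
        mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";

        s = "sudo systemctl";
        st = "sudo systemctl status";
        s-u = "systemctl --user";
        j = "sudo journalctl -u";

        nixos-clean = "sudo nix-collect-garbage -d";
        nixos-history = "sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
        nixos-rollback = "sudo nixos-rebuild switch --rollback";
        nixos-update = "sudo nix-channel --update";
        nixos-upgrade = "sudo nixos-rebuild switch";
        nixos-upstream = "sudo nix-channel --list";
      };
    };
    gnupg = {
      agent = {
        # NOTE(review): agent.enable is not set in this file; confirm the
        # pinentry flavor takes effect for hosts that enable the agent
        # elsewhere.
        pinentryFlavor = "curses";
      };
    };
    # NOTE(review): the mosh module opens its UDP port range in the firewall
    # by default (programs.mosh.openFirewall) — this is an additional
    # listening surface beyond sshd; set openFirewall = false on hosts that
    # do not need it.
    mosh.enable = true;
    # NOTE(review): programs.mtr installs a privileged wrapper for raw
    # sockets (mtr-packet) usable by any local user — verify that is intended
    # on every host importing these defaults.
    mtr.enable = true;
  };
}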