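# Baseline NixOS module (nixos/defaults.nix): Nix store/GC settings, Nixpkgs
# exposure under /etc, locale/console, a headless-server boot policy, hostname
# resolution, sshd/journald settings, a common tool set and interactive shell
# setup. Values wrapped in lib.mkDefault can be overridden per host; values
# wrapped in lib.mkForce cannot.
#
# Arguments:
#   flakes  - the flake inputs (flakes.nixpkgs, flakes.self are used here)
#   pkgs    - the package set used for environment.systemPackages
#   lib     - nixpkgs lib (mkDefault, mkForce, readFile)
#   config  - the evaluated NixOS config; only networking.hostName/domain are read
{ flakes, pkgs, lib, config, ... }:
let
  inherit (config.networking) hostName domain;
in
{
  imports = [
    ./modules.nix
    defaults/predictable-interface-names.nix
  ];

  nix = {
    #binaryCaches = lib.mkForce [];
    extraOptions = ''
    '';
    # Use gc.automatic to keep disk space under control.
    gc = {
      automatic = lib.mkDefault true;
      dates = lib.mkDefault "weekly";
      options = lib.mkDefault "--delete-older-than 30d";
    };
    nixPath = [
      # WARNING: this is a hack to avoid copying Nixpkgs
      # a second time into the Nix store.
      # It makes only sense when Nixpkgs is already in the Nix store,
      # and is registered.
      "nixpkgs=/etc/nixpkgs:nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
    ];
  };
  # The two /etc entries referenced by the nixPath entry above:
  # the flake's pinned Nixpkgs and this repository's own overlays.
  environment.etc."nixpkgs".source = flakes.nixpkgs;
  environment.etc."nixpkgs-overlays".source = flakes.self + "/nixpkgs";

  nixpkgs = {
    config = {
      allowUnfree = false;
      /*
      packageOverrides = pkgs: {
        postfix = pkgs.postfix.override {
          withLDAP = true;
        };
      };
      */
    };
    overlays = import (flakes.self + "/nixpkgs/overlays.nix");
  };

  documentation.nixos = {
    enable = false; # NOTE: useless on a server, and CPU intensive.
  };

  time = {
    timeZone = "Europe/Paris";
  };

  i18n = {
    defaultLocale = "fr_FR.UTF-8";
  };

  console = {
    font = "Lat2-Terminus16";
    keyMap = "fr";
  };

  # Always try to start all the units (default.target)
  # because systemd's emergency shell does not try to start sshd.
  # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_machine
  systemd.enableEmergencyMode = false;

  # This is a remote headless server: always reboot on a kernel panic,
  # to not have to physically go power cycle the apu2e4.
  # Which happens if the wrong ZFS password is used
  # but the boot is manually forced to continue.
  # Using kernelParams instead of kernel.sysctl
  # sets this up as soon as the initrd.
  boot.kernelParams = [ "panic=10" ];

  # /tmp is wiped at boot and kept in RAM rather than on the root filesystem.
  boot.cleanTmpDir = true;
  boot.tmpOnTmpfs = true;

  networking = {
    # Fix hostname --fqdn
    # See: https://github.com/NixOS/nixpkgs/issues/10183#issuecomment-537629621
    hosts = {
      "127.0.1.1" = lib.mkForce [ "${hostName}.${domain}" hostName ];
      "::1" = lib.mkForce [ "${hostName}.${domain}" hostName "localhost" ];
    };
    search = [ domain ];
  };

  services = {
    openssh = {
      enable = true;
      # Key-based logins only. PAM-backed keyboard-interactive authentication
      # is a separate sshd setting and can still prompt for a password when
      # left at its default, so it is disabled as well; otherwise
      # passwordAuthentication = false alone does not enforce key-only logins.
      # (Newer NixOS releases name this option kbdInteractiveAuthentication.)
      passwordAuthentication = false;
      challengeResponseAuthentication = false;
      extraConfig = ''
      '';
    };
    journald = {
      # Persist the journal to disk, compressed, capped at 500M and 3 months.
      extraConfig = ''
        Compress=true
        MaxRetentionSec=3month
        Storage=persistent
        SystemMaxUse=500M
      '';
    };
  };

  # Diagnostic and administration tools available on every host.
  environment.systemPackages = with pkgs; [
    binutils
    bmon
    conntrack-tools
    #dnsutils
    dstat
    gnupg
    htop
    inetutils
    iftop
    iotop
    ldns
    linuxPackages.cpupower
    lsof
    mailutils
    multitail
    ncdu
    nethogs
    nload
    nmon
    pv
    swaplist
    tcpdump
    tmux
    tree
    vim
    which
  ];
  # Options handed to less by the systemctl/journalctl pagers.
  environment.variables.SYSTEMD_LESS = "FKMRX";
  # Readline configuration shipped with this repository.
  environment.etc."inputrc".text = lib.readFile defaults/readline/inputrc;

  programs = {
    bash = {
      interactiveShellInit = ''
        bind '"\e[A":history-search-backward'
        bind '"\e[B":history-search-forward'

        # Ignore duplicate commands, ignore commands starting with a space
        export HISTCONTROL=erasedups:ignorespace
        export HISTSIZE=42000

        # Append to the history instead of overwriting (good for multiple connections)
        shopt -s histappend

        # Enable ** file pattern
        shopt -s globstar

        # Convenient mkdir wrapper
        mkcd() { mkdir -p "$1" && cd "$1"; }
      '';
      shellAliases = {
        cl = "clear";
        l = "ls -alh";
        ll = "ls -al";
        ls = "ls --color=tty";
        mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";

        s = "sudo systemctl";
        st = "sudo systemctl status";
        s-u = "systemctl --user";
        j = "sudo journalctl -u";

        nixos-clean = "sudo nix-collect-garbage -d";
        nixos-history = "sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
        nixos-rollback = "sudo nixos-rebuild switch --rollback";
        nixos-update = "sudo nix-channel --update";
        nixos-upgrade = "sudo nixos-rebuild switch";
        nixos-upstream = "sudo nix-channel --list";
      };
    };
    gnupg = {
      agent = {
        pinentryFlavor = "curses";
      };
    };
    mosh.enable = true;
    mtr.enable = true;
  };
}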