openssh: disable passwordAuthentication by default
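{ pkgs, lib, config, ... }:
# Baseline configuration shared by every host of this repository.
# Options set with lib.mkDefault are meant to be overridden per host;
# options set plainly or with lib.mkForce are meant to hold everywhere.
let
  inherit (config.networking) hostName domain;
in
{
  imports = [
    ./modules.nix
    defaults/security.nix
    defaults/predictable-interface-names.nix
  ];

  nix = {
    #binaryCaches = lib.mkForce [];
    extraOptions = ''
    '';
    autoOptimiseStore = lib.mkDefault true;
    # Use gc.automatic to keep disk space under control.
    gc = {
      automatic = lib.mkDefault true;
      dates = lib.mkDefault "weekly";
      options = lib.mkDefault "--delete-older-than 30d";
    };
    # Empty NIX_PATH: evaluation may only use the inputs given explicitly,
    # so <nixpkgs> cannot silently resolve to whatever is on the search path.
    nixPath = lib.mkForce [];
  };
  # Same idea for the user-level nixpkgs config: never picked up implicitly.
  environment.variables.NIXPKGS_CONFIG = lib.mkForce "";

  documentation.nixos = {
    enable = lib.mkDefault false; # NOTE: useless on a server, and CPU intensive.
  };

  console.font = "Lat2-Terminus16";
  console.keyMap = lib.mkDefault "fr";
  i18n.defaultLocale = "fr_FR.UTF-8";
  nixpkgs.config.allowUnfree = false;
  time.timeZone = "Europe/Paris";

  # Always try to start all the units (default.target)
  # because systemd's emergency shell does not try to start sshd.
  # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
  systemd.enableEmergencyMode = false;

  # This is a remote headless server: always reboot on a kernel panic,
  # to not have to physically go power cycle the apu2e4.
  # Which happens if the wrong ZFS password is used
  # but the boot is manually forced to continue.
  # Using kernelParams instead of kernel.sysctl
  # sets this up as soon as the initrd.
  boot.kernelParams = [ "panic=10" ];

  # /tmp lives in RAM and is emptied at boot: nothing left there survives a reboot.
  boot.cleanTmpDir = lib.mkDefault true;
  boot.tmpOnTmpfs = lib.mkDefault true;

  networking = {
    # Fix hostname --fqdn
    # See: https://github.com/NixOS/nixpkgs/issues/10183#issuecomment-537629621
    # The FQDN must come first in each list for hostname --fqdn to pick it.
    hosts = {
      "127.0.1.1" = lib.mkForce [ "${hostName}.${domain}" hostName ];
      "::1" = lib.mkForce [ "${hostName}.${domain}" hostName "localhost" ];
    };
    search = [ domain ];
    usePredictableInterfaceNames = true;
  };

  # Keep logs across reboots, bounded by both age (1 month) and size (128M),
  # so there is something to look at after an incident without filling the disk.
  services.journald = {
    extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=128M
    '';
  };

  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    # PasswordAuthentication=no alone does not stop password logins:
    # sshd runs with UsePAM here, and keyboard-interactive authentication
    # still prompts for the Unix password unless challenge/response
    # is disabled as well.
    challengeResponseAuthentication = false;
  };

  environment.systemPackages = with pkgs; [
    binutils
    bmon
    config.boot.kernelPackages.cpupower
    conntrack-tools
    dstat
    gnupg
    htop
    iftop
    inetutils
    iotop
    ldns
    lsof
    #mailutils # builds guile
    multitail
    ncdu
    nethogs
    nload
    nmon
    pv
    rdfind
    smem
    swaplist
    tcpdump
    tmux
    tree
    usbutils
    vim
    which
    #dnsutils
    #ntop
    #stress
  ];
  environment.variables.SYSTEMD_LESS = "FKMRX";
  environment.etc."inputrc".text = lib.readFile defaults/readline/inputrc;

  boot.kernel.sysctl = {
    # Improve MTU detection
    # This can thaw TCP connections stalled by a host
    # requiring a lower MTU along the path,
    # though it would do so after a little delay
    # so it's better to set a low MTU when possible.
    "net/ipv4/tcp_mtu_probing" = 1;
  };

  programs = {
    bash = {
      interactiveShellInit = ''
        bind '"\e[A":history-search-backward'
        bind '"\e[B":history-search-forward'

        # Ignore duplicate commands, ignore commands starting with a space
        export HISTCONTROL=erasedups:ignorespace
        export HISTSIZE=42000

        # Append to the history instead of overwriting (good for multiple connections)
        shopt -s histappend

        # Enable ** file pattern
        shopt -s globstar

        # Utilities
        mkcd() { mkdir -p "$1" && cd "$1"; }
        # stress-mem FAC: allocate FAC times MemAvailable (kB) with stress-ng.
        # FAC is spliced into the awk program, so it must be a plain number.
        stress-mem() { fac="$1"; stress-ng --vm 1 --vm-keep --vm-bytes "$(awk "/MemAvailable/{ printf \"%d\n\", \$2 * $fac; }" </proc/meminfo)k"; }
        # sysenter SERVICE CMD...: run CMD inside the namespaces of SERVICE's main process.
        sysenter() { srv="$1"; shift; nsenter -a -t "$(systemctl show --property MainPID --value "$srv")" "$@"; }
        # systrace SERVICE [STRACE-OPTS...]: attach strace to SERVICE's main process.
        systrace() { srv="$1"; shift; strace -f -p "$(systemctl show --property MainPID --value "$srv")" "$@"; }
        # zfs-mount DATASET...: load keys and mount each dataset recursively.
        zfs-mount () { for d in $(zfs list -rH -o name "$@"); do sudo zfs mount -l "$d"; done; }
        zfs-unmount () { sudo zfs unmount -u "$@"; }
      '';
      shellAliases = {
        cl = "clear";
        l = "ls -alh";
        ll = "ls -al";
        ls = "ls --color=tty";
        mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
        mem-top = "smem --sort rss --autosize";

        s = "sudo systemctl";
        st = "sudo systemctl status";
        u = "systemctl --user";
        ut = "systemctl --user status";
        j = "sudo journalctl -u";

        nixos-clean = "sudo nix-collect-garbage -d";
        nixos-history = "sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
        nixos-rollback = "sudo nixos-rebuild switch --rollback";
      };
    };
    gnupg.agent.pinentryFlavor = "curses";
    # NOTE(review): enabling mosh is expected to also open its UDP port range
    # in the firewall on this NixOS version; confirm against programs.mosh
    # before relying on the firewall alone.
    mosh.enable = lib.mkDefault true;
    mtr.enable = lib.mkDefault true;
    traceroute.enable = lib.mkDefault true;
  };
}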