-{ pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, ... }:
let inherit (lib) types;
inherit (config.networking) hostName domain;
in
{
imports = [
./modules.nix
- defaults/security.nix
+ ./options.nix
+ (inputs.julm-nix + "/nixos/profiles/security.nix")
defaults/predictable-interface-names.nix
];
nix = {
#binaryCaches = lib.mkForce [];
extraOptions = ''
'';
- autoOptimiseStore = lib.mkDefault true;
+ settings.auto-optimise-store = lib.mkDefault true;
# Use gc.automatic to keep disk space under control.
- gc = {
- automatic = lib.mkDefault true;
- dates = lib.mkDefault "weekly";
- options = lib.mkDefault "--delete-older-than 30d";
- };
- nixPath = lib.mkForce [];
+ gc.automatic = lib.mkDefault true;
+ gc.dates = lib.mkDefault "weekly";
+ gc.options = lib.mkDefault "--delete-older-than 30d";
+ # Setting NIX_PATH is useless now that flake.nix are used.
+ nixPath = [];
};
environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
documentation.nixos = {
- enable = lib.mkDefault false; # NOTE: useless on a server, and CPU intensive.
+ # NOTE: useless on a server, and CPU intensive.
+ enable = lib.mkDefault false;
};
console.font = "Lat2-Terminus16";
# https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
systemd.enableEmergencyMode = false;
-# This is a remote headless server: always reboot on a kernel panic,
-# to not have to physically go power cycle the apu2e4.
-# Which happens if the wrong ZFS password is used
+# On a remote headless server: always reboot on a kernel panic,
+# to not have to physically go power cycle the server.
+# Which may happen for instance if the wrong ZFS password is used
# but the boot is manually forced to continue.
# Using kernelParams instead of kernel.sysctl
# sets this up as soon as the initrd.
usePredictableInterfaceNames = true;
};
-services.journald = {
- extraConfig = ''
- Compress=true
- MaxRetentionSec=1month
- Storage=persistent
- SystemMaxUse=128M
- '';
-};
+services.logrotate.enable = true;
-services.openssh = {
- enable = true;
- passwordAuthentication = false;
-};
+services.openssh.enable = true;
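Review bot: Removing `passwordAuthentication = false;` from the `services.openssh` block drops the only visible setting that rejects password logins, and the replacement `services.openssh.enable = true;` does not restore it. If the newly imported `security.nix` profile does not set it, the host falls back to the sshd default of the NixOS release in use, so keep it explicit here with `services.openssh.settings.PasswordAuthentication = false;` (the current name of the renamed option) rather than relying on what the profile happens to do. The dropped `services.journald.extraConfig` also removed `Storage=persistent`, `MaxRetentionSec=1month` and `SystemMaxUse=128M`; `services.logrotate.enable = true;` only manages files under logrotate, not the journal, so journal retention for later incident review now rests on journald's defaults and deserves either a comment saying that is intended or the settings re-added. The enclosing attribute set continues past the end of the hunk.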
environment.systemPackages = with pkgs; [
binutils
inetutils
iotop
ldns
+ lf
lsof
#mailutils # builds guile
multitail
nethogs
nload
nmon
+ pciutils # Not supported by a few hardwares
+ psmisc
pv
- rdfind
+ #rdfind
smem
- swaplist
tcpdump
tmux
tree
usbutils
- vim
+ #vim
which
#dnsutils
#ntop
environment.variables.SYSTEMD_LESS = "FKMRX";
environment.etc."inputrc".text = lib.readFile defaults/readline/inputrc;
+boot.kernel.sysctl = {
+ # Improve MTU detection
+ # This can thaw TCP connections stalled by a host
+ # requiring a lower MTU along the path,
+ # though it would do so after a little delay
+ # so it's better to set a low MTU when possible.
+ "net/ipv4/tcp_mtu_probing" = 1;
+};
+
programs = {
bash = {
interactiveShellInit = ''
# Utilities
mkcd() { mkdir -p "$1" && cd "$1"; }
- stress-mem() { fac="$1"; stress-ng --vm 1 --vm-keep --vm-bytes $(awk '/MemAvailable/{ printf "%d\n", $2 * $fac; }' </proc/meminfo)k; }
+ stress-mem() { fac="$1"; stress-ng --vm 1 --vm-keep --vm-bytes $(awk "/MemAvailable/{ printf \"%d\n\", \$2 * $fac; }" </proc/meminfo)k; }
sysenter() { srv="$1"; shift; nsenter -a -t "$(systemctl show --property MainPID --value "$srv")" "$@"; }
systrace() { srv="$1"; shift; strace -f -p "$(systemctl show --property MainPID --value "$srv")" "$@"; }
zfs-mount () { for d in $(zfs list -rH -o name "$@"); do sudo zfs mount -l "$d"; done; }