-{ pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, ... }:
let inherit (lib) types;
+ inherit (config.networking) hostName domain;
in
{
imports = [
./modules.nix
- ./defaults/predictable-interface-names.nix
+ ./options.nix
+ (inputs.julm-nix + "/nixos/profiles/security.nix")
+ defaults/predictable-interface-names.nix
];
-config = {
- nix = {
- autoOptimiseStore = true;
- extraOptions = ''
- '';
- # Use gc.automatic to keep disk space under control.
- gc = {
- automatic = true;
- dates = "weekly";
- options = "--delete-older-than 30d";
- };
- };
+nix = {
+ #binaryCaches = lib.mkForce [];
+ extraOptions = ''
+ '';
+ settings.auto-optimise-store = lib.mkDefault true;
+ # Use gc.automatic to keep disk space under control.
+ gc.automatic = lib.mkDefault true;
+ gc.dates = lib.mkDefault "weekly";
+ gc.options = lib.mkDefault "--delete-older-than 30d";
+ # Setting NIX_PATH is useless now that flake.nix are used.
+ nixPath = [];
+};
+environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
- nixpkgs = {
- config = {
- allowUnfree = false;
- /*
- packageOverrides = pkgs: {
- postfix = pkgs.postfix.override {
- withLDAP = true;
- };
- };
- */
- };
- #overlays = import ../overlays.nix;
- };
+documentation.nixos = {
+ # NOTE: useless on a server, and CPU intensive.
+ enable = lib.mkDefault false;
+};
- documentation.nixos = {
- enable = false; # NOTE: useless on a server, and CPU intensive.
- };
+console.font = "Lat2-Terminus16";
+console.keyMap = lib.mkDefault "fr";
+i18n.defaultLocale = "fr_FR.UTF-8";
+nixpkgs.config.allowUnfree = false;
+time.timeZone = "Europe/Paris";
- # Clean /tmp automatically on boot.
- boot.cleanTmpDir = true;
+# Always try to start all the units (default.target)
+# because systemd's emergency shell does not try to start sshd.
+# https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
+systemd.enableEmergencyMode = false;
- time = {
- timeZone = "Europe/Paris";
- };
+# On a remote headless server: always reboot on a kernel panic,
+# to not have to physically go power cycle the server.
+# Which may happen for instance if the wrong ZFS password is used
+# but the boot is manually forced to continue.
+# Using kernelParams instead of kernel.sysctl
+# sets this up as soon as the initrd.
+boot.kernelParams = [ "panic=10" ];
- i18n = {
- consoleFont = "Lat2-Terminus16";
- consoleKeyMap = "fr";
- defaultLocale = "fr_FR.UTF-8";
- };
+boot.cleanTmpDir = lib.mkDefault true;
+boot.tmpOnTmpfs = lib.mkDefault true;
- services = {
- openssh = {
- enable = true;
- extraConfig = ''
- '';
- };
- journald = {
- extraConfig = ''
- SystemMaxUse=50M
- '';
- };
+networking = {
+ # Fix hostname --fqdn
+ # See: https://github.com/NixOS/nixpkgs/issues/10183#issuecomment-537629621
+ hosts = {
+ "127.0.1.1" = lib.mkForce [ "${hostName}.${domain}" hostName ];
+ "::1" = lib.mkForce [ "${hostName}.${domain}" hostName "localhost" ];
};
+ search = [ domain ];
+ usePredictableInterfaceNames = true;
+};
- environment = {
- systemPackages = with pkgs; [
- binutils
- dnsutils
- htop
- inetutils
- iotop
- lsof
- mailutils
- multitail
- ncdu
- pv
- swaplist
- tcpdump
- tmux
- tree
- vim
- which
- ];
-
- etc."inputrc".text = lib.readFile defaults/readline/inputrc;
- };
+services.logrotate.enable = true;
+
+services.openssh.enable = true;
+
+environment.systemPackages = with pkgs; [
+ binutils
+ bmon
+ config.boot.kernelPackages.cpupower
+ conntrack-tools
+ dstat
+ gnupg
+ htop
+ iftop
+ inetutils
+ iotop
+ ldns
+ lf
+ lsof
+ #mailutils # builds guile
+ multitail
+ ncdu
+ nethogs
+ nload
+ nmon
+ pciutils # Not supported by a few hardwares
+ psmisc
+ pv
+ #rdfind
+ smem
+ tcpdump
+ tmux
+ tree
+ usbutils
+ #vim
+ which
+ #dnsutils
+ #ntop
+ #stress
+];
+environment.variables.SYSTEMD_LESS = "FKMRX";
+environment.etc."inputrc".text = lib.readFile defaults/readline/inputrc;
+
+boot.kernel.sysctl = {
+ # Improve MTU detection
+ # This can thaw TCP connections stalled by a host
+ # requiring a lower MTU along the path,
+ # though it would do so after a little delay
+ # so it's better to set a low MTU when possible.
+ "net/ipv4/tcp_mtu_probing" = 1;
+};
+
+programs = {
+ bash = {
+ interactiveShellInit = ''
+ bind '"\e[A":history-search-backward'
+ bind '"\e[B":history-search-forward'
+
+ # Ignore duplicate commands, ignore commands starting with a space
+ export HISTCONTROL=erasedups:ignorespace
+ export HISTSIZE=42000
+
+ # Append to the history instead of overwriting (good for multiple connections)
+ shopt -s histappend
+
+ # Enable ** file pattern
+ shopt -s globstar
+
+ # Utilities
+ mkcd() { mkdir -p "$1" && cd "$1"; }
+ stress-mem() { fac="$1"; stress-ng --vm 1 --vm-keep --vm-bytes $(awk "/MemAvailable/{ printf \"%d\n\", \$2 * $fac; }" </proc/meminfo)k; }
+ sysenter() { srv="$1"; shift; nsenter -a -t "$(systemctl show --property MainPID --value "$srv")" "$@"; }
+ systrace() { srv="$1"; shift; strace -f -p "$(systemctl show --property MainPID --value "$srv")" "$@"; }
+ zfs-mount () { for d in $(zfs list -rH -o name "$@"); do sudo zfs mount -l "$d"; done; }
+ zfs-unmount () { sudo zfs unmount -u "$@"; }
+ '';
+ shellAliases = {
+ cl = "clear";
+ l = "ls -alh";
+ ll = "ls -al";
+ ls = "ls --color=tty";
+ mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
+ mem-top = "smem --sort rss --autosize";
+
+ s="sudo systemctl";
+ st="sudo systemctl status";
+ u="systemctl --user";
+ ut="systemctl --user status";
+ j="sudo journalctl -u";
- programs = {
- bash = {
- interactiveShellInit = ''
- bind '"\e[A":history-search-backward'
- bind '"\e[B":history-search-forward'
-
- # Ignore duplicate commands, ignore commands starting with a space
- export HISTCONTROL=erasedups:ignorespace
- export HISTSIZE=42000
-
- # Append to the history instead of overwriting (good for multiple connections)
- shopt -s histappend
- '';
- shellAliases = {
- cl = "clear";
- l = "ls -alh";
- ll = "ls -l";
- ls = "ls --color=tty";
- mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
-
- s="sudo systemctl";
- s-u="systemctl --user";
-
- nixos-clean="sudo nix-collect-garbage -d";
- nixos-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
- nixos-rollback="sudo nixos-rebuild switch --rollback";
- nixos-update="sudo nix-channel --update";
- nixos-upgrade="sudo nixos-rebuild switch";
- nixos-upstream="sudo nix-channel --list";
- };
+ nixos-clean="sudo nix-collect-garbage -d";
+ nixos-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
+ nixos-rollback="sudo nixos-rebuild switch --rollback";
};
- mtr.enable = true;
};
+ gnupg.agent.pinentryFlavor = "curses";
+ mosh.enable = lib.mkDefault true;
+ mtr.enable = lib.mkDefault true;
+ traceroute.enable = lib.mkDefault true;
};
}
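Review bot: The `"${hostName}.${domain}"` interpolations at the `"127.0.1.1"` and `"::1"` entries of `networking.hosts` abort evaluation whenever `networking.domain` is left unset, because `domain` is inherited from `config.networking` and that option defaults to null in NixOS, so the string coercion fails and `search = [ domain ]` then also fails the list-of-strings type check. NixOS's own `127.0.0.2` entry guards the FQDN with a `domain != null` check, and mirroring that with `lib.optional` keeps this module usable on hosts that only set `hostName`, as sketched below. Separately, `services.openssh.enable = true` is switched on with no hardening visible in this file; unless the `security.nix` profile imported from `inputs.julm-nix` already covers it, `services.openssh.settings.PasswordAuthentication = lib.mkDefault false;` (or `services.openssh.passwordAuthentication` on releases that predate the `settings` attribute) belongs next to it so the change does not depend on an input this file cannot show.
```nix
  # … unchanged: "Fix hostname --fqdn" comment and issue link …
  hosts = let
    # networking.domain defaults to null; only emit the FQDN when it is set.
    fqdn = lib.optional (domain != null) "${hostName}.${domain}";
  in {
    "127.0.1.1" = lib.mkForce (fqdn ++ [ hostName ]);
    "::1" = lib.mkForce (fqdn ++ [ hostName "localhost" ]);
  };
  search = lib.optional (domain != null) domain;
  # … unchanged: usePredictableInterfaceNames …
```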