-{ flakes, pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, ... }:
let inherit (lib) types;
inherit (config.networking) hostName domain;
in
{
imports = [
./modules.nix
+ ./options.nix
+ (inputs.julm-nix + "/nixos/profiles/security.nix")
defaults/predictable-interface-names.nix
];
nix = {
#binaryCaches = lib.mkForce [];
extraOptions = ''
'';
+ settings.auto-optimise-store = lib.mkDefault true;
# Use gc.automatic to keep disk space under control.
- gc = {
- automatic = lib.mkDefault true;
- dates = lib.mkDefault "weekly";
- options = lib.mkDefault "--delete-older-than 30d";
- };
- nixPath = [
- # WARNING: this is a hack to avoid copying Nixpkgs
- # a second time into the Nix store.
- # It makes only sense when Nixpkgs is already in the Nix store,
- # and is registered.
- "nixpkgs=/etc/nixpkgs:nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
- ];
-};
-environment.etc."nixpkgs".source = flakes.nixpkgs;
-environment.etc."nixpkgs-overlays".source = flakes.self + "/nixpkgs";
-
-nixpkgs = {
- config = {
- allowUnfree = false;
- /*
- packageOverrides = pkgs: {
- postfix = pkgs.postfix.override {
- withLDAP = true;
- };
- };
- */
- };
- overlays = import (flakes.self + "/nixpkgs/overlays.nix");
+ gc.automatic = lib.mkDefault true;
+ gc.dates = lib.mkDefault "weekly";
+ gc.options = lib.mkDefault "--delete-older-than 30d";
+ # Setting NIX_PATH is useless now that flake.nix are used.
+ nixPath = [];
};
+environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
documentation.nixos = {
- enable = false; # NOTE: useless on a server, and CPU intensive.
-};
-
-time = {
- timeZone = "Europe/Paris";
+ # NOTE: useless on a server, and CPU intensive.
+ enable = lib.mkDefault false;
};
-i18n = {
- defaultLocale = "fr_FR.UTF-8";
-};
-
-console = {
- font = "Lat2-Terminus16";
- keyMap = "fr";
-};
+console.font = "Lat2-Terminus16";
+console.keyMap = lib.mkDefault "fr";
+i18n.defaultLocale = "fr_FR.UTF-8";
+nixpkgs.config.allowUnfree = false;
+time.timeZone = "Europe/Paris";
# Always try to start all the units (default.target)
# because systemd's emergency shell does not try to start sshd.
-# https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_machine
+# https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
systemd.enableEmergencyMode = false;
-# This is a remote headless server: always reboot on a kernel panic,
-# to not have to physically go power cycle the apu2e4.
-# Which happens if the wrong ZFS password is used
+# On a remote headless server: always reboot on a kernel panic,
+# to not have to physically go power cycle the server.
+# Which may happen for instance if the wrong ZFS password is used
# but the boot is manually forced to continue.
# Using kernelParams instead of kernel.sysctl
# sets this up as soon as the initrd.
boot.kernelParams = [ "panic=10" ];
-boot.cleanTmpDir = true;
-boot.tmpOnTmpfs = true;
+boot.cleanTmpDir = lib.mkDefault true;
+boot.tmpOnTmpfs = lib.mkDefault true;
networking = {
# Fix hostname --fqdn
"::1" = lib.mkForce [ "${hostName}.${domain}" hostName "localhost" ];
};
search = [ domain ];
+ usePredictableInterfaceNames = true;
};
-services = {
- openssh = {
- enable = true;
- passwordAuthentication = false;
- extraConfig = ''
- '';
- };
- journald = {
- extraConfig = ''
- Compress=true
- MaxRetentionSec=3month
- Storage=persistent
- SystemMaxUse=500M
- '';
- };
-};
+services.logrotate.enable = true;
+
+services.openssh.enable = true;
environment.systemPackages = with pkgs; [
binutils
bmon
+ config.boot.kernelPackages.cpupower
conntrack-tools
- #dnsutils
dstat
gnupg
htop
- inetutils
iftop
+ inetutils
iotop
ldns
- linuxPackages.cpupower
+ lf
lsof
- mailutils
+ #mailutils # builds guile
multitail
ncdu
nethogs
nload
nmon
+ pciutils # Not supported by a few hardwares
+ psmisc
pv
- swaplist
+ #rdfind
+ smem
tcpdump
tmux
tree
- vim
+ usbutils
+ #vim
which
+ #dnsutils
+ #ntop
+ #stress
];
environment.variables.SYSTEMD_LESS = "FKMRX";
environment.etc."inputrc".text = lib.readFile defaults/readline/inputrc;
+boot.kernel.sysctl = {
+ # Improve MTU detection
+ # This can thaw TCP connections stalled by a host
+ # requiring a lower MTU along the path,
+ # though it would do so after a little delay
+ # so it's better to set a low MTU when possible.
+ "net/ipv4/tcp_mtu_probing" = 1;
+};
+
programs = {
bash = {
interactiveShellInit = ''
# Enable ** file pattern
shopt -s globstar
- # Convenient mkdir wrapper
+ # Utilities
mkcd() { mkdir -p "$1" && cd "$1"; }
+ stress-mem() { fac="$1"; stress-ng --vm 1 --vm-keep --vm-bytes $(awk "/MemAvailable/{ printf \"%d\n\", \$2 * $fac; }" </proc/meminfo)k; }
+ sysenter() { srv="$1"; shift; nsenter -a -t "$(systemctl show --property MainPID --value "$srv")" "$@"; }
+ systrace() { srv="$1"; shift; strace -f -p "$(systemctl show --property MainPID --value "$srv")" "$@"; }
+ zfs-mount () { for d in $(zfs list -rH -o name "$@"); do sudo zfs mount -l "$d"; done; }
+ zfs-unmount () { sudo zfs unmount -u "$@"; }
'';
shellAliases = {
cl = "clear";
- l = "ls -alh";
+ l = "ls -alh";
ll = "ls -al";
ls = "ls --color=tty";
mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
+ mem-top = "smem --sort rss --autosize";
s="sudo systemctl";
st="sudo systemctl status";
- s-u="systemctl --user";
+ u="systemctl --user";
+ ut="systemctl --user status";
j="sudo journalctl -u";
nixos-clean="sudo nix-collect-garbage -d";
nixos-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
nixos-rollback="sudo nixos-rebuild switch --rollback";
- nixos-update="sudo nix-channel --update";
- nixos-upgrade="sudo nixos-rebuild switch";
- nixos-upstream="sudo nix-channel --list";
- };
- };
- gnupg = {
- agent = {
- pinentryFlavor = "curses";
};
};
- mosh.enable = true;
- mtr.enable = true;
+ gnupg.agent.pinentryFlavor = "curses";
+ mosh.enable = lib.mkDefault true;
+ mtr.enable = lib.mkDefault true;
+ traceroute.enable = lib.mkDefault true;
};
}
sourcephile / git / sourcephile-nix.git / blobdiff