-{ pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, ... }:
let inherit (lib) types;
+ inherit (config.networking) hostName domain;
in
{
imports = [
./modules.nix
- ./defaults/predictable-interface-names.nix
+ defaults/security.nix
+ defaults/predictable-interface-names.nix
];
-config = {
- nix = {
- autoOptimiseStore = true;
- extraOptions = ''
- '';
- # Use gc.automatic to keep disk space under control.
- gc = {
- automatic = true;
- dates = "weekly";
- options = "--delete-older-than 30d";
- };
- nixPath = [
- "nixpkgs=${pkgs.path}"
- ];
+nix = {
+ #binaryCaches = lib.mkForce [];
+ extraOptions = ''
+ '';
+ # Use gc.automatic to keep disk space under control.
+ gc = {
+ automatic = lib.mkDefault true;
+ dates = lib.mkDefault "weekly";
+ options = lib.mkDefault "--delete-older-than 30d";
};
+ nixPath = [
+ # WARNING: this is a hack to avoid copying Nixpkgs
+ # a second time into the Nix store.
+ # It makes only sense when Nixpkgs is already in the Nix store,
+ # and is registered.
+ "nixpkgs=/etc/nixpkgs:nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
+ ];
+};
+environment.etc."nixpkgs".source = pkgs.path;
+environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
- nixpkgs = {
- config = {
- allowUnfree = false;
- /*
- packageOverrides = pkgs: {
- postfix = pkgs.postfix.override {
- withLDAP = true;
- };
+nixpkgs = {
+ config = {
+ allowUnfree = false;
+ /*
+ packageOverrides = pkgs: {
+ postfix = pkgs.postfix.override {
+ withLDAP = true;
};
- */
};
- #overlays = import ../overlays.nix;
+ */
};
+};
- documentation.nixos = {
- enable = false; # NOTE: useless on a server, and CPU intensive.
- };
+documentation.nixos = {
+ enable = false; # NOTE: useless on a server, and CPU intensive.
+};
- # Clean /tmp automatically on boot.
- boot.cleanTmpDir = true;
+time = {
+ timeZone = "Europe/Paris";
+};
- time = {
- timeZone = "Europe/Paris";
- };
+i18n = {
+ defaultLocale = "fr_FR.UTF-8";
+};
- i18n = {
- consoleFont = "Lat2-Terminus16";
- consoleKeyMap = "fr";
- defaultLocale = "fr_FR.UTF-8";
- };
+console = {
+ font = "Lat2-Terminus16";
+ keyMap = "fr";
+};
- services = {
- openssh = {
- enable = true;
- passwordAuthentication = false;
- extraConfig = ''
- '';
- };
- journald = {
- extraConfig = ''
- SystemMaxUse=50M
- '';
- };
+# Always try to start all the units (default.target)
+# because systemd's emergency shell does not try to start sshd.
+# https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
+systemd.enableEmergencyMode = false;
+
+# This is a remote headless server: always reboot on a kernel panic,
+# to not have to physically go power cycle the apu2e4.
+# Which happens if the wrong ZFS password is used
+# but the boot is manually forced to continue.
+# Using kernelParams instead of kernel.sysctl
+# sets this up as soon as the initrd.
+boot.kernelParams = [ "panic=10" ];
+
+boot.cleanTmpDir = true;
+boot.tmpOnTmpfs = true;
+
+networking = {
+ # Fix hostname --fqdn
+ # See: https://github.com/NixOS/nixpkgs/issues/10183#issuecomment-537629621
+ hosts = {
+ "127.0.1.1" = lib.mkForce [ "${hostName}.${domain}" hostName ];
+ "::1" = lib.mkForce [ "${hostName}.${domain}" hostName "localhost" ];
};
+ search = [ domain ];
+ usePredictableInterfaceNames = true;
+};
- environment = {
- systemPackages = with pkgs; [
- binutils
- dnsutils
- htop
- inetutils
- iotop
- lsof
- mailutils
- multitail
- ncdu
- pv
- swaplist
- tcpdump
- tmux
- tree
- vim
- which
- ];
-
- etc."inputrc".text = lib.readFile defaults/readline/inputrc;
+services = {
+ openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ extraConfig = ''
+ '';
+ };
+ journald = {
+ extraConfig = ''
+ Compress=true
+ MaxRetentionSec=1month
+ Storage=persistent
+ SystemMaxUse=128M
+ '';
};
+};
- programs = {
- bash = {
- interactiveShellInit = ''
- bind '"\e[A":history-search-backward'
- bind '"\e[B":history-search-forward'
-
- # Ignore duplicate commands, ignore commands starting with a space
- export HISTCONTROL=erasedups:ignorespace
- export HISTSIZE=42000
-
- # Append to the history instead of overwriting (good for multiple connections)
- shopt -s histappend
- '';
- shellAliases = {
- cl = "clear";
- l = "ls -alh";
- ll = "ls -l";
- ls = "ls --color=tty";
- mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
-
- s="sudo systemctl";
- s-u="systemctl --user";
-
- nixos-clean="sudo nix-collect-garbage -d";
- nixos-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
- nixos-rollback="sudo nixos-rebuild switch --rollback";
- nixos-update="sudo nix-channel --update";
- nixos-upgrade="sudo nixos-rebuild switch";
- nixos-upstream="sudo nix-channel --list";
- };
+environment.systemPackages = with pkgs; [
+ binutils
+ bmon
+ conntrack-tools
+ #dnsutils
+ dstat
+ gnupg
+ htop
+ iftop
+ inetutils
+ iotop
+ ldns
+ linuxPackages.cpupower
+ lsof
+ mailutils
+ multitail
+ ncdu
+ nethogs
+ nload
+ nmon
+ pv
+ rdfind
+ smem
+ stress
+ swaplist
+ tcpdump
+ tmux
+ tree
+ usbutils
+ vim
+ which
+];
+environment.variables.SYSTEMD_LESS = "FKMRX";
+environment.etc."inputrc".text = lib.readFile defaults/readline/inputrc;
+
+programs = {
+ bash = {
+ interactiveShellInit = ''
+ bind '"\e[A":history-search-backward'
+ bind '"\e[B":history-search-forward'
+
+ # Ignore duplicate commands, ignore commands starting with a space
+ export HISTCONTROL=erasedups:ignorespace
+ export HISTSIZE=42000
+
+ # Append to the history instead of overwriting (good for multiple connections)
+ shopt -s histappend
+
+ # Enable ** file pattern
+ shopt -s globstar
+
+ # Convenient mkdir wrapper
+ mkcd() { mkdir -p "$1" && cd "$1"; }
+ '';
+ shellAliases = {
+ cl = "clear";
+ l = "ls -alh";
+ ll = "ls -al";
+ ls = "ls --color=tty";
+ mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
+
+ s="sudo systemctl";
+ st="sudo systemctl status";
+ s-u="systemctl --user";
+ j="sudo journalctl -u";
+
+ nixos-clean="sudo nix-collect-garbage -d";
+ nixos-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
+ nixos-rollback="sudo nixos-rebuild switch --rollback";
+ nixos-update="sudo nix-channel --update";
+ nixos-upgrade="sudo nixos-rebuild switch";
+ nixos-upstream="sudo nix-channel --list";
+ };
+ };
+ gnupg = {
+ agent = {
+ pinentryFlavor = "curses";
};
- mtr.enable = true;
};
+ mosh.enable = true;
+ mtr.enable = true;
+ traceroute.enable = true;
};
}
sourcephile / git / sourcephile-nix.git / blobdiff