{ config, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }:

# This file contains default configuration that may be turned on depending on
# other config settings (nginx, nix.gc, c3d2.*, isContainer, ...) via lib.mkIf.
# It declares no options of its own.
#
# Options should go to modules.
{
  assertions = [
    {
      # Replacing runtime dependencies forces the system closure to be built
      # during evaluation, which hydra cannot do.
      assertion = config.system.replaceRuntimeDependencies == [];
      message = "system.replaceRuntimeDependencies causes hydra to build the system at evaluation time. It must be removed!";
    }
    {
      # NOTE(review): lib.versions.major returns a string ("16"); in Nix a string
      # never equals an integer literal, so `!= 16` is always true and this
      # assertion can never fail. Compare against "16" to make it effective, and
      # double-check the intended condition: as written it would fail when ceph
      # IS major 16, while the message asks to pin TO 16.
      assertion = lib.versions.major pkgs.ceph.version != 16;
      message = "Please pin ceph to major version 16!";
    }
    {
      # NOTE(review): same type issue — lib.versions.majorMinor yields the string
      # "1.39", which never equals the float 1.39, so this assertion never fires.
      # Compare with "1.39" instead.
      assertion = lib.versions.majorMinor pkgs.mediawiki.version != 1.39;
      # https://www.mediawiki.org/wiki/Version_lifecycle
      message = "Please keep mediawiki on LTS versions which is required by the LDAP extension";
    }
  ];

  boot = {
    cleanTmpDir = true;
    kernel.sysctl = {
      "net.ipv4.tcp_congestion_control" = "bbr";
    };
    # recommended to turn off, only on by default for backwards compatibility
    zfs.forceImportRoot = false;
  };

  c3d2 = {
    # NOTE: this must be off, otherwise our nix binary cache creates a loop with itself
    # (mkForce so that no other module can switch it back on)
    addBinaryCache = lib.mkForce false;
    addKnownHosts = true;
    sshKeys = ssh-public-keys;
  };

  documentation.nixos.enable = false;

  environment = {
    # `with pkgs; with gnome;` — some of these live in pkgs, some in pkgs.gnome
    gnome.excludePackages = with pkgs; with gnome; [
      baobab
      cheese
      epiphany # we are using firefox or chromium and requires second webkitgtk
      gnome-calendar
      gnome-contacts
      gnome-maps
      gnome-music
      gnome-photos
      gnome-weather
      orca
      simple-scan
      totem
      yelp # less webkitgtk's
    ];
    # headless hosts get the X-free closure
    noXlibs = !config.services.xserver.enable;
    systemPackages = with pkgs; [
      bmon
      curl
      dig
      ethtool
      fd
      git
      htop
      iotop
      mtr
      pv
      ripgrep
      screen
      tcpdump
      tree
      vim
      wget
    ];
  };

  hardware.enableRedistributableFirmware = lib.mkDefault true;

  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = [
      "en_US.UTF-8/UTF-8"
      "de_DE.UTF-8/UTF-8"
    ];
  };

  # Only opened when nginx runs on the host. These listeners expect the PROXY
  # protocol header; services.nginx.commonServerConfig below restricts who may
  # set the client address via set_real_ip_from.
  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
    # proxy protocol used by public-access-proxy
    8080
    8443
  ];

  nix = {
    deleteChannels = true;
    deleteUserProfiles = true;
    gc = {
      automatic = lib.mkDefault true;
      dates = "06:00";
      options = "--delete-older-than 21d";
      randomizedDelaySec = "6h";
    };
    nixPath = [
      # unsafeDiscardStringContext drops the store-path reference carried by the
      # flake input string (the path text itself is unchanged), presumably so the
      # system closure does not depend on the nixpkgs source — verify if relying on it
      "nixpkgs=${builtins.unsafeDiscardStringContext nixos}"
      "nixos=${builtins.unsafeDiscardStringContext nixos}"
      # deliberately non-existent path: hosts are deployed from the flake only
      "nixos-config=/you/shall/deploy/from/the/flake"
    ];
    registry.nixpkgs.flake = nixos;
    settings = {
      builders-use-substitutes = true; # TODO: move
      connect-timeout = 20;
      experimental-features = "nix-command flakes";
      # fall back to building locally when a substituter is unreachable
      fallback = true;
      # signing key the c3d2 cache must use; substitutions with other keys are rejected
      trusted-public-keys = [
        "nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
      ];
      # don't self feed hydra
      # (mkBefore puts the c3d2 cache ahead of the default substituters)
      substituters = lib.mkIf (config.networking.hostName != "hydra") (
        lib.mkBefore [ "https://nix-cache.hq.c3d2.de" ]
      );
    };
  };

  # explicit allow-list of unfree packages instead of a blanket allowUnfree
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [
    "drone.io"
    "drone-runner-ssh"
    "elasticsearch" # mastodon
    "factorio-headless"
  ];

  # trust sandro to set good defaults in nixos-modules
  opinionatedDefaults = true;

  programs = {
    fzf.keybindings = true;

    git = {
      enable = true;
      # silence hints in various programs like drone
      config.init.defaultBranch = "master";
    };

    tmux = {
      enable = true;
      historyLimit = 50000;
      extraConfig = ''
        # mouse control
        set -g mouse on

        # don't clear selection on copy
        bind-key -Tcopy-mode-vi MouseDragEnd1Pane send -X copy-selection-no-clear
        bind-key -Tcopy-mode-vi y send -X copy-selection-no-clear
      '';
    };

    vim.defaultEditor = true;
  };

  security.ldap.domainComponent = [ "c3d2" "de" ];

  services = {
    gnome = {
      # less webkitgtk's
      evolution-data-server.enable = lib.mkForce false;
      gnome-initial-setup.enable = false;
    };

    nginx = {
      # Log the client address taken from the PROXY protocol header rather than
      # the TCP peer (which would always be the public-access-proxy).
      # NOTE(review): $proxy_protocol_addr is empty on listeners without
      # `proxy_protocol` — confirm every server block uses it.
      appendHttpConfig = ''
        log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent"';

        access_log /var/log/nginx/access.log proxyCombined;
      '';
      # Trust the PROXY protocol client address only when the connection comes
      # from the public-access-proxy (v4 and v6); other peers cannot spoof
      # X-Real-IP / X-Forwarded-For through this path.
      commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
        # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
        set_real_ip_from ${hosts4.public-access-proxy};
        set_real_ip_from ${hosts6.up4.public-access-proxy};

        real_ip_header proxy_protocol;

        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
      '';
    };

    openssh = {
      # Required for deployment and sops
      enable = true;
      # NOTE(review): when c3d2.k-ot.enable is set nothing is assigned here and
      # the openssh module default applies — confirm that is intended for k-ot hosts.
      passwordAuthentication = lib.mkIf (!config.c3d2.k-ot.enable) false;
      # priority 900 sits between mkDefault (1000) and a plain assignment (100),
      # so a host config can still override this with a plain assignment
      permitRootLogin = lib.mkOverride 900 "prohibit-password";
    };

    portunus = with zentralwerk.lib.config.site.net.serv; {
      domain = "auth.c3d2.de";
      internalIp4 = hosts4.auth;
      internalIp6 = hosts6.up4.auth;
      ldapPreset = true;
    };

    postgresql.upgrade = {
      # `config ? microvm` — only pass --jobs when the microvm module is loaded
      extraArgs = [ "--link" ]
        ++ lib.optional (config ? microvm) "--jobs=${toString config.microvm.vcpu}";
      newPackage = pkgs.postgresql_15;
      # services that hold database connections open during the upgrade
      stopServices = lib.optional config.services.nginx.enable "nginx"
        ++ lib.optional config.c3d2.hq.statistics.enable "collectd";
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "mail@c3d2.de";
      # letsencrypt staging server with way higher rate limits
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
  };

  # does not succeed on installation which is okay (hence `|| true`)
  system.activationScripts.deleteOldSystemProfiles = lib.mkIf config.nix.gc.automatic ''
    echo "Deleting old system profiles..."
    ${config.nix.package}/bin/nix-env --profile /nix/var/nix/profiles/system --delete-generations +10 || true
  '';

  systemd = {
    services.nix-daemon.serviceConfig = {
      # kill all worker threads when restarting
      KillMode = "control-group";
      # restart if killed, e.g. oom killed
      Restart = "on-failure";
    };

    # Reboot on hang (containers have no hardware watchdog)
    watchdog = lib.mkIf (!config.boot.isContainer) {
      runtimeTime = "15s";
      rebootTime = "15s";
    };
  };

  time.timeZone = lib.mkDefault "Europe/Berlin";

  users.motd = builtins.readFile ./motd;

  zramSwap.enable = true;
}