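{ config, lib, pkgs, zentralwerk, ... }:

# Default configuration that may be turned on depending on other config
# settings. Anything that needs an on/off switch belongs in a module, not here.
#
# Arguments are the usual NixOS module arguments plus `zentralwerk`, whose
# `lib.config.site.net.serv` attrset supplies the address tables used for
# portunus below.
let
  # Hosts that still need X libraries; every other host is built with noXlibs.
  xlibHosts = [ "dacbert" "glotzbert" "rpi-netboot" ];
in
lib.mkMerge [
  {
    boot = {
      cleanTmpDir = true;
      kernel.sysctl = {
        "net.ipv4.tcp_congestion_control" = "bbr";
      };
      # Recommended to turn off; only on by default for backwards compatibility.
      zfs.forceImportRoot = false;
    };

    c3d2 = {
      addKnownHosts = true;
    };

    documentation.nixos.enable = false;

    environment = {
      gnome.excludePackages = with pkgs; [
        # We are using firefox or chromium; epiphany would pull in a second webkitgtk.
        epiphany
      ];
      noXlibs = !(builtins.elem config.networking.hostName xlibHosts);
      systemPackages = with pkgs; [
        bmon
        curl
        dig
        ethtool
        fd
        git
        htop
        iotop
        mtr
        pv
        ripgrep
        screen
        tcpdump
        tree
        vim
        wget
      ];
    };

    hardware.enableRedistributableFirmware = lib.mkDefault true;

    i18n = {
      defaultLocale = "en_US.UTF-8";
      supportedLocales = [
        "en_US.UTF-8/UTF-8"
        "de_DE.UTF-8/UTF-8"
      ];
    };

    nix = {
      settings = {
        builders-use-substitutes = true;
        # TODO: move
        connect-timeout = 20;
        experimental-features = "nix-command flakes";
        fallback = true;
        # Signing key of the local binary cache; only paths signed with it are
        # accepted from the substituter below.
        trusted-public-keys = [
          "nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
        ];
        # Don't self feed hydra.
        substituters = lib.mkIf (config.networking.hostName != "hydra") (
          lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
        );
      };
      gc = {
        automatic = lib.mkDefault true;
        dates = "06:00";
        options = "--delete-older-than 21d";
        randomizedDelaySec = "6h";
      };
    };

    # Trust sandro to set good defaults in nixos-modules.
    opinionatedDefaults = true;

    programs = {
      fzf.keybindings = true;
      tmux = {
        enable = true;
        aggressiveResize = true;
        baseIndex = 0;
        clock24 = true;
        historyLimit = 50000;
        terminal = "xterm-256color";
        extraConfig = ''
          # mouse control
          set -g mouse on
          # focus events enabled for terminals that support them
          set -g focus-events on
          # open new tab in PWD
          bind '"' split-window -c "#{pane_current_path}"
          bind % split-window -h -c "#{pane_current_path}"
          bind c new-window -c "#{pane_current_path}"
          # don't clear selection on copy
          bind-key -Tcopy-mode-vi MouseDragEnd1Pane send -X copy-selection-no-clear
          bind-key -Tcopy-mode-vi y send -X copy-selection-no-clear
        '';
      };
      vim.defaultEditor = true;
    };

    services = {
      gnome.gnome-initial-setup.enable = false;

      openssh = {
        # Required for deployment and sops.
        enable = true;
        # Root may log in with keys only, never with a password.
        permitRootLogin = "prohibit-password";
      };

      portunus = with zentralwerk.lib.config.site.net.serv; {
        domain = "auth.c3d2.de";
        externalIp4 = hosts4.auth;
        externalIp6 = hosts6.up4.auth;
      };

      postgresql.upgrade = {
        # Parallelise the upgrade with one job per vCPU when running as a microvm.
        extraArgs = [ "--link" ]
          ++ lib.optional (config ? microvm) "--jobs=${toString config.microvm.vcpu}";
        newPackage = pkgs.postgresql_15;
        stopServices = [ "collectd" "nginx" ];
      };
    };

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "mail@c3d2.de";
        # letsencrypt staging server with way higher rate limits
        # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      };
    };

    systemd = {
      # Do not break the boot.
      enableEmergencyMode = false;

      tmpfiles.rules = [
        # Never leave openssh in a state that you cannot log in: make sure the
        # ssh directory and host key files exist with sane ownership and modes.
        # Private keys are readable by root only, public keys world-readable;
        # neither is executable, so no stray x bits.
        "d /etc 0755 root root -"
        "d /etc/ssh 0755 root root -"
        "f /etc/ssh/ssh_host_ed25519_key 0600 root root -"
        "f /etc/ssh/ssh_host_ed25519_key.pub 0644 root root -"
        "f /etc/ssh/ssh_host_rsa_key 0600 root root -"
        "f /etc/ssh/ssh_host_rsa_key.pub 0644 root root -"
      ];

      # Reboot on hang (containers have no hardware watchdog).
      watchdog = lib.mkIf (!config.boot.isContainer) {
        runtimeTime = "15s";
        rebootTime = "15s";
      };
    };

    # Channels are unused on flake-based hosts; drop any per-user leftovers.
    system.userActivationScripts.removeChannels = ''
      echo "Removing all channels.."
      rm -v /nix/var/nix/profiles/per-user/*/channels*
    '';

    time.timeZone = lib.mkDefault "Europe/Berlin";

    users.motd = builtins.readFile ./motd;

    zramSwap.enable = true;
  }
]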