
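{ config, lib, pkgs, ... }:
# Fleet-wide default configuration, applied to every host; parts of it are
# conditional on other settings (hostname, nginx being enabled, containers).
# Tunables carry lib.mkDefault so a host can change them without a definition
# conflict. Anything that needs an option of its own belongs in modules/.
#
# NOTE(review): `boot.cleanTmpDir` and the `services.openssh.permitRootLogin` /
# `passwordAuthentication` names below are the pre-23.05 option spellings
# (newer NixOS uses `boot.tmp.cleanOnBoot` and `services.openssh.settings.*`);
# confirm the channel this repo tracks before renaming them.
lib.mkMerge [
  {
    boot.cleanTmpDir = true;
    documentation.nixos.enable = false;

    environment = {
      # Build without X libraries unless the host is one of the listed ones
      # (those are the only hosts that need a graphical stack).
      noXlibs = !lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ];
      # Baseline debugging / networking toolbox present on every host.
      systemPackages = with pkgs; [
        bmon
        curl
        dig
        ethtool
        git
        htop
        iotop
        mtr
        pv
        ripgrep
        screen
        tcpdump
        tmux
        tree
        vim
        wget
      ];
    };

    i18n = {
      defaultLocale = "en_US.UTF-8";
      supportedLocales = [
        "en_US.UTF-8/UTF-8"
        "de_DE.UTF-8/UTF-8"
      ];
    };

    nix = {
      settings = {
        builders-use-substitutes = true;
        connect-timeout = 20;
        experimental-features = "nix-command flakes";
        fallback = true;
        # Supply-chain trust root: every host accepts store paths signed by this
        # key, so whoever holds the nix-serve signing key can ship code to the
        # whole fleet. If the key is ever exposed, rotate it here and on the
        # cache at the same time.
        trusted-public-keys = [
          "nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
        ];
        # Put the local cache ahead of the default substituters.
        # Skipped on hydra so it does not substitute from the cache it feeds.
        substituters = lib.mkIf (config.networking.hostName != "hydra") (
          lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
        );
      };
      gc = {
        # All of these are defaults: a host may pick its own schedule or
        # retention. Previously only `automatic` was overridable, so setting
        # `dates` per host raised a conflict.
        automatic = lib.mkDefault true;
        dates = lib.mkDefault "06:00";
        options = lib.mkDefault "--delete-older-than 21d";
        randomizedDelaySec = lib.mkDefault "6h";
      };
    };

    services.openssh = {
      # Required for deployment and sops
      enable = true;
      # Deployment logs in as root, so root login stays on but only with keys.
      # mkDefault lets a host that is not deployed this way tighten it to "no".
      permitRootLogin = lib.mkDefault "prohibit-password";
      # Deployment and sops are key-based (see above), so password logins only
      # add brute-force surface on every exposed host. A host that genuinely
      # needs them can override this default.
      passwordAuthentication = lib.mkDefault false;
    };

    programs = {
      fzf.keybindings = true;
      vim.defaultEditor = true;
    };

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "mail@c3d2.de";
        # letsencrypt staging server with way higher rate limits
        # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      };
    };

    # Reboot on hang: 15 s without a watchdog ping at runtime, or a reboot
    # taking longer than 15 s, resets the machine. Not applied to containers
    # (they are presumed not to own a watchdog device).
    systemd.watchdog = lib.mkIf (!config.boot.isContainer) {
      runtimeTime = "15s";
      rebootTime = "15s";
    };

    time.timeZone = lib.mkDefault "Europe/Berlin";
    users.motd = builtins.readFile ./motd;
    zramSwap.enable = true;
  }

  # Only when a host module turns nginx on: open 80/443 via the module's
  # openFirewall and take the upstream recommended settings (including TLS).
  (lib.mkIf config.services.nginx.enable {
    services.nginx = {
      openFirewall = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
    };
  })
]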