Sandro - 2023-01-16 20:24:33 +01:00
parent 8193a1a6a4
commit 28946b1b37
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
1 changed files with 155 additions and 157 deletions


@ -3,180 +3,178 @@
# this file contains default configuration that may be turned on depending on other config settings.
# options should go to modules.
lib.mkMerge [
{
boot = {
cleanTmpDir = true;
kernel.sysctl = {
"net.ipv4.tcp_congestion_control" = "bbr";
};
# recommend to turn off, only on by default for backwards compatibility
zfs.forceImportRoot = false;
{
boot = {
cleanTmpDir = true;
kernel.sysctl = {
"net.ipv4.tcp_congestion_control" = "bbr";
};
# recommend to turn off, only on by default for backwards compatibility
zfs.forceImportRoot = false;
};
c3d2 = {
addKnownHosts = true;
};
c3d2 = {
addKnownHosts = true;
};
documentation.nixos.enable = false;
documentation.nixos.enable = false;
environment = {
gnome.excludePackages = with pkgs; [
epiphany # we are using firefox or chromium and requires second webkitgtk
yelp # less webkitgtk's
];
noXlibs = !lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ];
systemPackages = with pkgs; [
bmon
curl
dig
ethtool
fd
git
htop
iotop
mtr
pv
ripgrep
screen
tcpdump
tree
vim
wget
environment = {
gnome.excludePackages = with pkgs; [
epiphany # we are using firefox or chromium and requires second webkitgtk
yelp # less webkitgtk's
];
noXlibs = !lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ];
systemPackages = with pkgs; [
bmon
curl
dig
ethtool
fd
git
htop
iotop
mtr
pv
ripgrep
screen
tcpdump
tree
vim
wget
];
};
hardware.enableRedistributableFirmware = lib.mkDefault true;
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
};
nix = {
settings = {
builders-use-substitutes = true; # TODO: move
connect-timeout = 20;
experimental-features = "nix-command flakes";
fallback = true;
trusted-public-keys = [
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
);
};
gc = {
automatic = lib.mkDefault true;
dates = "06:00";
options = "--delete-older-than 21d";
randomizedDelaySec = "6h";
};
};
# trust sandro to set good defaults in nixos-modules
opinionatedDefaults = true;
programs = {
fzf.keybindings = true;
tmux = {
enable = true;
aggressiveResize = true;
baseIndex = 0;
clock24 = true;
historyLimit = 50000;
terminal = "xterm-256color";
extraConfig = ''
# mouse control
set -g mouse on
# focus events enabled for terminals that support them
set -g focus-events on
# open new tab in PWD
bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"
# don't clear selection on copy
bind-key -Tcopy-mode-vi MouseDragEnd1Pane send -X copy-selection-no-clear
bind-key -Tcopy-mode-vi y send -X copy-selection-no-clear
'';
};
vim.defaultEditor = true;
};
services = {
gnome = {
# less webkitgtk's
evolution-data-server.enable = lib.mkForce false;
gnome-initial-setup.enable = false;
};
hardware.enableRedistributableFirmware = lib.mkDefault true;
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
openssh = {
# Required for deployment and sops
enable = true;
permitRootLogin = "prohibit-password";
};
nix = {
settings = {
builders-use-substitutes = true; # TODO: move
connect-timeout = 20;
experimental-features = "nix-command flakes";
fallback = true;
trusted-public-keys = [
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
);
};
gc = {
automatic = lib.mkDefault true;
dates = "06:00";
options = "--delete-older-than 21d";
randomizedDelaySec = "6h";
};
portunus = with zentralwerk.lib.config.site.net.serv; {
domain = "auth.c3d2.de";
externalIp4 = hosts4.auth;
externalIp6 = hosts6.up4.auth;
};
# trust sandro to set good defaults in nixos-modules
opinionatedDefaults = true;
programs = {
fzf.keybindings = true;
tmux = {
enable = true;
aggressiveResize = true;
baseIndex = 0;
clock24 = true;
historyLimit = 50000;
terminal = "xterm-256color";
extraConfig = ''
# mouse control
set -g mouse on
# focus events enabled for terminals that support them
set -g focus-events on
# open new tab in PWD
bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"
# don't clear selection on copy
bind-key -Tcopy-mode-vi MouseDragEnd1Pane send -X copy-selection-no-clear
bind-key -Tcopy-mode-vi y send -X copy-selection-no-clear
'';
};
vim.defaultEditor = true;
postgresql.upgrade = {
extraArgs = [ "--link" ]
++ lib.optional (config ? microvm) "--jobs=${toString config.microvm.vcpu}";
newPackage = pkgs.postgresql_15;
stopServices = lib.optional config.services.nginx.enable "nginx"
++ lib.optional config.c3d2.hq.statistics.enable "collectd";
};
};
services = {
gnome = {
# less webkitgtk's
evolution-data-server.enable = lib.mkForce false;
gnome-initial-setup.enable = false;
};
openssh = {
# Required for deployment and sops
enable = true;
permitRootLogin = "prohibit-password";
};
portunus = with zentralwerk.lib.config.site.net.serv; {
domain = "auth.c3d2.de";
externalIp4 = hosts4.auth;
externalIp6 = hosts6.up4.auth;
};
postgresql.upgrade = {
extraArgs = [ "--link" ]
++ lib.optional (config ? microvm) "--jobs=${toString config.microvm.vcpu}";
newPackage = pkgs.postgresql_15;
stopServices = lib.optional config.services.nginx.enable "nginx"
++ lib.optional config.c3d2.hq.statistics.enable "collectd";
};
security.acme = {
acceptTerms = true;
defaults = {
email = "mail@c3d2.de";
# letsencrypt staging server with way higher rate limits
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "mail@c3d2.de";
# letsencrypt staging server with way higher rate limits
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
systemd = {
# Do not break the boot
enableEmergencyMode = false;
tmpfiles.rules = [
# never leave openssh in a state that you cannot log in
"d /etc 0755 root root -"
"d /etc/ssh 0755 root root -"
"f /etc/ssh/ssh_host_ed25519_key 0700 root root -"
"f /etc/ssh/ssh_host_ed25519_key.pub 0744 root root -"
"f /etc/ssh/ssh_host_rsa_key 0700 root root -"
"f /etc/ssh/ssh_host_rsa_key.pub 0744 root root -"
];
# Reboot on hang
watchdog = lib.mkIf (!config.boot.isContainer) {
runtimeTime = "15s";
rebootTime = "15s";
};
};
systemd = {
# Do not break the boot
enableEmergencyMode = false;
system.userActivationScripts.removeChannels = ''
echo "Removing all channels.."
rm -v /nix/var/nix/profiles/per-user/*/channels*
'';
tmpfiles.rules = [
# never leave openssh in a state that you cannot log in
"d /etc 0755 root root -"
"d /etc/ssh 0755 root root -"
"f /etc/ssh/ssh_host_ed25519_key 0700 root root -"
"f /etc/ssh/ssh_host_ed25519_key.pub 0744 root root -"
"f /etc/ssh/ssh_host_rsa_key 0700 root root -"
"f /etc/ssh/ssh_host_rsa_key.pub 0744 root root -"
];
time.timeZone = lib.mkDefault "Europe/Berlin";
# Reboot on hang
watchdog = lib.mkIf (!config.boot.isContainer) {
runtimeTime = "15s";
rebootTime = "15s";
};
};
users.motd = builtins.readFile ./motd;
system.userActivationScripts.removeChannels = ''
echo "Removing all channels.."
rm -v /nix/var/nix/profiles/per-user/*/channels*
'';
time.timeZone = lib.mkDefault "Europe/Berlin";
users.motd = builtins.readFile ./motd;
zramSwap.enable = true;
}
]
zramSwap.enable = true;
}
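Review bot: The tmpfiles rules `"f /etc/ssh/ssh_host_ed25519_key 0700 root root -"` and the three sibling `f` lines in `systemd.tmpfiles.rules` create an empty file when the path is missing, which can work against the stated intent in the `# never leave openssh in a state that you cannot log in` comment: if the host-key generation step skips paths that already exist (I cannot confirm from this page whether it checks for existence or for non-empty content), a fresh install would end up with an empty key file and sshd unable to load it. A type `z` rule only adjusts mode and ownership of files that already exist and would express the "fix permissions, never create" intent without that risk, e.g. `"z /etc/ssh/ssh_host_ed25519_key 0600 root root -"`; otherwise a short comment explaining why `f` is safe here would help the next reader. Separately, `0700` and `0744` set the execute bit on regular key files; `0600` for private keys and `0644` for `.pub` files match what ssh-keygen itself produces and is the least-privilege choice. The same applies to the `ssh_host_rsa_key` pair two lines below.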