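{ config, lib, pkgs, ... }:

# Fleet-wide defaults shared by every host built from this repository.
# Everything in here is either unconditional or switched on by other config
# values (hostname, container flag, nginx enabled); new *options* belong in
# modules, not in this file.
lib.mkMerge [
  {
    boot.cleanTmpDir = true;
    documentation.nixos.enable = false;

    environment = {
      # Only the listed hosts keep X libraries; every other host gets the
      # smaller noXlibs closure.
      noXlibs = !(builtins.elem config.networking.hostName [
        "dacbert"
        "glotzbert"
        "rpi-netboot"
      ]);
      # Baseline operator tooling available on every host.
      systemPackages = with pkgs; [
        bmon
        curl
        dig
        ethtool
        git
        htop
        iotop
        mtr
        pv
        ripgrep
        screen
        tcpdump
        tmux
        tree
        vim
        wget
      ];
    };

    i18n = {
      defaultLocale = "en_US.UTF-8";
      supportedLocales = [
        "en_US.UTF-8/UTF-8"
        "de_DE.UTF-8/UTF-8"
      ];
    };

    nix = {
      settings = {
        builders-use-substitutes = true;
        connect-timeout = 20;
        experimental-features = "nix-command flakes";
        # Keep building locally if a substituter is unreachable.
        fallback = true;
        # Signing key of the internal cache; store paths served by
        # nix-serve.hq.c3d2.de are only accepted when signed with it.
        trusted-public-keys = [
          "nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
        ];
        # don't self feed hydra
        # mkBefore puts the internal cache ahead of the upstream defaults.
        substituters = lib.mkIf (config.networking.hostName != "hydra") (
          lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
        );
      };
      gc = {
        automatic = lib.mkDefault true;
        dates = "06:00";
        options = "--delete-older-than 21d";
        randomizedDelaySec = "6h";
      };
    };

    services.openssh = {
      # Required for deployment and sops
      enable = true;
      # Root may only authenticate with a key, never a password.
      permitRootLogin = "prohibit-password";
      # Deployment and sops are key-based (see above), so ordinary users do
      # not need password logins either; leaving the NixOS default (enabled)
      # would make every exposed host brute-forceable on port 22.  mkDefault
      # keeps a per-host override possible where a password login is
      # genuinely required.
      passwordAuthentication = lib.mkDefault false;
    };

    programs = {
      fzf.keybindings = true;
      vim.defaultEditor = true;
    };

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "mail@c3d2.de";
        # letsencrypt staging server with way higher rate limits
        # (issues certificates that are NOT browser-trusted; only uncomment
        # while testing a new host's ACME setup)
        # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      };
    };

    # Reboot on hang
    # Containers have no watchdog device of their own, so this is only
    # configured on real (or virtual) machines.
    systemd.watchdog = lib.mkIf (!config.boot.isContainer) {
      runtimeTime = "15s";
      rebootTime = "15s";
    };

    time.timeZone = lib.mkDefault "Europe/Berlin";

    users.motd = builtins.readFile ./motd;

    zramSwap.enable = true;
  }

  # Shared nginx tuning, only applied on hosts that actually run nginx.
  (lib.mkIf config.services.nginx.enable {
    services.nginx = {
      # NOTE(review): this opens the HTTP/HTTPS ports on every interface of
      # any host with nginx enabled; a host that only serves internally
      # should override it with `services.nginx.openFirewall = false`.
      openFirewall = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
    };
  })
]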