stuebinm
72ca5b2888
in theory this might be ready to deploy. Potential hazards & things to
know when actually doing so:
1. the mysql version used by mattermost was updated (the old uses an
openssl which is marked insecure). Might have to migrate a database
2. lots of settings now use RFC 42-style settings, which might contain
new typos
3. this updates uffd (& changes the patches we apply). Since version
dependencies of uffd are basically "whatever debian has" we have
never bothered to match them, but afaik have also never updated uffd
since the initial deploy some years ago. No guarantee it still
works.
4. tracktrain depends on haskellPackages.conferer-warp, which is
currently marked broken. There is no reason for this (it builds
fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1.
cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a
merge of haskell-updates into 23.05
90 lines
1.9 KiB
Nix
90 lines
1.9 KiB
Nix
{ config, lib, pkgs, modules, sources, ... }:
|
|
|
|
{
|
|
imports = [
|
|
../modules
|
|
./users.nix
|
|
modules.network.nftables
|
|
];
|
|
|
|
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
|
boot.kernelParams = [ "quiet" ];
|
|
|
|
networking.domain = lib.mkDefault "hacc.space";
|
|
|
|
services.journald.extraConfig = ''
|
|
SystemMaxUse=512M
|
|
MaxRetentionSec=48h
|
|
'';
|
|
nix.gc.automatic = lib.mkDefault true;
|
|
nix.gc.options = lib.mkDefault "--delete-older-than 7d";
|
|
nix.settings.trusted-users = [ "root" "@wheel" ];
|
|
nix.extraOptions = ''
|
|
experimental-features = nix-command flakes
|
|
'';
|
|
environment.variables.EDITOR = "vim";
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
ports = lib.mkDefault [ 62954 ];
|
|
settings = {
|
|
X11Forwarding = true;
|
|
PermitRootLogin = "prohibit-password";
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
StreamLocalBindUnlink = true;
|
|
};
|
|
};
|
|
programs.mosh.enable = true;
|
|
programs.fish.enable = true;
|
|
security.sudo.wheelNeedsPassword = lib.mkDefault false;
|
|
|
|
i18n.defaultLocale = "en_IE.UTF-8";
|
|
console = {
|
|
font = "Lat2-Terminus16";
|
|
keyMap = "de";
|
|
};
|
|
programs.mtr.enable = true;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
smartmontools lm_sensors htop tcpdump nload iftop
|
|
bottom
|
|
ripgrep vgrep
|
|
git wget
|
|
kitty.terminfo
|
|
rsync pv progress
|
|
parallel bc
|
|
usbutils pciutils
|
|
cryptsetup gptfdisk
|
|
zstd p7zip
|
|
file
|
|
whois
|
|
iperf
|
|
fd
|
|
exa
|
|
socat
|
|
tmux
|
|
gnupg
|
|
vim neovim
|
|
patchelf
|
|
binutils
|
|
dnsutils
|
|
flashrom ifdtool cbfstool nvramtool
|
|
nmap
|
|
s-tui stress
|
|
ffmpeg-full
|
|
bat
|
|
niv
|
|
];
|
|
|
|
security.acme.defaults.email = "info+acme@hacc.space";
|
|
security.acme.acceptTerms = true;
|
|
|
|
services.nginx.appendHttpConfig = ''
|
|
access_log off;
|
|
add_header Permissions-Policy "interest-cohort=()";
|
|
'';
|
|
|
|
networking.nftables.enable = true;
|
|
}
|