stuebinm
3e40d82579
Since Lix is now in nixpkgs-unstable-small, I think it's a good time to use it. This does mean that we now pull in our nix implementation from an unstable channel, but overall I'm more confident in the Lix team's ability to not break things than I am in the Nix team's ability to backport (& then actually release) security updates. (once Lix is on a stable channel, we can switch back to using it from there)
89 lines
1.9 KiB
Nix
89 lines
1.9 KiB
Nix
{ config, lib, pkgs, modules, sources, ... }:
|
|
|
|
{
|
|
imports = [
|
|
../modules
|
|
./users.nix
|
|
];
|
|
|
|
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
|
boot.kernelParams = [ "quiet" ];
|
|
|
|
networking.domain = lib.mkDefault "hacc.space";
|
|
|
|
services.journald.extraConfig = ''
|
|
SystemMaxUse=512M
|
|
MaxRetentionSec=48h
|
|
'';
|
|
nix.package = pkgs.lix;
|
|
nix.gc.automatic = lib.mkDefault true;
|
|
nix.gc.options = lib.mkDefault "--delete-older-than 7d";
|
|
nix.settings.trusted-users = [ "root" "@wheel" ];
|
|
nix.extraOptions = ''
|
|
experimental-features = nix-command flakes
|
|
'';
|
|
environment.variables.EDITOR = "vim";
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
ports = lib.mkDefault [ 62954 ];
|
|
settings = {
|
|
X11Forwarding = true;
|
|
PermitRootLogin = "prohibit-password";
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
StreamLocalBindUnlink = true;
|
|
};
|
|
};
|
|
programs.mosh.enable = true;
|
|
programs.fish.enable = true;
|
|
security.sudo.wheelNeedsPassword = lib.mkDefault false;
|
|
|
|
i18n.defaultLocale = "en_IE.UTF-8";
|
|
console = {
|
|
font = "Lat2-Terminus16";
|
|
keyMap = "de";
|
|
};
|
|
programs.mtr.enable = true;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
smartmontools lm_sensors htop tcpdump nload iftop
|
|
bottom
|
|
ripgrep vgrep
|
|
git wget
|
|
kitty.terminfo
|
|
rsync pv progress
|
|
parallel bc
|
|
usbutils pciutils
|
|
cryptsetup gptfdisk
|
|
zstd p7zip
|
|
file
|
|
whois
|
|
iperf
|
|
fd
|
|
eza
|
|
socat
|
|
tmux
|
|
gnupg
|
|
vim neovim
|
|
patchelf
|
|
binutils
|
|
dnsutils
|
|
flashrom ifdtool cbfstool nvramtool
|
|
nmap
|
|
s-tui stress
|
|
ffmpeg-full
|
|
bat
|
|
niv
|
|
];
|
|
|
|
security.acme.defaults.email = "info+acme@hacc.space";
|
|
security.acme.acceptTerms = true;
|
|
|
|
services.nginx.appendHttpConfig = ''
|
|
access_log off;
|
|
add_header Permissions-Policy "interest-cohort=()";
|
|
'';
|
|
|
|
networking.nftables.enable = true;
|
|
}
|