boot changes

This commit is contained in:
notgne2 2023-01-10 18:54:15 -07:00
parent 21ddbd068e
commit 77f6dc8d5f
Signed by: notgne2
SSH Key Fingerprint: SHA256:qlFCAimT/PvNIG3u+aYT9pIqFCWgu6sNsWjpV1vHLIE
2 changed files with 112 additions and 92 deletions


@ -7,87 +7,92 @@ all: {
}: {
imports = [all];
config = {
services.haveged.enable = lib.mkDefault true;
security.rtkit.enable = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault true;
services.earlyoom.enable = lib.mkDefault true;
programs.mosh.enable = lib.mkDefault true;
systemd.services.nix-gc.serviceConfig.IOSchedulingPriority =
lib.mkDefault 7;
systemd.services.nix-gc.serviceConfig.IOSchedulingClass =
lib.mkDefault "idle";
systemd.services.nix-gc.serviceConfig.CPUSchedulingPolicy =
lib.mkDefault "idle";
nix = {
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "20:00";
options = lib.mkDefault "--delete-older-than 40d";
};
daemonIOSchedPriority = lib.mkDefault 7;
daemonIOSchedClass = lib.mkDefault "idle";
daemonCPUSchedPolicy = lib.mkDefault "idle";
settings = {
trusted-users = ["root" "builder" "@wheel"];
builders-use-substitutes = true;
experimental-features = ["nix-command" "flakes" "repl-flake"];
keep-outputs = true;
keep-derivations = true;
};
};
# make nginx have good logging and defaults
services.nginx = {
recommendedGzipSettings = lib.mkDefault true;
recommendedOptimisation = lib.mkDefault true;
recommendedProxySettings = lib.mkDefault true;
appendHttpConfig = ''
error_log stderr;
access_log syslog:server=unix:/dev/log combined;
'';
};
# set some basic system props
security.sudo.wheelNeedsPassword = lib.mkDefault false;
networking.networkmanager.enable = lib.mkDefault true;
# package list
environment.systemPackages = with pkgs; [
exfat
# to stop NixOS breaking
git
];
services.openssh = {
# Allow ssh
enable = lib.mkDefault true;
# lol no
permitRootLogin = lib.mkDefault "no";
passwordAuthentication = lib.mkDefault false;
# allow reverse ssh port shit to be public sometimes
gatewayPorts = lib.mkDefault "clientspecified";
extraConfig = ''
StreamLocalBindUnlink yes
'';
};
# Use a firewall
networking.firewall.enable = lib.mkDefault true;
networking.firewall.allowPing = true;
networking.firewall.allowedTCPPorts = lib.mkDefault [22];
programs.fish.enable = lib.mkDefault true;
users.defaultUserShell = lib.mkOverride 900 pkgs.fish;
boot.loader = {
efi.canTouchEfiVariables = lib.mkDefault true;
systemd-boot.editor = lib.mkDefault false;
# having a user makes sure `superusers=""` gets set, which prevents editing like the above
grub.users.grubby = {};
};
services.haveged.enable = lib.mkDefault true;
security.rtkit.enable = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault true;
services.earlyoom.enable = lib.mkDefault true;
programs.mosh.enable = lib.mkDefault true;
systemd.services.nix-gc.serviceConfig.IOSchedulingPriority =
lib.mkDefault 7;
systemd.services.nix-gc.serviceConfig.IOSchedulingClass =
lib.mkDefault "idle";
systemd.services.nix-gc.serviceConfig.CPUSchedulingPolicy =
lib.mkDefault "idle";
nix = {
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "20:00";
options = lib.mkDefault "--delete-older-than 40d";
};
daemonIOSchedPriority = lib.mkDefault 7;
daemonIOSchedClass = lib.mkDefault "idle";
daemonCPUSchedPolicy = lib.mkDefault "idle";
settings = {
trusted-users = ["root" "builder" "@wheel"];
builders-use-substitutes = true;
experimental-features = ["nix-command" "flakes" "repl-flake"];
keep-outputs = true;
keep-derivations = true;
};
};
# make nginx have good logging and defaults
services.nginx = {
recommendedGzipSettings = lib.mkDefault true;
recommendedOptimisation = lib.mkDefault true;
recommendedProxySettings = lib.mkDefault true;
appendHttpConfig = ''
error_log stderr;
access_log syslog:server=unix:/dev/log combined;
'';
};
# set some basic system props
security.sudo.wheelNeedsPassword = lib.mkDefault false;
networking.networkmanager.enable = lib.mkDefault true;
# package list
environment.systemPackages = with pkgs; [
exfat
# to stop NixOS breaking
git
];
services.openssh = {
# Allow ssh
enable = lib.mkDefault true;
# lol no
permitRootLogin = lib.mkDefault "no";
passwordAuthentication = lib.mkDefault false;
# allow reverse ssh port shit to be public sometimes
gatewayPorts = lib.mkDefault "clientspecified";
extraConfig = ''
StreamLocalBindUnlink yes
'';
};
# Use a firewall
networking.firewall.enable = lib.mkDefault true;
networking.firewall.allowPing = true;
networking.firewall.allowedTCPPorts = lib.mkDefault [22];
programs.fish.enable = lib.mkDefault true;
users.defaultUserShell = lib.mkOverride 900 pkgs.fish;
}
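Review bot: `grub.users.grubby = {}` in the new boot.loader block declares a GRUB superuser with no credential, so it does not do what the comment above it describes: a defined user makes the generated config set `superusers="grubby"` rather than `superusers=""`, and a user with no `hashedPassword`/`hashedPasswordFile` is, as far as I can tell, either rejected when the GRUB config is generated or, if it were accepted, a superuser that offers no real protection at the console. If I read the loader modules right, the block is also inert whenever systemd-boot is the active loader, which `systemd-boot.editor = lib.mkDefault false` suggests is the usual case here, so the GRUB editor lockdown only matters on hosts that actually boot via GRUB and there it currently lacks the password that would make it work. I would give the user a credential kept out of the store, e.g. `grub.users.grubby.hashedPasswordFile = "<path to a grub-mkpasswd-pbkdf2 hash>";`, and reword the comment to `# a superuser entry sets superusers=<name>, which puts the GRUB editor and command line behind that user's password`. The enclosing `config = {` attrset starts before this hunk and the `}` on the hunk's last line closes it.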


@ -23,12 +23,34 @@ in {
};
config = mkIf cfg.enable {
boot.plymouth.enable = lib.mkDefault true;
# as soon as this stops breaking _all_ my machines
boot.initrd.systemd.enable = lib.mkDefault false;
# until https://github.com/NixOS/nixpkgs/pull/199784 is merged
systemd.services.plymouth-start.restartIfChanged = false;
console = {
earlySetup = lib.mkDefault false;
};
boot = {
consoleLogLevel = lib.mkDefault 0;
initrd.verbose = lib.mkDefault false;
plymouth.enable = lib.mkDefault true;
kernelParams = [
"quiet"
"loglevel=3"
"rd.systemd.show_status=no"
"rd.udev.log_level=3"
"udev.log_priority=3"
"vt.global_cursor_default=0"
];
loader.timeout = 0;
kernel.sysctl = {
# lol anti-cheat
"abi.vsyscall32" = lib.mkDefault 0;
};
};
services.avahi = {
enable = lib.mkDefault true;
nssmdns = lib.mkDefault true;
@ -276,13 +298,6 @@ in {
services.dbus.enable = lib.mkDefault true;
services.dbus.packages = with pkgs; [dconf];
boot.kernel.sysctl = {
# better default swap
"vm.swappiness" = lib.mkDefault 45;
# lol anti-cheat
"abi.vsyscall32" = 0;
};
# self explanatory
fuckingprint.enable = lib.mkDefault true;