all:
{ config, pkgs, lib, options, ... }:
let
  # GRUB gets locked down only when the systemd-boot editor is also off, so
  # both loaders are either open or closed at the console together.
  lockGrubEditor = !config.boot.loader.systemd-boot.editor;
in
{
  imports = [ all ];

  boot.loader = {
    # The boot-entry editor lets anyone with console access change the kernel
    # command line before boot; keep it off unless a host opts back in.
    systemd-boot.editor = lib.mkDefault false;
    # An empty superusers list makes GRUB refuse all interactive editing and
    # command-line access.
    grub.extraConfig = lib.mkIf lockGrubEditor ''
      set superusers=""
    '';
  };

  security = {
    rtkit.enable = lib.mkDefault true;
    # No password prompt for wheel members. Together with "@wheel" in
    # nix.settings.trusted-users below this makes every wheel account
    # root-equivalent without re-authentication; mkDefault so a host can
    # flip it back on.
    sudo.wheelNeedsPassword = lib.mkDefault false;
  };

  nix = {
    gc = {
      automatic = lib.mkDefault true;
      dates = lib.mkDefault "20:00";
      options = lib.mkDefault "--delete-older-than 40d";
    };
    settings = {
      # Trusted users may override daemon settings (substituters, sandbox,
      # ...) and are therefore effectively root; keep this list short.
      trusted-users = [ "root" "builder" "@wheel" ];
      builders-use-substitutes = true;
      experimental-features = [ "nix-command" "flakes" ];
    };
  };

  programs = {
    # NOTE(review): the mosh module opens its UDP port range in the firewall
    # by default (programs.mosh.openFirewall) — confirm that is intended on
    # hosts that keep the firewall below.
    mosh.enable = lib.mkDefault true;
    fish.enable = lib.mkDefault true;
  };

  services = {
    earlyoom.enable = lib.mkDefault true;

    # nginx: hardened TLS/proxy defaults and logging that lands in the journal
    # instead of files under /var/log/nginx.
    nginx = {
      recommendedTlsSettings = lib.mkDefault true;
      recommendedOptimisation = lib.mkDefault true;
      recommendedGzipSettings = lib.mkDefault true;
      recommendedUwsgiSettings = lib.mkDefault true;
      recommendedProxySettings = lib.mkDefault true;
      recommendedBrotliSettings = lib.mkDefault true;
      appendHttpConfig = ''
        error_log stderr;
        access_log syslog:server=unix:/dev/log combined;
      '';
    };

    openssh = {
      enable = lib.mkDefault true;
      settings = {
        # Remove a stale unix socket before binding a forwarded one, so
        # reconnects after an unclean exit do not fail.
        StreamLocalBindUnlink = lib.mkDefault "yes";
        # Root and password logins are off: key-based auth on a normal user
        # only. Both are mkDefault so a host can relax them deliberately.
        PermitRootLogin = lib.mkDefault "no";
        PasswordAuthentication = lib.mkDefault false;
        # Lets a client choose the bind address of a remote forward, i.e. a
        # reverse forward may be reachable beyond loopback; the firewall
        # rules below still decide what is actually exposed.
        GatewayPorts = lib.mkDefault "clientspecified";
      };
    };
  };

  environment.systemPackages = [
    pkgs.exfat # to stop NixOS breaking git
  ];

  networking.firewall = {
    enable = lib.mkDefault true;
    # ICMP echo stays allowed on purpose; it is not mkDefault.
    allowPing = true;
    # NOTE(review): the openssh module already opens its port when
    # services.openssh.openFirewall is left at its default — confirm this
    # list is still wanted as the baseline.
    allowedTCPPorts = lib.mkDefault [ 22 ];
    # Loose reverse-path filtering so asymmetric routes (VPNs, multi-homed
    # hosts) are not silently dropped.
    checkReversePath = "loose";
  };

  # Priority 900 sits between mkDefault (1000) and a plain assignment (100):
  # hosts override it with a bare `users.defaultUserShell = ...`.
  users.defaultUserShell = lib.mkOverride 900 pkgs.fish;
}