82 lines
2.1 KiB
Nix
82 lines
2.1 KiB
Nix
all: {
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
options,
|
|
...
|
|
}: {
|
|
imports = [all];
|
|
|
|
boot.loader = {
|
|
systemd-boot.editor = lib.mkDefault false;
|
|
grub.extraConfig = lib.mkIf (!config.boot.loader.systemd-boot.editor) ''
|
|
set superusers=""
|
|
'';
|
|
};
|
|
|
|
security.rtkit.enable = lib.mkDefault true;
|
|
|
|
services.earlyoom.enable = lib.mkDefault true;
|
|
|
|
programs.mosh.enable = lib.mkDefault true;
|
|
|
|
nix = {
|
|
gc = {
|
|
automatic = lib.mkDefault true;
|
|
dates = lib.mkDefault "20:00";
|
|
options = lib.mkDefault "--delete-older-than 40d";
|
|
};
|
|
|
|
settings = {
|
|
trusted-users = ["root" "builder" "@wheel"];
|
|
builders-use-substitutes = true;
|
|
experimental-features = ["nix-command" "flakes"];
|
|
};
|
|
};
|
|
|
|
# make nginx have good logging and defaults
|
|
services.nginx = {
|
|
recommendedTlsSettings = lib.mkDefault true;
|
|
recommendedOptimisation = lib.mkDefault true;
|
|
recommendedGzipSettings = lib.mkDefault true;
|
|
recommendedUwsgiSettings = lib.mkDefault true;
|
|
recommendedProxySettings = lib.mkDefault true;
|
|
recommendedBrotliSettings = lib.mkDefault true;
|
|
appendHttpConfig = ''
|
|
error_log stderr;
|
|
access_log syslog:server=unix:/dev/log combined;
|
|
'';
|
|
};
|
|
|
|
security.sudo.wheelNeedsPassword = lib.mkDefault false;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
exfat
|
|
|
|
# to stop NixOS breaking
|
|
git
|
|
];
|
|
|
|
services.openssh = {
|
|
enable = lib.mkDefault true;
|
|
settings = {
|
|
StreamLocalBindUnlink = lib.mkDefault "yes";
|
|
# lol no
|
|
PermitRootLogin = lib.mkDefault "no";
|
|
PasswordAuthentication = lib.mkDefault false;
|
|
# allow reverse ssh port shit to be public sometimes
|
|
GatewayPorts = lib.mkDefault "clientspecified";
|
|
};
|
|
};
|
|
|
|
# Use a firewall
|
|
networking.firewall.enable = lib.mkDefault true;
|
|
# dont be stupid
|
|
networking.firewall.allowPing = true;
|
|
networking.firewall.allowedTCPPorts = lib.mkDefault [22];
|
|
# but not too much, don't break VPNs etc
|
|
networking.firewall.checkReversePath = "loose";
|
|
|
|
programs.fish.enable = lib.mkDefault true;
|
|
users.defaultUserShell = lib.mkOverride 900 pkgs.fish;
|
|
}
|