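# Shared base configuration imported by every host.
#
# Arguments: the usual NixOS module arguments plus `vm`, which selects the
# virtual-machine hardware profile (./vm.nix, the default) instead of the
# bare-metal one (./hardware.nix).
{ pkgs, lib, modulesPath, vm ? true, ... }:
{
  imports = [
    ./admins.nix
    ./nix_keys.nix
    ./prometheusNodeExporter.nix
    ../modules/impermanence.nix
  ] ++ (if vm then [ ./vm.nix ] else [ ./hardware.nix ]);

  nix.extraOptions = ''
    experimental-features = nix-command flakes
    builders-use-substitutes = true
  '';

  networking = {
    firewall = {
      # These should be the defaults, but better make sure!
      enable = true;
      allowPing = true;
    };
    nftables.enable = true;
    # We don't speak DHCP and even if we did, it should be enabled per interface.
    useDHCP = false;
    # hosts =
    # TODO write something to autogenerate IP addresses!
  };

  users = {
    # Only declaratively managed users; "!" locks the root password so root
    # cannot authenticate with a password at all.
    mutableUsers = false;
    users.root.hashedPassword = "!";
  };

  impermanence.enable = true;

  # sops-nix derives the age decryption key from the host's SSH host key.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  environment.systemPackages = builtins.attrValues {
    inherit (pkgs) htop lsof tmux btop;
  };

  services = {
    journald.extraConfig = "SystemMaxUse=5G";

    # nginx is not enabled here; these tuning flags only take effect on hosts
    # that set services.nginx.enable themselves.
    nginx = {
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedTlsSettings = true;
    };

    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        # PasswordAuthentication = false alone still leaves the PAM
        # keyboard-interactive password prompt reachable; turn that path off
        # too so that only key-based authentication is accepted.
        KbdInteractiveAuthentication = false;
      };
    };

    # Prevent clock drift due to an interaction problem with the Xen hardware clock.
    timesyncd.enable = lib.mkForce true;
  };
}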