131 lines
3.7 KiB
Nix
131 lines
3.7 KiB
Nix
{ pkgs, config, lib, ... }: {
|
|
imports = [ ../../common ./admin.nix ../../cachix.nix ];
|
|
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
# For nixos-rebuild
|
|
nixpkgs.overlays =
|
|
[ (_: _: (import ../../channels.nix).${config.networking.hostName}) ]
|
|
++ import ../../overlays { inherit lib; };
|
|
|
|
time.timeZone = "Europe/Berlin";
|
|
|
|
networking = {
|
|
firewall.allowPing = true;
|
|
useDHCP = false;
|
|
hosts = lib.zipAttrs
|
|
(
|
|
lib.mapAttrsToList (host: ip: if builtins.typeOf ip == "set" then { } else { "${ip}" = "${host} ${host}.m-0.eu"; })
|
|
config.m-0.hosts
|
|
);
|
|
};
|
|
|
|
security.acme = {
|
|
email = "security@maralorn.de";
|
|
acceptTerms = true;
|
|
};
|
|
|
|
users = {
|
|
defaultUserShell = pkgs.zsh;
|
|
mutableUsers = false;
|
|
};
|
|
|
|
environment = {
|
|
etc = lib.mapAttrs'
|
|
(name: value: lib.nameValuePair "nix-path/${name}" { source = value; })
|
|
(lib.filterAttrs (name: value: name != "__functor") pkgs.sources) // {
|
|
"nix-path/nixos".source = pkgs.sources.${pkgs.nixpkgs-channel};
|
|
"nix-path/nixpkgs".source = pkgs.sources.${pkgs.nixpkgs-channel};
|
|
"nix-path/home-manager".source =
|
|
pkgs.sources.${pkgs.home-manager-channel};
|
|
};
|
|
variables =
|
|
lib.genAttrs [ "CURL_CA_BUNDLE" "GIT_SSL_CAINFO" "SSL_CERT_FILE" ]
|
|
(_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt");
|
|
};
|
|
|
|
system.activationScripts =
|
|
lib.mkIf (!pkgs.withSecrets) { text = "echo No secrets loaded!; exit 1;"; };
|
|
|
|
nix = {
|
|
binaryCaches = lib.mkAfter (
|
|
pkgs.privateValue [ ] "binary-caches"
|
|
# ++ (
|
|
# if config.networking.hostName != "hera" then [ "ssh-ng://nix-ssh@hera.m-0.eu?trusted=true&priority=100" ] else [ ]
|
|
# )
|
|
);
|
|
binaryCachePublicKeys =
|
|
[
|
|
"ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI="
|
|
"hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
|
|
"nixbuild.net/maralorn-1:cpqv21sJgRL+ROaKY1Gr0k7AKolAKaP3S3iemGxK/30="
|
|
];
|
|
nixPath = [ "/etc/nix-path" ];
|
|
trustedUsers = [ "maralorn" "laminar" ];
|
|
buildMachines = pkgs.privateValue [ ] "remote-builders";
|
|
extraOptions = ''
|
|
experimental-features = nix-command flakes
|
|
fallback = true
|
|
auto-optimise-store = true
|
|
builders-use-substitutes = true
|
|
'';
|
|
optimise = {
|
|
dates = [ ];
|
|
automatic = true;
|
|
};
|
|
};
|
|
|
|
systemd.services =
|
|
let
|
|
hosts = builtins.attrNames config.services.nginx.virtualHosts;
|
|
makeConfig = host: {
|
|
name = "acme-${host}";
|
|
value = {
|
|
serviceConfig = {
|
|
Restart = "on-failure";
|
|
RestartSec = 600;
|
|
};
|
|
unitConfig = {
|
|
StartLimitIntervalSec = 2400;
|
|
StartLimitBurst = 3;
|
|
};
|
|
};
|
|
};
|
|
in
|
|
{ nix-optimise.serviceConfig.Type = "oneshot"; } // builtins.listToAttrs (map makeConfig hosts);
|
|
|
|
services = {
|
|
logind.killUserProcesses = false;
|
|
journald.extraConfig = "SystemMaxUse=5G";
|
|
prometheus.exporters = {
|
|
node = {
|
|
enable = true;
|
|
enabledCollectors = [ "systemd" "logind" ];
|
|
disabledCollectors = [ "timex" ];
|
|
};
|
|
nginx = {
|
|
enable = config.services.nginx.enable;
|
|
openFirewall = true;
|
|
};
|
|
};
|
|
nginx = {
|
|
statusPage = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedTlsSettings = true;
|
|
clientMaxBodySize = "500m";
|
|
};
|
|
};
|
|
programs = {
|
|
command-not-found.dbPath = "${builtins.fetchTarball {
|
|
url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz";
|
|
}}/programs.sqlite";
|
|
zsh = {
|
|
enable = true;
|
|
autosuggestions.enable = true;
|
|
enableCompletion = true;
|
|
syntaxHighlighting.enable = true;
|
|
};
|
|
};
|
|
}
|