# NixOS module: common packages, shells, Nix daemon settings (binary caches
# and their signing keys), node-exporter metrics, login limits, journald
# retention, resolver settings and the /srv/within service directories.
{ config, lib, pkgs, ... }:

{
  imports = [
    ./users
    ./microcode.nix
    ./no-rsa-ssh-hostkey.nix
  ];

  boot = {
    # /tmp is emptied on every boot.
    tmp.cleanOnBoot = true;

    kernelModules = [ "wireguard" ];

    # Registers binfmt handlers for these foreign targets.
    binfmt.emulatedSystems = [ "wasm32-wasi" "aarch64-linux" ];
  };

  environment.systemPackages = with pkgs; [
    age
    minisign
    # NOTE(review): tmate shares a terminal session through an external relay
    # by default; confirm it is wanted on every host importing this module.
    tmate
    jq
    nfs-utils
    git
    mosh
    wasmer
    wasmtime
    # NOTE(review): Node.js 16 reached upstream end-of-life in September 2023
    # and no longer receives security fixes; move to a maintained release
    # when the pinned nixpkgs provides one.
    nodejs-16_x
  ];

  programs = {
    nix-ld.enable = true;
    zsh.enable = true;

    fish = {
      enable = true;
      useBabelfish = true;

      # The login hook below evals every line of /etc/set-environment that
      # matches NIX_LD, so it is only as trustworthy as that file.
      # NOTE(review): confirm the file is root-owned and not writable by
      # other users on these hosts.
      loginShellInit = ''
        ## XXX(Xe): unfuck nix-ld
        eval (cat /etc/set-environment | grep NIX_LD)
      '';
    };
  };

  nix = {
    package = pkgs.nixVersions.stable;

    extraOptions = ''
      experimental-features = nix-command flakes
    '';

    settings = {
      auto-optimise-store = true;

      # Builds run inside the Nix build sandbox.
      sandbox = true;

      # Members of trusted-users may pass their own substituters and other
      # restricted settings to the daemon, which the Nix manual describes as
      # essentially equivalent to root access. Keep this list minimal.
      trusted-users = [ "root" "cadey" ];

      # Each cache below has a matching entry in trusted-public-keys.
      # NOTE(review): "?trusted=1" on the flox URL is a per-store parameter;
      # it presumably lets paths from that cache be used without a valid
      # signature. Confirm it is still required now that the flox key is
      # listed, and drop it if signature checking alone suffices.
      substituters = [
        "https://xe.cachix.org"
        "https://nix-community.cachix.org"
        "https://cuda-maintainers.cachix.org"
        "https://cache.floxdev.com?trusted=1"
        "https://cache.garnix.io"
      ];

      # Paths signed by any of these keys are accepted as substitutes, so
      # every key holder can supply binaries that get installed here.
      trusted-public-keys = [
        "xe.cachix.org-1:kT/2G09KzMvQf64WrPBDcNWTKsA79h7+y2Fn2N7Xk2Y="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
        "flox-store-public-0:8c/B+kjIaQ+BloCmNkRUKwaVPFWkriSAd0JJvuDu4F0="
        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
      ];
    };
  };

  security = {
    polkit.enable = true;

    # Soft open-file limit lifted for every PAM domain ("*").
    pam.loginLimits = [
      {
        domain = "*";
        type = "soft";
        item = "nofile";
        value = "unlimited";
      }
    ];
  };

  services = {
    # NOTE(review): who can reach the exporter depends on firewall and
    # listen-address settings that are not part of this file.
    prometheus.exporters.node = {
      enable = true;
      enabledCollectors = [ "systemd" ];
    };

    # Caps journal disk usage and rotates journal files weekly.
    journald.extraConfig = ''
      SystemMaxUse=100M
      MaxFileSec=7day
    '';

    # NOTE(review): DNSSEC validation is switched off, so systemd-resolved
    # does not verify signatures on the answers it returns. Confirm this is
    # a deliberate compatibility choice.
    resolved = {
      enable = true;
      dnssec = "false";
    };
  };

  users.groups.within = { };

  systemd.services = {
    # Gives nginx membership of the "within" group, and with it access to the
    # group-owned directories created by the unit below.
    nginx.serviceConfig.SupplementaryGroups = "within";

    # No User= is set here, so the script runs with the system-service
    # default identity.
    "within.homedir-setup" = {
      description = "Creates homedirs for /srv/within services";
      wantedBy = [ "multi-user.target" ];
      serviceConfig.Type = "oneshot";

      # /srv/within: root:within, mode 775 (group-writable, readable and
      # traversable by everyone). /srv/within/run: root:within, mode 770
      # (no access outside root and the group).
      script = ''
        ${pkgs.coreutils}/bin/mkdir -p /srv/within
        ${pkgs.coreutils}/bin/chown root:within /srv/within
        ${pkgs.coreutils}/bin/chmod 775 /srv/within
        ${pkgs.coreutils}/bin/mkdir -p /srv/within/run
        ${pkgs.coreutils}/bin/chown root:within /srv/within/run
        ${pkgs.coreutils}/bin/chmod 770 /srv/within/run
      '';
    };
  };

  # mkDefault lets an individual host override the state version.
  system.stateVersion = lib.mkDefault "21.05";
}