2023-01-17 10:27:18 +01:00
|
|
|
{ config, lib, pkgs, inputs, values, ... }:
|
2021-12-18 22:07:27 +01:00
|
|
|
|
|
|
|
{
|
|
|
|
imports = [
|
|
|
|
./users
|
2024-03-30 00:02:22 +01:00
|
|
|
./modules/snakeoil-certs.nix
|
2021-12-18 22:07:27 +01:00
|
|
|
];
|
|
|
|
|
2023-03-04 02:13:00 +01:00
|
|
|
networking.domain = "pvv.ntnu.no";
|
|
|
|
networking.useDHCP = false;
|
2023-03-03 22:28:26 +01:00
|
|
|
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
|
|
|
|
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
|
|
|
|
# networking.tempAddresses = lib.mkDefault "disabled";
|
|
|
|
# networking.defaultGateway = values.hosts.gateway;
|
2022-12-10 10:16:15 +01:00
|
|
|
|
2023-03-03 22:28:26 +01:00
|
|
|
systemd.network.enable = true;
|
2023-05-31 11:04:38 +02:00
|
|
|
|
2022-12-10 10:16:15 +01:00
|
|
|
services.resolved = {
|
2023-02-26 19:23:00 +01:00
|
|
|
enable = lib.mkDefault true;
|
2022-12-10 10:16:15 +01:00
|
|
|
dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
|
|
|
|
};
|
2021-12-18 22:07:27 +01:00
|
|
|
|
|
|
|
time.timeZone = "Europe/Oslo";
|
|
|
|
|
|
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
console = {
|
|
|
|
font = "Lat2-Terminus16";
|
|
|
|
keyMap = "no";
|
|
|
|
};
|
|
|
|
|
2022-12-09 02:55:18 +01:00
|
|
|
system.autoUpgrade = {
|
|
|
|
enable = true;
|
2022-12-09 03:21:18 +01:00
|
|
|
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
|
2022-12-09 02:55:18 +01:00
|
|
|
flags = [
|
|
|
|
"--update-input" "nixpkgs"
|
2023-11-05 01:22:36 +01:00
|
|
|
"--update-input" "nixpkgs-unstable"
|
2022-12-09 02:55:18 +01:00
|
|
|
"--no-write-lock-file"
|
|
|
|
];
|
|
|
|
};
|
2022-04-02 00:57:53 +02:00
|
|
|
nix.gc.automatic = true;
|
2022-12-09 06:38:15 +01:00
|
|
|
nix.gc.options = "--delete-older-than 2d";
|
2022-04-02 00:57:53 +02:00
|
|
|
|
2022-12-07 10:02:56 +01:00
|
|
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
|
|
|
|
2022-12-09 05:25:07 +01:00
|
|
|
/* This makes commandline tools like
|
|
|
|
** nix run nixpkgs#hello
|
|
|
|
** and nix-shell -p hello
|
|
|
|
** use the same channel the system
|
|
|
|
** was built with
|
|
|
|
*/
|
|
|
|
nix.registry = {
|
|
|
|
nixpkgs.flake = inputs.nixpkgs;
|
|
|
|
};
|
|
|
|
nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
|
|
|
|
|
2021-12-18 22:07:27 +01:00
|
|
|
environment.systemPackages = with pkgs; [
|
2022-09-08 17:49:33 +02:00
|
|
|
file
|
2021-12-18 22:07:27 +01:00
|
|
|
git
|
2023-01-28 20:26:21 +01:00
|
|
|
gnupg
|
2022-09-08 17:49:33 +02:00
|
|
|
htop
|
2021-12-18 22:07:27 +01:00
|
|
|
nano
|
2024-03-30 21:06:39 +01:00
|
|
|
ripgrep
|
2023-01-28 20:26:21 +01:00
|
|
|
rsync
|
|
|
|
screen
|
2021-12-18 22:07:27 +01:00
|
|
|
tmux
|
2022-09-08 17:49:33 +02:00
|
|
|
vim
|
|
|
|
wget
|
|
|
|
|
2021-12-18 22:07:27 +01:00
|
|
|
kitty.terminfo
|
2024-09-15 01:49:23 +02:00
|
|
|
foot.terminfo
|
2021-12-18 22:07:27 +01:00
|
|
|
];
|
|
|
|
|
2023-05-31 11:04:38 +02:00
|
|
|
programs.zsh.enable = true;
|
|
|
|
|
2022-04-02 01:52:13 +02:00
|
|
|
users.groups."drift".name = "drift";
|
|
|
|
|
2023-11-05 03:12:35 +01:00
|
|
|
# Trusted users on the nix builder machines
|
|
|
|
users.groups."nix-builder-users".name = "nix-builder-users";
|
|
|
|
|
2022-12-07 10:07:32 +01:00
|
|
|
services.openssh = {
|
|
|
|
enable = true;
|
|
|
|
extraConfig = ''
|
|
|
|
PubkeyAcceptedAlgorithms=+ssh-rsa
|
|
|
|
'';
|
2023-05-31 11:04:38 +02:00
|
|
|
settings.PermitRootLogin = "yes";
|
2022-12-07 10:07:32 +01:00
|
|
|
};
|
|
|
|
|
2024-03-30 00:02:22 +01:00
|
|
|
# nginx return 444 for all nonexistent virtualhosts
|
2021-12-18 22:07:27 +01:00
|
|
|
|
2024-03-30 00:02:22 +01:00
|
|
|
systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
|
|
|
|
|
2024-04-10 22:01:19 +02:00
|
|
|
environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
|
2024-03-30 00:02:22 +01:00
|
|
|
"/etc/certs/nginx" = {
|
|
|
|
owner = "nginx";
|
|
|
|
group = "nginx";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-04-10 22:38:30 +02:00
|
|
|
services.nginx = {
|
2024-04-10 22:01:19 +02:00
|
|
|
recommendedTlsSettings = true;
|
|
|
|
recommendedProxySettings = true;
|
|
|
|
recommendedOptimisation = true;
|
|
|
|
recommendedGzipSettings = true;
|
|
|
|
|
2024-04-11 20:41:02 +02:00
|
|
|
appendConfig = ''
|
2024-04-10 22:01:19 +02:00
|
|
|
pcre_jit on;
|
|
|
|
worker_processes auto;
|
|
|
|
worker_rlimit_nofile 100000;
|
|
|
|
'';
|
2024-04-11 20:41:02 +02:00
|
|
|
eventsConfig = ''
|
2024-04-10 22:01:19 +02:00
|
|
|
worker_connections 2048;
|
|
|
|
use epoll;
|
|
|
|
multi_accept on;
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2024-04-11 20:41:02 +02:00
|
|
|
systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
|
2024-04-11 10:28:36 +02:00
|
|
|
LimitNOFILE = 65536;
|
|
|
|
};
|
|
|
|
|
2024-04-10 22:38:30 +02:00
|
|
|
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
|
2024-03-30 00:02:22 +01:00
|
|
|
sslCertificate = "/etc/certs/nginx.crt";
|
|
|
|
sslCertificateKey = "/etc/certs/nginx.key";
|
|
|
|
addSSL = true;
|
|
|
|
extraConfig = "return 444;";
|
|
|
|
};
|
2024-04-10 22:38:30 +02:00
|
|
|
|
2024-04-10 22:01:19 +02:00
|
|
|
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
|
|
|
|
|
|
|
|
security.acme = {
|
|
|
|
acceptTerms = true;
|
|
|
|
defaults.email = "drift@pvv.ntnu.no";
|
2024-03-30 00:02:22 +01:00
|
|
|
};
|
2021-12-18 22:07:27 +01:00
|
|
|
}
|