diff --git a/nix/nixos-modules/vmCommon.nix b/nix/nixos-modules/vmCommon.nix
index 0810927..0733037 100644
--- a/nix/nixos-modules/vmCommon.nix
+++ b/nix/nixos-modules/vmCommon.nix
@@ -49,176 +49,184 @@ in
 };
- config = lib.mkIf cfg.enable {
+ config = lib.mkIf cfg.enable (lib.mkMerge [
+ {
- # timing-related options
- # - ordered by chronological order
+ # timing-related options
+ # - ordered by chronological order
- system.autoUpgrade = {
- rebootWindow.lower = "01:00";
- dates = "01:00";
- randomizedDelaySec = "45min";
- rebootWindow.upper = "04:00";
- };
+ system.autoUpgrade = {
+ rebootWindow.lower = "01:00";
+ dates = "01:00";
+ randomizedDelaySec = "45min";
+ rebootWindow.upper = "04:00";
+ };
- nix.gc = {
- # could take longer
- dates = "04:15";
- randomizedDelaySec = "30min";
- };
+ nix.gc = {
+ # could take longer
+ dates = "04:15";
+ randomizedDelaySec = "30min";
+ };
- nix.optimise = {
- # should not take long because of auto-optimise-store
- dates = "05:30";
- };
+ nix.optimise = {
+ # should not take long because of auto-optimise-store
+ dates = "05:30";
+ };
+ }
- # all other options
+ {
- boot = {
+ # all other options
- kernelParams = "console=ttyS0,115200";
- loader = {
- efi.canTouchEfiVariables = true;
- grub.enable = false;
- systemd-boot = {
- enable = true;
- configurationLimit = 16;
- editor = true; # access to VM console/KVM should be locked
+ boot = {
+
+ kernelParams = "console=ttyS0,115200";
+
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub.enable = false;
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 16;
+ editor = true; # access to VM console/KVM should be locked
+ };
 };
+ };
- };
+ console.keyMap = "de";
- console.keyMap = "de";
+ # for fast debugging of systems, keep small
+ environment.systemPackages = [
+ resize
+ ];
- # for fast debugging of systems, keep small
- environment.systemPackages = [
- resize
- ];
+ networking = {
- networking = {
+ firewall = {
+ logRefusedConnections = false;
+ # TODO
+ };
+
+ useDHCP = true;
+ useNetworkd = lib.mkDefault false;
+ usePredictableInterfaceNames = true;
- firewall = {
- logRefusedConnections = false;
- # TODO
 };
- useDHCP = true;
- useNetworkd = lib.mkDefault false;
- usePredictableInterfaceNames = true;
- };
+ nix = {
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 30d";
+ };
- nix = {
-
- gc = {
- automatic = true;
- options = "--delete-older-than 30d";
- };
+ optimise = {
+ automatic = true;
+ };
- optimise = {
- automatic = true;
- };
+ settings = {
+ max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
+ min-free = lib.mkDefault (512 * 1024 * 1024);
+ };
- settings = {
- max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
- min-free = lib.mkDefault (512 * 1024 * 1024);
 };
- };
+ security = {
- security = {
+ apparmor.enable = true;
- apparmor.enable = true;
+ lockKernelModules = true; # after boot loading not required on VMs
- lockKernelModules = true; # after boot loading not required on VMs
+ sudo = {
+ enable = true;
+ execWheelOnly = lib.mkDefault true;
+ extraConfig = ''
+ Defaults lecture = never
+ '';
+ };
- sudo = {
- enable = true;
- execWheelOnly = lib.mkDefault true;
- extraConfig = ''
- Defaults lecture = never
- '';
 };
- };
+ services = {
- services = {
+ qemuGuest.enable = true;
- qemuGuest.enable = true;
+ openssh = {
+ enable = true;
+ authorizedKeysInHomedir = false;
+ authorizedKeysOnly = true;
+ openFirewall = true;
+ };
- openssh = {
- enable = true;
- authorizedKeysInHomedir = false;
- authorizedKeysOnly = true;
- openFirewall = true;
 };
- };
+ sound.enable = false;
- sound.enable = false;
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ fixedRandomDelay = true;
+ flags = [
+ "--no-allow-dirty"
+ "--no-use-registries"
+ "--no-update-lock-file"
+ ];
+ flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url===
+ operation = "boot"; # change only on reboots
+ };
- system.autoUpgrade = {
- enable = true;
- allowReboot = true;
- fixedRandomDelay = true;
- flags = [
- "--no-allow-dirty"
- "--no-use-registries"
- "--no-update-lock-file"
- ];
- flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url===
- operation = "boot"; # change only on reboots
- };
+ systemd.services."serial-getty@".environment.TERM = "xterm-256color";
- systemd.services."serial-getty@".environment.TERM = "xterm-256color";
+ time.hardwareClockInLocalTime = false; # just to make sure
- time.hardwareClockInLocalTime = false; # just to make sure
+ x-banananetwork = {
- x-banananetwork = {
+ allCommon.enable = true;
+ debugMinimal.enable = true;
+ # TODO think about
+ #privacy.enable = true;
- allCommon.enable = true;
- debugMinimal.enable = true;
- # TODO think about
- #privacy.enable = true;
+ };
- };
+ # TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
- # TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
+ # TODO wishlist items (in prio order):
+ # - ntfy.sh as mailer
+ # own script
+ # or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
+ # & connect to: journalwatch, smartd
+ # - add support for automatic boot assessment (will be added to 24.11)
+ # - programs.atop.enable = true
+ # - think about zramSwap
+ # - NixOS test: ssh-audit
+ # - networking.useNetworkd
+ # - networking.tcpcrypt
+ # environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
- # TODO wishlist items (in prio order):
- # - ntfy.sh as mailer
- # own script
- # or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
- # & connect to: journalwatch, smartd
- # - add support for automatic boot assessment (will be added to 24.11)
- # - programs.atop.enable = true
- # - think about zramSwap
- # - NixOS test: ssh-audit
- # - networking.useNetworkd
- # - networking.tcpcrypt
- # environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
+ }
- };
+
+ ]);
 }
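Review bot: The new side keeps `boot.loader.systemd-boot.editor = true;` in the second mkMerge set, which leaves the boot-time command-line editor on for every VM that imports this common module; the NixOS option description itself flags an enabled editor as a security risk, since the kernel command line can then be changed by whoever reaches the console, and the inline comment only records the hope that console/KVM access is locked rather than enforcing anything. Since this is a shared default rather than a host decision, I would flip it to `editor = lib.mkDefault false; # boot-time cmdline editing; opt in per host only where console access is restricted` so individual hosts that need the editor can still enable it. The `firewall = { logRefusedConnections = false; # TODO };` block is also carried over with its TODO unresolved, so the intended firewall policy for these VMs is still undocumented. The enclosing module attribute set opens before this hunk.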