|
|
@ -49,176 +49,184 @@ in
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
|
|
# timing-related options
|
|
|
|
# timing-related options
|
|
|
|
# - ordered by chronological order
|
|
|
|
# - ordered by chronological order
|
|
|
|
|
|
|
|
|
|
|
|
system.autoUpgrade = {
|
|
|
|
system.autoUpgrade = {
|
|
|
|
rebootWindow.lower = "01:00";
|
|
|
|
rebootWindow.lower = "01:00";
|
|
|
|
dates = "01:00";
|
|
|
|
dates = "01:00";
|
|
|
|
randomizedDelaySec = "45min";
|
|
|
|
randomizedDelaySec = "45min";
|
|
|
|
rebootWindow.upper = "04:00";
|
|
|
|
rebootWindow.upper = "04:00";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
nix.gc = {
|
|
|
|
nix.gc = {
|
|
|
|
# could take longer
|
|
|
|
# could take longer
|
|
|
|
dates = "04:15";
|
|
|
|
dates = "04:15";
|
|
|
|
randomizedDelaySec = "30min";
|
|
|
|
randomizedDelaySec = "30min";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
nix.optimise = {
|
|
|
|
nix.optimise = {
|
|
|
|
# should not take long because of auto-optimise-store
|
|
|
|
# should not take long because of auto-optimise-store
|
|
|
|
dates = "05:30";
|
|
|
|
dates = "05:30";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# all other options
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
|
|
boot = {
|
|
|
|
# all other options
|
|
|
|
|
|
|
|
|
|
|
|
kernelParams = "console=ttyS0,115200";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
loader = {
|
|
|
|
boot = {
|
|
|
|
efi.canTouchEfiVariables = true;
|
|
|
|
|
|
|
|
grub.enable = false;
|
|
|
|
kernelParams = "console=ttyS0,115200";
|
|
|
|
systemd-boot = {
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
loader = {
|
|
|
|
configurationLimit = 16;
|
|
|
|
efi.canTouchEfiVariables = true;
|
|
|
|
editor = true; # access to VM console/KVM should be locked
|
|
|
|
grub.enable = false;
|
|
|
|
|
|
|
|
systemd-boot = {
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
configurationLimit = 16;
|
|
|
|
|
|
|
|
editor = true; # access to VM console/KVM should be locked
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
console.keyMap = "de";
|
|
|
|
|
|
|
|
|
|
|
|
console.keyMap = "de";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# for fast debugging of systems, keep small
|
|
|
|
|
|
|
|
environment.systemPackages = [
|
|
|
|
|
|
|
|
resize
|
|
|
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
|
# for fast debugging of systems, keep small
|
|
|
|
|
|
|
|
environment.systemPackages = [
|
|
|
|
|
|
|
|
resize
|
|
|
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
networking = {
|
|
|
|
|
|
|
|
|
|
|
|
networking = {
|
|
|
|
firewall = {
|
|
|
|
|
|
|
|
logRefusedConnections = false;
|
|
|
|
|
|
|
|
# TODO
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
useDHCP = true;
|
|
|
|
|
|
|
|
useNetworkd = lib.mkDefault false;
|
|
|
|
|
|
|
|
usePredictableInterfaceNames = true;
|
|
|
|
|
|
|
|
|
|
|
|
firewall = {
|
|
|
|
|
|
|
|
logRefusedConnections = false;
|
|
|
|
|
|
|
|
# TODO
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
useDHCP = true;
|
|
|
|
|
|
|
|
useNetworkd = lib.mkDefault false;
|
|
|
|
|
|
|
|
usePredictableInterfaceNames = true;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
nix = {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
gc = {
|
|
|
|
|
|
|
|
automatic = true;
|
|
|
|
|
|
|
|
options = "--delete-older-than 30d";
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
nix = {
|
|
|
|
optimise = {
|
|
|
|
|
|
|
|
automatic = true;
|
|
|
|
gc = {
|
|
|
|
};
|
|
|
|
automatic = true;
|
|
|
|
|
|
|
|
options = "--delete-older-than 30d";
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
optimise = {
|
|
|
|
settings = {
|
|
|
|
automatic = true;
|
|
|
|
max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
|
|
|
|
};
|
|
|
|
min-free = lib.mkDefault (512 * 1024 * 1024);
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
|
|
|
|
max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
|
|
|
|
|
|
|
|
min-free = lib.mkDefault (512 * 1024 * 1024);
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
security = {
|
|
|
|
|
|
|
|
|
|
|
|
security = {
|
|
|
|
apparmor.enable = true;
|
|
|
|
|
|
|
|
|
|
|
|
apparmor.enable = true;
|
|
|
|
lockKernelModules = true; # after boot loading not required on VMs
|
|
|
|
|
|
|
|
|
|
|
|
lockKernelModules = true; # after boot loading not required on VMs
|
|
|
|
sudo = {
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
execWheelOnly = lib.mkDefault true;
|
|
|
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
|
|
|
Defaults lecture = never
|
|
|
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
sudo = {
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
execWheelOnly = lib.mkDefault true;
|
|
|
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
|
|
|
Defaults lecture = never
|
|
|
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
services = {
|
|
|
|
|
|
|
|
|
|
|
|
services = {
|
|
|
|
qemuGuest.enable = true;
|
|
|
|
|
|
|
|
|
|
|
|
qemuGuest.enable = true;
|
|
|
|
openssh = {
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
authorizedKeysInHomedir = false;
|
|
|
|
|
|
|
|
authorizedKeysOnly = true;
|
|
|
|
|
|
|
|
openFirewall = true;
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
openssh = {
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
authorizedKeysInHomedir = false;
|
|
|
|
|
|
|
|
authorizedKeysOnly = true;
|
|
|
|
|
|
|
|
openFirewall = true;
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sound.enable = false;
|
|
|
|
|
|
|
|
|
|
|
|
sound.enable = false;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
system.autoUpgrade = {
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
allowReboot = true;
|
|
|
|
|
|
|
|
fixedRandomDelay = true;
|
|
|
|
|
|
|
|
flags = [
|
|
|
|
|
|
|
|
"--no-allow-dirty"
|
|
|
|
|
|
|
|
"--no-use-registries"
|
|
|
|
|
|
|
|
"--no-update-lock-file"
|
|
|
|
|
|
|
|
];
|
|
|
|
|
|
|
|
flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url===
|
|
|
|
|
|
|
|
operation = "boot"; # change only on reboots
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
system.autoUpgrade = {
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
allowReboot = true;
|
|
|
|
|
|
|
|
fixedRandomDelay = true;
|
|
|
|
|
|
|
|
flags = [
|
|
|
|
|
|
|
|
"--no-allow-dirty"
|
|
|
|
|
|
|
|
"--no-use-registries"
|
|
|
|
|
|
|
|
"--no-update-lock-file"
|
|
|
|
|
|
|
|
];
|
|
|
|
|
|
|
|
flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url===
|
|
|
|
|
|
|
|
operation = "boot"; # change only on reboots
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
|
|
|
|
|
|
|
|
|
|
|
|
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
time.hardwareClockInLocalTime = false; # just to make sure
|
|
|
|
|
|
|
|
|
|
|
|
time.hardwareClockInLocalTime = false; # just to make sure
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
x-banananetwork = {
|
|
|
|
|
|
|
|
|
|
|
|
x-banananetwork = {
|
|
|
|
allCommon.enable = true;
|
|
|
|
|
|
|
|
debugMinimal.enable = true;
|
|
|
|
|
|
|
|
# TODO think about
|
|
|
|
|
|
|
|
#privacy.enable = true;
|
|
|
|
|
|
|
|
|
|
|
|
allCommon.enable = true;
|
|
|
|
};
|
|
|
|
debugMinimal.enable = true;
|
|
|
|
|
|
|
|
# TODO think about
|
|
|
|
|
|
|
|
#privacy.enable = true;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
|
|
|
|
|
|
|
|
|
|
|
|
# TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# TODO wishlist items (in prio order):
|
|
|
|
|
|
|
|
# - ntfy.sh as mailer
|
|
|
|
|
|
|
|
# own script
|
|
|
|
|
|
|
|
# or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
|
|
|
|
|
|
|
|
# & connect to: journalwatch, smartd
|
|
|
|
|
|
|
|
# - add support for automatic boot assessment (will be added to 24.11)
|
|
|
|
|
|
|
|
# - programs.atop.enable = true
|
|
|
|
|
|
|
|
# - think about zramSwap
|
|
|
|
|
|
|
|
# - NixOS test: ssh-audit
|
|
|
|
|
|
|
|
# - networking.useNetworkd
|
|
|
|
|
|
|
|
# - networking.tcpcrypt
|
|
|
|
|
|
|
|
# environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
|
|
|
|
|
|
|
|
|
|
|
|
# TODO wishlist items (in prio order):
|
|
|
|
|
|
|
|
# - ntfy.sh as mailer
|
|
|
|
|
|
|
|
# own script
|
|
|
|
|
|
|
|
# or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
|
|
|
|
|
|
|
|
# & connect to: journalwatch, smartd
|
|
|
|
|
|
|
|
# - add support for automatic boot assessment (will be added to 24.11)
|
|
|
|
|
|
|
|
# - programs.atop.enable = true
|
|
|
|
|
|
|
|
# - think about zramSwap
|
|
|
|
|
|
|
|
# - NixOS test: ssh-audit
|
|
|
|
|
|
|
|
# - networking.useNetworkd
|
|
|
|
|
|
|
|
# - networking.tcpcrypt
|
|
|
|
|
|
|
|
# environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|