nixos-modules/vmCommon: separate timed from non-timed config via mkMerge

Otherwise Nix fails to evaluate the module: the timed and non-timed settings define the same attribute names (e.g. `system.autoUpgrade`, `nix.gc`) in one attribute set, which is a name clash; merging two sets with `lib.mkMerge` avoids it.
secrix-issue25
Felix Stupp 3 months ago
parent 3fc09eb8b9
commit 536a0780b5
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -49,176 +49,184 @@ in
};
config = lib.mkIf cfg.enable {
config = lib.mkIf cfg.enable (lib.mkMerge [
{
# timing-related options
# - ordered by chronological order
# timing-related options
# - ordered by chronological order
system.autoUpgrade = {
rebootWindow.lower = "01:00";
dates = "01:00";
randomizedDelaySec = "45min";
rebootWindow.upper = "04:00";
};
system.autoUpgrade = {
rebootWindow.lower = "01:00";
dates = "01:00";
randomizedDelaySec = "45min";
rebootWindow.upper = "04:00";
};
nix.gc = {
# could take longer
dates = "04:15";
randomizedDelaySec = "30min";
};
nix.gc = {
# could take longer
dates = "04:15";
randomizedDelaySec = "30min";
};
nix.optimise = {
# should not take long because of auto-optimise-store
dates = "05:30";
};
nix.optimise = {
# should not take long because of auto-optimise-store
dates = "05:30";
};
}
# all other options
{
boot = {
# all other options
kernelParams = "console=ttyS0,115200";
loader = {
efi.canTouchEfiVariables = true;
grub.enable = false;
systemd-boot = {
enable = true;
configurationLimit = 16;
editor = true; # access to VM console/KVM should be locked
boot = {
kernelParams = "console=ttyS0,115200";
loader = {
efi.canTouchEfiVariables = true;
grub.enable = false;
systemd-boot = {
enable = true;
configurationLimit = 16;
editor = true; # access to VM console/KVM should be locked
};
};
};
};
console.keyMap = "de";
console.keyMap = "de";
# for fast debugging of systems, keep small
environment.systemPackages = [
resize
];
# for fast debugging of systems, keep small
environment.systemPackages = [
resize
];
networking = {
networking = {
firewall = {
logRefusedConnections = false;
# TODO
};
useDHCP = true;
useNetworkd = lib.mkDefault false;
usePredictableInterfaceNames = true;
firewall = {
logRefusedConnections = false;
# TODO
};
useDHCP = true;
useNetworkd = lib.mkDefault false;
usePredictableInterfaceNames = true;
};
nix = {
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
nix = {
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise = {
automatic = true;
};
optimise = {
automatic = true;
};
settings = {
max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
min-free = lib.mkDefault (512 * 1024 * 1024);
};
settings = {
max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
min-free = lib.mkDefault (512 * 1024 * 1024);
};
};
security = {
security = {
apparmor.enable = true;
apparmor.enable = true;
lockKernelModules = true; # after boot loading not required on VMs
lockKernelModules = true; # after boot loading not required on VMs
sudo = {
enable = true;
execWheelOnly = lib.mkDefault true;
extraConfig = ''
Defaults lecture = never
'';
};
sudo = {
enable = true;
execWheelOnly = lib.mkDefault true;
extraConfig = ''
Defaults lecture = never
'';
};
};
services = {
services = {
qemuGuest.enable = true;
qemuGuest.enable = true;
openssh = {
enable = true;
authorizedKeysInHomedir = false;
authorizedKeysOnly = true;
openFirewall = true;
};
openssh = {
enable = true;
authorizedKeysInHomedir = false;
authorizedKeysOnly = true;
openFirewall = true;
};
};
sound.enable = false;
sound.enable = false;
system.autoUpgrade = {
enable = true;
allowReboot = true;
fixedRandomDelay = true;
flags = [
"--no-allow-dirty"
"--no-use-registries"
"--no-update-lock-file"
];
flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url===
operation = "boot"; # change only on reboots
};
system.autoUpgrade = {
enable = true;
allowReboot = true;
fixedRandomDelay = true;
flags = [
"--no-allow-dirty"
"--no-use-registries"
"--no-update-lock-file"
];
flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url===
operation = "boot"; # change only on reboots
};
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
time.hardwareClockInLocalTime = false; # just to make sure
time.hardwareClockInLocalTime = false; # just to make sure
x-banananetwork = {
x-banananetwork = {
allCommon.enable = true;
debugMinimal.enable = true;
# TODO think about
#privacy.enable = true;
allCommon.enable = true;
debugMinimal.enable = true;
# TODO think about
#privacy.enable = true;
};
};
# TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
# TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
# TODO wishlist items (in prio order):
# - ntfy.sh as mailer
# own script
# or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
# & connect to: journalwatch, smartd
# - add support for automatic boot assessment (will be added to 24.11)
# - programs.atop.enable = true
# - think about zramSwap
# - NixOS test: ssh-audit
# - networking.useNetworkd
# - networking.tcpcrypt
# environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
# TODO wishlist items (in prio order):
# - ntfy.sh as mailer
# own script
# or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
# & connect to: journalwatch, smartd
# - add support for automatic boot assessment (will be added to 24.11)
# - programs.atop.enable = true
# - think about zramSwap
# - NixOS test: ssh-audit
# - networking.useNetworkd
# - networking.tcpcrypt
# environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
}
};
]);
}
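Review bot: `editor = true;` in the new-side `boot.loader.systemd-boot` block leaves the boot-time kernel command-line editor enabled, which lets anyone who reaches the VM console boot with `init=/bin/sh` and obtain an unauthenticated root shell; the inline comment only states that console/KVM access "should be locked" but nothing in this module enforces that. Since no setting here depends on interactive editing, I would make the safe value the default and let a host opt in for debugging: `editor = lib.mkDefault false; # cmdline editing at boot bypasses auth (init=/bin/sh); enable per host only if console access is trusted`. Separately, `kernelParams = "console=ttyS0,115200";` assigns a plain string, whereas `boot.kernelParams` is, as far as I know, a list of strings, so it should read `kernelParams = [ "console=ttyS0,115200" ];` unless this branch has already been confirmed to evaluate. The `config` attribute begins inside this hunk but the module's `options` and the surrounding `let … in` are outside it, so the referenced `cfg` cannot be checked here.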
