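# applies to all of my machines
# examples: PCs, laptops, VMs, hypervisors, ...
#
# NixOS module. Everything below `config` is only applied when
# `x-banananetwork.allCommon.enable` is set; most values use `lib.mkDefault`
# so a per-host module can override them without `lib.mkForce`.
{
  config,
  lib,
  options,
  pkgs,
  ...
}:
let
  cfg = config.x-banananetwork.allCommon;
in
{

  options = {

    x-banananetwork.allCommon = {

      enable = lib.mkEnableOption ''
        settings common to all systems
        a set of opinionated options to make systems usable & debuggable for users.

        This means e.g. adding common, useful tools and add documentation.
      '';

    };

  };

  config = lib.mkIf cfg.enable {

    # Refuse to build a system that still carries the stock hostname: unnamed
    # machines are hard to tell apart in logs, prompts and known_hosts files.
    assertions = [
      (
        let
          defName = options.networking.hostName.default;
        in
        {
          assertion = config.networking.hostName != defName;
          message = "you must define a hostname (different from default: ${defName})";
        }
      )
    ];

    documentation = {
      man.mandoc.settings.output = {
        paper = lib.mkDefault "a4";
      };
    };

    i18n = {
      # inspired by https://wiki.archlinux.org/title/Locale
      defaultLocale = lib.mkDefault "en_US.UTF-8";
      extraLocaleSettings = {
        LANGUAGE = lib.mkDefault "en_US:en:C:de_DE";
        LC_COLLATE = lib.mkDefault "C.UTF-8"; # language independent sorting
        LC_MEASUREMENT = "de_DE.UTF-8"; # metric
        LC_PAPER = "de_DE.UTF-8"; # metric
        LC_TELEPHONE = "de_DE.UTF-8";
        LC_TIME = lib.mkDefault "en_DK.UTF-8"; # ISO 8601
      };
    };

    nix = {

      # channels are not used; inputs come from flakes (see experimental-features)
      channel.enable = false;

      # keep builds from starving interactive work
      daemonCPUSchedPolicy = "batch";
      daemonIOSchedClass = "best-effort";
      daemonIOSchedPriority = 7;

      settings = {
        # only root and administrators may talk to the daemon at all
        allowed-users = [
          "root"
          "@wheel"
        ];
        auto-optimise-store = true;
        experimental-features = [
          "flakes"
          "nix-command"
        ];
        hashed-mirrors = [ "https://tarballs.nixos.org/" ];
        # trusted users may override substituters and other security-relevant
        # daemon settings; intentionally narrower than allowed-users
        trusted-users = [ "root" ];
      };

    };
    systemd.services.nix-daemon.serviceConfig = {
      # under memory pressure, prefer killing the build daemon over other services
      OOMScoreAdjust = lib.mkDefault 250;
    };

    programs.ssh = {
      # Host key signature algorithms the client will accept. "ssh-rsa" is RSA
      # with SHA-1 signatures and is rejected by current OpenSSH defaults; the
      # SHA-2 variants still cover RSA host keys without re-enabling SHA-1.
      hostKeyAlgorithms = [
        "ssh-ed25519"
        "rsa-sha2-512"
        "rsa-sha2-256"
      ];
      # well-known public keys, pinned so the first connection to these hosts
      # does not depend on trust-on-first-use
      knownHosts = {
        "git.banananet.work".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE854AkY/LYJ8kMe1olR+OsAxKIgvZ/JK+G+e0mMVWdH";
        "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
        "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
        "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
      };
    };

    security = {

      pki = {
        # In general, these are not blacklisted because they are problematic;
        # it is more about reducing the trusted root set where possible,
        # and I (most probably) do not rely on services using these CAs.
        # Hosts that do need one of them can override with lib.mkForce.
        caCertificateBlacklist = lib.mkDefault [
          # Agence Nationale de Certification Electronique (TN)
          "TunTrust Root CA"
          # BEJING CERTIFICATE AUTHORITY (CN)
          "BJCA Global Root CA1"
          "BJCA Global Root CA2"
          # China Financial Certification Authority (CN)
          "CFCA EV ROOT"
          # Chunghwa Telecom Co., Ltd. (TW)
          "HiPKI Root CA - G1"
          "ePKI Root Certification Authority"
          # GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. (CN)
          "GDCA TrustAUTH R5 ROOT"
          # Hongkong Post (HK)
          "Hongkong Post Root CA 3"
          # iTrusChina Co.,Ltd. (CN)
          "vTrus ECC Root CA"
          "vTrus Root CA"
          # TAIWAN-CA (TW)
          "TWCA Root Certification Authority"
          "TWCA Global Root CA"
          # TrustAsia Technologies, Inc.
          "TrustAsia Global Root CA G3"
          "TrustAsia Global Root CA G4"
          # Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK (TR)
          "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
          # UniTrust (CA)
          "UCA Global G2 Root"
          "UCA Extended Validation Root"
        ];
      };

    };

    # print what a switch will change, so unexpected package/service changes
    # are visible before they take effect
    system.activationScripts.diff = {
      supportsDryActivation = true;
      text = ''
        if [[ -e /run/current-system ]]; then
          echo "--- diff to current-system"
          ${lib.getExe pkgs.nvd} --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
          echo "---"
        fi
      '';
    };

    # ensure activation scripts are fine
    # TODO upstream, probably replacing https://github.com/NixOS/nixpkgs/pull/149932
    # paths are quoted so the check does not depend on $out being space-free
    system.activatableSystemBuilderCommands = lib.mkAfter ''
      ${lib.getExe pkgs.shellcheck} --check-sourced --external-sources --norc --severity=warning "$out/activate" "$out/dry-activate"
    '';

    time = {
      hardwareClockInLocalTime = lib.mkDefault false;
      timeZone = lib.mkDefault "Etc/UTC";
    };

    x-banananetwork = {
      improvedDefaults.enable = true;
      secrix = {
        enable = true;
        hostKeyType = "ed25519";
      };
    };

  };

}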