pvv-nixos-config/base.nix

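# Base NixOS module (presumably shared by every host that imports it, given the
# file name). Hardening notes below are marked NOTE(review); everything else is
# a description of what the options visibly do.
{ config, lib, pkgs, inputs, values, ... }:
{
  imports = [
    ./users
    ./modules/snakeoil-certs.nix
  ];

  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;

  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;

  systemd.network.enable = true;

  services.resolved = {
    enable = lib.mkDefault true;
    # DNSSEC validation is disabled outright. Supposedly it keeps breaking, and
    # resolved's default ("allow-downgrade") silently falls back to unvalidated
    # answers anyway, so this mostly makes the lack of validation explicit.
    # NOTE(review): resolver answers are therefore unauthenticated; anything
    # that needs a trustworthy name must rely on TLS, not on DNS.
    dnssec = "false";
  };

  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "no";
  };

  # Unattended upgrades straight from the config repository over HTTPS.
  # NOTE(review): `--update-input` together with `--no-write-lock-file` means
  # each host resolves nixpkgs / nixpkgs-unstable on its own at upgrade time
  # instead of using the committed flake.lock, so hosts can drift from each
  # other and from what was last reviewed. The only integrity check on the
  # repository itself is the TLS connection to git.pvv.ntnu.no.
  system.autoUpgrade = {
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--update-input" "nixpkgs"
      "--update-input" "nixpkgs-unstable"
      "--no-write-lock-file"
    ];
  };

  # Aggressive garbage collection. Combined with the automatic upgrades above
  # this limits the rollback window to roughly two days of generations.
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 2d";

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  /* This makes commandline tools like
  ** nix run nixpkgs#hello
  ** and nix-shell -p hello
  ** use the same channel the system
  ** was built with
  */
  nix.registry = {
    nixpkgs.flake = inputs.nixpkgs;
  };
  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];

  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
    kitty.terminfo
  ];

  programs.zsh.enable = true;

  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";

  # Let's not thermal throttle. Only meaningful on bare-metal x86_64; skipped
  # for containers (and, via ConditionVirtualization below, for VMs).
  services.thermald.enable = lib.mkIf (lib.all (x: x) [
    (config.nixpkgs.system == "x86_64-linux")
    (!config.boot.isContainer or false)
  ]) true;

  # Sandboxing for thermald. The unit only needs sysfs access (for thermal
  # zones / cooling devices) and its D-Bus socket, hence the broad lockdown.
  systemd.services.thermald = lib.mkIf config.services.thermald.enable {
    documentation = [ "man:thermald(8)" "man:thermal-conf.xml(5)" ];
    unitConfig.ConditionVirtualization = "no";
    serviceConfig = {
      PrivateUsers = true;
      PrivateNetwork = true;
      # AmbientCapabilities = [ "" ];
      # CapabilityBoundingSet = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      # PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      # NOTE(review): thermald writes to sysfs (cooling-device states); if it
      # stops being able to, relax ProtectKernelTunables first.
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RemoveIPC = true;
      # Any file the service might create gets no permission bits at all.
      # NOTE(review): looks deliberate (thermald is not expected to create
      # files), but it is unusual — confirm it is not a typo for "0077".
      UMask = "0777";
      RestrictNamespaces = true;
      # RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SocketBindDeny = [ "any" ];
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
        "~@resources"
      ];
    };
  };

  services.openssh = {
    enable = true;
    # NOTE(review): `+ssh-rsa` re-enables RSA/SHA-1 public-key signatures for
    # legacy keys/clients. rsa-sha2-256/512 stay enabled without it, so this
    # line should go once the remaining ssh-rsa-only clients are gone.
    # The Match block turns password authentication off for wheel members
    # only; everybody else keeps the sshd default.
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
      Match Group wheel
      PasswordAuthentication no
      Match All
    '';

    # Root may log in with a key but never with a password. The previous
    # value "yes" allowed password logins for root: the Match block above
    # covers only the wheel group, and nothing in this file puts root in it.
    settings.PermitRootLogin = "prohibit-password";
  };

  # nginx gets a self-signed certificate from the snakeoil-certs module so the
  # catch-all vhost below can terminate TLS before any real certificate exists.
  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];

  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };

  services.nginx = {
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    appendConfig = ''
      pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = ''
      worker_connections 2048;
      use epoll;
      multi_accept on;
    '';
  };

  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
    LimitNOFILE = 65536;
  };

  # nginx returns 444 (drop connection) for all nonexistent virtual hosts,
  # on both plain HTTP and TLS (with the snakeoil certificate), so unknown
  # Host headers / SNI never fall through to a real site.
  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };

  # TODO: upstream
  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
  # Sandboxing for logrotate; the inline comments name the option to relax if a
  # site-specific rotation needs more than plain file rotation under /var/log.
  systemd.services.logrotate = {
    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
    unitConfig.RequiresMountsFor = "/var/log";
    serviceConfig = {
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      ReadWritePaths = [ "/var/log" ];
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true; # disable for third party rotate scripts
      PrivateDevices = true;
      PrivateNetwork = true; # disable for mail delivery
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true; # disable for userdir logs
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "full";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true; # disable for creating setgid directories
      SocketBindDeny = [ "any" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        # Left permissive: logrotate chowns rotated files and runs post-rotate
        # hooks, which the @privileged / @resources exclusions would break.
        # "~@privileged"
        # "~@resources"
      ];
    };
  };

  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
  };

  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode. The ACME
  # server is pointed at localhost and preliminary self-signed certs are used.
  # The weak root password applies to the build-vm variant only; it does not
  # reach real hosts.
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
    users.users.root.initialPassword = "root";
  };
}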