pvv-nixos-config/base.nix

{ config, lib, pkgs, inputs, values, ... }:

{
  imports = [
    ./users
    ./modules/snakeoil-certs.nix
  ];

  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;

  systemd.network.enable = true;

  services.resolved = {
    enable = lib.mkDefault true;
    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };

  time.timeZone = "Europe/Oslo";

  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "no";
  };

  system.autoUpgrade = {
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--update-input" "nixpkgs"
      "--update-input" "nixpkgs-unstable"
      "--no-write-lock-file"
    ];
  };
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 2d";

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  /* This makes commandline tools like
  ** nix run nixpkgs#hello
  ** and nix-shell -p hello
  ** use the same channel the system
  ** was built with
  */
  nix.registry = {
    nixpkgs.flake = inputs.nixpkgs;
  };
  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];

  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget

    kitty.terminfo
  ];

  programs.zsh.enable = true;

  users.groups."drift".name = "drift";

  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";

  services.openssh = {
    enable = true;
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
    '';
    settings.PermitRootLogin = "yes";
  };

  # nginx return 444 for all nonexistent virtualhosts

  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];

  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };

  services.nginx = {
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    appendConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) ''
      pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) ''
      worker_connections 2048;
      use epoll;
      multi_accept on;
    '';
  };

  systemd.services.nginx.serviceConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) {
    LimitNOFILE = 65536;
  };

  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };

  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
  };
}
Simplify networking configs Introduces values.nix, a place to store information relevant across systems 2023-01-17 10:27:18 +01:00			`{ config, lib, pkgs, inputs, values, ... }:`
Split common options into base 2021-12-18 22:07:27 +01:00
			`{`
			`imports = [`
			`./users`
base/nginx: 444 requests to nonexistent virtualhosts 2024-03-30 00:02:22 +01:00			`./modules/snakeoil-certs.nix`
Split common options into base 2021-12-18 22:07:27 +01:00			`];`

Disable dhcp and set domain again 2023-03-04 02:13:00 +01:00			`networking.domain = "pvv.ntnu.no";`
			`networking.useDHCP = false;`
switch to networkd 2023-03-03 22:28:26 +01:00			`# networking.search = [ "pvv.ntnu.no" "pvv.org" ];`
			`# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];`
			`# networking.tempAddresses = lib.mkDefault "disabled";`
			`# networking.defaultGateway = values.hosts.gateway;`
switch to systemd-resolved and add domains to search for fqdns from hostnames 2022-12-10 10:16:15 +01:00
switch to networkd 2023-03-03 22:28:26 +01:00			`systemd.network.enable = true;`
Upgrade to nixpkgs 23.05 2023-05-31 11:04:38 +02:00
switch to systemd-resolved and add domains to search for fqdns from hostnames 2022-12-10 10:16:15 +01:00			`services.resolved = {`
jokum: move to systemd-nspawn container on bicep 2023-02-26 19:23:00 +01:00			`enable = lib.mkDefault true;`
switch to systemd-resolved and add domains to search for fqdns from hostnames 2022-12-10 10:16:15 +01:00			`dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...`
			`};`
Split common options into base 2021-12-18 22:07:27 +01:00
			`time.timeZone = "Europe/Oslo";`

			`i18n.defaultLocale = "en_US.UTF-8";`
			`console = {`
			`font = "Lat2-Terminus16";`
			`keyMap = "no";`
			`};`

base: fix autoUpgrade autoupgrade now pulls from the remote git repo but overrides the nixpkgs input with a newer version 2022-12-09 02:55:18 +01:00			`system.autoUpgrade = {`
			`enable = true;`
base: autoUpgrade - simplify flake url, add unstable to upgraded inputs 2022-12-09 03:21:18 +01:00			`flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";`
base: fix autoUpgrade autoupgrade now pulls from the remote git repo but overrides the nixpkgs input with a newer version 2022-12-09 02:55:18 +01:00			`flags = [`
			`"--update-input" "nixpkgs"`
rename input: unstable -> nixpkgs-unstable 2023-11-05 01:22:36 +01:00			`"--update-input" "nixpkgs-unstable"`
base: fix autoUpgrade autoupgrade now pulls from the remote git repo but overrides the nixpkgs input with a newer version 2022-12-09 02:55:18 +01:00			`"--no-write-lock-file"`
			`];`
			`};`
base: auto-upgrade 2022-04-02 00:57:53 +02:00			`nix.gc.automatic = true;`
base: nix-gc delete generations older than 2d 2022-12-09 06:38:15 +01:00			`nix.gc.options = "--delete-older-than 2d";`
base: auto-upgrade 2022-04-02 00:57:53 +02:00
Enable flakes 2022-12-07 10:02:56 +01:00			`nix.settings.experimental-features = [ "nix-command" "flakes" ];`

lock nix-path and local flake registry to sytem nixpkgs 2022-12-09 05:25:07 +01:00			`/* This makes commandline tools like`
			`** nix run nixpkgs#hello`
			`** and nix-shell -p hello`
			`** use the same channel the system`
			`** was built with`
			`*/`
			`nix.registry = {`
			`nixpkgs.flake = inputs.nixpkgs;`
			`};`
			`nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];`

Split common options into base 2021-12-18 22:07:27 +01:00			`environment.systemPackages = with pkgs; [`
Add and sort system packages 2022-09-08 17:49:33 +02:00			`file`
Split common options into base 2021-12-18 22:07:27 +01:00			`git`
Add globally installed packages 2023-01-28 20:26:21 +01:00			`gnupg`
Add and sort system packages 2022-09-08 17:49:33 +02:00			`htop`
Split common options into base 2021-12-18 22:07:27 +01:00			`nano`
base: add ripgrep 2024-03-30 21:06:39 +01:00			`ripgrep`
Add globally installed packages 2023-01-28 20:26:21 +01:00			`rsync`
			`screen`
Split common options into base 2021-12-18 22:07:27 +01:00			`tmux`
Add and sort system packages 2022-09-08 17:49:33 +02:00			`vim`
			`wget`

Split common options into base 2021-12-18 22:07:27 +01:00			`kitty.terminfo`
			`];`

Upgrade to nixpkgs 23.05 2023-05-31 11:04:38 +02:00			`programs.zsh.enable = true;`

Add danio to drift 2022-04-02 01:52:13 +02:00			`users.groups."drift".name = "drift";`

bob: init Cool beeg nix builder for now anyways 2023-11-05 03:12:35 +01:00			`# Trusted users on the nix builder machines`
			`users.groups."nix-builder-users".name = "nix-builder-users";`

Enable rsa-ssh and root login over ssh for backup 2022-12-07 10:07:32 +01:00			`services.openssh = {`
			`enable = true;`
			`extraConfig = ''`
			`PubkeyAcceptedAlgorithms=+ssh-rsa`
			`'';`
Upgrade to nixpkgs 23.05 2023-05-31 11:04:38 +02:00			`settings.PermitRootLogin = "yes";`
Enable rsa-ssh and root login over ssh for backup 2022-12-07 10:07:32 +01:00			`};`

base/nginx: 444 requests to nonexistent virtualhosts 2024-03-30 00:02:22 +01:00			`# nginx return 444 for all nonexistent virtualhosts`
Split common options into base 2021-12-18 22:07:27 +01:00
base/nginx: 444 requests to nonexistent virtualhosts 2024-03-30 00:02:22 +01:00			`systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];`

treewide: nginx optimizations 2024-04-10 22:01:19 +02:00			`environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {`
base/nginx: 444 requests to nonexistent virtualhosts 2024-03-30 00:02:22 +01:00			`"/etc/certs/nginx" = {`
			`owner = "nginx";`
			`group = "nginx";`
			`};`
			`};`

Merge pull request 'treewide: nginx optimizations' (!29) from treewide-nginx-optimizations into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/29 2024-04-10 22:38:30 +02:00			`services.nginx = {`
treewide: nginx optimizations 2024-04-10 22:01:19 +02:00			`recommendedTlsSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedOptimisation = true;`
			`recommendedGzipSettings = true;`

base.nix: hotfix for nginx on bicep the matrix-synapse-next module seems to already add some of the nginx options we set in base.nix, making it fail. These should only be set if they're not already set by this module 2024-04-11 10:28:36 +02:00			`appendConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) ''`
treewide: nginx optimizations 2024-04-10 22:01:19 +02:00			`pcre_jit on;`
			`worker_processes auto;`
			`worker_rlimit_nofile 100000;`
			`'';`
base.nix: hotfix for nginx on bicep the matrix-synapse-next module seems to already add some of the nginx options we set in base.nix, making it fail. These should only be set if they're not already set by this module 2024-04-11 10:28:36 +02:00			`eventsConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) ''`
treewide: nginx optimizations 2024-04-10 22:01:19 +02:00			`worker_connections 2048;`
			`use epoll;`
			`multi_accept on;`
			`'';`
			`};`

base.nix: hotfix for nginx on bicep the matrix-synapse-next module seems to already add some of the nginx options we set in base.nix, making it fail. These should only be set if they're not already set by this module 2024-04-11 10:28:36 +02:00			`systemd.services.nginx.serviceConfig = lib.mkIf (!config.services.matrix-synapse-next.enable or false) {`
			`LimitNOFILE = 65536;`
			`};`

Merge pull request 'treewide: nginx optimizations' (!29) from treewide-nginx-optimizations into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/29 2024-04-10 22:38:30 +02:00			`services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {`
base/nginx: 444 requests to nonexistent virtualhosts 2024-03-30 00:02:22 +01:00			`sslCertificate = "/etc/certs/nginx.crt";`
			`sslCertificateKey = "/etc/certs/nginx.key";`
			`addSSL = true;`
			`extraConfig = "return 444;";`
			`};`
Merge pull request 'treewide: nginx optimizations' (!29) from treewide-nginx-optimizations into main Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/29 2024-04-10 22:38:30 +02:00
treewide: nginx optimizations 2024-04-10 22:01:19 +02:00			`networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];`

			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "drift@pvv.ntnu.no";`
base/nginx: 444 requests to nonexistent virtualhosts 2024-03-30 00:02:22 +01:00			`};`
Split common options into base 2021-12-18 22:07:27 +01:00			`}`