srvos
This commit is contained in:
parent
6ba7267844
commit
a58a31b91a
11 changed files with 98 additions and 66 deletions
|
@ -137,3 +137,6 @@ nix repl
|
|||
:p inputs.nixpkgs.outputs.legacyPackages.${builtins.currentSystem}.openssh.version
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
- https://github.com/nix-community/srvos/tree/29a48ae201fbd69b6b71acdae5e19fa2ceaa8181
|
||||
|
|
|
@ -4,12 +4,15 @@
|
|||
./docker.nix
|
||||
./fish.nix
|
||||
./git.nix
|
||||
./hardware.nix
|
||||
./home-manager.nix
|
||||
./impermanence.nix
|
||||
./locale.nix
|
||||
./network.nix
|
||||
./nix.nix
|
||||
./packages.nix
|
||||
./ripgrep.nix
|
||||
./ssh.nix
|
||||
./system.nix
|
||||
./users.nix
|
||||
./vim
|
||||
];
|
||||
|
|
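Review bot: The new `modules/base/sudo.nix` is not in this import list even though its alphabetical neighbours `./ssh.nix` and `./system.nix` are both visible and adjacent in the hunk, so unless it is imported from outside this file its `execWheelOnly` and `Defaults lecture = never` settings never take effect. That matters for the impermanence hunk further down, which appears to stop persisting `/var/db/sudo/lectured` on the assumption that lectures are disabled, and it would also hide any evaluation error inside the new file. Add `./sudo.nix` between `./ssh.nix` and `./system.nix`. The list begins before this hunk, so its first entries are not visible here.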
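--- a/modules/base/hardware.nix
+++ b/modules/base/hardware.nix
@@ -0,0 +1,4 @@
+{ ... }: {
+  # Enable all firmware with a license allowing redistribution
+  hardware.enableRedistributableFirmware = true;
+}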
@ -29,9 +29,7 @@
|
|||
directories = [
|
||||
# See comment above for /tmp
|
||||
{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
|
||||
# With great power comes great responsibility, we get it
|
||||
{ directory = "/var/db/sudo/lectured"; user = "root"; group = "root"; mode = "0700"; }
|
||||
# Save the last run time of persistent timers so systemd knows if they was missed
|
||||
# Save the last run time of persistent timers so systemd knows if they were missed
|
||||
{ directory = "/var/lib/systemd/timers"; user = "root"; group = "root"; mode = "0755"; }
|
||||
{ directory = "/var/log"; user = "root"; group = "root"; mode = "0755"; }
|
||||
];
|
||||
|
@ -40,7 +38,7 @@
|
|||
];
|
||||
users.caspervk = {
|
||||
directories = [
|
||||
"/" # entire home directory (TODO)
|
||||
"/" # entire home directory (TODO?)
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
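--- a/modules/base/locale.nix
+++ b/modules/base/locale.nix
@@ -0,0 +1,23 @@
+{ lib, ... }: {
+  i18n = {
+    defaultLocale = "en_DK.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "en_DK.UTF-8";
+      LC_IDENTIFICATION = "en_DK.UTF-8";
+      LC_MEASUREMENT = "en_DK.UTF-8";
+      LC_MONETARY = "en_DK.UTF-8";
+      LC_NAME = "en_DK.UTF-8";
+      LC_NUMERIC = "en_DK.UTF-8";
+      LC_PAPER = "en_DK.UTF-8";
+      LC_TELEPHONE = "en_DK.UTF-8";
+      LC_TIME = "en_DK.UTF-8";
+    };
+    supportedLocales = lib.mkOptionDefault [
+      "da_DK.UTF-8/UTF-8"
+    ];
+  };
+
+  time = {
+    timeZone = "Europe/Copenhagen";
+  };
+}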
@ -7,6 +7,8 @@
|
|||
# Allow some ports for ad-hoc use
|
||||
allowedTCPPorts = [ 1234 1337 8000 8080 ];
|
||||
allowedUDPPorts = [ 1234 1337 8000 8080 ];
|
||||
# Do not spam dmesg/journalctl with refused connections
|
||||
logRefusedConnections = false;
|
||||
};
|
||||
nameservers = [ "127.0.0.53" ]; # resolved stub resolver
|
||||
search = [ "caspervk.net" ];
|
||||
|
|
|
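Review bot: `logRefusedConnections = false;` silences every firewall refusal in the journal, and with it the cheapest signal for noticing a port scan or a service that came up on a port the firewall does not allow; the `# Do not spam dmesg/journalctl` comment names the cost but not what is given up. If volume is the problem, filtering or rate-limiting on the journal side keeps the events available for later review, and if the trade-off is deliberate the comment should record it, e.g. `# Refused connections are not logged; accepts losing port-scan visibility on these hosts`. Judging by the +2 in the hunk header these two lines are the ones the hunk adds, though the rendered page does not mark them. The enclosing firewall block starts before the hunk.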
@ -1,4 +1,4 @@
|
|||
{ config, nix-index-database, nixpkgs-unstable, nixpkgs, lib, pkgs, ... }: {
|
||||
{ nix-index-database, nixpkgs-unstable, nixpkgs, ... }: {
|
||||
imports = [
|
||||
nix-index-database.nixosModules.nix-index
|
||||
];
|
||||
|
@ -13,13 +13,19 @@
|
|||
dates = "weekly";
|
||||
options = "--delete-older-than 7d";
|
||||
};
|
||||
|
||||
settings = {
|
||||
# Automatically optimise the store after each build. Store optimisation
|
||||
# reduces nix store space by 25-35% by finding identical files and
|
||||
# hard-linking them to each other.
|
||||
# https://nixos.org/manual/nix/unstable/command-ref/nix-store/optimise.html
|
||||
auto-optimise-store = true;
|
||||
|
||||
# Enable flakes
|
||||
experimental-features = [ "nix-command" "flakes" ];
|
||||
|
||||
# Timeout connections to the binary cache instead of waiting forever
|
||||
connect-timeout = 5;
|
||||
};
|
||||
|
||||
# The nix registry is used to refer to flakes using symbolic identifiers
|
||||
|
@ -35,66 +41,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Enable all firmware with a license allowing redistribution
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
bat
|
||||
black
|
||||
clang
|
||||
curl
|
||||
dig
|
||||
fd
|
||||
file
|
||||
fzf
|
||||
gcc
|
||||
git
|
||||
gnumake
|
||||
htop
|
||||
inetutils
|
||||
jq
|
||||
magic-wormhole
|
||||
ntp
|
||||
progress
|
||||
pwgen
|
||||
python310
|
||||
python311
|
||||
python312
|
||||
rsync
|
||||
sqlite
|
||||
tmux
|
||||
traceroute
|
||||
tree
|
||||
unzip
|
||||
wget
|
||||
wireguard-tools
|
||||
xkcdpass
|
||||
yq
|
||||
];
|
||||
|
||||
# https://github.com/nix-community/comma
|
||||
programs.nix-index-database.comma.enable = true;
|
||||
programs.command-not-found.enable = false;
|
||||
|
||||
i18n = {
|
||||
defaultLocale = "en_DK.UTF-8";
|
||||
extraLocaleSettings = {
|
||||
LC_ADDRESS = "en_DK.UTF-8";
|
||||
LC_IDENTIFICATION = "en_DK.UTF-8";
|
||||
LC_MEASUREMENT = "en_DK.UTF-8";
|
||||
LC_MONETARY = "en_DK.UTF-8";
|
||||
LC_NAME = "en_DK.UTF-8";
|
||||
LC_NUMERIC = "en_DK.UTF-8";
|
||||
LC_PAPER = "en_DK.UTF-8";
|
||||
LC_TELEPHONE = "en_DK.UTF-8";
|
||||
LC_TIME = "en_DK.UTF-8";
|
||||
};
|
||||
supportedLocales = lib.mkOptionDefault [
|
||||
"da_DK.UTF-8/UTF-8"
|
||||
];
|
||||
};
|
||||
|
||||
time = {
|
||||
timeZone = "Europe/Copenhagen";
|
||||
};
|
||||
}
|
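--- a/modules/base/packages.nix
+++ b/modules/base/packages.nix
@@ -0,0 +1,35 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    bat
+    black
+    clang
+    curl
+    dig
+    fd
+    file
+    fzf
+    gcc
+    git
+    gnumake
+    htop
+    inetutils
+    jq
+    magic-wormhole
+    ntp
+    progress
+    pwgen
+    python310
+    python311
+    python312
+    rsync
+    sqlite
+    tmux
+    traceroute
+    tree
+    unzip
+    wget
+    wireguard-tools
+    xkcdpass
+    yq
+  ];
+}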
@ -2,7 +2,9 @@
|
|||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
KbdInteractiveAuthentication = false;
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "no";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
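Review bot: The three `settings` entries leave public-key authentication as the only way in, and `PermitRootLogin = "no"` goes beyond the NixOS default of `prohibit-password` by refusing root even with a key; neither consequence is stated anywhere in the file. A one-line comment above `settings = {`, e.g. `# Key-based login only; root cannot log in at all, not even with a key`, would make the intent clear to the next person editing this and flag that every user must have authorizedKeys before a rebuild. Which two of these lines the hunk adds is not recoverable from the rendered page.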
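--- a/modules/base/sudo.nix
+++ b/modules/base/sudo.nix
@@ -0,0 +1,15 @@
+{ ... }: {
+  security.sudo = {
+    # Only allow members of the wheel group to execute sudo by setting the
+    # executable’s permissions accordingly. This prevents users that are not
+    # members of wheel from exploiting vulnerabilities in sudo such as
+    # CVE-2021-3156.
+    security.sudo.execWheelOnly = true;
+
+    # With great power comes great responsibility, we get it.. Also means we
+    # don't have state in /var/db/sudo/lectured.
+    security.sudo.extraConfig = ''
+      Defaults lecture = never
+    '';
+  };
+}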
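Review bot: `security.sudo.execWheelOnly = true;` and `security.sudo.extraConfig = ''` are written inside `security.sudo = { ... };`, so the module system reads them as `security.sudo.security.sudo.*`, which is not a defined option and fails evaluation. Drop the prefix inside the attribute set: `execWheelOnly = true;` and `extraConfig = ''`. If this configuration evaluated at all, the likely reason is that the file is not yet imported (it is absent from the import list in `default.nix`), which would also mean `lecture = never` is not in force while the impermanence change stops persisting `/var/db/sudo/lectured`.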
@ -1,4 +1,4 @@
|
|||
{ home-manager, lib, pkgs, ... }: {
|
||||
{ ... }: {
|
||||
# PipeWire is a new low-level multimedia framework. It aims to offer capture
|
||||
# and playback for both audio and video with minimal latency and support for
|
||||
# PulseAudio-, JACK-, ALSA- and GStreamer-based applications.
|
||||
|
|