chaos-jetzt-nixfiles/common/default.nix

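{ config, lib, pkgs, nixpkgs, ... }: {
  # Baseline NixOS module shared by every chaos.jetzt host: base packages, nix
  # daemon settings, locale, firewall, SSH, nginx logging, ACME, sops and sudo.
  # Host-specific modules layer on top; `lib.mkDefault` marks the values a host
  # is expected to override.
  imports = [
    ./users.nix
  ];

  environment.systemPackages = with pkgs; [
    htop
    vim
    tmux
    rsync
    curl
    wget
    bat
    fd
    ripgrep
  ];

  nix = {
    package = pkgs.nixVersions.stable;
    settings = {
      auto-optimise-store = lib.mkDefault true;
      # trusted-users may set substituters and other daemon options from the
      # client side, which is effectively root-equivalent on the host; kept to
      # @wheel, who already get root through the passwordless sudo below.
      trusted-users = [ "root" "@wheel" ];
      # Declared alongside the other settings (instead of as raw text in
      # extraOptions) so it merges with any other module that enables features;
      # it renders to the same `experimental-features = nix-command flakes` line.
      experimental-features = [ "nix-command" "flakes" ];
    };
    # Pin `nixpkgs` in the flake registry to the input this system was built from.
    registry.nixpkgs.flake = nixpkgs;
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
  };

  # Skip building the NixOS manual on the hosts.
  documentation.nixos.enable = false;

  console.keyMap = "de";
  time.timeZone = "Europe/Berlin";
  i18n = {
    defaultLocale = "de_DE.UTF-8";
    # German locale for formats, English for program messages.
    extraLocaleSettings.LC_MESSAGES = "en_US.UTF-8";
  };

  networking.domain = "net.chaos.jetzt";
  networking.firewall = {
    # Keeps the kernel log quiet on internet-facing hosts. Note this also drops
    # the refused-connection trail that helps when investigating a scan or an
    # unexpected listener, so re-enable it on a host if that evidence is wanted.
    logRefusedConnections = false;
    enable = true;
    # HTTP/HTTPS only where nginx is actually enabled on this host. The openssh
    # module also opens its own ports while `services.openssh.openFirewall` is
    # left at its default, so listing them here is belt-and-braces.
    allowedTCPPorts = lib.optionals config.services.nginx.enable [ 80 443 ]
      ++ config.services.openssh.ports;
  };

  # Key-only SSH: no root login, no password or keyboard-interactive prompts.
  # Newer NixOS releases expose these under `services.openssh.settings`
  # (PermitRootLogin, PasswordAuthentication, KbdInteractiveAuthentication);
  # left in this form because the pinned nixpkgs release is not visible here.
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    passwordAuthentication = false;
    kbdInteractiveAuthentication = false;
  };

  # Access logging is switched off once, globally, so it cannot be forgotten on
  # an individual vhost. This is a deliberate data-minimisation choice; it also
  # means there is no per-request evidence trail from nginx (error_log is
  # unaffected).
  services.nginx.appendHttpConfig = ''
    access_log off;
  '';

  security.acme = {
    acceptTerms = true;
    # Per-host contact address so expiry notices identify the affected machine.
    defaults.email = "acme+${config.networking.hostName}@chaos.jetzt";
    defaults.webroot = "/var/lib/acme/acme-challenge";
  };

  sops = {
    # One secrets file per host, under secrets/<hostName>/; hosts may override.
    defaultSopsFile = lib.mkDefault (../secrets + ("/" + config.networking.hostName) + "/secrets.yaml");
    # Secrets are decrypted with an age key derived from the host's ed25519 SSH
    # key, so the host key is the root of trust for every secret on the machine;
    # rotating it requires re-keying the sops files for that host.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  security.sudo = {
    enable = true;
    # Passwordless sudo for wheel: with password SSH auth disabled above, holding
    # an authorised key for a wheel user is sufficient for root, with no second
    # factor. This matches the trusted-users choice in the nix settings.
    wheelNeedsPassword = false;
  };

  # Login banner; the hostname line is filled in per host.
  users.motd = ''
    ##### #####
    #### #### _____ _ ___ _ _
    ### ### / __ \ | |_ | | | | |
    ## # ## | / \/ |__ __ _ ___ ___ | | ___| |_ ___| |_
    # ### # | | | '_ \ / _` |/ _ \/ __| | |/ _ \ __|_ / __|
    # # # | \__/\ | | | (_| | (_) \__ \_/\__/ / __/ |_ / /| |_
    # # \____/_| |_|\__,_|\___/|___(_)____/ \___|\__/___|\__|
    ## ##
    ## # # ##
    # ## ## # ${config.networking.fqdn}
    # ## ## #
    # ####### #
  '';
}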