# Baseline NixOS settings shared by every server. Host-specific modules layer
# on top of this one, which is why most values here are wrapped in
# lib.mkDefault: a plain assignment in a host module silently wins.
{ pkgs, lib, ... }:
let
  # CLI tooling present on every machine. Wrapped in lib.lowPrio below so a
  # host-level package of the same name wins the profile conflict instead of
  # failing the build.
  baseTools = with pkgs; [
    curl
    dnsutils
    gitMinimal
    htop
    jq
    tmux
  ];

  # Hardware watchdog tuning; background reading:
  # https://0pointer.de/blog/projects/watchdog.html
  watchdogSettings = {
    # systemd kicks the watchdog at half this interval (every 10s). If the
    # hardware watchdog hears nothing for 20s it hard-resets the machine.
    runtimeTime = "20s";
    # Hard-reset if the final stage of shutdown stalls for more than 30s; see
    # https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
    rebootTime = "30s";
  };
in
{
  imports = [ ../common ];

  environment = {
    systemPackages = builtins.map lib.lowPrio baseTools;
    # Servers have no browser: print the URL instead of trying to open it.
    variables.BROWSER = "echo";
  };

  # Disabling documentation also drops --help output for some tools
  # (nixos-rebuild among them).
  documentation = {
    enable = lib.mkDefault false;
    info.enable = lib.mkDefault false;
    man.enable = lib.mkDefault false;
    nixos.enable = lib.mkDefault false;
  };

  # Headless machines: no fonts, no sound.
  fonts.fontconfig.enable = lib.mkDefault false;
  sound.enable = false;

  programs.vim.defaultEditor = lib.mkDefault true;

  networking = {
    # Deliberately not mkDefault: a host module has to use lib.mkForce to turn
    # the firewall off, so it cannot be lost by accident.
    firewall.enable = true;
    # Left empty so dhcp/cloud-init can assign the hostname.
    hostName = lib.mkDefault "";
  };

  # Every wheel member is a Nix trusted user. Trusted users can reconfigure
  # the daemon (substituters and similar settings), which the Nix manual
  # treats as root-equivalent, so wheel membership must be handed out as if
  # it were root access.
  nix.settings.trusted-users = [ "root" "@wheel" ];

  # Passwordless sudo for wheel: a compromised wheel login (a leaked SSH key,
  # say) is root with no further check. Only acceptable together with
  # key-only SSH and a tightly controlled wheel group.
  security.sudo.wheelNeedsPassword = false;

  # SSH on every host. NOTE(review): PasswordAuthentication is not set in this
  # file; confirm ../common or the host module enforces key-only logins.
  services.openssh.enable = true;

  # UTC everywhere.
  time.timeZone = lib.mkDefault "UTC";

  # Accounts come from the configuration only; no out-of-band useradd/passwd.
  users.mutableUsers = false;

  systemd = {
    # Emergency mode needs someone at a console. These boxes are headless, so
    # keep booting and hope the machine stays reachable over the network.
    enableEmergencyMode = false;
    watchdog = watchdogSettings;
    # A server never suspends or hibernates.
    sleep.extraConfig = "AllowSuspend=no\nAllowHibernation=no\n";
  };

  # fq + BBR: noticeably better throughput and lower latency than the kernel
  # defaults for our connections.
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };
}