author | tv <tv@krebsco.de> | 2017-08-29 21:08:02 +0200 |
committer | tv <tv@krebsco.de> | 2017-08-29 21:08:02 +0200 |
commit | 957d518374368e47e519d4870e9133a265b6e47c (patch) | |
tree | 2619fa4819d4c7ca4e98e49a770b8e8729d2b2c1 /mv/1systems/stro/config.nix | |
parent | 1c65c00764146a13a0fcf8e48de599430e4a2d2e (diff) | |
parent | 15c510e05b3353b5644c488d5b97005eb877105a (diff) |
Merge remote-tracking branch 'stro/master'
Diffstat (limited to 'mv/1systems/stro/config.nix')
-rw-r--r-- | mv/1systems/stro/config.nix | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/mv/1systems/stro/config.nix b/mv/1systems/stro/config.nix
new file mode 100644
index 0000000..669655e
--- /dev/null
+++ b/mv/1systems/stro/config.nix
@@ -0,0 +1,156 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+{
+ krebs = {
+ enable = true;
+ build = {
+ user = config.krebs.users.mv;
+ host = config.krebs.hosts.stro;
+ };
+ };
+
+ imports = [
+ <secrets>
+ <stockholm/krebs>
+ <stockholm/tv/2configs/audit.nix>
+ <stockholm/tv/2configs/bash>
+ <stockholm/tv/2configs/exim-retiolum.nix>
+ <stockholm/tv/2configs/hw/x220.nix>
+ <stockholm/tv/2configs/im.nix>
+ <stockholm/tv/2configs/mail-client.nix>
+ <stockholm/tv/2configs/nginx/public_html.nix>
+ <stockholm/tv/2configs/retiolum.nix>
+ <stockholm/tv/2configs/ssh.nix>
+ <stockholm/tv/2configs/sshd.nix>
+ <stockholm/tv/2configs/vim.nix>
+ <stockholm/tv/2configs/xdg.nix>
+ <stockholm/tv/2configs/xserver>
+ <stockholm/tv/3modules>
+ ];
+
+ boot.kernel.sysctl = {
+ # Enable IPv6 Privacy Extensions
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+
+ boot.initrd.luks = {
+ cryptoModules = [ "aes" "sha512" "xts" ];
+ devices = [
+ {
+ name = "luks1";
+ device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part2";
+ }
+ ];
+ };
+
+ environment = {
+ profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
+ shellAliases = mkForce {
+ gp = "${pkgs.pari}/bin/gp -q";
+ df = "df -h";
+ du = "du -h";
+ ls = "ls -h --color=auto --group-directories-first";
+ dmesg = "dmesg -L --reltime";
+ view = "vim -R";
+
+ reload = "systemctl reload";
+ restart = "systemctl restart";
+ start = "systemctl start";
+ status = "systemctl status";
+ stop = "systemctl stop";
+ };
+ systemPackages = with pkgs; [
+ dic
+ htop
+ p7zip
+ q
+
+ pavucontrol
+ rxvt_unicode.terminfo
+
+ # stockholm
+ git
+ gnumake
+ populate
+ ];
+ variables = {
+ NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
+ };
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part1";
+ };
+ "/" = {
+ device = "/dev/mapper/vg1-root";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
+ "/home" = {
+ device = "/dev/mapper/vg1-home";
+ fsType = "btrfs";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
+ };
+ "/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = ["nosuid" "nodev" "noatime"];
+ };
+ };
+
+ hardware.pulseaudio = {
+ enable = true;
+ systemWide = true;
+ };
+
+ networking.hostName = config.krebs.build.host.name;
+
+ nix = {
+ binaryCaches = ["https://cache.nixos.org"];
+ requireSignedBinaryCaches = true;
+ # TODO check if both are required:
+ sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+ useSandbox = true;
+ };
+
+ nixpkgs.config.packageOverrides = import <stockholm/tv/5pkgs> pkgs;
+
+ users = {
+ defaultUserShell = "/run/current-system/sw/bin/bash";
+ mutableUsers = false;
+ users = {
+ mv = {
+ inherit (config.krebs.users.mv) home uid;
+ isNormalUser = true;
+ };
+ };
+ };
+
+ security.sudo.extraConfig = ''
+ Defaults env_keep+="SSH_CLIENT"
+ Defaults mailto="${config.krebs.users.mv.mail}"
+ Defaults !lecture
+ '';
+
+ services.cron.enable = false;
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+ services.nscd.enable = false;
+ services.ntp.enable = false;
+ services.timesyncd.enable = true;
+
+ time.timeZone = "Europe/Berlin";
+
+ tv.iptables = {
+ enable = true;
+ accept-echo-request = "internet";
+ };
+
+ system.stateVersion = "16.03";
+}
|
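Review bot: `hardware.pulseaudio.systemWide = true` runs the sound server as one system-wide daemon instead of per user session, a mode the PulseAudio project itself documents as discouraged because it drops the per-user separation of the audio stack and its sockets; since nothing in this file says why it is needed on this host, a one-line why-comment above it would help reviewers, e.g. `# system-wide on purpose: <reason>`. On the same theme, `# TODO check if both are required:` above `sandboxPaths` leaves it unexplained which of `/etc/protocols` and `pkgs.iana_etc.outPath` the build sandbox actually needs, so that exposure cannot be judged from the config; resolving the TODO, or expanding the comment to say which build fails without each, would make the sandbox settings self-documenting. Both points are documentation only, no code change proposed.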