{ lib, pkgs, ... }: { imports = [ ./known-ssh-keys.nix ./cgroups.nix ]; nixpkgs.overlays = import ../overlays; nix.package = lib.mkDefault pkgs.lix; services.openssh.enable = lib.mkForce true; networking.nftables.enable = true; networking.firewall.enable = true; networking.firewall.logRefusedConnections = false; networking.firewall.logReversePathDrops = true; services.nginx = { recommendedOptimisation = lib.mkDefault true; recommendedTlsSettings = lib.mkDefault true; recommendedProxySettings = lib.mkDefault true; recommendedGzipSettings = lib.mkDefault true; eventsConfig = '' worker_connections 8192; ''; appendConfig = '' worker_rlimit_nofile 16384; ''; }; nix.gc = { automatic = true; persistent = true; dates = lib.mkDefault "daily"; options = "--delete-older-than 30d"; }; services.journald.extraConfig = "SystemMaxUse=512M"; boot.kernelParams = [ "panic=30" "boot.panic_on_fail" ]; boot.kernel.sysctl = { # Set default TCP congestion control algorithm "net.ipv4.tcp_congestion_control" = "bbr"; # Enable ECN "net.ipv4.tcp_ecn" = 1; # Enable TCP fast open "net.ipv4.tcp_fastopen" = 3; }; # reduce closure size, feel free to add your locale here i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" "fr_FR.UTF-8/UTF-8" ]; time.timeZone = "UTC"; security.acme.acceptTerms = true; security.acme.defaults.email = "infra@forkos.org"; # Enable system diffs. system.activationScripts.system-diff = { supportsDryActivation = true; # safe: only outputs to stdout text = '' if [ -e /run/current-system ]; then PATH=$PATH:${pkgs.nix}/bin ${pkgs.nvd}/bin/nvd diff /run/current-system $systemConfig fi ''; }; }