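# Shared baseline NixOS module for every host in this infra tree.
# Everything marked lib.mkDefault is a sane default a host module may
# override; the few lib.mkForce values are deliberate and non-negotiable.
{ lib, pkgs, ... }: {
  imports = [
    # Authorised SSH keys live in a separate file so they are reviewed on their own.
    ./known-ssh-keys.nix
    ./cgroups.nix
  ];

  nixpkgs.overlays = import ../overlays;

  nix.package = lib.mkDefault pkgs.lix;
  system.tools.nixos-option.enable = false;

  # sshd is the only remote management path, so it is forced on for all hosts.
  services.openssh.enable = lib.mkForce true;
  # Baseline sshd hardening: keys only, no password or keyboard-interactive
  # auth (NixOS leaves PasswordAuthentication enabled by default).  mkDefault
  # keeps this overridable by a host that genuinely needs something else;
  # NOTE(review): ./known-ssh-keys.nix is not visible here, confirm it does not
  # set these options at the same priority with different values.
  services.openssh.settings = {
    PasswordAuthentication = lib.mkDefault false;
    KbdInteractiveAuthentication = lib.mkDefault false;
  };

  # Host firewall on the nftables backend.  Refused-connection logging is off
  # to keep journald quiet on Internet-facing hosts; reverse-path drops are
  # still logged because they indicate spoofing or a misrouted interface.
  # Trade-off: dropped-connection evidence is not available for forensics.
  networking.nftables.enable = true;
  networking.firewall.enable = true;
  networking.firewall.logRefusedConnections = false;
  networking.firewall.logReversePathDrops = true;

  services.nginx = {
    recommendedOptimisation = lib.mkDefault true;
    # Modern-TLS cipher/protocol set from nixpkgs; keep this on unless a
    # host documents a reason to weaken it.
    recommendedTlsSettings = lib.mkDefault true;
    recommendedProxySettings = lib.mkDefault true;
    recommendedGzipSettings = lib.mkDefault true;
    eventsConfig = ''
      worker_connections 8192;
    '';
    # Must be >= worker_connections so the worker can actually open that many fds.
    appendConfig = ''
      worker_rlimit_nofile 16384;
    '';
  };

  # Keep the store from filling the disk; generations older than 30 days go.
  nix.gc = {
    automatic = true;
    persistent = true;
    dates = lib.mkDefault "daily";
    options = lib.mkDefault "--delete-older-than 30d";
  };

  # Local journal is capped at 512M; anything older than that budget is
  # gone, so hosts needing longer retention must ship logs elsewhere.
  services.journald.extraConfig = "SystemMaxUse=512M";

  # On an unrecoverable stage-1 failure, panic (no interactive rescue shell
  # on a remote box) and reboot after 30 seconds instead of hanging.
  boot.kernelParams = [
    "panic=30" "boot.panic_on_fail"
  ];

  boot.kernel.sysctl = {
    # Set default TCP congestion control algorithm
    "net.ipv4.tcp_congestion_control" = "bbr";

    # Enable ECN
    "net.ipv4.tcp_ecn" = 1;

    # Enable TCP fast open for both client (1) and server (2) sides.
    # NOTE(review): server-side TFO accepts data in the SYN, which can be
    # replayed; only safe for services whose first request is idempotent.
    # Consider 1 (client only) on hosts that do not need it.
    "net.ipv4.tcp_fastopen" = 3;
  };

  # reduce closure size, feel free to add your locale here
  i18n.supportedLocales = [
    "en_US.UTF-8/UTF-8"
    "fr_FR.UTF-8/UTF-8"
  ];

  # UTC everywhere so timestamps correlate across hosts and with ACME/nginx logs.
  time.timeZone = "UTC";

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "infra@forkos.org";

  # Enable system diffs: print what changes between the running system and the
  # one being activated.  Purely informational; it writes nothing to disk.
  system.activationScripts.system-diff = {
    supportsDryActivation = true; # safe: only outputs to stdout
    text = ''
      if [ -e /run/current-system ]; then
        PATH=$PATH:${pkgs.nix}/bin ${pkgs.nvd}/bin/nvd diff /run/current-system "$systemConfig"
      fi
    '';
  };
}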