From 3d717b6415d4429a2f9bc9619ac0bbff456827c3 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Thu, 23 Oct 2025 17:41:18 -0700
Subject: move a few more things back as profiles

---
 machines/nixos/x86_64-linux/do-rproxy/default.nix | 3 +
 machines/nixos/x86_64-linux/rivendell/default.nix | 3 +
 .../nixos/x86_64-linux/synology-vm/default.nix | 3 +
 modules/nixos/base.nix | 101 --------------------
 modules/nixos/cgroups.nix | 75 ---------------
 modules/nixos/default.nix | 4 -
 modules/nixos/podman.nix | 13 ---
 modules/nixos/ssh.nix | 21 -----
 profiles/cgroups.nix | 75 +++++++++++++++
 profiles/defaults.nix | 88 ++++++++++++++++++
 profiles/server.nix | 44 +++++++++
 11 files changed, 216 insertions(+), 214 deletions(-)
 delete mode 100644 modules/nixos/base.nix
 delete mode 100644 modules/nixos/cgroups.nix
 delete mode 100644 modules/nixos/podman.nix
 delete mode 100644 modules/nixos/ssh.nix
 create mode 100644 profiles/cgroups.nix
 create mode 100644 profiles/defaults.nix
 create mode 100644 profiles/server.nix

diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index b49431f..fd21220 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -6,6 +6,9 @@
 ./disks.nix
 ./secrets.nix
 ./profiles/nginx.nix
+ ../../../../profiles/defaults.nix
+ ../../../../profiles/server.nix
+ ../../../../profiles/cgroups.nix
 ];

 networking.hostName = "do-rproxy";
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index fe4e0ee..abbc78f 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -10,6 +10,9 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
 ../../../../profiles/disk/btrfs-on-luks.nix
+ ../../../../profiles/defaults.nix
+ ../../../../profiles/server.nix
+ ../../../../profiles/cgroups.nix
 ../../../../profiles/forgejo.nix
 ../../../../profiles/keycloak.nix
 ../../../../profiles/tailscale.nix
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index 915d851..c1b2270 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -10,6 +10,9 @@
 ./hardware.nix
 ./secrets.nix
 ./profiles/goget.nix
+ ../../../../profiles/defaults.nix
+ ../../../../profiles/server.nix
+ ../../../../profiles/cgroups.nix
 ];

 boot.loader.efi.canTouchEfiVariables = true;
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
deleted file mode 100644
index 9ed3abc..0000000
--- a/modules/nixos/base.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- self,
- config,
- pkgs,
- lib,
- ...
-}:
-{
- boot = {
- kernelPackages = pkgs.linuxPackages_latest;
- kernel.sysctl = {
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.ipv4.tcp_ecn" = 1;
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_tw_reuse" = 1;
- };
- };
-
- networking = {
- useNetworkd = true;
- # Used by systemd-resolved, not directly by resolv.conf.
- nameservers = [
- "8.8.8.8#dns.google"
- "1.0.0.1#cloudflare-dns.com"
- ];
- firewall = {
- enable = true;
- allowPing = true;
- logRefusedConnections = false;
- };
- };
-
- systemd.network = {
- enable = true;
- };
-
- services.resolved = {
- enable = true;
- dnssec = "false";
- };
-
- services.fail2ban = {
- enable = true;
- ignoreIP = [
- "10.100.0.0/24" # wireguard
- ];
- bantime = "1h";
- bantime-increment = {
- enable = true;
- maxtime = "168h";
- factor = "4";
- };
- };
-
- i18n = {
- defaultLocale = "en_US.UTF-8";
- supportedLocales = [
- "en_US.UTF-8/UTF-8"
- ];
- };
-
- time.timeZone = "America/Los_Angeles";
-
- users.motdFile = "/etc/motd";
-
- environment.etc.motd.text = ''
- Machine ${config.networking.hostName}
- NixOS ${config.system.nixos.release}
- @ ${self.shortRev or self.dirtyShortRev}
- '';
-
- ## disable that slow "building man-cache" step
- documentation.man.generateCaches = lib.mkForce false;
-
- users = {
- mutableUsers = false;
- users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- ];
- };
-
- security.sudo.wheelNeedsPassword = false;
-
- environment.systemPackages = with pkgs; [
- curl
- dysk
- fd
- fish
- git
- htop
- jq
- mtr
- pciutils
- powertop
- ripgrep
- tcpdump
- traceroute
- vim
- wireguard-tools
- ];
-}
diff --git a/modules/nixos/cgroups.nix b/modules/nixos/cgroups.nix
deleted file mode 100644
index 07dc964..0000000
--- a/modules/nixos/cgroups.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-# Stolen from https://git.lix.systems/the-distro/infra/src/branch/main/common/cgroups.nix
-# Relatively inspired by fbtax2:
-# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
-{ ... }:
-let
- systemCriticalSliceConfig = {
- ManagedOOMMemoryPressure = "kill";
-
- # guarantee availability of memory
- MemoryMin = "192M";
- # default 100
- IOWeight = 1000;
- # default 100
- CPUWeight = 1000;
- };
-in
-{
- systemd.oomd = {
- enable = true;
- enableRootSlice = true;
- enableSystemSlice = true;
- enableUserSlices = true;
- };
-
- systemd.services.nix-daemon = {
- serviceConfig = {
- CPUWeight = 10;
- IOWeight = 10;
- };
- };
-
- systemd.slices.hostcritical = {
- description = "Ensures that services to keep the system alive remain alive";
-
- unitConfig = {
- # required to avoid a dependency cycle on systemd-oomd. systemd will
- # actually guess this right but we should fix it anyway.
- DefaultDependencies = false;
- };
-
- sliceConfig = systemCriticalSliceConfig;
- };
-
- # make root logins higher priority for resources
- systemd.slices."user-0" = {
- sliceConfig = systemCriticalSliceConfig;
- };
-
- systemd.slices.system = {
- sliceConfig = {
- ManagedOOMMemoryPressure = "kill";
- ManagedOOMMemoryPressureLimit = "50%";
-
- IOWeight = 100;
- };
- };
-
- systemd.services.sshd = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-
- systemd.services.systemd-oomd = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-
- systemd.services.systemd-journald = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index bc5c6de..a3c5d70 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -2,15 +2,11 @@
 {
 imports = [
 ./backups.nix
- ./base.nix
- ./cgroups.nix
 ./hardware
 ./home-manager.nix
 ./nas-client.nix
 ./nix.nix
- ./podman.nix
 ./remote-unlock.nix
- ./ssh.nix
 ./user.nix
 ];
 }
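Review bot: Removing `./base.nix` and `./ssh.nix` from the auto-imported list in modules/nixos/default.nix means the sshd hardening (`PasswordAuthentication = false`, `PermitRootLogin = "prohibit-password"`), `users.mutableUsers = false` and fail2ban now only reach hosts that explicitly import `profiles/defaults.nix` and `profiles/server.nix`, and this commit adds those imports to exactly three machines (do-rproxy, rivendell, synology-vm). Any other machine under machines/ that previously relied on the implicit import would evaluate and deploy with stock NixOS defaults for sshd and users, with no warning. If such machines exist, consider an assertion in this module, or at minimum a comment on the `imports` list such as `# base/ssh/podman/cgroups now live in profiles/*.nix; every machine must import them explicitly` so the next host added does not come up unhardened.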
diff --git a/modules/nixos/podman.nix b/modules/nixos/podman.nix
deleted file mode 100644
index bd5aa3c..0000000
--- a/modules/nixos/podman.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- virtualisation.podman = {
- enable = true;
- dockerCompat = true;
- autoPrune.enable = true;
- autoPrune.flags = [
- "--all"
- ];
- defaultNetwork.settings.dns_enabled = true;
- };
-
- virtualisation.oci-containers.backend = "podman";
-}
diff --git a/modules/nixos/ssh.nix b/modules/nixos/ssh.nix
deleted file mode 100644
index b4c8772..0000000
--- a/modules/nixos/ssh.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, ... }:
-{
- networking.firewall.allowedTCPPorts = [ 22 ];
-
- services.openssh = {
- enable = lib.mkDefault true;
- settings = {
- PasswordAuthentication = lib.mkForce false;
- KbdInteractiveAuthentication = lib.mkForce false;
-
- PermitRootLogin = lib.mkForce "prohibit-password";
- };
- openFirewall = lib.mkDefault true;
- hostKeys = [
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- ];
- };
-}
diff --git a/profiles/cgroups.nix b/profiles/cgroups.nix
new file mode 100644
index 0000000..07dc964
--- /dev/null
+++ b/profiles/cgroups.nix
@@ -0,0 +1,75 @@
+# Stolen from https://git.lix.systems/the-distro/infra/src/branch/main/common/cgroups.nix
+# Relatively inspired by fbtax2:
+# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
+{ ... }:
+let
+ systemCriticalSliceConfig = {
+ ManagedOOMMemoryPressure = "kill";
+
+ # guarantee availability of memory
+ MemoryMin = "192M";
+ # default 100
+ IOWeight = 1000;
+ # default 100
+ CPUWeight = 1000;
+ };
+in
+{
+ systemd.oomd = {
+ enable = true;
+ enableRootSlice = true;
+ enableSystemSlice = true;
+ enableUserSlices = true;
+ };
+
+ systemd.services.nix-daemon = {
+ serviceConfig = {
+ CPUWeight = 10;
+ IOWeight = 10;
+ };
+ };
+
+ systemd.slices.hostcritical = {
+ description = "Ensures that services to keep the system alive remain alive";
+
+ unitConfig = {
+ # required to avoid a dependency cycle on systemd-oomd. systemd will
+ # actually guess this right but we should fix it anyway.
+ DefaultDependencies = false;
+ };
+
+ sliceConfig = systemCriticalSliceConfig;
+ };
+
+ # make root logins higher priority for resources
+ systemd.slices."user-0" = {
+ sliceConfig = systemCriticalSliceConfig;
+ };
+
+ systemd.slices.system = {
+ sliceConfig = {
+ ManagedOOMMemoryPressure = "kill";
+ ManagedOOMMemoryPressureLimit = "50%";
+
+ IOWeight = 100;
+ };
+ };
+
+ systemd.services.sshd = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+
+ systemd.services.systemd-oomd = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+
+ systemd.services.systemd-journald = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+}
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
new file mode 100644
index 0000000..7c8a7fb
--- /dev/null
+++ b/profiles/defaults.nix
@@ -0,0 +1,88 @@
+{
+ self,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernel.sysctl = {
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.ipv4.tcp_ecn" = 1;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ };
+ };
+
+ networking = {
+ useNetworkd = true;
+ # Used by systemd-resolved, not directly by resolv.conf.
+ nameservers = [
+ "8.8.8.8#dns.google"
+ "1.0.0.1#cloudflare-dns.com"
+ ];
+ firewall = {
+ enable = true;
+ allowPing = true;
+ logRefusedConnections = false;
+ };
+ };
+
+ systemd.network = {
+ enable = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ };
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ users.motdFile = "/etc/motd";
+
+ environment.etc.motd.text = ''
+ Machine ${config.networking.hostName}
+ NixOS ${config.system.nixos.release}
+ @ ${self.shortRev or self.dirtyShortRev}
+ '';
+
+ ## disable that slow "building man-cache" step
+ documentation.man.generateCaches = lib.mkForce false;
+
+ users = {
+ mutableUsers = false;
+ users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ curl
+ dysk
+ fd
+ fish
+ git
+ htop
+ jq
+ mtr
+ pciutils
+ powertop
+ ripgrep
+ tcpdump
+ traceroute
+ vim
+ wireguard-tools
+ ];
+}
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..fe59484
--- /dev/null
+++ b/profiles/server.nix
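Review bot: The `#dns.google` and `#cloudflare-dns.com` suffixes on `networking.nameservers` only tell systemd-resolved which certificate name to validate for DNS-over-TLS, and `services.resolved` in this profile sets `dnssec = "false"` and does not enable `dnsovertls`, so as written every host that imports it sends plaintext DNS to 8.8.8.8 and 1.0.0.1 and the suffixes have no effect. If encrypted upstream DNS is the intent, add `services.resolved.dnsovertls = "true";` (or `"opportunistic"` where port 853 may be blocked) next to `dnssec`; if plaintext is intended, a comment saying so would stop the next reader from assuming DoT is on. Separately, this shared "defaults" profile carries `security.sudo.wheelNeedsPassword = false` and a hard-coded root authorized key into every importing host, including the internet-facing reverse proxy, which deserves a comment such as `# NOTE: any wheel account on these hosts is effectively root; keep wheel membership minimal` so the trade-off is explicit.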
@@ -0,0 +1,44 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.100.0.0/24" # wireguard
+ ];
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ factor = "4";
+ };
+ };
+
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ autoPrune.enable = true;
+ autoPrune.flags = [
+ "--all"
+ ];
+ defaultNetwork.settings.dns_enabled = true;
+ };
+
+ virtualisation.oci-containers.backend = "podman";
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+
+ PermitRootLogin = "prohibit-password";
+ };
+ openFirewall = true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+}
-- cgit v1.2.3
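Review bot: The `services.openssh` block drops the `lib.mkForce`/`lib.mkDefault` priorities that the deleted modules/nixos/ssh.nix had, which changes how host modules interact with it. `enable = true` and `openFirewall = true` are now plain definitions, so a host that sets `services.openssh.enable = false` will fail with a conflicting-definition error instead of winning, and a host-level `PasswordAuthentication = lib.mkForce true` now silently overrides the hardening where before it would have collided with the profile's own `mkForce`. If this profile is meant to be the authoritative sshd baseline, restore the priorities as below (this needs `lib` in the argument set); the old module's explicit `networking.firewall.allowedTCPPorts = [ 22 ]` can stay dropped since `openFirewall` already opens the sshd ports.
```nix
{ lib, ... }:
# … unchanged: fail2ban, podman, oci-containers …
  services.openssh = {
    enable = lib.mkDefault true;
    settings = {
      PasswordAuthentication = lib.mkForce false;
      KbdInteractiveAuthentication = lib.mkForce false;

      PermitRootLogin = lib.mkForce "prohibit-password";
    };
    openFirewall = lib.mkDefault true;
    # … unchanged: hostKeys …
  };
```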