From 2fea36c19eb904125e2db5ba230b28d72dc881db Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Fri, 12 Sep 2025 13:11:20 -0700
Subject: start to refactor nixos modules
---
 modules/nixos/base.nix | 65 ++++++++++++++++++++++++++++++++++++++++
 modules/nixos/cgroups.nix | 75 +++++++++++++++++++++++++++++++++++++++++++++++
 modules/nixos/default.nix | 8 +++++
 modules/nixos/ssh.nix | 21 +++++++++++++
 4 files changed, 169 insertions(+)
 create mode 100644 modules/nixos/base.nix
 create mode 100644 modules/nixos/cgroups.nix
 create mode 100644 modules/nixos/default.nix
 create mode 100644 modules/nixos/ssh.nix
(limited to 'modules/nixos')
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
new file mode 100644
index 0000000..f3dece1
--- /dev/null
+++ b/modules/nixos/base.nix
@@ -0,0 +1,65 @@
+{
+ self,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernel.sysctl = {
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.ipv4.tcp_ecn" = 1;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ };
+ };
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ users.motdFile = "/etc/motd";
+
+ environment.etc.motd.text = ''
+ Machine ${config.networking.hostName}
+ NixOS ${config.system.nixos.release}
+ @ ${self.shortRev or self.dirtyShortRev}
+ '';
+
+ ## disable that slow "building man-cache" step
+ documentation.man.generateCaches = lib.mkForce false;
+
+ users = {
+ mutableUsers = false;
+ users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ curl
+ dysk
+ fd
+ fish
+ git
+ htop
+ jq
+ mtr
+ pciutils
+ powertop
+ ripgrep
+ tcpdump
+ traceroute
+ vim
+ wireguard-tools
+ ];
+}
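Review bot: `security.sudo.wheelNeedsPassword = false;` is set unconditionally in base.nix, so every host importing this module grants passwordless sudo to all wheel members and can only opt back out with `lib.mkForce`. No wheel members are declared in this hunk, so the actual exposure depends on users defined elsewhere in the tree. Consider `security.sudo.wheelNeedsPassword = lib.mkDefault false;` with a one-line comment stating why passwordless sudo is acceptable for these hosts, and the same `lib.mkDefault` treatment for `boot.kernelPackages = pkgs.linuxPackages_latest;` so a host that needs a different kernel is not forced into an override.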
diff --git a/modules/nixos/cgroups.nix b/modules/nixos/cgroups.nix
new file mode 100644
index 0000000..07dc964
--- /dev/null
+++ b/modules/nixos/cgroups.nix
@@ -0,0 +1,75 @@
+# Stolen from https://git.lix.systems/the-distro/infra/src/branch/main/common/cgroups.nix
+# Relatively inspired by fbtax2:
+# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
+{ ... }:
+let
+ systemCriticalSliceConfig = {
+ ManagedOOMMemoryPressure = "kill";
+
+ # guarantee availability of memory
+ MemoryMin = "192M";
+ # default 100
+ IOWeight = 1000;
+ # default 100
+ CPUWeight = 1000;
+ };
+in
+{
+ systemd.oomd = {
+ enable = true;
+ enableRootSlice = true;
+ enableSystemSlice = true;
+ enableUserSlices = true;
+ };
+
+ systemd.services.nix-daemon = {
+ serviceConfig = {
+ CPUWeight = 10;
+ IOWeight = 10;
+ };
+ };
+
+ systemd.slices.hostcritical = {
+ description = "Ensures that services to keep the system alive remain alive";
+
+ unitConfig = {
+ # required to avoid a dependency cycle on systemd-oomd. systemd will
+ # actually guess this right but we should fix it anyway.
+ DefaultDependencies = false;
+ };
+
+ sliceConfig = systemCriticalSliceConfig;
+ };
+
+ # make root logins higher priority for resources
+ systemd.slices."user-0" = {
+ sliceConfig = systemCriticalSliceConfig;
+ };
+
+ systemd.slices.system = {
+ sliceConfig = {
+ ManagedOOMMemoryPressure = "kill";
+ ManagedOOMMemoryPressureLimit = "50%";
+
+ IOWeight = 100;
+ };
+ };
+
+ systemd.services.sshd = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+
+ systemd.services.systemd-oomd = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+
+ systemd.services.systemd-journald = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
new file mode 100644
index 0000000..669cd75
--- /dev/null
+++ b/modules/nixos/default.nix
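Review bot: `systemd.services.sshd` is pinned to `hostcritical.slice` unconditionally in cgroups.nix, while ssh.nix only enables openssh with `lib.mkDefault true`; a host that turns openssh off would, as far as I can tell, still get a stub sshd.service unit carrying only `Slice=` and no `ExecStart=`, which systemd refuses to load. Gating the block on the service being enabled avoids that: change the module arguments to `{ config, lib, ... }:` and write `systemd.services.sshd = lib.mkIf config.services.openssh.enable { serviceConfig.Slice = "hostcritical.slice"; };`. The systemd-oomd and systemd-journald entries do not have this problem, since this module enables oomd itself and journald is always present.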
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./base.nix
+ ./cgroups.nix
+ ./ssh.nix
+ ];
+}
diff --git a/modules/nixos/ssh.nix b/modules/nixos/ssh.nix
new file mode 100644
index 0000000..b4c8772
--- /dev/null
+++ b/modules/nixos/ssh.nix
@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ services.openssh = {
+ enable = lib.mkDefault true;
+ settings = {
+ PasswordAuthentication = lib.mkForce false;
+ KbdInteractiveAuthentication = lib.mkForce false;
+
+ PermitRootLogin = lib.mkForce "prohibit-password";
+ };
+ openFirewall = lib.mkDefault true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+}
-- 
cgit v1.2.3
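Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` in ssh.nix duplicates what `openFirewall = lib.mkDefault true;` already does, and unlike that line it carries no `lib.mkDefault`, so a host that sets `services.openssh.openFirewall = false` or moves sshd to another port still ends up with port 22 open in the firewall. Drop the `allowedTCPPorts` line and let `openFirewall` open whatever `services.openssh.ports` resolves to. The remaining settings look right: password and keyboard-interactive authentication are forced off and root is restricted to key-based login.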