From 3d717b6415d4429a2f9bc9619ac0bbff456827c3 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Thu, 23 Oct 2025 17:41:18 -0700
Subject: move a few more things back as profiles
---
modules/nixos/base.nix | 101 ----------------------------------------------
modules/nixos/cgroups.nix | 75 ----------------------------------
modules/nixos/default.nix | 4 --
modules/nixos/podman.nix | 13 ------
modules/nixos/ssh.nix | 21 ----------
5 files changed, 214 deletions(-)
delete mode 100644 modules/nixos/base.nix
delete mode 100644 modules/nixos/cgroups.nix
delete mode 100644 modules/nixos/podman.nix
delete mode 100644 modules/nixos/ssh.nix
(limited to 'modules/nixos')
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
deleted file mode 100644
index 9ed3abc..0000000
--- a/modules/nixos/base.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- self,
- config,
- pkgs,
- lib,
- ...
-}:
-{
- boot = {
- kernelPackages = pkgs.linuxPackages_latest;
- kernel.sysctl = {
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.ipv4.tcp_ecn" = 1;
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_tw_reuse" = 1;
- };
- };
-
- networking = {
- useNetworkd = true;
- # Used by systemd-resolved, not directly by resolv.conf.
- nameservers = [
- "8.8.8.8#dns.google"
- "1.0.0.1#cloudflare-dns.com"
- ];
- firewall = {
- enable = true;
- allowPing = true;
- logRefusedConnections = false;
- };
- };
-
- systemd.network = {
- enable = true;
- };
-
- services.resolved = {
- enable = true;
- dnssec = "false";
- };
-
- services.fail2ban = {
- enable = true;
- ignoreIP = [
- "10.100.0.0/24" # wireguard
- ];
- bantime = "1h";
- bantime-increment = {
- enable = true;
- maxtime = "168h";
- factor = "4";
- };
- };
-
- i18n = {
- defaultLocale = "en_US.UTF-8";
- supportedLocales = [
- "en_US.UTF-8/UTF-8"
- ];
- };
-
- time.timeZone = "America/Los_Angeles";
-
- users.motdFile = "/etc/motd";
-
- environment.etc.motd.text = ''
- Machine ${config.networking.hostName}
- NixOS ${config.system.nixos.release}
- @ ${self.shortRev or self.dirtyShortRev}
- '';
-
- ## disable that slow "building man-cache" step
- documentation.man.generateCaches = lib.mkForce false;
-
- users = {
- mutableUsers = false;
- users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- ];
- };
-
- security.sudo.wheelNeedsPassword = false;
-
- environment.systemPackages = with pkgs; [
- curl
- dysk
- fd
- fish
- git
- htop
- jq
- mtr
- pciutils
- powertop
- ripgrep
- tcpdump
- traceroute
- vim
- wireguard-tools
- ];
-}
diff --git a/modules/nixos/cgroups.nix b/modules/nixos/cgroups.nix
deleted file mode 100644
index 07dc964..0000000
--- a/modules/nixos/cgroups.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-# Stolen from https://git.lix.systems/the-distro/infra/src/branch/main/common/cgroups.nix
-# Relatively inspired by fbtax2:
-# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
-{ ... }:
-let
- systemCriticalSliceConfig = {
- ManagedOOMMemoryPressure = "kill";
-
- # guarantee availability of memory
- MemoryMin = "192M";
- # default 100
- IOWeight = 1000;
- # default 100
- CPUWeight = 1000;
- };
-in
-{
- systemd.oomd = {
- enable = true;
- enableRootSlice = true;
- enableSystemSlice = true;
- enableUserSlices = true;
- };
-
- systemd.services.nix-daemon = {
- serviceConfig = {
- CPUWeight = 10;
- IOWeight = 10;
- };
- };
-
- systemd.slices.hostcritical = {
- description = "Ensures that services to keep the system alive remain alive";
-
- unitConfig = {
- # required to avoid a dependency cycle on systemd-oomd. systemd will
- # actually guess this right but we should fix it anyway.
- DefaultDependencies = false;
- };
-
- sliceConfig = systemCriticalSliceConfig;
- };
-
- # make root logins higher priority for resources
- systemd.slices."user-0" = {
- sliceConfig = systemCriticalSliceConfig;
- };
-
- systemd.slices.system = {
- sliceConfig = {
- ManagedOOMMemoryPressure = "kill";
- ManagedOOMMemoryPressureLimit = "50%";
-
- IOWeight = 100;
- };
- };
-
- systemd.services.sshd = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-
- systemd.services.systemd-oomd = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-
- systemd.services.systemd-journald = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index bc5c6de..a3c5d70 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -2,15 +2,11 @@
 {
 imports = [
 ./backups.nix
- ./base.nix
- ./cgroups.nix
 ./hardware
 ./home-manager.nix
 ./nas-client.nix
 ./nix.nix
- ./podman.nix
 ./remote-unlock.nix
- ./ssh.nix
 ./user.nix
 ];
 }
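Review bot: Dropping `./ssh.nix` and `./base.nix` from this always-imported list means a host that only pulls in `modules/nixos` now runs sshd with stock NixOS settings, where password and keyboard-interactive authentication are enabled, and also loses `users.mutableUsers = false`, the firewall enable and fail2ban; ssh.nix applied its sshd settings with `lib.mkForce` precisely so no host could relax them. This view is limited to `modules/nixos`, so the replacement profiles are presumably added elsewhere in the same commit, but nothing left in the `imports` list enforces that every host includes them. I would keep the three hardening lines (`PasswordAuthentication = lib.mkForce false;`, `KbdInteractiveAuthentication = lib.mkForce false;`, `PermitRootLogin = lib.mkForce "prohibit-password";`) in a module that stays in this list, or add a guard to one of the remaining modules: `assertions = [ { assertion = !config.services.openssh.settings.PasswordAuthentication; message = "sshd password auth must be disabled; import the ssh profile"; } ];`. The `{ imports = [ ... ]; }` set is shown whole in this hunk, so the change is complete as far as this file goes.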
diff --git a/modules/nixos/podman.nix b/modules/nixos/podman.nix
deleted file mode 100644
index bd5aa3c..0000000
--- a/modules/nixos/podman.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- virtualisation.podman = {
- enable = true;
- dockerCompat = true;
- autoPrune.enable = true;
- autoPrune.flags = [
- "--all"
- ];
- defaultNetwork.settings.dns_enabled = true;
- };
-
- virtualisation.oci-containers.backend = "podman";
-}
diff --git a/modules/nixos/ssh.nix b/modules/nixos/ssh.nix
deleted file mode 100644
index b4c8772..0000000
--- a/modules/nixos/ssh.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, ... }:
-{
- networking.firewall.allowedTCPPorts = [ 22 ];
-
- services.openssh = {
- enable = lib.mkDefault true;
- settings = {
- PasswordAuthentication = lib.mkForce false;
- KbdInteractiveAuthentication = lib.mkForce false;
-
- PermitRootLogin = lib.mkForce "prohibit-password";
- };
- openFirewall = lib.mkDefault true;
- hostKeys = [
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- ];
- };
-}
--
cgit v1.2.3