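# Base NixOS module: boot and kernel tuning, console, Nix daemon settings,
# networking/DNS, locale, MOTD, root SSH keys, sudo policy and a baseline
# set of CLI tools. Line structure is restored so that `#` comments no
# longer run into the settings that follow them.
{ config, pkgs, lib, ... }:
{
  imports = [ ./cgroups.nix ];

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    plymouth.enable = true;
    kernelParams = [
      "quiet"
      "splash"
      "rd.systemd.show_status=false"
      # NOTE(review): NixOS documents boot.shell_on_fail as offering a root
      # shell with no authentication when stage 1 fails. Keep it only on
      # machines whose console is already trusted; confirm this is intended
      # for every host that imports this module.
      "boot.shell_on_fail"
    ];
    kernel.sysctl = {
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.ipv4.tcp_ecn" = 1;
      # 3 enables TCP Fast Open for both outgoing and incoming connections.
      "net.ipv4.tcp_fastopen" = 3;
      "net.ipv4.tcp_tw_reuse" = 1;
    };
  };

  console = {
    earlySetup = true;
    font = "ter-132n";
    packages = with pkgs; [ terminus_font ];
    keyMap = "us";
  };

  nix = {
    gc = {
      automatic = true;
      options = "--delete-older-than 14d";
    };
    optimise.automatic = true;
    extraOptions = ''
      tarball-ttl = 900
    '';
    package = pkgs.nixVersions.stable;
    settings = {
      # Caches that users of the Nix daemon may opt into. They are not
      # queried by default unless they are also listed in `substituters`.
      trusted-substituters = [
        "https://cachix.cachix.org"
        "https://nixpkgs.cachix.org"
        "https://nix-community.cachix.org"
      ];
      # Every key here is a trust root: a store path signed by any one of
      # them is accepted as-is. Keep the list as short as the caches that
      # are actually in use, and review it when a cache is dropped.
      trusted-public-keys = [
        "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
        "nixpkgs.cachix.org-1:q91R6hxbwFvDqTSDKwDAV4T5PxqXGxswD8vhONFMeOE="
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
      # Only root may override daemon settings such as substituters and
      # signature checks; other users are limited to the lists above.
      trusted-users = [ "root" ];
      experimental-features = lib.mkDefault [ "nix-command" "flakes" ];
    };
  };

  networking = {
    useNetworkd = true;
    # Used by systemd-resolved, not directly by resolv.conf.
    # The "#name" suffix is the TLS server name resolved checks when it
    # speaks DNS-over-TLS to that address.
    # NOTE(review): this file never sets services.resolved.dnsovertls, so
    # unless it is enabled elsewhere the names are unused and queries leave
    # in clear text.
    nameservers = [
      "8.8.8.8#dns.google"
      "1.0.0.1#cloudflare-dns.com"
    ];
    firewall = {
      enable = true;
      allowPing = true;
      # Refused connection attempts are not logged: quieter journal, but no
      # local record of inbound probing.
      logRefusedConnections = false;
    };
  };

  systemd.network = {
    enable = true;
  };

  services.resolved = {
    enable = true;
    # DNSSEC validation is off, so answers are not authenticated by the
    # resolver itself.
    dnssec = "false";
  };

  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
  };

  time.timeZone = "America/Los_Angeles";

  users.motdFile = "/etc/motd";
  environment.etc.motd.text =
    let
      # system.configurationRevision is a nullable option and interpolating
      # null aborts evaluation, so fall back to a fixed label when no
      # revision has been set.
      rev = config.system.configurationRevision;
      revision = if rev == null then "unknown" else rev;
    in
    ''
      Machine ${config.networking.hostName}
      NixOS ${config.system.nixos.versionSuffix}
      @ ${revision}
    '';

  ## disable that slow "building man-cache" step
  documentation.man.generateCaches = lib.mkForce false;

  users = {
    # Accounts are defined only by this configuration; changes made at
    # runtime with passwd/useradd do not persist.
    mutableUsers = false;
    # Keys accepted for direct root login over SSH. sshd is not enabled in
    # this file, so they take effect only where it is enabled elsewhere.
    # No per-key options are set (for example `verify-required` on the
    # sk-* entries), so nothing beyond possession of the key is enforced
    # on the server side.
    users.root.openssh.authorizedKeys.keys = [
      # 1password
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
      # YubiKey 5C Nano (personal)
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo= ssh:"
      # Yubikey 5C (keychain)
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
      # Yubikey 5C NFC (backup)
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo= ssh:"
      # Yubikey 5C Nano (work)
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
      # Yubikey Security Key C NFC (work, backup)
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
    ];
  };

  # Members of wheel get root through sudo without re-authenticating, so any
  # process running as a wheel user is effectively root. Which accounts are
  # in wheel is decided outside this file.
  security.sudo.wheelNeedsPassword = false;

  programs.fish.enable = true;

  environment.systemPackages = with pkgs; [
    bandwhich
    bottom
    curl
    dust
    dysk
    htop
    jless
    jq
    kitty.terminfo
    mtr
    pciutils
    powertop
    procs
    ripgrep
    tcpdump
    traceroute
    vim
    wireguard-tools
  ];
}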