authortcmal <me@aria.rip>2024-08-23 01:03:50 +0100
committertcmal <me@aria.rip>2024-08-23 01:05:10 +0100
commit5028503d6d2a21d9e4cb3100a2f9b2795cb5d4bd (patch)
tree94f38bbdfabc7b2549b97541b4d9880b5eb332e7 /profiles
basic kiosk moduleHEADmain
Diffstat (limited to 'profiles')
-rw-r--r--profiles/common.nix139
1 files changed, 139 insertions, 0 deletions
diff --git a/profiles/common.nix b/profiles/common.nix
new file mode 100644
index 0000000..0aa496e
--- /dev/null
+++ b/profiles/common.nix
@@ -0,0 +1,139 @@
+{
+ pkgs,
+ lib,
+ inputs,
+ config,
+ ...
+}:
+let
+ inherit (lib) mkDefault;
+in
+{
+ system.stateVersion = "24.05";
+
+ environment.systemPackages = with pkgs; [
+ vim
+ curl
+ dnsutils
+ gitMinimal
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+ nix = {
+ nixPath = [ ];
+
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+
+ registry = {
+ nixpkgs.to = {
+ owner = "nixos";
+ repo = "nixpkgs";
+ type = "github";
+ rev = inputs.nixpkgs.rev;
+ };
+ };
+
+ settings = {
+ # Improve nix store disk usage
+ auto-optimise-store = true;
+
+ # Prevents impurities in builds
+ sandbox = true;
+
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ "ca-derivations"
+ ];
+ flake-registry = "";
+
+ connect-timeout = 20;
+ log-lines = mkDefault 25;
+
+ max-free = mkDefault (3000 * 1024 * 1024);
+ min-free = mkDefault (512 * 1024 * 1024);
+ };
+ };
+
+ # Quieter logs
+ networking.firewall.logRefusedConnections = false;
+
+ # Unnecessary / nonsensical
+ systemd.services.NetworkManager-wait-online.enable = false;
+ systemd.network.wait-online.enable = false;
+
+ # Hardening
+ users = {
+ mutableUsers = false;
+ users.root.hashedPassword = "$y$j9T$5aHaSd9AkFijcpHRJk07q1$hxRPTrwvo3hZqFcOvNIam.iJ7jDR2ZAeZsTmQYphKpA";
+ };
+ boot.tmp.cleanOnBoot = true;
+ systemd.enableEmergencyMode = false;
+
+ # Perl is a default package
+ environment.defaultPackages = [ ];
+
+ # Things that pull in perl
+ programs.less.lessopen = mkDefault null;
+ boot.enableContainers = mkDefault false;
+
+ # Unnecessary programs/services
+ networking.firewall.enable = false;
+ system.disableInstallerTools = true;
+ documentation = {
+ enable = false;
+ nixos.enable = false;
+ man.enable = false;
+ };
+ environment.variables.BROWSER = "echo";
+ programs.vim.defaultEditor = true;
+ programs.command-not-found.enable = mkDefault false;
+ environment.stub-ld.enable = mkDefault false;
+ services.logrotate.enable = mkDefault false;
+
+ xdg.autostart.enable = mkDefault false;
+ xdg.icons.enable = mkDefault false;
+ xdg.mime.enable = mkDefault false;
+ xdg.sounds.enable = mkDefault false;
+ services.udisks2.enable = mkDefault false;
+
+ # use TCP BBR has significantly increased throughput and reduced latency for connections
+ boot.kernel.sysctl = {
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+
+ # Show package version changes on switch
+ system.activationScripts.diff = {
+ supportsDryActivation = true;
+ text = ''
+ if [[ -e /run/current-system ]]; then
+ echo "--- diff to current-system"
+ ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
+ echo "---"
+ fi
+ '';
+ };
+
+ # SSH
+ services.openssh = {
+ enable = true;
+ settings = {
+ X11Forwarding = false;
+ KbdInteractiveAuthentication = false;
+ PasswordAuthentication = true;
+ UseDns = false;
+ PermitRootLogin = "yes";
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "sntrup761x25519-sha512@openssh.com"
+ ];
+ };
+ };
+}
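Review bot: `PermitRootLogin = "yes"` combined with `PasswordAuthentication = true` in the `services.openssh.settings` block permits direct root password logins over SSH, and since the same file sets `networking.firewall.enable = false`, sshd is reachable on every interface; the committed root hash under the "Hardening" comment then becomes the only barrier against online guessing. For a kiosk base profile that is likely unintended, and `PermitRootLogin = "prohibit-password"; PasswordAuthentication = false;` with keys supplied through `users.users.root.openssh.authorizedKeys.keys` would keep the remote-admin path while removing the password surface. If password login is deliberately kept (e.g. for first-boot provisioning), a comment next to the block stating that and when it is expected to be switched off would stop the next reader from treating it as an oversight. The same applies to the firewall line, which sits under "Unnecessary programs/services" without a reason given.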