From 5028503d6d2a21d9e4cb3100a2f9b2795cb5d4bd Mon Sep 17 00:00:00 2001 From: tcmal Date: Fri, 23 Aug 2024 01:03:50 +0100 Subject: basic kiosk module --- profiles/common.nix | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 profiles/common.nix (limited to 'profiles') diff --git a/profiles/common.nix b/profiles/common.nix new file mode 100644 index 0000000..0aa496e --- /dev/null +++ b/profiles/common.nix @@ -0,0 +1,139 @@ +{ + pkgs, + lib, + inputs, + config, + ... +}: +let + inherit (lib) mkDefault; +in +{ + system.stateVersion = "24.05"; + + environment.systemPackages = with pkgs; [ + vim + curl + dnsutils + gitMinimal + ]; + + nixpkgs.config.allowUnfree = true; + nix = { + nixPath = [ ]; + + gc = { + automatic = true; + options = "--delete-older-than 7d"; + }; + + registry = { + nixpkgs.to = { + owner = "nixos"; + repo = "nixpkgs"; + type = "github"; + rev = inputs.nixpkgs.rev; + }; + }; + + settings = { + # Improve nix store disk usage + auto-optimise-store = true; + + # Prevents impurities in builds + sandbox = true; + + experimental-features = [ + "nix-command" + "flakes" + "ca-derivations" + ]; + flake-registry = ""; + + connect-timeout = 20; + log-lines = mkDefault 25; + + max-free = mkDefault (3000 * 1024 * 1024); + min-free = mkDefault (512 * 1024 * 1024); + }; + }; + + # Quieter logs + networking.firewall.logRefusedConnections = false; + + # Unnecessary / nonsensical + systemd.services.NetworkManager-wait-online.enable = false; + systemd.network.wait-online.enable = false; + + # Hardening + users = { + mutableUsers = false; + users.root.hashedPassword = "$y$j9T$5aHaSd9AkFijcpHRJk07q1$hxRPTrwvo3hZqFcOvNIam.iJ7jDR2ZAeZsTmQYphKpA"; + }; + boot.tmp.cleanOnBoot = true; + systemd.enableEmergencyMode = false; + + # Perl is a default package + environment.defaultPackages = [ ]; + + # Things that pull in perl + programs.less.lessopen = mkDefault null; + boot.enableContainers = mkDefault false; + + # Unnecessary programs/services + networking.firewall.enable = false; + system.disableInstallerTools = true; + documentation = { + enable = false; + nixos.enable = false; + man.enable = false; + }; + environment.variables.BROWSER = "echo"; + programs.vim.defaultEditor = true; + programs.command-not-found.enable = mkDefault false; + environment.stub-ld.enable = mkDefault false; + services.logrotate.enable = mkDefault false; + + xdg.autostart.enable = mkDefault false; + xdg.icons.enable = mkDefault false; + xdg.mime.enable = mkDefault false; + xdg.sounds.enable = mkDefault false; + services.udisks2.enable = mkDefault false; + + # use TCP BBR has significantly increased throughput and reduced latency for connections + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; + + # Show package version changes on switch + system.activationScripts.diff = { + supportsDryActivation = true; + text = '' + if [[ -e /run/current-system ]]; then + echo "--- diff to current-system" + ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig" + echo "---" + fi + ''; + }; + + # SSH + services.openssh = { + enable = true; + settings = { + X11Forwarding = false; + KbdInteractiveAuthentication = false; + PasswordAuthentication = true; + UseDns = false; + PermitRootLogin = "yes"; + KexAlgorithms = [ + "curve25519-sha256" + "curve25519-sha256@libssh.org" + "diffie-hellman-group16-sha512" + "diffie-hellman-group18-sha512" + "sntrup761x25519-sha512@openssh.com" + ]; + }; + }; +} -- cgit v1.2.3