commit ed148801f76b48fa88a13b6caecacfeb1f9aba1a
parent 8c6c15fccef13089d82b314ca50158695a2d4948
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 6 Mar 2025 21:28:39 +0100
configurations/nixos/default: set more values with `lib.mkDefault`
1 file changed, 21 insertions(+), 25 deletions(-)
diff --git a/configurations/nixos/default.nix b/configurations/nixos/default.nix
@@ -16,7 +16,7 @@ in {
 networking.domain = lib.mkDefault "ctu.cx";
 i18n.defaultLocale = "en_US.UTF-8";
- i18n.supportedLocales = ["de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"];
+ i18n.supportedLocales = [ "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" ];
 age.secrets.katja-systempassword.file = ../../secrets/passwords/katja.age;
 age.secrets.acmeTSIGKey.file = ./. + "/../../secrets/${config.networking.hostName}/acme-tsig-key.age";
@@ -24,6 +24,7 @@ in {
 system = {
 nixos.revision = lib.mkIf (inputs.nixpkgs.sourceInfo ? rev) inputs.nixpkgs.sourceInfo.rev;
 nixos.versionSuffix = ".${lib.substring 0 8 (inputs.nixpkgs.sourceInfo.lastModifiedDate or inputs.nixpkgs.sourceInfo.lastModified or "19700101")}.${inputs.nixpkgs.sourceInfo.shortRev or "dirty"}";
+ # thanks piegames (https://git.darmstadt.ccc.de/piegames/home-config/-/blob/master/modules/generic.nix#L84)
 activationScripts.diff = {
 supportsDryActivation = true;
@@ -43,7 +44,6 @@ in {
 };
 };
- systemd.services.nginx.onFailure = [ "email-notify@%i.service" ];
 nix = {
 channel.enable = false;
@@ -61,15 +61,17 @@ in {
 gc.dates = "18:00";
 };
+ systemd.services.nginx.onFailure = [ "email-notify@%i.service" ];
+
 services = {
- timesyncd.enable = true;
- fstrim.enable = true;
- vnstat.enable = true;
- vnstati.enable = (lib.mkDefault (if (config.networking.primaryIP != "") || (config.networking.primaryIP4 != "") then true else false));
+ timesyncd.enable = lib.mkDefault true;
+ fstrim.enable = lib.mkDefault true;
+ vnstat.enable = lib.mkDefault true;
+ vnstati.enable = lib.mkDefault config.services.vnstat.enable;
 journald.extraConfig = "SystemMaxUse=1G";
- logind.killUserProcesses = true;
+ logind.killUserProcesses = lib.mkDefault true;
 nginx = {
 recommendedGzipSettings = true;
@@ -82,17 +84,15 @@ in {
 access_log off;
 '';
- virtualHosts.default = {
- default = true;
- rejectSSL = true;
- };
+
+ virtualHosts."${config.networking.fqdn}".default = true;
 };
 openssh = {
- enable = true;
- startWhenNeeded = true;
- ports = [ 22 ];
- extraConfig = "StreamLocalBindUnlink yes";
+ enable = lib.mkDefault true;
+ startWhenNeeded = lib.mkDefault true;
+ ports = [ 22 ];
+ extraConfig = "StreamLocalBindUnlink yes";
 settings = {
 PasswordAuthentication = false;
 PermitRootLogin = "without-password";
@@ -121,21 +121,17 @@ in {
 config.services.nginx.virtualHosts |> lib.mapAttrsToList (key: config: [ (if config ? serverAliases then config.serverAliases else []) key ]) |> lib.flatten
- |> builtins.filter (val: val != "default")
 );
 };
 };
 users.mutableUsers = false;
- users.users = {
- root.openssh.authorizedKeys.keys = [ katja-pubkey ];
- katja = {
- isNormalUser = true;
- hashedPasswordFile = config.age.secrets.katja-systempassword.path;
- extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
- openssh.authorizedKeys.keys = [ katja-pubkey ];
- };
-
+ users.users.root.openssh.authorizedKeys.keys = [ katja-pubkey ];
+ users.users.katja = {
+ isNormalUser = true;
+ hashedPasswordFile = config.age.secrets.katja-systempassword.path;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ openssh.authorizedKeys.keys = [ katja-pubkey ];
 };
 home-manager.users.katja = {
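Review bot: `ports = [ 22 ];` and `extraConfig = "StreamLocalBindUnlink yes";` in the openssh block are re-added without `lib.mkDefault`, unlike `enable` and `startWhenNeeded` two lines above; both are list/lines-typed options, so a host that sets its own `ports` merges with this value and port 22 stays listening next to the host's choice unless the host resorts to `lib.mkForce`, which looks contrary to what this commit sets out to do. Wrapping them as well, `ports = lib.mkDefault [ 22 ];` and `extraConfig = lib.mkDefault "StreamLocalBindUnlink yes";`, keeps the override behaviour uniform across the block. In the nginx block, replacing the `default = true; rejectSSL = true;` catch-all with `virtualHosts."${config.networking.fqdn}".default = true;` also changes what a request with an unmatched Host or SNI receives: previously the TLS handshake was refused, now it is answered by the fqdn vhost with whatever certificate that vhost carries, which deserves a comment next to the new line such as `# catch-all: unmatched Host/SNI is answered by the fqdn vhost (no longer rejected at the TLS layer)`. Whether the fqdn vhost has TLS configured is not visible here, and the enclosing `services` attrset starts and ends outside the hunk.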