reorganization

This commit is contained in:
Reid 2026-04-22 23:21:34 -07:00
parent f1cd1e461f
commit f2c9e4d5b7
Signed by: reidlab
GPG key ID: DAF5EAF6665839FD
12 changed files with 140 additions and 30 deletions


@ -0,0 +1,36 @@
{ config, lib, ... }:
with lib;
{
# if lvm is enabled, then tell it to issue discards
# (this is good for SSDs and has almost no downsides on HDDs, so
# it's a good idea to enable it unconditionally)
environment.etc."lvm/lvm.conf".text = mkIf config.services.lvm.enable ''
devices {
issue_discards = 1
}
'';
# discard blocks that are not in use by the filesystem, good for SSDs
services.fstrim = {
# we may enable this unconditionally across all systems becuase it's performance
# impact is negligible on systems without a SSD - which means it's a no-op with
# almost no downsides aside from the service firing once per week
enable = true;
# the default value, good enough for average-load systems
interval = "weekly";
};
# tweak fstrim service to run only when on AC power
# and to be nice to other processes
# (this is a good idea for any service that runs periodically)
systemd.services.fstrim = {
unitConfig.ConditionACPower = true;
serviceConfig = {
Nice = 19;
IOSchedulingClass = "idle";
};
};
}

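--- a/modules/core/fs/lvm.nix
+++ b/modules/core/fs/lvm.nix
@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+with lib;
+{
+# i don't use lvm, can be disabled
+services.lvm.enable = mkDefault false;
+}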

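--- a/modules/core/fs/scrub.nix
+++ b/modules/core/fs/scrub.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+with lib;
+let
+supportedFilesystems = builtins.map (builtins.getAttr "fsType") (builtins.attrValues config.fileSystems);
+mkScrubConfig = fsType: {
+enable = builtins.elem fsType supportedFilesystems;
+interval = "weekly";
+};
+in {
+services.btrfs.autoScrub = mkScrubConfig "btrfs";
+services.zfs.autoScrub = mkScrubConfig "zfs";
+# bcachefs exists but it was "ejected from the kernel" for "repeated violations of kernel dev. guidelines"
+# linus "tech tips" torvalds said himself "nobody sane uses bcachefs and expects it to be stable" (https://en.wikipedia.org/wiki/Bcachefs#Stability)
+}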
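Review bot: `mkScrubConfig` writes `enable = false` with normal priority for whichever filesystem is not mounted, so any other module that sets `services.btrfs.autoScrub.enable = true` or `services.zfs.autoScrub.enable = true` will most likely hit a conflicting-definition error instead of winning; wrapping the attrset in `mkIf (builtins.elem fsType usedFsTypes)` (or using `mkDefault`) avoids that. The name `supportedFilesystems` is also misleading: it collects the `fsType` of every configured mount, i.e. the filesystems in use, and reads like NixOS's own `boot.supportedFilesystems`. Finally `with lib;` brings nothing into play here since the list is built with `builtins.map`/`builtins.attrValues`; either drop it or lean on it, e.g. `usedFsTypes = map (fs: fs.fsType) (attrValues config.fileSystems);`.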

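--- a/modules/core/locale.nix
+++ b/modules/core/locale.nix
@@ -0,0 +1,13 @@
+{ lib, pkgs, inputs, config, ... }:
+with lib;
+{
+i18n.defaultLocale = mkDefault "en_US.UTF-8";
+services.xserver.xkb = {
+layout = "us";
+variant = "qwerty";
+};
+console = {
+useXkbConfig = mkDefault true;
+};
+}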
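Review bot: `variant = "qwerty"` is worth verifying before it lands: the `us` layout is QWERTY already and I don't recall xkeyboard-config defining a `qwerty` variant for it, and an unknown variant can make the keymap fail to compile at X start (and, via `console.useXkbConfig`, affect the console keymap too); check with `localectl list-x11-keymap-variants us` and drop the line if it is not listed. Separately, `pkgs`, `inputs` and `config` are destructured in the module header but never used, so `{ lib, ... }:` is enough.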

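--- a/modules/core/nix.nix
+++ b/modules/core/nix.nix
@@ -0,0 +1,43 @@
+{ lib, pkgs, inputs, config, ... }:
+{
+environment.variables = {
+NIXPKGS_ALLOW_UNFREE = "1";
+};
+nixpkgs.flake.setNixPath = true;
+nixpkgs.flake.setFlakeRegistry = true;
+nix = {
+package = pkgs.nixVersions.latest;
+settings = {
+experimental-features = [ "nix-command" "flakes" ];
+auto-optimise-store = true;
+keep-outputs = true;
+keep-derivations = true;
+substituters = [
+"https://nix-community.cachix.org"
+];
+trusted-public-keys = [
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+];
+};
+};
+nix.optimise.automatic = true; # likely not needed w/ auto-optimise-store, comfy to keep though
+nix.gc = {
+automatic = true;
+dates = "weekly";
+options = "--delete-older-than 30d";
+};
+# compat w/ non-nix programs
+programs.nix-ld.enable = true;
+programs.appimage = {
+enable = true;
+binfmt = true;
+};
+}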
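Review bot: `NIXPKGS_ALLOW_UNFREE = "1"` in `environment.variables` only reaches ad-hoc, impure evaluations such as `nix-env` or `nix run --impure`; nixpkgs reads that variable with `builtins.getEnv`, which yields an empty string under the pure flake evaluation this module is clearly built for (`nixpkgs.flake.setNixPath`, the `inputs` argument), so the system closure itself still rejects unfree packages. If that is the intent, add `nixpkgs.config.allowUnfree = true;` next to it and keep the env var only for the shell-side convenience, with a comment saying which case each one covers. `lib`, `inputs` and `config` are also destructured but unused in this file.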

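--- a/modules/core/security.nix
+++ b/modules/core/security.nix
@@ -0,0 +1,76 @@
+{ config, lib, options, pkgs, ... }:
+with lib;
+let
+cfg = config.modules.core.security;
+in {
+options.modules.core.security = {
+useDoas = mkEnableOption "use opendoas instead of sudo";
+};
+config = mkMerge [
+{
+boot = {
+tmp.useTmpfs = lib.mkDefault true;
+tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+# disable kernel parameter editing on boot
+loader.systemd-boot.editor = false;
+kernel.sysctl = {
+# magic sysrq key, allows low-level commands through keyboard input
+"kernel.sysrq" = 0;
+## TCP hardening
+# prevent bogus ICMP errors from filling up logs
+"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+# do not accept IP source packets (we are not a router)
+"net.ipv4.conf.all.accept_source_route" = 0;
+"net.ipv6.conf.all.accept_source_route" = 0;
+# don't send ICMP redirects (again, we're not a router)
+"net.ipv4.conf.all.send_redirects" = 0;
+"net.ipv4.conf.default.send_redirects" = 0;
+# refuse ICMP redirects (MITM mitigations)
+"net.ipv4.conf.all.accept_redirects" = 0;
+"net.ipv4.conf.default.accept_redirects" = 0;
+"net.ipv4.conf.all.secure_redirects" = 0;
+"net.ipv4.conf.default.secure_redirects" = 0;
+"net.ipv6.conf.all.accept_redirects" = 0;
+"net.ipv6.conf.default.accept_redirects" = 0;
+# protects against SYN flood attacks
+"net.ipv4.tcp_syncookies" = 1;
+# incomplete protection against TIME-WAIT assassination
+"net.ipv4.tcp_rfc1337" = 1;
+## TCP optimization
+# TCP fastopen
+"net.ipv4.tcp_fastopen" = 3;
+# bufferbloat mitigations + improvement in throughput and latency
+"net.ipv4.tcp_congestion_control" = "bbr";
+"net.core.default_qdisc" = "cake";
+};
+kernelModules = [ "tcp_bbr" ];
+};
+security = {
+# prevents replacing the kernel without a reboot
+protectKernelImage = true;
+# rtkit allows unprivileged processes to use realtime scheduling
+# polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
+rtkit.enable = true;
+polkit.enable = true;
+};
+# while this is on by default, i am going to explicitly specify this
+networking.firewall.enable = true;
+# stay up to date on firmware
+services.fwupd.enable = true;
+}
+(mkIf cfg.useDoas {
+security.sudo.enable = false;
+security.doas.enable = true;
+environment.systemPackages = with pkgs; [ doas-sudo-shim ];
+})
+];
+}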
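Review bot: The source-route sysctls in `kernel.sysctl` set only the `conf.all.*` knob, while every redirect-related key right below them sets both `conf.all.*` and `conf.default.*`; `default` is what interfaces created after boot (VPN tunnels, containers, hotplugged NICs) inherit, and as far as I read the ip-sysctl docs the way `all` combines with the per-interface value differs between keys and between IPv4 and IPv6, so for a consistent baseline add `"net.ipv4.conf.default.accept_source_route" = 0;` and `"net.ipv6.conf.default.accept_source_route" = 0;` next to the existing two. `lib.mkDefault` on the two `boot.tmp.*` lines is written qualified although the file is under `with lib;` and uses `mkMerge`, `mkIf` and `mkEnableOption` unqualified — pick one form. The file is also committed with the executable bit set (`Executable file` in the header), which a Nix module never needs; `chmod -x` it so it matches the sibling modules.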