authorRory&::Emma <root@rory.gay>2023-08-06 23:49:43 +0000
committerRory&::Emma <root@rory.gay>2023-08-06 23:49:43 +0000
commit15cc356317a7771d26755b367dc58b2d2f7829e6 (patch)
tree2f7aa5ed1247c689a62025be644b455efadbdecc /modules
parentSynapse funkery (diff)
downloadRory-Open-Architecture-15cc356317a7771d26755b367dc58b2d2f7829e6.tar.xz
Update stuff
Diffstat (limited to 'modules')
-rwxr-xr-xmodules/base-server.nix54
-rwxr-xr-xmodules/base.nix32
-rwxr-xr-xmodules/users/Rory.nix1
-rwxr-xr-xmodules/users/db2k.nix16
-rwxr-xr-xmodules/users/levi.nix18
5 files changed, 116 insertions, 5 deletions
diff --git a/modules/base-server.nix b/modules/base-server.nix
index d577306..76f5947 100755
--- a/modules/base-server.nix
+++ b/modules/base-server.nix
@@ -7,6 +7,56 @@
        ./users/chris.nix
     ];
   documentation.nixos.enable = false;
+  documentation.enable = false;
+  documentation.info.enable = false;
+  documentation.man.enable = false;
+
+  
+  environment.variables.BROWSER = "echo";
+
+  nix.settings.trusted-users = [ "root" "@wheel" ];
+
+  time.timeZone = lib.mkDefault "UTC";
+  systemd = {
+    # Given that our systems are headless, emergency mode is useless.
+    # We prefer the system to attempt to continue booting so
+    # that we can hopefully still access it remotely.
+    enableEmergencyMode = false;
+
+    # For more detail, see:
+    #   https://0pointer.de/blog/projects/watchdog.html
+    watchdog = {
+      # systemd will send a signal to the hardware watchdog at half
+      # the interval defined here, so every 10s.
+      # If the hardware watchdog does not get a signal for 20s,
+      # it will forcefully reboot the system.
+      runtimeTime = "20s";
+      # Forcefully reboot if the final stage of the reboot
+      # hangs without progress for more than 30s.
+      # For more info, see:
+      #   https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+      rebootTime = "30s";
+    };
+
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+    '';
+  };
+
+  systemd.services.NetworkManager-wait-online.enable = false;
+  systemd.network.wait-online.enable = false;
+  systemd.services.systemd-networkd.stopIfChanged = false;
+  systemd.services.systemd-resolved.stopIfChanged = false;
+  nix.settings.max-free = lib.mkDefault (1000 * 1000 * 1000);
+  nix.settings.min-free = lib.mkDefault (128 * 1000 * 1000);
+
+  # TODO: cargo culted.
+  nix.daemonCPUSchedPolicy = lib.mkDefault "batch";
+  nix.daemonIOSchedClass = lib.mkDefault "idle";
+  nix.daemonIOSchedPriority = lib.mkDefault 7;
+
+
   # My servers always use /dev/sda as boot disk...
   boot = {
     kernelPackages = pkgs.linuxPackages_latest;
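Review bot: `nix.settings.trusted-users = [ "root" "@wheel" ];` makes every member of wheel a trusted Nix user, and the line has no comment recording that this is deliberate. A trusted user can point the daemon at arbitrary substituters and import unsigned store paths, which the Nix manual treats as essentially root-equivalent. If the goal is remote deployment by one admin (an assumption, the hunk does not say), narrow the list to that user or add a comment such as `# wheel is already root-equivalent on these hosts; trusted for remote rebuilds`. The `boot` block at the end of the hunk continues outside it.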
@@ -26,6 +76,7 @@
   networking = {
     hostName = lib.mkDefault "Rory-nix-base-server";
     networkmanager.enable = false;
+    useNetworkd = true;
     wireless.enable = false;
     enableIPv6 = false;
     firewall = {
@@ -35,7 +86,8 @@
     };
 
     useDHCP = false;
-    nameservers = [ "1.1.1.1" ];
+#     nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" "8.4.4.8" ];
+    nameservers = [ "10.10.0.4" "10.10.0.5" ];
     defaultGateway = "192.168.1.1";
   };
 
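Review bot: The commented-out fallback list contains `8.4.4.8`, which is not Google's secondary resolver (`8.8.4.4`), so anyone who re-enables that line during an outage would send queries to an unrelated address. Either delete the dead line or correct it to `# nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" "8.8.4.4" ];`. The active list now names only `10.10.0.4` and `10.10.0.5` while `defaultGateway` stays `192.168.1.1`. Whether every host importing this module can reach those resolvers is not visible here, so wrapping the list in `lib.mkDefault` would let individual hosts override it. The `networking` block starts outside the hunk.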
diff --git a/modules/base.nix b/modules/base.nix
index b0e1d95..ffc08f9 100755
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -6,7 +6,12 @@
       ./packages/vim.nix
       ./users/Rory.nix
     ];
-  boot.kernelParams = [ "memory_hotplug.memmap_on_memory=1" "memhp_default_state=online" ];
+  boot.kernelParams = [ 
+    "memory_hotplug.memmap_on_memory=1"
+    "memhp_default_state=online"
+    "net.core.default_qdisc=fq"
+    "net.ipv4.tcp_congestion_control=bbr"
+  ];
   networking = {
     hostName = lib.mkDefault "Rory-nix-base";
     firewall = {
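Review bot: `net.core.default_qdisc=fq` and `net.ipv4.tcp_congestion_control=bbr` are sysctl keys rather than kernel command-line parameters, so adding them to `boot.kernelParams` most likely has no effect. Without a `sysctl.` prefix the kernel reads a dotted name as a module parameter and drops it when no module claims it. The usual NixOS form is `boot.kernel.sysctl = { "net.core.default_qdisc" = "fq"; "net.ipv4.tcp_congestion_control" = "bbr"; };`, plus `boot.kernelModules = [ "tcp_bbr" ];` if BBR is built as a module. The `networking` block continues outside the hunk.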
@@ -29,8 +34,13 @@
     };	
   };
 
-  sound.enable = lib.mkDefault true;
-  hardware.pulseaudio.enable = lib.mkDefault true;
+
+  systemd = {
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+      '';
+  };
 
   environment.systemPackages = with pkgs; [
     wget
@@ -47,12 +57,26 @@
     neovim
 #    vimPlugins.vim-nix
     tmux
+    jq
+    yq
+    pv
+    dig
+    cloud-utils
   ];
 
   systemd.coredump.extraConfig = lib.mkDefault ''
     Storage=none
   '';
-
+  nix.settings.trusted-substituters = [
+    "https://nix-community.cachix.org"
+    "https://cache.garnix.io"
+    "https://numtide.cachix.org"
+  ];
+  nix.settings.trusted-public-keys = [
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+    "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+  ];
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
   nixpkgs.config.allowUnfree = true;
   security.sudo.wheelNeedsPassword = false;
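Review bot: The three entries added to `nix.settings.trusted-public-keys` live in the base module, so every host that imports `base.nix` will accept store paths signed by the nix-community, garnix or numtide keys as valid substitutes. That adds three external signers to the trust root of every machine, and nothing in the hunk says which package or flake needs which cache. Consider moving each cache to the host or module that actually uses it and adding a comment per entry, for example `# garnix: cache for <flake name>`. Note that `trusted-substituters` only allows users to opt in to those URLs; it is the key list that carries the trust.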
diff --git a/modules/users/Rory.nix b/modules/users/Rory.nix
index 3079f7b..b9c5722 100755
--- a/modules/users/Rory.nix
+++ b/modules/users/Rory.nix
@@ -13,6 +13,7 @@
       #"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT+53Hy3wbIlNVIomK2RroaimMWrTlUkndjHt1dFuyh root@pfSense-arcane-home.localdomain"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILF2IuNu//0DP/wKMuDvBgVT3YBS2uULsipbdrhJCTM7 thearcanebrony@tab-linux-desktop"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/kNkY/E5b6rvCQLMaSbpLQ/xoyywIwVVu9uo2j/B6p Rory@RoryNix"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNhsYWo5pEilXQGcn2SOuvzIdy67QpdtC7vnmlJB9WX Administrator@nt-6mnnvobcjimo"
     ];
   };
 
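Review bot: The added key is labelled only `Administrator@nt-6mnnvobcjimo`, a generic account name on what looks like an auto-generated hostname, so the file does not record which device holds the private key or why it was added. A comment above the entry, such as `# Rory, <device>, added 2023-08`, would make it possible to rotate or remove this key later without guessing. If the machine is temporary, say so in the same comment. The key list and the enclosing user block start outside the hunk.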
diff --git a/modules/users/db2k.nix b/modules/users/db2k.nix
new file mode 100755
index 0000000..a6dc7cd
--- /dev/null
+++ b/modules/users/db2k.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+  users.groups.db2k = {};
+  users.users.db2k = {
+    isSystemUser = true;
+    extraGroups = [ "ocp" ];
+    group = "db2k";
+    home = "/data/nginx/html_git/.ocp";
+    shell = "${pkgs.git}/bin/git-shell";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMfXA4Oh0LZqY8LAS/lnANKVDBlemHGPWdtep1GE/LId garyzipperer09@gmail.com"
+    ];
+  };
+}
+
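Review bot: `git-shell` limits which commands this account can run, but the entry in `openssh.authorizedKeys.keys` carries no key options, so sshd still permits port, agent and X11 forwarding for it unless the server configuration disables them elsewhere. Prefixing the entry with the `restrict` option closes that gap: `"restrict ssh-ed25519 <key> <comment>"`. The same applies to all three keys in `modules/users/levi.nix`, which also sets the same `home = "/data/nginx/html_git/.ocp"` as this user. If that directory is served by nginx (the path suggests it, but this is not visible here), a comment stating who may write there would help.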
diff --git a/modules/users/levi.nix b/modules/users/levi.nix
new file mode 100755
index 0000000..bb28656
--- /dev/null
+++ b/modules/users/levi.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+
+{
+  users.groups.levi = {};
+  users.users.levi = {
+    isSystemUser = true;
+    extraGroups = [ "ocp" ];
+    group = "levi";
+    home = "/data/nginx/html_git/.ocp";
+    shell = "${pkgs.git}/bin/git-shell";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/DfjjvYlNVRSwuhxYq3MkUNQch5UJ4ktpDAAAYUTVa"
+      "ssh-rsa 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 levijordan007@gmail.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILF2IuNu//0DP/wKMuDvBgVT3YBS2uULsipbdrhJCTM7 thearcanebrony@tab-linux-desktop"
+    ];
+  };
+}
+
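Review bot: The first key in `openssh.authorizedKeys.keys` has no comment field, so nothing records whose device it belongs to. The third entry is the same `thearcanebrony@tab-linux-desktop` key that `modules/users/Rory.nix` authorizes for the admin account. Reusing an admin key on this git account means one cannot be rotated without the other. If it is there for testing, a comment such as `# Rory's desktop key, for testing pushes as levi` would record that; otherwise it could be dropped. A label on the first key, in the form `… levi@<device>`, would make later audits easier.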