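# Baseline NixOS module for headless VM servers: trims documentation,
# arms the hardware watchdog, uses a static systemd-networkd network
# setup and ships metrics/logs via the Prometheus node exporter and
# promtail. Per-host configurations import this file; every value
# wrapped in lib.mkDefault is intended to be overridden there.
{ config, pkgs, lib, ... }:
{
  imports = [
    ./base.nix
    ./users/chris.nix
  ];

  # Nobody reads docs on these hosts; skip building and installing them.
  documentation = {
    enable = false;
    nixos.enable = false;
    info.enable = false;
    man.enable = false;
  };

  # Tools that want to open a browser just print the URL instead.
  environment.variables.BROWSER = "echo";

  nix = {
    settings = {
      # NOTE(security): trusted users gain extra rights on the daemon
      # (e.g. adding substituters or importing unsigned paths), which is
      # effectively root on the store; keep membership of wheel small.
      trusted-users = [ "root" "@wheel" ];
      # Automatic GC: start when free space drops below min-free and stop
      # once max-free bytes are available.
      max-free = lib.mkDefault (1000 * 1000 * 1000);
      min-free = lib.mkDefault (128 * 1000 * 1000);
    };
    # Keep builds from starving the services running on the host.
    daemonCPUSchedPolicy = lib.mkDefault "batch";
    daemonIOSchedClass = lib.mkDefault "idle";
    daemonIOSchedPriority = lib.mkDefault 7;
  };

  time.timeZone = lib.mkDefault "UTC";

  systemd = {
    # Given that our systems are headless, emergency mode is useless.
    # We prefer the system to attempt to continue booting so
    # that we can hopefully still access it remotely.
    enableEmergencyMode = false;

    # For more detail, see:
    # https://0pointer.de/blog/projects/watchdog.html
    watchdog = {
      # systemd will send a signal to the hardware watchdog at half
      # the interval defined here, so every 10s.
      # If the hardware watchdog does not get a signal for 20s,
      # it will forcefully reboot the system.
      runtimeTime = "20s";
      # Forcefully reboot if the final stage of the reboot
      # hangs without progress for more than 30s.
      # For more info, see:
      # https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
      rebootTime = "30s";
    };

    # A server must never suspend or hibernate.
    sleep.extraConfig = ''
      AllowSuspend=no
      AllowHibernation=no
    '';

    # Networking is static (see below); do not hold boot on "network-online".
    services.NetworkManager-wait-online.enable = false;
    network.wait-online.enable = false;
    # services.systemd-networkd.stopIfChanged = false;
    # services.systemd-resolved.stopIfChanged = false;
  };

  # My servers always use /dev/vda as boot disk...
  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    loader = {
      grub = {
        devices = [ "/dev/vda" ]; # nodev for EFI only
        # EFI
        efiSupport = false;
        efiInstallAsRemovable = false;
      };
      # No console operator to pick a menu entry, so boot almost immediately.
      timeout = 1;
    };
  };

  networking = {
    hostName = lib.mkDefault "Rory-nix-base-server";
    networkmanager.enable = false;
    useNetworkd = true;
    wireless.enable = false;
    enableIPv6 = false;
    # NOTE(security): with the firewall disabled, every listening service
    # on this host (node exporter on 9100, promtail on 3031, ...) is reachable
    # from any network the host is attached to; filtering has to happen
    # upstream of the VM.
    firewall = {
      enable = false;
      # allowedTCPPorts = [ ... ];
      # allowedUDPPorts = [ ... ];
    };
    # Addresses are assigned statically per host.
    useDHCP = false;
    # nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" "8.8.4.4" ];
    # Internal resolvers first, public resolvers as fallback.
    # Google's secondary resolver is 8.8.4.4; the previous "8.4.4.8"
    # was a typo and not a Google resolver at all.
    nameservers = [ "10.10.0.4" "10.10.0.5" "1.1.1.1" "1.0.0.1" "8.8.8.8" "8.8.4.4" ];
    resolvconf.enable = true;
    defaultGateway = "192.168.1.1";
  };

  # No audio hardware on a server.
  sound.enable = false;
  hardware.pulseaudio.enable = false;

  i18n.defaultLocale = "en_US.UTF-8";

  services = {
    prometheus.exporters.node = {
      enable = true;
      port = 9100;
      enabledCollectors = [
        "logind"
        "systemd"
        "processes"
        "interrupts"
        # Testing:
        "buddyinfo"
        "cgroups"
        "cpu_vulnerabilities"
        "devstat"
        "ksmd"
        "lnstat"
        "mountstats"
        "network_route"
        #"perf" # requires sysctl change
        "qdisc"
        "sysctl"
        "softirqs"
        "tcpstat"
      ];
      disabledCollectors = [
        "textfile"
        "xfs"
        "zfs"
        "selinux"
        "cpufreq"
        "btrfs"
        "powersupplyclass"
        "mdadm"
      ];
    };

    promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 3031;
          grpc_listen_port = 0;
        };
        # NOTE(review): /tmp is shared and normally wiped on reboot, so the
        # read positions are lost (the journal gets re-shipped up to max_age)
        # and the state file sits in a world-writable directory. A
        # persistent, service-owned directory would be safer — TODO confirm
        # which directory the promtail module provides.
        positions.filename = "/tmp/positions.yaml";
        clients = [
          { url = "https://loki.regional.seian.cloud/loki/api/v1/push"; }
        ];
        scrape_configs = [
          {
            job_name = "journal";
            journal = {
              max_age = "12h";
              labels = {
                job = "systemd-journal";
                # hostName is already a string; no interpolation needed.
                host = config.networking.hostName;
              };
            };
            relabel_configs = [
              {
                source_labels = [ "__journal__systemd_unit" ];
                target_label = "unit";
              }
            ];
          }
        ];
      };
    };
  };
}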