diff --git a/modules/base-server.nix b/modules/base-server.nix
new file mode 100755
index 0000000..cfee9de
--- /dev/null
+++ b/modules/base-server.nix
@@ -0,0 +1,79 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ imports = [
+ ./base.nix
+ ];
+ documentation.nixos.enable = false;
+ documentation.enable = false;
+ documentation.info.enable = false;
+ documentation.man.enable = false;
+
+ environment.variables.BROWSER = "echo";
+
+ time.timeZone = lib.mkDefault "UTC";
+ systemd = {
+ enableEmergencyMode = false;
+ settings = {
+ Manager = {
+ RuntimeWatchdogSec = "20s";
+ RebootWatchdogSec = "30s";
+ };
+ };
+
+ sleep.extraConfig = ''
+ AllowSuspend=no
+ AllowHibernation=no
+ '';
+ };
+
+ #systemd.services.NetworkManager-wait-online.enable = false;
+ #systemd.network.wait-online.enable = false;
+
+ # My servers always use /dev/vda as boot disk...
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ loader = {
+ grub = {
+ devices = lib.mkIf (config.fileSystems ? "/boot") [ "nodev" ];
+ # EFI
+ efiSupport = config.fileSystems ? "/boot" && config.fileSystems."/boot".fsType == "vfat";
+ efiInstallAsRemovable = config.fileSystems ? "/boot" && config.fileSystems."/boot".fsType == "vfat";
+ };
+ timeout = 1;
+ };
+ };
+
+ networking = {
+ hostName = lib.mkDefault "Rory-nix-base-server";
+ networkmanager.enable = false;
+ wireless.enable = false;
+ enableIPv6 = false;
+ firewall = {
+ enable = false;
+ allowedTCPPorts = [ 22 ];
+ };
+
+ useDHCP = false;
+ nameservers = [
+ "10.10.0.4"
+ "10.10.0.5"
+ "1.1.1.1"
+ "1.0.0.1"
+ "8.8.8.8"
+ "8.4.4.8"
+ ];
+ defaultGateway = lib.mkDefault "192.168.1.1";
+ };
+
+ services.pulseaudio.enable = false;
+
+ # This shaves off half a gigabyte of disk space...
+ hardware.enableAllFirmware = false;
+ hardware.enableRedistributableFirmware = false;
+}
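Review bot: `networking.firewall.allowedTCPPorts = [ 22 ]` at L65 has no effect because `networking.firewall.enable = false` on the line above disables the firewall entirely, so either the allow-list is dead configuration or the intent was to keep the firewall on with only SSH open; the two lines should be reconciled, e.g. `enable = lib.mkDefault true;` and keep `allowedTCPPorts = [ 22 ];`. The nameserver list at L75 contains `"8.4.4.8"`, which is not a Google Public DNS address — the secondary resolver is `8.8.4.4`, so `"8.8.4.4"` is presumably what was meant. This file also sets `enableIPv6 = false`, so the `options inet6` branch that base.nix emits into resolv.conf is never taken here, which is worth a comment if intentional.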
diff --git a/modules/base.nix b/modules/base.nix
new file mode 100755
index 0000000..b7770c8
--- /dev/null
+++ b/modules/base.nix
@@ -0,0 +1,161 @@
+{
+ pkgs,
+ lib,
+ config,
+ nom,
+ ...
+}:
+
+{
+ imports = [
+ ./expose-vmvariant.nix
+ ./extra-substituters.nix
+ ];
+
+ boot = {
+ initrd.systemd.enable = true;
+ kernelParams = [
+ "memory_hotplug.memmap_on_memory=1"
+ "memhp_default_state=online"
+ "net.core.default_qdisc=fq"
+ "net.ipv4.tcp_congestion_control=bbr"
+ "mitigations=off"
+ "audit=0"
+ "consoleblank=0"
+ "kmemcheck=0"
+ "no_console_suspend"
+ "kernel.core_pattern=/dev/null"
+ "init_on_alloc=0"
+ "kernel.sysrq=1"
+ "kernel.dmesg_restrict=0"
+ "net.ipv4.ip_forward=1"
+ "vm.swappiness=10"
+ "net.core.netdev_max_backlog=16384"
+ "net.core.somaxconn=8192"
+ "net.core.rmem_default=1048576"
+ "net.core.rmem_max=16777216"
+ "net.core.wmem_default=1048576"
+ "net.core.wmem_max=16777216"
+ "net.core.optmem_max=65536"
+ #"net.ipv4.tcp_rmem=4096 1048576 2097152"
+ #"net.ipv4.tcp_wmem=4096 65536 16777216"
+ "net.ipv4.udp_rmem_min=4096"
+ "net.ipv4.udp_wmem_min=4096"
+ "net.ipv4.tcp_fastopen=3"
+ "net.ipv4.tcp_mtu_probing=1"
+ "net.ipv4.tcp_keepalive_time=30"
+ "net.ipv4.tcp_keepalive_intvl=15"
+ "net.ipv4.tcp_keepalive_probes=4"
+ "net.ipv4.tcp_timestamps=0"
+ ];
+ kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+ loader = {
+ grub = {
+ enable = lib.mkDefault true;
+ };
+ timeout = 1;
+ };
+ };
+
+ networking = {
+ hostName = lib.mkDefault "Rory-nix-base";
+ firewall = {
+ enable = false;
+ };
+ nameservers = lib.mkDefault [
+ "1.1.1.1"
+ "1.0.0.1"
+ "8.8.8.8"
+ "8.4.4.8"
+ ];
+ };
+
+ environment.etc."resolv.conf" = lib.mkDefault {
+ text = lib.concatStringsSep "\n" (
+ lib.optionals (config.networking ? nameservers) (map (nameserver: "nameserver ${nameserver}") (config.networking.nameservers))
+ #++ lib.optionals (config.networking ? enableIPv6 && !config.networking.enableIPv6) [ "options no-aaaa" ]
+ ++ lib.optionals (config.networking ? enableIPv6 && config.networking.enableIPv6) [
+ "options single-request"
+ "options single-request-reopen"
+ "options inet6"
+ ]
+ );
+ };
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ services = {
+ openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ #allow more logins in cases where i have many ssh keys on a system
+ extraConfig = ''
+ MaxAuthTries 32
+ '';
+ };
+ resolved = {
+ enable = lib.mkForce false;
+ dnssec = lib.mkForce "false";
+ dnsovertls = lib.mkForce "false";
+ };
+ };
+
+ systemd = {
+ sleep.extraConfig = ''
+ AllowSuspend=no
+ AllowHibernation=no
+ '';
+ };
+
+ environment.systemPackages = with pkgs; [
+ nom.packages.${system}.default
+ ];
+
+ systemd.coredump.extraConfig = lib.mkDefault ''
+ Storage=none
+ '';
+ nix = {
+ settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ auto-optimise-store = true;
+ trusted-users = [
+ "@wheel"
+ "root"
+ ];
+ };
+ };
+ nixpkgs = {
+ config.allowUnfree = true;
+ };
+ security = {
+ polkit.enable = true;
+ sudo.wheelNeedsPassword = false;
+ };
+ virtualisation.vmVariant = {
+ services.getty.autologinUser = "root";
+ virtualisation = {
+ memorySize = 8192;
+ cores = 6;
+ msize = 1 * 1024 * 1024;
+ };
+
+ services.xserver.videoDrivers = [ "qxl" ];
+ services.spice-vdagentd.enable = true;
+ virtualisation.qemu.guestAgent.enable = true;
+ services.qemuGuest.enable = true;
+ virtualisation.qemu.options = [
+ "-vga qxl -device virtio-serial-pci -spice port=5930,disable-ticketing=on -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 -chardev spicevmc,id=spicechannel0,name=vdagent"
+ "-display gtk,zoom-to-fit=off,show-cursor=on"
+ "-device virtio-balloon"
+ ];
+ virtualisation.forwardPorts = [
+ # { hostPort = 2222; guestPort = 22; } # Probably shouldn't do this with root:root lol
+ { from = "host"; host.port = 8080; guest.port = 80; }
+ ];
+
+ networking.useDHCP = lib.mkOverride 51 true;
+ };
+}
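Review bot: Most of the `boot.kernelParams` entries at L111–L140 are sysctl keys (`net.ipv4.tcp_congestion_control=bbr`, `kernel.sysrq=1`, `vm.swappiness=10`, …), but the kernel command line does not apply bare sysctl names; these should be declared via `boot.kernel.sysctl = { "net.core.default_qdisc" = "fq"; "net.ipv4.tcp_congestion_control" = "bbr"; … }` (or prefixed with `sysctl.` on the command line), otherwise the settings are silently dropped. The same file hard-codes `"8.4.4.8"` at L160, which is not a Google resolver (`8.8.4.4` is). Note also that `mitigations=off` at L113, `kernel.dmesg_restrict=0` at L121, `PermitRootLogin = "yes"` at L181 with `MaxAuthTries 32`, and `sudo.wheelNeedsPassword = false` at L226 are all applied by this base module to every importing host while `networking.firewall.enable = false` at L154; if this is a deliberate trade-off for trusted, non-exposed machines, a header comment stating that scope (and `lib.mkDefault` on these so per-host modules can tighten them) would make the intent clear.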
diff --git a/modules/expose-vmvariant.nix b/modules/expose-vmvariant.nix
new file mode 100755
index 0000000..ab1bad0
--- /dev/null
+++ b/modules/expose-vmvariant.nix
@@ -0,0 +1,22 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+
+{
+ options.virtualisation = {
+ isVmVariant = lib.mkOption {
+ default = false;
+ example = true;
+ description = "Whether this build is a VM build.";
+ type = lib.types.bool;
+ };
+ };
+ config = {
+ virtualisation.vmVariant = {
+ virtualisation.isVmVariant = true;
+ };
+ };
+}
diff --git a/modules/extra-substituters.nix b/modules/extra-substituters.nix
new file mode 100644
index 0000000..35efcb7
--- /dev/null
+++ b/modules/extra-substituters.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+ nix.settings.trusted-substituters = [
+ "https://nix-community.cachix.org"
+ "https://cache.garnix.io"
+ "https://numtide.cachix.org"
+ ];
+
+ nix.settings.trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+ "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+ ];
+
+}
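Review bot: `nix.settings.trusted-substituters` at L290 only whitelists these caches for non-trusted users; as far as I can tell it does not make the daemon query them, so unless hosts also list them under `nix.settings.substituters` (or pass `--extra-substituters`) the public keys at L296–L300 are never used. If the intent is to actually pull from these caches, `nix.settings.substituters` is the option to add alongside the existing list. A one-line comment at the top of the file stating which of the two behaviours is intended would help, since the module name suggests "extra" (active) substituters.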