# Shared NixOS baseline module: Nix daemon settings, package policy, sudo,
# /tmp handling, boot loader hardening, network sysctl hardening and a few
# always-on CLI programs. Values wrapped in `lib.mkDefault` are meant to be
# overridden by individual hosts with a plain assignment.
{
  inputs,
  config,
  lib,
  pkgs,
  ...
}:
{
  nix = {
    settings = {
      # NOTE: members of trusted-users may override daemon options such as
      # substituters and sandboxing, so this is effectively root-equivalent
      # on the machine -- consistent with wheel already having sudo below.
      trusted-users = [
        "@wheel"
        "root"
      ];
      # Flakes and the unified CLI are on everywhere unless a host opts out.
      experimental-features = lib.mkDefault [
        "nix-command"
        "flakes"
      ];
      # Replace duplicate store files with hard links to one copy. Saves disk
      # space at the cost of slower builds in some cases.
      auto-optimise-store = true;
    };
    # Weekly collection of store paths older than two weeks. Old boot entries
    # disappear with their generations; `boot.loader.systemd-boot.configurationLimit`
    # would be the explicit cap if this cadence ever proves too slow.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };
  };

  nixpkgs = {
    config = {
      allowUnfree = true;
      allowUnfreePredicate = (_: true);
    };
    # Expose `pkgs.unstable.*` next to the stable set so modules can pick
    # per package; unfree is allowed there as well for parity.
    overlays = [
      (self: _: {
        unstable = import inputs.nixpkgs-unstable {
          system = self.system;
          config.allowUnfree = true;
        };
      })
    ];
  };

  security = {
    polkit.enable = true;
    sudo = {
      enable = lib.mkDefault true;
      # Passwordless sudo for the wheel group. Hosts that want a password
      # prompt can set `security.sudo.wheelNeedsPassword = true;` directly.
      wheelNeedsPassword = lib.mkDefault false;
    };
  };

  boot = {
    tmp = {
      # Keep /tmp in RAM: fast on SSDs, and its contents do not survive a
      # reboot.
      useTmpfs = lib.mkDefault true;
      # Only needed when /tmp lives on disk; derived from the option above so
      # a host overriding useTmpfs gets the matching clean-up behaviour.
      cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
    };
    # The systemd-boot editor lets anyone at the console edit kernel args; it
    # is left on upstream for backwards compatibility. See the description in
    # nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
    loader.systemd-boot.editor = false;
    # Runtime kernel tunables.
    kernel.sysctl = {
      # Magic SysRq is not needed here, so disable it entirely.
      "kernel.sysrq" = 0;

      # This host is not a router: drop source-routed packets ...
      "net.ipv4.conf.all.accept_source_route" = 0;
      "net.ipv6.conf.all.accept_source_route" = 0;
      # ... and never emit ICMP redirects.
      "net.ipv4.conf.all.send_redirects" = 0;
      "net.ipv4.conf.default.send_redirects" = 0;

      # Ignore ICMP redirects from anyone (a MITM would use them to re-route
      # traffic); `secure_redirects` is cleared too so gateways are not
      # trusted either.
      "net.ipv4.conf.all.accept_redirects" = 0;
      "net.ipv4.conf.default.accept_redirects" = 0;
      "net.ipv4.conf.all.secure_redirects" = 0;
      "net.ipv4.conf.default.secure_redirects" = 0;
      "net.ipv6.conf.all.accept_redirects" = 0;
      "net.ipv6.conf.default.accept_redirects" = 0;

      # SYN cookies keep the listen queue usable under a SYN flood.
      "net.ipv4.tcp_syncookies" = 1;
      # Partial defence against TIME-WAIT assassination (RFC 1337).
      "net.ipv4.tcp_rfc1337" = 1;

      # Strict reverse-path filtering on every interface: packets whose
      # source address is not routable back over the receiving interface are
      # dropped, which blunts IP spoofing.
      "net.ipv4.conf.all.rp_filter" = 1;
      "net.ipv4.conf.default.rp_filter" = 1;

      # TCP Fast Open carries data in the initial SYN to cut a round trip.
      # 3 = enabled for outgoing and incoming connections; 1 would restrict
      # it to the client side on hosts that do not serve TCP.
      "net.ipv4.tcp_fastopen" = 3;

      # BBR congestion control plus the CAKE qdisc against bufferbloat, with
      # a modest gain in throughput and latency.
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.core.default_qdisc" = "cake";
    };
    # The sysctl above is applied early, so make sure the BBR module exists.
    kernelModules = [ "tcp_bbr" ];
  };

  programs = {
    git.enable = true;
    htop.enable = true;
    # Neovim from the unstable set so the newest release is the default
    # editor, with `vi`/`vim` aliases pointing at it.
    neovim = {
      enable = true;
      package = pkgs.unstable.neovim-unwrapped;
      viAlias = true;
      vimAlias = true;
      defaultEditor = true;
    };
  };
}