summaryrefslogtreecommitdiff
path: root/Omni/Os/Base.nix
diff options
context:
space:
mode:
authorBen Sima <ben@bsima.me>2024-12-20 13:57:22 -0500
committerBen Sima <ben@bsima.me>2024-12-21 10:08:10 -0500
commit87ead51331bc57326882055e1635a84c2d409af7 (patch)
treefb82796cb4dc7247eecb73ead2904f14a96bf17e /Omni/Os/Base.nix
parente7d6505ff6bfefa927466361570cedde799e94a6 (diff)
Create a bootstrap image for Digital Ocean droplets
I need a way to reliably get a NixOS VM provisioned in the cloud, and the easiest way to do this is to create a qcow2 image, upload it to Digital Ocean, and use that to start a droplet. This is very much a manual process, but that's fine, I shouldn't need to do it very often (for now).
Diffstat (limited to 'Omni/Os/Base.nix')
-rw-r--r--Omni/Os/Base.nix35
1 files changed, 35 insertions, 0 deletions
diff --git a/Omni/Os/Base.nix b/Omni/Os/Base.nix
new file mode 100644
index 0000000..8e301e1
--- /dev/null
+++ b/Omni/Os/Base.nix
@@ -0,0 +1,35 @@
+{ config, ... }:
+
+# This module defines common default settings that all OS builds should include.
+
+let ports = import ../Cloud/Ports.nix;
+in {
+ boot.tmp.cleanOnBoot = true;
+ networking.firewall.allowPing = true;
+ nix.settings.substituters =
+ [ "https://cache.nixos.org" ]; # "ssh://dev.simatime.com" ];
+ nix.gc.automatic = true;
+ nix.gc.dates = "Sunday 02:15";
+ nix.optimise.automatic = true;
+ nix.optimise.dates = [ "Sunday 02:30" ];
+ nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+ nix.settings.trusted-users = [ "ben" ];
+ programs.ccache.enable = true;
+ programs.mosh.enable = true;
+ programs.mosh.withUtempter = true;
+ security.acme.defaults.email = "ben@bsima.me";
+ security.acme.acceptTerms = true;
+ security.sudo.wheelNeedsPassword = false;
+ services.clamav.daemon.enable = true; # security
+ services.clamav.updater.enable = true; # security
+ services.fail2ban.enable = true; # security
+ services.fail2ban.ignoreIP = [ ports.bensIp ]; # my home IP
+ services.fail2ban.maxretry = 10;
+ services.openssh.enable = true;
+ services.openssh.openFirewall = true;
+ services.openssh.settings.X11Forwarding = true;
+ services.openssh.settings.PasswordAuthentication = false;
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
+ system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin
+ zramSwap.enable = true;
+}