diff options
author | Ben Sima <ben@bsima.me> | 2024-12-20 13:57:22 -0500 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2024-12-21 10:08:10 -0500 |
commit | 87ead51331bc57326882055e1635a84c2d409af7 (patch) | |
tree | fb82796cb4dc7247eecb73ead2904f14a96bf17e /Omni/Os/Base.nix | |
parent | e7d6505ff6bfefa927466361570cedde799e94a6 (diff) |
Create a bootstrap image for Digital Ocean droplets
I need a way to reliably get a NixOS VM provisioned in the cloud, and the
easiest way to do this is to create a qcow2 image, upload it to Digital Ocean,
and use that to start a droplet. This is very much a manual process, but that's
fine, I shouldn't need to do it very often (for now).
Diffstat (limited to 'Omni/Os/Base.nix')
-rw-r--r-- | Omni/Os/Base.nix | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/Omni/Os/Base.nix b/Omni/Os/Base.nix new file mode 100644 index 0000000..8e301e1 --- /dev/null +++ b/Omni/Os/Base.nix @@ -0,0 +1,35 @@ +{ config, ... }: + +# This module defines common default settings that all OS builds should include. + +let ports = import ../Cloud/Ports.nix; +in { + boot.tmp.cleanOnBoot = true; + networking.firewall.allowPing = true; + nix.settings.substituters = + [ "https://cache.nixos.org" ]; # "ssh://dev.simatime.com" ]; + nix.gc.automatic = true; + nix.gc.dates = "Sunday 02:15"; + nix.optimise.automatic = true; + nix.optimise.dates = [ "Sunday 02:30" ]; + nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; + nix.settings.trusted-users = [ "ben" ]; + programs.ccache.enable = true; + programs.mosh.enable = true; + programs.mosh.withUtempter = true; + security.acme.defaults.email = "ben@bsima.me"; + security.acme.acceptTerms = true; + security.sudo.wheelNeedsPassword = false; + services.clamav.daemon.enable = true; # security + services.clamav.updater.enable = true; # security + services.fail2ban.enable = true; # security + services.fail2ban.ignoreIP = [ ports.bensIp ]; # my home IP + services.fail2ban.maxretry = 10; + services.openssh.enable = true; + services.openssh.openFirewall = true; + services.openssh.settings.X11Forwarding = true; + services.openssh.settings.PasswordAuthentication = false; + services.openssh.settings.PermitRootLogin = "prohibit-password"; + system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin + zramSwap.enable = true; +} |