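# The base system without services.
#
# Shared by every deployment: declares the `nixbitcoinorg.hardware` options,
# fixes the host identity, restricts sshd to key-based logins and sizes
# PostgreSQL's shared buffers from the machine's memory.
{ config, pkgs, lib, ... }:
with lib;
let
  options = {
    nixbitcoinorg.hardware = {
      # Both values are supplied by the host-specific hardware module and
      # consumed by `hardwareConfig` below.
      numCPUs = mkOption {
        type = types.int;
      };
      memorySizeGiB = mkOption {
        type = types.int;
      };
    };
  };

  baseConfig = {
    networking.hostName = "nixbitcoin";
    networking.hostId = "d1af0f9b";
    time.timeZone = "UTC";

    services.openssh = {
      enable = true;
      # Key-based authentication only. `PasswordAuthentication = false` on
      # its own is not enough: sshd still offers keyboard-interactive (PAM)
      # logins, which can accept the root password, so that method is
      # disabled as well. Root may still log in with a key because the NixOS
      # default for `PermitRootLogin` is "prohibit-password".
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      # Generate and advertise a single ed25519 host key only.
      hostKeys = mkForce [
        {
          path = "/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];
    };

    users.users.root = {
      # Create with:
      # gpg --decrypt ./secrets/client-side/root-password.gpg 2>/dev/null | mkpasswd -m sha-512 --stdin
      # With password logins disabled in sshd above, this hash is only
      # relevant for console access.
      hashedPassword = "$6$Fdp45EVNdszmIRSn$5vw8Rs8u1v7v1YUT3BfVwwDnVbTsuyyvKcjzsOpLvbUxOeW14IFs./3MV1dEomv.Ao4RrCqW9qghcJvNFfb0Y0";
      openssh.authorizedKeys.keys = [
        "ssh-rsa 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" # nixbitcoindev
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVyeXpwHsOV8RMtQwzPGhOlJ8n5/+4hGa2jc7T47CJC" # nickler
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW0rZHTE+/gRpbPVw0Q6Wr3csEgU7P+Q8Kw6V2xxDsG" # Erik Arvstedt
      ];
    };

    # Refused connections are happening constantly on a public server and can be ignored
    networking.firewall.logRefusedConnections = false;

    environment.systemPackages = with pkgs; [
      htop
      tree
      vim
      tmux
      pv
    ];

    boot.tmp.cleanOnBoot = true;
    documentation.nixos.enable = false; # Speeds up evaluation

    nix = {
      gc = {
        automatic = true;
        options = "--delete-older-than 30d";
      };
      settings.experimental-features = "nix-command flakes";
    };

    # End all of a user's processes when their last session closes.
    services.logind.killUserProcesses = true;

    # We never deal with multiple NICs in VPS deployments.
    # This allows us to stably address the external interface as `eth0`.
    networking.usePredictableInterfaceNames = false;

    system.stateVersion = "23.05";
  };

  hardwareConfig = {
    imports = [ ./hardware.nix ];
    config = {
      # Give PostgreSQL a quarter of RAM for shared buffers. The assert
      # rejects hosts with less than 4 GiB, where integer division would
      # otherwise produce "0GB".
      services.postgresql.settings.shared_buffers = let
        size = hardwareCfg.memorySizeGiB / 4;
      in
        assert size >= 1; "${toString size}GB";
    };
  };

  # Shorthand for the values declared in `options` above.
  hardwareCfg = config.nixbitcoinorg.hardware;
in {
  inherit options;
  imports = [
    baseConfig
    hardwareConfig
  ];
}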