diff options
author | jeschli <jeschli@gmail.com> | 2018-10-26 12:25:40 +0200 |
---|---|---|
committer | jeschli <jeschli@gmail.com> | 2018-10-26 12:25:40 +0200 |
commit | a6670e5090dd71aacd7c7605b12d8d3410d25daa (patch) | |
tree | 8475a3cc3583d94959a1cc8b6effcd3b8c10a32a /makefu/2configs/minimal.nix | |
parent | f6ad60a0c6cbac45e8ba715b24a7a37f8e2560dc (diff) | |
parent | 24f4e8dcf0eca55378fa018a9ed980625222653d (diff) |
Merge remote-tracking branch 'origin/master'
Diffstat (limited to 'makefu/2configs/minimal.nix')
-rw-r--r-- | makefu/2configs/minimal.nix | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/makefu/2configs/minimal.nix b/makefu/2configs/minimal.nix new file mode 100644 index 000000000..d764e5624 --- /dev/null +++ b/makefu/2configs/minimal.nix @@ -0,0 +1,88 @@ +{ lib, pkgs, config, ... }: +# minimal subset of sane configuration for stockholm +{ + # nobody needs this + programs.command-not-found.enable = false; + + # the only true timezone (even after the the removal of DST) + time.timeZone = "Europe/Berlin"; + + networking.hostName = config.krebs.build.host.name; + nix.buildCores = config.krebs.build.host.cores; + + # we use gpg if necessary (or nothing at all) + programs.ssh.startAgent = false; + + # all boxes look the same + nix.useSandbox = true; + # we configure users via nix + users.mutableUsers = false; + + # sane firewalling + networking.firewall.rejectPackets = true; + networking.firewall.allowPing = true; + + # openssh all the way down + services.openssh.enable = true; + + # we use stockholm via populate + nix.nixPath = [ "/var/src" ]; + + environment.variables = let + ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + in { + NIX_PATH = lib.mkForce "/var/src"; + EDITOR = lib.mkForce "vim"; + CURL_CA_BUNDLE = ca-bundle; + GIT_SSL_CAINFO = ca-bundle; + SSL_CERT_FILE = ca-bundle; + }; + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=900001 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + ''; + + promptInit = '' + case $UID in + 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;; + 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;; + *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + # trust the cool guys + networking.timeServers = [ + "pool.ntp.org" + "time.nist.gov" + ]; + + # the only locale you will ever need + i18n = { + consoleKeyMap = "us"; + defaultLocale = "en_US.UTF-8"; + }; + + # suppress chrome autit event messages + security.audit = { + rules = [ + "-a task,never" + ]; + }; + + # Enable IPv6 Privacy Extensions + boot.kernel.sysctl = { + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; +} |