{ config, lib, pkgs, ... }: with import <stockholm/lib>; { krebs = { enable = true; build = { user = config.krebs.users.mv; host = config.krebs.hosts.stro; source = let HOME = getEnv "HOME"; host = config.krebs.build.host; in { nixos-config.symlink = "stockholm/mv/1systems/${host.name}.nix"; secrets.file = "${HOME}/secrets/${host.name}"; stockholm.file = "${HOME}/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f"; }; }; }; }; imports = [ <secrets> <stockholm/krebs> <stockholm/tv/2configs/audit.nix> <stockholm/tv/2configs/bash.nix> <stockholm/tv/2configs/exim-retiolum.nix> <stockholm/tv/2configs/hw/x220.nix> <stockholm/tv/2configs/im.nix> <stockholm/tv/2configs/mail-client.nix> <stockholm/tv/2configs/nginx/public_html.nix> <stockholm/tv/2configs/retiolum.nix> <stockholm/tv/2configs/ssh.nix> <stockholm/tv/2configs/sshd.nix> <stockholm/tv/2configs/vim.nix> <stockholm/tv/2configs/xdg.nix> <stockholm/tv/2configs/xserver> <stockholm/tv/3modules> <stockholm/tv/5pkgs> ]; boot.kernel.sysctl = { # Enable IPv6 Privacy Extensions "net.ipv6.conf.all.use_tempaddr" = 2; "net.ipv6.conf.default.use_tempaddr" = 2; }; boot.initrd.luks = { cryptoModules = [ "aes" "sha512" "xts" ]; devices = [ { name = "luks1"; device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part2"; } ]; }; environment = { profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; shellAliases = mkForce { gp = "${pkgs.pari}/bin/gp -q"; df = "df -h"; du = "du -h"; ls = "ls -h --color=auto --group-directories-first"; dmesg = "dmesg -L --reltime"; view = "vim -R"; reload = "systemctl reload"; restart = "systemctl restart"; start = "systemctl start"; status = "systemctl status"; stop = "systemctl stop"; }; systemPackages = with pkgs; [ dic htop p7zip q pavucontrol rxvt_unicode.terminfo # stockholm git gnumake populate ]; variables = { NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; }; }; fileSystems = { "/boot" = { device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part1"; }; "/" = { device = "/dev/mapper/vg1-root"; fsType = "btrfs"; options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; "/home" = { device = "/dev/mapper/vg1-home"; fsType = "btrfs"; options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; "/tmp" = { device = "tmpfs"; fsType = "tmpfs"; options = ["nosuid" "nodev" "noatime"]; }; }; hardware.pulseaudio = { enable = true; systemWide = true; }; networking.hostName = config.krebs.build.host.name; nix = { binaryCaches = ["https://cache.nixos.org"]; # TODO check if both are required: chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; requireSignedBinaryCaches = true; useChroot = true; }; nixpkgs.config.allowUnfree = false; users = { defaultUserShell = "/run/current-system/sw/bin/bash"; mutableUsers = false; users = { mv = { inherit (config.krebs.users.mv) home uid; isNormalUser = true; }; }; }; security.setuidPrograms = [ "sendmail" ]; security.sudo.extraConfig = '' Defaults env_keep+="SSH_CLIENT" Defaults mailto="${config.krebs.users.mv.mail}" Defaults !lecture ''; services.cron.enable = false; services.journald.extraConfig = '' SystemMaxUse=1G RuntimeMaxUse=128M ''; services.nscd.enable = false; services.ntp.enable = false; services.timesyncd.enable = true; time.timeZone = "Europe/Berlin"; tv.iptables = { enable = true; accept-echo-request = "internet"; }; system.stateVersion = "16.03"; }