modularize baseline system configuration

2024-12-02 14:04:55 -06:00 · 2024-12-02 14:04:55 -06:00 · d5afd4b1a7
commit d5afd4b1a7
parent 80e5a5e8a6
7 changed files with 107 additions and 70 deletions
--- a/sys/modules/baseline.nix
+++ b/sys/modules/baseline.nix
@ -0,0 +1,76 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.baseline;
+in {
+  options.local.sys.baseline = {
+    enable = mkEnableOption "Basic system settings";
+  };
+  config = mkIf cfg.enable {
+    system.stateVersion = "24.05"; # DO NOT CHANGE
+
+    nix = {
+      package = pkgs.nixVersions.stable;
+
+      extraOptions = ''
+        experimental-features = nix-command flakes
+      '';
+
+      # Not interested in the global flake registry
+      settings.flake-registry = "";
+    };
+
+    console = {
+      keyMap = "us";
+    };
+
+    programs = {
+      zsh.enable = true;
+      fuse.userAllowOther = true;
+    };
+
+    environment = {
+      pathsToLink = [
+        "/share/zsh"
+      ];
+
+      systemPackages = with pkgs;
+        [
+          git
+          vim
+        ]
+        ++ optionals (!config.boot.isContainer) [
+          lm_sensors
+          lshw
+          parted
+          pciutils
+          smartmontools
+          usbutils
+        ];
+    };
+
+    services = {
+      openssh.enable = mkDefault true;
+
+      earlyoom = {
+        enable = mkDefault true;
+        enableNotifications = true;
+      };
+    };
+
+    # Coredumps are a security risk and may use up a lot of disk space
+    systemd.coredump.extraConfig = ''
+      Storage=none
+      ProcessSizeMax=0
+    '';
+
+    security.dhparams = {
+      enable = true;
+      defaultBitSize = 4096;
+    };
+  };
+}
--- a/sys/modules/default.nix
+++ b/sys/modules/default.nix
@ -0,0 +1,10 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./baseline.nix
+  ];
+}