Diffstat (limited to 'modules/nixos/base.nix')
-rw-r--r--modules/nixos/base.nix103
1 files changed, 103 insertions, 0 deletions
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
new file mode 100644
index 0000000..ca696dd
--- /dev/null
+++ b/modules/nixos/base.nix
@@ -0,0 +1,103 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: let
+ inherit (lib) mkDefault;
+ channelPath = i: "/etc/nix/channels/${i}";
+
+ mapInputs = fn: map fn (builtins.filter (n: n != "self") (builtins.attrNames inputs));
+
+ # yes this is a bad way to detect which option should be used (or exists)
+ # but i'm lazy. please do not copy this
+ passwordFile =
+ if lib.versionAtLeast config.system.stateVersion "23.11"
+ then "hashedPasswordFile"
+ else "passwordFile";
+in {
+ imports = [
+ ../shared
+ ];
+
+ environment.systemPackages = with pkgs; [man-pages man-pages-posix];
+
+ documentation.man = {
+ generateCaches = mkDefault true;
+ man-db.enable = mkDefault true;
+ };
+
+ i18n = {
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ networking.networkmanager = {
+ enable = mkDefault true;
+ dns = mkDefault "systemd-resolved";
+ };
+
+ nix = {
+ nixPath = mapInputs (i: "${i}=${channelPath i}");
+ gc.dates = mkDefault "weekly";
+ settings.trusted-users = ["root" "@wheel"];
+ };
+
+ programs = {
+ git.enable = mkDefault true;
+ vim.defaultEditor = mkDefault true;
+ };
+
+ security = {
+ apparmor.enable = mkDefault true;
+ audit.enable = mkDefault true;
+ auditd.enable = mkDefault true;
+ polkit.enable = mkDefault true;
+ rtkit.enable = mkDefault true;
+ sudo.execWheelOnly = true;
+ };
+
+ services = {
+ dbus.apparmor = mkDefault "enabled";
+
+ resolved = {
+ enable = mkDefault true;
+ dnssec = mkDefault "allow-downgrade";
+ extraConfig = mkDefault ''
+ [Resolve]
+ DNS=1.1.1.1 1.0.0.1
+ DNSOverTLS=yes
+ '';
+ };
+
+ journald.extraConfig = ''
+ MaxRetentionSec=1w
+ '';
+ };
+
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+ text = ''
+ ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
+ '';
+ };
+
+ systemd.tmpfiles.rules =
+ mapInputs (i: "L+ ${channelPath i} - - - - ${inputs.${i}.outPath}");
+
+ users = {
+ defaultUserShell = pkgs.bash;
+ mutableUsers = false;
+
+ users.root = {
+ home = mkDefault "/root";
+ uid = mkDefault config.ids.uids.root;
+ group = mkDefault "root";
+ "${passwordFile}" = mkDefault config.age.secrets.rootPassword.path;
+ };
+ };
+}
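Review bot: `settings.trusted-users = ["root" "@wheel"];` at the `nix` block grants every wheel member root-equivalent power over the nix-daemon (trusted users may set arbitrary substituters and import unsigned store paths), and unlike every neighbouring option it is set without `mkDefault`, so a host that wants a tighter policy has to `mkForce` it. Since this module already gates `sudo.execWheelOnly = true;` and hands out `mkDefault` almost everywhere, the consistent form is `settings.trusted-users = mkDefault ["root"];` with a comment such as `# trusted-users is root-equivalent on the daemon; add "@wheel" per host only where that is intended`. Separately, the `passwordFile` selector keys off `config.system.stateVersion`, which is the state-migration marker and not the nixpkgs revision actually evaluating this module, so a host pinned to an older stateVersion on a current nixpkgs gets the deprecated alias; `lib.versionAtLeast lib.version "23.11"` (the nixpkgs release string, if I recall the lib attribute correctly) would test the thing the option rename depends on.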