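# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Base configuration for a Deuxfleurs cluster node. Site-, cluster- and
# node-specific settings live in the imported modules below.

{ config, pkgs, ... } @ args:

let
  lib = pkgs.lib;

  # CVE-2024-6387 ("regreSSHion", sshd signal-handler race) is fixed upstream
  # in OpenSSH 9.8p1. The backported patches below target the 9.6p1 currently
  # shipped by the channel; they are only applied while the channel's OpenSSH
  # is older than the fixed release, so the override retires itself on
  # upgrade instead of failing to apply (or silently lingering) forever.
  opensshNeedsRegresshionPatch = lib.versionOlder pkgs.openssh.version "9.8p1";
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    # Include generic Deuxfleurs module
    ./deuxfleurs.nix
    # Configuration for this deployment (a cluster)
    ./cluster.nix
    # Configuration local for this Deuxfleurs site (set of nodes)
    ./site.nix
    # Configuration local for this cluster node (hostname, IP, etc)
    ./node.nix
  ];

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;

  # Set your time zone.
  time.timeZone = "Europe/Paris";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "sun12x22";
    keyMap = "fr";
  };

  # Raised mmap-region limit; the service that needs it is configured in one
  # of the imported modules, not here.
  boot.kernel.sysctl = {
    "vm.max_map_count" = 262144;
  };

  # Cap persistent journal size so logs cannot fill the root filesystem.
  services.journald.extraConfig = ''
    SystemMaxUse=1G
  '';

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    nmap
    bind
    inetutils
    pciutils
    vim
    tmux
    ncdu
    iotop
    jnettop
    nethogs
    wget
    htop
    smartmontools
    links2
    git
    rclone
    docker-compose
    wireguard-tools
  ];

  # Enable support for all terminal emulators such as urxvt
  environment.enableAllTerminfo = true;

  programs.vim.defaultEditor = true;

  # Enable network time (systemd-timesyncd instead of a full ntpd).
  services.ntp.enable = false;
  services.timesyncd.enable = true;

  # Enable the OpenSSH daemon and allow key-based login only.
  services.openssh = {
    enable = true;
    settings = {
      # "PasswordAuthentication no" on its own does not stop password logins:
      # keyboard-interactive authentication (backed by PAM on NixOS) is a
      # separate method and still prompts for the account password unless it
      # is disabled as well.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # FIXME: Temporary patch for OpenSSH (CVE-2024-6387)
  # Patches from backport PR: https://github.com/NixOS/nixpkgs/pull/323765
  # programs.ssh.package is the package NixOS uses for both the ssh client and
  # sshd; after a rebuild, confirm the running daemon really is this build
  # (e.g. `systemctl cat sshd` and `ssh -V` on the host).
  # Both patches are pinned by content hash, so a change in the upstream
  # branch cannot silently alter what gets applied.
  programs.ssh.package = lib.mkIf opensshNeedsRegresshionPatch (
    pkgs.openssh.overrideAttrs (prev: {
      patches = prev.patches ++ [
        (pkgs.fetchpatch {
          url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
          hash = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
        })
        (pkgs.fetchpatch {
          url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch";
          hash = "sha256-lepBEFxKTAwg379iCD8KQCZVAzs3qNSSyUTOcartpK4=";
        })
      ];
      # NOTE(review): the OpenSSH test suite is skipped for this patched build,
      # presumably to keep the rebuild short, so the backport is not exercised
      # by upstream tests on this node -- confirm this was deliberate.
      doCheck = false;
    })
  );

  # Docker daemon; containers resolve DNS through 172.17.0.1 (typically the
  # docker0 bridge gateway), i.e. a resolver expected to listen on the host.
  # The daemon.json is generated into the store and handed to dockerd via
  # --config-file. NOTE(review): newer NixOS releases expose the same thing
  # declaratively as virtualisation.docker.daemon.settings -- consider
  # migrating once the channel supports it.
  virtualisation.docker = {
    enable = true;
    extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON { dns = [ "172.17.0.1" ]; })}";
  };

  # Periodic store garbage collection; keep 30 days of generations so a bad
  # deploy can still be rolled back from the boot menu.
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 30d";
}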