# Shared NixOS base module: Nix daemon settings, locale, declarative users,
# the unprivileged `deployer` account that is allowed to run `rebuilder`,
# and a few networking/kernel defaults.
#
# Module arguments:
#   pkgs      - the nixpkgs package set
#   depot     - the monorepo root; `depot.ops.secrets` supplies password hashes
#   lib       - nixpkgs lib
#   rebuilder - the derivation whose `bin/rebuilder` the deployer may run via sudo
{ pkgs, depot, lib, rebuilder, ... }:

let
  inherit (lib) mkDefault mkForce;

  # Both the substituter list and the trusted-substituter list are forced to
  # exactly this set.  NOTE: `trusted=1` on the S3 store tells Nix to accept
  # substitutes from that cache even when they lack a trusted signature, so
  # write access to the `lukegb-nix-cache` bucket is equivalent to code
  # execution on every host built from this module.
  caches = [
    "https://cache.nixos.org/"
    "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1"
  ];

  secrets = depot.ops.secrets;
in
{
  imports = [ ./hgrc.nix ];

  hardware.enableRedistributableFirmware = true;

  nix = {
    # Both channels resolve into the checked-out depot under lukegb's home.
    nixPath = [
      "depot=/home/lukegb/depot/"
      "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/"
    ];

    # Trusted Nix users may override daemon settings (e.g. add substituters),
    # which is effectively root-equivalent; here that is every wheel member,
    # who already have sudo.
    trustedUsers = [ "root" "@wheel" ];

    binaryCaches = mkForce caches;
    trustedBinaryCaches = mkForce caches;
  };

  nixpkgs.config.allowUnfree = true;

  i18n.defaultLocale = "en_GB.UTF-8";
  console.keyMap = "us";
  # mkDefault so a per-host module can override the zone without mkForce.
  time.timeZone = mkDefault "Etc/UTC";

  environment.systemPackages = [
    pkgs.vim
    pkgs.rxvt_unicode.terminfo
    # `rebuilder` is the module argument, not a pkgs attribute.
    rebuilder
    # Mercurial with the hg-evolve extension available to it.
    (pkgs.mercurial.overridePythonAttrs (origAttrs: {
      propagatedBuildInputs =
        origAttrs.propagatedBuildInputs ++ [ pkgs.python3Packages.hg-evolve ];
    }))
  ];

  networking.firewall.allowPing = true;

  # Declarative users only: accounts and password hashes below are the whole
  # truth; nothing set interactively on the host survives a rebuild.
  users.mutableUsers = false;

  users.users = {
    root.hashedPassword = secrets.passwordHashes.root;

    lukegb = {
      isNormalUser = true;
      uid = 1000;
      extraGroups = [ "wheel" ];
      hashedPassword = secrets.passwordHashes.lukegb;
    };

    # Deployment account.  "NP" is not a valid crypt hash, so no password can
    # match it (presumably the intent: key-only login); access is granted via
    # the committed ed25519 public key.
    deployer = {
      isSystemUser = true;
      uid = 1001;
      hashedPassword = "NP";
      useDefaultShell = true;
      home = "/var/lib/deployer";
      createHome = true;
      openssh.authorizedKeys.keyFiles = [ ../../secrets/deployer_ed25519.pub ];
    };
  };

  # Least privilege for the deployer: passwordless sudo is limited to the one
  # rebuilder binary from the pinned derivation, nothing else.
  security.sudo.extraRules = [
    {
      users = [ "deployer" ];
      commands = [
        {
          command = "${rebuilder}/bin/rebuilder";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # sudo from a non-interactive SSH session (no tty) must still work for
  # the deployer.
  security.sudo.extraConfig = ''
    Defaults:deployer !requiretty
  '';

  programs.mtr.enable = true;

  # NOTE(review): SSH password authentication is left at the module default
  # here; both accounts that need remote access have key/wheel access, so
  # disabling it is worth considering — confirm the option name against the
  # pinned nixpkgs before adding it.
  services.openssh.enable = true;

  boot = {
    kernelModules = [ "tcp_bbr" ];
    kernel.sysctl = {
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.core.default_qdisc" = "fq_codel";
    };
  };
}