{ pkgs, depot, lib, rebuilder, ... }: let inherit (lib) mkDefault; in { hardware.enableRedistributableFirmware = true; nix = { nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ]; trustedUsers = [ "root" "@wheel" ]; binaryCaches = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ]; trustedBinaryCaches = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ]; }; nixpkgs.config = { allowUnfree = true; }; i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "us"; time.timeZone = mkDefault "Etc/UTC"; environment.systemPackages = with pkgs; [ vim mercurial rxvt_unicode.terminfo rebuilder ]; networking.firewall = { allowPing = true; }; users.mutableUsers = false; users.users = let secrets = depot.ops.secrets; in { root.hashedPassword = secrets.passwordHashes.root; lukegb = { isNormalUser = true; uid = 1000; extraGroups = [ "wheel" ]; hashedPassword = secrets.passwordHashes.lukegb; }; deployer = { isSystemUser = true; uid = 1001; hashedPassword = "NP"; openssh.authorizedKeys.keyFiles = [ ../../secrets/deployer_ed25519.pub ]; }; }; security.sudo.extraRules = [{ users = [ "deployer" ]; commands = [{ command = "${rebuilder}/bin/rebuilder"; options = [ "NOPASSWD" ]; }]; }]; security.sudo.extraConfig = '' Defaults:deployer !requiretty ''; programs.mtr.enable = true; services.openssh.enable = true; boot = { kernelModules = [ "tcp_bbr" ]; kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; kernel.sysctl."net.core.default_qdisc" = "fq_codel"; }; }