Group shared system settings

system/shared/services/default.nix

@@ -0,0 +1,9 @@
+_: {
+  imports = [
+    ./ssh.nix
+    ./fwupd.nix
+    ./logrotate.nix
+    ./oomd.nix
+    ./thermald.nix
+  ];
+}

system/shared/services/fwupd.nix

@@ -0,0 +1,7 @@
+{config, ...}: {
+  # firmware updater for machine hardware
+  services.fwupd = {
+    enable = true;
+    daemonSettings.EspLocation = config.boot.loader.efi.efiSysMountPoint;    
+  };
+}

system/shared/services/logrotate.nix

@@ -0,0 +1,24 @@
+{ pkgs, lib, ... }: {
+  services.logrotate.settings.header = {
+    # general
+    global = true;
+    dateext = true;
+    dateformat = "-%Y-%m-%d";
+    nomail = true;
+    missingok = true;
+    copytruncate = true;
+
+    # rotation frequency
+    priority = 1;
+    frequency = "weekly";
+    rotate = 7; # special value, means 7 days
+    minage = 7; # avoid rotating files that are less than 7 days old
+
+    # compression
+    compress = true; # compress logs to save space
+    compresscmd = "${lib.getExe' pkgs.zstd "zstd"}";
+    compressoptions = " -Xcompression-level 10";
+    compressext = "zst";
+    uncompresscmd = "${lib.getExe' pkgs.zstd "unzstd"}";
+  };
+}

system/shared/services/oomd.nix

@@ -0,0 +1,20 @@
+{ lib, ... }: {
+  systemd = {
+    # OOMd: Out Of Memory daemon
+    # By default, this will only kill cgroups. So either systemd services
+    # marked for killing uder OOM or (non-default, but enabled here) the entire user slice.
+    oomd = {
+      enable = true;
+      enableSystemSlice = true;
+      enableRootSlice = true;
+      enableUserSlices = true;
+      extraConfig = {
+        "DefaultMemoryPressureDurationSec" = "20s";
+      };
+    };
+
+    # Make nix builds more likely to get killed than other important services.
+    # The default for user slices is 100, and systemd-coredumpd is 500
+    services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 350;
+  };
+}

system/shared/services/ssh.nix

@@ -0,0 +1,12 @@
+{ ... }: {
+  # TODO: This really shouldn't be a default service in system/
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = false;
+      X11Forwarding = false;
+    };
+  };
+}
+

system/shared/services/thermald.nix

@@ -0,0 +1,4 @@
+{
+  # monitor and control temperature
+  services.thermald.enable = true;
+}