* KbdInteractiveAuthentication: disable keyboard interactive-auth, since
we solely rely on the SSH key for connection.
* PermitEmptyPasswords: disable empty passwords for SSH connection, again,
since we use SSH keys.
* Protocol: Explicitly set the SSH protocol to 2, even though it is the
default value.
* MaxAuthTries: Set auth tries to 3. This is to allow up to 3 keys to try
connecting.
* ChallengeResponseAuthentication: We do not require a challenge-response
setup.
* AllowTcpForwarding: Allows access to locally-running ports without having
to expose them. Since all auth methods are disabled, we can enable this.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

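As an added example (not part of the commit or the repository), a small Python checker that reads an sshd_config and verifies the settings listed above, honouring sshd's rule that the first value seen for a keyword wins and that lines after a Match line apply only conditionally. The sample config is constructed.

```python
import re
# Hardening choices from the commit above (sshd keywords are case-insensitive).
EXPECTED = {
    "kbdinteractiveauthentication": "no",
    "permitemptypasswords": "no",
    "protocol": "2",
    "maxauthtries": "3",
    "challengeresponseauthentication": "no",
    "allowtcpforwarding": "yes",
}

def parse_sshd_config(text):
    """Effective global settings: sshd keeps the FIRST value it sees for a
    keyword, and lines after a Match line apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # conditional section, not part of the global policy
        if len(parts) != 2:
            continue
        settings.setdefault(key, parts[1].strip())  # first occurrence wins
    return settings

def audit(text):
    """Map each keyword that deviates from EXPECTED to (wanted, actual)."""
    settings = parse_sshd_config(text)
    return {
        key: (want, settings.get(key))
        for key, want in EXPECTED.items()
        if (settings.get(key) or "").lower() != want
    }

# Constructed sample: the commit's settings plus a later duplicate and a
# Match block, neither of which may change the global result.
HARDENED = """\
Protocol 2
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
MaxAuthTries 10  # ignored: first value wins
ChallengeResponseAuthentication no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding no
"""
```

`audit(HARDENED)` returns an empty dict; any non-empty result lists the keyword, the wanted value and what the file actually sets (None when the keyword is absent).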
* create new module for nginx
* setup cloudflare real_ip_header forwarding for fail2ban setup
* add hsts, improve qualys score
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

* replace per-app postgresql configuration with a single, global postgres
setup
* add backup configuration to backup using restic
* add cluster upgrade script based on the NixOS Manual:
https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

* lanzaboote is needed to evaluate nix configuration, even if it's not used
in the system.
* removed nixpkgs-immich since nixpkgs now has immich service
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

Setting it to 10 does not play well with srvos, since it uses lib.mkDefault
to set it to 10 as well. And anyway, we don't need 10 generations to show
up in the boot menu.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

* system76-scheduler was unused. Or it did not really make much of a difference
over the default scheduler.
* added `iommu=soft` to the kernel params to make the ssd work fine after suspend.
This might be related to the pcie_aspm policy we had set before. I need to test
if removing the aspm policy has fixed this issue.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

Umm, this is a hard one as to why it was added in the first place. I think
someone had told me about it, but it seems like it's not really required, and
not recommended to be run on systems that do not support it by default.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

New netbird version requires go-1.23, and the patch to make
buildGoModules default to 1.23 is not yet in unstable
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

* add gnome and hyprland base setup
* remove unused intel-ocl from graphics
* move xdg-portal configuration to desktop environments
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

Cleanup existing desktop environment configuration to allow adding more
desktop environments with shared configs.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

The new Intel Core Ultra does not work that well with older kernel versions,
especially since the initial support was added in 6.8. Currently, the testing
kernel is much more stable than the latest package on this processor.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

A security issue currently plagues the nix_git package, along with some other issues cropping up
in the newer versions. So we'll stick to the last stable, bug-free nix version for a while.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

This is required for the document upload processing to successfully run.
Without this enabled, the document upload gets stuck on:
Upload complete, waiting...
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

Yet another failed experiment to check why netbird fails to connect after
suspending the system. Turns out none of this was needed after all.
All that was needed was to stop systemd from managing foreign routing policy
rules:
systemd.network.config.networkConfig.ManageForeignRoutingPolicyRules = false;
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

Since we've moved to firefox profiles managed by nix, declaratively,
we do not need profile sync daemon.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>

* change interface name from `enp6s0` to `enp2s0`
* add arr suite + ntfy deployment, monitoring
* add keys for ssh access
* add default_server configuration to nginx for security
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>