* KbdInteractiveAuthentication: disable keyboard interactive-auth, since
we solely rely on the SSH key for connection.
* PermitEmptyPasswords: disable empty passwords for SSH connection, again,
since we use SSH keys.
* Protocol: Explicitly set the SSH protocol to 2, even though it is the
default value.
* MaxAuthTries: Set auth tries to 3. This is to allow up to 3 keys to try
connection.
* ChallengeResponseAuthentication: We do not require a challenge-response
setup.
* AllowTcpForwarding: Allows access to locally-running ports without having
to expose them. Since all auth methods are disabled, we can enable this.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
* create new module for nginx
* setup cloudflare real_ip_header forwarding for fail2ban setup
* add hsts, improve qualys score
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
* replace per-app postgresql configuration with a single, global postgres
setup
* add backup configuration to backup using restic
* add cluster upgrade script based on the NixOS Manual:
https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
* lanzaboote is needed to evaluate nix configuration, even if it's not used
in the system.
* removed nixpkgs-immich since nixpkgs now has immich service
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
Setting it to 10 does not play well with srvos, since it uses lib.mkDefault
to set it to 10 as well. And anyways, we don't need 10 generations to show
up during the boot menu.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
Umm, this is a hard one as to why it was added in the first place. I think
someone had told me about it, but it seems like it's not really required, and
not recommended to be run on systems that do not support it by default.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
* add gnome and hyprland base setup
* remove unused intel-ocl from graphics
* move xdg-portal configuration to desktop environments
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
Cleanup existing desktop environment configuration to allow adding more
desktop environments with shared configs.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
A security issue currently plagues nix_git package, along with some other issues cropping up
in the newer versions. So we'll stick to the last stable, bug-free nix version for a while.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
This is required for the document upload processing to successfully run.
Without this enabled, the document upload gets stuck on:
Upload complete, waiting...
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
Yet another failed experiment to check why netbird fails to connect after
suspending the system. Turns out none of this was needed after all.
All that was needed was to stop systemd from managing foreign routing policy
rules:
systemd.network.config.networkConfig.ManageForeignRoutingPolicyRules = false;
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
Since we've moved to firefox profiles managed by nix, declaratively,
we do not need profile sync daemon.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
* VictoriaMetrics for polling/collecting metrics
* Grafana for UI
* Multiple prometheus-exporter modules for gathering data
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
* Lat2-Terminus16 looks nice, not sure why I replaced it.
* Remove `udev.log_level=3` from the kernel param cmdline. This option
was added to test out plymouth on boot, which surprisingly seems to not
be working right now. Will revisit this later.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
Had been removed to debug issues with netbird connectivity after suspend.
Can be added back since the issue is unrelated.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
