{ lib, config, ... }: let name = "system"; cfg = config.nixowos.defaults.${name}; in { options.nixowos.defaults.${name} = { enable = lib.mkEnableOption name; }; config = lib.mkIf cfg.enable { boot.loader.grub = lib.mkDefault { # modern installation device = "nodev"; efiSupport = true; # if your /boot partition is encrypted, this is needed # grub takes a long time to unlock a partition though, so this is undesirable # and you might also need to embed the key into initramfs to avoid needing to enter the password twice # enableCryptodisk = true; # keep the grub background black splashImage = null; # look for other efi entries and add them to the boot menu # useOSProber = true; # extra grub entry for memory testing # memtest86.enable = true; }; # use tmpfs for /tmp to minimize disk wear # consider disabling if you have very limited memory boot.tmp = lib.mkDefault { useTmpfs = true; tmpfsHugeMemoryPages = "within_size"; }; # this is useful not only for having a user named "tmp" # but also if any user wants to use a temporary directory, # it's much nicer than /tmp because it isn't filled with system files fileSystems."/home/tmp" = lib.mkDefault { fsType = "tmpfs"; # inherit options created by boot.tmp.useTmpfs if avaliable options = let tmpMount = lib.findFirst (mount: mount.where == "/tmp") null config.systemd.mounts; in lib.mkIf (tmpMount != null) (lib.splitStringBy (p: c: c == ",") false tmpMount.mountConfig.Options); }; # run fstrim monthly instead of weekly # weekly is unecessary for preventing long-term performance degredation # https://unix.stackexchange.com/questions/218076/ssd-how-often-should-i-do-fstrim services.fstrim.interval = lib.mkDefault "monthly"; # extra memory if you can spare the CPU cycles zramSwap = lib.mkDefault { enable = true; # this is the amount of uncompressed data that can be swapped out # practical maximum is 150% memoryPercent = 100; }; security.sudo-rs.enable = lib.mkDefault true; services.openssh = { enable = lib.mkDefault true; # only accept key authentication, for security settings.PasswordAuthentication = false; }; }; }