add headless & server profiles

modules/profiles/headless/default.nix

@@ -0,0 +1,10 @@
+{
+  imports = [
+    ./documentation.nix
+    ./environment.nix
+    ./fonts.nix
+    ./services.nix
+    ./systemd.nix
+    ./xdg.nix
+  ];
+}

modules/profiles/headless/documentation.nix

@@ -0,0 +1,18 @@
+{lib, ...}: let
+  inherit (lib.modules) mkForce;
+  inherit (lib.attrsets) mapAttrs;
+in {
+  documentation = mapAttrs (_: mkForce) {
+    enable = false;
+    dev.enable = false;
+    doc.enable = false;
+    info.enable = false;
+    nixos.enable = false;
+    man = {
+      enable = false;
+      generateCaches = false;
+      man-db.enable = false;
+      mandoc.enable = false;
+    };
+  };
+}

modules/profiles/headless/environment.nix

@@ -0,0 +1,4 @@
+{
+  # print the URL instead on servers
+  environment.variables.BROWSER = "echo";
+}

modules/profiles/headless/fonts.nix

@@ -0,0 +1,12 @@
+{lib, ...}: let
+  inherit (lib.modules) mkForce;
+  inherit (lib.attrsets) mapAttrs;
+in {
+  # we don't need fonts on a server
+  # since there are no fonts to be configured outside the console
+  fonts = mapAttrs (_: mkForce) {
+    packages = [];
+    fontDir.enable = false;
+    fontconfig.enable = false;
+  };
+}

modules/profiles/headless/services.nix

@@ -0,0 +1,5 @@
+{lib, ...}: {
+  # a headless system should not mount any removable media
+  # without explicit user action
+  services.udisks2.enable = lib.modules.mkForce false;
+}

modules/profiles/headless/systemd.nix

@@ -0,0 +1,29 @@
+{
+  # https://github.com/numtide/srvos/blob/main/nixos/server/default.nix
+  systemd = {
+    # given that our systems are headless, emergency mode is useless.
+    # we prefer the system to attempt to continue booting so
+    # that we can hopefully still access it remotely.
+    enableEmergencyMode = false;
+
+    # For more detail, see:
+    # https://0pointer.de/blog/projects/watchdog.html
+    watchdog = {
+      # systemd will send a signal to the hardware watchdog at half
+      # the interval defined here, so every 10s.
+      # If the hardware watchdog does not get a signal for 20s,
+      # it will forcefully reboot the system.
+      runtimeTime = "20s";
+      # Forcefully reboot if the final stage of the reboot
+      # hangs without progress for more than 30s.
+      # For more info, see:
+      #   https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+      rebootTime = "30s";
+    };
+
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+    '';
+  };
+}

modules/profiles/headless/xdg.nix

@@ -0,0 +1,12 @@
+{lib, ...}: let
+  inherit (lib.attrsets) mapAttrs;
+  inherit (lib.modules) mkForce;
+in {
+  xdg = mapAttrs (_: mkForce) {
+    sounds.enable = false;
+    mime.enable = false;
+    menus.enable = false;
+    icons.enable = false;
+    autostart.enable = false;
+  };
+}

modules/profiles/server/default.nix

@@ -0,0 +1,5 @@
+{lib, ...}: let
+  inherit (lib.modules) mkForce;
+in {
+  time.timeZone = mkForce "UTC";
+}