1 { config, pkgs, lib, inputs, private, hostName, ... }:
2 let
3 inherit (config.users) users;
4 inherit (config.services) davfs2;
5 in
6 {
  # Host-specific modules. The network exposure of this laptop is largely
  # decided in the VPN/tor modules listed here, none of which is visible in
  # this file: dnscrypt-proxy2 (encrypted DNS resolver used by the system),
  # openvpn/wireguard (tunnels), tor (client and the "tor" group used below),
  # backup (presumably the consumer of nix.sshServe / SSH — confirm).
  imports = [
    ../profiles/dnscrypt-proxy2.nix
    oignon/hardware.nix
    oignon/openvpn.nix
    oignon/wireguard.nix
    oignon/tor.nix
    oignon/backup.nix
  ];
15
  # The user environment is managed by home-manager as a NixOS module, so it
  # is built and activated with the system (same nixpkgs, same rollback unit).
  home-manager.users.julm = {
    imports = [ ../homes/julm.nix ];
    host.name = hostName;
    host.hardware = ["ThinkPad" "X201"];
  };
  # After each activation keep only the current home-manager generation
  # (`+1` = keep the newest one). This trades the ability to roll back the
  # user environment for disk space; the system profile is untouched.
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';
  # Declarative accounts only: users and groups are regenerated from this
  # configuration on every activation, so changes made with passwd(1) or
  # usermod(8) do not persist across a rebuild.
  users.mutableUsers = false;
  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # lib.readFile evaluates the hash at build time, so it is embedded in the
    # system derivation in /nix/store, which is world-readable on this host
    # and is copied to any binary cache the closure is pushed to. NixOS writes
    # the hash to /etc/shadow (root-only), not to the world-readable
    # /etc/passwd, so the store copy is the actual exposure: any local user
    # can read it and crack it offline.
    # NOTE(review): a runtime path option (users.users.<name>.passwordFile on
    # this release, hashedPasswordFile on newer NixOS) would keep the hash out
    # of the store — confirm the option name for this release before switching.
    hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
    extraGroups = [
      "adbusers"          # raw USB access to Android devices (udev rules below)
      "lp"
      "networkmanager"    # may change network connections without sudo
      "scanner"
      "tor"               # whatever oignon/tor.nix grants the group (not visible here)
      "video"
      "wheel"             # sudo; makes the nix.trustedUsers grant below moot
      #"ipfs"
      davfs2.davGroup     # may run mount.davfs for the "user" mounts below
      #"vboxusers"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = false;
  };
47
  nix = {
    extraOptions = ''
      auto-optimise-store = true
      secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
    '';
    # `secret-key-files` is the private key used to sign store paths this host
    # builds/serves. `private` is a module argument whose origin is not visible
    # here: if it is a flake input or any other store path, the signing key is
    # world-readable in /nix/store. It must resolve to a root-only location
    # outside the store — NOTE(review): confirm what `private` points to.
    gc = {
      automatic = true;
      dates = "weekly";
      # Also bounds how far back a system rollback can go (one week).
      options = "--delete-older-than 7d";
    };
    # /etc/nixpkgs is pkgs.path (set below), so ad-hoc nix-shell/nix-build use
    # the same pinned nixpkgs revision as the running system.
    nixPath = [
      "nixpkgs=/etc/nixpkgs"
      "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
    ];
    # A Nix trusted user can hand the daemon arbitrary substituters and
    # sandbox settings, which is root-equivalent. Acceptable only because
    # julm is already in wheel.
    trustedUsers = [ users.julm.name ];
    # Setting binaryCaches replaces the default cache.nixos.org, so every
    # substitution comes from the local cache and must be signed by the pinned
    # key below; unsigned or foreign-signed paths are rejected.
    binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
    binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
  };
  # Lets the holder of losurdo's key use this host as a remote Nix store over
  # SSH (the module sets up a dedicated account with a forced nix-store
  # command). The same key is also julm's login key below, so this adds no
  # new principal. NOTE(review): whether the served store is read-only or
  # writable depends on the module's default for this release — confirm.
  nix.sshServe = {
    enable = true;
    keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
  };
70 users.users.julm.openssh.authorizedKeys.keys = [
71 (lib.readFile ../private/world/julm/losurdo/ssh.pub)
72 ];
73 services.openssh.openFirewall = false;
74 services.openssh.forwardX11 = true;
75 services.openssh.passwordAuthentication = false;
76
  # System-wide: needed at least for the proprietary HP scanner plugin below.
  nixpkgs.config.allowUnfree = true;
  # Expose the pinned nixpkgs and the flake's overlays at stable paths so that
  # NIX_PATH (nix.nixPath above) tracks exactly what the system was built from.
  environment.etc."nixpkgs".source = pkgs.path;
  environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  documentation.nixos.enable = true;
  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "fr_FR.UTF-8";
  console.font = "Lat2-Terminus16";
  console.keyMap = "fr";
86
  networking = {
    hostName = hostName;
    domain = "localdomain";
    # Unqualified names get this suffix appended before lookup; resolution
    # itself goes through the dnscrypt-proxy2 profile imported above.
    search = [ "sourcephile.fr" ];
    networkmanager = {
      enable = true;
      #dhcp = "dhcpcd";
      logLevel = "INFO";
      wifi = {
        #backend = "iwd";
        #backend = "wpa_supplicant";
        powersave = false;
      };
    };
    # Default-deny inbound. Nothing in this file opens a port (openssh and
    # avahi both set openFirewall = false); dropping echo requests makes the
    # laptop less discoverable on untrusted networks at the cost of
    # troubleshooting convenience.
    firewall = {
      enable = true;
      allowPing = false;
    };
  };
106
  sound.enable = true;
  hardware.pulseaudio.enable = true;
  hardware.sane.enable = true;
  # hplipWithPlugin ships HP's proprietary binary plugin (hence allowUnfree);
  # it is an opaque vendor blob on the scan path, not something we can audit.
  hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
111
  environment.variables = {
    EDITOR = "vim";
    # -R passes raw colour escapes through; other escape sequences stay filtered.
    PAGER = "less -R";
    SYSTEMD_LESS = "FKMRX";
  };
  environment.systemPackages = [
    pkgs.mkpasswd   # to (re)generate the hashedPassword file used above
    pkgs.gdb
  ];
121
122 programs = {
123 bash = {
124 interactiveShellInit = ''
125 bind '"\e[A":history-search-backward'
126 bind '"\e[B":history-search-forward'
127
128 # Ignore duplicate commands, ignore commands starting with a space
129 export HISTCONTROL=erasedups:ignorespace
130 export HISTSIZE=42000
131 # Append to the history instead of overwriting (good for multiple connections)
132 shopt -s histappend
133
134 # Utilities
135 mkcd () { mkdir -p "$1"; cd "$1"; }
136 fan () {
137 if [ $# -gt 0 ]
138 then sudo tee /proc/acpi/ibm/fan <<<"level $1"
139 else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
140 fi
141 acpi -t
142 }
143 '';
144 shellAliases = {
145 cl = "clear";
146 grep = "grep --color";
147 l = "ls -alh";
148 ll = "ls -al";
149 ls = "ls --color=tty";
150 mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
151
152 s="sudo systemctl";
153 st="sudo systemctl status";
154 u="systemctl --user";
155 j="sudo journalctl -u";
156 jb="sudo journalctl -b";
157
158 nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
159 mv = "mv -i";
160 sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
161 };
162 };
163 dconf.enable = true;
164 mtr.enable = true;
165 };
166
  # mDNS client only: this host resolves *.local names but does not announce
  # itself (publish disabled) and opens no port. mDNS is unauthenticated, so
  # any device on the same LAN can answer for a .local name — never rely on
  # it for anything security-relevant. NOTE(review): responses are multicast
  # to UDP 5353, which the closed firewall may drop; confirm .local lookups
  # actually work rather than assuming they do.
  services.avahi = {
    enable = true;
    nssmdns = true;
    openFirewall = false;
    publish = {
      enable = false;
    };
  };
  services.davfs2 = {
    enable = true;
    extraConfig = ''
    '';
  };
  # WebDAV share mounted over HTTPS. Credentials are not in this file: davfs2
  # reads them from its own secrets file at mount time. Nothing here sets
  # trust_server_cert, so the server certificate is checked against the
  # system trust store (davfs2's default behaviour — confirm for this version).
  fileSystems."/home/julm/mnt/ilico/severine" = {
    device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
    fsType = "davfs";
    options =
      # backup_dir keeps local copies of files davfs2 failed to upload, so
      # remote data can linger on this disk after an unmount.
      let conf = pkgs.writeText "davfs2.conf" ''
        backup_dir /home/julm/documents/backup/ilico/severine
        cache_dir /home/julm/.cache/davfs2/ilico/severine
      ''; in
      # user: members of davGroup may mount it without root; noexec,nosuid:
      # nothing fetched from the share can run as a program or gain privilege;
      # noauto: not mounted at boot (automount deliberately left off).
      [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
  };
  # dconf on the session bus (GNOME-style settings) and gvfs for user-level
  # mounts (trash, MTP, network shares) in the home-manager session.
  services.dbus = {
    packages = [ pkgs.gnome3.dconf ];
  };
  services.gvfs = {
    enable = true;
  };
  # Inert while `enable` stays commented out. If it is turned on, the settings
  # below keep the node quiet on the LAN (no local peer discovery, no mDNS
  # announcement) and cap its datastore; it would still connect to the public
  # swarm via the default bootstrap list unless Bootstrap is overridden.
  services.ipfs = {
    #enable = true;
    defaultMode = "online";
    autoMount = true;
    enableGC = true;
    localDiscovery = false;
    extraConfig = {
      Datastore.StorageMax = "10GB";
      Discovery.MDNS.Enabled = false;
      #Bootstrap = [
      #];
      #Swarm.AddrFilters = null;
    };
    startWhenNeeded = true;
  };
  # Persistent logs, but whichever limit is hit first wins: 100M of compressed
  # journal can cover far less than a month on a chatty system. If these logs
  # are meant to be usable for incident investigation, size them to the
  # actual volume rather than to the retention period.
  services.journald = {
    extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=100M
    '';
  };
  # CUPS with Gutenprint and HP drivers. Nothing here changes the listen
  # address or opens the firewall, so the web interface stays local-only
  # (module default — confirm for this release).
  services.printing = {
    enable = true;
    drivers = [
      pkgs.gutenprint
      pkgs.hplip
    ];
  };
  services.udev = {
    packages = [
      # Allow members of the "adbusers" group to mount Android devices via MTP
      # (julm is in that group above); this is raw USB access to the device,
      # so it also covers adb/fastboot, not only MTP.
      pkgs.android-udev-rules
    ];
  };
  services.xserver = {
    enable = true;
    layout = "fr";
    xkbOptions = "eurosign:e";
    libinput.enable = true;
    desktopManager = {
      session = [
        # Let the session be generated by home-manager
        # ($HOME/.hm-xsession is user-owned; that is fine since it only
        # ever runs as that user).
        { name = "home-manager";
          start = ''
            ${pkgs.runtimeShell} $HOME/.hm-xsession &
            waitPID=$!
          '';
        }
      ];
    };
    displayManager = {
      defaultSession = "home-manager";
      #defaultSession = "none+xmonad";
      # Auto-login means whoever boots the machine lands in julm's session
      # without a password. On a laptop this is only as strong as full-disk
      # encryption (expected in oignon/hardware.nix — not visible here) plus a
      # screen locker in the home-manager session (likewise not visible).
      autoLogin = {
        enable = true;
        user = users.julm.name;
      };
    };
  };
257
  # Core dumps of any crashing process are kept on disk. They can contain
  # keys and passwords (ssh-agent, gpg-agent, browsers), so treat
  # /var/lib/systemd/coredump as sensitive; debug symbols stay off.
  systemd.coredump.enable = true;
  #environment.enableDebugInfo = true;
260
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  # It does not pin nixpkgs: the software actually installed comes from the
  # flake input exposed at /etc/nixpkgs above.
  system.stateVersion = "20.09"; # Did you read the comment?
265 }