Git — Sourcephile - julm/julm-nix.git/blob - hosts/nan2gua1.nix
nan2gua1: dolphin: enable
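# NixOS module for the host nan2gua1 (hosts/nan2gua1.nix).
#
# Pulls in the shared profiles and the host-specific modules under nan2gua1/,
# then declares the local users, Nix daemon settings, SSHFS automounts and the
# graphical session.
#
# NOTE(review): several settings below trade security for convenience
# (kernel mitigations off, root SSH keys, password hash in the store,
# display-manager auto-login, allow_other mounts). Each one is annotated
# where it is set.
{
  config,
  pkgs,
  lib,
  inputs,
  hostName,
  ...
}:
{
  imports = [
    ../nixos/profiles/builder.nix
    ../nixos/profiles/debug.nix
    ../nixos/profiles/graphical.nix
    ../nixos/profiles/irssi.nix
    ../nixos/profiles/lang-fr.nix
    ../nixos/profiles/laptop.nix
    ../nixos/profiles/printing.nix
    ../nixos/profiles/radio.nix
    ../nixos/profiles/tor.nix
    ../nixos/profiles/bluetooth.nix
    ../nixos/profiles/home.nix
    ../nixos/profiles/dolphin.nix
    nan2gua1/sanoid.nix
    nan2gua1/syncoid.nix
    nan2gua1/hardware.nix
    nan2gua1/nebula.nix
    nan2gua1/networking.nix
  ];

  # Lower the kernel's security for better performance.
  # NOTE(review): this option is not defined in this file; presumably a project
  # module maps it to the kernel's `mitigations=` parameter (confirm). If so,
  # "off" disables the CPU speculative-execution mitigations, which matters
  # most on a machine that runs a browser or other untrusted local code.
  # Worth re-measuring whether the gain still justifies it on this hardware.
  security.kernel.mitigations = "off";

  home-manager.users.julm = {
    imports = [ ../homes/julm.nix ];
  };

  # Every key listed here is accepted for root logins by sshd
  # (whether root login is permitted at all is configured elsewhere).
  users.users.root = {
    openssh.authorizedKeys.keys = map lib.readFile [
      # For nix -L run .#$(hostname).switch
      ../users/julm/ssh/nan2gua1.pub
      # SecurityToDo: remove
      # NOTE(review): until this is removed, the holder of the blackberry key
      # has root on this host.
      ../users/julm/ssh/blackberry.pub
    ];
  };

  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # The hash is read at evaluation time and therefore copied into the
    # world-readable /nix/store, although /etc/shadow itself is not world
    # readable.
    # Generated with: printf %s $(mkpasswd -m md5crypt)
    # (printf %s keeps a trailing newline out of the file.)
    # NOTE(review): md5crypt is a fast legacy scheme, cheap to brute-force once
    # the hash is readable. Prefer `mkpasswd -m yescrypt` (or sha512crypt) and
    # consider `hashedPasswordFile` pointing at a secret kept outside the
    # store. The path lives under pumpkin/, so the hash looks shared with that
    # host; confirm that is intended.
    hashedPassword = lib.readFile pumpkin/users/julm/login/hashedPassword.clear;
    # NOTE(review): "wheel" plus the device and capture groups make this
    # account close to root-equivalent; combined with the auto-login below,
    # physical access to the powered-on machine yields all of these.
    extraGroups = [
      "adbusers"
      "dialout"
      "lp"
      "networkmanager"
      "plugdev" # For rtl-sdr
      "scanner"
      "tor"
      "tss" # For tpm2
      "video"
      "wheel"
      "wireshark"
      #"ipfs"
      config.services.davfs2.davGroup
      config.services.kubo.group
      #"vboxusers"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = false;
    openssh.authorizedKeys.keys = map lib.readFile [
      ../users/julm/ssh/losurdo.pub
    ];
  };

  nix = {
    settings = {
      # All substituters are currently disabled.
      # NOTE(review): if the file:// entry is re-enabled, `trusted=true` makes
      # Nix accept its paths without a signature check; the http:// entry
      # relies entirely on trusted-public-keys for integrity.
      substituters = [
        #"http://nix-localcache.losurdo.sp"
        #"file:///mnt/off4/julm/nix?priority=10&trusted=true"
        #"ssh://nix-ssh@losurdo.sp?priority=30"
      ];
      trusted-public-keys = map lib.readFile [
        #../users/nix/ssh/losurdo.pub
      ];
    };
  };
  #environment.etc."nixpkgs".source = pkgs.path;
  #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  # This module contributes no entries; other modules may add some.
  nix.settings.allowed-users = [
    #config.users.users."nix-ssh".name
  ];

  # Serving the store over SSH is left disabled (enable is commented out).
  # The keys are the ones that would be accepted if it were switched on.
  nix.sshServe = {
    #enable = true;
    keys = map lib.readFile [
      ../users/julm/ssh/losurdo.pub
      ../users/julm/ssh/pumpkin.pub
      ../users/julm/ssh/nan2gua1.pub
      ../users/sevy/ssh/patate.pub
    ];
  };

  environment.systemPackages = [
    #pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules
  ];

  boot.extraModulePackages = [
    #config.boot.kernelPackages.v4l2loopback
  ];

  programs.adb.enable = true;

  # Lets non-root users pass allow_other to FUSE mounts; the SSHFS mounts
  # below depend on it.
  programs.fuse.userAllowOther = true;

  services.davfs2.enable = true;

  systemd.automounts = [
    {
      where = "/mnt/aubergine";
      automountConfig.TimeoutIdleSec = "5 min";
    }
  ];

  fileSystems =
    let
      # Use the user's gpg-agent session to query
      # for the password of the SSH key when auto-mounting.
      # The first argument is the local user to run ssh as; the rest is handed
      # to ssh unchanged.
      # writeShellScript (rather than writeScript) gives the helper a shebang,
      # so it does not depend on the caller falling back to a shell for a
      # script that lacks one.
      sshAsUser = pkgs.writeShellScript "sshAsUser" ''
        user="$1"; shift
        exec ${pkgs.sudo}/bin/sudo -i -u "$user" \
          ${pkgs.openssh}/bin/ssh "$@"
      '';
      # Mount options shared by every SSHFS entry below.
      # NOTE(review): "allow_other" without "default_permissions" means any
      # local account can go through the mount with julm's rights on the
      # remote host, and each device below exports the remote "/". Consider
      # adding "default_permissions" or dropping "allow_other" if only julm
      # needs access. "exec" is enabled on purpose, "nosuid" is kept.
      options = [
        "user"
        "uid=julm"
        "gid=users"
        "allow_other"
        "exec" # Override "user"'s noexec
        "noatime"
        "nosuid"
        "_netdev"
        # \040 is the fstab escape for a space: the helper is called with
        # "julm" as its first argument.
        "ssh_command=${sshAsUser}\\040julm"
        "noauto"
        "x-gvfs-hide"
        "x-systemd.automount"
        #"Compression=yes" # YMMV
        # Disconnect approximately 2*15=30 seconds after a network failure
        "ServerAliveCountMax=1"
        "ServerAliveInterval=15"
        "dir_cache=no"
        #"reconnect"
      ];
    in
    {
      "/mnt/aubergine" = {
        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.sp:/";
        fsType = "fuse";
        inherit options;
      };
      "/mnt/losurdo" = {
        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.sp:/";
        fsType = "fuse";
        inherit options;
      };
      "/mnt/mermet" = {
        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@mermet.sp:/";
        fsType = "fuse";
        inherit options;
      };
      /*
        "/mnt/ilico/severine" = {
          device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
          fsType = "davfs";
          options =
            let
              conf = pkgs.writeText "davfs2.conf" ''
                backup_dir /home/julm/.local/share/davfs2/ilico/severine
                secrets /home/julm/.davfs2/secrets
              '';
            in
            [
              "conf=${conf}"
              "user"
              "noexec"
              "nosuid"
              "noauto"
              "nofail"
              "_netdev"
              "reconnect"
              "x-systemd.automount"
              "x-systemd.device-timeout=1m"
              "x-systemd.idle-timeout=1m"
              "x-systemd.mount-timeout=10s"
            ];
        };
      */
    };

  services.udev.packages = [
    # Allow the console user to access the Yubikey USB device node,
    # needed for challenge/response to work correctly.
    pkgs.yubikey-personalization
  ];

  services.xserver = {
    xkb = {
      layout = "fr,us(altgr-intl)";
    };
    desktopManager = {
      session = [
        # Let the session be generated by home-manager
        # The script lives in the user's home directory; the path is quoted
        # so that it is never word-split.
        {
          name = "home-manager";
          start = ''
            ${pkgs.runtimeShell} "$HOME/.hm-xsession" &
            waitPID=$!
          '';
        }
      ];
    };
  };

  services.displayManager = {
    defaultSession = "home-manager";
    #defaultSession = "none+xmonad";
    #defaultSession = "mate";
    #defaultSession = "cinnamon";
    # NOTE(review): naming a user here normally turns auto-login on, so the
    # session opens without a password for an account that is in "wheel".
    # Whether disk encryption or a screen locker compensates for that is not
    # visible in this file; confirm in nan2gua1/hardware.nix and the profiles.
    autoLogin = {
      user = config.users.users.julm.name;
    };
  };

  # Unfree packages are allowed by exact name only, so nothing else unfree
  # can enter the closure unnoticed.
  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
      "canon-cups-ufr2"
      "cuda_cccl"
      "cuda_cudart"
      "cuda_cupti"
      "cuda_nvcc"
      "cuda_nvrtc"
      "cuda_nvtx"
      "cudnn"
      "geogebra"
      "hplip"
      "libcublas"
      "libcufft"
      "libcurand"
      "libcusolver"
      "libcusparse"
      "libnvjitlink"
      "memtest86-efi"
      "shipwright"
      "steam"
      "steam-unwrapped"
      "synthesia"
      "torch"
      "triton"
    ];

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "25.05"; # Did you read the comment?
}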