1 { config, pkgs, lib, inputs, private, hostName, ... }:
2 let
3 inherit (config.users) users;
4 inherit (config.services) davfs2;
5 in
6 {
imports = [
  # Shared profiles: the DNSCrypt/DoH resolver and the security settings common
  # to all hosts (their contents are not shown in this file).
  ../profiles/dnscrypt-proxy2.nix
  ../profiles/security.nix
  # Host-specific pieces, each in its own module: hardware, the two VPN paths
  # (OpenVPN and WireGuard), Tor and backups.
  ./oignon/hardware.nix
  ./oignon/openvpn.nix
  ./oignon/wireguard.nix
  ./oignon/tor.nix
  ./oignon/backup.nix
];
16
# home-manager configuration of julm; `host.name` / `host.hardware` are
# presumably options declared by ../homes/julm.nix so the home modules can
# adapt to this ThinkPad X201.
home-manager.users.julm.imports = [ ../homes/julm.nix ];
home-manager.users.julm.host.name = hostName;
home-manager.users.julm.host.hardware = [ "ThinkPad" "X201" ];
# After every home-manager activation, delete all but the newest generation of
# julm's home-manager profile.  NOTE(review): this forfeits rolling back the
# home profile; the system profile is pruned separately by nix.gc.
systemd.services.home-manager-julm.postStart =
  "${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager\n";
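# Users are fully declarative: NixOS regenerates passwd/group/shadow from this
# configuration, and manual useradd/passwd changes are undone on activation.
users.mutableUsers = false;
users.users.julm = {
  isNormalUser = true;
  uid = 1000;
  # The hash is embedded into the built configuration, i.e. it lands in the
  # world-readable /nix/store.  NixOS writes it to /etc/shadow (root-only), so
  # the store copy is the weaker link: the hash must withstand offline cracking,
  # which is presumably why the source lives under private/world/.
  # `users.users.<name>.passwordFile` would read it at activation time instead
  # and keep it out of the store, if the private tree is reachable at that point.
  # fileContents (not readFile) drops the trailing newline most editors add,
  # which has no place in a shadow entry.
  hashedPassword = lib.fileContents ../private/world/julm/hashedPassword;
  extraGroups = [
    "adbusers"       # raw USB access to Android devices (see services.udev below)
    "lp"
    "networkmanager" # may reconfigure networking without sudo
    "scanner"
    "tor"            # NOTE(review): presumably for the Tor control/SOCKS sockets; confirm in oignon/tor.nix
    "video"
    "wheel"          # sudo, i.e. root-equivalent
    #"ipfs"
    davfs2.davGroup  # allowed to run mount.davfs for the WebDAV mount below
    #"vboxusers"
  ];
  # If created, zfs-mount.service would require:
  # zfs set overlay=yes ${hostName}/home
  createHome = false;
};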
48
# Nix daemon settings.
# The signing key lets this host serve signed store paths (see nix.sshServe).
# NOTE(review): `private` must be a plain string here, not a Nix path value —
# interpolating a path into this string would copy the whole private tree,
# key included, into the world-readable store.  Confirm how it is passed in.
nix.extraOptions = ''
  auto-optimise-store = true
  secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
'';
nix.gc = {
  automatic = true;
  dates = "weekly";
  options = "--delete-older-than 7d";
};
# NIX_PATH points at the /etc symlinks created by environment.etc below, so
# channel-style tooling uses the same pinned nixpkgs and overlays.
nix.nixPath = [
  "nixpkgs=/etc/nixpkgs"
  "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
];
# Trusted users may hand the daemon arbitrary substituters and settings; treat
# this as root-equivalent (julm is in wheel anyway).
nix.trustedUsers = [ users.julm.name ];
# Extra substituter and the key its paths must be signed with (the NixOS
# defaults are merged in as well).
nix.binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
nix.binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
# Let the holder of losurdo's key fetch store paths from this host over SSH;
# the NixOS module sets up a restricted `nix-ssh` user for that purpose.
nix.sshServe.enable = true;
nix.sshServe.keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
# SSH into julm's account: key-only, and only losurdo's key.
users.users.julm.openssh.authorizedKeys.keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
services.openssh = {
  # The firewall (enabled below) is not opened for sshd here; any exposure of
  # port 22 has to come from another module (e.g. on a VPN interface).
  openFirewall = false;
  # NOTE(review): X11 forwarding exposes the *connecting* client's display to
  # processes in the remote session; keep it only if `ssh -X` to this laptop
  # is actually needed.
  forwardX11 = true;
  passwordAuthentication = false;
};
77
nixpkgs.config.allowUnfree = true;
# Expose the evaluated nixpkgs and this flake's overlays under /etc, where
# nix.nixPath above points, so NIX_PATH users see the same pinned inputs.
environment.etc = {
  nixpkgs.source = pkgs.path;
  nixpkgs-overlays.source = inputs.self + "/nixpkgs";
};
81
documentation.nixos.enable = true;
# Locale: Paris time, French messages and keyboard on the console.
time.timeZone = "Europe/Paris";
i18n.defaultLocale = "fr_FR.UTF-8";
console = {
  font = "Lat2-Terminus16";
  keyMap = "fr";
};
87
networking.hostName = hostName;
networking.domain = "localdomain";
networking.search = [ "sourcephile.fr" ];
# NetworkManager drives the laptop's interfaces; Wi-Fi power saving is off.
networking.networkmanager = {
  enable = true;
  #dhcp = "dhcpcd";
  logLevel = "INFO";
  #wifi.backend = "iwd";
  #wifi.backend = "wpa_supplicant";
  wifi.powersave = false;
};
# Firewall on with nothing opened here; ICMP echo is dropped as well, so the
# host does not answer pings.
networking.firewall = {
  enable = true;
  allowPing = false;
};
107
sound.enable = true;
hardware.pulseaudio.enable = true;
# Scanner support; hplipWithPlugin bundles HP's proprietary plugin, which is
# why nixpkgs.config.allowUnfree is set above.
hardware.sane = {
  enable = true;
  extraBackends = [ pkgs.hplipWithPlugin ];
};
112
environment.variables = {
  EDITOR = "vim";
  PAGER = "less -R";
  SYSTEMD_LESS = "FKMRX";
};
# mkpasswd produces the hashedPassword hash used above; gdb goes with the
# core dumps kept by systemd.coredump.
environment.systemPackages = with pkgs; [
  mkpasswd
  gdb
];
122
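# Interactive bash setup: prefix history search on Up/Down, de-duplicated
# history, and two helpers — `mkcd DIR` creates and enters DIR, `fan [LEVEL]`
# sets the ThinkPad fan level through sudo or prints the current level/speed.
# mkcd now chains with `&&` so a failed mkdir does not fall through to `cd`.
programs.bash.interactiveShellInit = ''
  bind '"\e[A":history-search-backward'
  bind '"\e[B":history-search-forward'

  # Ignore duplicate commands, ignore commands starting with a space
  export HISTCONTROL=erasedups:ignorespace
  export HISTSIZE=42000
  # Append to the history instead of overwriting (good for multiple connections)
  shopt -s histappend

  # Utilities
  mkcd () { mkdir -p "$1" && cd "$1"; }
  fan () {
    if [ $# -gt 0 ]
    then sudo tee /proc/acpi/ibm/fan <<<"level $1"
    else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
    fi
    acpi -t
  }
'';
programs.bash.shellAliases = {
  cl = "clear";
  grep = "grep --color";
  l = "ls -alh";
  ll = "ls -al";
  ls = "ls --color=tty";
  mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";

  # systemd shortcuts; the sudo ones prompt as configured by security.nix.
  s = "sudo systemctl";
  st = "sudo systemctl status";
  u = "systemctl --user";
  j = "sudo journalctl -u";
  jb = "sudo journalctl -b";

  nix-history = "sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
  mv = "mv -i";
  sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
};
programs.dconf.enable = true;
# mtr needs raw sockets; the NixOS option installs it with a capability wrapper.
programs.mtr.enable = true;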
167
# mDNS: resolve .local names through glibc's NSS, but announce nothing.
# NOTE(review): .local answers are unauthenticated and trivially spoofed on a
# hostile LAN; and with the firewall on and openFirewall = false, UDP/5353
# replies may be dropped unless opened elsewhere — confirm resolution works.
services.avahi.enable = true;
services.avahi.nssmdns = true;
services.avahi.openFirewall = false;
services.avahi.publish.enable = false;
services.davfs2.enable = true;
services.davfs2.extraConfig = ''
'';
# WebDAV mount of severine's Nextcloud files.  Credentials are not in this
# file (davfs2 presumably reads them from the user's secrets file); note the
# cache_dir holds plaintext copies of remote files under $HOME.
fileSystems."/home/julm/mnt/ilico/severine" =
  let
    davConf = pkgs.writeText "davfs2.conf" ''
      backup_dir /home/julm/documents/backup/ilico/severine
      cache_dir /home/julm/.cache/davfs2/ilico/severine
    '';
  in {
    device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
    fsType = "davfs";
    # "user": julm may mount/unmount it without root; noexec/nosuid keep the
    # remote share from supplying executables or setuid binaries; noauto: not
    # mounted at boot ("x-systemd.automount" was considered instead).
    options = [ "conf=${davConf}" "user" "noexec" "nosuid" "noauto" ];
  };
# dconf over D-Bus (used by programs.dconf above) and GVFS for desktop mounts.
services.dbus.packages = [ pkgs.gnome3.dconf ];
services.gvfs.enable = true;
# IPFS is configured but currently not enabled (enable is commented out), so
# these settings are inert until it is.  Local discovery and MDNS are both off
# so the node would not announce itself on the LAN.
services.ipfs = {
  #enable = true;
  defaultMode = "online";
  autoMount = true;
  enableGC = true;
  localDiscovery = false;
  startWhenNeeded = true;
  extraConfig = {
    Datastore = { StorageMax = "10GB"; };
    Discovery = { MDNS = { Enabled = false; }; };
    #Bootstrap = [
    #];
    #Swarm.AddrFilters = null;
  };
};
# Persistent, compressed journal capped at 100M and one month.  Since it
# survives reboots, anything services print (tokens, URLs with secrets) stays
# on disk for that long.
services.journald.extraConfig = ''
  Compress=true
  MaxRetentionSec=1month
  Storage=persistent
  SystemMaxUse=100M
'';
# CUPS with Gutenprint and HP drivers.
services.printing.enable = true;
services.printing.drivers = with pkgs; [
  gutenprint
  hplip
];
# Allow members of the "adbusers" group to mount Android devices via MTP
# (julm is in that group above).
services.udev.packages = [ pkgs.android-udev-rules ];
services.xserver = {
  enable = true;
  layout = "fr";
  xkbOptions = "eurosign:e";
  libinput.enable = true;
  # The only session is the one home-manager generates (~/.hm-xsession); the
  # display manager runs it in the background and waits on its PID.
  desktopManager.session = [
    {
      name = "home-manager";
      start = ''
        ${pkgs.runtimeShell} $HOME/.hm-xsession &
        waitPID=$!
      '';
    }
  ];
  displayManager.defaultSession = "home-manager";
  #displayManager.defaultSession = "none+xmonad";
  # NOTE(review): auto-login drops whoever boots the machine into julm's
  # session without a password; this is only as safe as disk encryption / boot
  # protection and a screen locker, none of which is visible in this file —
  # confirm they are set elsewhere (e.g. ../profiles/security.nix).
  displayManager.autoLogin = {
    enable = true;
    user = users.julm.name;
  };
};
258
# Keep core dumps via systemd-coredump (inspect with coredumpctl / gdb).
# NOTE(review): a dump is a snapshot of process memory and may contain
# credentials or keys of whatever crashed; it stays on disk until cleaned up.
systemd.coredump = {
  enable = true;
};
#environment.enableDebugInfo = true;
261
# NixOS release whose defaults this system's stateful data (database layouts,
# default paths, ...) was created with.  Change it only when the NixOS release
# notes say so; bumping it does not upgrade anything by itself.
system = {
  stateVersion = "20.09"; # Did you read the comment?
};
266 }