wireguard: restart peer on failure (eg. DNS)

[julm/julm-nix.git] / hosts / patate.nix

{ config, pkgs, lib, inputs, hostName, ... }:
let inherit (config.users) users; in
{
imports = [
  ../profiles/dnscrypt-proxy2.nix
  ../profiles/security.nix
  patate/backup.nix
  patate/hardware.nix
];

home-manager.users.sevy = {
  imports = [ ../homes/sevy.nix ];
  host.name = hostName;
  host.hardware = ["ThinkPad" "X200"];
};
systemd.services.home-manager-julm.postStart = ''
  ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/sevy/home-manager
'';
users.mutableUsers = false;
users.users.sevy = {
  isNormalUser = true;
  uid = 1000;
  # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
  # which is already world readable.
  hashedPassword = lib.readFile ../private/world/sevy/hashedPassword;
  extraGroups = [
    "adbusers"
    config.services.davfs2.davGroup
    "lp"
    "networkmanager"
    "scanner"
    "systemd-journal"
    "tor"
    "vboxusers"
    "video"
    "wheel"
  ];
};

nix = {
  extraOptions = ''
    auto-optimise-store = true
  '';
  gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 7d";
  };
  nixPath = [
    "nixpkgs=/etc/nixpkgs"
    "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
  ];
  trustedUsers = [ users.sevy.name ];
  binaryCaches = [
    "https://nix-localcache.sourcephile.fr"
    #"ssh://nix-ssh@192.168.0.115" # FIXME: use wireguard
  ];
  binaryCachePublicKeys = [
    "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los="
    "oignon.sourcephile.fr:slxL7XLsGXlD1r6gvw1imL5uQntW0TTlQgGQt3LBJgQ="
  ];
};
services.openssh.passwordAuthentication = false;

nixpkgs.config = {
  allowUnfree = true;
};
environment.etc."nixpkgs".source = pkgs.path;
environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

documentation.nixos.enable = true;
time.timeZone = "Europe/Paris";
i18n.defaultLocale = "fr_FR.UTF-8";
console.font = "Lat2-Terminus16";
console.keyMap = "fr";

networking = {
  hostName = hostName;
  domain = "localdomain";
  networkmanager = {
    enable = true;
    #dhcp = "dhcpcd";
    logLevel = "INFO";
    wifi = {
      #backend = "iwd";
      #backend = "wpa_supplicant";
      powersave = false;
    };
  };
  firewall = {
    enable = true;
    allowPing = false;
    allowedTCPPorts = [
      51413 # transmission-gtk
      4662 # edonkey
    ];
    allowedUDPPorts = [
      51413 # transmission-gtk
      4667 # edonkey
      4672 # edonkey
    ];
  };
};

sound.enable = true;
hardware.pulseaudio.enable = true;
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];

environment.variables = {
  EDITOR = "vim -g";
  PAGER  = "less -R";
  SYSTEMD_LESS = "FKMRX";
};

programs = {
  bash = {
    interactiveShellInit = ''
      bind '"\e[A":history-search-backward'
      bind '"\e[B":history-search-forward'

      # Ignore duplicate commands, ignore commands starting with a space
      export HISTCONTROL=erasedups:ignorespace
      export HISTSIZE=42000
      # Append to the history instead of overwriting (good for multiple connections)
      shopt -s histappend

      # Utilities
      mkcd () { mkdir -p "$1"; cd "$1"; }
      fan () {
        if [ $# -gt 0 ]
        then sudo tee /proc/acpi/ibm/fan <<<"level $1"
        else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
        fi
        acpi -t
      }
    '';
    shellAliases = {
      cl = "clear";
      grep = "grep --color";
      l  = "ls -alh";
      ll = "ls -al";
      ls = "ls --color=tty";
      mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";

      s="sudo systemctl";
      st="sudo systemctl status";
      u="systemctl --user";
      j="sudo journalctl -u";
      jb="sudo journalctl -b";

      nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
      mv = "mv -i";
      sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
    };
  };
  dconf.enable = true;
  mtr.enable = true;
};

services.avahi = {
  enable  = true;
  nssmdns = true;
  openFirewall = false;
  publish = {
    enable = false;
  };
};
services.davfs2 = {
  enable = true;
  extraConfig = ''
  '';
};
fileSystems."/home/sevy/mnt/ilico/severine" = {
  device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
  fsType = "davfs";
  options =
    let conf = pkgs.writeText "davfs2.conf" ''
      backup_dir /home/sevy/Documents/EnTransfert/ilico/severine
      cache_dir /home/sevy/.cache/davfs2/ilico/severine
    ''; in
    [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
};
services.dbus = {
  packages = [ pkgs.gnome3.dconf ];
};
services.gvfs = {
  enable = true;
};
services.journald = {
  extraConfig = ''
    Compress=true
    MaxRetentionSec=1month
    Storage=persistent
    SystemMaxUse=100M
  '';
};
services.physlock = {
  enable = true;
  allowAnyUser = true;
  # NOTE: xfconf-query -c xfce4-session -p /general/LockCommand -s "physlock" --create -t string
};
services.printing = {
  enable = true;
  drivers = [
    pkgs.gutenprint
    pkgs.hplip
  ];
};
services.udev = {
  packages = [
    # Allow members of the "adbusers" group to mount Android devices via MTP
    pkgs.android-udev-rules
  ];
};
services.xserver = {
  enable = true;
  layout = "fr";
  xkbOptions = "eurosign:e";
  libinput.enable = true;
  desktopManager = {
    xfce = {
      enable = true;
      thunarPlugins = [
        #pkgs.xfce.thunar-archive-plugin
      ];
    };
    xterm.enable = false;
  };
  displayManager = {
    defaultSession = "xfce";
    autoLogin = {
      enable = true;
      user = users.sevy.name;
    };
  };
};

virtualisation.virtualbox.host.enable = true;

# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you should.
system.stateVersion = "20.03"; # Did you read the comment?
}