# NixOS host module for `oignon` (hosts/oignon.nix).
#
# Arguments: the standard module arguments plus `inputs` (flake inputs),
# `private` (a path/string used below to locate this host's secret material)
# and `hostName` (the name this host is built under).  Everything here is
# declarative: users, Nix daemon settings, SSH, networking, desktop session.
{ config, pkgs, lib, inputs, private, hostName, ... }:
let
  inherit (config.users) users;
  inherit (config.services) davfs2;
in
{
  imports = [
    ../profiles/dnscrypt-proxy2.nix
    # Shared hardening profile; one of its settings is relaxed further down
    # (security.lockKernelModules).
    ../profiles/security.nix
    ../networking/wireguard/wg-intra.nix
    oignon/hardware.nix
    oignon/wireguard.nix
    oignon/tor.nix
    oignon/backup.nix
  ];

  home-manager.users.julm = {
    imports = [
      ../homes/julm.nix
      inputs.nix-doom-emacs.hmModule
    ];
    # `host.hardware` is presumably an option declared by ../homes/julm.nix;
    # it is not a stock home-manager option.
    host.hardware = ["ThinkPad" "X201"];
  };
  # `+1` keeps only the newest home-manager generation, so there is no
  # previous generation to roll back to for this user profile.
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';
  # NOTE(review): this re-enables runtime module loading; presumably it is
  # needed for hot-plugged hardware on a laptop, but it does weaken the
  # hardening imported above — confirm it is intended.
  security.lockKernelModules = false;
  # Users and passwords come exclusively from this configuration.
  users.mutableUsers = false;
  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
    # which is already world readable.
    hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
    # "wheel" grants sudo; the other groups grant device / daemon access
    # (adb, printing, NetworkManager, scanners, tor control, video).
    extraGroups = [
      "adbusers"
      "lp"
      "networkmanager"
      "scanner"
      "tor"
      "video"
      "wheel"
      #"ipfs"
      davfs2.davGroup
      #"vboxusers"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = false;
  };

  nix = {
    # Binary-cache signing key for this host.
    # NOTE(review): if `private` evaluates to a Nix *path* (e.g. a flake
    # input), interpolating it here copies the key into the world-readable
    # /nix/store.  The deliberately public material lives under
    # ../private/world above, so `private` is presumably an out-of-store
    # string path — confirm.
    extraOptions = ''
      secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
    '';
    autoOptimiseStore = true;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
    nixPath = [
      "nixpkgs=/etc/nixpkgs"
      "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
    ];
    # A trusted user can point the daemon at arbitrary substituters and
    # override signature checks, which is root-equivalent over the store.
    # julm is already in "wheel", so this grants nothing new.
    trustedUsers = [ users.julm.name ];
    # Plain HTTP transport: integrity of substituted paths rests entirely on
    # the signature check against the public key below, not on the channel.
    binaryCaches = [ "http://nix-localcache.losurdo.wg" ];
    binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
  };
  documentation = {
    enable = true;
    dev.enable = true;
    doc.enable = true;
    info.enable = false;
    man.enable = true;
    nixos.enable = false;
  };
  # Lets the holder of the listed key fetch store paths from this host over
  # SSH (nix-store --serve).  No `write` option is set here, so this is the
  # read-only serve mode.
  nix.sshServe = {
    enable = true;
    keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
  };
  users.users.julm.openssh.authorizedKeys.keys = [
    (lib.readFile ../private/world/julm/losurdo/ssh.pub)
  ];
  # sshd is not opened on the firewall, so it is reachable only over
  # interfaces the firewall already trusts (presumably the WireGuard ones
  # configured in oignon/wireguard.nix / wg-intra.nix).
  services.openssh.openFirewall = false;
  # X11Forwarding in sshd: the exposure is on the connecting client, whose X
  # server becomes reachable by processes running on this host.
  services.openssh.forwardX11 = true;
  # Key-only authentication.
  services.openssh.passwordAuthentication = false;

  nixpkgs.config.allowUnfree = true;
  environment.etc."nixpkgs".source = pkgs.path;
  environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "fr_FR.UTF-8";
  console.font = "Lat2-Terminus16";
  console.keyMap = "fr";

  networking = {
    hostName = hostName;
    domain = "localdomain";
    search = [ "sourcephile.fr" ];
    networkmanager = {
      enable = true;
      #dhcp = "dhcpcd";
      logLevel = "INFO";
      wifi = {
        #backend = "iwd";
        #backend = "wpa_supplicant";
        powersave = false;
      };
    };
    firewall = {
      enable = true;
      allowPing = false;
    };
  };

  sound.enable = true;
  hardware.pulseaudio.enable = true;
  hardware.sane.enable = true;
  hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];

  environment.variables = {
    EDITOR = "vim";
    PAGER = "less -R";
    SYSTEMD_LESS = "FKMRX";
  };
  environment.systemPackages = [
    pkgs.mkpasswd
    pkgs.gdb
    pkgs.riseup-vpn
    # A Nix expression fetched from a personal nixpkgs fork and evaluated at
    # build time.  The content hash pins it, so the mutable `bitmask` branch
    # reference cannot silently change what gets evaluated; bumping the URL
    # requires bumping the hash (use the commented fakeHash to obtain it).
    (pkgs.libsForQt5.callPackage
      (pkgs.fetchurl {
        url = "https://raw.githubusercontent.com/ju1m/nixpkgs/bitmask/pkgs/tools/networking/bitmask-vpn/default.nix";
        hash = "sha256-j9S+7GHrHF9sP5V/jtRai9v5OzxkxC0/chQDDc03+5A=";
        #hash = lib.fakeHash;
      })
      { provider = "riseup" /* or "calyx" */; })
    #pkgs.riseup-vpn
    #pkgs.calyx-vpn
  ];

  programs = {
    bash = {
      # Interactive shell setup: history keybindings, history policy and a
      # couple of ThinkPad helpers (`fan` writes to /proc/acpi/ibm/fan via
      # sudo).
      interactiveShellInit = ''
        bind '"\e[A":history-search-backward'
        bind '"\e[B":history-search-forward'

        # Ignore duplicate commands, ignore commands starting with a space
        export HISTCONTROL=erasedups:ignorespace
        export HISTSIZE=42000
        # Append to the history instead of overwriting (good for multiple connections)
        shopt -s histappend

        # Utilities
        mkcd () { mkdir -p "$1"; cd "$1"; }
        fan () {
          if [ $# -gt 0 ]
          then sudo tee /proc/acpi/ibm/fan <<<"level $1"
          else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
          fi
          acpi -t
        }
      '';
      shellAliases = {
        cl = "clear";
        grep = "grep --color";
        l = "ls -alh";
        ll = "ls -al";
        ls = "ls --color=tty";
        mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";

        s="sudo systemctl";
        st="sudo systemctl status";
        u="systemctl --user";
        j="sudo journalctl -u";
        jb="sudo journalctl -b";

        nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
        mv = "mv -i";
        sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
      };
    };
    dconf.enable = true;
    mtr.enable = true;
  };

  # mDNS name resolution only: nothing is published and the firewall stays
  # closed to avahi.
  services.avahi = {
    enable = true;
    nssmdns = true;
    openFirewall = false;
    publish = {
      enable = false;
    };
  };
  services.davfs2 = {
    enable = true;
    extraConfig = ''
    '';
  };
  # WebDAV share mounted over HTTPS by the unprivileged user (`user`), with
  # noexec/nosuid so nothing from the remote can run with elevated rights.
  # Credentials are not in this file; davfs2 presumably reads them from its
  # own secrets file.
  fileSystems."/home/julm/mnt/ilico/severine" = {
    device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
    fsType = "davfs";
    options =
      let conf = pkgs.writeText "davfs2.conf" ''
        backup_dir /home/julm/documents/backup/ilico/severine
        cache_dir /home/julm/.cache/davfs2/ilico/severine
      ''; in
      [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
  };
  services.dbus = {
    packages = [ pkgs.gnome3.dconf ];
  };
  services.gvfs = {
    enable = true;
  };
  # `enable` is commented out, so none of these IPFS settings take effect
  # until it is turned on; local/mDNS discovery is already off for that case.
  services.ipfs = {
    #enable = true;
    defaultMode = "online";
    autoMount = true;
    enableGC = true;
    localDiscovery = false;
    extraConfig = {
      Datastore.StorageMax = "10GB";
      Discovery.MDNS.Enabled = false;
      #Bootstrap = [
      #];
      #Swarm.AddrFilters = null;
    };
    startWhenNeeded = true;
  };
  # Persistent, size- and age-capped journal (useful for post-incident review).
  services.journald = {
    extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=100M
    '';
  };
  services.printing = {
    enable = true;
    drivers = [
      pkgs.gutenprint
      pkgs.hplip
    ];
  };
  services.udev = {
    packages = [
      # Allow members of the "adbusers" group to mount Android devices via MTP.
      pkgs.android-udev-rules
      # Allow the console user access the Yubikey USB device node,
      # needed for challenge/response to work correctly.
      pkgs.yubikey-personalization
    ];
  };
  services.xserver = {
    enable = true;
    layout = "fr";
    xkbOptions = "eurosign:e";
    libinput.enable = true;
    desktopManager = {
      session = [
        # Let the session be generated by home-manager
        { name = "home-manager";
          start = ''
            ${pkgs.runtimeShell} $HOME/.hm-xsession &
            waitPID=$!
          '';
        }
      ];
    };
    displayManager = {
      defaultSession = "home-manager";
      #defaultSession = "none+xmonad";
      # Auto-login of a "wheel" member: anyone who can boot the machine gets
      # a sudo-capable session without a password prompt.  This is only as
      # strong as whatever disk encryption oignon/hardware.nix configures
      # (not visible here — confirm).
      autoLogin = {
        enable = true;
        user = users.julm.name;
      };
    };
  };

  # Core dumps are kept on disk; they can capture secrets held in process
  # memory (SSH agent, browsers, VPN clients), so treat /var/lib/systemd
  # accordingly.
  systemd.coredump.enable = true;
  #environment.enableDebugInfo = true;

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "20.09"; # Did you read the comment?
}