]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/patate.nix
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nix: move secrets to private
[julm/julm-nix.git] / hosts / patate.nix
1 { config, pkgs, lib, inputs, hostName, ... }:
2 let inherit (config.users) users; in
3 {
4 imports = [
5 ../profiles/dnscrypt-proxy2.nix
6 patate/backup.nix
7 patate/hardware.nix
8 ];
9
10 home-manager.users.sevy = {
11 imports = [ ../homes/sevy.nix ];
12 host.name = hostName;
13 host.hardware = ["ThinkPad" "X200"];
14 };
15 systemd.services.home-manager-julm.postStart = ''
16 ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/sevy/home-manager
17 '';
18 users.mutableUsers = false;
19 users.users.sevy = {
20 isNormalUser = true;
21 uid = 1000;
22 # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
23 # which is already world readable.
24 hashedPassword = lib.readFile ../private/world/sevy/hashedPassword;
25 extraGroups = [
26 "adbusers"
27 "lp"
28 "networkmanager"
29 "scanner"
30 "systemd-journal"
31 "tor"
32 "vboxusers"
33 "video"
34 "wheel"
35 ];
36 };
37
38 nix = {
39 extraOptions = ''
40 auto-optimise-store = true
41 '';
42 gc = {
43 automatic = true;
44 dates = "weekly";
45 options = "--delete-older-than 7d";
46 };
47 nixPath = [
48 "nixpkgs=/etc/nixpkgs"
49 "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
50 ];
51 trustedUsers = [ users.sevy.name ];
52 binaryCaches = [
53 "https://nix-localcache.sourcephile.fr"
54 "ssh://nix-ssh@192.168.0.115" # FIXME: use wireguard
55 ];
56 binaryCachePublicKeys = [
57 "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los="
58 "oignon.sourcephile.fr:slxL7XLsGXlD1r6gvw1imL5uQntW0TTlQgGQt3LBJgQ="
59 ];
60 };
61 services.openssh.passwordAuthentication = false;
62
63 nixpkgs.config = {
64 allowUnfree = true;
65 };
66 environment.etc."nixpkgs".source = pkgs.path;
67 environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
68
69 documentation.nixos.enable = true;
70 time.timeZone = "Europe/Paris";
71 i18n.defaultLocale = "fr_FR.UTF-8";
72 console.font = "Lat2-Terminus16";
73 console.keyMap = "fr";
74
75 networking = {
76 hostName = hostName;
77 domain = "localdomain";
78 networkmanager = {
79 enable = true;
80 #dhcp = "dhcpcd";
81 logLevel = "INFO";
82 wifi = {
83 #backend = "iwd";
84 #backend = "wpa_supplicant";
85 powersave = false;
86 };
87 };
88 firewall = {
89 enable = true;
90 allowPing = false;
91 allowedTCPPorts = [
92 51413 # transmission-gtk
93 4662 # edonkey
94 ];
95 allowedUDPPorts = [
96 51413 # transmission-gtk
97 4667 # edonkey
98 4672 # edonkey
99 ];
100 };
101 };
102
103 sound.enable = true;
104 hardware.pulseaudio.enable = true;
105 hardware.sane.enable = true;
106 hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
107
108 environment.variables = {
109 EDITOR = "vim -g";
110 PAGER = "less -R";
111 SYSTEMD_LESS = "FKMRX";
112 };
113
114 programs = {
115 bash = {
116 interactiveShellInit = ''
117 bind '"\e[A":history-search-backward'
118 bind '"\e[B":history-search-forward'
119
120 # Ignore duplicate commands, ignore commands starting with a space
121 export HISTCONTROL=erasedups:ignorespace
122 export HISTSIZE=42000
123 # Append to the history instead of overwriting (good for multiple connections)
124 shopt -s histappend
125
126 # Utilities
127 mkcd () { mkdir -p "$1"; cd "$1"; }
128 fan () {
129 if [ $# -gt 0 ]
130 then sudo tee /proc/acpi/ibm/fan <<<"level $1"
131 else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
132 fi
133 acpi -t
134 }
135 '';
136 shellAliases = {
137 cl = "clear";
138 grep = "grep --color";
139 l = "ls -alh";
140 ll = "ls -al";
141 ls = "ls --color=tty";
142 mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
143
144 s="sudo systemctl";
145 st="sudo systemctl status";
146 u="systemctl --user";
147 j="sudo journalctl -u";
148 jb="sudo journalctl -b";
149
150 nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
151 mv = "mv -i";
152 sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
153 };
154 };
155 dconf.enable = true;
156 mtr.enable = true;
157 };
158
159 services = {
160 avahi = {
161 enable = true;
162 nssmdns = true;
163 openFirewall = false;
164 publish = {
165 enable = false;
166 };
167 };
168 dbus = {
169 packages = [ pkgs.gnome3.dconf ];
170 };
171 gvfs = {
172 enable = true;
173 };
174 journald = {
175 extraConfig = ''
176 Compress=true
177 MaxRetentionSec=1month
178 Storage=persistent
179 SystemMaxUse=100M
180 '';
181 };
182 physlock = {
183 enable = true;
184 allowAnyUser = true;
185 # NOTE: xfconf-query -c xfce4-session -p /general/LockCommand -s "physlock" --create -t string
186 };
187 printing = {
188 enable = true;
189 drivers = [
190 pkgs.gutenprint
191 pkgs.hplip
192 ];
193 };
194 udev = {
195 packages = [
196 # Allow members of the "adbusers" group to mount Android devices via MTP
197 pkgs.android-udev-rules
198 ];
199 };
200 xserver = {
201 enable = true;
202 layout = "fr";
203 xkbOptions = "eurosign:e";
204 libinput.enable = true;
205 desktopManager = {
206 xfce = {
207 enable = true;
208 thunarPlugins = [
209 #pkgs.xfce.thunar-archive-plugin
210 ];
211 };
212 xterm.enable = false;
213 };
214 displayManager = {
215 defaultSession = "xfce";
216 autoLogin = {
217 enable = true;
218 user = users.sevy.name;
219 };
220 };
221 };
222 };
223
224 virtualisation.virtualbox.host.enable = true;
225
226 # This value determines the NixOS release with which your system is to be
227 # compatible, in order to avoid breaking some software such as database
228 # servers. You should change this only after NixOS release notes say you should.
229 system.stateVersion = "20.03"; # Did you read the comment?
230 }
julm's NixOS and home-manager configs