]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/oignon.nix
mastodon-archive: install on julm
[julm/julm-nix.git] / hosts / oignon.nix
1 { config, pkgs, lib, inputs, private, hostName, ... }:
2 let
3 inherit (config.users) users;
4 inherit (config.services) davfs2;
5 in
6 {
7 imports = [
8 ../profiles/dnscrypt-proxy2.nix
9 ../profiles/security.nix
10 oignon/hardware.nix
11 oignon/openvpn.nix
12 oignon/wireguard.nix
13 oignon/tor.nix
14 oignon/backup.nix
15 ];
16
17 home-manager.users.julm = {
18 imports = [
19 ../homes/julm.nix
20 inputs.nix-doom-emacs.hmModule
21 ];
22 host.name = hostName;
23 host.hardware = ["ThinkPad" "X201"];
24 };
25 systemd.services.home-manager-julm.postStart = ''
26 ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
27 '';
28 security.lockKernelModules = false;
29 users.mutableUsers = false;
30 users.users.julm = {
31 isNormalUser = true;
32 uid = 1000;
33 # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
34 # which is already world readable.
35 hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
36 extraGroups = [
37 "adbusers"
38 "lp"
39 "networkmanager"
40 "scanner"
41 "tor"
42 "video"
43 "wheel"
44 #"ipfs"
45 davfs2.davGroup
46 #"vboxusers"
47 ];
48 # If created, zfs-mount.service would require:
49 # zfs set overlay=yes ${hostName}/home
50 createHome = false;
51 };
52
53 nix = {
54 extraOptions = ''
55 secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
56 '';
57 autoOptimiseStore = true;
58 gc = {
59 automatic = true;
60 dates = "weekly";
61 options = "--delete-older-than 7d";
62 };
63 nixPath = [
64 "nixpkgs=/etc/nixpkgs"
65 "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
66 ];
67 trustedUsers = [ users.julm.name ];
68 binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
69 binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
70 };
71 documentation.enable = false;
72 nix.sshServe = {
73 enable = true;
74 keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
75 };
76 users.users.julm.openssh.authorizedKeys.keys = [
77 (lib.readFile ../private/world/julm/losurdo/ssh.pub)
78 ];
79 services.openssh.openFirewall = false;
80 services.openssh.forwardX11 = true;
81 services.openssh.passwordAuthentication = false;
82
83 nixpkgs.config.allowUnfree = true;
84 environment.etc."nixpkgs".source = pkgs.path;
85 environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
86
87 documentation.nixos.enable = true;
88 time.timeZone = "Europe/Paris";
89 i18n.defaultLocale = "fr_FR.UTF-8";
90 console.font = "Lat2-Terminus16";
91 console.keyMap = "fr";
92
93 networking = {
94 hostName = hostName;
95 domain = "localdomain";
96 search = [ "sourcephile.fr" ];
97 networkmanager = {
98 enable = true;
99 #dhcp = "dhcpcd";
100 logLevel = "INFO";
101 wifi = {
102 #backend = "iwd";
103 #backend = "wpa_supplicant";
104 powersave = false;
105 };
106 };
107 firewall = {
108 enable = true;
109 allowPing = false;
110 };
111 };
112
113 sound.enable = true;
114 hardware.pulseaudio.enable = true;
115 hardware.sane.enable = true;
116 hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
117
118 environment.variables = {
119 EDITOR = "vim";
120 PAGER = "less -R";
121 SYSTEMD_LESS = "FKMRX";
122 };
123 environment.systemPackages = [
124 pkgs.mkpasswd
125 pkgs.gdb
126 ];
127
128 programs = {
129 bash = {
130 interactiveShellInit = ''
131 bind '"\e[A":history-search-backward'
132 bind '"\e[B":history-search-forward'
133
134 # Ignore duplicate commands, ignore commands starting with a space
135 export HISTCONTROL=erasedups:ignorespace
136 export HISTSIZE=42000
137 # Append to the history instead of overwriting (good for multiple connections)
138 shopt -s histappend
139
140 # Utilities
141 mkcd () { mkdir -p "$1"; cd "$1"; }
142 fan () {
143 if [ $# -gt 0 ]
144 then sudo tee /proc/acpi/ibm/fan <<<"level $1"
145 else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
146 fi
147 acpi -t
148 }
149 '';
150 shellAliases = {
151 cl = "clear";
152 grep = "grep --color";
153 l = "ls -alh";
154 ll = "ls -al";
155 ls = "ls --color=tty";
156 mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
157
158 s="sudo systemctl";
159 st="sudo systemctl status";
160 u="systemctl --user";
161 j="sudo journalctl -u";
162 jb="sudo journalctl -b";
163
164 nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
165 mv = "mv -i";
166 sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
167 };
168 };
169 dconf.enable = true;
170 mtr.enable = true;
171 };
172
173 services.avahi = {
174 enable = true;
175 nssmdns = true;
176 openFirewall = false;
177 publish = {
178 enable = false;
179 };
180 };
181 services.davfs2 = {
182 enable = true;
183 extraConfig = ''
184 '';
185 };
186 fileSystems."/home/julm/mnt/ilico/severine" = {
187 device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
188 fsType = "davfs";
189 options =
190 let conf = pkgs.writeText "davfs2.conf" ''
191 backup_dir /home/julm/documents/backup/ilico/severine
192 cache_dir /home/julm/.cache/davfs2/ilico/severine
193 ''; in
194 [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
195 };
196 services.dbus = {
197 packages = [ pkgs.gnome3.dconf ];
198 };
199 services.gvfs = {
200 enable = true;
201 };
202 services.ipfs = {
203 #enable = true;
204 defaultMode = "online";
205 autoMount = true;
206 enableGC = true;
207 localDiscovery = false;
208 extraConfig = {
209 Datastore.StorageMax = "10GB";
210 Discovery.MDNS.Enabled = false;
211 #Bootstrap = [
212 #];
213 #Swarm.AddrFilters = null;
214 };
215 startWhenNeeded = true;
216 };
217 services.journald = {
218 extraConfig = ''
219 Compress=true
220 MaxRetentionSec=1month
221 Storage=persistent
222 SystemMaxUse=100M
223 '';
224 };
225 services.printing = {
226 enable = true;
227 drivers = [
228 pkgs.gutenprint
229 pkgs.hplip
230 ];
231 };
232 services.udev = {
233 packages = [
234 # Allow members of the "adbusers" group to mount Android devices via MTP.
235 pkgs.android-udev-rules
236 # Allow the console user access the Yubikey USB device node,
237 # needed for challenge/response to work correctly.
238 pkgs.yubikey-personalization
239 ];
240 };
241 services.xserver = {
242 enable = true;
243 layout = "fr";
244 xkbOptions = "eurosign:e";
245 libinput.enable = true;
246 desktopManager = {
247 session = [
248 # Let the session be generated by home-manager
249 { name = "home-manager";
250 start = ''
251 ${pkgs.runtimeShell} $HOME/.hm-xsession &
252 waitPID=$!
253 '';
254 }
255 ];
256 };
257 displayManager = {
258 defaultSession = "home-manager";
259 #defaultSession = "none+xmonad";
260 autoLogin = {
261 enable = true;
262 user = users.julm.name;
263 };
264 };
265 };
266
267 systemd.coredump.enable = true;
268 #environment.enableDebugInfo = true;
269
270 # This value determines the NixOS release with which your system is to be
271 # compatible, in order to avoid breaking some software such as database
272 # servers. You should change this only after NixOS release notes say you should.
273 system.stateVersion = "20.09"; # Did you read the comment?
274 }