hosts/blackberry.nix

   1 {
   2   config,
   3   pkgs,
   4   lib,
   5   inputs,
   6   hostName,
   7   ...
   8 }:
   9 {
  10   imports = [
  11     #../nixos/profiles/debug.nix
  12     ../nixos/profiles/graphical.nix
  13     #../nixos/profiles/irssi.nix
  14     ../nixos/profiles/lang-fr.nix
  15     ../nixos/profiles/desktop.nix
  16     ../nixos/profiles/printing.nix
  17     #../nixos/profiles/radio.nix
  18     ../nixos/profiles/tor.nix
  19     ../nixos/profiles/bluetooth.nix
  20     ../nixos/profiles/home.nix
  21     #blackberry/backup.nix
  22     blackberry/hardware.nix
  23     blackberry/nebula.nix
  24     blackberry/networking.nix
  25     #blackberry/pixiecore.nix
  26     blackberry/nix-ssh.nix
  27   ];
  28
  29   # Lower kernel's security for better performances
  30   security.kernel.mitigations = "off";
  31
  32   home-manager.users.julm = {
  33     imports = [ ../homes/julm.nix ];
  34   };
  35   users.users.root = {
  36     openssh.authorizedKeys.keys = map lib.readFile [
  37       # For nix -L run .#pumpkin.switch
  38       ../users/julm/ssh/oignon.pub
  39       ../users/julm/ssh/pumpkin.pub
  40       ../users/julm/ssh/blackberry.pub
  41     ];
  42   };
  43   users.users.julm = {
  44     isNormalUser = true;
  45     uid = 1000;
  46     # Put the hashedPassword in /nix/store,
  47     # though /etc/shadow is not world readable...
  48     # printf %s $(mkpasswd -m md5crypt)
  49     hashedPassword = lib.readFile blackberry/users/julm/login/hashedPassword.clear;
  50     extraGroups = [
  51       "adbusers"
  52       "dialout"
  53       "lp"
  54       "networkmanager"
  55       "plugdev" # For rtl-sdr
  56       "scanner"
  57       "tor"
  58       "video"
  59       "wheel"
  60       "wireshark"
  61       #"ipfs"
  62       config.services.davfs2.davGroup
  63       #"vboxusers"
  64     ];
  65     # If created, zfs-mount.service would require:
  66     # zfs set overlay=yes ${hostName}/home
  67     createHome = false;
  68     openssh.authorizedKeys.keys = map lib.readFile [
  69       ../users/julm/ssh/oignon.pub
  70       ../users/julm/ssh/pumpkin.pub
  71       ../users/julm/ssh/losurdo.pub
  72     ];
  73   };
  74
  75   nix = {
  76     extraOptions = '''';
  77     settings = {
  78       substituters = [
  79       ];
  80       trusted-public-keys = map lib.readFile [
  81       ];
  82     };
  83   };
  84
  85   environment.systemPackages = [
  86     #pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules
  87   ];
  88
  89   boot.extraModulePackages = [
  90     #config.boot.kernelPackages.v4l2loopback
  91   ];
  92
  93   programs.fuse.userAllowOther = true;
  94
  95   systemd.automounts = [
  96     {
  97       where = "/mnt/aubergine";
  98       automountConfig.TimeoutIdleSec = "5 min";
  99     }
 100   ];
 101   fileSystems =
 102     let
 103       # Use the user's gpg-agent session to query
 104       # for the password of the SSH key when auto-mounting.
 105       sshAsUser = pkgs.writeScript "sshAsUser" ''
 106         user="$1"; shift
 107         exec ${pkgs.sudo}/bin/sudo -i -u "$user" \
 108           ${pkgs.openssh}/bin/ssh "$@"
 109       '';
 110       options = [
 111         "user"
 112         "uid=julm"
 113         "gid=users"
 114         "allow_other"
 115         "exec" # Override "user"'s noexec
 116         "noatime"
 117         "nosuid"
 118         "_netdev"
 119         "ssh_command=${sshAsUser}\\040julm"
 120         "noauto"
 121         "x-gvfs-hide"
 122         "x-systemd.automount"
 123         #"Compression=yes" # YMMV
 124         # Disconnect approximately 2*15=30 seconds after a network failure
 125         "ServerAliveCountMax=1"
 126         "ServerAliveInterval=15"
 127         "dir_cache=no"
 128         #"reconnect"
 129       ];
 130     in
 131     {
 132       "/mnt/aubergine" = {
 133         device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.sp:/";
 134         fsType = "fuse";
 135         inherit options;
 136       };
 137     };
 138
 139   networking.firewall.extraCommands = ''
 140     ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 8000 -j ACCEPT
 141   '';
 142
 143   services.xserver = {
 144     xkb = {
 145       layout = "fr,us(altgr-intl)";
 146     };
 147     desktopManager = {
 148       session = [
 149         # Let the session be generated by home-manager
 150         {
 151           name = "home-manager";
 152           start = ''
 153             ${pkgs.runtimeShell} $HOME/.hm-xsession &
 154             waitPID=$!
 155           '';
 156         }
 157       ];
 158     };
 159   };
 160
 161   services.displayManager = {
 162     defaultSession = "home-manager";
 163     #defaultSession = "none+xmonad";
 164     #defaultSession = "mate";
 165     #defaultSession = "cinnamon";
 166     autoLogin = {
 167       user = config.users.users.julm.name;
 168     };
 169   };
 170
 171   nixpkgs.config.allowUnfreePredicate =
 172     pkg:
 173     builtins.elem (lib.getName pkg) [
 174       "canon-cups-ufr2"
 175       "geogebra"
 176       "hplip"
 177       "memtest86-efi"
 178       #"shipwright"
 179     ];
 180
 181   # This value determines the NixOS release with which your system is to be
 182   # compatible, in order to avoid breaking some software such as database
 183   # servers. You should change this only after NixOS release notes say you should.
 184   system.stateVersion = "24.05"; # Did you read the comment?
 185 }