oignon: sshfs: automount losurdo
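{ config, pkgs, lib, private, hostName, ... }:
let
  # julm's SSH public key as used from losurdo. The same key is granted both a
  # regular login (authorizedKeys) and nix-ssh-serve access below, so it is
  # read once here instead of twice.
  losurdoSshPub = lib.readFile ../private/world/julm/losurdo/ssh.pub;
in
{
  imports = [
    ../nixos/profiles/dnscrypt-proxy2.nix
    ../nixos/profiles/security.nix
    ../nixos/profiles/wireguard/wg-intra.nix
    oignon/hardware.nix
    oignon/wireguard.nix
    oignon/tor.nix
    oignon/backup.nix
  ];

  home-manager.users.julm = {
    imports = [ ../homes/julm.nix ];
    host.hardware = [ "ThinkPad" "X201" ];
  };
  # Keep only the newest home-manager generation once activation succeeded.
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';
  # NOTE(review): explicitly leaves kernel modules loadable after boot
  # (the imported security profile presumably locks them — confirm);
  # the reason is not recorded here.
  security.lockKernelModules = false;
  users.mutableUsers = false;
  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
    # which is already world readable.
    hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
    # "wheel" grants sudo; the davfs2 group is needed to mount the
    # davfs entries declared below as this user.
    extraGroups = [
      "adbusers"
      "lp"
      "networkmanager"
      "scanner"
      "tor"
      "video"
      "wheel"
      #"ipfs"
      config.services.davfs2.davGroup
      #"vboxusers"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = false;
  };

  nix = {
    # Private signing key of this host's binary cache; the path is outside
    # the repository (`private`) so the secret does not end up in /nix/store.
    extraOptions = ''
      secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
    '';
    autoOptimiseStore = true;
    gc.automatic = true;
    gc.dates = "weekly";
    gc.options = "--delete-older-than 7d";
    nixPath = lib.mkForce [];
    # A trusted user may set arbitrary daemon options (substituters, sandbox,
    # ...) and import unsigned paths, which is effectively root on the store;
    # julm is already in "wheel" above, so this adds no new privilege.
    trustedUsers = [ config.users.users.julm.name ];
    # The cache is reached over plain HTTP (over the WireGuard link, judging
    # by the .wg name); fetched paths are still verified against the public
    # key below, so integrity does not rely on the transport.
    binaryCaches = [ "http://nix-localcache.losurdo.wg" ];
    binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
  };
  #environment.etc."nixpkgs".source = pkgs.path;
  #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  documentation = {
    enable = true;
    dev.enable = true;
    doc.enable = true;
    info.enable = false;
    man.enable = true;
    nixos.enable = false;
  };
  # Let losurdo pull store paths from this host over SSH (nix-ssh user).
  nix.sshServe = {
    enable = true;
    keys = [ losurdoSshPub ];
  };
  users.users.julm.openssh.authorizedKeys.keys = [
    losurdoSshPub
  ];

  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "fr_FR.UTF-8";
  console.font = "Lat2-Terminus16";
  console.keyMap = "fr";

  networking = {
    hostName = hostName;
    domain = "localdomain";
    search = [ "sourcephile.fr" ];
    networkmanager = {
      enable = true;
      #dhcp = "dhcpcd";
      logLevel = "INFO";
      wifi = {
        #backend = "iwd";
        #backend = "wpa_supplicant";
        powersave = false;
      };
    };
    firewall = {
      enable = true;
      allowPing = true;
    };
  };

  sound.enable = true;
  hardware.pulseaudio.enable = true;
  hardware.sane.enable = true;
  hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];

  environment.variables = {
    EDITOR = "vim";
    PAGER = "less -R";
    SYSTEMD_LESS = "FKMRX";
  };

  # `fan [level]`: show or set the ThinkPad fan level through thinkpad_acpi.
  programs.bash.interactiveShellInit = ''
    fan () {
      if [ $# -gt 0 ]
      then sudo tee /proc/acpi/ibm/fan <<<"level $1"
      else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
      fi
      acpi -t
    }
  '';
  programs.dconf.enable = true;
  programs.mtr.enable = true;

  services.avahi = {
    enable = true;
    # NOTE(review): incoming mDNS (UDP 5353) stays blocked by the firewall
    # enabled above since openFirewall is false; .local lookups through
    # nssmdns may depend on it — verify they work as intended.
    nssmdns = true;
    openFirewall = false;
    publish = {
      enable = false;
    };
  };
  services.davfs2 = {
    enable = true;
    extraConfig = ''
    '';
  };
  # WebDAV share mounted on demand by the user; nothing on it may be
  # executed or gain privileges (noexec, nosuid).
  fileSystems."/home/julm/mnt/ilico/severine" = {
    device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
    fsType = "davfs";
    options =
      let conf = pkgs.writeText "davfs2.conf" ''
        backup_dir /home/julm/documents/backup/ilico/severine
        cache_dir /home/julm/.cache/davfs2/ilico/severine
      ''; in
      [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
  };
  # Required for the "allow_other" mount option used below.
  programs.fuse.userAllowOther = true;
  # losurdo's root filesystem over sshfs, automounted by systemd on first
  # access. The automount runs as root, hence the sudo wrapper below so
  # that julm's own SSH key and agent are used.
  fileSystems."/mnt/losurdo" = {
    device = "${pkgs.sshfsFuse}/bin/sshfs#julm@losurdo.wg:/";
    fsType = "fuse";
    options =
      # Use the user's gpg-agent session to query
      # for the password of the SSH key when auto-mounting.
      let sshAsUser = user:
        pkgs.writeScript "sshAsUser-${user}" ''
          exec ${pkgs.sudo}/bin/sudo -i -u ${user} \
            ${pkgs.openssh}/bin/ssh "$@"
        '';
      in [
        "noatime" "noexec" "nosuid"
        # Files appear as julm:users; allow_other lets other local users
        # traverse the mount, which noexec/nosuid keep harmless.
        "user" "uid=julm" "gid=users" "allow_other"
        "_netdev" "reconnect" "ssh_command=${sshAsUser "julm"}"
        "noauto" "x-gvfs-hide" "x-systemd.automount"
        # Do not try to disable or weaken the SSH cipher here even though the
        # link is already inside WireGuard: the legacy "Cipher" option is
        # deprecated and ignored by current OpenSSH, and "arcfour" (RC4) is no
        # longer offered at all, so the former "Cipher=arcfour" entry had no
        # effect and only produced a warning.
        #"Compression=yes" # YMMV
        # Disconnect approximately 2*15=30 seconds after a network failure
        "ServerAliveCountMax=2"
        "ServerAliveInterval=15"
      ];
  };
  services.dbus = {
    packages = [ pkgs.gnome3.dconf ];
  };
  services.gvfs.enable = true;
  # IPFS is currently disabled (enable is commented out); the settings are
  # kept so it can be turned back on without local discovery.
  services.ipfs = {
    #enable = true;
    defaultMode = "online";
    autoMount = true;
    enableGC = true;
    localDiscovery = false;
    extraConfig = {
      Datastore.StorageMax = "10GB";
      Discovery.MDNS.Enabled = false;
      #Bootstrap = [
      #];
      #Swarm.AddrFilters = null;
    };
    startWhenNeeded = true;
  };
  # Server-side X11 forwarding for clients connecting with ssh -X.
  # The sshd service itself is not enabled in this file (presumably by the
  # imported security profile — confirm).
  services.openssh = {
    forwardX11 = true;
  };
  services.printing = {
    enable = true;
    drivers = [
      pkgs.gutenprint
      pkgs.hplip
    ];
  };
  services.udev = {
    packages = [
      # Allow members of the "adbusers" group to mount Android devices via MTP.
      pkgs.android-udev-rules
      # Allow the console user access the Yubikey USB device node,
      # needed for challenge/response to work correctly.
      pkgs.yubikey-personalization
    ];
  };
  services.xserver = {
    enable = true;
    layout = "fr";
    xkbOptions = "eurosign:e";
    libinput.enable = true;
    desktopManager = {
      session = [
        # Let the session be generated by home-manager
        { name = "home-manager";
          start = ''
            ${pkgs.runtimeShell} $HOME/.hm-xsession &
            waitPID=$!
          '';
        }
      ];
    };
    displayManager = {
      defaultSession = "home-manager";
      #defaultSession = "none+xmonad";
      # NOTE(review): the graphical session opens without a password at boot;
      # physical access control then rests on the disk encryption configured
      # in oignon/hardware.nix (not visible here — confirm).
      autoLogin = {
        enable = true;
        user = config.users.users.julm.name;
      };
    };
  };

  systemd.coredump.enable = true;
  #environment.enableDebugInfo = true;

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "20.09"; # Did you read the comment?
}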