# NixOS configuration for the host "oignon" (declared below as a ThinkPad X201).
# Hardware, OpenVPN, Tor and backup settings live in the imported oignon/*.nix
# modules and are not visible in this file; several comments below therefore
# depend on what those modules do and are marked as review notes to confirm.
{ config, pkgs, lib, inputs, private, hostName, ... }:
let
  inherit (config.users) users;
  inherit (config.services) davfs2;
in
{
  imports = [
    ../profiles/dnscrypt-proxy2.nix
    oignon/hardware.nix
    oignon/openvpn.nix
    oignon/tor.nix
    oignon/backup.nix
  ];

  home-manager.users.julm = {
    imports = [ ../homes/julm.nix ];
    host.name = hostName;
    host.hardware = ["ThinkPad" "X201"];
  };
  # After every home-manager activation, keep only the newest generation of
  # julm's home-manager profile. This saves store space but also removes the
  # ability to roll back the home profile to a previous generation.
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';
  # Declarative user database: the accounts and password hashes declared here
  # are the source of truth rather than anything edited by hand on the host.
  users.mutableUsers = false;
  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
    # which is already world readable.
    # NOTE(review): the justification above looks off — NixOS normally writes
    # password hashes to /etc/shadow (root-only), not to /etc/passwd. The
    # world-readable copy is the one lib.readFile puts into /nix/store, and a
    # world-readable hash is enough for offline cracking. Confirm whether an
    # out-of-store password file option is usable here instead of readFile.
    hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
    # Group membership grants: "wheel" (sudo, relied on by the shell aliases
    # and the fan() helper below), "networkmanager" (change network config),
    # "tor" (presumably access to the Tor control/socks sockets set up in
    # oignon/tor.nix — verify there), "adbusers" (Android udev rules below),
    # davfs2.davGroup (mount the davfs share declared below).
    extraGroups = [
      "adbusers"
      "lp"
      "networkmanager"
      "scanner"
      "tor"
      "video"
      "wheel"
      davfs2.davGroup
      #"vboxusers"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = false;
  };

  nix = {
    # secret-key-files is the private key used to sign store paths built here
    # (the matching public key is what other hosts trust).
    # NOTE(review): `private` is interpolated into the string; if it is a
    # store path (e.g. a flake input) the signing key is copied into the
    # world-readable /nix/store. Confirm it resolves to an absolute path
    # outside the store.
    extraOptions = ''
      auto-optimise-store = true
      secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
    '';
    # Weekly garbage collection of everything older than 7 days; together with
    # the home-manager postStart above this limits how far back rollbacks go.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
    # Pin <nixpkgs> and the overlays to the copies exposed under /etc below.
    nixPath = [
      "nixpkgs=/etc/nixpkgs"
      "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
    ];
    # NOTE(review): a trusted Nix user can pass its own substituters and
    # daemon options, which is close to root-equivalent on the build daemon;
    # acceptable only because julm is already in "wheel" above.
    trustedUsers = [ users.julm.name ];
    # Extra substituter; paths from it are accepted only if signed by the
    # losurdo key listed next to it.
    binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
    binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
  };
  # Serve this host's store over SSH to whoever holds losurdo's key.
  # The same key is also authorized for julm's own shell just below, so it
  # already has strictly more access than store serving grants.
  nix.sshServe = {
    enable = true;
    keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
  };
  users.users.julm.openssh.authorizedKeys.keys = [
    (lib.readFile ../private/world/julm/losurdo/ssh.pub)
  ];
  # NOTE(review): X11 forwarding on the *server* side means a compromised
  # oignon can reach the X display of any client that connects with -X/-Y.
  # Keep it only if forwarded X sessions into this host are actually used.
  services.openssh.forwardX11 = true;
  # Key-only SSH: no password logins, so the hash above is not reachable
  # over the network.
  services.openssh.passwordAuthentication = false;

  nixpkgs.config = {
    allowUnfree = true;
  };
  # Expose the evaluated nixpkgs and this flake's overlays under /etc so the
  # nixPath entries above resolve to the exact revisions used to build the
  # system.
  environment.etc."nixpkgs".source = pkgs.path;
  environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  documentation.nixos.enable = true;
  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "fr_FR.UTF-8";
  console.font = "Lat2-Terminus16";
  console.keyMap = "fr";

  networking = {
    hostName = hostName;
    domain = "localdomain";
    search = [ "sourcephile.fr" ];
    networkmanager = {
      enable = true;
      #dhcp = "dhcpcd";
      logLevel = "INFO";
      wifi = {
        #backend = "iwd";
        #backend = "wpa_supplicant";
        powersave = false;
      };
    };
    # Default-deny inbound firewall; nothing in this file opens a port
    # (avahi and printing below both leave the firewall closed), and
    # ICMP echo is dropped as well.
    firewall = {
      enable = true;
      allowPing = false;
    };
  };

  sound.enable = true;
  hardware.pulseaudio.enable = true;
  hardware.sane.enable = true;
  # hplipWithPlugin pulls in HP's proprietary binary plugin (needs
  # allowUnfree above).
  hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];

  environment.variables = {
    EDITOR = "vim";
    PAGER = "less -R";
    SYSTEMD_LESS = "FKMRX";
  };
  environment.systemPackages = [
    pkgs.mkpasswd
    pkgs.gdb
  ];

  programs = {
    bash = {
      # Interactive-shell setup. The string is passed verbatim to bash; the
      # fan() helper writes to the ThinkPad fan control file via sudo (wheel
      # membership above), so its argument reaches a privileged write — "$1"
      # is quoted, but it is not validated against the "level N" values
      # /proc/acpi/ibm/fan expects.
      interactiveShellInit = ''
        bind '"\e[A":history-search-backward'
        bind '"\e[B":history-search-forward'

        # Ignore duplicate commands, ignore commands starting with a space
        export HISTCONTROL=erasedups:ignorespace
        export HISTSIZE=42000
        # Append to the history instead of overwriting (good for multiple connections)
        shopt -s histappend

        # Utilities
        mkcd () { mkdir -p "$1"; cd "$1"; }
        fan () {
          if [ $# -gt 0 ]
          then sudo tee /proc/acpi/ibm/fan <<<"level $1"
          else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
          fi
          acpi -t
        }
      '';
      # Several aliases wrap sudo; they all rely on the wheel membership
      # granted above.
      shellAliases = {
        cl = "clear";
        grep = "grep --color";
        l = "ls -alh";
        ll = "ls -al";
        ls = "ls --color=tty";
        mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";

        s="sudo systemctl";
        st="sudo systemctl status";
        u="systemctl --user";
        j="sudo journalctl -u";
        jb="sudo journalctl -b";

        nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
        mv = "mv -i";
        sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
      };
    };
    dconf.enable = true;
    # NOTE(review): programs.mtr presumably installs a privileged
    # (raw-socket) wrapper so unprivileged users can run it; drop it if mtr
    # is only ever run via sudo.
    mtr.enable = true;
  };

  # mDNS name resolution (nssmdns) trusts any host on the local link for
  # .local names; exposure is limited by not publishing this host and not
  # opening the firewall for avahi.
  services.avahi = {
    enable = true;
    nssmdns = true;
    openFirewall = false;
    publish = {
      enable = false;
    };
  };
  services.davfs2 = {
    enable = true;
    extraConfig = ''
    '';
  };
  # WebDAV share mountable by julm on demand ("user", "noauto"); remote content
  # cannot be executed or carry setuid bits ("noexec", "nosuid"). The
  # per-mount davfs2.conf only sets the cache/backup directories; the
  # credentials for the share are not declared here (presumably read from
  # julm's davfs2 secrets file — confirm).
  fileSystems."/home/julm/mnt/ilico/severine" = {
    device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
    fsType = "davfs";
    options =
      let conf = pkgs.writeText "davfs2.conf" ''
        backup_dir /home/julm/documents/backup/ilico/severine
        cache_dir /home/julm/.cache/davfs2/ilico/severine
      ''; in
      [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
  };
  services.dbus = {
    packages = [ pkgs.gnome3.dconf ];
  };
  services.gvfs = {
    enable = true;
  };
  # Persistent, compressed journal capped at 100M / one month.
  services.journald = {
    extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=100M
    '';
  };
  services.printing = {
    enable = true;
    drivers = [
      pkgs.gutenprint
      pkgs.hplip
    ];
  };
  services.udev = {
    packages = [
      # Allow members of the "adbusers" group to mount Android devices via MTP
      pkgs.android-udev-rules
    ];
  };
  services.xserver = {
    enable = true;
    layout = "fr";
    xkbOptions = "eurosign:e";
    libinput.enable = true;
    desktopManager = {
      session = [
        # Let the session be generated by home-manager
        { name = "home-manager";
          start = ''
            ${pkgs.runtimeShell} $HOME/.hm-xsession &
            waitPID=$!
          '';
        }
      ];
    };
    displayManager = {
      defaultSession = "home-manager";
      #defaultSession = "none+xmonad";
      # NOTE(review): auto-login drops anyone with physical possession of the
      # laptop straight into julm's (wheel) session without a password. This
      # is only reasonable if the disk is encrypted with a pre-boot passphrase
      # in oignon/hardware.nix (not visible here) — confirm.
      autoLogin = {
        enable = true;
        user = users.julm.name;
      };
    };
  };

  # NOTE(review): core dumps land on persistent storage and can capture
  # secrets held in process memory (agent keys, browser sessions, VPN
  # credentials); consider enabling this only while debugging.
  systemd.coredump.enable = true;
  #environment.enableDebugInfo = true;

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "20.09"; # Did you read the comment?
}