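# NixOS configuration of the "oignon" host (a ThinkPad X201, see host.hardware).
# Module arguments: config/pkgs/lib are the standard ones; `private` locates the
# out-of-tree secret files (see nix.extraOptions) and `hostName` is this host's
# name — both are supplied by whoever imports this module.
{ config, pkgs, lib, private, hostName, ... }:
let
  inherit (config.users) users;
  inherit (config.services) davfs2;
  # Read once: the same losurdo key authorizes both julm's SSH login and
  # nix.sshServe below, so keep a single source of truth for it.
  losurdoSshPubKey = lib.readFile ../private/world/julm/losurdo/ssh.pub;
in
{
  imports = [
    ../profiles/dnscrypt-proxy2.nix
    ../profiles/security.nix
    ../networking/wireguard/wg-intra.nix
    oignon/hardware.nix
    oignon/wireguard.nix
    oignon/tor.nix
    oignon/backup.nix
  ];

  home-manager.users.julm = {
    imports = [
      ../homes/julm.nix
    ];
    host.hardware = ["ThinkPad" "X201"];
  };
  # After each home-manager activation keep only the current generation (+1),
  # i.e. there is deliberately no home-manager rollback history on this host.
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';
  # Kernel modules stay loadable after boot; presumably overrides a hardening
  # default coming from ../profiles/security.nix — confirm.
  security.lockKernelModules = false;
  # Users and passwords are managed solely by this configuration.
  users.mutableUsers = false;
  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
    # which is already world readable.
    hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
    extraGroups = [
      "adbusers"
      "lp"
      "networkmanager"
      "scanner"
      "tor"
      "video"
      "wheel"
      #"ipfs"
      davfs2.davGroup
      #"vboxusers"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = false;
    # Key-only SSH login for julm (passwordAuthentication is off below).
    openssh.authorizedKeys.keys = [ losurdoSshPubKey ];
  };

  nix = {
    # Private signing key of the local binary cache (presumably the
    # counterpart of the losurdo.sourcephile.fr-1 public key below).
    # NOTE(review): if `private` is a Nix path value rather than a string,
    # interpolating it here copies that directory into the world-readable
    # /nix/store — confirm it is passed as a string.
    extraOptions = ''
      secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
    '';
    autoOptimiseStore = true;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
    /*
    nixPath = [
      "nixpkgs=/etc/nixpkgs"
      "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
    ];
    */
    nixPath = lib.mkForce [];
    # Only julm may override daemon settings (trusted-users); nobody else.
    trustedUsers = [ users.julm.name ];
    # The cache is reached over plain HTTP: integrity rests on the signature
    # check against binaryCachePublicKeys, not on the transport, so keep that
    # key list tight.
    binaryCaches = [ "http://nix-localcache.losurdo.wg" ];
    binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
    # Serve this host's store over SSH, to the losurdo key only.
    sshServe = {
      enable = true;
      keys = [ losurdoSshPubKey ];
    };
  };
  #environment.etc."nixpkgs".source = pkgs.path;
  #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  documentation = {
    enable = true;
    dev.enable = true;
    doc.enable = true;
    info.enable = false;
    man.enable = true;
    nixos.enable = false;
  };
  services.openssh = {
    # Port 22 is not opened here; reachability is left to the imported
    # networking/wireguard profiles (presumably wg-intra only — confirm).
    openFirewall = false;
    # Remote sessions may display X programs on the connecting client.
    forwardX11 = true;
    # Key-based authentication only.
    passwordAuthentication = false;
  };

  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "fr_FR.UTF-8";
  console.font = "Lat2-Terminus16";
  console.keyMap = "fr";

  networking = {
    inherit hostName;
    domain = "localdomain";
    search = [ "sourcephile.fr" ];
    networkmanager = {
      enable = true;
      #dhcp = "dhcpcd";
      logLevel = "INFO";
      wifi = {
        #backend = "iwd";
        #backend = "wpa_supplicant";
        powersave = false;
      };
    };
    firewall = {
      enable = true;
      # ICMP echo requests are dropped as well.
      allowPing = false;
    };
  };

  sound.enable = true;
  hardware.pulseaudio.enable = true;
  hardware.sane.enable = true;
  hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];

  environment.variables = {
    EDITOR = "vim";
    PAGER = "less -R";
    SYSTEMD_LESS = "FKMRX";
  };
  environment.systemPackages = [
    pkgs.mkpasswd
    pkgs.gdb
    pkgs.riseup-vpn
    #pkgs.calyx-vpn
  ];

  programs = {
    bash = {
      interactiveShellInit = ''
        bind '"\e[A":history-search-backward'
        bind '"\e[B":history-search-forward'

        # Ignore duplicate commands, ignore commands starting with a space
        export HISTCONTROL=erasedups:ignorespace
        export HISTSIZE=42000
        # Append to the history instead of overwriting (good for multiple connections)
        shopt -s histappend

        # Utilities
        mkcd () { mkdir -p "$1"; cd "$1"; }
        # fan: with an argument, set the ThinkPad fan level (needs sudo);
        # without, print the current level/speed. Always prints temperatures.
        fan () {
          if [ $# -gt 0 ]
          then sudo tee /proc/acpi/ibm/fan <<<"level $1"
          else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
          fi
          acpi -t
        }
      '';
      shellAliases = {
        cl = "clear";
        grep = "grep --color";
        l = "ls -alh";
        ll = "ls -al";
        ls = "ls --color=tty";
        mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";

        s = "sudo systemctl";
        st = "sudo systemctl status";
        u = "systemctl --user";
        j = "sudo journalctl -u";
        jb = "sudo journalctl -b";

        nix-history = "sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
        mv = "mv -i";
        sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
      };
    };
    dconf.enable = true;
    mtr.enable = true;
  };

  services.avahi = {
    enable = true;
    nssmdns = true;
    openFirewall = false;
    # Resolve .local names only; never announce this host.
    publish = {
      enable = false;
    };
  };
  services.davfs2 = {
    enable = true;
    extraConfig = ''
    '';
  };
  # WebDAV mount for severine's Nextcloud; mounted on demand ("noauto") with
  # noexec/nosuid so nothing fetched from the share can run with privilege.
  fileSystems."/home/julm/mnt/ilico/severine" = {
    device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
    fsType = "davfs";
    options =
      let conf = pkgs.writeText "davfs2.conf" ''
        backup_dir /home/julm/documents/backup/ilico/severine
        cache_dir /home/julm/.cache/davfs2/ilico/severine
      ''; in
      [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
  };
  services.dbus = {
    packages = [ pkgs.gnome3.dconf ];
  };
  services.gvfs = {
    enable = true;
  };
  # IPFS is configured but not enabled (enable stays commented out).
  services.ipfs = {
    #enable = true;
    defaultMode = "online";
    autoMount = true;
    enableGC = true;
    localDiscovery = false;
    extraConfig = {
      Datastore.StorageMax = "10GB";
      Discovery.MDNS.Enabled = false;
      #Bootstrap = [
      #];
      #Swarm.AddrFilters = null;
    };
    startWhenNeeded = true;
  };
  # Persistent, compressed journal capped at 100M / one month so logs
  # survive reboots for incident review without filling the disk.
  services.journald = {
    extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=100M
    '';
  };
  services.printing = {
    enable = true;
    drivers = [
      pkgs.gutenprint
      pkgs.hplip
    ];
  };
  services.udev = {
    packages = [
      # Allow members of the "adbusers" group to mount Android devices via MTP.
      pkgs.android-udev-rules
      # Allow the console user access the Yubikey USB device node,
      # needed for challenge/response to work correctly.
      pkgs.yubikey-personalization
    ];
  };
  services.xserver = {
    enable = true;
    layout = "fr";
    xkbOptions = "eurosign:e";
    libinput.enable = true;
    desktopManager = {
      session = [
        # Let the session be generated by home-manager
        { name = "home-manager";
          start = ''
            ${pkgs.runtimeShell} $HOME/.hm-xsession &
            waitPID=$!
          '';
        }
      ];
    };
    displayManager = {
      defaultSession = "home-manager";
      #defaultSession = "none+xmonad";
      # Console auto-login: julm's graphical session starts at boot without a
      # password prompt, so physical access to the machine is the only gate.
      autoLogin = {
        enable = true;
        user = users.julm.name;
      };
    };
  };

  systemd.coredump.enable = true;
  #environment.enableDebugInfo = true;

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "20.09"; # Did you read the comment?
}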