oignon: add yubikey support
{ config, pkgs, lib, inputs, private, hostName, ... }:
# NixOS host configuration for "oignon" (a ThinkPad X201 laptop).
# Hardware, VPN, Tor and backup details live in ./oignon/*.nix.
let
  julmUser = config.users.users.julm;
  # One public key, two uses: access to nix.sshServe and julm's authorized_keys.
  losurdoSshPub = lib.readFile ../private/world/julm/losurdo/ssh.pub;
in
{
  imports = [
    ../profiles/dnscrypt-proxy2.nix
    ../profiles/security.nix
    oignon/hardware.nix
    oignon/openvpn.nix
    oignon/wireguard.nix
    oignon/tor.nix
    oignon/backup.nix
  ];

  home-manager.users.julm = {
    imports = [ ../homes/julm.nix ];
    host = {
      name = hostName;
      hardware = [ "ThinkPad" "X201" ];
    };
  };
  # Keep only the newest home-manager generation for julm after each activation.
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';

  # Kernel modules stay loadable after boot.
  security.lockKernelModules = false;

  users = {
    mutableUsers = false;
    users.julm = {
      isNormalUser = true;
      uid = 1000;
      # NOTE(review): lib.readFile bakes this hash into the world-readable
      # /nix/store. On NixOS the hash itself is written to /etc/shadow (root-only),
      # not to /etc/passwd, so the store copy is the one that widens exposure;
      # users.users.julm.passwordFile pointing at a non-store path would avoid it.
      hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
      extraGroups = [
        "adbusers"
        "lp"
        "networkmanager"
        "scanner"
        "tor"
        "video"
        "wheel"
        #"ipfs"
        config.services.davfs2.davGroup
        #"vboxusers"
      ];
      # If created, zfs-mount.service would require:
      #   zfs set overlay=yes ${hostName}/home
      createHome = false;
      # Same key as nix.sshServe below: that peer can both fetch from the
      # store and open a shell as julm.
      openssh.authorizedKeys.keys = [ losurdoSshPub ];
    };
  };

  nix = {
    extraOptions = ''
      auto-optimise-store = true
      secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
    '';
    # NOTE(review): if `private` evaluates to a Nix path (e.g. a flake input),
    # interpolating it here copies that tree — signing key included — into the
    # world-readable store; confirm it is a plain string to an on-disk location.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
    nixPath = [
      "nixpkgs=/etc/nixpkgs"
      "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
    ];
    # Trusted users may add substituters and import unsigned paths, which the
    # Nix manual treats as root-equivalent; julm is in "wheel" anyway.
    trustedUsers = [ julmUser.name ];
    binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
    binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
    # Serve this host's store over SSH to holders of the losurdo key.
    sshServe = {
      enable = true;
      keys = [ losurdoSshPub ];
    };
  };

  documentation = {
    enable = false;
    nixos.enable = true;
  };

  nixpkgs.config.allowUnfree = true;

  environment = {
    # Expose the evaluated nixpkgs and this flake's overlays under /etc,
    # matching the nix.nixPath entries above.
    etc."nixpkgs".source = pkgs.path;
    etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
    variables = {
      EDITOR = "vim";
      PAGER = "less -R";
      SYSTEMD_LESS = "FKMRX";
    };
    systemPackages = [
      pkgs.mkpasswd
      pkgs.gdb
    ];
  };

  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "fr_FR.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "fr";
  };

  networking = {
    inherit hostName;
    domain = "localdomain";
    search = [ "sourcephile.fr" ];
    networkmanager = {
      enable = true;
      #dhcp = "dhcpcd";
      logLevel = "INFO";
      wifi = {
        #backend = "iwd";
        #backend = "wpa_supplicant";
        powersave = false;
      };
    };
    firewall = {
      enable = true;
      # The host does not answer ICMP echo requests.
      allowPing = false;
    };
  };

  sound.enable = true;
  hardware = {
    pulseaudio.enable = true;
    sane = {
      enable = true;
      extraBackends = [ pkgs.hplipWithPlugin ];
    };
  };

  programs = {
    bash = {
      interactiveShellInit = ''
        bind '"\e[A":history-search-backward'
        bind '"\e[B":history-search-forward'

        # Ignore duplicate commands, ignore commands starting with a space
        export HISTCONTROL=erasedups:ignorespace
        export HISTSIZE=42000
        # Append to the history instead of overwriting (good for multiple connections)
        shopt -s histappend

        # Utilities
        mkcd () { mkdir -p "$1"; cd "$1"; }
        fan () {
        if [ $# -gt 0 ]
        then sudo tee /proc/acpi/ibm/fan <<<"level $1"
        else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
        fi
        acpi -t
        }
      '';
      shellAliases = {
        # Everyday shortcuts.
        cl = "clear";
        grep = "grep --color";
        l = "ls -alh";
        ll = "ls -al";
        ls = "ls --color=tty";
        mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
        mv = "mv -i";
        sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";

        # systemd / journal shortcuts.
        s = "sudo systemctl";
        st = "sudo systemctl status";
        u = "systemctl --user";
        j = "sudo journalctl -u";
        jb = "sudo journalctl -b";

        nix-history = "sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
      };
    };
    dconf.enable = true;
    mtr.enable = true;
  };

  # WebDAV share mounted by julm on demand; the davfs2 config is generated
  # into the store and passed through the "conf=" mount option.
  fileSystems."/home/julm/mnt/ilico/severine" =
    let
      davfs2Conf = pkgs.writeText "davfs2.conf" ''
        backup_dir /home/julm/documents/backup/ilico/severine
        cache_dir /home/julm/.cache/davfs2/ilico/severine
      '';
    in {
      device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
      fsType = "davfs";
      # "noexec"/"nosuid": nothing fetched from the remote share runs as a binary.
      options = [ "conf=${davfs2Conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
    };

  services = {
    openssh = {
      openFirewall = false;
      # X11 forwarding only matters for clients that opt in (ssh -X); it is a
      # client-side exposure and can be dropped if no remote GUI use is needed.
      forwardX11 = true;
      # Key-only logins; see users.users.julm.openssh.authorizedKeys.keys.
      passwordAuthentication = false;
    };

    avahi = {
      enable = true;
      nssmdns = true;
      openFirewall = false;
      publish = {
        enable = false;
      };
    };

    davfs2 = {
      enable = true;
      extraConfig = ''
      '';
    };

    dbus = {
      packages = [ pkgs.gnome3.dconf ];
    };

    gvfs = {
      enable = true;
    };

    # Currently disabled (enable is commented out); the settings are kept
    # ready for when it is switched back on.
    ipfs = {
      #enable = true;
      defaultMode = "online";
      autoMount = true;
      enableGC = true;
      localDiscovery = false;
      extraConfig = {
        Datastore.StorageMax = "10GB";
        Discovery.MDNS.Enabled = false;
        #Bootstrap = [
        #];
        #Swarm.AddrFilters = null;
      };
      startWhenNeeded = true;
    };

    journald = {
      extraConfig = ''
        Compress=true
        MaxRetentionSec=1month
        Storage=persistent
        SystemMaxUse=100M
      '';
    };

    printing = {
      enable = true;
      drivers = [
        pkgs.gutenprint
        pkgs.hplip
      ];
    };

    udev = {
      packages = [
        # Allow members of the "adbusers" group to mount Android devices via MTP.
        pkgs.android-udev-rules
        # Allow the console user access the Yubikey USB device node,
        # needed for challenge/response to work correctly.
        pkgs.yubikey-personalization
      ];
    };

    xserver = {
      enable = true;
      layout = "fr";
      xkbOptions = "eurosign:e";
      libinput.enable = true;
      desktopManager = {
        session = [
          # Let the session be generated by home-manager
          {
            name = "home-manager";
            start = ''
              ${pkgs.runtimeShell} $HOME/.hm-xsession &
              waitPID=$!
            '';
          }
        ];
      };
      displayManager = {
        defaultSession = "home-manager";
        #defaultSession = "none+xmonad";
        # NOTE(review): autologin skips the display-manager password prompt, so
        # whatever gates physical access before this point (configured elsewhere)
        # is the only barrier to julm's session.
        autoLogin = {
          enable = true;
          user = julmUser.name;
        };
      };
    };
  };

  systemd.coredump.enable = true;
  #environment.enableDebugInfo = true;

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "20.09"; # Did you read the comment?
}