hosts/oignon.nix

   1 { config, pkgs, lib, private, hostName, ... }:
   2 {
   3 imports = [
   4   ../nixos/profiles/dnscrypt-proxy2.nix
   5   ../nixos/profiles/security.nix
   6   ../nixos/profiles/wireguard/wg-intra.nix
   7   oignon/hardware.nix
   8   oignon/wireguard.nix
   9   oignon/tor.nix
  10   oignon/backup.nix
  11 ];
  12
  13 home-manager.users.julm = {
  14   imports = [ ../homes/julm.nix ];
  15   host.hardware = [ "ThinkPad" "X201" ];
  16 };
  17 systemd.services.home-manager-julm.postStart = ''
  18   ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  19 '';
  20 security.lockKernelModules = false;
  21 users.mutableUsers = false;
  22 users.users.julm = {
  23   isNormalUser = true;
  24   uid = 1000;
  25   # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
  26   # which is already world readable.
  27   hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
  28   extraGroups = [
  29     "adbusers"
  30     "lp"
  31     "networkmanager"
  32     "scanner"
  33     "tor"
  34     "video"
  35     "wheel"
  36     #"ipfs"
  37     config.services.davfs2.davGroup
  38     #"vboxusers"
  39   ];
  40   # If created, zfs-mount.service would require:
  41   # zfs set overlay=yes ${hostName}/home
  42   createHome = false;
  43 };
  44
  45 nix = {
  46   extraOptions = ''
  47     secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
  48   '';
  49   autoOptimiseStore = true;
  50   gc.automatic = true;
  51   gc.dates = "weekly";
  52   gc.options = "--delete-older-than 7d";
  53   nixPath = lib.mkForce [];
  54   trustedUsers = [ config.users.users.julm.name ];
  55   binaryCaches = [ "http://nix-localcache.losurdo.wg" ];
  56   binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
  57 };
  58 #environment.etc."nixpkgs".source = pkgs.path;
  59 #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
  60
  61 documentation = {
  62   enable = true;
  63   dev.enable = true;
  64   doc.enable = true;
  65   info.enable = false;
  66   man.enable = true;
  67   nixos.enable = false;
  68 };
  69
  70 nix.allowedUsers = [ config.users.users."nix-ssh".name ];
  71 nix.sshServe = {
  72   enable = true;
  73   keys = [
  74     (lib.readFile ../private/shared/ssh/julm/losurdo.pub)
  75     (lib.readFile ../private/shared/ssh/sevy/patate.pub)
  76     (lib.readFile ../private/shared/ssh/julm/oignon.pub)
  77   ];
  78 };
  79 users.users.julm.openssh.authorizedKeys.keys = [
  80   (lib.readFile ../private/shared/ssh/julm/losurdo.pub)
  81 ];
  82
  83 time.timeZone = "Europe/Paris";
  84 i18n.defaultLocale = "fr_FR.UTF-8";
  85 console.font = "Lat2-Terminus16";
  86 console.keyMap = "fr";
  87
  88 networking = {
  89   hostName = hostName;
  90   domain = "localdomain";
  91   search = [ "sourcephile.fr" ];
  92   networkmanager = {
  93     enable = true;
  94     #dhcp = "dhcpcd";
  95     logLevel = "INFO";
  96     wifi = {
  97       #backend = "iwd";
  98       #backend = "wpa_supplicant";
  99       powersave = false;
 100     };
 101   };
 102   firewall = {
 103     enable = true;
 104     allowPing = true;
 105   };
 106 };
 107
 108 sound.enable = true;
 109 hardware.pulseaudio.enable = true;
 110 hardware.sane.enable = true;
 111 hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
 112
 113 environment.variables = {
 114   EDITOR = "vim";
 115   PAGER  = "less -R";
 116   SYSTEMD_LESS = "FKMRX";
 117 };
 118
 119 programs.bash.interactiveShellInit = ''
 120   fan () {
 121     if [ $# -gt 0 ]
 122     then sudo tee /proc/acpi/ibm/fan <<<"level $1"
 123     else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
 124     fi
 125     acpi -t
 126   }
 127 '';
 128 programs.dconf.enable = true;
 129 programs.mtr.enable = true;
 130
 131 services.avahi = {
 132   enable = true;
 133   nssmdns = true;
 134   openFirewall = false;
 135   publish = {
 136     enable = false;
 137   };
 138 };
 139 services.davfs2.enable = true;
 140 fileSystems."/home/julm/mnt/ilico/severine" = {
 141   device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
 142   fsType = "davfs";
 143   options =
 144     let conf = pkgs.writeText "davfs2.conf" ''
 145       backup_dir /home/julm/documents/backup/ilico/severine
 146       cache_dir /home/julm/.cache/davfs2/ilico/severine
 147     ''; in
 148     [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
 149 };
 150 environment.systemPackages = [pkgs.glib.bin];
 151 programs.fuse.userAllowOther = true;
 152 fileSystems."/mnt/losurdo" = {
 153   device = "${pkgs.sshfsFuse}/bin/sshfs#julm@losurdo.wg:/";
 154   fsType = "fuse";
 155   options =
 156     # Use the user's gpg-agent session to query
 157     # for the password of the SSH key when auto-mounting.
 158     let sshAsUser = user:
 159        pkgs.writeScript "sshAsUser-${user}" ''
 160          exec ${pkgs.sudo}/bin/sudo -i -u ${user} \
 161            ${pkgs.openssh}/bin/ssh "$@"
 162       '';
 163     in [
 164       "noatime" "noexec" "nosuid"
 165       "user" "uid=julm" "gid=users" "allow_other"
 166       "_netdev" "ssh_command=${sshAsUser "julm"}" #  "reconnect"
 167       "noauto" "x-gvfs-hide" "x-systemd.automount"
 168       #"Compression=yes" # YMMV
 169       # Disconnect approximately 2*15=30 seconds after a network failure
 170       "ServerAliveCountMax=1"
 171       "ServerAliveInterval=15"
 172     ];
 173 };
 174 services.dbus = {
 175   packages = [ pkgs.gnome3.dconf ];
 176 };
 177 services.gvfs.enable = true;
 178 services.ipfs = {
 179   #enable = true;
 180   defaultMode = "online";
 181   autoMount = true;
 182   enableGC = true;
 183   localDiscovery = false;
 184   extraConfig = {
 185     Datastore.StorageMax = "10GB";
 186     Discovery.MDNS.Enabled = false;
 187     #Bootstrap = [
 188     #];
 189     #Swarm.AddrFilters = null;
 190   };
 191   startWhenNeeded = true;
 192 };
 193 services.openssh = {
 194   forwardX11 = true;
 195   openFirewall = true;
 196 };
 197 services.printing = {
 198   enable = true;
 199   drivers = [
 200     pkgs.gutenprint
 201     pkgs.hplip
 202   ];
 203 };
 204 services.udev = {
 205   packages = [
 206     # Allow members of the "adbusers" group to mount Android devices via MTP.
 207     pkgs.android-udev-rules
 208     # Allow the console user access the Yubikey USB device node,
 209     # needed for challenge/response to work correctly.
 210     pkgs.yubikey-personalization
 211   ];
 212 };
 213 services.xserver = {
 214   enable = true;
 215   layout = "fr";
 216   xkbOptions = "eurosign:e";
 217   libinput.enable = true;
 218   desktopManager = {
 219     session = [
 220       # Let the session be generated by home-manager
 221       { name = "home-manager";
 222         start = ''
 223           ${pkgs.runtimeShell} $HOME/.hm-xsession &
 224           waitPID=$!
 225         '';
 226       }
 227     ];
 228   };
 229   displayManager = {
 230     defaultSession = "home-manager";
 231     #defaultSession = "none+xmonad";
 232     autoLogin = {
 233       enable = true;
 234       user = config.users.users.julm.name;
 235     };
 236   };
 237 };
 238
 239 systemd.coredump.enable = true;
 240 #environment.enableDebugInfo = true;
 241
 242 # This value determines the NixOS release with which your system is to be
 243 # compatible, in order to avoid breaking some software such as database
 244 # servers. You should change this only after NixOS release notes say you should.
 245 system.stateVersion = "20.09"; # Did you read the comment?
 246 }