# NixOS host configuration for "oignon" (hosts/oignon.nix).
# Shared profiles come from ../nixos/profiles/; host-specific pieces
# (hardware, WireGuard, Tor, backup) live under oignon/.
# `private` and `hostName` are passed in by the caller and are used to locate
# per-host secrets and to name the host.
{ config, pkgs, lib, private, hostName, ... }:
{
  imports = [
    ../nixos/profiles/dnscrypt-proxy2.nix
    ../nixos/profiles/security.nix
    ../nixos/profiles/wireguard/wg-intra.nix
    oignon/hardware.nix
    oignon/wireguard.nix
    oignon/tor.nix
    oignon/backup.nix
  ];

  # The user environment itself is managed by home-manager (../homes/julm.nix);
  # host.hardware tells it which hardware-specific tweaks to apply.
  home-manager.users.julm = {
    imports = [ ../homes/julm.nix ];
    host.hardware = [ "ThinkPad" "X201" ];
  };
  # After each home-manager activation keep only the newest generation of the
  # per-user profile (`--delete-generations +1`), so stale generations are not
  # kept around for rollback or left for the garbage collector.
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';
  # Kernel modules stay loadable after boot. This overrides whatever the
  # imported security.nix profile sets, presumably because laptop modules
  # (e.g. for the fan control below) must be loadable on demand — TODO confirm.
  security.lockKernelModules = false;
  # Users, groups and password hashes are fully declared here; changes made
  # imperatively (passwd, useradd) do not persist across rebuilds.
  users.mutableUsers = false;
  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
    # which is already world readable.
    # lib.readFile reads the hash at evaluation time, so the file must exist
    # in the repository checkout used for the build.
    hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
    # "wheel" grants sudo; "tor" gives access to the Tor control socket
    # configured in oignon/tor.nix (not visible here); the davfs2 group is
    # needed for the WebDAV mount declared further below.
    extraGroups = [
      "adbusers"
      "lp"
      "networkmanager"
      "scanner"
      "tor"
      "video"
      "wheel"
      #"ipfs"
      config.services.davfs2.davGroup
      #"vboxusers"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = false;
  };

  nix = {
    # Private signing key for the binary cache served from this host; the path
    # is built from the `private` input so the key never needs to be in this file.
    extraOptions = ''
      secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
    '';
    autoOptimiseStore = true;
    gc.automatic = true;
    gc.dates = "weekly";
    gc.options = "--delete-older-than 7d";
    # Empty NIX_PATH: nothing is looked up via <nixpkgs>-style search paths.
    nixPath = lib.mkForce [];
    # Trusted users can pass privileged options to the daemon (extra
    # substituters, keys, sandbox settings), which is close to root-equivalent;
    # keep this list minimal.
    trustedUsers = [ config.users.users.julm.name ];
    # Plain HTTP on the WireGuard network: integrity of fetched store paths
    # rests on the signature check against binaryCachePublicKeys below
    # (assuming the daemon's default of requiring signatures), not on transport.
    binaryCaches = [
      "http://nix-localcache.losurdo.wg"
    ];
    binaryCachePublicKeys = map lib.readFile [
      ../private/shared/nix/losurdo.pub
    ];
  };
  #environment.etc."nixpkgs".source = pkgs.path;
  #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  documentation = {
    enable = true;
    dev.enable = true;
    doc.enable = true;
    info.enable = false;
    man.enable = true;
    nixos.enable = false;
  };

  # Serve this host's Nix store over SSH: only the dedicated nix-ssh account may
  # talk to the daemon, and only holders of the listed keys may log in as it.
  nix.allowedUsers = [ config.users.users."nix-ssh".name ];
  nix.sshServe = {
    enable = true;
    keys = map lib.readFile [
      ../private/shared/ssh/julm/losurdo.pub
      ../private/shared/ssh/sevy/patate.pub
      ../private/shared/ssh/julm/oignon.pub
    ];
  };
  # Interactive SSH access to the julm account is limited to one key (from losurdo).
  users.users.julm.openssh.authorizedKeys.keys = map lib.readFile [
    ../private/shared/ssh/julm/losurdo.pub
  ];

  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "fr_FR.UTF-8";
  console.font = "Lat2-Terminus16";
  console.keyMap = "fr";

  networking = {
    hostName = hostName;
    domain = "localdomain";
    search = [ "sourcephile.fr" ];
    networkmanager = {
      enable = true;
      #dhcp = "dhcpcd";
      logLevel = "INFO";
      wifi = {
        #backend = "iwd";
        #backend = "wpa_supplicant";
        powersave = false;
      };
    };
    # Firewall stays on; ICMP echo is answered (host is discoverable by ping).
    firewall = {
      enable = true;
      allowPing = true;
    };
  };

  sound.enable = true;
  hardware.pulseaudio.enable = true;
  hardware.sane.enable = true;
  hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];

  environment.variables = {
    EDITOR = "vim";
    PAGER = "less -R";
    SYSTEMD_LESS = "FKMRX";
  };

  # `fan [level]`: with an argument, writes "level <arg>" to the ThinkPad fan
  # control file through sudo; without one, prints the current level/speed.
  # Either way it then prints temperatures with `acpi -t`.
  programs.bash.interactiveShellInit = ''
    fan () {
      if [ $# -gt 0 ]
      then sudo tee /proc/acpi/ibm/fan <<<"level $1"
      else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
      fi
      acpi -t
    }
  '';
  programs.dconf.enable = true;
  programs.mtr.enable = true;

  # mDNS resolution is enabled, but this host neither opens the firewall for
  # Avahi nor publishes its own services.
  services.avahi = {
    enable = true;
    nssmdns = true;
    openFirewall = false;
    publish = {
      enable = false;
    };
  };
  services.davfs2.enable = true;
  # WebDAV mount of a Nextcloud share; mounted on demand by the user
  # ("user", "noauto"), with noexec/nosuid so nothing fetched from the remote
  # can run with elevated rights. The davfs2 config is generated into the store.
  fileSystems."/home/julm/mnt/ilico/severine" = {
    device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
    fsType = "davfs";
    options =
      let conf = pkgs.writeText "davfs2.conf" ''
        backup_dir /home/julm/documents/backup/ilico/severine
        cache_dir /home/julm/.cache/davfs2/ilico/severine
      ''; in
      [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
  };
  environment.systemPackages = [
    pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules
  ];
  # Required for the allow_other option on the sshfs mount below.
  programs.fuse.userAllowOther = true;
  # sshfs mount of losurdo's root filesystem over the WireGuard link.
  fileSystems."/mnt/losurdo" = {
    device = "${pkgs.sshfsFuse}/bin/sshfs#julm@losurdo.wg:/";
    fsType = "fuse";
    options =
      # Use the user's gpg-agent session to query
      # for the password of the SSH key when auto-mounting.
      # sshAsUser wraps ssh in `sudo -i -u <user>` so that the mount helper
      # (which runs ssh itself) ends up using the given user's SSH agent/keys.
      let sshAsUser = user:
        pkgs.writeScript "sshAsUser-${user}" ''
          exec ${pkgs.sudo}/bin/sudo -i -u ${user} \
            ${pkgs.openssh}/bin/ssh "$@"
        '';
      in [
        # allow_other makes the mount visible to every local user (files appear
        # owned by julm/users); noexec/nosuid limit what can run from it.
        "noatime" "noexec" "nosuid"
        "user" "uid=julm" "gid=users" "allow_other"
        "_netdev" "ssh_command=${sshAsUser "julm"}" # "reconnect"
        "noauto" "x-gvfs-hide" "x-systemd.automount"
        #"Compression=yes" # YMMV
        # Disconnect approximately 2*15=30 seconds after a network failure
        "ServerAliveCountMax=1"
        "ServerAliveInterval=15"
      ];
  };
  services.dbus = {
    packages = [ pkgs.gnome3.dconf ];
  };
  services.gvfs.enable = true;
  # IPFS is configured but not enabled (enable is commented out), so this block
  # is inert until that line is restored.
  services.ipfs = {
    #enable = true;
    defaultMode = "online";
    autoMount = true;
    enableGC = true;
    localDiscovery = false;
    extraConfig = {
      Datastore.StorageMax = "10GB";
      Discovery.MDNS.Enabled = false;
      #Bootstrap = [
      #];
      #Swarm.AddrFilters = null;
    };
    startWhenNeeded = true;
  };
  # sshd is reachable through the firewall. X11 forwarding lets a remote
  # session interact with the local display; review whether it is still needed.
  services.openssh = {
    forwardX11 = true;
    openFirewall = true;
  };
  services.printing = {
    enable = true;
    drivers = [
      pkgs.gutenprint
      pkgs.hplip
    ];
  };
  services.udev = {
    packages = [
      # Allow members of the "adbusers" group to mount Android devices via MTP.
      pkgs.android-udev-rules
      # Allow the console user access the Yubikey USB device node,
      # needed for challenge/response to work correctly.
      pkgs.yubikey-personalization
    ];
  };
  services.xserver = {
    enable = true;
    layout = "fr";
    xkbOptions = "eurosign:e";
    libinput.enable = true;
    desktopManager = {
      session = [
        # Let the session be generated by home-manager
        { name = "home-manager";
          start = ''
            ${pkgs.runtimeShell} $HOME/.hm-xsession &
            waitPID=$!
          '';
        }
      ];
    };
    displayManager = {
      defaultSession = "home-manager";
      #defaultSession = "none+xmonad";
      # Auto-login skips the display-manager password prompt: the account is
      # then protected only by physical access control and whatever disk
      # encryption oignon/hardware.nix sets up (not visible here).
      autoLogin = {
        enable = true;
        user = config.users.users.julm.name;
      };
    };
  };

  # Core dumps can capture secrets held in process memory (keys, passwords);
  # weigh that against the debugging value before keeping this enabled.
  systemd.coredump.enable = true;
  #environment.enableDebugInfo = true;

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "20.09"; # Did you read the comment?
}
252 }