]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/oignon.nix
git-crypt: change binary-cache keys
[julm/julm-nix.git] / hosts / oignon.nix
1 { config, pkgs, lib, inputs, private, hostName, ... }:
2 let inherit (config.users) users; in
3 {
4 imports = [
5 ../profiles/dnscrypt-proxy2.nix
6 oignon/hardware.nix
7 oignon/tor.nix
8 oignon/backup.nix
9 ];
10
11 home-manager.users.julm = {
12 imports = [ ../homes/julm.nix ];
13 host.name = hostName;
14 host.hardware = ["ThinkPad" "X201"];
15 };
16 systemd.services.home-manager-julm.postStart = ''
17 ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
18 '';
19 users.mutableUsers = false;
20 users.users.julm = {
21 isNormalUser = true;
22 uid = 1000;
23 # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
24 # which is already world readable.
25 hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
26 extraGroups = [
27 "adbusers"
28 "lp"
29 "networkmanager"
30 "scanner"
31 "tor"
32 "video"
33 "wheel"
34 "networkmanager"
35 #"vboxusers"
36 ];
37 # If created, zfs-mount.service would require:
38 # zfs set overlay=yes ${hostName}/home
39 createHome = false;
40 };
41
42 nix = {
43 extraOptions = ''
44 auto-optimise-store = true
45 secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
46 '';
47 gc = {
48 automatic = true;
49 dates = "weekly";
50 options = "--delete-older-than 7d";
51 };
52 nixPath = [
53 "nixpkgs=/etc/nixpkgs"
54 "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
55 ];
56 trustedUsers = [ users.julm.name ];
57 binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
58 binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
59 };
60 nix.sshServe = {
61 enable = true;
62 keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
63 };
64 users.users.julm.openssh.authorizedKeys.keys = [
65 (lib.readFile ../private/world/julm/losurdo/ssh.pub)
66 ];
67 services.openssh.forwardX11 = true;
68 services.openssh.passwordAuthentication = false;
69
70 nixpkgs.config = {
71 allowUnfree = true;
72 };
73 environment.etc."nixpkgs".source = pkgs.path;
74 environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
75
76 documentation.nixos.enable = true;
77 time.timeZone = "Europe/Paris";
78 i18n.defaultLocale = "fr_FR.UTF-8";
79 console.font = "Lat2-Terminus16";
80 console.keyMap = "fr";
81
82 networking = {
83 hostName = hostName;
84 domain = "localdomain";
85 search = [ "sourcephile.fr" ];
86 networkmanager = {
87 enable = true;
88 #dhcp = "dhcpcd";
89 logLevel = "INFO";
90 wifi = {
91 #backend = "iwd";
92 #backend = "wpa_supplicant";
93 powersave = false;
94 };
95 };
96 firewall = {
97 enable = true;
98 allowPing = false;
99 };
100 };
101
102 sound.enable = true;
103 hardware.pulseaudio.enable = true;
104 hardware.sane.enable = true;
105 hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
106
107 environment.variables = {
108 EDITOR = "vim";
109 PAGER = "less -R";
110 SYSTEMD_LESS = "FKMRX";
111 };
112 environment.systemPackages = [
113 pkgs.mkpasswd
114 pkgs.gdb
115 ];
116
117 programs = {
118 bash = {
119 interactiveShellInit = ''
120 bind '"\e[A":history-search-backward'
121 bind '"\e[B":history-search-forward'
122
123 # Ignore duplicate commands, ignore commands starting with a space
124 export HISTCONTROL=erasedups:ignorespace
125 export HISTSIZE=42000
126 # Append to the history instead of overwriting (good for multiple connections)
127 shopt -s histappend
128
129 # Utilities
130 mkcd () { mkdir -p "$1"; cd "$1"; }
131 fan () {
132 if [ $# -gt 0 ]
133 then sudo tee /proc/acpi/ibm/fan <<<"level $1"
134 else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
135 fi
136 acpi -t
137 }
138 '';
139 shellAliases = {
140 cl = "clear";
141 grep = "grep --color";
142 l = "ls -alh";
143 ll = "ls -al";
144 ls = "ls --color=tty";
145 mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
146
147 s="sudo systemctl";
148 st="sudo systemctl status";
149 u="systemctl --user";
150 j="sudo journalctl -u";
151 jb="sudo journalctl -b";
152
153 nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
154 mv = "mv -i";
155 sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
156 };
157 };
158 dconf.enable = true;
159 mtr.enable = true;
160 };
161
162 services = {
163 avahi = {
164 enable = true;
165 nssmdns = true;
166 openFirewall = false;
167 publish = {
168 enable = false;
169 };
170 };
171 dbus = {
172 packages = [ pkgs.gnome3.dconf ];
173 };
174 gvfs = {
175 enable = true;
176 };
177 journald = {
178 extraConfig = ''
179 Compress=true
180 MaxRetentionSec=1month
181 Storage=persistent
182 SystemMaxUse=100M
183 '';
184 };
185 printing = {
186 enable = true;
187 drivers = [
188 pkgs.gutenprint
189 pkgs.hplip
190 ];
191 };
192 udev = {
193 packages = [
194 # Allow members of the "adbusers" group to mount Android devices via MTP
195 pkgs.android-udev-rules
196 ];
197 };
198 xserver = {
199 enable = true;
200 layout = "fr";
201 xkbOptions = "eurosign:e";
202 libinput.enable = true;
203 desktopManager = {
204 session = [
205 # Let the session be generated by home-manager
206 { name = "home-manager";
207 start = ''
208 ${pkgs.runtimeShell} $HOME/.hm-xsession &
209 waitPID=$!
210 '';
211 }
212 ];
213 };
214 displayManager = {
215 defaultSession = "home-manager";
216 #defaultSession = "none+xmonad";
217 autoLogin = {
218 enable = true;
219 user = users.julm.name;
220 };
221 };
222 };
223 };
224
225 systemd.coredump.enable = true;
226 #environment.enableDebugInfo = true;
227
228 # This value determines the NixOS release with which your system is to be
229 # compatible, in order to avoid breaking some software such as database
230 # servers. You should change this only after NixOS release notes say you should.
231 system.stateVersion = "20.09"; # Did you read the comment?
232 }