hosts/oignon.nix

   1 { config, pkgs, lib, inputs, private, hostName, ... }:
   2 let
   3   inherit (config.users) users;
   4   inherit (config.services) davfs2;
   5 in
   6 {
   7 imports = [
   8   ../profiles/dnscrypt-proxy2.nix
   9   ../profiles/security.nix
  10   oignon/hardware.nix
  11   oignon/openvpn.nix
  12   oignon/wireguard.nix
  13   oignon/tor.nix
  14   oignon/backup.nix
  15 ];
  16
  17 home-manager.users.julm = {
  18   imports = [
  19     ../homes/julm.nix
  20     inputs.nix-doom-emacs.hmModule
  21   ];
  22   host.hardware = ["ThinkPad" "X201"];
  23 };
  24 systemd.services.home-manager-julm.postStart = ''
  25   ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  26 '';
  27 security.lockKernelModules = false;
  28 users.mutableUsers = false;
  29 users.users.julm = {
  30   isNormalUser = true;
  31   uid = 1000;
  32   # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
  33   # which is already world readable.
  34   hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
  35   extraGroups = [
  36     "adbusers"
  37     "lp"
  38     "networkmanager"
  39     "scanner"
  40     "tor"
  41     "video"
  42     "wheel"
  43     #"ipfs"
  44     davfs2.davGroup
  45     #"vboxusers"
  46   ];
  47   # If created, zfs-mount.service would require:
  48   # zfs set overlay=yes ${hostName}/home
  49   createHome = false;
  50 };
  51
  52 nix = {
  53   extraOptions = ''
  54     secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
  55   '';
  56   autoOptimiseStore = true;
  57   gc = {
  58     automatic = true;
  59     dates = "weekly";
  60     options = "--delete-older-than 7d";
  61   };
  62   nixPath = [
  63     "nixpkgs=/etc/nixpkgs"
  64     "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
  65   ];
  66   trustedUsers = [ users.julm.name ];
  67   binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
  68   binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
  69 };
  70 documentation.enable = false;
  71 nix.sshServe = {
  72   enable = true;
  73   keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
  74 };
  75 users.users.julm.openssh.authorizedKeys.keys = [
  76   (lib.readFile ../private/world/julm/losurdo/ssh.pub)
  77 ];
  78 services.openssh.openFirewall = false;
  79 services.openssh.forwardX11 = true;
  80 services.openssh.passwordAuthentication = false;
  81
  82 nixpkgs.config.allowUnfree = true;
  83 environment.etc."nixpkgs".source = pkgs.path;
  84 environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
  85
  86 documentation.nixos.enable = true;
  87 time.timeZone = "Europe/Paris";
  88 i18n.defaultLocale = "fr_FR.UTF-8";
  89 console.font = "Lat2-Terminus16";
  90 console.keyMap = "fr";
  91
  92 networking = {
  93   hostName = hostName;
  94   domain = "localdomain";
  95   search = [ "sourcephile.fr" ];
  96   networkmanager = {
  97     enable = true;
  98     #dhcp = "dhcpcd";
  99     logLevel = "INFO";
 100     wifi = {
 101       #backend = "iwd";
 102       #backend = "wpa_supplicant";
 103       powersave = false;
 104     };
 105   };
 106   firewall = {
 107     enable = true;
 108     allowPing = false;
 109   };
 110 };
 111
 112 sound.enable = true;
 113 hardware.pulseaudio.enable = true;
 114 hardware.sane.enable = true;
 115 hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
 116
 117 environment.variables = {
 118   EDITOR = "vim";
 119   PAGER  = "less -R";
 120   SYSTEMD_LESS = "FKMRX";
 121 };
 122 environment.systemPackages = [
 123   pkgs.mkpasswd
 124   pkgs.gdb
 125 ];
 126
 127 programs = {
 128   bash = {
 129     interactiveShellInit = ''
 130       bind '"\e[A":history-search-backward'
 131       bind '"\e[B":history-search-forward'
 132
 133       # Ignore duplicate commands, ignore commands starting with a space
 134       export HISTCONTROL=erasedups:ignorespace
 135       export HISTSIZE=42000
 136       # Append to the history instead of overwriting (good for multiple connections)
 137       shopt -s histappend
 138
 139       # Utilities
 140       mkcd () { mkdir -p "$1"; cd "$1"; }
 141       fan () {
 142         if [ $# -gt 0 ]
 143         then sudo tee /proc/acpi/ibm/fan <<<"level $1"
 144         else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
 145         fi
 146         acpi -t
 147       }
 148     '';
 149     shellAliases = {
 150       cl = "clear";
 151       grep = "grep --color";
 152       l  = "ls -alh";
 153       ll = "ls -al";
 154       ls = "ls --color=tty";
 155       mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
 156
 157       s="sudo systemctl";
 158       st="sudo systemctl status";
 159       u="systemctl --user";
 160       j="sudo journalctl -u";
 161       jb="sudo journalctl -b";
 162
 163       nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
 164       mv = "mv -i";
 165       sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
 166     };
 167   };
 168   dconf.enable = true;
 169   mtr.enable = true;
 170 };
 171
 172 services.avahi = {
 173   enable = true;
 174   nssmdns = true;
 175   openFirewall = false;
 176   publish = {
 177     enable = false;
 178   };
 179 };
 180 services.davfs2 = {
 181   enable = true;
 182   extraConfig = ''
 183   '';
 184 };
 185 fileSystems."/home/julm/mnt/ilico/severine" = {
 186   device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
 187   fsType = "davfs";
 188   options =
 189     let conf = pkgs.writeText "davfs2.conf" ''
 190       backup_dir /home/julm/documents/backup/ilico/severine
 191       cache_dir /home/julm/.cache/davfs2/ilico/severine
 192     ''; in
 193     [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
 194 };
 195 services.dbus = {
 196   packages = [ pkgs.gnome3.dconf ];
 197 };
 198 services.gvfs = {
 199   enable = true;
 200 };
 201 services.ipfs = {
 202   #enable = true;
 203   defaultMode = "online";
 204   autoMount = true;
 205   enableGC = true;
 206   localDiscovery = false;
 207   extraConfig = {
 208     Datastore.StorageMax = "10GB";
 209     Discovery.MDNS.Enabled = false;
 210     #Bootstrap = [
 211     #];
 212     #Swarm.AddrFilters = null;
 213   };
 214   startWhenNeeded = true;
 215 };
 216 services.journald = {
 217   extraConfig = ''
 218     Compress=true
 219     MaxRetentionSec=1month
 220     Storage=persistent
 221     SystemMaxUse=100M
 222   '';
 223 };
 224 services.printing = {
 225   enable = true;
 226   drivers = [
 227     pkgs.gutenprint
 228     pkgs.hplip
 229   ];
 230 };
 231 services.udev = {
 232   packages = [
 233     # Allow members of the "adbusers" group to mount Android devices via MTP.
 234     pkgs.android-udev-rules
 235     # Allow the console user access the Yubikey USB device node,
 236     # needed for challenge/response to work correctly.
 237     pkgs.yubikey-personalization
 238   ];
 239 };
 240 services.xserver = {
 241   enable = true;
 242   layout = "fr";
 243   xkbOptions = "eurosign:e";
 244   libinput.enable = true;
 245   desktopManager = {
 246     session = [
 247       # Let the session be generated by home-manager
 248       { name = "home-manager";
 249         start = ''
 250           ${pkgs.runtimeShell} $HOME/.hm-xsession &
 251           waitPID=$!
 252         '';
 253       }
 254     ];
 255   };
 256   displayManager = {
 257     defaultSession = "home-manager";
 258     #defaultSession = "none+xmonad";
 259     autoLogin = {
 260       enable = true;
 261       user = users.julm.name;
 262     };
 263   };
 264 };
 265
 266 systemd.coredump.enable = true;
 267 #environment.enableDebugInfo = true;
 268
 269 # This value determines the NixOS release with which your system is to be
 270 # compatible, in order to avoid breaking some software such as database
 271 # servers. You should change this only after NixOS release notes say you should.
 272 system.stateVersion = "20.09"; # Did you read the comment?
 273 }