# NixOS host configuration for a single-user laptop (home-manager declares the
# hardware as a ThinkPad X201). It pulls in shared profiles plus host-specific
# modules from the oignon/ directory, defines the user "julm", configures Nix
# itself (binary cache, signing key, GC), networking, remote filesystems and
# the X session.
#
# Arguments:
#   config, pkgs, lib -- the usual NixOS module arguments.
#   private           -- location of secret material; its type (path or string)
#                        is not visible here, see the note on secret-key-files.
#   hostName          -- used for networking.hostName and to select the
#                        per-host signing key.
{ config, pkgs, lib, private, hostName, ... }:
{
imports = [
  ../nixos/profiles/dnscrypt-proxy2.nix
  ../nixos/profiles/security.nix
  ../nixos/profiles/wireguard/wg-intra.nix
  oignon/hardware.nix
  oignon/wireguard.nix
  oignon/tor.nix
  oignon/backup.nix
];

home-manager.users.julm = {
  imports = [ ../homes/julm.nix ];
  host.hardware = [ "ThinkPad" "X201" ];
};
# After each home-manager activation, keep only the most recent generation of
# the user's home-manager profile ("+1" keeps the last one). Older generations
# are no longer available for rollback.
systemd.services.home-manager-julm.postStart = ''
  ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
'';

# Kernel modules may still be loaded after boot.
# NOTE(review): presumably this overrides a stricter setting from
# ../nixos/profiles/security.nix -- confirm, and record why this host needs it.
security.lockKernelModules = false;

# Accounts and passwords come only from this configuration; changes made with
# passwd/useradd do not persist.
users.mutableUsers = false;
users.users.julm = {
  isNormalUser = true;
  uid = 1000;
  # lib.readFile embeds the hash in the evaluated configuration, so it ends up
  # in the world-readable /nix/store.
  # NOTE(review): the original comment reasoned that the hash is in /etc/passwd
  # anyway; on NixOS the hash is written to /etc/shadow (root-only), so the
  # store copy is the exposed one and is open to offline guessing by any local
  # user. users.users.<name>.passwordFile keeps the hash out of the store.
  hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
  extraGroups = [
    "adbusers"
    "lp"
    "networkmanager"
    "scanner"
    "tor"
    "video"
    # wheel: administrative group (sudo).
    "wheel"
    #"ipfs"
    config.services.davfs2.davGroup
    #"vboxusers"
  ];
  # If created, zfs-mount.service would require:
  # zfs set overlay=yes ${hostName}/home
  createHome = false;
};

nix = {
  # Private key used to sign store paths for the binary cache.
  # NOTE(review): if `private` is a Nix path value rather than a string, this
  # interpolation copies the key material into the world-readable /nix/store;
  # confirm that `private` is passed as a string pointing outside the store.
  extraOptions = ''
    secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
  '';
  autoOptimiseStore = true;
  # Weekly garbage collection of generations older than 7 days.
  gc.automatic = true;
  gc.dates = "weekly";
  gc.options = "--delete-older-than 7d";
  # Empty NIX_PATH: <nixpkgs>-style lookups do not resolve on this host.
  nixPath = lib.mkForce [];
  # A trusted Nix user can override daemon settings and import unsigned paths,
  # which is effectively root on the store. julm is already in wheel.
  trustedUsers = [ config.users.users.julm.name ];
  # Plain-HTTP substituter: the transport itself gives no integrity or
  # confidentiality, so trust rests on signature verification against
  # binaryCachePublicKeys below. The ".wg" name suggests it is reached over
  # the WireGuard tunnel -- TODO confirm.
  binaryCaches = [
    "http://nix-localcache.losurdo.wg"
  ];
  binaryCachePublicKeys = [
    "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los="
  ];
};
#environment.etc."nixpkgs".source = pkgs.path;
#environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

documentation = {
  enable = true;
  dev.enable = true;
  doc.enable = true;
  info.enable = false;
  man.enable = true;
  nixos.enable = false;
};

# Serve this host's Nix store over SSH to the holder of the listed key.
nix.sshServe = {
  enable = true;
  keys = [
    (lib.readFile ../private/world/julm/losurdo/ssh.pub)
  ];
};
# The same public key is also authorized for interactive login as julm, so one
# key grants both store access and a shell for a wheel member.
# NOTE(review): consider separate keys if the two uses have different holders.
users.users.julm.openssh.authorizedKeys.keys = [
  (lib.readFile ../private/world/julm/losurdo/ssh.pub)
];

time.timeZone = "Europe/Paris";
i18n.defaultLocale = "fr_FR.UTF-8";
console.font = "Lat2-Terminus16";
console.keyMap = "fr";

networking = {
  hostName = hostName;
  domain = "localdomain";
  search = [ "sourcephile.fr" ];
  networkmanager = {
    enable = true;
    #dhcp = "dhcpcd";
    logLevel = "INFO";
    wifi = {
      #backend = "iwd";
      #backend = "wpa_supplicant";
      powersave = false;
    };
  };
  # Firewall on; no ports are opened in this file, only ICMP echo is allowed.
  firewall = {
    enable = true;
    allowPing = true;
  };
};

sound.enable = true;
hardware.pulseaudio.enable = true;
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];

environment.variables = {
  EDITOR = "vim";
  PAGER = "less -R";
  SYSTEMD_LESS = "FKMRX";
};

# Interactive helper `fan`: with an argument, sets the ThinkPad fan level by
# writing "level <arg>" to /proc/acpi/ibm/fan through sudo; without one, prints
# the current level and speed. Either way it then prints temperatures.
programs.bash.interactiveShellInit = ''
  fan () {
    if [ $# -gt 0 ]
    then sudo tee /proc/acpi/ibm/fan <<<"level $1"
    else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
    fi
    acpi -t
  }
'';

programs.dconf.enable = true;
programs.mtr.enable = true;

# mDNS resolution only: the host resolves names through nss-mdns but does not
# publish itself and does not open the firewall for Avahi.
services.avahi = {
  enable = true;
  nssmdns = true;
  openFirewall = false;
  publish = {
    enable = false;
  };
};
services.davfs2.enable = true;
# WebDAV share, mounted on demand by the user ("user", "noauto"); noexec and
# nosuid keep remote content from being executed or gaining privileges.
fileSystems."/home/julm/mnt/ilico/severine" = {
  device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
  fsType = "davfs";
  options =
    let conf = pkgs.writeText "davfs2.conf" ''
      backup_dir /home/julm/documents/backup/ilico/severine
      cache_dir /home/julm/.cache/davfs2/ilico/severine
    '';
    in
    [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
};
environment.systemPackages = [pkgs.glib.bin];
# Lets non-root users pass allow_other to FUSE mounts (used by /mnt/losurdo).
programs.fuse.userAllowOther = true;
# sshfs automount of the remote root directory of losurdo.wg as user julm.
# NOTE(review): "allow_other" exposes the mount to every local account, and
# without "default_permissions" FUSE does not apply local permission checks,
# so any local process sees the remote tree with julm's remote rights.
# Confirm that this is intended.
fileSystems."/mnt/losurdo" = {
  device = "${pkgs.sshfsFuse}/bin/sshfs#julm@losurdo.wg:/";
  fsType = "fuse";
  options =
    # Use the user's gpg-agent session to query
    # for the password of the SSH key when auto-mounting.
    let
    # Wrapper handed to sshfs as ssh_command: re-runs ssh in a login
    # environment of `user` through sudo, forwarding all arguments unchanged.
    sshAsUser = user:
      pkgs.writeScript "sshAsUser-${user}" ''
        exec ${pkgs.sudo}/bin/sudo -i -u ${user} \
          ${pkgs.openssh}/bin/ssh "$@"
      '';
    in [
      "noatime"
      "noexec"
      "nosuid"
      "user"
      "uid=julm"
      "gid=users"
      "allow_other"
      "_netdev"
      "ssh_command=${sshAsUser "julm"}"
      # "reconnect"
      "noauto"
      "x-gvfs-hide"
      "x-systemd.automount"
      #"Compression=yes" # YMMV
      # Disconnect approximately 2*15=30 seconds after a network failure
      "ServerAliveCountMax=1"
      "ServerAliveInterval=15"
    ];
};

services.dbus = {
  packages = [ pkgs.gnome3.dconf ];
};
services.gvfs.enable = true;
# `enable` is commented out, so the remaining IPFS settings presumably have no
# effect until it is switched on -- confirm.
services.ipfs = {
  #enable = true;
  defaultMode = "online";
  autoMount = true;
  enableGC = true;
  localDiscovery = false;
  extraConfig = {
    Datastore.StorageMax = "10GB";
    Discovery.MDNS.Enabled = false;
    #Bootstrap = [
    #];
    #Swarm.AddrFilters = null;
  };
  startWhenNeeded = true;
};
# Only X11 forwarding is set here; whether sshd is enabled is decided elsewhere
# (nix.sshServe or an imported profile, presumably).
# NOTE(review): confirm X11 forwarding is still needed on this host.
services.openssh = {
  forwardX11 = true;
};
services.printing = {
  enable = true;
  drivers = [
    pkgs.gutenprint
    pkgs.hplip
  ];
};
services.udev = {
  packages = [
    # Allow members of the "adbusers" group to mount Android devices via MTP.
    pkgs.android-udev-rules
    # Allow the console user access the Yubikey USB device node,
    # needed for challenge/response to work correctly.
    pkgs.yubikey-personalization
  ];
};
services.xserver = {
  enable = true;
  layout = "fr";
  xkbOptions = "eurosign:e";
  libinput.enable = true;
  desktopManager = {
    session = [
      # Let the session be generated by home-manager
      {
        name = "home-manager";
        start = ''
          ${pkgs.runtimeShell} $HOME/.hm-xsession &
          waitPID=$!
        '';
      }
    ];
  };
  displayManager = {
    defaultSession = "home-manager";
    #defaultSession = "none+xmonad";
    # The graphical session for julm (a wheel member) starts without a password
    # prompt at boot.
    # NOTE(review): physical-access protection then depends on controls not
    # visible in this file (e.g. disk encryption in oignon/hardware.nix) --
    # confirm.
    autoLogin = {
      enable = true;
      user = config.users.users.julm.name;
    };
  };
};

# Core dumps are collected by systemd-coredump; they can contain process
# memory, including secrets held by the crashed program.
systemd.coredump.enable = true;
#environment.enableDebugInfo = true;

# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you should.
system.stateVersion = "20.09"; # Did you read the comment?
}