nix: update patches
[julm/julm-nix.git] / hosts / oignon.nix
index 6a23d0976093688ebd8196a531182444f4987f12..0668eaac057ec952e5ea6a079252caf03b1f971f 100644 (file)
@@ -1,29 +1,34 @@
-{ config, pkgs, lib, inputs, hostName, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  hostName,
+  ...
+}:
 {
   imports = [
-    ../nixos/profiles/builder.nix
     ../nixos/profiles/debug.nix
     ../nixos/profiles/graphical.nix
+    ../nixos/profiles/irssi.nix
     ../nixos/profiles/lang-fr.nix
+    ../nixos/profiles/laptop.nix
     ../nixos/profiles/printing.nix
-    ../nixos/profiles/security.nix
-    ../nixos/profiles/system.nix
+    ../nixos/profiles/radio.nix
     ../nixos/profiles/tor.nix
-    ../nixos/profiles/irssi.nix
+    ../nixos/profiles/bluetooth.nix
     oignon/backup.nix
     oignon/hardware.nix
+    oignon/nebula.nix
     oignon/networking.nix
   ];
 
   # Lower kernel's security for better performances
-  boot.kernelParams = [ "mitigations=off" ];
+  security.kernel.mitigations = "off";
 
   home-manager.users.julm = {
     imports = [ ../homes/julm.nix ];
   };
-  systemd.services.home-manager-julm.postStart = ''
-    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
-  '';
   users.users.root = {
     openssh.authorizedKeys.keys = map lib.readFile [
       # For nix -L run .#oignon.switch
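Review bot: The import of `../nixos/profiles/security.nix` (and `system.nix`) is dropped in the same hunk that turns kernel mitigations off, and nothing here records where that profile's settings went or whether they are intentionally gone for this host. `security.kernel.mitigations` is not an option I recognise from upstream NixOS, so it is presumably defined by a repo-local module still imported elsewhere; naming it would save the next reader a search. I would extend the existing comment to `# Lower kernel's security for better performances (option defined in <MODULE-PATH placeholder>)`. The `users.users.root` attribute set continues outside the hunk.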
@@ -42,6 +47,7 @@
       "dialout"
       "lp"
       "networkmanager"
+      "plugdev" # For rtl-sdr
       "scanner"
       "tor"
       "video"
     ];
   };
 
-  systemd.services.nix-daemon.serviceConfig.LoadCredentialEncrypted =
-    [ ("${hostName}.key:" + inputs.self + "/hosts/${hostName}/nix/secret-key-files.priv.pem.cred") ];
+  systemd.services.nix-daemon.serviceConfig.LoadCredentialEncrypted = [
+    "${hostName}.key:${
+      builtins.path { path = ./. + "/${hostName}/nix/secret-key-files.priv.pem.cred"; }
+    }"
+  ];
   nix = {
     extraOptions = ''
       secret-key-files = /run/credentials/nix-daemon.service/${hostName}.key
     '';
     settings = {
-      trusted-users = [ config.users.users."julm".name ];
       substituters = [
-        #"http://nix-localcache.losurdo.wg"
-        "ssh://nix-ssh@losurdo.wg?priority=30"
+        #"http://nix-localcache.losurdo.sp"
+        "ssh://nix-ssh@losurdo.sp?priority=30"
       ];
       trusted-public-keys = map lib.readFile [
-        ../hosts/losurdo/nix/key.pub
+        ../users/nix/ssh/losurdo.pub
       ];
     };
     nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
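Review bot: `trusted-public-keys` now reads `../users/nix/ssh/losurdo.pub`, whose directory and name suggest an SSH public key, while Nix expects a store signing key in `name:base64` form; please confirm the file holds the signing key and not the host's SSH key, since a malformed entry would leave the `losurdo.sp` substituter's paths untrusted (or silently change which key is trusted). The `.cred` file wrapped in `builtins.path` ends up in the world-readable store, as it did before via `inputs.self`, which is acceptable only because `LoadCredentialEncrypted` implies it is encrypted for this host; a one-line comment above the list, e.g. `# Encrypted with systemd-creds, so copying it into the store is intended`, would record that assumption. The `nix = { … }` attribute set closes outside the hunk.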
 
   services.davfs2.enable = true;
 
+  systemd.automounts = [
+    {
+      where = "/mnt/aubergine";
+      automountConfig.TimeoutIdleSec = "5 min";
+    }
+  ];
   fileSystems =
-    # Use the user's gpg-agent session to query
-    # for the password of the SSH key when auto-mounting.
     let
-      sshAsUser = user:
-        pkgs.writeScript "sshAsUser-${user}" ''
-          exec ${pkgs.sudo}/bin/sudo -i -u ${user} \
-            ${pkgs.openssh}/bin/ssh "$@"
-        '';
-      options =
-        [
-          "noatime"
-          "noexec"
-          "nosuid"
-          "user"
-          "uid=julm"
-          "gid=users"
-          "allow_other"
-          "_netdev"
-          "ssh_command=${sshAsUser "julm"}" #  "reconnect"
-          "noauto"
-          "x-gvfs-hide"
-          "x-systemd.automount"
-          #"Compression=yes" # YMMV
-          # Disconnect approximately 2*15=30 seconds after a network failure
-          "ServerAliveCountMax=1"
-          "ServerAliveInterval=15"
-        ];
+      # Use the user's gpg-agent session to query
+      # for the password of the SSH key when auto-mounting.
+      sshAsUser = pkgs.writeScript "sshAsUser" ''
+        user="$1"; shift
+        exec ${pkgs.sudo}/bin/sudo -i -u "$user" \
+          ${pkgs.openssh}/bin/ssh "$@"
+      '';
+      options = [
+        "user"
+        "uid=julm"
+        "gid=users"
+        "allow_other"
+        "exec" # Override "user"'s noexec
+        "noatime"
+        "nosuid"
+        "_netdev"
+        "ssh_command=${sshAsUser}\\040julm"
+        "noauto"
+        "x-gvfs-hide"
+        "x-systemd.automount"
+        #"Compression=yes" # YMMV
+        # Disconnect approximately 2*15=30 seconds after a network failure
+        "ServerAliveCountMax=1"
+        "ServerAliveInterval=15"
+        "dir_cache=no"
+        #"reconnect"
+      ];
     in
     {
       "/mnt/aubergine" = {
-        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.wg:/";
+        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.sp:/";
         fsType = "fuse";
         inherit options;
       };
       "/mnt/losurdo" = {
-        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.wg:/";
+        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.sp:/";
         fsType = "fuse";
         inherit options;
       };
       "/mnt/mermet" = {
-        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@mermet.wg:/";
+        device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@mermet.sp:/";
         fsType = "fuse";
         inherit options;
       };
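Review bot: The new `systemd.automounts` entry for `/mnt/aubergine` duplicates the automount unit that `x-systemd.automount` in `options` already makes systemd-fstab-generator create, so the idle timeout is set through a second unit definition rather than the mount entry itself; the fstab option `"x-systemd.idle-timeout=5min"` added to `options` expresses the same thing without the extra unit, and would apply consistently to the `losurdo` and `mermet` mounts too, unless only `aubergine` is meant to unmount when idle. Separately, `"exec" # Override "user"'s noexec` makes files served by another host's root filesystem executable for every local user (`allow_other`), with only `nosuid` left as a guard; the comment should say what needs to be executed from these mounts, e.g. `"exec" # Override "user"'s noexec: <what-needs-exec placeholder>; nosuid stays on`. The `fileSystems = let … in { … }` expression closes outside the hunk.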
   ];
 
   services.xserver = {
+    xkb = {
+      layout = "fr,us(altgr-intl)";
+    };
     desktopManager = {
       session = [
         # Let the session be generated by home-manager
         }
       ];
     };
-    displayManager = {
-      defaultSession = "home-manager";
-      #defaultSession = "none+xmonad";
-      #defaultSession = "mate";
-      #defaultSession = "cinnamon";
-      autoLogin = {
-        user = config.users.users.julm.name;
-      };
+  };
+
+  services.displayManager = {
+    defaultSession = "home-manager";
+    #defaultSession = "none+xmonad";
+    #defaultSession = "mate";
+    #defaultSession = "cinnamon";
+    autoLogin = {
+      user = config.users.users.julm.name;
     };
   };