nix: update flake inputs

[julm/julm-nix.git] / hosts / patate.nix

diff --git a/hosts/patate.nix b/hosts/patate.nix
index 42e8c5b704e484ae5e536e2ab23a354f11ebef7d..4d626f4451b2cf3f2c77e37d1a6c5528d66d72f8 100644 (file)
--- a/hosts/patate.nix
+++ b/hosts/patate.nix
@@ -3,41 +3,45 @@ let inherit (config.users) users; in
 {
 imports = [
   ../profiles/dnscrypt-proxy2.nix
+  ../profiles/security.nix
+  ../networking/wireguard/wg-intra.nix
+  patate/backup.nix
   patate/hardware.nix
 ];
 
 home-manager.users.sevy = {
   imports = [ ../homes/sevy.nix ];
-  host.name = hostName;
   host.hardware = ["ThinkPad" "X200"];
 };
 systemd.services.home-manager-julm.postStart = ''
   ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/sevy/home-manager
 '';
+security.lockKernelModules = false;
 users.mutableUsers = false;
 users.users.sevy = {
   isNormalUser = true;
   uid = 1000;
   # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
   # which is already world readable.
-  hashedPassword = lib.readFile ../secrets/sevy/hashedPassword;
+  hashedPassword = lib.readFile ../private/world/sevy/hashedPassword;
   extraGroups = [
     "adbusers"
+    config.services.davfs2.davGroup
     "lp"
     "networkmanager"
     "scanner"
+    "systemd-journal"
     "tor"
+    "vboxusers"
     "video"
     "wheel"
-    "networkmanager"
-    "vboxusers"
   ];
 };
 
 nix = {
   extraOptions = ''
-    auto-optimise-store = true
   '';
+  autoOptimiseStore = true;
   gc = {
     automatic = true;
     dates = "weekly";
@@ -48,13 +52,23 @@ nix = {
     "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
   ];
   trustedUsers = [ users.sevy.name ];
+  binaryCaches = [
+    "http://nix-localcache.losurdo.wg"
+    "ssh://nix-ssh@oignon.wg"
+  ];
+  binaryCachePublicKeys = [
+    "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los="
+    "oignon.sourcephile.fr:slxL7XLsGXlD1r6gvw1imL5uQntW0TTlQgGQt3LBJgQ="
+  ];
 };
+services.openssh.passwordAuthentication = false;
+
 environment.etc."nixpkgs".source = pkgs.path;
 environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
+environment.systemPackages = [
+  pkgs.riseup-vpn
+];
 
-nixpkgs.config = {
-  allowUnfree = true;
-};
 documentation.nixos.enable = true;
 time.timeZone = "Europe/Paris";
 i18n.defaultLocale = "fr_FR.UTF-8";
@@ -76,6 +90,7 @@ networking = {
   };
   firewall = {
     enable = true;
+    allowPing = false;
     allowedTCPPorts = [
       51413 # transmission-gtk
       4662 # edonkey
@@ -144,79 +159,80 @@ programs = {
   mtr.enable = true;
 };
 
-services = {
-  avahi = {
-    enable  = true;
-    nssmdns = true;
-  };
-  dbus = {
-    packages = [ pkgs.gnome3.dconf ];
-  };
-  gvfs = {
-    enable = true;
-  };
-  journald = {
-    extraConfig = ''
-      Compress=true
-      MaxRetentionSec=1month
-      Storage=persistent
-      SystemMaxUse=100M
-    '';
-  };
-  physlock = {
-    enable = true;
-    allowAnyUser = true;
-    # NOTE: xfconf-query -c xfce4-session -p /general/LockCommand -s "physlock" --create -t string
-  };
-  printing = {
-    enable = true;
-    drivers = [
-      pkgs.gutenprint
-      pkgs.hplip
-    ];
+services.avahi = {
+  enable  = true;
+  nssmdns = true;
+  openFirewall = false;
+  publish = {
+    enable = false;
   };
-  sanoid = {
-    enable = true;
-    extraArgs = [ "--verbose" ];
-    datasets = {
-      "${hostName}/home/documents" = {
-        autosnap = true;
-        autoprune = true;
-        hourly = 12;
-        daily = 31;
-        monthly = 0;
-        yearly = 0;
-      };
+};
+services.davfs2 = {
+  enable = true;
+  extraConfig = ''
+  '';
+};
+fileSystems."/home/sevy/mnt/ilico/severine" = {
+  device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
+  fsType = "davfs";
+  options =
+    let conf = pkgs.writeText "davfs2.conf" ''
+      backup_dir /home/sevy/Documents/EnTransfert/ilico/severine
+      cache_dir /home/sevy/.cache/davfs2/ilico/severine
+    ''; in
+    [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
+};
+services.dbus = {
+  packages = [ pkgs.gnome3.dconf ];
+};
+services.gvfs = {
+  enable = true;
+};
+services.journald = {
+  extraConfig = ''
+    Compress=true
+    MaxRetentionSec=1month
+    Storage=persistent
+    SystemMaxUse=100M
+  '';
+};
+services.physlock = {
+  enable = true;
+  allowAnyUser = true;
+  # NOTE: xfconf-query -c xfce4-session -p /general/LockCommand -s "physlock" --create -t string
+};
+services.printing = {
+  enable = true;
+  drivers = [
+    pkgs.gutenprint
+    pkgs.hplip
+  ];
+};
+services.udev = {
+  packages = [
+    # Allow members of the "adbusers" group to mount Android devices via MTP
+    pkgs.android-udev-rules
+  ];
+};
+services.xserver = {
+  enable = true;
+  layout = "fr";
+  xkbOptions = "eurosign:e";
+  libinput.enable = true;
+  desktopManager = {
+    xfce = {
+      enable = true;
+      thunarPlugins = [
+        #pkgs.xfce.thunar-archive-plugin
+      ];
     };
+    xterm.enable = false;
   };
-  udev = {
-    packages = [
-      # Allow members of the "adbusers" group to mount Android devices via MTP
-      pkgs.android-udev-rules
-    ];
-  };
-  xserver = {
-    enable = true;
-    layout = "fr";
-    xkbOptions = "eurosign:e";
-    libinput.enable = true;
-    desktopManager = {
-      xfce = {
-        enable = true;
-        thunarPlugins = [
-          pkgs.xfce.thunar-archive-plugin
-        ];
-      };
-      xterm.enable = false;
-    };
-    displayManager = {
-      defaultSession = "xfce";
-      lightdm = {
-        autoLogin = {
-          enable = true;
-          user = users.sevy.name;
-        };
-      };
+  displayManager = {
+    defaultSession = "xfce";
+    autoLogin = {
+      enable = true;
+      user = users.sevy.name;
     };
   };
 };