nixpkgs: update patches
[julm/julm-nix.git] / hosts / oignon.nix
index af2b6a7818355edfcfd6536831c727ac59e12592..01aed7d41e952eff62633d0daa889f0dd2e07800 100644 (file)
@@ -1,38 +1,45 @@
-{ config, pkgs, lib, inputs, private, hostName, ... }:
+{ config, pkgs, lib, inputs, hostName, ... }:
 {
 imports = [
   ../nixos/profiles/builder.nix
   ../nixos/profiles/debug.nix
-  ../nixos/profiles/dnscrypt-proxy2.nix
   ../nixos/profiles/graphical.nix
   ../nixos/profiles/lang-fr.nix
-  ../nixos/profiles/networking.nix
   ../nixos/profiles/printing.nix
   ../nixos/profiles/security.nix
   ../nixos/profiles/system.nix
   ../nixos/profiles/tor.nix
   ../nixos/profiles/irssi.nix
-  ../nixos/profiles/wireguard/wg-intra.nix
   oignon/backup.nix
   oignon/hardware.nix
-  oignon/wireguard.nix
+  oignon/networking.nix
 ];
 
+# Lower kernel's security for better performances
+boot.kernelParams = [ "mitigations=off" ];
+
 home-manager.users.julm = {
   imports = [ ../homes/julm.nix ];
-  host.hardware = [ "ThinkPad" "X201" ];
 };
 systemd.services.home-manager-julm.postStart = ''
   ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
 '';
+users.users.root = {
+  openssh.authorizedKeys.keys = map lib.readFile [
+    # For nix -L run .#oignon.switch
+    ../users/julm/ssh/oignon.pub
+  ];
+};
 users.users.julm = {
   isNormalUser = true;
   uid = 1000;
-  # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
-  # which is already world readable.
-  hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
+  # Put the hashedPassword in /nix/store,
+  # though /etc/shadow is not world readable...
+  # printf %s $(mkpasswd -m md5crypt)
+  hashedPassword = lib.readFile oignon/users/julm/login/hashedPassword.clear;
   extraGroups = [
     "adbusers"
+    "dialout"
     "lp"
     "networkmanager"
     "scanner"
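Review bot: The new comment documents the login hash as `printf %s $(mkpasswd -m md5crypt)`, and md5crypt is a weak, fast hash for a password whose hash this same hunk copies into the world-readable Nix store via `lib.readFile oignon/users/julm/login/hashedPassword.clear`. Generate it with `mkpasswd -m sha-512` (or yescrypt where the mkpasswd build supports it), and consider `users.users.julm.hashedPasswordFile` pointing at a path outside the store so the hash never enters `/nix/store`; the comment would then read `# Generated with: printf %s $(mkpasswd -m sha-512)`. Separately, `boot.kernelParams = [ "mitigations=off" ];` disables the kernel's speculative-execution mitigations host-wide, and its one-line comment should name the trade-off, e.g. `# Turns off Spectre/Meltdown-class mitigations for performance; unsafe if this host runs untrusted code or guests`. The new root authorized key is consistent with the push deployment it documents, provided sshd keeps PermitRootLogin at its prohibit-password default, which is not visible in this hunk.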
@@ -47,14 +54,15 @@ users.users.julm = {
   # zfs set overlay=yes ${hostName}/home
   createHome = false;
   openssh.authorizedKeys.keys = map lib.readFile [
-    ../private/shared/ssh/julm/losurdo.pub
+    ../users/julm/ssh/losurdo.pub
   ];
 };
 
+systemd.services.nix-daemon.serviceConfig.LoadCredentialEncrypted =
+  [ ("${hostName}.key:" + inputs.self + "/hosts/${hostName}/nix/secret-key-files.priv.pem.cred") ];
 nix = {
   extraOptions = ''
-    #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
-    secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
+    secret-key-files = /run/credentials/nix-daemon.service/${hostName}.key
   '';
   settings = {
     trusted-users = [ config.users.users."julm".name ];
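Review bot: The `LoadCredentialEncrypted` entry derives its source from `inputs.self`, so the `.cred` blob is read from the flake's copy in the store; that is only acceptable because the file is already encrypted, and a comment such as `# Encrypted with systemd-creds and committed; only this host's credential key can decrypt it` would spare the next reader from checking. The credential ID `${hostName}.key` is also what `secret-key-files = /run/credentials/nix-daemon.service/${hostName}.key` reads two hunks later, and systemd validates the name embedded in the blob at decryption time, so both spellings and the `--name` used when encrypting must agree; binding the ID once in a `let` and using it in both places removes that coupling. Placing the `systemd.services.nix-daemon` line directly beside the `nix.extraOptions` block that consumes the credential would make the dependency visible.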
@@ -63,7 +71,7 @@ nix = {
       "ssh://nix-ssh@losurdo.wg?priority=30"
     ];
     trusted-public-keys = map lib.readFile [
-      ../private/shared/nix/losurdo.pub
+      ../hosts/losurdo/nix/key.pub
     ];
   };
   nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
@@ -75,12 +83,15 @@ nix.settings.allowed-users = [ config.users.users."nix-ssh".name ];
 nix.sshServe = {
   enable = true;
   keys = map lib.readFile [
-    ../private/shared/ssh/julm/losurdo.pub
-    ../private/shared/ssh/sevy/patate.pub
-    ../private/shared/ssh/julm/oignon.pub
+    ../users/julm/ssh/losurdo.pub
+    ../users/julm/ssh/oignon.pub
+    ../users/sevy/ssh/patate.pub
   ];
 };
 
+#security.systemd-creds.shell = [ "sudo" ];
+security.systemd-creds.encrypt = [ "systemd-creds" "encrypt" "--name" "\"$credID\"" "--with-key=host" ];
+
 environment.systemPackages = [
   pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules
 ];
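Review bot: `"\"$credID\""` in the `security.systemd-creds.encrypt` list carries literal double-quote characters inside the argv element; if the consuming module passes the list straight to exec, `--name` receives the quotes as part of the credential name and `LoadCredentialEncrypted` will later reject the blob because the embedded name no longer matches — if the module joins the list into a shell string instead, the quotes are harmless, but since that module is not visible here a comment stating which it is would help. `--with-key=host` ties every committed `.cred` file solely to `/var/lib/systemd/credential.secret`; on a machine with a TPM, `--with-key=host+tpm2` keeps the blobs undecryptable with the host secret file alone, which matters because the encrypted credentials live in the repository. The commented-out `#security.systemd-creds.shell = [ "sudo" ];` line is a leftover; drop it or say why it is kept.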
@@ -114,6 +125,11 @@ fileSystems =
         "ServerAliveInterval=15"
       ];
   in {
+  "/mnt/aubergine" = {
+    device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.wg:/";
+    fsType = "fuse";
+    inherit options;
+  };
   "/mnt/losurdo" = {
     device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.wg:/";
     fsType = "fuse";
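Review bot: The new `/mnt/aubergine` entry repeats `/mnt/losurdo` except for the host name; a helper in the enclosing `let`, which starts outside this hunk, e.g. `sshfsMount = host: { device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@${host}.wg:/"; fsType = "fuse"; inherit options; };`, would keep the two mounts identical by construction. The shared `options` list is not visible here apart from `ServerAliveInterval=15`; since both mounts authenticate an ssh server reached over the WireGuard name, it is worth confirming it pins host keys (a `StrictHostKeyChecking` / `UserKnownHostsFile` pair) rather than trusting the first connection.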
@@ -146,7 +162,7 @@ networking.firewall.extraCommands = ''
   ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 8000 -j ACCEPT
 '';
 
-services.ipfs = {
+services.kubo = {
   #enable = true;
   defaultMode = "online";
   autoMount = true;