git: ignore nixpkgs roots
[julm/julm-nix.git] / hosts / oignon.nix
index 9af9a796845697c37a9f113f43ee7ef48a7c2c5f..e55df74ae1ba07a7898f2ec150b7f15ce39eca5d 100644 (file)
@@ -1,29 +1,35 @@
 { config, pkgs, lib, inputs, private, hostName, ... }:
-let
-  inherit (config.users) users;
-  inherit (config.services) davfs2;
-in
 {
 imports = [
-  ../profiles/dnscrypt-proxy2.nix
-  ../profiles/security.nix
-  oignon/hardware.nix
-  oignon/openvpn.nix
-  oignon/wireguard.nix
-  oignon/tor.nix
+  ../nixos/profiles/builder.nix
+  ../nixos/profiles/debug.nix
+  ../nixos/profiles/graphical.nix
+  ../nixos/profiles/lang-fr.nix
+  ../nixos/profiles/printing.nix
+  ../nixos/profiles/security.nix
+  ../nixos/profiles/system.nix
+  ../nixos/profiles/tor.nix
+  ../nixos/profiles/irssi.nix
   oignon/backup.nix
+  oignon/hardware.nix
+  oignon/networking.nix
 ];
 
+# Lower kernel's security for better performances
+boot.kernelParams = [ "mitigations=off" ];
+
 home-manager.users.julm = {
   imports = [ ../homes/julm.nix ];
-  host.name = hostName;
-  host.hardware = ["ThinkPad" "X201"];
+  host.hardware = [ "ThinkPad" "X201" ];
 };
 systemd.services.home-manager-julm.postStart = ''
   ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
 '';
-security.lockKernelModules = false;
-users.mutableUsers = false;
+users.users.root = {
+  openssh.authorizedKeys.keys = map lib.readFile [
+    ../private/shared/ssh/julm/oignon.pub
+  ];
+};
 users.users.julm = {
   isNormalUser = true;
   uid = 1000;
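Review bot: The new `boot.kernelParams = [ "mitigations=off" ];` just after the imports list switches off every CPU speculative-execution mitigation the kernel offers, and the only rationale is the one-line comment above it; on a host that also imports the graphical and tor profiles and runs a browser, that trades cross-process memory isolation for speed. If the trade-off is deliberate, record it at the option, e.g. `# Disables all Spectre/Meltdown-class mitigations: untrusted code on this host (browser, VMs) may read memory of other processes; accepted for this X201.`, so the next reader does not drop or copy it blindly. The same hunk adds `users.users.root.openssh.authorizedKeys.keys`, while the sshd settings that used to live in this file (`passwordAuthentication = false`, `openFirewall = false`) are removed later in the diff, presumably into `../nixos/profiles/security.nix`, which is not visible here; confirm that profile also pins `PermitRootLogin` to `prohibit-password` or stricter, otherwise root is reachable over SSH with whatever the sshd default allows. `users.mutableUsers = false;` is likewise removed without a replacement in this file, so unless a profile restores it the host reverts to mutable users and the declared accounts are no longer enforced on every rebuild.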
@@ -32,6 +38,7 @@ users.users.julm = {
   hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
   extraGroups = [
     "adbusers"
+    "dialout"
     "lp"
     "networkmanager"
     "scanner"
@@ -39,163 +46,112 @@ users.users.julm = {
     "video"
     "wheel"
     #"ipfs"
-    davfs2.davGroup
+    config.services.davfs2.davGroup
     #"vboxusers"
   ];
   # If created, zfs-mount.service would require:
   # zfs set overlay=yes ${hostName}/home
   createHome = false;
+  openssh.authorizedKeys.keys = map lib.readFile [
+    ../private/shared/ssh/julm/losurdo.pub
+  ];
 };
 
 nix = {
   extraOptions = ''
-    auto-optimise-store = true
+    #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
     secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
   '';
-  gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 7d";
+  settings = {
+    trusted-users = [ config.users.users."julm".name ];
+    substituters = [
+      #"http://nix-localcache.losurdo.wg"
+      "ssh://nix-ssh@losurdo.wg?priority=30"
+    ];
+    trusted-public-keys = map lib.readFile [
+      ../private/shared/nix/losurdo.pub
+    ];
   };
-  nixPath = [
-    "nixpkgs=/etc/nixpkgs"
-    "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
-  ];
-  trustedUsers = [ users.julm.name ];
-  binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
-  binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
+  nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
 };
-documentation.enable = false;
+#environment.etc."nixpkgs".source = pkgs.path;
+#environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
+
+nix.settings.allowed-users = [ config.users.users."nix-ssh".name ];
 nix.sshServe = {
   enable = true;
-  keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
-};
-users.users.julm.openssh.authorizedKeys.keys = [
-  (lib.readFile ../private/world/julm/losurdo/ssh.pub)
-];
-services.openssh.openFirewall = false;
-services.openssh.forwardX11 = true;
-services.openssh.passwordAuthentication = false;
-
-nixpkgs.config.allowUnfree = true;
-environment.etc."nixpkgs".source = pkgs.path;
-environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
-
-documentation.nixos.enable = true;
-time.timeZone = "Europe/Paris";
-i18n.defaultLocale = "fr_FR.UTF-8";
-console.font = "Lat2-Terminus16";
-console.keyMap = "fr";
-
-networking = {
-  hostName = hostName;
-  domain = "localdomain";
-  search = [ "sourcephile.fr" ];
-  networkmanager = {
-    enable = true;
-    #dhcp = "dhcpcd";
-    logLevel = "INFO";
-    wifi = {
-      #backend = "iwd";
-      #backend = "wpa_supplicant";
-      powersave = false;
-    };
-  };
-  firewall = {
-    enable = true;
-    allowPing = false;
-  };
+  keys = map lib.readFile [
+    ../private/shared/ssh/julm/losurdo.pub
+    ../private/shared/ssh/sevy/patate.pub
+    ../private/shared/ssh/julm/oignon.pub
+  ];
 };
 
-sound.enable = true;
-hardware.pulseaudio.enable = true;
-hardware.sane.enable = true;
-hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
-
-environment.variables = {
-  EDITOR = "vim";
-  PAGER  = "less -R";
-  SYSTEMD_LESS = "FKMRX";
-};
 environment.systemPackages = [
-  pkgs.mkpasswd
-  pkgs.gdb
+  pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules
 ];
 
-programs = {
-  bash = {
-    interactiveShellInit = ''
-      bind '"\e[A":history-search-backward'
-      bind '"\e[B":history-search-forward'
-
-      # Ignore duplicate commands, ignore commands starting with a space
-      export HISTCONTROL=erasedups:ignorespace
-      export HISTSIZE=42000
-      # Append to the history instead of overwriting (good for multiple connections)
-      shopt -s histappend
+boot.extraModulePackages = [
+  #config.boot.kernelPackages.v4l2loopback
+];
 
-      # Utilities
-      mkcd () { mkdir -p "$1"; cd "$1"; }
-      fan () {
-        if [ $# -gt 0 ]
-        then sudo tee /proc/acpi/ibm/fan <<<"level $1"
-        else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
-        fi
-        acpi -t
-      }
-    '';
-    shellAliases = {
-      cl = "clear";
-      grep = "grep --color";
-      l  = "ls -alh";
-      ll = "ls -al";
-      ls = "ls --color=tty";
-      mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
+programs.fuse.userAllowOther = true;
 
-      s="sudo systemctl";
-      st="sudo systemctl status";
-      u="systemctl --user";
-      j="sudo journalctl -u";
-      jb="sudo journalctl -b";
+services.davfs2.enable = true;
 
-      nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
-      mv = "mv -i";
-      sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
-    };
+fileSystems =
+  # Use the user's gpg-agent session to query
+  # for the password of the SSH key when auto-mounting.
+  let
+    sshAsUser = user:
+      pkgs.writeScript "sshAsUser-${user}" ''
+         exec ${pkgs.sudo}/bin/sudo -i -u ${user} \
+           ${pkgs.openssh}/bin/ssh "$@"
+      '';
+    options =
+      [
+        "noatime" "noexec" "nosuid"
+        "user" "uid=julm" "gid=users" "allow_other"
+        "_netdev" "ssh_command=${sshAsUser "julm"}" #  "reconnect"
+        "noauto" "x-gvfs-hide" "x-systemd.automount"
+        #"Compression=yes" # YMMV
+        # Disconnect approximately 2*15=30 seconds after a network failure
+        "ServerAliveCountMax=1"
+        "ServerAliveInterval=15"
+      ];
+  in {
+  "/mnt/losurdo" = {
+    device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.wg:/";
+    fsType = "fuse";
+    inherit options;
   };
-  dconf.enable = true;
-  mtr.enable = true;
-};
-
-services.avahi = {
-  enable = true;
-  nssmdns = true;
-  openFirewall = false;
-  publish = {
-    enable = false;
+  "/mnt/mermet" = {
+    device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@mermet.wg:/";
+    fsType = "fuse";
+    inherit options;
+  };
+  "/mnt/ilico/severine" = {
+    device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
+    fsType = "davfs";
+    options =
+      let conf = pkgs.writeText "davfs2.conf" ''
+        backup_dir /home/julm/.local/share/davfs2/ilico/severine
+        secrets /home/julm/.davfs2/secrets
+      ''; in
+      [ "conf=${conf}" "user" "noexec" "nosuid"
+        "noauto" "nofail" "_netdev" "reconnect"
+        "x-systemd.automount"
+        "x-systemd.device-timeout=1m"
+        "x-systemd.idle-timeout=1m"
+        "x-systemd.mount-timeout=10s"
+      ];
   };
 };
-services.davfs2 = {
-  enable = true;
-  extraConfig = ''
-  '';
-};
-fileSystems."/home/julm/mnt/ilico/severine" = {
-  device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
-  fsType = "davfs";
-  options =
-    let conf = pkgs.writeText "davfs2.conf" ''
-      backup_dir /home/julm/documents/backup/ilico/severine
-      cache_dir /home/julm/.cache/davfs2/ilico/severine
-    ''; in
-    [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
-};
-services.dbus = {
-  packages = [ pkgs.gnome3.dconf ];
-};
-services.gvfs = {
-  enable = true;
-};
+
+networking.firewall.extraCommands = ''
+  ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 8000 -j ACCEPT
+'';
+
 services.ipfs = {
   #enable = true;
   defaultMode = "online";
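Review bot: The sshfs entries for `/mnt/losurdo` and `/mnt/mermet` mount the remote root (`julm@losurdo.wg:/`) with `allow_other` but without `default_permissions`, so the kernel performs no access checks and every local uid can read and write the remote tree through julm's remote session (all files are reported as `uid=julm`), not just julm; `programs.fuse.userAllowOther = true` is what makes `allow_other` possible. Adding the FUSE option to the shared `options` list restores kernel-side owner/mode checks: `"user" "uid=julm" "gid=users" "allow_other" "default_permissions"`. Separately, the live `secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem` keeps the binary-cache signing key at a path built from a module argument: if `private` is a path or flake input, interpolating it copies it into the world-readable Nix store, and the newly commented `#secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem` suggests the systemd-credentials route is the intended fix, which is worth finishing rather than leaving as a comment. The removed sshd hardening (`passwordAuthentication = false`, `openFirewall = false`, firewall `allowPing = false`) is presumably relocated to `../nixos/profiles/security.nix` and `oignon/networking.nix`, neither of which is in this diff.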
@@ -211,32 +167,14 @@ services.ipfs = {
   };
   startWhenNeeded = true;
 };
-services.journald = {
-  extraConfig = ''
-    Compress=true
-    MaxRetentionSec=1month
-    Storage=persistent
-    SystemMaxUse=100M
-  '';
-};
-services.printing = {
-  enable = true;
-  drivers = [
-    pkgs.gutenprint
-    pkgs.hplip
-  ];
-};
-services.udev = {
-  packages = [
-    # Allow members of the "adbusers" group to mount Android devices via MTP
-    pkgs.android-udev-rules
-  ];
-};
+
+services.udev.packages = [
+  # Allow the console user access the Yubikey USB device node,
+  # needed for challenge/response to work correctly.
+  pkgs.yubikey-personalization
+];
+
 services.xserver = {
-  enable = true;
-  layout = "fr";
-  xkbOptions = "eurosign:e";
-  libinput.enable = true;
   desktopManager = {
     session = [
       # Let the session be generated by home-manager
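Review bot: Dropping the `services.journald.extraConfig` block removes `Storage=persistent` together with the retention and size caps; unless `../nixos/profiles/system.nix` (not in this diff) sets them again, journald falls back to its default of keeping logs persistent only when `/var/log/journal` exists, so the boot-to-boot history used for troubleshooting and incident review may be lost. If that profile does carry the settings, a one-line comment next to the new `services.udev.packages` block, e.g. `# journald, printing and X keyboard settings live in ../nixos/profiles/`, would make the relocation explicit for the next reader.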
@@ -251,16 +189,14 @@ services.xserver = {
   displayManager = {
     defaultSession = "home-manager";
     #defaultSession = "none+xmonad";
+    #defaultSession = "mate";
+    #defaultSession = "cinnamon";
     autoLogin = {
-      enable = true;
-      user = users.julm.name;
+      user = config.users.users.julm.name;
     };
   };
 };
 
-systemd.coredump.enable = true;
-#environment.enableDebugInfo = true;
-
 # This value determines the NixOS release with which your system is to be
 # compatible, in order to avoid breaking some software such as database
 # servers. You should change this only after NixOS release notes say you should.
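Review bot: Removing `enable = true;` from `services.xserver.displayManager.autoLogin` leaves only `user` set, and the option defaults to false, so auto-login is now off on this host unless `../nixos/profiles/graphical.nix` (outside this diff) enables it; the commit message does not mention the change. If disabling is intended, dropping the `user` line as well keeps the config honest; if not, `enable = true;` needs to come back, or a comment `# enabled in ../nixos/profiles/graphical.nix` should say where it now lives.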