{ config, pkgs, lib, inputs, private, hostName, ... }:
-let
- inherit (config.users) users;
- inherit (config.services) davfs2;
-in
{
imports = [
- ../profiles/dnscrypt-proxy2.nix
- ../profiles/security.nix
- oignon/hardware.nix
- oignon/openvpn.nix
- oignon/wireguard.nix
- oignon/tor.nix
+ ../nixos/profiles/builder.nix
+ ../nixos/profiles/debug.nix
+ ../nixos/profiles/graphical.nix
+ ../nixos/profiles/lang-fr.nix
+ ../nixos/profiles/printing.nix
+ ../nixos/profiles/security.nix
+ ../nixos/profiles/system.nix
+ ../nixos/profiles/tor.nix
+ ../nixos/profiles/irssi.nix
oignon/backup.nix
+ oignon/hardware.nix
+ oignon/networking.nix
];
+# Lower kernel's security for better performances
+boot.kernelParams = [ "mitigations=off" ];
+
home-manager.users.julm = {
imports = [ ../homes/julm.nix ];
- host.name = hostName;
- host.hardware = ["ThinkPad" "X201"];
+ host.hardware = [ "ThinkPad" "X201" ];
};
systemd.services.home-manager-julm.postStart = ''
${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
'';
-security.lockKernelModules = false;
-users.mutableUsers = false;
+users.users.root = {
+ openssh.authorizedKeys.keys = map lib.readFile [
+ ../private/shared/ssh/julm/oignon.pub
+ ];
+};
users.users.julm = {
isNormalUser = true;
uid = 1000;
hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
extraGroups = [
"adbusers"
+ "dialout"
"lp"
"networkmanager"
"scanner"
"video"
"wheel"
#"ipfs"
- davfs2.davGroup
+ config.services.davfs2.davGroup
#"vboxusers"
];
# If created, zfs-mount.service would require:
# zfs set overlay=yes ${hostName}/home
createHome = false;
+ openssh.authorizedKeys.keys = map lib.readFile [
+ ../private/shared/ssh/julm/losurdo.pub
+ ];
};
nix = {
extraOptions = ''
- auto-optimise-store = true
+ #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
'';
- gc = {
- automatic = true;
- dates = "weekly";
- options = "--delete-older-than 7d";
+ settings = {
+ trusted-users = [ config.users.users."julm".name ];
+ substituters = [
+ #"http://nix-localcache.losurdo.wg"
+ "ssh://nix-ssh@losurdo.wg?priority=30"
+ ];
+ trusted-public-keys = map lib.readFile [
+ ../private/shared/nix/losurdo.pub
+ ];
};
- nixPath = [
- "nixpkgs=/etc/nixpkgs"
- "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
- ];
- trustedUsers = [ users.julm.name ];
- binaryCaches = [ "https://nix-localcache.sourcephile.fr" ];
- binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
+ nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
};
-documentation.enable = false;
+#environment.etc."nixpkgs".source = pkgs.path;
+#environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
+
+nix.settings.allowed-users = [ config.users.users."nix-ssh".name ];
nix.sshServe = {
enable = true;
- keys = [ (lib.readFile ../private/world/julm/losurdo/ssh.pub) ];
-};
-users.users.julm.openssh.authorizedKeys.keys = [
- (lib.readFile ../private/world/julm/losurdo/ssh.pub)
-];
-services.openssh.openFirewall = false;
-services.openssh.forwardX11 = true;
-services.openssh.passwordAuthentication = false;
-
-nixpkgs.config.allowUnfree = true;
-environment.etc."nixpkgs".source = pkgs.path;
-environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
-
-documentation.nixos.enable = true;
-time.timeZone = "Europe/Paris";
-i18n.defaultLocale = "fr_FR.UTF-8";
-console.font = "Lat2-Terminus16";
-console.keyMap = "fr";
-
-networking = {
- hostName = hostName;
- domain = "localdomain";
- search = [ "sourcephile.fr" ];
- networkmanager = {
- enable = true;
- #dhcp = "dhcpcd";
- logLevel = "INFO";
- wifi = {
- #backend = "iwd";
- #backend = "wpa_supplicant";
- powersave = false;
- };
- };
- firewall = {
- enable = true;
- allowPing = false;
- };
+ keys = map lib.readFile [
+ ../private/shared/ssh/julm/losurdo.pub
+ ../private/shared/ssh/sevy/patate.pub
+ ../private/shared/ssh/julm/oignon.pub
+ ];
};
-sound.enable = true;
-hardware.pulseaudio.enable = true;
-hardware.sane.enable = true;
-hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
-
-environment.variables = {
- EDITOR = "vim";
- PAGER = "less -R";
- SYSTEMD_LESS = "FKMRX";
-};
environment.systemPackages = [
- pkgs.mkpasswd
- pkgs.gdb
+ pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules
];
-programs = {
- bash = {
- interactiveShellInit = ''
- bind '"\e[A":history-search-backward'
- bind '"\e[B":history-search-forward'
-
- # Ignore duplicate commands, ignore commands starting with a space
- export HISTCONTROL=erasedups:ignorespace
- export HISTSIZE=42000
- # Append to the history instead of overwriting (good for multiple connections)
- shopt -s histappend
+boot.extraModulePackages = [
+ #config.boot.kernelPackages.v4l2loopback
+];
- # Utilities
- mkcd () { mkdir -p "$1"; cd "$1"; }
- fan () {
- if [ $# -gt 0 ]
- then sudo tee /proc/acpi/ibm/fan <<<"level $1"
- else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
- fi
- acpi -t
- }
- '';
- shellAliases = {
- cl = "clear";
- grep = "grep --color";
- l = "ls -alh";
- ll = "ls -al";
- ls = "ls --color=tty";
- mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
+programs.fuse.userAllowOther = true;
- s="sudo systemctl";
- st="sudo systemctl status";
- u="systemctl --user";
- j="sudo journalctl -u";
- jb="sudo journalctl -b";
+services.davfs2.enable = true;
- nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
- mv = "mv -i";
- sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
- };
+fileSystems =
+ # Use the user's gpg-agent session to query
+ # for the password of the SSH key when auto-mounting.
+ let
+ sshAsUser = user:
+ pkgs.writeScript "sshAsUser-${user}" ''
+ exec ${pkgs.sudo}/bin/sudo -i -u ${user} \
+ ${pkgs.openssh}/bin/ssh "$@"
+ '';
+ options =
+ [
+ "noatime" "noexec" "nosuid"
+ "user" "uid=julm" "gid=users" "allow_other"
+ "_netdev" "ssh_command=${sshAsUser "julm"}" # "reconnect"
+ "noauto" "x-gvfs-hide" "x-systemd.automount"
+ #"Compression=yes" # YMMV
+ # Disconnect approximately 2*15=30 seconds after a network failure
+ "ServerAliveCountMax=1"
+ "ServerAliveInterval=15"
+ ];
+ in {
+ "/mnt/losurdo" = {
+ device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.wg:/";
+ fsType = "fuse";
+ inherit options;
};
- dconf.enable = true;
- mtr.enable = true;
-};
-
-services.avahi = {
- enable = true;
- nssmdns = true;
- openFirewall = false;
- publish = {
- enable = false;
+ "/mnt/mermet" = {
+ device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@mermet.wg:/";
+ fsType = "fuse";
+ inherit options;
+ };
+ "/mnt/ilico/severine" = {
+ device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
+ fsType = "davfs";
+ options =
+ let conf = pkgs.writeText "davfs2.conf" ''
+ backup_dir /home/julm/.local/share/davfs2/ilico/severine
+ secrets /home/julm/.davfs2/secrets
+ ''; in
+ [ "conf=${conf}" "user" "noexec" "nosuid"
+ "noauto" "nofail" "_netdev" "reconnect"
+ "x-systemd.automount"
+ "x-systemd.device-timeout=1m"
+ "x-systemd.idle-timeout=1m"
+ "x-systemd.mount-timeout=10s"
+ ];
};
};
-services.davfs2 = {
- enable = true;
- extraConfig = ''
- '';
-};
-fileSystems."/home/julm/mnt/ilico/severine" = {
- device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
- fsType = "davfs";
- options =
- let conf = pkgs.writeText "davfs2.conf" ''
- backup_dir /home/julm/documents/backup/ilico/severine
- cache_dir /home/julm/.cache/davfs2/ilico/severine
- ''; in
- [ "conf=${conf}" "user" "noexec" "nosuid" "noauto" ]; # "x-systemd.automount"
-};
-services.dbus = {
- packages = [ pkgs.gnome3.dconf ];
-};
-services.gvfs = {
- enable = true;
-};
+
+networking.firewall.extraCommands = ''
+ ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 8000 -j ACCEPT
+'';
+
services.ipfs = {
#enable = true;
defaultMode = "online";
};
startWhenNeeded = true;
};
-services.journald = {
- extraConfig = ''
- Compress=true
- MaxRetentionSec=1month
- Storage=persistent
- SystemMaxUse=100M
- '';
-};
-services.printing = {
- enable = true;
- drivers = [
- pkgs.gutenprint
- pkgs.hplip
- ];
-};
-services.udev = {
- packages = [
- # Allow members of the "adbusers" group to mount Android devices via MTP
- pkgs.android-udev-rules
- ];
-};
+
+services.udev.packages = [
+ # Allow the console user access the Yubikey USB device node,
+ # needed for challenge/response to work correctly.
+ pkgs.yubikey-personalization
+];
+
services.xserver = {
- enable = true;
- layout = "fr";
- xkbOptions = "eurosign:e";
- libinput.enable = true;
desktopManager = {
session = [
# Let the session be generated by home-manager
displayManager = {
defaultSession = "home-manager";
#defaultSession = "none+xmonad";
+ #defaultSession = "mate";
+ #defaultSession = "cinnamon";
autoLogin = {
- enable = true;
- user = users.julm.name;
+ user = config.users.users.julm.name;
};
};
};
-systemd.coredump.enable = true;
-#environment.enableDebugInfo = true;
-
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you should.