-{ config, pkgs, lib, private, hostName, ... }:
+{ config, pkgs, lib, inputs, private, hostName, ... }:
{
imports = [
+ ../nixos/profiles/builder.nix
../nixos/profiles/debug.nix
- ../nixos/profiles/dnscrypt-proxy2.nix
../nixos/profiles/graphical.nix
../nixos/profiles/lang-fr.nix
- ../nixos/profiles/networking.nix
../nixos/profiles/printing.nix
../nixos/profiles/security.nix
../nixos/profiles/system.nix
../nixos/profiles/tor.nix
- ../nixos/profiles/wireguard/wg-intra.nix
+ ../nixos/profiles/irssi.nix
oignon/backup.nix
oignon/hardware.nix
- oignon/wireguard.nix
+ oignon/networking.nix
];
+# Lower kernel's security for better performances
+boot.kernelParams = [ "mitigations=off" ];
+
home-manager.users.julm = {
imports = [ ../homes/julm.nix ];
host.hardware = [ "ThinkPad" "X201" ];
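Review bot: `boot.kernelParams = [ "mitigations=off" ];` switches off every CPU side-channel mitigation the kernel would otherwise apply, on a host whose import list in this same hunk includes `graphical.nix`, `tor.nix` and the newly added `builder.nix`, so it presumably runs browser content and build jobs that are not fully trusted. The comment above it only says security is lowered; it should record which workload needs the speedup and what exposure is accepted, e.g. `# mitigations=off: disables Spectre/Meltdown/MDS-class mitigations; accepted because <reason>; revisit if this host builds or browses untrusted content`. If a single mitigation is the bottleneck, a narrower switch such as `mds=off` keeps the others in place. The `home-manager.users.julm` block continues outside the hunk.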
systemd.services.home-manager-julm.postStart = ''
${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
'';
+users.users.root = {
+ openssh.authorizedKeys.keys = map lib.readFile [
+ ../private/shared/ssh/julm/oignon.pub
+ ];
+};
users.users.julm = {
isNormalUser = true;
uid = 1000;
hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
extraGroups = [
"adbusers"
+ "dialout"
"lp"
"networkmanager"
"scanner"
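Review bot: The new `users.users.root.openssh.authorizedKeys.keys` entry gives whoever holds the private half of `julm/oignon.pub` a direct root shell over SSH, and nothing in the hunk limits where that key may connect from or what it may do. The key name matches this host's own `oignon/…` modules, so it looks like julm's key on this very machine; if so, any process running as julm that can reach the key or agent is one `ssh root@localhost` away from root (inferred from naming, please confirm). Consider prefixing the key with authorized_keys options, e.g. `''restrict,from="<allowed-addr>" ${lib.readFile ../private/shared/ssh/julm/oignon.pub}''`, and confirm sshd stays on `PermitRootLogin prohibit-password`. If the entry exists only for `builder.nix`, a comment saying so would help the next reader. The `users.users.julm` block continues outside the hunk.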
nix = {
extraOptions = ''
+ #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
'';
- trustedUsers = [ config.users.users."julm".name ];
- binaryCaches = [
- #"http://nix-localcache.losurdo.wg"
- "ssh://nix-ssh@losurdo.wg?priority=30"
- ];
- binaryCachePublicKeys = map lib.readFile [
- ../private/shared/nix/losurdo.pub
- ];
+ settings = {
+ trusted-users = [ config.users.users."julm".name ];
+ substituters = [
+ #"http://nix-localcache.losurdo.wg"
+ "ssh://nix-ssh@losurdo.wg?priority=30"
+ ];
+ trusted-public-keys = map lib.readFile [
+ ../private/shared/nix/losurdo.pub
+ ];
+ };
+ nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
};
#environment.etc."nixpkgs".source = pkgs.path;
#environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
-nix.allowedUsers = [ config.users.users."nix-ssh".name ];
+nix.settings.allowed-users = [ config.users.users."nix-ssh".name ];
nix.sshServe = {
enable = true;
keys = map lib.readFile [
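Review bot: `secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem` stays active while the `/run/credentials/nix-daemon.service/…` variant is added only as a comment. If `private` is a Nix path rather than a string (not visible here), this interpolation copies the binary-cache signing key into the world-readable `/nix/store`, where every local user can read it and it may be reachable through `nix.sshServe`. Either complete the move to the credentials path in this commit or say what blocks it, e.g. `# TODO: switch to the systemd credential once <blocker>; until then priv.pem must stay outside the store`. The rest of the hunk is a rename to `nix.settings.*`, and the `nix.sshServe` block continues outside it.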
programs.fuse.userAllowOther = true;
+services.davfs2.enable = true;
+
fileSystems =
# Use the user's gpg-agent session to query
# for the password of the SSH key when auto-mounting.
];
in {
"/mnt/losurdo" = {
- device = "${pkgs.sshfsFuse}/bin/sshfs#julm@losurdo.wg:/";
+ device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.wg:/";
fsType = "fuse";
inherit options;
};
"/mnt/mermet" = {
- device = "${pkgs.sshfsFuse}/bin/sshfs#julm@mermet.wg:/";
+ device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@mermet.wg:/";
fsType = "fuse";
inherit options;
};
+ "/mnt/ilico/severine" = {
+ device = "https://nuage.ilico.org/remote.php/dav/files/severine/";
+ fsType = "davfs";
+ options =
+ let conf = pkgs.writeText "davfs2.conf" ''
+ backup_dir /home/julm/.local/share/davfs2/ilico/severine
+ secrets /home/julm/.davfs2/secrets
+ ''; in
+ [ "conf=${conf}" "user" "noexec" "nosuid"
+ "noauto" "nofail" "_netdev" "reconnect"
+ "x-systemd.automount"
+ "x-systemd.device-timeout=1m"
+ "x-systemd.idle-timeout=1m"
+ "x-systemd.mount-timeout=10s"
+ ];
+ };
};
networking.firewall.extraCommands = ''
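Review bot: The `/mnt/ilico/severine` entry uses `x-systemd.automount`, which has systemd perform the mount as root, while `secrets` and `backup_dir` in the generated `davfs2.conf` point into `/home/julm`. A root-run `mount.davfs` would therefore read credentials from, and write backups into, a directory julm controls. No `uid=`, `gid=`, `file_mode=` or `dir_mode=` options are given, so who can read the mounted WebDAV files is left to davfs2 defaults; consider adding `"uid=julm" "file_mode=0600" "dir_mode=0700"` and a comment that `/home/julm/.davfs2/secrets` must be mode 0600. I have not verified how davfs2 treats `conf=` and the `secrets` directive when invoked by root, so confirm the credentials file is actually honoured on automount. The `networking.firewall.extraCommands` string that follows is cut off by the hunk.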