nix: revamp in profiles
authorJulien Moutinho <julm+julm-nix@sourcephile.fr>
Tue, 2 Nov 2021 01:19:50 +0000 (02:19 +0100)
committerJulien Moutinho <julm+julm-nix@sourcephile.fr>
Tue, 2 Nov 2021 04:01:10 +0000 (05:01 +0100)
28 files changed:
homes/julm.nix
homes/julm/hosts/carotte.nix
homes/julm/hosts/losurdo.nix
homes/julm/hosts/mermet.nix
homes/julm/hosts/oignon.nix
homes/options.nix
homes/softwares/emacs.nix
homes/softwares/gnupg.nix
homes/softwares/vim.nix
hosts/oignon.nix
hosts/patate.nix
nixos/profiles/bash.nix [new file with mode: 0644]
nixos/profiles/dnscrypt-proxy2.nix [moved from profiles/dnscrypt-proxy2.nix with 100% similarity]
nixos/profiles/security.nix [new file with mode: 0644]
nixos/profiles/wireguard/wg-intra.nix [moved from networking/wireguard/wg-intra.nix with 100% similarity]
nixos/profiles/wireguard/wg-intra/hosts.nix [moved from networking/wireguard/wg-intra/hosts.nix with 100% similarity]
profiles/chat.nix [new file with mode: 0644]
profiles/developing.nix [new file with mode: 0644]
profiles/drawing.nix [new file with mode: 0644]
profiles/gaming.nix [new file with mode: 0644]
profiles/graphical.nix [new file with mode: 0644]
profiles/networking.nix [new file with mode: 0644]
profiles/office.nix [new file with mode: 0644]
profiles/security.nix
profiles/sharing.nix [new file with mode: 0644]
profiles/system.nix [new file with mode: 0644]
profiles/video.nix [new file with mode: 0644]
profiles/web.nix [new file with mode: 0644]

index e250b06078aa078cf903f8bc8566d5b964f910fc..71ff5ef499e3a7ac4d185f41130d27785148c13a 100644 (file)
@@ -6,17 +6,7 @@ imports = [
   julm/mutt.nix
   (import (julm/hosts + "/${hostName}.nix"))
 ];
-host.desktop = lib.elem hostName [ /*"losurdo"*/ "oignon" ];
-host.server = lib.elem hostName [ "losurdo" "mermet" ];
-host.admin = lib.elem hostName [ "carotte" "losurdo" "mermet" "oignon" ];
-host.developer = lib.elem hostName [ "losurdo" "oignon" ];
-host.media = lib.elem hostName [ "losurdo" "oignon" ];
-programs.bat.enable = with config.host; developer;
-programs.bash.enable = true;
-#programs.broot.enable = true;
-programs.doom-emacs.enable = config.host.developer;
 programs.firefox = {
-  enable = config.host.desktop;
   profiles =
     let defaultProfile = {
       settings = {
@@ -47,23 +37,18 @@ programs.firefox = {
       }];
     };
 };
-programs.gpg.enable = with config.host; developer;
 home.file."${config.programs.gpg.homedir}/gpg.conf".text = ''
   # julm@autogeree.net
   trusted-key 0xD15AF7F467E8299B
   # julm@sourcephile.fr (2021-08-12)
   trusted-key 0xA58CD81C3863926F
 '';
-services.gpg-agent.enable = config.programs.gpg.enable;
 services.gpg-agent.sshKeys = [
   # julm@autogeree.net
   "D275EBA09C7E1FFBFB47F6EEF164E6D56FB24AB2"
   # julm@sourcephile.fr (2021-08-12)
   "3D94D14514F1EA2B6D62F1275D888897B082415D"
 ];
-programs.direnv.enable = config.host.developer;
-programs.htop.enable = config.host.admin;
-programs.irssi.enable = hostName == "mermet" || hostName == "losurdo";
 programs.irssi.extraConfig = builtins.readFile julm/irssi/config;
 home.file.".irssi/passwd".text = ''
   FreeNode   : ${pkgs.pass}/bin/pass freenode.net/irc/julm
@@ -73,20 +58,13 @@ home.file.".irssi/passwd".text = ''
   OFTC       : ${pkgs.pass}/bin/pass oftc.net/irc/julm
   ToileLibre : ${pkgs.pass}/bin/pass toile-libre.org/irc/julm
 '';
-programs.man.enable = config.host.developer;
-programs.neovim.enable = config.host.developer;
-programs.ssh.enable = config.host.admin;
-programs.ssh.matchBlocks."lan.losurdo.sourcephile.fr" = {
+programs.ssh.matchBlocks = lib.genAttrs ["lan.losurdo.sourcephile.fr" "losurdo.wg"] (_: {
   compression = true; # Helps to get a better framerate with forwardX11
   forwardX11 = true;
   forwardX11Trusted = true;
   serverAliveInterval = 15;
-};
-programs.tmux.enable = with config.host; admin || developer;
-programs.vim.enable = with config.host; developer;
-manual.manpages.enable = config.host.developer;
+});
 programs.git = {
-  enable = with config.host; admin || developer;
   userName = "Julien Moutinho";
   userEmail = "julm@sourcephile.fr";
   signing.key = "0x7182433A39582282929B2A222E3618DD0D087650";
@@ -102,9 +80,6 @@ programs.git = {
     sendemail.smtpUser = "julm@sourcephile.fr";
   };
 };
-services.redshift.enable = lib.mkDefault config.host.desktop;
-xsession.enable = lib.mkDefault config.host.desktop;
-xsession.windowManager.xmonad.enable = lib.mkDefault config.host.desktop;
 home.stateVersion = "20.09";
 home.sessionPath = [ "${config.home.homeDirectory}/bin" ];
 home.sessionVariables = {
@@ -114,169 +89,4 @@ home.sessionVariables = {
   LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive";
   MANPAGER = "less";
 };
-# Warning: triggers a rebuild of mumble
-#nixpkgs.config.mumble.speechdSupport = lib.mkDefault config.host.desktop;
-home.packages =
-  lib.optionals config.host.desktop [
-  #pkgs.chromium
-  #pkgs.ristretto
-  #pkgs.transmission-gtk
-  #(pkgs.texlive.combine { inherit (pkgs.texlive) scheme-medium xdvi; })
-  (pkgs.texlive.combine { inherit (pkgs.texlive) scheme-medium xdvi ucs; })
-  pkgs.amule
-  pkgs.calibre
-  pkgs.dino
-  pkgs.djview
-  pkgs.dmenu
-  pkgs.evince
-  pkgs.freeciv_gtk
-  pkgs.gajim
-  pkgs.geeqie
-  pkgs.gimp
-  pkgs.glxinfo
-  pkgs.gparted
-  pkgs.gpicview
-  pkgs.hicolor-icon-theme
-  pkgs.keepass
-  pkgs.libdvdcss
-  pkgs.libreoffice
-  pkgs.liferea
-  pkgs.mpv
-  pkgs.mumble
-  pkgs.networkmanager-openvpn
-  pkgs.networkmanagerapplet
-  pkgs.nix-du
-  pkgs.pavucontrol
-  pkgs.pdftk
-  pkgs.poppler_utils
-  pkgs.thunderbird
-  pkgs.vlc
-  pkgs.xclip
-  pkgs.xorg.xkill
-  pkgs.xsane
-  pkgs.yubikey-personalization-gui
-  ] ++ lib.optionals config.host.media [
-  #pkgs.amfora
-  #pkgs.browsh
-  #pkgs.glib # gio
-  #pkgs.go-mtpfs
-  #pkgs.gvfs
-  #pkgs.onionshare
-  pkgs.aria2
-  pkgs.convmv
-  pkgs.croc
-  pkgs.ffmpeg
-  pkgs.gtk-pipe-viewer
-  pkgs.imagemagick
-  pkgs.lftp
-  pkgs.mastodon-archive
-  pkgs.mplayer
-  pkgs.ntfs3g
-  pkgs.podl
-  pkgs.stig
-  pkgs.yt-dlp
-  ] ++ lib.optionals config.host.admin [
-  #pkgs.compsize
-  #pkgs.dnsutils
-  #pkgs.inetutils
-  #pkgs.linuxPackages.cpupower
-  #pkgs.ranger
-  pkgs.acpi
-  pkgs.bmon
-  pkgs.cryptsetup
-  pkgs.curl
-  pkgs.dstat
-  pkgs.e2fsprogs
-  pkgs.ethtool
-  pkgs.file
-  pkgs.hwinfo
-  pkgs.knot-dns
-  pkgs.ldns
-  pkgs.lf
-  pkgs.lm_sensors
-  pkgs.lsof
-  pkgs.lsscsi
-  pkgs.miniupnpc
-  pkgs.mosh
-  pkgs.ncdu
-  pkgs.nmap
-  pkgs.nmon
-  pkgs.nnn
-  pkgs.openssl
-  pkgs.parted
-  pkgs.pass
-  pkgs.pciutils
-  pkgs.powertop
-  pkgs.procps
-  pkgs.pv
-  pkgs.rdfind
-  pkgs.smartmontools
-  pkgs.sshfs
-  pkgs.strace
-  pkgs.stress-ng
-  pkgs.tcpdump
-  pkgs.tree
-  pkgs.usbutils
-  pkgs.utillinux
-  pkgs.wget
-  pkgs.which
-  pkgs.xdg_utils
-  ] ++ lib.optionals config.host.developer [
-  #pkgs.dracut not yet packaged
-  #pkgs.git-remote-gpg
-  #pkgs.haskell.packages.ghc865.zerobin
-  #pkgs.i7z
-  #pkgs.ipfs
-  #pkgs.linuxPackages.perf
-  #pkgs.meli
-  #pkgs.ncurses
-  #pkgs.profanity
-  #pkgs.ripgrep
-  #pkgs.sdate
-  pkgs.aspell
-  pkgs.aspellDicts.fr
-  pkgs.bc
-  pkgs.binutils
-  pkgs.binwalk
-  pkgs.cachix
-  pkgs.exa
-  pkgs.git-chglog
-  pkgs.git-crypt
-  pkgs.git-quick-stats
-  pkgs.gnumake
-  pkgs.graphviz
-  pkgs.hledger
-  pkgs.hunspell
-  pkgs.hunspellDicts.fr-moderne
-  pkgs.jc
-  pkgs.jq
-  pkgs.libfaketime
-  pkgs.libidn
-  pkgs.libxml2.bin
-  pkgs.mailutils
-  pkgs.neofetch
-  pkgs.neomutt
-  pkgs.nix-prefetch-git
-  pkgs.nixpkgs-review
-  pkgs.opusTools
-  pkgs.p7zip
-  pkgs.pastebinit
-  pkgs.patchelf
-  pkgs.picocom
-  pkgs.qprint
-  pkgs.reuse
-  pkgs.shellcheck
-  pkgs.sipcalc
-  pkgs.socat
-  pkgs.sqlite
-  pkgs.tig
-  pkgs.ubootTools
-  pkgs.unar
-  pkgs.unzip
-  pkgs.vbetool
-  pkgs.wgetpaste
-  pkgs.xmlstarlet
-  pkgs.xsel
-  pkgs.yubikey-personalization
-  ];
 }
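Review bot: `forwardX11Trusted = true` now reaches `losurdo.wg` as well as the LAN name, because the `lib.genAttrs` at the matchBlocks line stamps the same block onto both hosts; trusted forwarding disables the X SECURITY-extension restrictions, so the remote host gets full access to the local display whichever path is used. The only comment in the block explains `compression`, so the widened trust is silent; a comment such as `# Trusted X11 forwarding: losurdo is fully trusted with the local display` would record the intent, or `forwardX11Trusted` could be dropped if untrusted forwarding is enough for the X11 use here. The attribute set of homes/julm.nix continues outside these hunks.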
index 5b9ef64c73ab10d5ab336956392dc0f2a71ee85a..011cdafb5e907c9738615cf8f850e89bfaa02047 100644 (file)
@@ -1,15 +1,15 @@
 { pkgs, lib, config, ... }:
 {
+imports = [
+  ../../../profiles/graphical.nix
+  ../../../profiles/networking.nix
+  ../../../profiles/security.nix
+  ../../../profiles/system.nix
+];
 services.gpg-agent.pinentryFlavor = lib.mkForce "curses";
 /*
 xsession.enable = true;
 xsession.windowManager.xmonad.enable = true;
-home.packages = [
-  #pkgs.blender
-  pkgs.glxinfo
-  pkgs.mpv
-  pkgs.pavucontrol
-];
 services.screen-locker.inactiveInterval = 10; # minutes
 */
 }
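Review bot: `services.gpg-agent.pinentryFlavor = lib.mkForce "curses";` is a stronger override than this host now needs, since homes/softwares/gnupg.nix in this same commit wraps its value in `lib.mkDefault`; a plain `"curses"` already wins over a mkDefault and stays overridable, whereas mkForce silently shadows any later plain definition and conflicts with another mkForce. The same line appears in homes/julm/hosts/losurdo.nix. This is a point of style only; the evaluated value is unchanged either way.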
index 9f5248ba6c13128ef5e1959784df93252246a563..51d35d29dc6c8032fd6a7b1ba6da3c4dbe4eddd9 100644 (file)
@@ -1,13 +1,22 @@
 { pkgs, lib, config, ... }:
 {
+imports = [
+  #../../../profiles/chat.nix
+  ../../../profiles/developing.nix
+  ../../../profiles/graphical.nix
+  ../../../profiles/networking.nix
+  ../../../profiles/sharing.nix
+  ../../../profiles/security.nix
+  ../../../profiles/system.nix
+  ../../../profiles/video.nix
+];
 services.gpg-agent.pinentryFlavor = lib.mkForce "curses";
 xsession.enable = true;
 xsession.windowManager.xmonad.enable = true;
 home.packages = [
   #pkgs.blender
-  pkgs.glxinfo
-  pkgs.mpv
-  pkgs.pavucontrol
+  #pkgs.freecad
+  #pkgs.sweethome3d.application
 ];
 services.screen-locker.inactiveInterval = 10; # minutes
 }
index b2fa14ca3e5687eb2af37054a6882c5c084c44bc..863d4eb123932d7c08f576e1d8ee3561d0dc5a58 100644 (file)
@@ -1,3 +1,12 @@
 { pkgs, lib, config, ... }:
 {
+imports = [
+  ../../../profiles/networking.nix
+  ../../../profiles/security.nix
+  ../../../profiles/system.nix
+];
+programs.irssi.enable = true;
+home.packages = [
+  pkgs.neomutt
+];
 }
index e6e41d854d995d25b376645d03f81834b4368008..31807177c75d69c81e8ccf83f7f3709b8641cff2 100644 (file)
@@ -1,5 +1,19 @@
 { pkgs, lib, config, ... }:
 {
+imports = [
+  ../../../profiles/chat.nix
+  ../../../profiles/developing.nix
+  ../../../profiles/drawing.nix
+  ../../../profiles/gaming.nix
+  ../../../profiles/graphical.nix
+  ../../../profiles/networking.nix
+  ../../../profiles/office.nix
+  ../../../profiles/security.nix
+  ../../../profiles/sharing.nix
+  ../../../profiles/system.nix
+  ../../../profiles/video.nix
+  ../../../profiles/web.nix
+];
 programs.bash.shellAliases.riseup = "sudo ip netns exec riseup sudo -u $USER PULSE_SERVER=/run/user/$(id -u $USER)/pulse/native";
 programs.bash.shellAliases.firefox = "riseup firefox";
 programs.gpg.homedir = "${config.home.homeDirectory}/documents/sec/.gnupg";
@@ -7,18 +21,13 @@ home.sessionVariables = {
   PASSWORD_STORE_DIR = "$HOME/documents/sec/.password-store";
 };
 home.packages = [
-  pkgs.arandr
-  #pkgs.freecad
-  pkgs.gcolor2
   pkgs.gpsbabel
-  pkgs.graphviz
-  pkgs.inkscape
-  pkgs.optipng
   (pkgs.qgis.override { extraPythonPackages = (ps: [
     ps.pyqt5_with_qtwebkit
   ]); })
-  pkgs.x2goclient
   #pkgs.libva-utils
-  #pkgs.sweethome3d.application
+  #pkgs.ristretto
 ];
+xsession.enable = true;
+xsession.windowManager.xmonad.enable = true;
 }
index 696e46b8bd2820c096c530f2e0ec0e2d750e5394..49739de937e0ebd7a16516a11888fb2d9d75d712 100644 (file)
@@ -8,10 +8,5 @@ options.host = {
       "/sys/devices/virtual/dmi/id/product_name"));
     description = "hardware";
   };
-  admin = lib.mkEnableOption "admin profile";
-  desktop = lib.mkEnableOption "desktop profile";
-  developer = lib.mkEnableOption "developer profile";
-  media = lib.mkEnableOption "media profile";
-  server = lib.mkEnableOption "server profile";
 };
 }
index bda76abe52ef54044644663c61bc80cec05466ea..ad5e022c66c144fd308bf94af2dda4bb9b1fc61a 100644 (file)
@@ -11,7 +11,7 @@ imports = [
   inputs.nix-doom-emacs.hmModule
 ];
 programs.doom-emacs = {
-  enable = config.host.developer;
+  enable = true;
   doomPrivateDir =
     "${config.home.homeDirectory}/.doom.d";
 };
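Review bot: `enable = true;` is unconditional here while profiles/developing.nix sets `programs.doom-emacs.enable = lib.mkDefault true;`, so if this module is imported on every host (its importers are not visible in the hunk) doom-emacs is enabled everywhere and the profile's default never decides. `enable = lib.mkDefault true;` would keep the profile and the hosts in charge; if emacs.nix is only imported on developer hosts, a comment saying so would make that dependency explicit. The enclosing attribute set continues outside the hunk.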
index 956820c466633206b6475819920523801af0f42a..7b7dc2b0ae44d9cd69e8565b4a52d2fc695572dd 100644 (file)
@@ -1,6 +1,5 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, nixosConfig, ... }:
 {
-config = {
 /*
 home.activation.gnupg = lib.hm.dag.entryAfter ["writeBoundary"] ''
   install -d -m700 ${lib.escapeShellArg config.programs.gpg.homedir}
@@ -9,7 +8,7 @@ home.activation.gnupg = lib.hm.dag.entryAfter ["writeBoundary"] ''
 services.gpg-agent = {
   enableSshSupport = true;
   enableExtraSocket = true;
-  pinentryFlavor = if config.host.desktop then "gtk2" else "curses";
+  pinentryFlavor = lib.mkDefault (if nixosConfig.services.xserver.enable then "gtk2" else "curses");
 };
 programs.gpg.settings = {
   #auto-key-locate = "keyserver";
@@ -43,14 +42,4 @@ home.file."${config.programs.gpg.homedir}/dirmngr.conf".text = ''
   #log-file dirmngr.log
   #standard-resolver
 '';
-}/* // lib.optionalAttrs (!config.useGlobalPkgs) {
-nixpkgs.overlays = [ (self: super: {
-  # Avoid rebuilding graphical dependencies
-  # when using Nixpkgs PRs rebuilding them.
-  # See https://github.com/NixOS/nixpkgs/issues/96306#issuecomment-722140002
-  pinentry = super.pinentry.override {
-    enabledFlavors = [ "curses" "tty" ] ++ lib.optional config.host.desktop "gtk2";
-  };
-}) ];
-}*/;
 }
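Review bot: the new `nixosConfig` argument on the module header is only supplied when home-manager is evaluated through its NixOS module (as hosts/oignon.nix does with `home-manager.users.julm`); a standalone `home-manager switch` against homes/julm.nix would fail with an undefined `nixosConfig` when it reaches the `pinentryFlavor` line. The same dependency is introduced in homes/softwares/vim.nix, profiles/networking.nix, profiles/office.nix and profiles/security.nix. A header comment such as `# Requires the NixOS home-manager module: nixosConfig is not available standalone` on each of these files, or a guarded lookup like `(nixosConfig.services.xserver.enable or false)` with `nixosConfig ? {}` in the header, would make the constraint explicit.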
index 6d24591faf97c45977787da28d504c416dd6dfb0..433fb8d201fd134881b3980e573b72ca031235dd 100644 (file)
@@ -1,7 +1,6 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, nixosConfig, ... }:
 let inherit (builtins) readFile; in
 {
-config = {
 programs.vim = {
   extraConfig =
     readFile vim/init.vim
@@ -39,12 +38,13 @@ programs.vim = {
     #pkgs.vimPlugins.fugitive
     pkgs.vimPlugins.vim-ghcid-quickfix
   ];
-} // lib.optionalAttrs (!config.host.desktop) {
+} // lib.optionalAttrs (!nixosConfig.services.xserver.enable) {
   packageConfigurable =
     pkgs.vim_configurable.override {
       config.vim.gui = "none";
     };
 };
+
 programs.neovim = {
   extraConfig =
     readFile vim/init.vim +
@@ -77,8 +77,4 @@ programs.neovim = {
     #pkgs.vimPlugins.fugitive
   ];
 };
-} /* // lib.optionalAttrs (!config.useGlobalPkgs) {
-  nixpkgs.config.vim.gui = if config.host.desktop then "gtk3" else "";
-}*/;
-
 }
index 9ac926a64a1908acbd34faaa40cb01a5c93a6846..395c794d3a62835f264556e01ac4dbf12b712dfe 100644 (file)
@@ -1,13 +1,9 @@
 { config, pkgs, lib, private, hostName, ... }:
-let
-  inherit (config.users) users;
-  inherit (config.services) davfs2;
-in
 {
 imports = [
-  ../profiles/dnscrypt-proxy2.nix
-  ../profiles/security.nix
-  ../networking/wireguard/wg-intra.nix
+  ../nixos/profiles/dnscrypt-proxy2.nix
+  ../nixos/profiles/security.nix
+  ../nixos/profiles/wireguard/wg-intra.nix
   oignon/hardware.nix
   oignon/wireguard.nix
   oignon/tor.nix
@@ -15,10 +11,8 @@ imports = [
 ];
 
 home-manager.users.julm = {
-  imports = [
-    ../homes/julm.nix
-  ];
-  host.hardware = ["ThinkPad" "X201"];
+  imports = [ ../homes/julm.nix ];
+  host.hardware = [ "ThinkPad" "X201" ];
 };
 systemd.services.home-manager-julm.postStart = ''
   ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
@@ -40,7 +34,7 @@ users.users.julm = {
     "video"
     "wheel"
     #"ipfs"
-    davfs2.davGroup
+    config.services.davfs2.davGroup
     #"vboxusers"
   ];
   # If created, zfs-mount.service would require:
@@ -53,19 +47,11 @@ nix = {
     secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
   '';
   autoOptimiseStore = true;
-  gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 7d";
-  };
-  /*
-  nixPath = [
-    "nixpkgs=/etc/nixpkgs"
-    "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
-  ];
-  */
+  gc.automatic = true;
+  gc.dates = "weekly";
+  gc.options = "--delete-older-than 7d";
   nixPath = lib.mkForce [];
-  trustedUsers = [ users.julm.name ];
+  trustedUsers = [ config.users.users.julm.name ];
   binaryCaches = [ "http://nix-localcache.losurdo.wg" ];
   binaryCachePublicKeys = [ "losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=" ];
 };
@@ -87,9 +73,6 @@ nix.sshServe = {
 users.users.julm.openssh.authorizedKeys.keys = [
   (lib.readFile ../private/world/julm/losurdo/ssh.pub)
 ];
-services.openssh.openFirewall = false;
-services.openssh.forwardX11 = true;
-services.openssh.passwordAuthentication = false;
 
 time.timeZone = "Europe/Paris";
 i18n.defaultLocale = "fr_FR.UTF-8";
@@ -126,57 +109,18 @@ environment.variables = {
   PAGER  = "less -R";
   SYSTEMD_LESS = "FKMRX";
 };
-environment.systemPackages = [
-  pkgs.mkpasswd
-  pkgs.gdb
-  pkgs.riseup-vpn
-  #pkgs.calyx-vpn
-];
-
-programs = {
-  bash = {
-    interactiveShellInit = ''
-      bind '"\e[A":history-search-backward'
-      bind '"\e[B":history-search-forward'
-
-      # Ignore duplicate commands, ignore commands starting with a space
-      export HISTCONTROL=erasedups:ignorespace
-      export HISTSIZE=42000
-      # Append to the history instead of overwriting (good for multiple connections)
-      shopt -s histappend
-
-      # Utilities
-      mkcd () { mkdir -p "$1"; cd "$1"; }
-      fan () {
-        if [ $# -gt 0 ]
-        then sudo tee /proc/acpi/ibm/fan <<<"level $1"
-        else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
-        fi
-        acpi -t
-      }
-    '';
-    shellAliases = {
-      cl = "clear";
-      grep = "grep --color";
-      l  = "ls -alh";
-      ll = "ls -al";
-      ls = "ls --color=tty";
-      mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
-
-      s="sudo systemctl";
-      st="sudo systemctl status";
-      u="systemctl --user";
-      j="sudo journalctl -u";
-      jb="sudo journalctl -b";
 
-      nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
-      mv = "mv -i";
-      sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
-    };
-  };
-  dconf.enable = true;
-  mtr.enable = true;
-};
+programs.bash.interactiveShellInit = ''
+  fan () {
+    if [ $# -gt 0 ]
+    then sudo tee /proc/acpi/ibm/fan <<<"level $1"
+    else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
+    fi
+    acpi -t
+  }
+'';
+programs.dconf.enable = true;
+programs.mtr.enable = true;
 
 services.avahi = {
   enable = true;
@@ -204,9 +148,7 @@ fileSystems."/home/julm/mnt/ilico/severine" = {
 services.dbus = {
   packages = [ pkgs.gnome3.dconf ];
 };
-services.gvfs = {
-  enable = true;
-};
+services.gvfs.enable = true;
 services.ipfs = {
   #enable = true;
   defaultMode = "online";
@@ -222,13 +164,8 @@ services.ipfs = {
   };
   startWhenNeeded = true;
 };
-services.journald = {
-  extraConfig = ''
-    Compress=true
-    MaxRetentionSec=1month
-    Storage=persistent
-    SystemMaxUse=100M
-  '';
+services.openssh = {
+  forwardX11 = true;
 };
 services.printing = {
   enable = true;
@@ -267,7 +204,7 @@ services.xserver = {
     #defaultSession = "none+xmonad";
     autoLogin = {
       enable = true;
-      user = users.julm.name;
+      user = config.users.users.julm.name;
     };
   };
 };
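Review bot: the history and alias settings dropped from `programs.bash` in the environment.variables hunk are moved into the new nixos/profiles/bash.nix, but the imports hunk of this file only adds dnscrypt-proxy2, security and wg-intra, so oignon loses `HISTCONTROL`, `histappend` and the `ls`/`systemctl`/`journalctl` aliases unless bash.nix is imported somewhere not on this page. The surviving `fan` function in `programs.bash.interactiveShellInit` is also still present in bash.nix, so importing both would define it twice. Adding `../nixos/profiles/bash.nix` to the imports list and dropping the local `fan` copy would keep one definition; hosts/patate.nix does not import bash.nix either, if the same shell setup is wanted there.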
index 4d626f4451b2cf3f2c77e37d1a6c5528d66d72f8..0a8689e552d6b5e29c062aed2515d659e4e25de5 100644 (file)
@@ -1,10 +1,9 @@
 { config, pkgs, lib, inputs, hostName, ... }:
-let inherit (config.users) users; in
 {
 imports = [
-  ../profiles/dnscrypt-proxy2.nix
-  ../profiles/security.nix
-  ../networking/wireguard/wg-intra.nix
+  ../nixos/profiles/dnscrypt-proxy2.nix
+  ../nixos/profiles/security.nix
+  ../nixos/profiles/wireguard/wg-intra.nix
   patate/backup.nix
   patate/hardware.nix
 ];
@@ -13,7 +12,7 @@ home-manager.users.sevy = {
   imports = [ ../homes/sevy.nix ];
   host.hardware = ["ThinkPad" "X200"];
 };
-systemd.services.home-manager-julm.postStart = ''
+systemd.services.home-manager-sevy.postStart = ''
   ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/sevy/home-manager
 '';
 security.lockKernelModules = false;
@@ -42,15 +41,10 @@ nix = {
   extraOptions = ''
   '';
   autoOptimiseStore = true;
-  gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 7d";
-  };
-  nixPath = [
-    "nixpkgs=/etc/nixpkgs"
-    "nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix"
-  ];
+  gc.automatic = true;
+  gc.dates = "weekly";
+  gc.options = "--delete-older-than 7d";
+  nixPath = lib.mkForce [ ];
   trustedUsers = [ users.sevy.name ];
   binaryCaches = [
     "http://nix-localcache.losurdo.wg"
@@ -63,8 +57,6 @@ nix = {
 };
 services.openssh.passwordAuthentication = false;
 
-environment.etc."nixpkgs".source = pkgs.path;
-environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
 environment.systemPackages = [
   pkgs.riseup-vpn
 ];
@@ -232,7 +224,7 @@ services.xserver = {
     defaultSession = "xfce";
     autoLogin = {
       enable = true;
-      user = users.sevy.name;
+      user = config.users.users.sevy.name;
     };
   };
 };
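Review bot: `trustedUsers = [ users.sevy.name ];` in the nix hunk still refers to `users`, but the `let inherit (config.users) users; in` binding that defined it is removed in the first hunk, so this file no longer evaluates (undefined variable `users`). The autoLogin hunk already switched to `config.users.users.sevy.name`; the trustedUsers line needs the same change, `trustedUsers = [ config.users.users.sevy.name ];`. Other uses of `users` may exist in parts of the file outside these hunks.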
diff --git a/nixos/profiles/bash.nix b/nixos/profiles/bash.nix
new file mode 100644 (file)
index 0000000..f52add1
--- /dev/null
@@ -0,0 +1,42 @@
+
+programs = {
+  bash = {
+    interactiveShellInit = ''
+      bind '"\e[A":history-search-backward'
+      bind '"\e[B":history-search-forward'
+
+      # Ignore duplicate commands, ignore commands starting with a space
+      export HISTCONTROL=erasedups:ignorespace
+      export HISTSIZE=42000
+      # Append to the history instead of overwriting (good for multiple connections)
+      shopt -s histappend
+
+      # Utilities
+      mkcd () { mkdir -p "$1"; cd "$1"; }
+      fan () {
+        if [ $# -gt 0 ]
+        then sudo tee /proc/acpi/ibm/fan <<<"level $1"
+        else grep '^\(level\|speed\):' /proc/acpi/ibm/fan
+        fi
+        acpi -t
+      }
+    '';
+    shellAliases = {
+      cl = "clear";
+      grep = "grep --color";
+      l  = "ls -alh";
+      ll = "ls -al";
+      ls = "ls --color=tty";
+      mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
+
+      s="sudo systemctl";
+      st="sudo systemctl status";
+      u="systemctl --user";
+      j="sudo journalctl -u";
+      jb="sudo journalctl -b";
+
+      nix-history="sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
+      mv = "mv -i";
+      sshfs = "sshfs -o ServerAliveInterval=15 -o reconnect -f";
+    };
+  };
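Review bot: the new file is not a complete Nix module: it opens with a blank line and `programs = {` without the `{ ... }:` function header and enclosing `{`, and the 42 added lines end at the `};` closing `bash`, leaving `programs = {` and the file unclosed. No host on this page imports it, so the error is latent until something does. The `fan` helper is also ThinkPad-specific (`/proc/acpi/ibm/fan`) and duplicated in hosts/oignon.nix, so it may belong with the host rather than in a shared profile.
```nix
{ ... }:
{
programs = {
  bash = {
    # … unchanged: interactiveShellInit and shellAliases …
  };
};
}
```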
diff --git a/nixos/profiles/security.nix b/nixos/profiles/security.nix
new file mode 100644 (file)
index 0000000..7787a96
--- /dev/null
@@ -0,0 +1,146 @@
+{ pkgs, lib, config, ... }:
+{
+boot.kernelPackages = pkgs.linuxPackages_latest;
+#boot.kernelPackages = pkgs.linuxPackages_hardened;
+#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
+#environment.memoryAllocator.provider = "libc";
+nix.allowedUsers = [ "@users" ];
+networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
+security.allowSimultaneousMultithreading = false;
+security.apparmor.enable = lib.mkDefault true;
+security.forcePageTableIsolation = true;
+security.lockKernelModules = lib.mkDefault true;
+security.protectKernelImage = true;
+security.virtualisation.flushL1DataCache = "always";
+boot.blacklistedKernelModules = [
+  # Obscure network protocols
+  "ax25"
+  "netrom"
+  "rose"
+
+  # Old or rare or insufficiently audited filesystems
+  "adfs"
+  "affs"
+  "bfs"
+  "befs"
+  "cramfs"
+  "efs"
+  "erofs"
+  "exofs"
+  "freevxfs"
+  "f2fs"
+  "hfs"
+  "hpfs"
+  "jfs"
+  "minix"
+  "nilfs2"
+  "ntfs"
+  "omfs"
+  "qnx4"
+  "qnx6"
+  "sysv"
+  "ufs"
+];
+boot.kernel.sysctl = {
+  # Mitigate kernel pointer leaks
+  "kernel.kptr_restrict" = 2;
+  # Restricts the kernel log to the CAP_SYSLOG capability
+  "kernel.dmesg_restrict" = 1;
+  # Prevent information leaks
+  #kernel.printk = "3 3 3 3";
+  # Restrict eBPF to the CAP_BPF capability
+  # and enable JIT hardening techniques
+  # such as constant blinding.
+  "kernel.unprivileged_bpf_disabled" = 1;
+  "net.core.bpf_jit_harden" = 2;
+  # Restricts loading TTY line disciplines
+  # to the CAP_SYS_MODULE capability to prevent
+  # unprivileged attackers from loading vulnerable
+  # line disciplines with the TIOCSETD ioctl
+  "dev.tty.ldisc_autoload" = 0;
+  # The userfaultfd() syscall is often abused to exploit
+  # use-after-free flaws.
+  # Due to this, this sysctl is used to restrict
+  # this syscall to the CAP_SYS_PTRACE capability.
+  "vm.unprivileged_userfaultfd" = 0;
+  # kexec is a system call that is used
+  # to boot another kernel during runtime.
+  "kernel.kexec_load_disabled" = 1;
+  # User namespaces are a feature in the kernel which aim to
+  # improve sandboxing and make it easily accessible for
+  # unprivileged users however, this feature exposes
+  # significant kernel attack surface for privilege
+  # escalation so this sysctl restricts the usage of user
+  # namespaces to the CAP_SYS_ADMIN capability.
+  "kernel.unprivileged_userns_clone" = 0;
+  # Restricts all usage of performance events to the
+  # CAP_PERFMON capability
+  "kernel.perf_event_paranoid" = 3;
+  # Helps protect against SYN flood attacks
+  "net.ipv4.tcp_syncookies" = 1;
+  # Protects against time-wait assassination
+  # by dropping RST packets for sockets
+  # in the time-wait state.
+  "net.ipv4.tcp_rfc1337" = 1;
+  # Disable ICMP redirect acceptance and sending to prevent
+  # man-in-the-middle attacks and minimize information disclosure.
+  "net.ipv4.conf.all.accept_redirects" = 0;
+  "net.ipv4.conf.default.accept_redirects" = 0;
+  "net.ipv4.conf.all.secure_redirects" = 0;
+  "net.ipv4.conf.default.secure_redirects" = 0;
+  "net.ipv6.conf.all.accept_redirects" = 0;
+  "net.ipv6.conf.default.accept_redirects" = 0;
+  "net.ipv4.conf.all.send_redirects" = 0;
+  "net.ipv4.conf.default.send_redirects" = 0;
+  # Disable source routing, a mechanism
+  # that allows users to redirect network traffic.
+  "net.ipv4.conf.all.accept_source_route" = 0;
+  "net.ipv4.conf.default.accept_source_route" = 0;
+  "net.ipv6.conf.all.accept_source_route" = 0;
+  "net.ipv6.conf.default.accept_source_route" = 0;
+  /*
+  # Disable TCP SACK, which is commonly exploited
+  # and unnecessary for many circumstances.
+  # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
+  "net.ipv4.tcp_sack" = 0;
+  "net.ipv4.tcp_dsack" = 0;
+  "net.ipv4.tcp_fack" = 0;
+  */
+  # Generate a random IPv6 address
+  "net.ipv6.conf.all.use_tempaddr" = 2;
+  "net.ipv6.conf.default.use_tempaddr" = 2;
+  # Restricts usage of ptrace to only processes
+  # with the CAP_SYS_PTRACE capability
+  "kernel.yama.ptrace_scope" = 2;
+  # Do source validation by confirming reverse path
+  "net.ipv4.conf.all.rp_filter" = 1;
+  "net.ipv4.conf.default.rp_filter" = 1;
+};
+boot.kernelParams = [
+  "slab_nomerge"
+  "slub_debug=FZ"
+  #"init_on_alloc=1"
+  #"init_on_free=1"
+  "page_alloc.shuffle=1"
+  "pti=on"
+  "vsyscall=none"
+  "debugfs=off"
+  "oops=panic"
+  # Disabled because zfs and wireguard modules are not signed
+  "module.sig_enforce=0"
+  "lockdown=confidentiality"
+  "mce=0"
+  #"quiet"
+  #"loglevel=0"
+];
+services.journald.extraConfig = ''
+  Compress=true
+  MaxRetentionSec=1month
+  Storage=persistent
+  SystemMaxUse=100M
+'';
+services.openssh = {
+  openFirewall = lib.mkFalse false;
+  passwordAuthentication = false;
+};
+}
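Review bot: `openFirewall = lib.mkFalse false;` on the services.openssh block uses a function I cannot find in nixpkgs `lib` (it has `mkDefault`, `mkForce` and `mkOverride`, but no `mkFalse`), so as far as I can tell every host importing this profile — hosts/oignon.nix and hosts/patate.nix on this page — fails at evaluation with a missing attribute. hosts/oignon.nix dropped its own `services.openssh.openFirewall = false;` in favour of this line, so whether sshd gets a firewall exception now depends on it. `openFirewall = lib.mkDefault false;` keeps the closed-by-default behaviour while letting a host open the port deliberately, matching how `apparmor.enable` and `lockKernelModules` are written in this file.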
diff --git a/profiles/chat.nix b/profiles/chat.nix
new file mode 100644 (file)
index 0000000..545a5d3
--- /dev/null
@@ -0,0 +1,11 @@
+{ pkgs, lib, config, ... }:
+{
+home.packages = [
+  pkgs.dino
+  pkgs.gajim
+  pkgs.mastodon-archive
+  pkgs.mumble
+  # Warning: triggers a rebuild of mumble
+  #(pkgs.mumble.override { config.speechdSupport = true; })
+];
+}
diff --git a/profiles/developing.nix b/profiles/developing.nix
new file mode 100644 (file)
index 0000000..c11190d
--- /dev/null
@@ -0,0 +1,62 @@
+{ pkgs, lib, config, nixosConfig, ... }:
+{
+manual.manpages.enable = lib.mkDefault true;
+programs.direnv.enable = lib.mkDefault true;
+programs.doom-emacs.enable = lib.mkDefault true;
+programs.git.enable = lib.mkDefault true;
+programs.gpg.enable = lib.mkDefault true;
+programs.man.enable = lib.mkDefault true;
+#programs.neovim.enable = lib.mkDefault true;
+programs.vim.enable = lib.mkDefault true;
+services.gpg-agent.enable = lib.mkDefault config.programs.gpg.enable;
+home.packages = [
+  pkgs.binutils
+  pkgs.binwalk
+  pkgs.cachix
+  pkgs.exa
+  pkgs.gdb
+  pkgs.git-chglog
+  pkgs.git-crypt
+  pkgs.git-quick-stats
+  pkgs.gnumake
+  pkgs.graphviz
+  pkgs.hledger
+  pkgs.jc
+  pkgs.jq
+  pkgs.libfaketime
+  pkgs.libidn
+  pkgs.libxml2.bin
+  pkgs.mailutils
+  pkgs.neofetch
+  pkgs.nix-prefetch-git
+  pkgs.nixpkgs-review
+  pkgs.pastebinit
+  pkgs.patchelf
+  pkgs.pax-utils
+  pkgs.picocom
+  pkgs.qprint
+  pkgs.reuse
+  pkgs.shellcheck
+  pkgs.sqlite
+  pkgs.tig
+  pkgs.ubootTools
+  pkgs.unar
+  pkgs.unzip
+  pkgs.vbetool
+  pkgs.wgetpaste
+  pkgs.xmlstarlet
+  pkgs.xsel
+  pkgs.zstd
+  #nixosConfig.boot.kernelPackages.perf
+  #pkgs.dracut not yet packaged
+  #pkgs.git-remote-gpg
+  #pkgs.haskell.packages.ghc865.zerobin
+  #pkgs.i7z
+  #pkgs.ipfs
+  #pkgs.meli
+  #pkgs.ncurses
+  #pkgs.profanity
+  #pkgs.ripgrep
+  #pkgs.sdate
+];
+}
diff --git a/profiles/drawing.nix b/profiles/drawing.nix
new file mode 100644 (file)
index 0000000..f81dbb6
--- /dev/null
@@ -0,0 +1,15 @@
+{ pkgs, lib, config, ... }:
+{
+home.packages = [
+  #pkgs.blender
+  pkgs.gcolor2
+  pkgs.geeqie
+  pkgs.gimp
+  pkgs.gpicview
+  pkgs.graphviz
+  pkgs.imagemagick
+  pkgs.inkscape
+  pkgs.optipng
+  (pkgs.texlive.combine { inherit (pkgs.texlive) scheme-medium xdvi ucs; })
+];
+}
diff --git a/profiles/gaming.nix b/profiles/gaming.nix
new file mode 100644 (file)
index 0000000..d0e4186
--- /dev/null
@@ -0,0 +1,6 @@
+{ pkgs, lib, config, ... }:
+{
+home.packages = [
+  pkgs.freeciv_gtk
+];
+}
diff --git a/profiles/graphical.nix b/profiles/graphical.nix
new file mode 100644 (file)
index 0000000..2a76e9b
--- /dev/null
@@ -0,0 +1,16 @@
+{ pkgs, lib, config, ... }:
+{
+services.redshift.enable = lib.mkDefault true;
+home.packages = [
+  pkgs.arandr
+  pkgs.dmenu
+  pkgs.glxinfo
+  pkgs.hicolor-icon-theme
+  pkgs.networkmanager-openvpn
+  pkgs.networkmanagerapplet
+  pkgs.pavucontrol
+  pkgs.xclip
+  pkgs.xorg.xkill
+  pkgs.x2goclient
+];
+}
diff --git a/profiles/networking.nix b/profiles/networking.nix
new file mode 100644 (file)
index 0000000..c34b54f
--- /dev/null
@@ -0,0 +1,32 @@
+{ pkgs, lib, config, nixosConfig, ... }:
+{
+programs.git.enable = lib.mkDefault true;
+programs.ssh.enable = lib.mkDefault true;
+home.packages = [
+  pkgs.bmon
+  pkgs.conntrack-tools
+  pkgs.curl
+  pkgs.ethtool
+  pkgs.iftop
+  pkgs.inetutils
+  pkgs.knot-dns
+  pkgs.ldns
+  pkgs.lftp
+  pkgs.miniupnpc
+  pkgs.mosh
+  pkgs.nethogs
+  pkgs.nmap
+  pkgs.nmon
+  pkgs.nnn
+  pkgs.openssl
+  pkgs.sipcalc
+  pkgs.socat
+  pkgs.sshfs
+  pkgs.tcpdump
+  pkgs.tshark
+  pkgs.wget
+] ++ lib.optionals nixosConfig.services.xserver.enable [
+  #pkgs.calyx-vpn
+  pkgs.riseup-vpn
+];
+}
diff --git a/profiles/office.nix b/profiles/office.nix
new file mode 100644 (file)
index 0000000..f546023
--- /dev/null
@@ -0,0 +1,20 @@
+{ pkgs, lib, config, nixosConfig, ... }:
+{
+home.packages = [
+  pkgs.aspell
+  pkgs.aspellDicts.fr
+  pkgs.hunspell
+  pkgs.hunspellDicts.fr-moderne
+  pkgs.pdftk
+  pkgs.poppler_utils
+] ++ lib.optionals nixosConfig.services.xserver.enable [
+  pkgs.calibre
+  pkgs.djview
+  pkgs.evince
+  pkgs.geeqie
+  pkgs.gpicview
+  pkgs.libreoffice
+  pkgs.thunderbird
+  pkgs.xsane
+];
+}
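Review bot: `pkgs.geeqie` and `pkgs.gpicview` on L1107–L1108 are already installed by profiles/drawing.nix (L1010 and L1012), and profiles/sharing.nix likewise repeats `pkgs.sshfs` from profiles/networking.nix (L1080 and L1268). Identical store paths in `home.packages` should be tolerated when the profile is built, so this is not a breakage, but the overlap leaves it unclear which profile owns the image viewers and makes later pruning error-prone. Either give each package a single home or record the intent, e.g. `# also provided by drawing.nix; kept here for hosts that only enable office`.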
index 166c7a497d52d4f0a631696278965cad9720701f..287b3085fb2dc9f82bd9af5176f4c307de4b74cd 100644 (file)
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, nixosConfig, ... }:
 {
-boot.kernelPackages = pkgs.linuxPackages_latest;
-#boot.kernelPackages = pkgs.linuxPackages_hardened;
-#boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
-#environment.memoryAllocator.provider = "libc";
-nix.allowedUsers = [ "@users" ];
-networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
-security.allowSimultaneousMultithreading = false;
-security.apparmor.enable = true;
-security.forcePageTableIsolation = true;
-security.lockKernelModules = lib.mkDefault true;
-security.protectKernelImage = true;
-security.virtualisation.flushL1DataCache = "always";
-boot.blacklistedKernelModules = [
-  # Obscure network protocols
-  "ax25"
-  "netrom"
-  "rose"
-
-  # Old or rare or insufficiently audited filesystems
-  "adfs"
-  "affs"
-  "bfs"
-  "befs"
-  "cramfs"
-  "efs"
-  "erofs"
-  "exofs"
-  "freevxfs"
-  "f2fs"
-  "hfs"
-  "hpfs"
-  "jfs"
-  "minix"
-  "nilfs2"
-  "ntfs"
-  "omfs"
-  "qnx4"
-  "qnx6"
-  "sysv"
-  "ufs"
-];
-boot.kernel.sysctl = {
-  # Mitigate kernel pointer leaks
-  "kernel.kptr_restrict" = 2;
-  # Restricts the kernel log to the CAP_SYSLOG capability
-  "kernel.dmesg_restrict" = 1;
-  # Prevent information leaks
-  #kernel.printk = "3 3 3 3";
-  # Restrict eBPF to the CAP_BPF capability
-  # and enable JIT hardening techniques
-  # such as constant blinding.
-  "kernel.unprivileged_bpf_disabled" = 1;
-  "net.core.bpf_jit_harden" = 2;
-  # Restricts loading TTY line disciplines
-  # to the CAP_SYS_MODULE capability to prevent
-  # unprivileged attackers from loading vulnerable
-  # line disciplines with the TIOCSETD ioctl
-  "dev.tty.ldisc_autoload" = 0;
-  # The userfaultfd() syscall is often abused to exploit
-  # use-after-free flaws.
-  # Due to this, this sysctl is used to restrict
-  # this syscall to the CAP_SYS_PTRACE capability.
-  "vm.unprivileged_userfaultfd" = 0;
-  # kexec is a system call that is used
-  # to boot another kernel during runtime.
-  "kernel.kexec_load_disabled" = 1;
-  # User namespaces are a feature in the kernel which aim to
-  # improve sandboxing and make it easily accessible for
-  # unprivileged users however, this feature exposes
-  # significant kernel attack surface for privilege
-  # escalation so this sysctl restricts the usage of user
-  # namespaces to the CAP_SYS_ADMIN capability.
-  "kernel.unprivileged_userns_clone" = 0;
-  # Restricts all usage of performance events to the
-  # CAP_PERFMON capability
-  "kernel.perf_event_paranoid" = 3;
-  # Helps protect against SYN flood attacks
-  "net.ipv4.tcp_syncookies" = 1;
-  # Protects against time-wait assassination
-  # by dropping RST packets for sockets
-  # in the time-wait state.
-  "net.ipv4.tcp_rfc1337" = 1;
-  # Disable ICMP redirect acceptance and sending to prevent
-  # man-in-the-middle attacks and minimize information disclosure.
-  "net.ipv4.conf.all.accept_redirects" = 0;
-  "net.ipv4.conf.default.accept_redirects" = 0;
-  "net.ipv4.conf.all.secure_redirects" = 0;
-  "net.ipv4.conf.default.secure_redirects" = 0;
-  "net.ipv6.conf.all.accept_redirects" = 0;
-  "net.ipv6.conf.default.accept_redirects" = 0;
-  "net.ipv4.conf.all.send_redirects" = 0;
-  "net.ipv4.conf.default.send_redirects" = 0;
-  # Disable source routing, a mechanism
-  # that allows users to redirect network traffic.
-  "net.ipv4.conf.all.accept_source_route" = 0;
-  "net.ipv4.conf.default.accept_source_route" = 0;
-  "net.ipv6.conf.all.accept_source_route" = 0;
-  "net.ipv6.conf.default.accept_source_route" = 0;
-  /*
-  # Disable TCP SACK, which is commonly exploited
-  # and unnecessary for many circumstances.
-  # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
-  "net.ipv4.tcp_sack" = 0;
-  "net.ipv4.tcp_dsack" = 0;
-  "net.ipv4.tcp_fack" = 0;
-  */
-  # Generate a random IPv6 address
-  "net.ipv6.conf.all.use_tempaddr" = 2;
-  "net.ipv6.conf.default.use_tempaddr" = 2;
-  # Restricts usage of ptrace to only processes
-  # with the CAP_SYS_PTRACE capability
-  "kernel.yama.ptrace_scope" = 2;
-  # Do source validation by confirming reverse path
-  "net.ipv4.conf.all.rp_filter" = 1;
-  "net.ipv4.conf.default.rp_filter" = 1;
-};
-boot.kernelParams = [
-  "slab_nomerge"
-  "slub_debug=FZ"
-  #"init_on_alloc=1"
-  #"init_on_free=1"
-  "page_alloc.shuffle=1"
-  "pti=on"
-  "vsyscall=none"
-  "debugfs=off"
-  "oops=panic"
-  # Disabled because zfs and wireguard modules are not signed
-  "module.sig_enforce=0"
-  "lockdown=confidentiality"
-  "mce=0"
-  #"quiet"
-  #"loglevel=0"
+home.packages = [
+  pkgs.mkpasswd
+  pkgs.pass
+  pkgs.yubikey-personalization
+] ++ lib.optionals nixosConfig.services.xserver.enable [
+  pkgs.keepass
+  pkgs.yubikey-personalization-gui
 ];
 }
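Review bot: This hunk replaces the NixOS kernel-hardening module (sysctl table, module blacklist and kernelParams, L1118–L1249) with a home-manager package list, but it is rendered as a rewrite rather than a rename, so nothing in the diff shows that the removed settings were carried over to the NixOS-side profile this commit adds; the two should be diffed before merging, because a dropped line such as `security.lockKernelModules = lib.mkDefault true;` or `"kernel.yama.ptrace_scope" = 2;` would silently weaken every host that used to import this file. Any NixOS host that still imports this file directly would now fail evaluation on `home.packages`, which is a home-manager option, so the host imports presumably changed elsewhere in the commit. A one-line header would make the split explicit, e.g. `# home-manager side only (credential tooling); kernel and network hardening lives in the NixOS profiles`.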
diff --git a/profiles/sharing.nix b/profiles/sharing.nix
new file mode 100644 (file)
index 0000000..b692606
--- /dev/null
@@ -0,0 +1,13 @@
+{ pkgs, lib, config, nixosConfig, ... }:
+{
+home.packages = [
+  pkgs.croc
+  pkgs.sshfs
+  pkgs.stig
+  #pkgs.transmission-gtk
+] ++ lib.optionals nixosConfig.services.xserver.enable [
+  pkgs.amule
+] ++ lib.optionals nixosConfig.services.tor.enable [
+  pkgs.onionshare
+];
+}
diff --git a/profiles/system.nix b/profiles/system.nix
new file mode 100644 (file)
index 0000000..a011bc4
--- /dev/null
@@ -0,0 +1,51 @@
+{ pkgs, lib, config, nixosConfig, ... }:
+{
+#programs.broot.enable = lib.mkDefault true;
+programs.bash.enable = lib.mkDefault true;
+programs.bat.enable = lib.mkDefault true;
+programs.htop.enable = lib.mkDefault true;
+programs.tmux.enable = lib.mkDefault true;
+home.packages = [
+  #pkgs.glib # gio
+  #pkgs.go-mtpfs
+  #pkgs.gvfs
+  nixosConfig.boot.kernelPackages.cpupower
+  pkgs.acpi
+  pkgs.bc
+  pkgs.convmv
+  pkgs.cryptsetup
+  pkgs.dstat
+  pkgs.e2fsprogs
+  pkgs.file
+  pkgs.hwinfo
+  pkgs.iotop
+  pkgs.lf
+  pkgs.lm_sensors
+  pkgs.lsof
+  pkgs.lsscsi
+  pkgs.multitail
+  pkgs.ncdu
+  pkgs.nix-du
+  pkgs.nload
+  pkgs.ntfs3g
+  pkgs.p7zip
+  pkgs.parted
+  pkgs.pciutils
+  pkgs.powertop
+  pkgs.procps
+  pkgs.pv
+  pkgs.rdfind
+  pkgs.smartmontools
+  pkgs.smem
+  pkgs.strace
+  pkgs.stress-ng
+  pkgs.swaplist
+  pkgs.tree
+  pkgs.usbutils
+  pkgs.utillinux
+  pkgs.which
+  pkgs.xdg_utils
+] ++ lib.optionals nixosConfig.services.xserver.enable [
+  pkgs.gparted
+];
+}
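Review bot: `pkgs.utillinux` on L1326 and `pkgs.xdg_utils` on L1328 are the legacy alias spellings; the current nixpkgs attributes are `util-linux` and `xdg-utils`, and the aliases stop evaluating whenever `allowAliases = false` is set. Switching to `pkgs.util-linux` and `pkgs.xdg-utils` avoids that failure mode. `nixosConfig.boot.kernelPackages.cpupower` on L1293 is presumably chosen so the tool matches the booted kernel's package set rather than a generic `pkgs` build; a short comment would save the next reader from "simplifying" it, e.g. `# taken from the NixOS kernelPackages so cpupower matches the running kernel`.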
diff --git a/profiles/video.nix b/profiles/video.nix
new file mode 100644 (file)
index 0000000..30b18e1
--- /dev/null
@@ -0,0 +1,15 @@
+{ pkgs, lib, config, ... }:
+{
+home.packages = [
+  pkgs.aria2
+  pkgs.ffmpeg
+  pkgs.gtk-pipe-viewer
+  pkgs.libdvdcss
+  pkgs.mplayer
+  pkgs.mpv
+  pkgs.opusTools
+  pkgs.podl
+  pkgs.vlc
+  pkgs.yt-dlp
+];
+}
diff --git a/profiles/web.nix b/profiles/web.nix
new file mode 100644 (file)
index 0000000..9e2ae8e
--- /dev/null
@@ -0,0 +1,8 @@
+{ pkgs, lib, config, ... }:
+{
+programs.firefox.enable = lib.mkDefault true;
+home.packages = [
+  #pkgs.chromium
+  pkgs.liferea
+];
+}