Ciphers = "aes128-gcm@openssh.com";
};
};
- "patate.sp" = {
- user = "sevy";
+ "blackberry.sp" = {
+ user = "julm";
};
"courge.sp" = {
user = "mo";
};
+ "patate.sp" = {
+ user = "sevy";
+ };
} //
lib.genAttrs [ "lan.losurdo.sourcephile.fr" "losurdo.sp" ]
(_: {
--- /dev/null
+{ pkgs, lib, config, ... }:
+{
+ imports = [
+ #../../../home-manager/profiles/chat.nix
+ #../../../home-manager/profiles/developing.nix
+ ../../../home-manager/profiles/direnv.nix
+ ../../../home-manager/profiles/drawing.nix
+ ../../../home-manager/profiles/gaming.nix
+ ../../../home-manager/profiles/git.nix
+ ../../../home-manager/profiles/gnupg.nix
+ ../../../home-manager/profiles/graphical.nix
+ ../../../home-manager/profiles/lf.nix
+ ../../../home-manager/profiles/mpv.nix
+ ../../../home-manager/profiles/networking.nix
+ ../../../home-manager/profiles/nix.nix
+ #../../../home-manager/profiles/radio.nix
+ ../../../home-manager/profiles/science.nix
+ ../../../home-manager/profiles/video.nix
+ ../../../home-manager/profiles/wireless.nix
+ ../../../home-manager/profiles/yt-dlp.nix
+
+ #../../../home-manager/profiles/emacs.nix
+ ../../../home-manager/profiles/firefox.nix
+ #../../../home-manager/profiles/ghc.nix
+ ../../../home-manager/profiles/starship.nix
+ ../../../home-manager/profiles/xmonad.nix
+ ];
+
+ home.packages = [
+ pkgs.ghostscript
+ #pkgs.go-mtpfs
+ pkgs.ntfs3g
+ pkgs.p7zip
+ pkgs.unar
+ pkgs.pdftk
+ pkgs.vips
+ pkgs.poppler_utils
+ # psnup conflicts with pkgs.texlive.combined.scheme-*
+ (lib.lowPrio pkgs.psutils)
+ pkgs.ink
+ pkgs.djview
+ pkgs.qpdf
+ #pkgs.libreoffice
+ pkgs.calibre
+ #pkgs.zotero
+ pkgs.evince
+ pkgs.marble
+ pkgs.gcompris
+ pkgs.frozen-bubble
+ pkgs.neverball
+ pkgs.tuxpaint
+ pkgs.xsane
+ pkgs.gthumb
+ pkgs.fluidsynth
+ #(pkgs.qgis.override { extraPythonPackages = (ps: [
+ # ps.pyqt5_with_qtwebkit
+ #]); })
+ #pkgs.libva-utils
+ pkgs.otpclient
+ #pkgs.ristretto
+ pkgs.xfce.mousepad
+ #pkgs.mate.pluma
+ pkgs.wxmaxima
+ pkgs.espeak-ng
+ pkgs.vdhcoapp
+ #pkgs.qsynth
+ ];
+
+ services.screen-locker = {
+ inactiveInterval = 10; # minutes
+ };
+}
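Review bot: `services.screen-locker` here sets only `inactiveInterval = 10; # minutes`; nothing in this file enables the locker or provides a `lockCmd`, so unless one of the imported profiles (graphical.nix or xmonad.nix would be the natural place) sets `services.screen-locker.enable = true` and a `lockCmd`, the 10-minute idle lock is never active on this host. Either set `enable = true;` next to the interval or add a comment pointing at the profile that owns it, e.g. `# enable/lockCmd are set in profiles/<name>.nix`, so the interval is not mistaken for a working lock.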
--- /dev/null
+{ config, pkgs, lib, inputs, hostName, ... }:
+{
+ imports = [
+ #../nixos/profiles/debug.nix
+ ../nixos/profiles/graphical.nix
+ #../nixos/profiles/irssi.nix
+ ../nixos/profiles/lang-fr.nix
+ ../nixos/profiles/desktop.nix
+ #../nixos/profiles/printing.nix
+ #../nixos/profiles/radio.nix
+ #../nixos/profiles/tor.nix
+ ../nixos/profiles/bluetooth.nix
+ #blackberry/backup.nix
+ blackberry/hardware.nix
+ blackberry/nebula.nix
+ blackberry/networking.nix
+ ];
+
+ # Lower kernel's security for better performances
+ security.kernel.mitigations = "off";
+
+ home-manager.users.julm = {
+ imports = [ ../homes/julm.nix ];
+ };
+ users.users.root = {
+ openssh.authorizedKeys.keys = map lib.readFile [
+ # For nix -L run .#oignon.switch
+ ../users/julm/ssh/oignon.pub
+ ../users/julm/ssh/blackberry.pub
+ ];
+ };
+ users.users.julm = {
+ isNormalUser = true;
+ uid = 1000;
+ # Put the hashedPassword in /nix/store,
+ # though /etc/shadow is not world readable...
+ # printf %s $(mkpasswd -m md5crypt)
+ hashedPassword = lib.readFile blackberry/users/julm/login/hashedPassword.clear;
+ extraGroups = [
+ "adbusers"
+ "dialout"
+ "lp"
+ "networkmanager"
+ "plugdev" # For rtl-sdr
+ "scanner"
+ #"tor"
+ "video"
+ "wheel"
+ #"ipfs"
+ config.services.davfs2.davGroup
+ #"vboxusers"
+ ];
+ # If created, zfs-mount.service would require:
+ # zfs set overlay=yes ${hostName}/home
+ createHome = false;
+ openssh.authorizedKeys.keys = map lib.readFile [
+ ../users/julm/ssh/oignon.pub
+ ../users/julm/ssh/losurdo.pub
+ ];
+ };
+
+ nix = {
+ extraOptions = ''
+ '';
+ settings = {
+ substituters = [
+ ];
+ trusted-public-keys = map lib.readFile [
+ ];
+ };
+ nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
+ };
+
+ environment.systemPackages = [
+ #pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules
+ ];
+
+ boot.extraModulePackages = [
+ #config.boot.kernelPackages.v4l2loopback
+ ];
+
+ programs.fuse.userAllowOther = true;
+
+ systemd.automounts = [
+ { where = "/mnt/aubergine"; automountConfig.TimeoutIdleSec = "5 min"; }
+ ];
+ fileSystems =
+ let
+ # Use the user's gpg-agent session to query
+ # for the password of the SSH key when auto-mounting.
+ sshAsUser =
+ pkgs.writeScript "sshAsUser" ''
+ user="$1"; shift
+ exec ${pkgs.sudo}/bin/sudo -i -u "$user" \
+ ${pkgs.openssh}/bin/ssh "$@"
+ '';
+ options =
+ [
+ "user"
+ "uid=julm"
+ "gid=users"
+ "allow_other"
+ "exec" # Override "user"'s noexec
+ "noatime"
+ "nosuid"
+ "_netdev"
+ "ssh_command=${sshAsUser}\\040julm"
+ "noauto"
+ "x-gvfs-hide"
+ "x-systemd.automount"
+ #"Compression=yes" # YMMV
+ # Disconnect approximately 2*15=30 seconds after a network failure
+ "ServerAliveCountMax=1"
+ "ServerAliveInterval=15"
+ "dir_cache=no"
+ #"reconnect"
+ ];
+ in
+ {
+ "/mnt/aubergine" = {
+ device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.sp:/";
+ fsType = "fuse";
+ inherit options;
+ };
+ };
+
+ networking.firewall.extraCommands = ''
+ ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 8000 -j ACCEPT
+ '';
+
+ services.xserver = {
+ xkb = {
+ layout = "fr,us(altgr-intl)";
+ };
+ desktopManager = {
+ session = [
+ # Let the session be generated by home-manager
+ {
+ name = "home-manager";
+ start = ''
+ ${pkgs.runtimeShell} $HOME/.hm-xsession &
+ waitPID=$!
+ '';
+ }
+ ];
+ };
+ };
+
+ services.displayManager = {
+ defaultSession = "home-manager";
+ #defaultSession = "none+xmonad";
+ #defaultSession = "mate";
+ #defaultSession = "cinnamon";
+ autoLogin = {
+ user = config.users.users.julm.name;
+ };
+ };
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you should.
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
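Review bot: `networking.firewall.extraCommands` with its `ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 8000 -j ACCEPT` line is inert on this host: blackberry.nix imports `blackberry/networking.nix`, which imports `networking/nftables.nix`, and that file sets `networking.firewall.enable = false`, so the iptables-based `nixos-fw` chain is never installed and the 8000/tcp accept silently does nothing (no `wg-intra` interface is defined anywhere in this change either). Drop it, or express it in the nftables ruleset as something like `iifname "wg-intra" tcp dport 8000 counter accept comment "<service on 8000>"` in an input chain. Separately, the comment `# printf %s $(mkpasswd -m md5crypt)` above `hashedPassword` documents a weaker hash than the Makefile's `users/%/login/hashedPassword.clear` rule actually produces (`mkpasswd -m yescrypt`); change it to `# Generated by: make users/julm/login/hashedPassword.clear (mkpasswd -m yescrypt)` so nobody regenerates it with md5crypt. `security.kernel.mitigations = "off"` is justified only by `# Lower kernel's security for better performances`; since this is a graphical host that imports firefox.nix, the comment should name the trade-off being accepted rather than just the gain.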
--- /dev/null
+*.clear filter=git-crypt-blackberry diff=git-crypt-blackberry
+*.cred filter=git-crypt-blackberry diff=git-crypt-blackberry
+*.gpg filter=git-crypt-blackberry diff=git-crypt-blackberry
+*.pem filter=git-crypt-blackberry diff=git-crypt-blackberry
+*.pub filter=git-crypt-blackberry diff=git-crypt-blackberry
+*.crt filter=git-crypt-blackberry diff=git-crypt-blackberry
+.gpg-id filter=git-crypt-blackberry diff=git-crypt-blackberry
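Review bot: The patterns cover the at-rest artifacts (`*.gpg`, `*.cred`, `*.clear`, `*.pub`, `*.pem`, `*.crt`, `.gpg-id`) but none of the transient plaintext files the sibling Makefile creates before encrypting them — `credential.secret`, `ssh/host.key` and `nebula/$(hostName).key` — so if one is left behind (the Makefile's `credential.secret.gpg` rule has no prerequisite, which makes its `shred -fu $<` step fail) a `git add .` commits it unencrypted. Add a sibling `.gitignore` with `*.key` and `*.secret`, or, if those files are meant to be tracked, matching `filter=git-crypt-blackberry diff=git-crypt-blackberry` lines here.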
--- /dev/null
+#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
+hostName := blackberry
+disk_ssd1 := /dev/disk/by-id/ata-CT250MX500SSD1_2004E2849DD5
+zpool := $(hostName)
+cipher := aes-128-gcm
+autotrim := on
+reservation := 1G
+compression := zstd
+#TARGET ?= root@localhost
+TARGET ?= root@192.168.3.105
+
+machine-id.clear:
+ systemd-machine-id-setup --root $(@D)
+ mv $(@D)/etc/machine-id $@
+ rmdir -p etc
+credential.secret: machine-id.clear
+ sudo unshare --mount sh -xec ' \
+ mount --bind machine-id.clear /etc/machine-id && \
+ mount --bind . /var/lib/systemd && \
+ systemd-creds setup --with-key=host \
+ '
+credential.secret.gpg:
+ sudo chown $(USER) credential.secret
+ gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) credential.secret
+ shred -fu $<
+
+%.cred: %.gpg
+ ../gpg2cred-local.sh $< $(shell basename "$*")
+
+users/%/login/hashedPassword.clear:
+ mkpasswd -m yescrypt | tr -d '\n' >$@
+
+root.passphrase.gpg:
+ gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) --output $@
+
+ssh/host.key ssh/host.key.pub:
+ mkdir -p $(@D)
+ ssh-keygen -t ed25519 -f $@
+ssh/host.key.gpg: ssh/host.key
+ gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $<
+ shred -fu $<
+
+nebula/$(hostName).key.gpg:
+ nebula-cert keygen \
+ -out-pub nebula/$(hostName).pub \
+ -out-key nebula/$(hostName).key
+ gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) \
+ nebula/$(hostName).key
+
+wipe:
+ ssh $(TARGET) sh -xec '" \
+ modprobe zfs; \
+ ! zpool list $(zpool) || zpool export -f $(zpool); \
+ zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_ssd1_zpool || true; \
+ sgdisk --zap-all $(disk_ssd1); \
+ partprobe || true; \
+ udevadm settle; \
+ "'
+
+part: wipe root.passphrase.gpg
+ # https://wiki.archlinux.org/index.php/BIOS_boot_partition
+ #sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_ssd1_bios" $(disk_ssd1)
+ # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
+ #printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_ssd1) bs=1 seek=462
+ gpg --decrypt root.passphrase.gpg | \
+ ssh $(TARGET) sh -xec '" \
+ sgdisk -a1 -n0:34:2047 -t0:EF02 -c0:$(hostName)_ssd1_bios $(disk_ssd1); \
+ sgdisk -n0::+256M -t0:EF00 -c0:$(hostName)_ssd1_boot $(disk_ssd1); \
+ sgdisk -n0:0:+4G -t0:8200 -c0:$(hostName)_ssd1_swap $(disk_ssd1); \
+ sgdisk -n0:0:0 -t0:BF01 -c0:$(hostName)_ssd1_zpool $(disk_ssd1); \
+ sgdisk --randomize-guids $(disk_ssd1); \
+ sgdisk --backup=$(hostName)_ssd1.sgdisk $(disk_ssd1); \
+ partprobe || true; \
+ udevadm settle; \
+ mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_ssd1_boot; \
+ zpool create -o ashift=12 \
+ -O utf8only=on \
+ -R /mnt/$(zpool) $(zpool) /dev/disk/by-partlabel/$(hostName)_ssd1_zpool; \
+ zpool set autotrim=$(autotrim) $(zpool); \
+ zfs set \
+ acltype=off \
+ atime=off \
+ canmount=off \
+ compression=$(compression) \
+ dnodesize=auto \
+ relatime=on \
+ xattr=off \
+ mountpoint=none \
+ $(zpool); \
+ zfs create \
+ -o canmount=off \
+ -o mountpoint=none \
+ -o refreservation=$(reservation) \
+ $(zpool)/reserved; \
+ zfs create -o canmount=on -o mountpoint=/ \
+ $(if $(cipher),-o encryption=$(cipher) \
+ -o keyformat=passphrase \
+ -o keylocation=prompt) \
+ $(zpool)/root; \
+ for p in nix home var; do \
+ zfs create $(zpool)/root/\$$p; \
+ done; \
+ zfs set acltype=posixacl xattr=sa $(zpool)/root/var; \
+ "'
+ #https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported
+
+ #sudo zfs set sync=disabled $(zpool)/root/var/tmp
+ #sudo zfs set copies=2 $(zpool)/root/home/files
+
+copy-ssh:
+ host=$(TARGET); host=$${host#*@}; ssh-keygen -R $$host
+ ssh-copy-id $(TARGET)
+ #ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1
+
+install: NIX_STORE_DIR=/nix/store
+install: targetRoot=/mnt/$(zpool)
+install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR)
+install: credential.secret.gpg
+ nix -L build --out-link ../$(hostName).root \
+ "../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
+ ssh $(TARGET) sh -xec '" \
+ zpool list $(zpool) || zpool import $(zpool); \
+ test \$$(zfs get -H encryption -o value $(zpool)/root) = off || \
+ test \$$(zfs get -H keystatus -o value $(zpool)/root) = available || \
+ zfs load-key $(zpool)/root; \
+ mountpoint $(targetRoot) || \
+ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root $(targetRoot); \
+ mountpoint $(targetRoot)/boot1 || \
+ mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_ssd1_boot $(targetRoot)/boot1; \
+ mountpoint $(targetRoot)/nix || \
+ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/nix $(targetRoot)/nix; \
+ mountpoint $(targetRoot)/var || \
+ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/var $(targetRoot)/var; \
+ findmnt \
+ "'
+ nix copy --to "ssh://$(TARGET)?$(targetStore)" ../blackberry.root
+ gpg --decrypt credential.secret.gpg | \
+ ssh $(TARGET) sh -xec '" \
+ nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
+ --set '$$(readlink -f ../$(hostName).root)'; \
+ mkdir -m 0755 -p $(targetRoot)/etc; \
+ touch $(targetRoot)/etc/NIXOS; \
+ install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
+ "'
+ ssh $(TARGET) nixos-enter --root $(targetRoot) -c '" \
+ set -eux; \
+ mount --rbind --mkdir / $(targetRoot); \
+ mount --make-rslave $(targetRoot); \
+ NIXOS_INSTALL_BOOTLOADER=1 $(shell realpath -e ../blackberry.root)/bin/switch-to-configuration boot; \
+ umount -R $(targetRoot) && rmdir $(targetRoot) \
+ "'
+ ssh $(TARGET) sh -xec '" \
+ ! mountpoint $(targetRoot)/boot1 || \
+ umount -v $(targetRoot)/boot1; \
+ ! mountpoint $(targetRoot)/nix || \
+ umount -v $(targetRoot)/nix; \
+ ! mountpoint $(targetRoot)/var || \
+ umount -v $(targetRoot)/var; \
+ ! mountpoint $(targetRoot) || \
+ umount -v $(targetRoot); \
+ ! zpool list $(zpool) || \
+ zpool export $(zpool); \
+ findmnt \
+ "'
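Review bot: `credential.secret.gpg:` has no prerequisite, so `$<` in its `shred -fu $<` line expands to nothing; `shred` fails with a missing-operand error and the plaintext `credential.secret` survives the rule that was meant to remove it (compare `ssh/host.key.gpg: ssh/host.key`, where `$<` works as intended). Change the rule header to `credential.secret.gpg: credential.secret`. The `shred -fu` lines also deserve a comment: shred's overwrite passes are not reliable on copy-on-write or journaled filesystems, and this repository targets ZFS, so where the workstation running `make` uses such a filesystem the plaintext key material may remain recoverable from older blocks or snapshots — e.g. `# shred is best-effort on CoW/journaled filesystems; keep this checkout on encrypted storage`.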
--- /dev/null
+{ pkgs, hostName, ... }:
+{
+ imports = [
+ ../../nixos/profiles/hardware/E5500.nix
+ ../../nixos/profiles/zfs.nix
+ ../../nixos/profiles/zramSwap.nix
+ ];
+
+ # Setting the machine-id avoids to reencrypt all credentials
+ # when reinstalling NixOS on a new drive.
+ # Manually generated with : uuidgen | tr -d -
+ environment.etc.machine-id.source = ./machine-id.clear;
+
+ # The 32-bit host id of the host, formatted as 8 hexadecimal characters.
+ # You should try to make this id unique among your hosts.
+ # Manually generated with : uuidgen | head -c8
+ networking.hostId = "e53001b7";
+
+ boot.loader = {
+ grub = {
+ enable = true;
+ memtest86.enable = true;
+ mirroredBoots = [
+ { path = "/boot1"; devices = [ "/dev/disk/by-id/ata-CT250MX500SSD1_2004E2849DD5" ]; }
+ ];
+ # Roughly 25MiB (initrd) + 9MiB (kernel) per configuration
+ configurationLimit = 6;
+
+ #zfsSupport = true;
+ #efiSupport = true;
+ #enableCryptodisk = true;
+ };
+ };
+ boot.zfs.requestEncryptionCredentials = [ "${hostName}/root" ];
+
+ hardware.enableRedistributableFirmware = true;
+
+ fileSystems."/boot1" =
+ {
+ device = "/dev/disk/by-partlabel/${hostName}_ssd1_boot";
+ fsType = "vfat";
+ options = [ "rw" "noexec" "nodev" "nofail" "X-mount.mkdir" "iocharset=iso8859-1" ];
+ };
+ swapDevices = [
+ {
+ device = "/dev/disk/by-partlabel/${hostName}_ssd1_swap";
+ randomEncryption = {
+ enable = true;
+ cipher = "aes-xts-plain64";
+ source = "/dev/urandom";
+ };
+ }
+ ];
+
+ boot.supportedFilesystems = [ "ntfs" "vfat" ];
+
+ fileSystems."/" =
+ {
+ device = "${hostName}/root";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+ fileSystems."/nix" =
+ {
+ device = "${hostName}/root/nix";
+ fsType = "zfs";
+ options = [ "X-mount.mkdir" "zfsutil" ];
+ };
+ fileSystems."/var" =
+ {
+ device = "${hostName}/root/var";
+ fsType = "zfs";
+ options = [ "X-mount.mkdir" "zfsutil" ];
+ };
+
+ services.pipewire.jack.enable = true;
+
+}
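Review bot: The comment `# Manually generated with : uuidgen | tr -d -` above `environment.etc.machine-id.source = ./machine-id.clear;` does not match how the file is produced in this change: the Makefile's `machine-id.clear` rule runs `systemd-machine-id-setup --root $(@D)` and moves the result into place. Point the comment at the rule instead, e.g. `# Generated by: make machine-id.clear (systemd-machine-id-setup)`, so the two do not drift; the note that a stable machine-id avoids re-encrypting credentials is the important part and should stay. The literal disk id `ata-CT250MX500SSD1_2004E2849DD5` in `mirroredBoots` is also hard-coded as `disk_ssd1` in the Makefile; a one-line cross-reference comment on each helps when the drive is replaced.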
--- /dev/null
+blackberry
--- /dev/null
+{ pkgs, lib, config, inputs, hostName, ... }:
+let
+ domain = "sourcephile.fr";
+ iface = config.services.nebula.networks.${domain}.tun.device;
+in
+{
+ imports = [
+ ../../share/nebula/sourcephile.fr.nix
+ ];
+ services.nebula.networks.${domain} = {
+ listen.port = 10008;
+ firewall = {
+ inbound = [
+ { port = "any"; proto = "any"; groups = [ "sourcephile" "intra" ]; }
+ ];
+ outbound = [
+ { port = "any"; proto = "any"; host = "any"; }
+ ];
+ };
+ settings = {
+ punchy = {
+ punch = true;
+ respond = true;
+ };
+ };
+ };
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input-${iface} {
+ }
+ chain output-${iface} {
+ tcp dport 9091 counter accept comment "Transmission RPC"
+ counter accept
+ }
+ }
+ '';
+}
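Review bot: In `chain output-${iface}` the `tcp dport 9091 counter accept comment "Transmission RPC"` rule is immediately followed by an unconditional `counter accept`, so the first rule only counts and restricts nothing, and `input-${iface}` is left empty, so inbound handling on the nebula interface presumably comes entirely from `../../share/nebula/sourcephile.fr.nix`, which is outside this diff. If egress over nebula is meant to be restricted, drop the trailing `counter accept`; if it is deliberately open, make that explicit with `counter accept comment "all egress over nebula allowed"`. The `firewall.inbound` entry admits `port = "any"; proto = "any"` for the `sourcephile` and `intra` groups, which is fine if host-level filtering is delegated to nftables, but a one-line comment stating that delegation would stop a reader from treating it as an oversight.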
--- /dev/null
+{ pkgs, lib, ... }:
+{
+ imports = [
+ ../../nixos/profiles/dnscrypt-proxy2.nix
+ ../../nixos/profiles/networking/ssh.nix
+ ../../nixos/profiles/networking/wifi.nix
+ #../../nixos/profiles/openvpn/calyx.nix
+ networking/nftables.nix
+ ];
+ install.substituteOnDestination = false;
+ #networking.domain = "sourcephile.fr";
+ networking.useDHCP = false;
+
+ services.tor = {
+ settings = {
+ HashedControlPassword = lib.readFile tor/HashedControlPassword.clear;
+ # https://metrics.torproject.org/rs.html#search/flag:exit%20country:be%20running:true
+ # https://nusenu.github.io/OrNetStats/w/relay/58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.html
+ MapAddress = [
+ "*.gcp.cloud.es.io *.gcp.cloud.es.io.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
+ "*.redbee.live *.redbee.live.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
+ "*.rtbf.be *.rtbf.be.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit"
+ ];
+ StrictNodes = true;
+ };
+ };
+
+ networking.nftables.ruleset = lib.mkAfter ''
+ table inet filter {
+ chain input {
+ goto input-net
+ }
+ chain output {
+ ip daddr 10.0.0.0/8 counter goto output-lan
+ ip daddr 172.16.0.0/12 counter goto output-lan
+ ip daddr 192.168.0.0/16 counter goto output-lan
+ ip daddr 224.0.0.0/3 counter goto output-lan
+ jump output-net
+ log level warn prefix "output-net: " counter drop
+ }
+ }
+ '';
+
+ networking.hosts = {
+ #"80.67.180.129" = ["salons.sourcephile.fr"];
+ };
+
+ networking.interfaces = { };
+
+ networking.networkmanager = {
+ enable = true;
+ unmanaged = [
+ ];
+ };
+
+ systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
+ "host.key:${ssh/host.key.cred}"
+ ];
+}
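Review bot: `HashedControlPassword = lib.readFile tor/HashedControlPassword.clear` copies the file into the Nix store, which is world-readable; this is the same trade-off the `hashedPassword` comment in blackberry.nix spells out, but here it is undocumented, so a short `# salted hash only, but lib.readFile puts it in the world-readable /nix/store` comment keeps the choice visible. The `MapAddress` entries pin three domains to the single exit `58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404` with `StrictNodes = true`, so if that relay goes offline or loses its Exit flag those names stop working through tor instead of failing over; stating that next to the two links makes the failure mode recognisable when it happens. By contrast `LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ]` keeps the SSH host key out of the store, which is the pattern the tor value could follow if it ever matters.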
--- /dev/null
+{ config, ... }:
+let
+ inherit (config.users) users;
+in
+{
+ networking.firewall.enable = false;
+ security.lockKernelModules = false;
+ systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
+ # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
+ # nft list ruleset
+ networking.nftables = {
+ enable = true;
+ preCheckRuleset = ''
+ sed -i ruleset.conf \
+ -e 's/ip daddr losurdo.wg//'
+ '';
+ ruleset = ''
+ table inet filter {
+ chain input-net {
+ }
+
+ chain output-lan {
+ tcp dport { http, https } counter accept comment "HTTP(s)"
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ udp dport 60001-60100 counter accept comment "Mosh"
+ tcp dport bootps counter accept comment "DHCP"
+ tcp dport { 4444, 5555 } counter accept
+ tcp dport 5201 counter accept comment "iperf"
+ }
+ chain output-net {
+ tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
+ udp dport 60001-60100 counter accept comment "Mosh"
+ udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
+ tcp dport { http, https } counter accept comment "HTTP"
+ tcp dport git counter accept comment "Git"
+ tcp dport imaps counter accept comment "IMAPS"
+ tcp dport submissions counter accept comment "SMTPS"
+ tcp dport xmpp-client counter accept comment "XMPP client"
+ tcp dport 5223 counter accept comment "XMPP client direct TLS"
+ tcp dport 5281 counter accept comment "XMPP HTTPS"
+ tcp dport nntps counter accept comment "NNTPS"
+ tcp dport 5201 counter accept comment "iperf"
+ }
+ }
+ '';
+ };
+}
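Review bot: `tcp dport { 4444, 5555 } counter accept` in `chain output-lan` is the only rule in this ruleset without a `comment`, so a reader cannot tell what those ports are for or whether the rule is still needed; add one, e.g. `tcp dport { 4444, 5555 } counter accept comment "<purpose>"`. `security.lockKernelModules = false` next to `systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ]` reads as contradictory: the ordering only matters once locking is enabled (the service is presumably not created otherwise), so either enable it or add `# pre-wired so lockKernelModules can be flipped on without nftables losing module loading` to explain the intent. `chain input-net` is empty and is reached via `goto input-net` from networking.nix, so inbound packets fall through to the base chain's policy, which is defined outside this diff; a comment on the empty chain naming the expected policy avoids surprises.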
--- /dev/null
+{ lib, ... }:
+{
+ systemd.services.nix-daemon.serviceConfig = {
+ CPUSchedulingPolicy = lib.mkForce "idle";
+ IOSchedulingClass = lib.mkForce "idle";
+ # 0: high priority, 7: low priority
+ IOSchedulingPriority = lib.mkForce 4;
+ Nice = 19;
+ };
+
+ systemd.services.nix-gc.serviceConfig = {
+ CPUSchedulingPolicy = "idle";
+ IOSchedulingClass = "idle";
+ IOSchedulingPriority = 7;
+ Nice = 19;
+ };
+
+ systemd.sleep.extraConfig = ''
+ AllowSuspend=yes
+ AllowHibernation=yes
+ '';
+
+}
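Review bot: `IOSchedulingPriority = lib.mkForce 4` for nix-daemon sits next to `IOSchedulingClass = lib.mkForce "idle"`; as far as I know the idle class carries no priority levels, so the value and the `# 0: high priority, 7: low priority` comment only take effect if the class is changed back, and the sibling nix-gc block uses 7 for the same class. Either align the two or annotate the line, e.g. `IOSchedulingPriority = lib.mkForce 4; # only meaningful if IOSchedulingClass is not "idle"`.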
--- /dev/null
+{ pkgs, lib, config, ... }:
+with lib;
+{
+ imports = [
+ ../acpid.nix
+ ];
+
+ nixpkgs.hostPlatform = {
+ system = "x86_64-linux";
+ config = "x86_64-unknown-linux-gnu";
+ };
+
+ boot.kernelModules = [ "kvm-intel" ];
+ # https://bugzilla.kernel.org/show_bug.cgi?id=110941
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ "drbg"
+ "ehci_pci"
+ "gf128mul"
+ "hmac"
+ "sd_mod"
+ ];
+ boot.extraModulePackages = with config.boot.kernelPackages; [
+ ];
+ boot.kernelParams = [
+ ];
+
+ hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.opengl.extraPackages = [
+ pkgs.intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ (if (versionOlder (versions.majorMinor version) "23.11") then pkgs.vaapiIntel else pkgs.intel-vaapi-driver)
+ pkgs.libvdpau-va-gl
+ pkgs.vaapiVdpau
+ ];
+
+ services.upower.enable = true;
+ services.libinput.enable = mkDefault true;
+}
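Review bot: `with lib;` at the top of the module brings every lib attribute into scope, so in `(if (versionOlder (versions.majorMinor version) "23.11") then pkgs.vaapiIntel else pkgs.intel-vaapi-driver)` the bare `version` resolves to lib's own version string, which is what selects the driver attribute name — correct, but not obvious to a reader and fragile if a local binding named `version` is ever introduced. Replace the `with` by `inherit (lib) mkDefault versionOlder versions version;` in a `let` and add `# lib.version is the nixpkgs release; picks whichever driver attribute exists` on that line. The empty `boot.extraModulePackages = with config.boot.kernelPackages; [ ];` and `boot.kernelParams = [ ];` are placeholders and could be dropped until they carry values.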
"${IPv4Prefix}.5" = [ "carotte.sp" ];
"${IPv4Prefix}.6" = [ "aubergine.sp" ];
"${IPv4Prefix}.7" = [ "courge.sp" ];
+ "${IPv4Prefix}.8" = [ "blackberry.sp" ];
};
services.nebula.networks.${domain} = {
enable = true;
--- /dev/null
+-----BEGIN NEBULA CERTIFICATE-----
+CooBChlibGFja2JlcnJ5LnNvdXJjZXBoaWxlLmZyEgmIgIBQgID8/w8iC3NvdXJj
+ZXBoaWxlIgVpbnRyYSj1g/i1BjDv6LiPEjogx+muhsdSLTpROSA5kOcRpWSACdW7
+90+ue4gxz7wSPVhKIE9dl0LRpqNSmBSZXfX8iNjgyTTlOdxVRrnE5DrL+MPjEkBu
+HbCVxDIxAAALUPFKBdmEk4xcQwAfWqOr3EQSDGF1KKBsVv7Hq10REcPySLchivrR
+CjKWCKUA6rYrr3FUyWYK
+-----END NEBULA CERTIFICATE-----
--- /dev/null
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPi2WQBLzkg2TT9RPB1MTr9lmgJnkLU8+oo1FszCfe6p julm@blackberry