fail2ban: tweak parameters

[sourcephile-nix.git] / shell.nix

{ inputs, pkgs, shellHook ? "", ... }:
let
  # Configuration of shell/modules/
  # to expand shellHook and buildInputs of this shell.nix
  shellConfig = { ... }: {
    imports = [
      shell/gnupg.nix
    ];
    gnupg = {
      enable = true;
      gnupgHome = "../sec/gnupg";
      gpgExtraConf = ''
        # julm@sourcephile.fr
        trusted-key 0xB2450D97085B7B8C
        default-key 0x4FE467034C11017B429BAC53A58CD81C3863926F
      '';
      gpgAgentExtraConf = ''
        #pretend-request-origin remote
        #extra-socket ${toString ./.}/S.gpg-agent.extra
        #log-file ${toString ./.}/gpg-agent.log
        #no-grab
        #debug-level expert
        #allow-loopback-pinentry
      '';
    };
    /*
      openssl = {
      enable = true;
      opensslHome = "../sec/openssl";
      certificates = import shell/x509.nix;
      };
    */
    openssh = {
      enable = true;
      sshConf = ''
        Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
        Compression no
        #CompressionLevel 4
        ControlMaster auto
        ControlPath .ssh-%h-%p-%r.socket
        HashKnownHosts no
        #SSAPIAuthentication no
        SendEnv LANG LC_*
        StrictHostKeyChecking yes
        #UserKnownHostsFile ''${inputs.secrets + "/ssh/known_hosts"}
      '';
    };
    virtualbox = {
      enable = false;
    };
  };

  # Using modules enables to separate specific configurations
  # from reusable code in shell/modules.nix and shell/modules/
  # which may find its way in another git repository one day.
  shell = (pkgs.lib.evalModules {
    modules = [
      shellConfig
      { config._module.args = { inherit inputs pkgs; }; }
    ] ++ map import (pkgs.lib.findFiles ".*\\.nix" shell/modules);
  }).config;
in
pkgs.mkShell {
  name = "sourcephile-nix";
  src = null;
  #preferLocalBuild = true;
  #allowSubstitutes = false;
  buildInputs = shell.nix-shell.buildInputs ++ [
    (pkgs.nixos [ ]).nixos-generate-config
    (pkgs.nixos [ ]).nixos-install
    (pkgs.nixos [ ]).nixos-enter
    #pkgs.binutils
    pkgs.coreutils
    pkgs.cryptsetup
    pkgs.curl
    #pkgs.direnv
    pkgs.dnsutils
    #pkgs.dropbear
    pkgs.e2fsprogs
    pkgs.git
    pkgs.glibcLocales
    pkgs.gnumake
    pkgs.gnupg
    pkgs.htop
    #pkgs.inetutils
    pkgs.ipcalc
    #pkgs.iputils
    pkgs.less
    pkgs.libfaketime
    pkgs.ldns
    #pkgs.ldns.examples
    #pkgs.mailutils
    pkgs.man
    pkgs.mdadm
    pkgs.gptfdisk
    pkgs.ncdu
    pkgs.ncurses
    #pkgs.nixops
    #pkgs.openssl
    pkgs.pass
    pkgs.procps
    pkgs.rsync
    #pkgs.rxvt_unicode.terminfo
    #pkgs.sqlite
    pkgs.sqlite
    #pkgs.sudo
    pkgs.tig
    pkgs.time
    #pkgs.tmux
    pkgs.tree
    pkgs.utillinux
    #pkgs.vim
    #pkgs.virtualbox
    pkgs.which
    pkgs.xdg_utils
    pkgs.fio
    pkgs.strace
    pkgs.utillinux
    #pkgs.zfstools
    pkgs.linuxPackages.perf
    #pkgs.go2nix
    pkgs.wireguard-tools
    pkgs.stun
    pkgs.mkpasswd
    #pkgs.ubootTools
    #pkgs.hydra-unstable
  ];
  #enableParallelBuilding = true;

  NIX_PATH = pkgs.lib.concatStringsSep ":" [
    "nixpkgs=${pkgs.path}"
    ("nixpkgs-overlays=" + pkgs.writeText "overlays.nix" ''
      import ${inputs.self + "/nixpkgs/overlays.nix"} ++
      import ${inputs.julm-nix + "/nixpkgs/overlays.nix"}
    '')
  ];

  shellHook = ''
    echo >&2 "nix: running shellHook"

    ${shell.nix-shell.shellHook}

    # gpg
    export GNUPGHOME=$(realpath -e ${shell.gnupg.gnupgHome});
    export GPG_TTY=$(tty)
    gpg-connect-agent updatestartuptty /bye >/dev/null

    # pass
    export PASSWORD_STORE_DIR="$PWD"
  '' + shellHook;
}