author | Gregor Kleen <gkleen@yggdrasil.li> | 2019-11-10 16:04:33 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2019-11-10 16:04:33 +0100 |
commit | e388626945519c0d5c728c84b95710b89430ccff (patch) | |
tree | fba659bb75fea1710d12f0689a8d512c9eb222e2 | |
parent | 61680466c6a8e476bd3c8a362454ba59907eb4d3 (diff) | |
download | nixos-e388626945519c0d5c728c84b95710b89430ccff.tar nixos-e388626945519c0d5c728c84b95710b89430ccff.tar.gz nixos-e388626945519c0d5c728c84b95710b89430ccff.tar.bz2 nixos-e388626945519c0d5c728c84b95710b89430ccff.tar.xz nixos-e388626945519c0d5c728c84b95710b89430ccff.zip |
Add sif
-rw-r--r-- | sif.nix | 439 | ||||
-rw-r--r-- | sif/boot.nix | 26 | ||||
-rw-r--r-- | sif/hw.nix | 33 | ||||
-rw-r--r-- | sif/wacom.conf | 15 | ||||
m--------- | yggdrasil | 0 |
5 files changed, 513 insertions, 0 deletions
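diff --git a/sif.nix b/sif.nix
new file mode 100644
index 00000000..1df1a1bf
--- /dev/null
+++ b/sif.nix
@@ -0,0 +1,439 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ ./sif/hw.nix
+      ./sif/boot.nix
+      ./users.nix
+      ./custom/zsh.nix
+      ./custom/tinc/def.nix
+      ./custom/tinc/yggdrasil.nix
+      ./custom/uucp.nix
+      ./custom/borgbackup.nix
+      ./custom/uucp-mediaclient.nix
+      ./custom/uucp-notifyclient.nix
+      ./custom/notify-users.nix
+      ./utils/nix/module.nix
+    ];
+
+  networking = {
+    hostName = "sif";
+    domain = "midgard.yggdrasil";
+
+    hosts = {
+      "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
+      "::1" = [ "sif.midgard.yggdrasil" "sif" ];
+    };
+
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 22 # ssh
+                        ];
+    };
+
+    networkmanager = {
+      enable = true;
+      dhcp = "internal";
+    };
+
+    dhcpcd.enable = false;
+  };
+
+  powerManagement.enable = true;
+
+  i18n = {
+    consoleFont = "lat9w-16";
+    consoleKeyMap = "dvp";
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  time.timeZone = "Europe/Berlin";
+
+  environment.systemPackages = with pkgs; [
+    git rebuild-system
+  ];
+
+  nixpkgs.config.packageOverrides = pkgs: rec {
+    libfprint = pkgs.stdenv.mkDerivation rec {
+      name = "libfprint-${version}";
+      version = "vfs0090-f8323a0";
+
+      src = pkgs.fetchFromGitHub {
+        owner = "3v1n0";
+        repo = "libfprint";
+        rev = "f8323a0d3e0616f2822547902306992efd3572e7";
+        sha256 = "0y0lkwgw1lx4frm1kxz0hj11x93dby7vxkjly0ck7w7z96nn8bnm";
+      };
+
+      buildInputs = with pkgs; [ libusb pixman glib nss nspr gdk_pixbuf openssl ];
+      nativeBuildInputs = with pkgs; [ pkgconfig libtool automake autoconf ];
+
+      preConfigure = ''
+        NOCONFIGURE=true ./autogen.sh
+      '';
+
+      configureFlags = [ "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
+    };
+
+    fprintd = pkgs.stdenv.lib.overrideDerivation pkgs.fprintd (oldAttrs: {
+      configureFlags = oldAttrs.configureFlags or [] ++ ["--sysconfdir=/etc" "--localstatedir=/var"];
+      installFlags = oldAttrs.installFlags or [] ++ ["sysconfdir=\${out}/etc" "localstatedir=\${TMPDIR}"];
+    });
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  services = {
+    fprintd.enable = true;
+
+    vnstat.enable = true;
+
+    logind.extraConfig = ''
+      HandleLidSwitch=hybrid-sleep
+      LidSwitchIgnoreInhibited=no
+    '';
+
+    openssh = {
+      enable = true;
+    };
+
+    atd = {
+      enable = true;
+      allowEveryone = true;
+    };
+
+    xserver = {
+      enable = true;
+
+      layout = "us";
+      xkbVariant = "dvp";
+      xkbOptions = "compose:caps";
+
+      displayManager.lightdm = {
+        enable = true;
+      };
+
+      desktopManager = {
+        default = "none";
+        xterm.enable = false;
+      };
+
+      windowManager = {
+        default = "xmonad";
+        xmonad = {
+          enable = true;
+          extraPackages = haskellPackages: (with haskellPackages;
+            [ xmonad-contrib hostname libnotify aeson temporary parsec network]
+          );
+        };
+      };
+
+      wacom.enable = true;
+      multitouch.enable = true;
+      libinput.enable = true;
+
+      dpi = 282;
+    };
+
+    yggdrasilTinc = {
+      enable = true;
+      connect = true;
+      name = "sif";
+      interfaceConfig = {
+        macAddress = "5c:93:21:c3:61:39";
+      };
+    };
+
+    uucp = {
+      enable = true;
+      nodeName = "hel";
+      remoteNodes = {
+        "odin" = {
+          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcDj49TqmflGTmtGBqDawxmCBWW1txj61CZ7KT0hTHK uucp@odin"];
+          hostnames = ["odin.asgard.yggdrasil"];
+        };
+        "ymir" = {
+          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir"];
+          hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+        };
+      };
+
+      defaultCommands = lib.mkForce [];
+
+      media-client = {
+        remoteNodes = [ "odin" ];
+        notify.users = [ "gkleen" ];
+      };
+
+      notify-client = {
+        remoteNodes = {
+          odin = {};
+        };
+      };
+    };
+
+    notify-users = [ "gkleen" ];
+
+    postfix = {
+      enable = true;
+      enableSmtp = true;
+      enableSubmission = false;
+      setSendmail = true;
+      networksStyle = "host";
+      hostname = "hel.midgard.yggdrasil";
+      destination = [];
+      relayHost = "uucp:ymir";
+      recipientDelimiter = "+";
+      masterConfig = {
+        uucp = {
+          type = "unix";
+          private = true;
+          privileged = true;
+          chroot = false;
+          command = "pipe";
+          args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+        };
+        sshsendmail = {
+          type = "unix";
+          private = true;
+          privileged = true;
+          chroot = false;
+          command = "pipe";
+          args = [ "flags=Fq" "user=postfix_ssh" ''argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient'' ];
+        };
+      };
+      transport = ''
+        odin.asgard.yggdrasil uucp:odin
+      '';
+      config = {
+        always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+
+        default_transport = "uucp:ymir";
+
+        inet_interfaces = "loopback-only";
+
+        authorized_submit_users = ["!uucp" "static:anyone"];
+        message_size_limit = "0";
+
+        sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+          /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ sshsendmail:math60.mathinst.loc
+          /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+          /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+          /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+        ''}'';
+
+        smtp_sasl_auth_enable = true;
+        smtp_sender_dependent_authentication = true;
+        smtp_sasl_tls_security_options = "noanonymous";
+        smtp_sasl_mechanism_filter = ["plain"];
+        smtp_tls_security_level = "dane";
+        smtp_sasl_password_maps = "texthash:/var/db/postfix/sasl_passwd";
+        smtp_cname_overrides_servername = false;
+        smtp_always_send_ehlo = true;
+
+        smtp_tls_loglevel = "1";
+        smtp_dns_support_level = "dnssec";
+      };
+    };
+
+    upower = {
+      enable = true;
+    };
+
+    locate = {
+      enable = true;
+      interval = "hourly";
+      locate = pkgs.mlocate;
+      localuser = null;
+      prunePaths = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool"];
+    };
+  };
+
+  users = {
+    mutableUsers = false;
+
+    extraUsers.root = { inherit (import ./users/gkleen.nix) shell hashedPassword; };
+
+    extraUsers.gkleen.extraGroups = [ "media" "networkmanager" ];
+    extraUsers.gkleen.packages = with pkgs; [
+      steam
+    ];
+
+    extraUsers.postfix_ssh = {
+      isSystemUser = true;
+      home = "/var/db/postfix_ssh";
+    };
+
+    extraGroups = {
+      network = {};
+    };
+  };
+
+  security = {
+    sudo.extraConfig = ''
+      Cmnd_Alias SYSCTRL = /run/current-system/sw/sbin/shutdown, /run/current-system/sw/sbin/reboot, /run/current-system/sw/sbin/halt, /run/current-system/sw/bin/systemctl
+      %wheel ALL=(ALL) NOPASSWD: SYSCTRL
+    '';
+
+    wrappers = { "mount".source = "${pkgs.utillinux.bin}/bin/mount";
+                 "umount".source = "${pkgs.utillinux.bin}/bin/umount";
+                 "newgrp".source = "${pkgs.shadow}/bin/newgrp";
+                 "sg".source = "${pkgs.shadow}/bin/sg";
+               };
+
+    polkit = {
+      enable = true;
+      extraConfig = ''
+        polkit.addRule(function(action, subject) {
+          if ( action.id == "org.freedesktop.systemd1.manage-units"
+             && subject.isInGroup("wheel")
+             ) {
+            return polkit.Result.YES;
+          }
+        });
+
+        polkit.addRule(function(action, subject) {
+          if ((action.id == "org.blueman.rfkill.setstate" ||
+               action.id == "org.blueman.network.setup" ||
+               action.id == "org.freedesktop.NetworkManager.settings.modify.system"
+              ) && subject.local
+             && subject.active && subject.isInGroup("network")
+             ) {
+            return polkit.Result.YES;
+          }
+        });
+      '';
+    };
+  };
+
+  hardware = {
+    pulseaudio = {
+      enable = true;
+      package = with pkgs; pulseaudioFull;
+    };
+
+    bluetooth = {
+      enable = true;
+      extraConfig = ''
+        [General]
+        Enable=Source,Sink,Media,Socket
+      '';
+    };
+
+    trackpoint = {
+      enable = true;
+      emulateWheel = true;
+      sensitivity = 255;
+      speed = 255;
+    };
+
+    brightnessctl.enable = true;
+  };
+
+  sound.enable = true;
+
+  nix = {
+    useSandbox = true;
+    autoOptimiseStore = true;
+    daemonNiceLevel = 10;
+    daemonIONiceLevel = 3;
+  };
+
+  environment.etc."fprintd.conf".source = "${pkgs.fprintd}/etc/fprintd.conf";
+  environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./sif/wacom.conf;
+
+  systemd.services."kill-user@" = {
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
+    };
+  };
+  systemd.targets."sleep" = {
+    after = [ "kill-user@uucp.service" ];
+    wants = [ "kill-user@uucp.service" ];
+  };
+
+
+  systemd.user.services."pulseaudio".enable = lib.mkForce false;
+  systemd.user.services."ssh-agent".enable = lib.mkForce false;
+  systemd.user.sockets."pulseaudio".enable = lib.mkForce false;
+
+  systemd.services."ac-plugged" = {
+    description = "Inhibit handling of lid-switch and sleep";
+
+    path = with pkgs;
+      [ systemd coreutils ];
+
+    script = ''
+      exec systemd-inhibit --what=handle-lid-switch:sleep --why="AC is connected" --mode=block sleep infinity
+    '';
+
+    serviceConfig = {
+      Type = "simple";
+    };
+  };
+
+  services.udev.extraRules = with pkgs; ''
+    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
+    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+  '';
+
+  services.borgbackup = {
+    snapshots = "btrfs";
+    prefix = "yggdrasil.midgard.sif.";
+    targets = {
+      "munin" = {
+        repo = "borg.munin:borg";
+        paths = [ "/home/gkleen" ];
+        prune = {
+          "home-gkleen" =
+            [ "--keep-within" "24H"
+              "--keep-daily" "31"
+              "--keep-monthly" "12"
+              "--keep-yearly" "-1"
+            ];
+        };
+      };
+    };
+  };
+
+  services.btrfs.autoScrub = {
+    enable = true;
+    fileSystems = [ "/" "/home" ];
+    interval = "weekly";
+  };
+
+  systemd.services."nix-daemon".serviceConfig = {
+    MemoryAccounting = true;
+    MemoryHigh = "50%";
+    MemoryMax = "75%";
+  };
+
+  systemd.services."nixos-upgrade" = {
+    path = with pkgs; [ git ];
+    preStart = ''
+      git -C /etc/nixos fetch --recurse-submodules
+      git -C /etc/nixos reset --hard origin/master
+    '';
+  };
+
+  services.compton = {
+    enable = true;
+    backend = "glx";
+    vSync = true;
+    settings = {
+      glx-swap-method = 3;
+      xrender-sync = true;
+      xrender-sync-fence = true;
+    };
+  };
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=100M
+  '';
+
+  system.stateVersion = "20.03"; # Did you read the comment?
+}
+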
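Review bot: `lib` is referenced at lines 163, 345 and 359-361 (`lib.mkForce`) but the module's argument set on line 1 is `{ config, pkgs, ... }:`, so evaluating this module fails on an undefined variable; bind it the way sif/boot.nix and sif/hw.nix do, `{ config, lib, pkgs, ... }:`. The sudo alias on lines 276-277 gives wheel passwordless root on an unrestricted `systemctl`, which can start, write and edit any unit as root and is therefore equivalent to passwordless root, while the polkit rule on lines 289-295 already covers manage-units for wheel; narrow the alias to the power subcommands (e.g. `/run/current-system/sw/bin/systemctl poweroff`, `… reboot`) or drop systemctl from it. The `nixos-upgrade` preStart on lines 417-418 resets /etc/nixos to whatever `origin/master` serves with no integrity check beyond the transport, so the unattended upgrade path fully trusts that remote; if it is fetched over the network, consider a `git verify-commit FETCH_HEAD` step before the `reset --hard`. The uucp `nodeName = "hel"` (line 151) and postfix `hostname = "hel.midgard.yggdrasil"` (line 185) disagree with `hostName = "sif"` on line 20, which looks like a carry-over from another host's configuration and is worth confirming.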
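diff --git a/sif/boot.nix b/sif/boot.nix
new file mode 100644
index 00000000..00d42b99
--- /dev/null
+++ b/sif/boot.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot = {
+    initrd = {
+      luks.devices = [
+        { name = "nvm0"; device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb"; }
+        { name = "nvm1"; device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a"; }
+      ];
+      kernelModules = [ "dm-snapshot" ];
+      availableKernelModules = [ "fbcon" "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+    };
+  };
+
+
+  # Use the systemd-boot EFI boot loader.
+  loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+    timeout = null;
+  };
+
+  plymouth.enable = true;
+
+  kernelParams = [ "intel_pstate=no_hwp" "quiet" ];
+}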
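Review bot: `loader`, `plymouth` and `kernelParams` on lines 17-25 sit at the top level of the module because the `boot = { ... }` set is closed on line 13, so they are not valid NixOS options and the module will be rejected at evaluation time. Either move the closing `};` from line 13 to after line 25 or qualify them: `boot.loader = { ... };`, `boot.plymouth.enable = true;`, `boot.kernelParams = [ "intel_pstate=no_hwp" "quiet" ];`. `timeout = null` on line 20 makes the boot menu wait indefinitely; a one-line comment such as `# null: no timeout, wait for a key at the boot menu` would make that intent explicit.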
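diff --git a/sif/hw.nix b/sif/hw.nix
new file mode 100644
index 00000000..17293c90
--- /dev/null
+++ b/sif/hw.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B3A2-D029";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
+      fsType = "btrfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 12;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  # High-DPI console
+  i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+
+  hardware.cpu.intel.updateMicrocode = true;
+}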
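Review bot: the `/boot` entry on lines 13-16 mounts the EFI system partition with vfat defaults, so the kernel, initrd and loader entries are readable by every local user; since this is the unencrypted part of an otherwise LUKS-backed system, add `options = [ "fmask=0077" "dmask=0077" ];` to that set so only root can read it. The rest of the file is generated hardware-detection output and is consistent with sif/boot.nix (same by-uuid device scheme).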
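diff --git a/sif/wacom.conf b/sif/wacom.conf
new file mode 100644
index 00000000..864409f1
--- /dev/null
+++ b/sif/wacom.conf
@@ -0,0 +1,15 @@
+Section "InputClass"
+        Identifier "Wacom USB device class"
+        MatchUSBID "056a:*"
+        MatchDevicePath "/dev/input/event*"
+        Driver "wacom"
+EndSection
+
+Section "InputClass"
+        Identifier "calibration"
+        MatchProduct "Wacom USB device class"
+        Option "MinX" "58"
+        Option "MaxX" "30982"
+        Option "MinY" "87"
+        Option "MaxY" "17328"
+EndSection
\ No newline at end of file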
diff --git a/yggdrasil b/yggdrasil | |||
Subproject 5da484d0a81d9b35ceaa2da44c2dfc6bb9ad292 | Subproject f9b7f232d15afba865e94ca66e28ca375670009 | ||