Add sif

1 files changed, 439 insertions, 0 deletions

diff --git a/sif.nix b/sif.nix
new file mode 100644
index 00000000..1df1a1bf
--- /dev/null
+++ b/sif.nix
@@ -0,0 +1,439 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ ./sif/hw.nix
+      ./sif/boot.nix
+      ./users.nix
+      ./custom/zsh.nix
+      ./custom/tinc/def.nix
+      ./custom/tinc/yggdrasil.nix
+      ./custom/uucp.nix
+      ./custom/borgbackup.nix
+      ./custom/uucp-mediaclient.nix
+      ./custom/uucp-notifyclient.nix
+      ./custom/notify-users.nix
+      ./utils/nix/module.nix
+    ];
+
+  networking = {
+    hostName = "sif";
+    domain = "midgard.yggdrasil";
+
+    hosts = {
+      "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
+      "::1" = [ "sif.midgard.yggdrasil" "sif" ];
+    };
+    
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 22 # ssh
+                        ];
+    };
+
+    networkmanager = {
+      enable = true;
+      dhcp = "internal";
+    };
+
+    dhcpcd.enable = false;
+  };
+
+  powerManagement.enable = true;
+
+  i18n = {
+    consoleFont = "lat9w-16";
+    consoleKeyMap = "dvp";
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  time.timeZone = "Europe/Berlin";
+
+  environment.systemPackages = with pkgs; [
+    git rebuild-system
+  ];
+
+  nixpkgs.config.packageOverrides = pkgs: rec {
+    libfprint = pkgs.stdenv.mkDerivation rec {
+      name = "libfprint-${version}";
+      version = "vfs0090-f8323a0";
+
+      src = pkgs.fetchFromGitHub {
+        owner = "3v1n0";
+        repo = "libfprint";
+        rev = "f8323a0d3e0616f2822547902306992efd3572e7";
+        sha256 = "0y0lkwgw1lx4frm1kxz0hj11x93dby7vxkjly0ck7w7z96nn8bnm";
+      };
+
+      buildInputs = with pkgs; [ libusb pixman glib nss nspr gdk_pixbuf openssl ];
+      nativeBuildInputs = with pkgs; [ pkgconfig libtool automake autoconf ];
+
+      preConfigure = ''
+        NOCONFIGURE=true ./autogen.sh
+      '';
+
+      configureFlags = [ "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
+    };
+
+    fprintd = pkgs.stdenv.lib.overrideDerivation pkgs.fprintd (oldAttrs: {
+      configureFlags = oldAttrs.configureFlags or [] ++ ["--sysconfdir=/etc" "--localstatedir=/var"];
+      installFlags = oldAttrs.installFlags or [] ++ ["sysconfdir=\${out}/etc" "localstatedir=\${TMPDIR}"];
+    });
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  services = {
+    fprintd.enable = true;
+
+    vnstat.enable = true;
+
+    logind.extraConfig = ''
+      HandleLidSwitch=hybrid-sleep
+      LidSwitchIgnoreInhibited=no
+    '';
+
+    openssh = {
+      enable = true;
+    };
+
+    atd = {
+      enable = true;
+      allowEveryone = true;
+    };
+
+    xserver = {
+      enable = true;
+      
+      layout = "us";
+      xkbVariant = "dvp";
+      xkbOptions = "compose:caps";
+      
+      displayManager.lightdm = {
+        enable = true;
+      };
+
+      desktopManager = {
+        default = "none";
+        xterm.enable = false;
+      };
+
+      windowManager = {
+        default = "xmonad";
+        xmonad = {
+          enable = true;
+          extraPackages = haskellPackages: (with haskellPackages;
+            [ xmonad-contrib hostname libnotify aeson temporary parsec network]
+          );
+        };
+      };
+
+      wacom.enable = true;
+      multitouch.enable = true;
+      libinput.enable = true;
+
+      dpi = 282;
+    };
+
+    yggdrasilTinc = {
+      enable = true;
+      connect = true;
+      name = "sif";
+      interfaceConfig = {
+        macAddress = "5c:93:21:c3:61:39";
+      };
+    };
+
+    uucp = {
+      enable = true;
+      nodeName = "hel";
+      remoteNodes = {
+        "odin" = {
+          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcDj49TqmflGTmtGBqDawxmCBWW1txj61CZ7KT0hTHK uucp@odin"];
+          hostnames = ["odin.asgard.yggdrasil"];
+        };
+        "ymir" = {
+          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir"];
+          hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+        };
+      };
+      
+      defaultCommands = lib.mkForce [];
+
+      media-client = {
+        remoteNodes = [ "odin" ];
+        notify.users = [ "gkleen" ];
+      };
+
+      notify-client = {
+        remoteNodes = {
+          odin = {};
+        };
+      };
+    };
+
+    notify-users = [ "gkleen" ];
+    
+    postfix = {
+      enable = true;
+      enableSmtp = true;
+      enableSubmission = false;
+      setSendmail = true;
+      networksStyle = "host";
+      hostname = "hel.midgard.yggdrasil";
+      destination = [];
+      relayHost = "uucp:ymir";
+      recipientDelimiter = "+";
+      masterConfig = {
+        uucp = {
+          type = "unix";
+          private = true;
+          privileged = true;
+          chroot = false;
+          command = "pipe";
+          args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+        };
+        sshsendmail = {
+          type = "unix";
+          private = true;
+          privileged = true;
+          chroot = false;
+          command = "pipe";
+          args = [ "flags=Fq" "user=postfix_ssh" ''argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient'' ];
+        };
+      };
+      transport = ''
+        odin.asgard.yggdrasil uucp:odin
+      '';
+      config = {
+        always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+      
+        default_transport = "uucp:ymir";
+
+        inet_interfaces = "loopback-only";
+      
+        authorized_submit_users = ["!uucp" "static:anyone"];
+        message_size_limit = "0";
+
+        sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+          /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ sshsendmail:math60.mathinst.loc
+          /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+          /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+          /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+        ''}'';
+
+        smtp_sasl_auth_enable = true;
+        smtp_sender_dependent_authentication = true;
+        smtp_sasl_tls_security_options = "noanonymous";
+        smtp_sasl_mechanism_filter = ["plain"];
+        smtp_tls_security_level = "dane";
+        smtp_sasl_password_maps = "texthash:/var/db/postfix/sasl_passwd";
+        smtp_cname_overrides_servername = false;
+        smtp_always_send_ehlo = true;
+
+        smtp_tls_loglevel = "1";
+        smtp_dns_support_level = "dnssec";
+      };
+    };
+
+    upower = {
+      enable = true;
+    };
+
+    locate = {
+      enable = true;
+      interval = "hourly";
+      locate = pkgs.mlocate;
+      localuser = null;
+      prunePaths = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool"];
+    };
+  };
+
+  users = {
+    mutableUsers = false;
+  
+    extraUsers.root = { inherit (import ./users/gkleen.nix) shell hashedPassword; };
+
+    extraUsers.gkleen.extraGroups = [ "media" "networkmanager" ];
+    extraUsers.gkleen.packages = with pkgs; [
+      steam
+    ];
+
+    extraUsers.postfix_ssh = {
+      isSystemUser = true;
+      home = "/var/db/postfix_ssh";
+    };
+
+    extraGroups = {
+      network = {};
+    };
+  };
+
+  security = {
+    sudo.extraConfig = ''
+      Cmnd_Alias  SYSCTRL = /run/current-system/sw/sbin/shutdown, /run/current-system/sw/sbin/reboot, /run/current-system/sw/sbin/halt, /run/current-system/sw/bin/systemctl
+      %wheel ALL=(ALL) NOPASSWD: SYSCTRL
+    '';
+
+    wrappers = { "mount".source = "${pkgs.utillinux.bin}/bin/mount";
+                 "umount".source = "${pkgs.utillinux.bin}/bin/umount";
+                 "newgrp".source = "${pkgs.shadow}/bin/newgrp";
+                 "sg".source = "${pkgs.shadow}/bin/sg";
+               };
+
+    polkit = {
+      enable = true;
+      extraConfig = ''
+        polkit.addRule(function(action, subject) {
+          if (    action.id == "org.freedesktop.systemd1.manage-units"
+               && subject.isInGroup("wheel")
+             ) {
+            return polkit.Result.YES;
+          }
+        });
+
+        polkit.addRule(function(action, subject) {
+          if ((action.id == "org.blueman.rfkill.setstate" ||
+               action.id == "org.blueman.network.setup" ||
+               action.id == "org.freedesktop.NetworkManager.settings.modify.system"
+              ) && subject.local
+              && subject.active && subject.isInGroup("network")
+             ) {
+            return polkit.Result.YES;
+          }
+        });
+      '';
+    };
+  };
+
+  hardware = {
+    pulseaudio = {
+      enable = true;
+      package = with pkgs; pulseaudioFull;
+    };
+
+    bluetooth = {
+      enable = true;   
+      extraConfig = ''
+        [General]
+        Enable=Source,Sink,Media,Socket
+      '';
+    };
+
+    trackpoint = {
+      enable = true;
+      emulateWheel = true;
+      sensitivity = 255;
+      speed = 255;
+    };
+
+    brightnessctl.enable = true;
+  };
+
+  sound.enable = true;
+
+  nix = {
+    useSandbox = true;
+    autoOptimiseStore = true;
+    daemonNiceLevel = 10;
+    daemonIONiceLevel = 3;
+  };
+
+  environment.etc."fprintd.conf".source = "${pkgs.fprintd}/etc/fprintd.conf";
+  environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./sif/wacom.conf;
+
+  systemd.services."kill-user@" = {
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
+    };
+  };
+  systemd.targets."sleep" = {
+    after = [ "kill-user@uucp.service" ];
+    wants = [ "kill-user@uucp.service" ];
+  };
+
+
+  systemd.user.services."pulseaudio".enable = lib.mkForce false;
+  systemd.user.services."ssh-agent".enable = lib.mkForce false;
+  systemd.user.sockets."pulseaudio".enable = lib.mkForce false;
+
+  systemd.services."ac-plugged" = {
+    description = "Inhibit handling of lid-switch and sleep";
+
+    path = with pkgs;
+             [ systemd coreutils ];
+
+    script = ''
+      exec systemd-inhibit --what=handle-lid-switch:sleep --why="AC is connected" --mode=block sleep infinity
+    '';
+  
+    serviceConfig = {
+      Type = "simple";
+    };
+  };
+
+  services.udev.extraRules = with pkgs; ''
+    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
+    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+  '';
+
+  services.borgbackup = {
+    snapshots = "btrfs";
+    prefix = "yggdrasil.midgard.sif.";
+    targets = {
+      "munin" = {
+        repo = "borg.munin:borg";
+        paths = [ "/home/gkleen" ];
+        prune = {
+          "home-gkleen" =
+            [ "--keep-within" "24H"
+              "--keep-daily" "31"
+              "--keep-monthly" "12"
+              "--keep-yearly" "-1"
+            ];
+        };
+      };
+    };
+  };
+
+  services.btrfs.autoScrub = {
+    enable = true;
+    fileSystems = [ "/" "/home" ];
+    interval = "weekly";
+  };
+
+  systemd.services."nix-daemon".serviceConfig = {
+    MemoryAccounting = true;
+    MemoryHigh = "50%";
+    MemoryMax = "75%";
+  };
+
+  systemd.services."nixos-upgrade" = {
+    path = with pkgs; [ git ];
+    preStart = ''
+      git -C /etc/nixos fetch --recurse-submodules
+      git -C /etc/nixos reset --hard origin/master
+    '';
+  };
+
+  services.compton = {
+    enable = true;
+    backend = "glx";
+    vSync = true;
+    settings = {
+      glx-swap-method = 3;
+      xrender-sync = true;
+      xrender-sync-fence = true;
+    };
+  };
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=100M
+  '';
+
+  system.stateVersion = "20.03"; # Did you read the comment?
+}
+