From e388626945519c0d5c728c84b95710b89430ccff Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 10 Nov 2019 16:04:33 +0100
Subject: Add sif
---
sif.nix | 439 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 439 insertions(+)
create mode 100644 sif.nix
(limited to 'sif.nix')
diff --git a/sif.nix b/sif.nix
new file mode 100644
index 00000000..1df1a1bf
--- /dev/null
+++ b/sif.nix
@@ -0,0 +1,439 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ ./sif/hw.nix
+ ./sif/boot.nix
+ ./users.nix
+ ./custom/zsh.nix
+ ./custom/tinc/def.nix
+ ./custom/tinc/yggdrasil.nix
+ ./custom/uucp.nix
+ ./custom/borgbackup.nix
+ ./custom/uucp-mediaclient.nix
+ ./custom/uucp-notifyclient.nix
+ ./custom/notify-users.nix
+ ./utils/nix/module.nix
+ ];
+
+ networking = {
+ hostName = "sif";
+ domain = "midgard.yggdrasil";
+
+ hosts = {
+ "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
+ "::1" = [ "sif.midgard.yggdrasil" "sif" ];
+ };
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 # ssh
+ ];
+ };
+
+ networkmanager = {
+ enable = true;
+ dhcp = "internal";
+ };
+
+ dhcpcd.enable = false;
+ };
+
+ powerManagement.enable = true;
+
+ i18n = {
+ consoleFont = "lat9w-16";
+ consoleKeyMap = "dvp";
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ time.timeZone = "Europe/Berlin";
+
+ environment.systemPackages = with pkgs; [
+ git rebuild-system
+ ];
+
+ nixpkgs.config.packageOverrides = pkgs: rec {
+ libfprint = pkgs.stdenv.mkDerivation rec {
+ name = "libfprint-${version}";
+ version = "vfs0090-f8323a0";
+
+ src = pkgs.fetchFromGitHub {
+ owner = "3v1n0";
+ repo = "libfprint";
+ rev = "f8323a0d3e0616f2822547902306992efd3572e7";
+ sha256 = "0y0lkwgw1lx4frm1kxz0hj11x93dby7vxkjly0ck7w7z96nn8bnm";
+ };
+
+ buildInputs = with pkgs; [ libusb pixman glib nss nspr gdk_pixbuf openssl ];
+ nativeBuildInputs = with pkgs; [ pkgconfig libtool automake autoconf ];
+
+ preConfigure = ''
+ NOCONFIGURE=true ./autogen.sh
+ '';
+
+ configureFlags = [ "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
+ };
+
+ fprintd = pkgs.stdenv.lib.overrideDerivation pkgs.fprintd (oldAttrs: {
+ configureFlags = oldAttrs.configureFlags or [] ++ ["--sysconfdir=/etc" "--localstatedir=/var"];
+ installFlags = oldAttrs.installFlags or [] ++ ["sysconfdir=\${out}/etc" "localstatedir=\${TMPDIR}"];
+ });
+ };
+
+ nixpkgs.config.allowUnfree = true;
+
+ services = {
+ fprintd.enable = true;
+
+ vnstat.enable = true;
+
+ logind.extraConfig = ''
+ HandleLidSwitch=hybrid-sleep
+ LidSwitchIgnoreInhibited=no
+ '';
+
+ openssh = {
+ enable = true;
+ };
+
+ atd = {
+ enable = true;
+ allowEveryone = true;
+ };
+
+ xserver = {
+ enable = true;
+
+ layout = "us";
+ xkbVariant = "dvp";
+ xkbOptions = "compose:caps";
+
+ displayManager.lightdm = {
+ enable = true;
+ };
+
+ desktopManager = {
+ default = "none";
+ xterm.enable = false;
+ };
+
+ windowManager = {
+ default = "xmonad";
+ xmonad = {
+ enable = true;
+ extraPackages = haskellPackages: (with haskellPackages;
+ [ xmonad-contrib hostname libnotify aeson temporary parsec network]
+ );
+ };
+ };
+
+ wacom.enable = true;
+ multitouch.enable = true;
+ libinput.enable = true;
+
+ dpi = 282;
+ };
+
+ yggdrasilTinc = {
+ enable = true;
+ connect = true;
+ name = "sif";
+ interfaceConfig = {
+ macAddress = "5c:93:21:c3:61:39";
+ };
+ };
+
+ uucp = {
+ enable = true;
+ nodeName = "hel";
+ remoteNodes = {
+ "odin" = {
+ publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcDj49TqmflGTmtGBqDawxmCBWW1txj61CZ7KT0hTHK uucp@odin"];
+ hostnames = ["odin.asgard.yggdrasil"];
+ };
+ "ymir" = {
+ publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir"];
+ hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+ };
+ };
+
+ defaultCommands = lib.mkForce [];
+
+ media-client = {
+ remoteNodes = [ "odin" ];
+ notify.users = [ "gkleen" ];
+ };
+
+ notify-client = {
+ remoteNodes = {
+ odin = {};
+ };
+ };
+ };
+
+ notify-users = [ "gkleen" ];
+
+ postfix = {
+ enable = true;
+ enableSmtp = true;
+ enableSubmission = false;
+ setSendmail = true;
+ networksStyle = "host";
+ hostname = "hel.midgard.yggdrasil";
+ destination = [];
+ relayHost = "uucp:ymir";
+ recipientDelimiter = "+";
+ masterConfig = {
+ uucp = {
+ type = "unix";
+ private = true;
+ privileged = true;
+ chroot = false;
+ command = "pipe";
+ args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+ };
+ sshsendmail = {
+ type = "unix";
+ private = true;
+ privileged = true;
+ chroot = false;
+ command = "pipe";
+ args = [ "flags=Fq" "user=postfix_ssh" ''argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient'' ];
+ };
+ };
+ transport = ''
+ odin.asgard.yggdrasil uucp:odin
+ '';
+ config = {
+ always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+
+ default_transport = "uucp:ymir";
+
+ inet_interfaces = "loopback-only";
+
+ authorized_submit_users = ["!uucp" "static:anyone"];
+ message_size_limit = "0";
+
+ sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+ /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ sshsendmail:math60.mathinst.loc
+ /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+ /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+ /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+ ''}'';
+
+ smtp_sasl_auth_enable = true;
+ smtp_sender_dependent_authentication = true;
+ smtp_sasl_tls_security_options = "noanonymous";
+ smtp_sasl_mechanism_filter = ["plain"];
+ smtp_tls_security_level = "dane";
+ smtp_sasl_password_maps = "texthash:/var/db/postfix/sasl_passwd";
+ smtp_cname_overrides_servername = false;
+ smtp_always_send_ehlo = true;
+
+ smtp_tls_loglevel = "1";
+ smtp_dns_support_level = "dnssec";
+ };
+ };
+
+ upower = {
+ enable = true;
+ };
+
+ locate = {
+ enable = true;
+ interval = "hourly";
+ locate = pkgs.mlocate;
+ localuser = null;
+ prunePaths = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool"];
+ };
+ };
+
+ users = {
+ mutableUsers = false;
+
+ extraUsers.root = { inherit (import ./users/gkleen.nix) shell hashedPassword; };
+
+ extraUsers.gkleen.extraGroups = [ "media" "networkmanager" ];
+ extraUsers.gkleen.packages = with pkgs; [
+ steam
+ ];
+
+ extraUsers.postfix_ssh = {
+ isSystemUser = true;
+ home = "/var/db/postfix_ssh";
+ };
+
+ extraGroups = {
+ network = {};
+ };
+ };
+
+ security = {
+ sudo.extraConfig = ''
+ Cmnd_Alias SYSCTRL = /run/current-system/sw/sbin/shutdown, /run/current-system/sw/sbin/reboot, /run/current-system/sw/sbin/halt, /run/current-system/sw/bin/systemctl
+ %wheel ALL=(ALL) NOPASSWD: SYSCTRL
+ '';
+
+ wrappers = { "mount".source = "${pkgs.utillinux.bin}/bin/mount";
+ "umount".source = "${pkgs.utillinux.bin}/bin/umount";
+ "newgrp".source = "${pkgs.shadow}/bin/newgrp";
+ "sg".source = "${pkgs.shadow}/bin/sg";
+ };
+
+ polkit = {
+ enable = true;
+ extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if ( action.id == "org.freedesktop.systemd1.manage-units"
+ && subject.isInGroup("wheel")
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+
+ polkit.addRule(function(action, subject) {
+ if ((action.id == "org.blueman.rfkill.setstate" ||
+ action.id == "org.blueman.network.setup" ||
+ action.id == "org.freedesktop.NetworkManager.settings.modify.system"
+ ) && subject.local
+ && subject.active && subject.isInGroup("network")
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+ };
+ };
+
+ hardware = {
+ pulseaudio = {
+ enable = true;
+ package = with pkgs; pulseaudioFull;
+ };
+
+ bluetooth = {
+ enable = true;
+ extraConfig = ''
+ [General]
+ Enable=Source,Sink,Media,Socket
+ '';
+ };
+
+ trackpoint = {
+ enable = true;
+ emulateWheel = true;
+ sensitivity = 255;
+ speed = 255;
+ };
+
+ brightnessctl.enable = true;
+ };
+
+ sound.enable = true;
+
+ nix = {
+ useSandbox = true;
+ autoOptimiseStore = true;
+ daemonNiceLevel = 10;
+ daemonIONiceLevel = 3;
+ };
+
+ environment.etc."fprintd.conf".source = "${pkgs.fprintd}/etc/fprintd.conf";
+ environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./sif/wacom.conf;
+
+ systemd.services."kill-user@" = {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
+ };
+ };
+ systemd.targets."sleep" = {
+ after = [ "kill-user@uucp.service" ];
+ wants = [ "kill-user@uucp.service" ];
+ };
+
+
+ systemd.user.services."pulseaudio".enable = lib.mkForce false;
+ systemd.user.services."ssh-agent".enable = lib.mkForce false;
+ systemd.user.sockets."pulseaudio".enable = lib.mkForce false;
+
+ systemd.services."ac-plugged" = {
+ description = "Inhibit handling of lid-switch and sleep";
+
+ path = with pkgs;
+ [ systemd coreutils ];
+
+ script = ''
+ exec systemd-inhibit --what=handle-lid-switch:sleep --why="AC is connected" --mode=block sleep infinity
+ '';
+
+ serviceConfig = {
+ Type = "simple";
+ };
+ };
+
+ services.udev.extraRules = with pkgs; ''
+ SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
+ SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+ '';
+
+ services.borgbackup = {
+ snapshots = "btrfs";
+ prefix = "yggdrasil.midgard.sif.";
+ targets = {
+ "munin" = {
+ repo = "borg.munin:borg";
+ paths = [ "/home/gkleen" ];
+ prune = {
+ "home-gkleen" =
+ [ "--keep-within" "24H"
+ "--keep-daily" "31"
+ "--keep-monthly" "12"
+ "--keep-yearly" "-1"
+ ];
+ };
+ };
+ };
+ };
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [ "/" "/home" ];
+ interval = "weekly";
+ };
+
+ systemd.services."nix-daemon".serviceConfig = {
+ MemoryAccounting = true;
+ MemoryHigh = "50%";
+ MemoryMax = "75%";
+ };
+
+ systemd.services."nixos-upgrade" = {
+ path = with pkgs; [ git ];
+ preStart = ''
+ git -C /etc/nixos fetch --recurse-submodules
+ git -C /etc/nixos reset --hard origin/master
+ '';
+ };
+
+ services.compton = {
+ enable = true;
+ backend = "glx";
+ vSync = true;
+ settings = {
+ glx-swap-method = 3;
+ xrender-sync = true;
+ xrender-sync-fence = true;
+ };
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=100M
+ '';
+
+ system.stateVersion = "20.03"; # Did you read the comment?
+}
+
-- cgit v1.2.3
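Review bot: The sudoers line `%wheel ALL=(ALL) NOPASSWD: SYSCTRL` in `security.sudo.extraConfig` grants passwordless `/run/current-system/sw/bin/systemctl` with any arguments, which is root-equivalent for every wheel member (a user-written unit via `systemctl link` then `systemctl start`, or a shell spawned from the pager of `systemctl status`, runs as root without a password), so the password check the rest of the sudo policy relies on is effectively bypassed. The polkit rule further down already lets wheel perform `org.freedesktop.systemd1.manage-units` without sudo, so the alias only needs the power actions and should list them as fixed argument forms, e.g. `Cmnd_Alias SYSCTRL = /run/current-system/sw/sbin/shutdown, /run/current-system/sw/sbin/reboot, /run/current-system/sw/sbin/halt, /run/current-system/sw/bin/systemctl poweroff, /run/current-system/sw/bin/systemctl reboot, /run/current-system/sw/bin/systemctl suspend`. Separately, the module header is `{ config, pkgs, ... }:` while the body uses `lib.mkForce` for `defaultCommands`, the wacom `environment.etc` entry and the disabled user units, so evaluation should fail on an undefined `lib` unless it is bound somewhere not shown; the header should read `{ config, pkgs, lib, ... }:`. The `sshsendmail` pipe transport also splices `$sender` and `$recipient` into a command string that the remote login shell interprets, and `flags=q` applies RFC 822 quoting rather than shell quoting, so given `authorized_submit_users` admits any local user it is worth confirming on the receiving host that a crafted local part cannot be expanded there.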