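# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "hel": a NixOS laptop configuration (hardware, networking, mail via
# UUCP/SSH, desktop, backups).  Review notes are inline; the privilege-relevant
# pieces are `security.sudo`, `security.wrappers`, `security.polkit`, the
# `docker` group membership and the root password below.

{ config, lib, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hel/hw.nix
    ./hel/boot.nix
    ./users.nix
    ./custom/zsh.nix
    ./custom/tinc/def.nix
    ./custom/tinc/yggdrasil.nix
    ./custom/uucp.nix
    ./custom/borgbackup.nix
    ./custom/uucp-mediaclient.nix
    ./custom/uucp-notifyclient.nix
    ./custom/notify-users.nix
    ./utils/nix/module.nix
  ];

  networking = {
    hostName = "hel";
    domain = "midgard.yggdrasil";
    hosts = {
      "127.0.0.1" = [ "hel.midgard.yggdrasil" "hel" ];
      "::1" = [ "hel.midgard.yggdrasil" "hel" ];
    };
    firewall = {
      enable = true;
      # Only these ports are reachable on non-trusted interfaces.  Trusted
      # interfaces (e.g. the tinc/yggdrasil links), if any, are declared in the
      # imported modules, not here.
      allowedTCPPorts = [
        22 # ssh
        24800 # synergy — keyboard/clipboard sharing; the protocol carries
              # keystrokes, so keep this restricted to trusted networks unless
              # the synergy build in use is configured for TLS.
      ];
      allowedUDPPortRanges = [
        { from = 1714; to = 1764; } # kdeconnect
      ];
      allowedTCPPortRanges = [
        { from = 1714; to = 1764; } # kdeconnect
      ];
    };
    networkmanager = {
      enable = true;
      unmanaged = [ "docker0" ];
      dhcp = "internal";
    };
    dhcpcd.enable = false;
  };

  systemd.services."ModemManager" = {
    enable = true;
    wantedBy = [ "network.target" ];
  };

  powerManagement.enable = true;

  i18n = {
    consoleFont = "lat9w-16";
    consoleKeyMap = "dvp";
    defaultLocale = "en_US.UTF-8";
  };

  boot.kernelPackages = pkgs.linuxPackages_latest;
  # boot.kernelPatches = [
  #   { patch = ./patches/udl.patch;
  #     name = "udl-vblank";
  #   }
  # ];

  environment.systemPackages = with pkgs; [
    git slock shadow rewacom autorandr ntfs3g exfat rebuild-system brightnessctl
  ];

  nixpkgs.config.packageOverrides = pkgs: rec {
    # Reloads the wacom kernel module.  This script is a NOPASSWD sudo target
    # (see security.sudo.extraConfig), so modprobe is referenced by store path
    # rather than resolved through the caller's PATH.
    rewacom = pkgs.writeScriptBin "rewacom" ''
      #!${pkgs.stdenv.shell}
      ${pkgs.kmod}/bin/modprobe -r wacom
      ${pkgs.kmod}/bin/modprobe wacom
    '';
    # samsung-unified-linux-driver = pkgs.stdenv.lib.overrideDerivation pkgs.samsung-unified-linux-driver (oldAttrs: {
    #   buildInputs = oldAttrs.buildInputs ++ [ pkgs.makeWrapper ];
    #   builder = pkgs.writeScript "builder.sh" ''
    #     #!${pkgs.stdenv.shell}
    #     source ${pkgs.stdenv}/setup
    #     ${oldAttrs.builder} ${pkgs.lib.concatStringsSep " " oldAttrs.args}
    #     export PATH=${pkgs.makeWrapper}/bin:$PATH
    #     echo "Wrapping samsung filters"
    #     wrapProgram $out/lib/cups/filter/rastertosamsungspl \
    #       --prefix PATH : ${pkgs.ghostscript}/bin
    #     wrapProgram $out/lib/cups/filter/rastertosamsungsplc \
    #       --prefix PATH : ${pkgs.ghostscript}/bin
    #   '';
    # });

    # Out-of-tree libfprint fork (vfs0090 fingerprint reader support), pinned to
    # a commit and content hash so the build is reproducible.
    libfprint = pkgs.stdenv.mkDerivation rec {
      name = "libfprint-${version}";
      version = "vfs0090-f8323a0";
      src = pkgs.fetchFromGitHub {
        owner = "3v1n0";
        repo = "libfprint";
        rev = "f8323a0d3e0616f2822547902306992efd3572e7";
        sha256 = "0y0lkwgw1lx4frm1kxz0hj11x93dby7vxkjly0ck7w7z96nn8bnm";
      };
      buildInputs = with pkgs; [ libusb pixman glib nss nspr gdk_pixbuf openssl ];
      nativeBuildInputs = with pkgs; [ pkgconfig libtool automake autoconf ];
      preConfigure = ''
        NOCONFIGURE=true ./autogen.sh
      '';
      configureFlags = [ "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
    };
    # fprintd rebuilt to read its config from /etc (see environment.etc."fprintd.conf").
    # `or` binds tighter than `++`, so a missing attribute yields an empty list.
    fprintd = pkgs.stdenv.lib.overrideDerivation pkgs.fprintd (oldAttrs: {
      configureFlags = oldAttrs.configureFlags or [] ++ ["--sysconfdir=/etc" "--localstatedir=/var"];
      installFlags = oldAttrs.installFlags or [] ++ ["sysconfdir=\${out}/etc" "localstatedir=\${TMPDIR}"];
    });
  };

  nixpkgs.config.allowUnfree = true;

  virtualisation.docker = {
    enable = true;
    autoPrune.enable = true;
    # Daemon is socket-activated on demand rather than started at boot.
    enableOnBoot = false;
  };

  # Unbound runs chrooted under /var/lib/unbound; bind-mount /etc/unbound into
  # the chroot before start and undo it after stop.
  systemd.services."unbound" = {
    preStart = ''
      if [[ -d /etc/unbound ]]; then
        ${pkgs.coreutils}/bin/mkdir -p /var/lib/unbound/etc/unbound
        ${pkgs.utillinux}/bin/mount --bind -n /etc/unbound /var/lib/unbound/etc/unbound
      fi
    '';
    # mkdir lives in coreutils, not util-linux; the previous util-linux path did
    # not exist and would have aborted preStart whenever /etc/unbound is present.
    serviceConfig.ExecStopPost = lib.mkForce (pkgs.writeScript "unbound-exec-stop-post" ''
      ${pkgs.utillinux}/bin/umount /var/lib/unbound/dev/random
      ${pkgs.utillinux}/bin/umount /var/lib/unbound/etc/unbound
    '');
  };

  services = {
    unbound = {
      enable = true;
      # Enables unbound-control (localhost, certificate-authenticated by
      # unbound's defaults); confirm the control keys are generated by the module.
      extraConfig = ''
        remote-control:
          control-enable: yes
      '';
    };
    fprintd.enable = true;
    vnstat.enable = true;
    gpsd = {
      enable = true;
      # Verbose gpsd logging; device and symlink come from services.udev.extraRules.
      debugLevel = 3;
      device = "/dev/gps0";
      readonly = false;
    };
    logind.extraConfig = ''
      HandleLidSwitch=hybrid-sleep
      LidSwitchIgnoreInhibited=no
    '';
    openssh = {
      enable = true;
    };
    atd = {
      enable = true;
      # Every local user may queue at/batch jobs.
      allowEveryone = true;
    };
    xserver = {
      enable = true;
      layout = "us";
      xkbVariant = "dvp";
      xkbOptions = "compose:caps";
      displayManager.lightdm = {
        enable = true;
      };
      desktopManager = {
        default = "none";
        xterm.enable = false;
      };
      windowManager = {
        default = "xmonad";
        xmonad = {
          enable = true;
          extraPackages = haskellPackages: (with haskellPackages; [ xmonad-contrib hostname libnotify aeson temporary parsec network ]);
        };
      };
      wacom.enable = true;
      multitouch.enable = true;
      libinput.enable = true;
      dpi = 210;
    };
    # Time comes from chrony fed by the GPS reference clock; ntpd and timesyncd
    # are disabled so only one daemon steps the clock.
    ntp.enable = false;
    timesyncd.enable = false;
    chrony = {
      enable = true;
      extraConfig = ''
        refclock SOCK /var/run/chrony.gps0.sock refid GPS
      '';
    };
    yggdrasilTinc = {
      enable = true;
      connect = true;
      name = "hel";
      interfaceConfig = {
        macAddress = "ee:10:15:9a:cc:1f";
      };
    };
    uucp = {
      enable = true;
      nodeName = "hel";
      # Peer identity is pinned by SSH public key; hostnames are only used for
      # connection setup.
      remoteNodes = {
        "odin" = {
          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcDj49TqmflGTmtGBqDawxmCBWW1txj61CZ7KT0hTHK uucp@odin"];
          hostnames = ["odin.asgard.yggdrasil"];
        };
        "ymir" = {
          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir"];
          hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
        };
      };
      # No commands are executable by remote UUCP nodes on this host.
      defaultCommands = lib.mkForce [];
      media-client = {
        remoteNodes = [ "odin" ];
        notify.users = [ "gkleen" ];
      };
      notify-client = {
        remoteNodes = { odin = {}; };
      };
    };
    notify-users = [ "gkleen" ];
    postfix = {
      enable = true;
      enableSmtp = true;
      enableSubmission = false;
      setSendmail = true;
      networksStyle = "host";
      hostname = "hel.midgard.yggdrasil";
      destination = [];
      relayHost = "uucp:ymir";
      recipientDelimiter = "+";
      masterConfig = {
        # Outbound mail to UUCP neighbours is handed to uux through the setuid
        # wrapper directory (the wrapper itself is defined in ./custom/uucp.nix).
        uucp = {
          type = "unix";
          private = true;
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=Fqhu"
            "user=uucp"
            ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)''
          ];
        };
        # Outbound mail to the math relay is delivered by running sendmail over
        # SSH as the dedicated postfix_ssh user.  Host-key pinning and the
        # identity file live in /var/db/postfix_ssh/ssh.config (outside the
        # store); confirm StrictHostKeyChecking is set there.
        sshsendmail = {
          type = "unix";
          private = true;
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=Fq"
            "user=postfix_ssh"
            ''argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient''
          ];
        };
      };
      transport = ''
        odin.asgard.yggdrasil uucp:odin
      '';
      config = {
        always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
        default_transport = "uucp:ymir";
        # Not reachable from the network; only local submission.
        inet_interfaces = "loopback-only";
        authorized_submit_users = ["!uucp" "static:anyone"];
        message_size_limit = "0";
        # Sender-address based relay selection for university addresses.
        sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
          /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ sshsendmail:math60.mathinst.loc
          /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
          /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
          /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
        ''}'';
        smtp_sasl_auth_enable = true;
        smtp_sender_dependent_authentication = true;
        # The relaxed option set below applies only on sessions whose server
        # certificate was verified.  With security level "dane", destinations
        # without TLSA records get opportunistic, unverified TLS, so the
        # default (stricter) smtp_sasl_tls_security_options governs them —
        # check that the relays above publish TLSA, or add per-destination
        # policy, if SASL login to them is expected to work.
        smtp_sasl_tls_verified_security_options = "noanonymous";
        smtp_tls_security_level = "dane";
        # Credentials stay outside the Nix store.
        smtp_sasl_password_maps = "texthash:/var/db/postfix/sasl_passwd";
        smtp_cname_overrides_servername = false;
        smtp_always_send_ehlo = true;
        smtp_tls_loglevel = "1";
        smtp_dns_support_level = "dnssec";
      };
    };
    printing = {
      enable = true;
      drivers = with pkgs; [ samsung-unified-linux-driver hplip ];
    };
    upower = {
      enable = true;
    };
    locate = {
      enable = true;
      interval = "hourly";
      locate = pkgs.mlocate;
      # null: updatedb runs as root; mlocate enforces per-user visibility at query time.
      localuser = null;
      prunePaths = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool"];
    };
    dbus = {
      enable = true;
      packages = [
        # NOTE(review): installs an empty file as a system-bus policy; an empty
        # document is not valid bus-config XML, so this presumably only serves
        # to override/neutralise a file of the same name — confirm intent.
        (pkgs.writeTextFile {
          name = "eavesdrop.conf";
          text = '' '';
          destination = "/etc/dbus-1/system.d/eavesdrop.conf";
        })
      ];
    };
  };

  # gpsd feeds chrony's SOCK refclock, so chrony must be up first.
  systemd.services."gpsd".wants = [ "chronyd.service" ];
  systemd.services."gpsd".after = [ "chronyd.service" ];

  users = {
    # All accounts, password hashes and keys are declared here; nothing is
    # changeable at runtime.
    mutableUsers = false;
    # NOTE(review): root reuses gkleen's password hash, so the two accounts
    # share one credential — compromise or reuse of that password is root.
    extraUsers.root = {
      inherit (import ./users/gkleen.nix) shell hashedPassword;
    };
    # NOTE(review): membership in "docker" is root-equivalent through the daemon
    # socket (the user can start privileged containers).
    extraUsers.gkleen.extraGroups = [ "media" "networkmanager" "docker" ];
    extraUsers.gkleen.packages = with pkgs; [ steam ];
    # Dedicated unprivileged identity for the sshsendmail transport; its SSH
    # key and config are expected under the home directory.
    extraUsers.postfix_ssh = {
      isSystemUser = true;
      home = "/var/db/postfix_ssh";
    };
    extraGroups = {
      network = {};
    };
  };

  security = {
    # NOTE(review): an unrestricted `systemctl` under NOPASSWD lets any wheel
    # member run arbitrary units as root, so this entry is effectively
    # "NOPASSWD: ALL" for wheel; if that is not intended, list the specific
    # verbs (e.g. `systemctl suspend`) instead.  The polkit rule below already
    # grants wheel unit management without a password, so the two overlap.
    sudo.extraConfig = ''
      Cmnd_Alias SYSCTRL = /run/current-system/sw/sbin/shutdown, /run/current-system/sw/sbin/reboot, /run/current-system/sw/sbin/halt, /run/current-system/sw/bin/systemctl, ${pkgs.rewacom}/bin/rewacom
      %wheel ALL=(ALL) NOPASSWD: SYSCTRL
    '';
    # NixOS of this vintage installs security.wrappers entries as setuid-root
    # by default.  The standard tools (mount, umount, newgrp, sg, mount.cifs,
    # slock) are designed to run setuid; "thinklight" is a local package, so
    # its script deserves the same scrutiny (argument handling, PATH use).
    wrappers = {
      "slock".source = "${pkgs.slock}/bin/slock";
      "mount".source = "${pkgs.utillinux.bin}/bin/mount";
      "umount".source = "${pkgs.utillinux.bin}/bin/umount";
      "newgrp".source = "${pkgs.shadow}/bin/newgrp";
      "sg".source = "${pkgs.shadow}/bin/sg";
      "mount.cifs".source = "${pkgs.cifs-utils}/bin/mount.cifs";
      "thinklight".source = "${(pkgs.callPackage ./custom/thinklight.nix { thinklight = "kbd_backlight"; })}/bin/thinklight";
    };
    polkit = {
      enable = true;
      # First rule: wheel may manage systemd units (root-equivalent).  Unlike
      # the second rule it has no `subject.local && subject.active` condition,
      # so it also applies to remote (SSH) sessions of wheel members.
      extraConfig = ''
        polkit.addRule(function(action, subject) {
          if ( action.id == "org.freedesktop.systemd1.manage-units"
               && subject.isInGroup("wheel")
             ) {
            return polkit.Result.YES;
          }
        });
        polkit.addRule(function(action, subject) {
          if ((action.id == "org.blueman.rfkill.setstate"
               || action.id == "org.blueman.network.setup"
               || action.id == "org.freedesktop.NetworkManager.settings.modify.system"
              )
              && subject.local
              && subject.active
              && subject.isInGroup("network")
             ) {
            return polkit.Result.YES;
          }
        });
      '';
    };
  };

  time.timeZone = "Europe/Berlin";

  hardware = {
    pulseaudio = {
      enable = true;
      package = with pkgs; pulseaudioFull;
      support32Bit = true;
    };
    opengl = {
      enable = true;
      extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ];
      driSupport32Bit = true;
    };
    bluetooth = {
      enable = true;
      extraConfig = ''
        [General]
        Enable=Source,Sink,Media,Socket
      '';
    };
    trackpoint = {
      enable = true;
      emulateWheel = true;
      sensitivity = 255;
      speed = 255;
    };
    # sane = {
    #   enable = true;
    #   extraBackends = with pkgs; [ samsung-unified-linux-driver ];
    #   configDir = "/etc/sane.d";
    # };
    sensor.iio.enable = true;
    brightnessctl.enable = true;
  };
  sound.enable = true;

  # nix.gc = {
  #   automatic = true;
  #   dates = "daily";
  #   options = "--delete-older-than 30d";
  # };
  nix = {
    # Builds run in the sandbox, so package builds cannot read the host.
    useSandbox = true;
    autoOptimiseStore = true;
    daemonNiceLevel = 10;
    daemonIONiceLevel = 3;
  };

  environment.variables = {
    SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
    SANE_CONFIG_DIR = "/etc/sane.d";
    TPRINT_BASEURL = "http://bragi.asgard.yggdrasil/thermoprint/api";
    MPD_HOST = "bragi.asgard.yggdrasil";
    MPD_PORT = "6600";
  };

  environment.etc."fprintd.conf".source = "${pkgs.fprintd}/etc/fprintd.conf";
  environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./hel/wacom.conf;
  environment.etc."sane.d/dll.conf".text = "xerox_mfp";
  environment.etc."sane.d/xerox_mfp.conf".text = "tcp printer.asgard.yggdrasil";

  # Template unit: kill-user@<name>.service terminates that user's session
  # processes; used below to stop the uucp user before sleep.
  systemd.services."kill-user@" = {
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
    };
  };
  systemd.targets."sleep" = {
    after = [ "kill-user@uucp.service" ];
    wants = [ "kill-user@uucp.service" ];
  };

  systemd.automounts = [
    { where = "/media";
      automountConfig = {
        TimeoutIdleSec = "5min";
        DirectoryMode = "555";
      };
      wantedBy = [ "remote-fs.target" ];
    }
  ];
  systemd.mounts = [
    # Read-only guest CIFS share from odin, mounted on demand via the automount.
    { after = [ "network-online.target" ];
      bindsTo = [ "network-online.target" ];
      where = "/media";
      what = "//odin.asgard.yggdrasil/media";
      type = "cifs";
      options = lib.concatStringsSep "," [ "ro" "guest" ];
    }
    # tmpfs /tmp with nosuid,nodev so nothing placed there can gain privilege.
    { where = "/tmp";
      what = "tmpfs";
      type = "tmpfs";
      options = lib.concatStringsSep "," ["mode=1777" "strictatime" "nosuid" "nodev" "size=16G"];
      after = [ "swap.target" ];
      before = [ "local-fs.target" "umount.target" ];
      conflicts = [ "umount.target" ];
      wantedBy = [ "local-fs.target" ];
    }
  ];

  systemd.user.services."pulseaudio".enable = lib.mkForce false;
  systemd.user.services."ssh-agent".enable = lib.mkForce false;
  systemd.user.sockets."pulseaudio".enable = lib.mkForce false;

  # While on AC power, hold an inhibitor so lid close / sleep are blocked.
  # Started and stopped by the power_supply udev rules below.
  systemd.services."ac-plugged" = {
    description = "Inhibit handling of lid-switch and sleep";
    path = with pkgs; [ systemd coreutils ];
    script = ''
      exec systemd-inhibit --what=handle-lid-switch:sleep --why="AC is connected" --mode=block sleep infinity
    '';
    serviceConfig = {
      Type = "simple";
    };
  };
  # The GPS modem exposes two interfaces; both are hidden from ModemManager and
  # given stable names (gps0 = NMEA stream, gpsctl0 = AT control channel).
  services.udev.extraRules = with pkgs; ''
    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
    KERNELS=="1-2:1.2", ENV{ID_MM_DEVICE_IGNORE}="1", SYMLINK+="gps0"
    KERNELS=="1-2:1.3", ENV{ID_MM_DEVICE_IGNORE}="1", SYMLINK+="gpsctl0", TAG+="systemd"
  '';

  # Periodically re-issues the tracking command on the control channel.
  systemd.services."gpscfg" = {
    description = "Configure GPS";
    script = ''
      printf 'AT!GPSTRACK=1,255,30,1000,1\r' > /dev/gpsctl0
    '';
  };
  # The timer is tied to the device unit of the gpsctl0 symlink (created with
  # TAG+="systemd" above).  It previously referenced "dev-gpscfg0.device",
  # which no rule in this file creates, so it was never pulled in.
  systemd.timers."gpscfg" = {
    enable = true;
    bindsTo = [ "dev-gpsctl0.device" ];
    after = [ "dev-gpsctl0.device" ];
    wantedBy = [ "dev-gpsctl0.device" ];
    timerConfig = {
      OnActiveSec = "0s";
      OnUnitInactiveSec = "5m";
    };
  };

  services.borgbackup = {
    snapshots = "btrfs";
    prefix = "yggdrasil.midgard.hel.";
    targets = {
      "munin" = {
        repo = "borg.munin:borg";
        paths = [ "/home/gkleen" ];
        prune = {
          # "-1" for --keep-yearly means keep all yearly archives.
          "home-gkleen" = [ "--keep-within" "24H" "--keep-daily" "31" "--keep-monthly" "12" "--keep-yearly" "-1" ];
        };
      };
    };
  };

  services.btrfs.autoScrub = {
    enable = true;
    fileSystems = [ "/" ];
    interval = "weekly";
  };

  # Cap build memory so a large build cannot push the desktop into swap death.
  systemd.services."nix-daemon".serviceConfig = {
    MemoryAccounting = true;
    MemoryHigh = "50%";
    MemoryMax = "75%";
  };

  # No shares are defined here; the firewall above does not open 139/445, so
  # smbd is reachable only over interfaces trusted elsewhere, if any.
  services.samba = {
    enable = true;
    extraConfig = ''
      domain master = no
      local master = no
      workgroup = ASGARD
      load printers = no
      printing = bsd
      printcap name = /dev/null
      disable spoolss = yes
    '';
  };

  # NOTE(review): the upgrade unit runs as root and applies whatever
  # origin/master contains, with no commit/tag signature check
  # (`git verify-commit`) — the remote and its transport are fully trusted.
  # `reset --hard` also silently discards local edits in /etc/nixos.
  systemd.services."nixos-upgrade" = {
    path = with pkgs; [ git ];
    preStart = ''
      git -C /etc/nixos fetch --recurse-submodules
      git -C /etc/nixos reset --hard origin/master
    '';
  };

  services.compton = {
    enable = true;
    backend = "glx";
    vSync = "opengl-swc";
    extraOptions = ''
      glx-swap-method = 3;
      xrender-sync = true;
      xrender-sync-fence = true;
    '';
  };

  programs = {
    # Installs the privileged dumpcap wrapper for the "wireshark" group; no
    # user in this file is a member of that group.
    wireshark = {
      enable = true;
      package = with pkgs; wireshark-qt;
    };
  };

  services.journald.extraConfig = ''
    SystemMaxUse=100M
  '';

  system = {
    stateVersion = "16.09";
  };
}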