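# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "hel": laptop-style workstation (xmonad, fingerprint reader,
# wacom, GPS-disciplined chrony) that also acts as a uucp/postfix mail
# node inside the yggdrasil tinc mesh.

{ config, lib, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hel/hw.nix
    ./hel/boot.nix
    ./users.nix
    ./custom/zsh.nix
    ./custom/tinc/def.nix
    ./custom/tinc/yggdrasil.nix
    ./custom/uucp.nix
    ./custom/borgbackup.nix
    ./custom/uucp-mediaclient.nix
    ./custom/uucp-notifyclient.nix
    ./custom/notify-users.nix
    ./utils/nix/module.nix
  ];

  networking = {
    hostName = "hel";
    domain = "midgard.yggdrasil";
    hosts = {
      "127.0.0.1" = [ "hel.midgard.yggdrasil" "hel" ];
      "::1" = [ "hel.midgard.yggdrasil" "hel" ];
    };

    # Only ssh and the kdeconnect range are opened here.  Every other
    # listener configured below (cups, samba, gpsd, ...) is not reachable
    # from outside this host unless one of the imported modules opens it
    # or marks an interface as trusted.
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # ssh
      ];
      allowedUDPPortRanges = [
        { from = 1714; to = 1764; } # kdeconnect
      ];
      allowedTCPPortRanges = [
        { from = 1714; to = 1764; } # kdeconnect
      ];
    };

    networkmanager = {
      enable = true;
      unmanaged = [ "docker0" ];
      dhcp = "internal";
      # Local validating resolver; the negative trust anchors for RFC1918
      # reverse zones and the internal domains are in environment.etc below.
      dns = "unbound";
    };
    dhcpcd.enable = false;
  };

  systemd.services."modem-manager" = {
    enable = true;
    wantedBy = [ "network.target" ];
  };

  powerManagement.enable = true;

  i18n = {
    consoleFont = "lat9w-16";
    consoleKeyMap = "dvp";
    defaultLocale = "en_US.UTF-8";
  };

  boot.kernelPackages = pkgs.linuxPackages_latest;
  # boot.kernelPatches = [
  #   { patch = ./patches/udl.patch;
  #     name = "udl-vblank";
  #   }
  # ];

  environment.systemPackages = with pkgs; [
    git slock shadow rewacom autorandr ntfs3g exfat rebuild-system
  ];

  nixpkgs.config.packageOverrides = pkgs: rec {
    # Reload the wacom kernel module; exposed to wheel via the sudo
    # Cmnd_Alias below, so keep this script free of user-controlled input.
    rewacom = pkgs.writeScriptBin "rewacom" ''
      #!${pkgs.stdenv.shell}
      modprobe -r wacom
      modprobe wacom
    '';

    # Re-run the vendor builder, then wrap the two cups filters so they find
    # ghostscript on PATH at runtime.
    samsung-unified-linux-driver = pkgs.stdenv.lib.overrideDerivation pkgs.samsung-unified-linux-driver (oldAttrs: {
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.makeWrapper ];
      builder = pkgs.writeScript "builder.sh" ''
        #!${pkgs.stdenv.shell}
        source ${pkgs.stdenv}/setup
        ${oldAttrs.builder} ${pkgs.lib.concatStringsSep " " oldAttrs.args}
        export PATH=${pkgs.makeWrapper}/bin:$PATH
        echo "Wrapping samsung filters"
        wrapProgram $out/lib/cups/filter/rastertosamsungspl \
          --prefix PATH : ${pkgs.ghostscript}/bin
        wrapProgram $out/lib/cups/filter/rastertosamsungsplc \
          --prefix PATH : ${pkgs.ghostscript}/bin
      '';
    });

    # libfprint fork with the vfs0090 (Validity) driver, pinned to a commit
    # and its content hash so the fetch is reproducible.
    libfprint = pkgs.stdenv.mkDerivation rec {
      name = "libfprint-${version}";
      version = "vfs0090-f8323a0";

      src = pkgs.fetchFromGitHub {
        owner = "3v1n0";
        repo = "libfprint";
        rev = "f8323a0d3e0616f2822547902306992efd3572e7";
        sha256 = "0y0lkwgw1lx4frm1kxz0hj11x93dby7vxkjly0ck7w7z96nn8bnm";
      };

      buildInputs = with pkgs; [ libusb pixman glib nss nspr gdk_pixbuf openssl ];
      nativeBuildInputs = with pkgs; [ pkgconfig libtool automake autoconf ];

      preConfigure = ''
        NOCONFIGURE=true ./autogen.sh
      '';

      configureFlags = [ "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
    };

    # Build fprintd against /etc and /var at configure time, but redirect
    # the install step into $out and a temp dir so the sandbox build works.
    # The "\${...}" are passed literally to make, not expanded by nix.
    fprintd = pkgs.stdenv.lib.overrideDerivation pkgs.fprintd (oldAttrs: {
      configureFlags = oldAttrs.configureFlags or [] ++ ["--sysconfdir=/etc" "--localstatedir=/var"];
      installFlags = oldAttrs.installFlags or [] ++ ["sysconfdir=\${out}/etc" "localstatedir=\${TMPDIR}"];
    });
  };

  nixpkgs.config.allowUnfree = true;

  virtualisation.docker = {
    enable = true;
    autoPrune.enable = true;
    enableOnBoot = false;
  };

  services = {
    fprintd.enable = true;

    vnstat = {
      enable = true;
    };

    gpsd = {
      enable = true;
      debugLevel = 3;
      device = "/dev/gps0"; # symlink created by the udev rule below
      readonly = false;
    };

    logind.extraConfig = ''
      HandleLidSwitch=hybrid-sleep
      LidSwitchIgnoreInhibited=no
    '';

    # Port 22 is open in the firewall above and root carries a password
    # hash (users.extraUsers.root below).  passwordAuthentication and
    # permitRootLogin are left at module defaults here.
    # NOTE(review): confirm those defaults are the intended policy for this
    # host; the uucp peers authenticate with the ssh-ed25519 keys listed
    # under services.uucp and do not need password logins.
    openssh = {
      enable = true;
    };

    atd = {
      enable = true;
      allowEveryone = true;
    };

    xserver = {
      enable = true;
      layout = "us";
      xkbVariant = "dvp";
      xkbOptions = "compose:caps";

      displayManager.lightdm = {
        enable = true;
      };
      desktopManager = {
        default = "none";
        xterm.enable = false;
      };
      windowManager = {
        default = "xmonad";
        xmonad = {
          enable = true;
          extraPackages = haskellPackages: (with haskellPackages; [
            xmonad-contrib hostname libnotify aeson temporary parsec network
          ]);
        };
      };

      wacom.enable = true;
      multitouch.enable = true;
      dpi = 210;
    };

    # Time comes from the GPS via chrony's SOCK refclock (fed by gpsd);
    # the other time daemons are disabled so they do not compete.
    ntp.enable = false;
    timesyncd.enable = false;
    chrony = {
      enable = true;
      extraConfig = ''
        refclock SOCK /var/run/chrony.gps0.sock refid GPS
      '';
    };

    yggdrasilTinc = {
      enable = true;
      connect = true;
      name = "hel";
      interfaceConfig = {
        macAddress = "ee:10:15:9a:cc:1f";
      };
    };

    uucp = {
      enable = true;
      nodeName = "hel";
      remoteNodes = {
        "odin" = {
          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcDj49TqmflGTmtGBqDawxmCBWW1txj61CZ7KT0hTHK uucp@odin"];
          hostnames = ["odin.asgard.yggdrasil"];
        };
        "ymir" = {
          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir"];
          hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
        };
      };
      defaultCommands = lib.mkForce [];
      media-client = {
        remoteNodes = [ "odin" ];
        notify.users = [ "gkleen" ];
      };
      notify-client = {
        remoteNodes = {
          odin = {};
        };
      };
    };

    notify-users = [ "gkleen" ];

    # Local-only postfix: listens on loopback, relays everything over uucp
    # to ymir by default, with per-sender exceptions routed via ssh or
    # authenticated smtp.  SASL credentials are kept outside the nix store
    # in /var/db/postfix/sasl_passwd.
    postfix = {
      enable = true;
      enableSmtp = true;
      enableSubmission = false;
      setSendmail = true;
      networksStyle = "host";
      hostname = "hel.midgard.yggdrasil";
      destination = [];
      relayHost = "uucp:ymir";
      recipientDelimiter = "+";
      # master.cf continuation lines must stay indented deeper than the
      # service line they belong to.
      extraMasterConf = ''
        uucp unix - n n - - pipe
          flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
        sshsendmail unix - n n - - pipe
          flags=Fq user=postfix_ssh argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient
      '';
      transport = ''
        odin.asgard.yggdrasil uucp:odin
      '';
      extraConfig = ''
        always_bcc = gkleen+sent@odin.asgard.yggdrasil
        default_transport = uucp:ymir
        inet_interfaces = loopback-only
        authorized_submit_users = !uucp, static:anyone
        message_size_limit = 0
        sender_dependent_default_transport_maps = regexp:${pkgs.writeText "sender_relay" ''
          /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ sshsendmail:math60.mathinst.loc
          /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
          /@campus\.lmu\.de$/ smtp:postout.lrz.de
        ''}
        smtp_sasl_auth_enable = yes
        smtp_sender_dependent_authentication = yes
        smtp_sasl_tls_security_options = noanonymous
        smtp_tls_security_level = dane
        smtp_sasl_password_maps = texthash:/var/db/postfix/sasl_passwd
        smtp_cname_overrides_servername = no
        smtp_always_send_ehlo = yes
        smtp_tls_loglevel = 1
        smtp_dns_support_level = dnssec
      '';
    };

    printing = {
      enable = true;
      drivers = with pkgs; [ samsung-unified-linux-driver ];
    };

    upower = {
      enable = true;
    };

    locate = {
      enable = true;
      interval = "hourly";
      locate = pkgs.mlocate;
      localuser = null;
      prunePaths = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool"];
    };

    dbus = {
      enable = true;
      packages = [
        # NOTE(review): the installed policy file is empty.  An empty file is
        # not a well-formed <busconfig> document; either give it the intended
        # eavesdrop policy or drop the entry.
        (pkgs.writeTextFile {
          name = "eavesdrop.conf";
          text = ''
          '';
          destination = "/etc/dbus-1/system.d/eavesdrop.conf";
        })
      ];
    };
  };

  systemd.services."gpsd".wants = [ "chronyd.service" ];
  systemd.services."gpsd".after = [ "chronyd.service" ];

  users = {
    mutableUsers = false;
    # root reuses gkleen's shell and password hash.
    extraUsers.root = {
      inherit (import ./users/gkleen.nix) shell hashedPassword;
    };
    # "docker" membership is root-equivalent on the host.
    extraUsers.gkleen.extraGroups = [ "media" "networkmanager" "docker" ];
    # Unprivileged account that owns the ssh config/keys for the
    # sshsendmail transport in master.cf.
    extraUsers.postfix_ssh = {
      isSystemUser = true;
      home = "/var/db/postfix_ssh";
    };
    extraGroups = {
      network = {};
    };
  };

  security = {
    # NOTE(review): systemctl is listed without argument restrictions, so
    # this NOPASSWD grant is effectively unrestricted root for wheel
    # (the polkit rule below already lets wheel manage units without sudo).
    # Consider limiting the alias to the verbs actually needed.
    sudo.extraConfig = ''
      Cmnd_Alias SYSCTRL = /run/current-system/sw/sbin/shutdown, /run/current-system/sw/sbin/reboot, /run/current-system/sw/sbin/halt, /run/current-system/sw/bin/systemctl, ${pkgs.rewacom}/bin/rewacom
      %wheel ALL=(ALL) NOPASSWD: SYSCTRL
    '';

    # With only `source` set these get the wrappers module's default
    # (setuid root).  thinklight is a locally packaged script; keep its
    # argument handling in ./custom/thinklight.nix reviewed accordingly.
    wrappers = {
      "slock".source = "${pkgs.slock}/bin/slock";
      "mount".source = "${pkgs.utillinux.bin}/bin/mount";
      "umount".source = "${pkgs.utillinux.bin}/bin/umount";
      "newgrp".source = "${pkgs.shadow}/bin/newgrp";
      "sg".source = "${pkgs.shadow}/bin/sg";
      "mount.cifs".source = "${pkgs.cifs-utils}/bin/mount.cifs";
      "thinklight".source = "${(pkgs.callPackage ./custom/thinklight.nix { thinklight = "kbd_backlight"; })}/bin/thinklight";
    };

    polkit = {
      enable = true;
      extraConfig = ''
        polkit.addRule(function(action, subject) {
          if (   action.id == "org.freedesktop.systemd1.manage-units"
              && subject.isInGroup("wheel")
             ) {
            return polkit.Result.YES;
          }
        });
      '';
    };
  };

  time.timeZone = "Europe/Berlin";

  hardware = {
    pulseaudio = {
      enable = true;
      package = with pkgs; pulseaudioFull;
      support32Bit = true;
    };
    opengl = {
      enable = true;
      extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ];
      driSupport32Bit = true;
    };
    bluetooth = {
      enable = true;
      extraConfig = ''
        [General]
        Enable=Source,Sink,Media,Socket
      '';
    };
    # sane = {
    #   enable = true;
    #   extraBackends = with pkgs; [ samsung-unified-linux-driver ];
    #   configDir = "/etc/sane.d";
    # };
    sensor.iio.enable = true;
  };

  sound.enable = true;

  # nix.gc = {
  #   automatic = true;
  #   dates = "daily";
  #   options = "--delete-older-than 30d";
  # };

  nix = {
    useSandbox = true;
    autoOptimiseStore = true;
    daemonNiceLevel = 10;
    daemonIONiceLevel = 3;
  };

  environment.variables = {
    SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
    SANE_CONFIG_DIR = "/etc/sane.d";
    TPRINT_BASEURL = "http://bragi.asgard.yggdrasil/thermoprint/api";
    MPD_HOST = "bragi.asgard.yggdrasil";
    MPD_PORT = "6600";
  };

  environment.etc."fprintd.conf".source = "${pkgs.fprintd}/etc/fprintd.conf";
  environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./hel/wacom.conf;
  environment.etc."sane.d/dll.conf".text = "xerox_mfp";
  environment.etc."sane.d/xerox_mfp.conf".text = "tcp printer.asgard.yggdrasil";

  # Template unit: kill all sessions/processes of user %I.  Pulled in by
  # sleep.target below so the uucp user is terminated before suspend.
  systemd.services."kill-user@" = {
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
    };
  };
  systemd.targets."sleep" = {
    after = [ "kill-user@uucp.service" ];
    wants = [ "kill-user@uucp.service" ];
  };

  # Read-only, unauthenticated (guest) cifs share from odin, mounted on demand.
  systemd.automounts = [
    { where = "/media";
      automountConfig = {
        TimeoutIdleSec = "5min";
        DirectoryMode = "555";
      };
      wantedBy = [ "remote-fs.target" ];
    }
  ];
  systemd.mounts = [
    { after = [ "network-online.target" ];
      bindsTo = [ "network-online.target" ];
      where = "/media";
      what = "//odin.asgard.yggdrasil/media";
      type = "cifs";
      options = lib.concatStringsSep "," [ "ro" "guest" ];
    }
  ];

  systemd.user.services."pulseaudio".enable = lib.mkForce false;
  systemd.user.services."ssh-agent".enable = lib.mkForce false;
  systemd.user.sockets."pulseaudio".enable = lib.mkForce false;

  # Started/stopped by the power_supply udev rules below: while on AC,
  # hold a block inhibitor so the lid switch and sleep are ignored.
  systemd.services."ac-plugged" = {
    description = "Inhibit handling of lid-switch and sleep";
    path = with pkgs; [ systemd coreutils ];
    script = ''
      exec systemd-inhibit --what=handle-lid-switch:sleep --why="AC is connected" --mode=block sleep infinity
    '';
    serviceConfig = {
      Type = "simple";
    };
  };

  # The two USB interfaces of the WWAN/GPS card are hidden from
  # ModemManager and exposed as /dev/gps0 (NMEA, used by gpsd) and
  # /dev/gpsctl0 (AT control port).  TAG+="systemd" makes systemd create
  # a dev-gpsctl0.device unit for the control port.
  services.udev.extraRules = with pkgs; ''
    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
    KERNELS=="1-2:1.2", ENV{ID_MM_DEVICE_IGNORE}="1", SYMLINK+="gps0"
    KERNELS=="1-2:1.3", ENV{ID_MM_DEVICE_IGNORE}="1", SYMLINK+="gpsctl0", TAG+="systemd"
  '';

  systemd.services."gpscfg" = {
    description = "Configure GPS";
    script = ''
      printf 'AT!GPSTRACK=1,255,30,1000,1\r' > /dev/gpsctl0
    '';
  };
  systemd.timers."gpscfg" = {
    enable = true;
    # Tied to the device unit of the control port created by the udev rule
    # above (SYMLINK+="gpsctl0"), i.e. dev-gpsctl0.device.  The previous
    # spelling "dev-gpscfg0.device" named a unit that nothing creates, so
    # the timer was pinned to a device that never appears.
    bindsTo = [ "dev-gpsctl0.device" ];
    after = [ "dev-gpsctl0.device" ];
    wantedBy = [ "dev-gpsctl0.device" ];
    timerConfig = {
      OnActiveSec = "0s";
      OnUnitInactiveSec = "5m";
    };
  };

  services.borgbackup = {
    snapshots = "btrfs";
    prefix = "yggdrasil.midgard.hel.";
    targets = {
      "munin" = {
        repo = "borg.munin:borg";
        paths = [ "/home/gkleen" ];
        prune = {
          "/home/gkleen" = [ "--keep-within" "24H" "--keep-daily" "31" "--keep-monthly" "12" "--keep-yearly" "-1" ];
        };
      };
    };
  };

  services.btrfs.autoScrub = {
    enable = true;
    fileSystems = [ "/" ];
    interval = "weekly";
  };

  systemd.services."nix-daemon".serviceConfig = {
    MemoryAccounting = true;
    MemoryHigh = "50%";
    MemoryMax = "75%";
  };

  # No SMB ports are opened in the firewall above, so smbd/nmbd only
  # answer on this host.
  services.samba = {
    enable = true;
    extraConfig = ''
      domain master = no
      local master = no
      workgroup = ASGARD
      load printers = no
      printing = bsd
      printcap name = /dev/null
      disable spoolss = yes
    '';
  };

  # Before each automatic upgrade, hard-reset /etc/nixos to origin/master.
  # NOTE(review): nothing verifies the fetched commit (no `git verify-commit`
  # or tag check), so whoever can write to the remote or tamper with the
  # transport decides what this host builds and activates next.
  systemd.services."nixos-upgrade" = {
    path = with pkgs; [ git ];
    preStart = ''
      git -C /etc/nixos fetch --recurse-submodules
      git -C /etc/nixos reset --hard origin/master
    '';
  };

  # Negative trust anchors for unbound: do not expect DNSSEC on the
  # private-range reverse zones or the internal forward domains.
  environment.etc."dnssec-trust-anchors.d/local-ip.negative" = {
    text = ''
      10.in-addr.arpa
      16.172.in-addr.arpa
      17.172.in-addr.arpa
      18.172.in-addr.arpa
      19.172.in-addr.arpa
      20.172.in-addr.arpa
      21.172.in-addr.arpa
      22.172.in-addr.arpa
      23.172.in-addr.arpa
      24.172.in-addr.arpa
      25.172.in-addr.arpa
      26.172.in-addr.arpa
      27.172.in-addr.arpa
      28.172.in-addr.arpa
      29.172.in-addr.arpa
      30.172.in-addr.arpa
      31.172.in-addr.arpa
      168.192.in-addr.arpa
      d.f.ip6.arpa
    '';
  };
  environment.etc."dnssec-trust-anchors.d/local-domains.negative" = {
    text = ''
      yggdrasil
      box
    '';
  };

  # Fingerprint-only PAM stack: pam_fprintd.so is the sole auth factor
  # for uids >= 1000 (pam_succeed_if gates system accounts out first).
  security.pam.services = {
    gdm-fingerprint.text = ''
      auth       requisite                   pam_nologin.so
      auth       required                    pam_env.so envfile=${config.system.build.pamEnvironment}
      auth       required                    pam_succeed_if.so uid >= 1000 quiet
      auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
      auth       optional                    ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so

      account    sufficient                  pam_unix.so

      password   required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so

      session    required                    pam_env.so envfile=${config.system.build.pamEnvironment}
      session    required                    pam_unix.so
      session    required                    pam_loginuid.so
      session    optional                    ${pkgs.systemd}/lib/security/pam_systemd.so
      session    optional                    ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
    '';
  };

  system = {
    stateVersion = "16.09";
  };
}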