# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# NixOS configuration for the laptop "hel" (see networking.hostName):
# sftp-only `media` drop box, UUCP-over-ssh mail/file exchange with the
# peers "isaac"/odin and "ymir", a Postfix instance that only listens on
# loopback, and an X11/xmonad desktop.
#
# NOTE(review): the option set is the 16.09-era one (system.stateVersion);
# several options used below (i18n.console*, displayManager.slim,
# services.xserver.multitouch, nix.useSandbox) were renamed or removed in
# later NixOS releases — expect to adapt them before upgrading.

{ config, lib, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hel/hw.nix
      ./hel/boot.nix
      ./users.nix
      ./custom/zsh.nix
      ./custom/tinc/def.nix
      ./custom/uucp.nix
    ];

  system.stateVersion = "16.09";

  networking = {
    hostName = "hel";
    # Only sshd is exposed here. Other listeners (tinc, cups) are not opened
    # in this file; whether their modules open their own ports is not
    # visible from here — check the effective ruleset on the host.
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # ssh
      ];
    };
    networkmanager = {
      enable = true;
    };
  };

  powerManagement.enable = true;

  i18n = {
    consoleFont = "lat9w-16";
    consoleKeyMap = "dvp";
    defaultLocale = "en_US.UTF-8";
  };

  # NOTE(review): virtualisation.virtualbox.host (below) depends on
  # out-of-tree kernel modules; tracking linuxPackages_latest may break
  # that build on a kernel bump.
  boot.kernelPackages = pkgs.linuxPackages_latest;

  environment.systemPackages = with pkgs; [
    git
    slock
    shadow
    (callPackage ./utils/nix/rebuild-system.nix {})
    rewacom
  ];

  nixpkgs.config.packageOverrides = pkgs: rec {
    # Reloads the wacom kernel module. This script is granted NOPASSWD
    # root via the sudoers SYSCTRL alias below; because sudoers names the
    # immutable store path, the entry cannot be hijacked by editing the
    # script. `modprobe` is resolved via PATH (sudo's secure_path is
    # assumed to apply — confirm).
    rewacom = pkgs.writeScriptBin "rewacom" ''
      #!${pkgs.stdenv.shell}
      modprobe -r wacom
      modprobe wacom
    '';
    # Unfree vendor driver (see nixpkgs.config.allowUnfree); the override
    # re-runs the original builder and then wraps the two CUPS filters so
    # they find ghostscript on PATH.
    samsung-unified-linux-driver = pkgs.stdenv.lib.overrideDerivation pkgs.samsung-unified-linux-driver (oldAttrs: {
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.makeWrapper ];
      builder = pkgs.writeScript "builder.sh" ''
        #!${pkgs.stdenv.shell}
        source ${pkgs.stdenv}/setup
        ${oldAttrs.builder} ${pkgs.lib.concatStringsSep " " oldAttrs.args}
        export PATH=${pkgs.makeWrapper}/bin:$PATH
        echo "Wrapping samsung filters"
        wrapProgram $out/lib/cups/filter/rastertosamsungspl \
          --prefix PATH : ${pkgs.ghostscript}/bin
        wrapProgram $out/lib/cups/filter/rastertosamsungsplc \
          --prefix PATH : ${pkgs.ghostscript}/bin
      '';
    });
  };

  # Disabled: local git checkouts of libqmi/libmbim (pinned revisions).
  # nixpkgs.config.packageOverrides = pkgs: rec {
  #   libqmi = pkgs.stdenv.lib.overrideDerivation pkgs.libqmi (old: {
  #     src = pkgs.fetchgit {
  #       url = "git://anongit.freedesktop.org/libqmi";
  #       rev = "7a426340c9238f743b4641096ea86b89dd503041";
  #       sha256 = "1lnr049hjakp864kq2lql04nfraaxgfh88rjayc7a7x993s75fzs";
  #     };
  #     buildInputs = old.buildInputs ++ (with pkgs; [ libmbim automake114x ]);
  #   });
  #
  #   libmbim = pkgs.stdenv.lib.overrideDerivation pkgs.libmbim (old: {
  #     src = pkgs.fetchgit {
  #       url = "git://anongit.freedesktop.org/libmbim/libmbim";
  #       rev = "c5ed53cfabc0d7ba20dea1047db718f2ca0a6d80";
  #       sha256 = "07fy120703rwpf7p0d8fdbrswx9jn1ln8wnnn7zkwwjq9mgr6ppp";
  #     };
  #     buildInputs = old.buildInputs ++ (with pkgs; [ autoconf automake gnome.gtkdoc libtool pkgconfig ]);
  #     preConfigure = "./autogen.sh";
  #   });
  # };

  nixpkgs.config.allowUnfree = true;

  services = {
    logind.extraConfig = ''
      HandleLidSwitch=sleep
      HandleSuspendKey=sleep
      LidSwitchIgnoreInhibited=no
    '';

    openssh = {
      enable = true;
      # The `media` account is an sftp-only drop box: forced internal-sftp,
      # no TTY and no forwarding of any kind, chrooted to /run/media
      # (ChrootDirectory /run/%u). sshd requires every component of the
      # chroot path to be root-owned and not group/world-writable. Inside
      # the chroot the account's home (/var/media, see users.extraUsers.media)
      # resolves to the bind mount /run/media/var/media declared in
      # systemd.mounts below. NixOS writes the account's configured keys to
      # /etc/ssh/authorized_keys.d/media, which AuthorizedKeysFile points at.
      #
      # NOTE(review): global sshd policy (PermitRootLogin,
      # PasswordAuthentication) is not set in this file. root has a password
      # hash (users.extraUsers.root below) and 22/tcp is open, so confirm
      # the effective values on the host.
      extraConfig = ''
        Match User media
          ForceCommand internal-sftp
          PermitTTY no
          AllowTcpForwarding no
          AllowStreamLocalForwarding no
          X11Forwarding no
          AllowAgentForwarding no
          ChrootDirectory /run/%u
          AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
      '';
    };

    # allowEveryone lets any local account queue at(1)/batch jobs that run
    # under its own uid; a deliberate convenience, not a privilege boundary.
    atd = {
      enable = true;
      allowEveryone = true;
    };

    xserver = {
      enable = true;
      layout = "us";
      xkbVariant = "dvp";
      xkbOptions = "compose:caps";
      # NOTE(review): SLiM is unmaintained upstream; consider another
      # display manager when upgrading.
      displayManager.slim = {
        enable = true;
        defaultUser = "gkleen";
      };
      desktopManager = {
        default = "none";
        xterm.enable = false;
      };
      windowManager = {
        default = "xmonad";
        xmonad = {
          enable = true;
          enableContribAndExtras = true;
          extraPackages = haskellPackages: (with haskellPackages; [ hostname libnotify taffybar ]);
        };
      };
      wacom.enable = true;
      multitouch.enable = true;
      dpi = 210;
    };

    ntp.enable = false;
    timesyncd.enable = true;

    # Tinc mesh "yggdrasil" (module from ./custom/tinc); this host is
    # 10.141.2.3/16 and actively connects to peers (connect = true). The
    # UUCP and Postfix peers below are addressed by their .yggdrasil names,
    # so presumably they are only reachable over this VPN — confirm.
    customTinc.networks = ((import ./custom/tinc/yggdrasil.nix) {
      inherit (pkgs) stdenv nettools openresolv;
      connect = true;
      name = "hel";
      ipConf = {
        ip4 = [ { address = "10.141.2.3"; prefixLength = 16; } ];
      };
    });

    # UUCP over ssh (module from ./custom/uucp). Inbound: each peer's key is
    # pinned to a forced command (uucico, via the setuid wrapper dir) with
    # port/X11/agent forwarding disabled.
    #
    # NOTE(review): `command=` does not stop PTY allocation; add `no-pty`
    # (or use `restrict`, OpenSSH >= 7.2) to these entries. The odin.sh
    # wrapper emits a "." line before exec'ing uucico — presumably a
    # handshake quirk of that peer; confirm it is still needed.
    uucp = {
      enable = true;
      nodeName = "hel";
      remoteNodes = ["isaac" "ymir"]; # legacy name for odin
      sshUser = {
        openssh.authorizedKeys.keys = [
          ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir''
          ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${pkgs.writeScript "odin.sh" "#!${pkgs.stdenv.shell}\necho .\nexec -a uucico ${config.security.wrapperDir}/uucico\n"}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhACtnt9+3j2ev4QVA2QBlPtblPnu7yol2njgfMlHtC uucp@odin''
        ];
      };
      # Outbound: per-peer keys. No host-key pinning is visible here;
      # presumably known_hosts is handled by the uucp module — verify, since
      # mail and files transit these sessions.
      sshConfig = ''
        Host isaac
          Hostname odin.asgard.yggdrasil
          IdentityFile ~/.ssh/odin

        Host ymir
          Hostname ymir.niflheim.yggdrasil
          IdentityFile ~/.ssh/ymir
      '';
      # Commands a remote node may have executed here (presumably the uuxqt
      # allow-list): only isaac may run recv-media and notify-gkleen; every
      # other node gets nothing (defaultCommands = []).
      commandPath = [ "${pkgs.callPackage ./hel/recv-media.nix {}}/bin" config.security.wrapperDir ];
      defaultCommands = [];
      commands = {
        "isaac" = ["recv-media" "notify-gkleen"];
      };
      protocols = {
        "isaac" = "t";
      };
    };

    # Local-only Postfix: listens on loopback, no submission service, and
    # relays everything via UUCP to ymir unless a sender-dependent rule
    # below picks a different route.
    postfix = {
      enable = true;
      enableSmtp = true;
      enableSubmission = false;
      setSendmail = true;
      networksStyle = "host";
      hostname = "hel.midgard.yggdrasil";
      destination = [];
      relayHost = "uucp:ymir";
      recipientDelimiter = "+";
      # Two pipe(8) transports. Both run without a shell locally; `F` adds a
      # From_ line, `q` RFC822-quotes the address localparts, `h`/`u` fold
      # them to lowercase. `sshsendmail` runs as the dedicated unprivileged
      # postfix_ssh user and hands $sender/$recipient to a *remote* shell via
      # ssh — confirm the remote side tolerates metacharacters in addresses.
      # The ssh config it uses (/var/db/postfix_ssh/ssh.config) is not
      # managed in this file.
      extraMasterConf = ''
        uucp unix - n n - - pipe
          flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
        sshsendmail unix - n n - - pipe
          flags=Fq user=postfix_ssh argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient
      '';
      transport = ''
        gkleen+sent@yggdrasil.li uucp:isaac
      '';
      # always_bcc copies every message to gkleen+sent (routed to isaac via
      # the transport map above). message_size_limit = 0 means *no* limit.
      # Any local user except uucp may inject mail through sendmail(1).
      #
      # TLS/SASL for the direct smtp: relays:
      #  - smtp_tls_security_level = dane falls back to opportunistic "may"
      #    for destinations without DNSSEC-validated TLSA records, so the
      #    SASL credentials for smtp.ifi.lmu.de / postout.lrz.de are only
      #    guaranteed encryption if those hosts publish TLSA.
      #    NOTE(review): pin them with smtp_tls_policy_maps (secure/verify).
      #  - smtp_sasl_security_options keeps its default (noplaintext,
      #    noanonymous), so plaintext mechanisms are only offered once TLS
      #    is up (smtp_sasl_tls_security_options = noanonymous).
      #  - smtp_sasl_password_maps is a plaintext texthash file; it must be
      #    root-owned and mode 0600 — confirm on the host.
      extraConfig = ''
        always_bcc = gkleen+sent@yggdrasil.li
        default_transport = uucp:ymir
        inet_interfaces = loopback-only
        authorized_submit_users = !uucp, static:anyone
        message_size_limit = 0
        sender_dependent_default_transport_maps = regexp:${pkgs.writeText "sender_relay" ''
          /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ sshsendmail:math60.mathinst.loc
          /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
          /@campus\.lmu\.de$/ smtp:postout.lrz.de
        ''}
        smtp_sasl_auth_enable = yes
        smtp_sender_dependent_authentication = yes
        smtp_sasl_tls_security_options = noanonymous
        smtp_tls_security_level = dane
        smtp_sasl_password_maps = texthash:/var/db/postfix/sasl_passwd
        smtp_cname_overrides_servername = no
        smtp_always_send_ehlo = yes
        smtp_tls_loglevel = 1
        smtp_dns_support_level = dnssec
      '';
    };

    # Sierra Wireless EM7455 (1199:9079): switch it to USB configuration 1
    # and bind it to qmi_wwan/qcserial instead of the MBIM driver.
    # NOTE(review): RUN+="/sbin/modprobe" is a non-Nix path; the NixOS udev
    # module is expected to rewrite such paths to the kmod store path —
    # confirm in the generated rules, otherwise the RUN never fires.
    udev.extraRules = ''
      ACTION!="add|change", GOTO="mbim_to_qmi_rules_end"
      SUBSYSTEM!="usb|drivers", GOTO="mbim_to_qmi_rules_end"

      # load qmi_wwan module
      SUBSYSTEM=="usb", \
        ATTR{idVendor}=="1199", ATTR{idProduct}=="9079", \
        RUN+="/sbin/modprobe -b qmi_wwan"

      # force Sierra Wireless EM7455 to configuration #1
      SUBSYSTEM=="usb", \
        ATTR{idVendor}=="1199", ATTR{idProduct}=="9079", \
        ATTR{bConfigurationValue}="1"

      # add the new id in the qmi_wwan driver
      SUBSYSTEM=="drivers", \
        ENV{DEVPATH}=="/bus/usb/drivers/qmi_wwan", \
        ATTR{new_id}="1199 9079"

      # load qcserial module
      SUBSYSTEM=="usb", \
        ATTR{idVendor}=="1199", ATTR{idProduct}=="9079", \
        RUN+="/sbin/modprobe -b qcserial"

      # add the new id in the qcserial driver
      SUBSYSTEM=="drivers", \
        ENV{DEVPATH}=="/bus/usb-serial/drivers/qcserial", \
        ATTR{new_id}="1199 9079"

      LABEL="mbim_to_qmi_rules_end"
    '';

    printing = {
      enable = true;
      drivers = with pkgs; [ samsung-unified-linux-driver ];
    };

    upower = {
      enable = true;
    };

    # Hourly updatedb. localuser = null runs it as root (presumably relying
    # on mlocate's setgid locate binary to keep the database private).
    locate = {
      enable = true;
      interval = "hourly";
      locate = pkgs.mlocate;
      localuser = null;
      prunePaths = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool"];
    };

    # NOTE(review): the system-bus policy file is empty in the visible
    # source (presumably the <busconfig> XML was lost when this page was
    # captured). As written it installs an empty, non-XML file. If the
    # intent is to allow eavesdropping on the system bus for some user,
    # remember that this exposes every other client's traffic to that user.
    dbus = {
      enable = true;
      packages = [
        (pkgs.writeTextFile {
          name = "eavesdrop.conf";
          text = '' '';
          destination = "/etc/dbus-1/system.d/eavesdrop.conf";
        })
      ];
    };
  };

  users = {
    mutableUsers = false;
    # root takes shell and hashedPassword from ./users/gkleen.nix, i.e.
    # presumably the same password hash as the gkleen account — one
    # credential unlocks both.
    extraUsers.root = {
      inherit (import ./users/gkleen.nix) shell hashedPassword;
    };
    # sftp-only drop box (see the sshd Match block). useDefaultShell is
    # irrelevant in practice because ForceCommand internal-sftp never
    # spawns the shell.
    extraUsers.media = {
      group = "media";
      home = "/var/media";
      isSystemUser = true;
      openssh.authorizedKeys.keyFiles = [ ./users/keys/gkleen-media-hel.pub ];
      useDefaultShell = true;
    };
    # Unprivileged identity for the Postfix sshsendmail transport.
    extraUsers.postfix_ssh = {
      isSystemUser = true;
      home = "/var/db/postfix_ssh";
    };
    extraGroups = {
      network = {};
      # uucp is in `media` so recv-media (run on behalf of isaac) can write
      # into /var/media.
      media = {
        members = [ "gkleen" "uucp" "media" ];
      };
      networkmanager = {
        members = [ "gkleen" ];
      };
    };
  };

  security = {
    # NOTE(review): passwordless `systemctl` with unrestricted arguments is
    # effectively passwordless root for wheel (e.g. `systemctl link` +
    # `start` of a user-supplied unit, or `systemctl edit`). If NOPASSWD is
    # wanted, enumerate the exact sub-commands instead of the bare binary.
    sudo.extraConfig = ''
      Cmnd_Alias SYSCTRL = /run/current-system/sw/sbin/shutdown, /run/current-system/sw/sbin/reboot, /run/current-system/sw/sbin/halt, /run/current-system/sw/bin/systemctl, ${pkgs.rewacom}/bin/rewacom
      %wheel ALL=(ALL) NOPASSWD: SYSCTRL
    '';
    # setuid wrappers. slock/mount/umount/newgrp are root wrappers;
    # notify-gkleen instead runs *as gkleen* (setgid users) and is
    # executable by everyone, so that uucp (see services.uucp.commands) can
    # raise a desktop notification. Arguments come from the remote UUCP
    # peer — the program in ./custom/notify-user.nix is not visible here;
    # confirm it does not interpret them as anything but message text.
    # NOTE(review): `inherit (config.security) wrapperDir` below lacks the
    # terminating `;` Nix requires — check that this file evaluates.
    wrappers = {
      "slock".source = "${pkgs.slock}/bin/slock";
      "mount".source = "${pkgs.utillinux.bin}/bin/mount";
      "umount".source = "${pkgs.utillinux.bin}/bin/umount";
      "newgrp".source = "${pkgs.shadow}/bin/newgrp";
      "thinklight".source = "${(pkgs.callPackage ./custom/thinklight.nix { thinklight = "kbd_backlight"; })}/bin/thinklight";
      "notify-gkleen" = {
        group = "users";
        owner = "gkleen";
        setgid = true;
        setuid = true;
        permissions = "u+rx,g+x,o+x";
        source = ''${pkgs.callPackage ./custom/notify-user.nix { inherit (pkgs.haskellPackages) ghcWithPackages; inherit (config.security) wrapperDir}}/bin/notify-gkleen'';
      };
    };
    # Mirrors the sudo rule: wheel may manage systemd units without
    # authentication (same caveat as above).
    polkit = {
      enable = true;
      extraConfig = ''
        polkit.addRule(function(action, subject) {
          if ( action.id == "org.freedesktop.systemd1.manage-units"
            && subject.isInGroup("wheel")
            ) {
            return polkit.Result.YES;
          }
        });
      '';
    };
  };

  time.timeZone = "Europe/Berlin";

  hardware = {
    pulseaudio = {
      enable = true;
      package = with pkgs; pulseaudioFull;
      support32Bit = true;
    };
    opengl = {
      enable = true;
      extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ];
      driSupport32Bit = true;
    };
    bluetooth.enable = true;
    # sane = {
    #   enable = true;
    #   extraBackends = with pkgs; [ samsung-unified-linux-driver ];
    #   configDir = "/etc/sane.d";
    # };
  };

  sound.enable = true;

  # Automatic garbage collection is disabled; the store grows until a
  # manual nix-collect-garbage.
  # nix.gc = {
  #   automatic = true;
  #   dates = "daily";
  #   options = "--delete-older-than 30d";
  # };

  # Builds run in the Nix sandbox.
  nix.useSandbox = true;

  environment.variables = {
    SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
  };

  environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./hel/wacom.conf;
  # Network scanner over plain TCP (the xerox_mfp protocol has no
  # authentication); reachable name suggests it lives on the VPN — confirm.
  environment.etc."sane.d/dll.conf".text = "xerox_mfp";
  environment.etc."sane.d/xerox_mfp.conf".text = "tcp printer.asgard.yggdrasil";

  # kill-user@<user>: terminates all of that user's processes. Pulled in
  # for `uucp` before sleep.target, presumably so that no uucico transfer
  # survives a suspend.
  systemd.services."kill-user@" = {
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
    };
  };

  systemd.targets."sleep" = {
    after = [ "kill-user@uucp.service" ];
    wants = [ "kill-user@uucp.service" ];
  };

  virtualisation.virtualbox.host = {
    enable = true;
  };

  # Bind /var/media into /run/media/var/media so that the sftp chroot
  # (/run/media, see services.openssh) exposes exactly the media tree.
  # NOTE(review): DirectoryMode applies to the directories systemd creates
  # on the way to the mount point; if /run/media itself ends up 0700 root,
  # the chrooted `media` user cannot traverse its own chroot root — verify
  # the resulting modes on a running system.
  systemd.automounts = [
    { enable = true;
      where = "/run/media/var/media";
      automountConfig = {
        DirectoryMode = "700";
      };
      wantedBy = [ "local-fs.target" ];
    }
  ];

  systemd.mounts = [
    { enable = true;
      where = "/run/media/var/media";
      what = "/var/media";
      type = "none";
      options = "bind";
      mountConfig = {
        DirectoryMode = "700";
      };
    }
  ];

  # Per-user pulseaudio and ssh-agent units are forced off (presumably
  # started from the X session instead).
  systemd.user.services."pulseaudio".enable = lib.mkForce false;
  systemd.user.services."ssh-agent".enable = lib.mkForce false;
  systemd.user.sockets."pulseaudio".enable = lib.mkForce false;
}