# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

# NixOS system configuration for the host "hel" (domain midgard.yggdrasil):
# a single-user laptop that also acts as a UUCP mail/file relay node.
# Host-specific hardware/boot settings and several custom modules
# (zsh, tinc, uucp, btrfs-snapshots) are pulled in via `imports`.
{ config, lib, pkgs, ... }:
{
  imports = [
    # Include the results of the hardware scan.
    ./hel/hw.nix
    ./hel/boot.nix
    ./users.nix
    ./custom/zsh.nix
    ./custom/tinc/def.nix
    ./custom/tinc/yggdrasil.nix
    ./custom/uucp.nix
    ./custom/btrfs-snapshots.nix
  ];

  system.stateVersion = "16.09";

  networking = {
    hostName = "hel";
    domain = "midgard.yggdrasil";
    # Pin the FQDN and short name to loopback for both address families.
    hosts = {
      "127.0.0.1" = [ "hel.midgard.yggdrasil" "hel" ];
      "::1" = [ "hel.midgard.yggdrasil" "hel" ];
    };
    # Host firewall: only SSH is reachable from the network. Postfix below is
    # bound to loopback only, so no SMTP port is opened here.
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # ssh
      ];
    };
    networkmanager = {
      enable = true;
      # Leave the Docker bridge alone; Docker manages it itself.
      unmanaged = [ "docker0" ];
    };
  };

  systemd.services.ModemManager = {
    enable = true;
    wantedBy = [ "network.target" ];
  };

  powerManagement.enable = true;

  i18n = {
    consoleFont = "lat9w-16";
    consoleKeyMap = "dvp";
    defaultLocale = "en_US.UTF-8";
  };

  boot.kernelPackages = pkgs.linuxPackages_latest;
  # boot.kernelPatches = [
  #   { patch = ./patches/udl.patch;
  #     name = "udl-vblank";
  #   }
  # ];

  environment.systemPackages = with pkgs; [
    git slock shadow
    (callPackage ./utils/nix/rebuild-system.nix {})
    rewacom autorandr ntfs3g exfat
  ];

  # Local package overrides. `rec` so that `rewacom` is visible as
  # `pkgs.rewacom` (referenced from the sudo Cmnd_Alias below).
  nixpkgs.config.packageOverrides = pkgs: rec {
    # Reload the wacom kernel module; needs root, hence the sudo entry.
    rewacom = pkgs.writeScriptBin "rewacom" ''
      #!${pkgs.stdenv.shell}
      modprobe -r wacom
      modprobe wacom
    '';
    # Re-run the upstream builder, then wrap the CUPS filters so they find
    # ghostscript on PATH. NOTE(review): `pkgs.stdenv.lib` is an alias of
    # `pkgs.lib` in later nixpkgs; consider `pkgs.lib.overrideDerivation`.
    samsung-unified-linux-driver = pkgs.stdenv.lib.overrideDerivation pkgs.samsung-unified-linux-driver (oldAttrs: {
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.makeWrapper ];
      builder = pkgs.writeScript "builder.sh" ''
        #!${pkgs.stdenv.shell}
        source ${pkgs.stdenv}/setup
        ${oldAttrs.builder} ${pkgs.lib.concatStringsSep " " oldAttrs.args}
        export PATH=${pkgs.makeWrapper}/bin:$PATH
        echo "Wrapping samsung filters"
        wrapProgram $out/lib/cups/filter/rastertosamsungspl \
          --prefix PATH : ${pkgs.ghostscript}/bin
        wrapProgram $out/lib/cups/filter/rastertosamsungsplc \
          --prefix PATH : ${pkgs.ghostscript}/bin
      '';
    });
  };

  # Required for the binary printer driver above (presumably unfree — verify).
  nixpkgs.config.allowUnfree = true;

  virtualisation.docker = {
    enable = true;
    autoPrune.enable = true;
    # Socket-activated / started on demand rather than at boot.
    enableOnBoot = false;
  };

  services = {
    vnstat = { enable = true; };
    # 0 turns off journald's per-service rate limiting (journald.conf(5)),
    # so a chatty service can fill the journal; intentional trade-off for
    # completeness of logs.
    journald = { rateLimitBurst = 0; };
    gpsd = {
      enable = true;
      debugLevel = 3;
      # /dev/gps0 is the udev symlink created by the KERNELS=="1-2:1.2" rule below.
      device = "/dev/gps0";
      # gpsd is allowed to write to the receiver (not read-only).
      readonly = false;
    };
    logind.extraConfig = ''
      HandleLidSwitch=sleep
      HandleSuspendKey=sleep
      LidSwitchIgnoreInhibited=no
    '';
    openssh = {
      enable = true;
      # Hardened SFTP-only account for "media": forced internal-sftp, no TTY,
      # no TCP/UNIX-socket/X11/agent forwarding, chrooted into /run/media
      # (the bind-mount of /var/media set up under systemd.mounts below).
      # Keys are read from /etc/ssh/authorized_keys.d/media, which is where
      # NixOS writes users.*.openssh.authorizedKeys (confirm for this release).
      # NOTE(review): passwordAuthentication is not set here; unless disabled
      # in an imported module, the NixOS default leaves it enabled.
      extraConfig = ''
        Match User media
          ForceCommand internal-sftp
          PermitTTY no
          AllowTcpForwarding no
          AllowStreamLocalForwarding no
          X11Forwarding no
          AllowAgentForwarding no
          ChrootDirectory /run/%u
          AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
      '';
    };
    atd = {
      enable = true;
      # Any local user may queue at/batch jobs.
      allowEveryone = true;
    };
    xserver = {
      enable = true;
      layout = "us";
      xkbVariant = "dvp";
      xkbOptions = "compose:caps";
      displayManager.slim = {
        enable = true;
        defaultUser = "gkleen";
      };
      desktopManager = {
        default = "none";
        xterm.enable = false;
      };
      windowManager = {
        default = "xmonad";
        xmonad = {
          enable = true;
          extraPackages = haskellPackages: (with haskellPackages; [ xmonad-contrib hostname libnotify aeson temporary parsec network taffybar ]);
        };
      };
      wacom.enable = true;
      multitouch.enable = true;
      dpi = 210;
    };

    # Time sync comes from chrony fed by the local GPS via gpsd's SOCK refclock;
    # the other NTP clients are disabled so they do not fight over the clock.
    ntp.enable = false;
    timesyncd.enable = false;
    chrony = {
      enable = true;
      extraConfig = ''
        refclock SOCK /var/run/chrony.gps0.sock refid GPS
      '';
    };

    yggdrasilTinc = {
      enable = true;
      connect = true;
      name = "hel";
      interfaceConfig = {
        ip4 = [ { address = "10.141.2.3"; prefixLength = 16; } ];
      };
    };

    # UUCP-over-SSH node. Peers authenticate with ed25519 keys whose
    # authorized_keys options forbid forwarding and force `uucico`, so a
    # peer's key cannot obtain a shell here. The odin entry additionally
    # wraps uucico in a tiny script (`echo .` then `exec -a uucico`).
    uucp = {
      enable = true;
      nodeName = "hel";
      remoteNodes = ["isaac" "ymir"]; # legacy name for odin
      sshUser = {
        openssh.authorizedKeys.keys = [
          ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir''
          ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${pkgs.writeScript "odin.sh" "#!${pkgs.stdenv.shell}\necho .\nexec -a uucico ${config.security.wrapperDir}/uucico\n"}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhACtnt9+3j2ev4QVA2QBlPtblPnu7yol2njgfMlHtC uucp@odin''
        ];
      };
      # Outbound: "isaac" is the legacy alias for odin (see remoteNodes).
      sshConfig = ''
        Host isaac
          Hostname odin.asgard.yggdrasil
          IdentityFile ~/.ssh/odin
        Host ymir
          Hostname ymir.niflheim.yggdrasil
          IdentityFile ~/.ssh/ymir
      '';
      # Commands remote nodes may execute via uux are restricted to this
      # search path and to the per-node allow-list in `commands`.
      commandPath = [ "${pkgs.callPackage ./hel/recv-media.nix {}}/bin" config.security.wrapperDir ];
      defaultCommands = [];
      commands = {
        "isaac" = ["recv-media" "notify-gkleen"];
      };
      protocols = {
        "isaac" = "t";
      };
    };

    # Outbound-only MTA: listens on loopback, relays through UUCP by default,
    # and for selected sender domains hands mail to an SSH-based or direct
    # SMTP transport with per-sender SASL credentials.
    postfix = {
      enable = true;
      enableSmtp = true;
      enableSubmission = false;
      setSendmail = true;
      networksStyle = "host";
      hostname = "hel.midgard.yggdrasil";
      destination = [];
      relayHost = "uucp:ymir";
      recipientDelimiter = "+";
      # Two pipe(8) transports: `uucp` runs uux through the setuid wrapper dir;
      # `sshsendmail` runs remote sendmail over ssh as the dedicated
      # postfix_ssh user with its own ssh config/keys under /var/db/postfix_ssh.
      extraMasterConf = ''
        uucp unix - n n - - pipe
          flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
        sshsendmail unix - n n - - pipe
          flags=Fq user=postfix_ssh argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient
      '';
      transport = ''
        gkleen+sent@yggdrasil.li uucp:isaac
      '';
      # NOTE(review): `smtp_tls_security_level = dane` only provides its
      # guarantees when the local resolver validates DNSSEC; otherwise Postfix
      # falls back per its DANE rules — confirm the resolver setup.
      # `smtp_sasl_password_maps` points at a plaintext credential file;
      # keep /var/db/postfix/sasl_passwd readable by the postfix user only.
      extraConfig = ''
        always_bcc = gkleen+sent@yggdrasil.li
        default_transport = uucp:ymir
        inet_interfaces = loopback-only
        authorized_submit_users = !uucp, static:anyone
        message_size_limit = 0
        sender_dependent_default_transport_maps = regexp:${pkgs.writeText "sender_relay" ''
          /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ sshsendmail:math60.mathinst.loc
          /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
          /@campus\.lmu\.de$/ smtp:postout.lrz.de
        ''}
        smtp_sasl_auth_enable = yes
        smtp_sender_dependent_authentication = yes
        smtp_sasl_tls_security_options = noanonymous
        smtp_tls_security_level = dane
        smtp_sasl_password_maps = texthash:/var/db/postfix/sasl_passwd
        smtp_cname_overrides_servername = no
        smtp_always_send_ehlo = yes
        smtp_tls_loglevel = 1
        smtp_dns_support_level = dnssec
      '';
    };

    printing = {
      enable = true;
      drivers = with pkgs; [ samsung-unified-linux-driver ];
    };

    upower = {
      enable = true;
    };

    locate = {
      enable = true;
      interval = "hourly";
      locate = pkgs.mlocate;
      # null: run the indexer as root rather than a dedicated unprivileged user.
      localuser = null;
      prunePaths = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool"];
    };

    dbus = {
      enable = true;
      # Installs an (empty) system bus policy file; presumably a placeholder
      # for a future eavesdrop policy — verify it is still needed.
      packages = [
        (pkgs.writeTextFile {
          name = "eavesdrop.conf";
          text = '' '';
          destination = "/etc/dbus-1/system.d/eavesdrop.conf";
        })
      ];
    };
  };

  # gpsd pushes samples into chrony's socket, so chrony must be up first.
  systemd.services."gpsd".wants = [ "chronyd.service" ];
  systemd.services."gpsd".after = [ "chronyd.service" ];

  users = {
    # Fully declarative accounts: password/group changes outside this config
    # are discarded on activation.
    mutableUsers = false;
    # root shares the shell and password hash of the primary user.
    extraUsers.root = {
      inherit (import ./users/gkleen.nix) shell hashedPassword;
    };
    # NOTE(review): membership in "docker" is documented by Docker as
    # root-equivalent; acceptable for a single-user host, but keep in mind.
    extraUsers.gkleen.extraGroups = [ "media" "networkmanager" "docker" ];
    # SFTP-only drop-box account (see the sshd Match block above).
    extraUsers.media = {
      group = "media";
      home = "/var/media";
      isSystemUser = true;
      openssh.authorizedKeys.keyFiles = [ ./users/keys/gkleen-media-hel.pub ];
      useDefaultShell = true;
    };
    # Unprivileged identity under which postfix runs the sshsendmail transport.
    extraUsers.postfix_ssh = {
      isSystemUser = true;
      home = "/var/db/postfix_ssh";
    };
    extraGroups = {
      network = {};
      media = { members = [ "uucp" "media" ]; };
    };
  };

  security = {
    # NOTE(review): the alias includes the full `systemctl` binary, so %wheel
    # gets password-less control over every unit on the system, which is far
    # broader than shutdown/reboot/halt; consider listing only the needed
    # systemctl verbs/units or dropping systemctl from the alias.
    sudo.extraConfig = ''
      Cmnd_Alias SYSCTRL = /run/current-system/sw/sbin/shutdown, /run/current-system/sw/sbin/reboot, /run/current-system/sw/sbin/halt, /run/current-system/sw/bin/systemctl, ${pkgs.rewacom}/bin/rewacom
      %wheel ALL=(ALL) NOPASSWD: SYSCTRL
    '';
    # setuid/setgid wrappers. mount/umount/newgrp/sg/slock are the usual
    # root wrappers; "notify-gkleen" is setuid/setgid to gkleen:users (not
    # root) so that uucp-invoked commands can notify the desktop user.
    wrappers = {
      "slock".source = "${pkgs.slock}/bin/slock";
      "mount".source = "${pkgs.utillinux.bin}/bin/mount";
      "umount".source = "${pkgs.utillinux.bin}/bin/umount";
      "newgrp".source = "${pkgs.shadow}/bin/newgrp";
      "sg".source = "${pkgs.shadow}/bin/sg";
      "thinklight".source = "${(pkgs.callPackage ./custom/thinklight.nix { thinklight = "kbd_backlight"; })}/bin/thinklight";
      "notify-gkleen" = {
        group = "users";
        owner = "gkleen";
        setgid = true;
        setuid = true;
        permissions = "u+rx,g+x,o+x";
        source = ''${pkgs.callPackage ./custom/notify-user.nix { inherit (pkgs.haskellPackages) ghcWithPackages; }}/bin/notify-gkleen'';
      };
    };
    # Mirrors the sudo rule: wheel may manage systemd units via polkit
    # without authentication.
    polkit = {
      enable = true;
      extraConfig = ''
        polkit.addRule(function(action, subject) {
          if ( action.id == "org.freedesktop.systemd1.manage-units" && subject.isInGroup("wheel") ) {
            return polkit.Result.YES;
          }
        });
      '';
    };
  };

  time.timeZone = "Europe/Berlin";

  hardware = {
    pulseaudio = {
      enable = true;
      package = with pkgs; pulseaudioFull;
      support32Bit = true;
    };
    opengl = {
      enable = true;
      extraPackages = with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ];
      driSupport32Bit = true;
    };
    bluetooth = {
      enable = true;
      extraConfig = ''
        [General]
        Enable=Source,Sink,Media,Socket
      '';
    };
    # sane = {
    #   enable = true;
    #   extraBackends = with pkgs; [ samsung-unified-linux-driver ];
    #   configDir = "/etc/sane.d";
    # };
    sensor.iio.enable = true;
  };

  sound.enable = true;

  # nix.gc = {
  #   automatic = true;
  #   dates = "daily";
  #   options = "--delete-older-than 30d";
  # };
  nix = {
    # Builds run in the sandbox; keeps derivations from reaching the host.
    useSandbox = true;
    autoOptimiseStore = true;
    daemonNiceLevel = 10;
    daemonIONiceLevel = 3;
  };

  environment.variables = {
    SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
    SANE_CONFIG_DIR = "/etc/sane.d";
    # Plain http to an internal host (bragi); fine on the overlay, not for
    # anything that leaves it.
    TPRINT_BASEURL = "http://bragi.asgard.yggdrasil/thermoprint/api";
    MPD_HOST = "bragi.asgard.yggdrasil";
    MPD_PORT = "6600";
  };

  environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./hel/wacom.conf;
  # SANE is configured by hand (the hardware.sane block above is commented
  # out): only the network xerox_mfp backend pointing at the office printer.
  environment.etc."sane.d/dll.conf".text = "xerox_mfp";
  environment.etc."sane.d/xerox_mfp.conf".text = "tcp printer.asgard.yggdrasil";

  # Template unit: `kill-user@NAME` terminates all of NAME's processes.
  systemd.services."kill-user@" = {
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
    };
  };
  # Kill any running uucp sessions before the machine goes to sleep.
  systemd.targets."sleep" = {
    after = [ "kill-user@uucp.service" ];
    wants = [ "kill-user@uucp.service" ];
  };

  # Bind /var/media into /run/media/var/media on demand. /run/media is the
  # ChrootDirectory for the "media" SFTP user, so this is what that account
  # sees; DirectoryMode 700 keeps other users out of the mount points.
  systemd.automounts = [
    {
      enable = true;
      where = "/run/media/var/media";
      automountConfig = { DirectoryMode = "700"; };
      wantedBy = [ "local-fs.target" ];
    }
  ];
  systemd.mounts = [
    {
      enable = true;
      where = "/run/media/var/media";
      what = "/var/media";
      type = "none";
      options = "bind";
      mountConfig = { DirectoryMode = "700"; };
    }
  ];

  # Per-user pulseaudio and ssh-agent units are managed elsewhere; force them off.
  systemd.user.services."pulseaudio".enable = lib.mkForce false;
  systemd.user.services."ssh-agent".enable = lib.mkForce false;
  systemd.user.sockets."pulseaudio".enable = lib.mkForce false;

  # While on AC power, hold a block inhibitor so lid-switch/sleep are ignored.
  # Started/stopped by the power_supply udev rules below.
  systemd.services."ac-plugged" = {
    description = "Inhibit handling of lid-switch and sleep";
    path = with pkgs; [ systemd coreutils ];
    script = ''
      exec systemd-inhibit --what=handle-lid-switch:sleep --why="AC is connected" --mode=block sleep infinity
    '';
    serviceConfig = {
      Type = "simple";
    };
  };

  # udev: toggle ac-plugged on AC state, and name the GPS receiver's two USB
  # interfaces gps0 (NMEA, used by gpsd) and gpsctl0 (control port, used by
  # gpscfg). ID_MM_DEVICE_IGNORE keeps ModemManager from probing them.
  services.udev.extraRules = with pkgs; ''
    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
    SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
    KERNELS=="1-2:1.2", ENV{ID_MM_DEVICE_IGNORE}="1", SYMLINK+="gps0"
    KERNELS=="1-2:1.3", ENV{ID_MM_DEVICE_IGNORE}="1", SYMLINK+="gpsctl0", TAG+="systemd"
  '';

  # Sends the vendor AT command that enables GPS tracking to the control port.
  systemd.services."gpscfg" = {
    description = "Configure GPS";
    script = ''
      printf 'AT!GPSTRACK=1,255,30,1000,1\r' > /dev/gpsctl0
    '';
  };
  # Re-run gpscfg whenever the control device appears and every 5 minutes after.
  # NOTE(review): the udev rule and the script use the name `gpsctl0`, but
  # this timer binds to `dev-gpscfg0.device` — looks like a typo for
  # `dev-gpsctl0.device`; if so the timer never gets its device dependency.
  systemd.timers."gpscfg" = {
    enable = true;
    bindsTo = [ "dev-gpscfg0.device" ];
    after = [ "dev-gpscfg0.device" ];
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnActiveSec = "0s";
      OnUnitInactiveSec = "5m";
    };
  };

  # Needed so network-online.target (which backup-odin@ binds to) is meaningful.
  systemd.services."NetworkManager-wait-online".enable = true;

  services.btrfs-snapshots.enable = true;

  # Back up the home-gkleen subvolume roughly every 6h (catching up after
  # downtime thanks to Persistent=true).
  systemd.timers."backup-odin@home-gkleen" = {
    enable = true;
    wantedBy = [ "timers.target" ];
    timerConfig = {
      Persistent = true;
      OnUnitInactiveSec = "6h";
      OnBootSec = "6h";
    };
  };
  # Template: snapshot subvolume %i (via btrfs-snapshot@%i), then borg the
  # read-only snapshot to borg.odin over SSH. Runs at low CPU/IO priority.
  # NOTE(review): SuccessExitStatus = [1 2] treats borg's exit code 2 (error)
  # as success, so a failed backup will not show up as a failed unit;
  # keeping only 1 (warning) is the safer choice — confirm intent.
  systemd.services."backup-odin@" = {
    enable = true;
    bindsTo = [ "btrfs-snapshot@%i.service" "network-online.target" ];
    after = [ "btrfs-snapshot@%i.service" "network-online.target" ];
    path = with pkgs; [borgbackup];
    script = ''
      borg create \
        --stats \
        --list \
        --filter 'AME' \
        --exclude-caches \
        --keep-exclude-tags \
        --patterns-from .backup \
        --one-file-system \
        --compression auto,lzma \
        borg.odin:/srv/backup/borg::yggdrasil.midgard.hel.$1-{utcnow}
    '';
    scriptArgs = "%i";
    serviceConfig = {
      Type = "oneshot";
      WorkingDirectory = "/mnt/snapshot-%i";
      Nice = 15;
      IOSchedulingClass = 2;
      IOSchedulingPriority = 7;
      SuccessExitStatus = [1 2];
    };
  };
}