commit 3687de61519e86e39392ff6a34baf3a289f9ae2e
Author: hackens milieu
Date: Tue Nov 2 19:30:28 2021 +0100
Initial config
diff --git a/bibi.nix b/bibi.nix
new file mode 100644
index 0000000..565de78
--- /dev/null
+++ b/bibi.nix
@@ -0,0 +1,4 @@
+{ pkgs, lib, ... }:
+
+{
+}
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..99a08a3
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,40 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./hackens
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.efi.efiSysMountPoint = "/boot";
+ boot.loader.grub.device = "nodev"; # or "nodev" for efi only
+ boot.loader.grub.configurationLimit = 2;
+
+ networking.hostName = "hackens-milieu"; # Define your hostname.
+
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.enp2s0.useDHCP = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.09"; # Did you read the comment?
+}
+
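Review bot: `boot.loader.grub.configurationLimit = 2;` keeps only two generations in the GRUB menu, and with `system.autoUpgrade.enable = true` in hackens/system.nix an unattended upgrade that boots badly leaves exactly one older generation to roll back to. Raising it, e.g. `boot.loader.grub.configurationLimit = 10;`, costs a little /boot space and keeps several known-good generations selectable at boot. The trailing comment `# or "nodev" for efi only` on the device line repeats the value already set and can be dropped or replaced by why "nodev" is used here.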
diff --git a/configuration.nix~ b/configuration.nix~
new file mode 100644
index 0000000..dd11db4
--- /dev/null
+++ b/configuration.nix~
@@ -0,0 +1,39 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./hackens
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.efi.efiSysMountPoint = "/boot";
+ boot.loader.grub.device = "nodev"; # or "nodev" for efi only
+ boot.loader.grub.configurationLimit = 2;
+
+ networking.hostName = "hackens-milieu"; # Define your hostname.
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.enp2s0.useDHCP = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.09"; # Did you read the comment?
+}
+
diff --git a/hackens/aarch64.nix b/hackens/aarch64.nix
new file mode 100644
index 0000000..44f9c4e
--- /dev/null
+++ b/hackens/aarch64.nix
@@ -0,0 +1,3 @@
+{
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+}
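Review bot: `configuration.nix~` is an editor backup copy of configuration.nix (identical apart from one blank line) and should not be committed; remove it and add `*~` to a `.gitignore` so the repository only tracks the file that is actually imported. Stale near-duplicates of the top-level configuration are a classic source of confusion about which settings are live.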
diff --git a/hackens/audio.nix b/hackens/audio.nix
new file mode 100644
index 0000000..734c6bf
--- /dev/null
+++ b/hackens/audio.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ # Enable sound.
+ sound.enable = true;
+ hardware.pulseaudio.enable = true;
+}
diff --git a/hackens/backups.nix b/hackens/backups.nix
new file mode 100644
index 0000000..76f9b82
--- /dev/null
+++ b/hackens/backups.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }: {
+ # BorgBackup repositories
+ services.borgbackup.repos = {
+ hackens-desktop = {
+ authorizedKeys = [
+ "ssh-rsa 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 hackens@hackens-desktop-1"
+ ];
+ path = "/var/backups/hackens-desktop";
+ };
+ };
+}
diff --git a/hackens/default.nix b/hackens/default.nix
new file mode 100644
index 0000000..e21df07
--- /dev/null
+++ b/hackens/default.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }: {
+ imports = [
+ ./system.nix
+ ./backups.nix
+ ./vpn-network
+ ./hosts.nix
+ ./syncthing.nix
+ ./programs.nix
+ ./audio.nix
+ ./graphics.nix
+ ./monitoring.nix
+ ./users.nix
+ ./i18n.nix
+ ./vim.nix
+ ./dns.nix
+ ./nightworker.nix
+ ./ssd.nix
+ ./aarch64.nix
+ # ./netboot-server.nix # -- fix quick xyz mode.
+ ];
+}
diff --git a/hackens/dns.nix b/hackens/dns.nix
new file mode 100644
index 0000000..7546126
--- /dev/null
+++ b/hackens/dns.nix
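Review bot: the borg repository `hackens-desktop` lists its client key under `authorizedKeys`, which gives that client full read/write/delete access, so a compromised or ransomed hackens-desktop can prune its own backups on this host. The NixOS module has `authorizedKeysAppendOnly` for exactly this case: moving the key to `authorizedKeysAppendOnly = [ ... ];` makes `borg serve` run append-only, so client-side deletions only take effect when an admin compacts the repository; a `quota` would additionally bound what a runaway client can fill. The key material itself is redacted in this listing and could not be reviewed.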
@@ -0,0 +1,29 @@
+{ pkgs, lib, ... }:
+{
+ networking = {
+ nameservers = [ "127.0.0.1" "::1" ];
+ };
+
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = true;
+ require_dnssec = true;
+
+ forwarding_rules = ./dns/forwarding.txt;
+
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+ };
+ };
+
+ systemd.services.dnscrypt-proxy2.serviceConfig = {
+ StateDirectory = lib.mkForce "dnscrypt-proxy2";
+ };
+}
diff --git a/hackens/dns/forwarding.txt b/hackens/dns/forwarding.txt
new file mode 100644
index 0000000..80187f6
--- /dev/null
+++ b/hackens/dns/forwarding.txt
@@ -0,0 +1,3 @@
+# Résolution hackENS locale
+# e.g. hackens-milieu.lan
+.lan 192.168.1.1
diff --git a/hackens/graphics.nix b/hackens/graphics.nix
new file mode 100644
index 0000000..779a669
--- /dev/null
+++ b/hackens/graphics.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+ imports = [ ./i3.nix ];
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+ services.xserver.layout = "fr";
+
+ services.autorandr.enable = true;
+}
diff --git a/hackens/hosts.nix b/hackens/hosts.nix
new file mode 100644
index 0000000..6e5b8c3
--- /dev/null
+++ b/hackens/hosts.nix
@@ -0,0 +1,3 @@
+{ pkgs, ... }:
+{
+}
diff --git a/hackens/i18n.nix b/hackens/i18n.nix
new file mode 100644
index 0000000..3dc4532
--- /dev/null
+++ b/hackens/i18n.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "fr";
+ };
+ time.timeZone = "Europe/Paris";
+}
diff --git a/hackens/i3.nix b/hackens/i3.nix
new file mode 100644
index 0000000..3a0834f
--- /dev/null
+++ b/hackens/i3.nix
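Review bot: `nameservers = [ "127.0.0.1" "::1" ]` routes resolution through dnscrypt-proxy, but configuration.nix keeps `networking.interfaces.enp2s0.useDHCP = true`, and dhcpcd's resolv.conf hook can still add the DHCP-supplied resolvers alongside the loopback ones, so some queries may bypass the encrypted, `require_dnssec` path. If that is not intended, add `networking.dhcpcd.extraConfig = "nohook resolv.conf";` next to the nameservers. The `.lan 192.168.1.1` forwarding rule is deliberately plaintext and DNSSEC-free; a line in forwarding.txt such as `# Forwarded in the clear to the router; only trusted for the local .lan zone.` would record that trade-off.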
@@ -0,0 +1,52 @@
+{ pkgs, ... }:
+{
+ environment.pathsToLink = [ "/libexec" ];
+ environment.sessionVariables.TERMINAL = [ "kitty" ];
+ environment.variables = {
+ TERMINAL = "kitty";
+ BROWSER = "firefox";
+ };
+ services.xserver = {
+ displayManager = {
+ autoLogin = {
+ enable = true;
+ user = "hackens";
+ };
+ };
+
+ windowManager.i3 = {
+ enable = true;
+ extraSessionCommands = ''
+ ${pkgs.xlibs.xset}/bin/xset r rate 200 50
+ '';
+ extraPackages = with pkgs; [
+ rofi
+ dunst
+ i3status-rust
+ i3lock
+ kitty
+ ];
+ };
+ };
+
+ fonts.fonts = with pkgs; [
+ hack-font
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-emoji
+ liberation_ttf
+ fira-code
+ fira-code-symbols
+ mplus-outline-fonts
+ dina-font
+ proggyfonts
+ powerline-fonts
+ font-awesome
+ ];
+
+ services.picom = {
+ enable = true;
+ vSync = true;
+ };
+}
+
diff --git a/hackens/kde.nix b/hackens/kde.nix
new file mode 100644
index 0000000..217be99
--- /dev/null
+++ b/hackens/kde.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ # Enable the KDE Desktop Environment.
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.desktopManager.plasma5.enable = true;
+}
diff --git a/hackens/monitoring.nix b/hackens/monitoring.nix
new file mode 100644
index 0000000..abfcb8e
--- /dev/null
+++ b/hackens/monitoring.nix
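Review bot: `autoLogin.user = "hackens"` drops anyone with physical access into a session of the account that hackens/users.nix puts in `wheel` and hackens/system.nix lists in `nix.trustedUsers`, so the console is an admin session unless that account has a sudo password, which is not visible in this config. If auto-login is wanted on a shared-space machine, record the decision with a comment such as `# Shared space box: physical access is trusted. hackens is a wheel user, so keep its password set for sudo.` and leave `security.sudo.wheelNeedsPassword` at its default. Separately, `pkgs.xlibs.xset` is a legacy alias; `pkgs.xorg.xset` is the current attribute.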
@@ -0,0 +1,55 @@
+{ pkgs, ... }:
+{
+ # Monitoring
+ services.netdata.enable = true;
+ environment.etc."netdata/stream.conf" = {
+ user = "netdata";
+ group = "netdata";
+ mode = "0600";
+ text = ''
+ # hackens-desktop
+ [074e699a-4206-4e13-baa7-e4524326f1e0]
+ enabled = yes
+ default history = 3600
+ default memory mode = dbengine
+ health enabled by default = auto
+ allow from = 192.168.1.117, 2001:470:1f13:21d:49fd:1d82:d2ff:d868
+
+ # hackens-openwrt
+ [cab3fe1e-576b-420d-b301-84308e44f340]
+ enabled = yes
+ default history = 3600
+ default memory mode = dbengine
+ health enabled by default = auto
+ allow from = 192.168.1.1, 2001:470:1f13:21d::1
+ '';
+ };
+ environment.etc."netdata/health_alarm_notify.conf" = {
+ user = "netdata";
+ group = "netdata";
+ mode = "0600";
+ text = ''
+ # External tools
+ nc="${pkgs.netcat}/bin/nc"
+
+ # IRC configuration
+ SEND_IRC="YES"
+ DEFAULT_RECIPIENT_IRC="#hackens-status"
+ IRC_NETWORK="ens.wtf"
+ IRC_NICKNAME="hackens"
+ IRC_REALNAME="hackENS netdata monitoring"
+ '';
+ };
+ services.smartd.enable = true;
+ services.smartd.extraOptions = [ "-A /var/log/smartd/" ]; # For netdata.
+
+ # MQTT for every usage, notably OctoPrint events.
+ services.mosquitto = {
+ enable = true;
+ host = "192.168.1.118";
+ users = {};
+ settings = {
+ allow_anonymous = true;
+ };
+ };
+}
diff --git a/hackens/netboot-server.nix b/hackens/netboot-server.nix
new file mode 100644
index 0000000..bc31f32
--- /dev/null
+++ b/hackens/netboot-server.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+ services.pixiecore = {
+ enable = true;
+ openFirwalle = true;
+ dhcpNoBind = true;
+ };
+}
diff --git a/hackens/nightworker.nix b/hackens/nightworker.nix
new file mode 100644
index 0000000..7260956
--- /dev/null
+++ b/hackens/nightworker.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+ location = {
+ latitude = 48.8422;
+ longitude = 2.3452;
+ };
+
+ services.redshift = {
+ enable = true;
+ };
+}
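Review bot: `allow_anonymous = true` together with `users = {}` makes the mosquitto broker on 192.168.1.118 fully open: any LAN client can subscribe to the OctoPrint event topics and publish arbitrary messages to any topic, and hackens/system.nix disables the firewall, so nothing else limits who can reach it. If the broker must stay password-less, restrict anonymous clients with an ACL (read-only on the expected topics) via the listener's `acl` option, or define a user in `users` and set `allow_anonymous = false;`. The same open firewall leaves netdata's dashboard on its default port reachable from the whole network; the `allow from` entries in stream.conf only gate which children may stream in, not who can view the host.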
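Review bot: `openFirwalle = true;` is a typo for `openFirewall`, and NixOS rejects undeclared option names, so this file will fail evaluation as soon as the commented-out import in hackens/default.nix is restored; change it to `openFirewall = true;`. With `dhcpNoBind = true` pixiecore acts as a ProxyDHCP next to the existing DHCP server, so once enabled any PXE-booting host on the LAN can be offered the served image; a comment stating that this is intended would help the next reader judge the blast radius.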
diff --git a/hackens/programs.nix b/hackens/programs.nix
new file mode 100644
index 0000000..c2d5af2
--- /dev/null
+++ b/hackens/programs.nix
@@ -0,0 +1,77 @@
+{ pkgs, ... }:
+{
+ programs.mtr.enable = true;
+ programs.mosh.enable = true;
+ programs.tmux.enable = true;
+ programs.wireshark.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ kitty
+ # Todolist
+ taskwarrior
+
+ # Slicers
+ prusa-slicer super-slicer
+
+ # CAD/3D
+ blender freecad openscad kicad-with-packages3d
+ # Microcontrollers
+ arduino arduino-cli stm32flash stm32loader
+ # FPGA
+ # python38Packages.nmigen python38Packages.nmigen-soc python38Packages.nmigen-boards
+ verilog verilator yosys symbiyosys mcy
+ # Reverse engineering
+ ghidra-bin apktool pwndbg
+ radare2
+
+ # IRC
+ weechat
+
+ # Editors
+ vscodium emacs neovim
+
+ # Utilities
+ minicom
+ smartmontools
+ starship
+ wget firefox ripgrep chromium
+ nmap
+ htop
+ dnsutils
+ ncdu
+
+ # Networking
+ speedtest-cli iperf
+
+ # CNC
+ inkscape
+ ];
+
+ programs.chromium = {
+ enable = true;
+
+ extensions = [
+ "cjpalhdlnbpafiamejdnhcphjbkeiagm" # uBlock Origin
+ "gcbommkclmclpchllfjekcdonpmejbdp" # HTTPS Everywhere
+ "mbniclmhobmnbdlbpiphghaielnnpgdp" # Lightshot
+ "ldlghkoiihaelfnggonhjnfiabmaficg" # QuicKey
+ ];
+
+ homepageLocation = "https://hackens.org";
+
+ extraOpts = {
+ "BrowserSignin" = 0;
+ "SyncDisabled" = true;
+ "PasswordManagerEnabled" = false;
+ "SafeBrowsingEnabled" = false;
+ "AdvancedProtectionAllowed" = false;
+ "BrowserGuestModeEnabled" = true;
+ "SpellcheckEnabled" = true;
+ "NewTabPageLocation" = "https://hackens.org";
+ "SpellcheckLanguage" = [
+ "fr-FR"
+ "en-US"
+ ];
+ };
+ };
+}
diff --git a/hackens/pubkeys/gdd.keys b/hackens/pubkeys/gdd.keys
new file mode 100644
index 0000000..32f6325
--- /dev/null
+++ b/hackens/pubkeys/gdd.keys
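Review bot: `"SafeBrowsingEnabled" = false` turns off Chromium's phishing and malware blocklist for every user of this shared machine, and the key is deprecated in favour of `SafeBrowsingProtectionLevel`; unless the goal is specifically to avoid Safe Browsing's network traffic, either drop it or replace it with `"SafeBrowsingProtectionLevel" = 1; # standard protection` and a comment giving the reason. Disabling the password manager and sync on a shared login is sensible and deserves a one-line comment so it is not "fixed" later. `programs.wireshark.enable = true` on its own installs only the CLI tools and creates the `wireshark` group; no user in this config is in that group, so capturing will still need root.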
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc gab@ThinkGab
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
diff --git a/hackens/pubkeys/raito.keys b/hackens/pubkeys/raito.keys
new file mode 100644
index 0000000..2473c6b
--- /dev/null
+++ b/hackens/pubkeys/raito.keys
@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtS70Y1Merif66/G4bsP1/E3jyjiqjf7ZMsU07lw+Wf
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ
diff --git a/hackens/ssd.nix b/hackens/ssd.nix
new file mode 100644
index 0000000..f197688
--- /dev/null
+++ b/hackens/ssd.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ services.fstrim = {
+ enable = true;
+ };
+}
diff --git a/hackens/syncthing.nix b/hackens/syncthing.nix
new file mode 100644
index 0000000..d666ae5
--- /dev/null
+++ b/hackens/syncthing.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+ services.syncthing = {
+ enable = true;
+ user = "hackens";
+ openDefaultPorts = true;
+ dataDir = "/home/hackens";
+ };
+}
diff --git a/hackens/system.nix b/hackens/system.nix
new file mode 100644
index 0000000..76367d3
--- /dev/null
+++ b/hackens/system.nix
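Review bot: `openDefaultPorts = true;` in syncthing.nix currently has no effect, because hackens/system.nix sets `networking.firewall.enable = false;`, and a reader cannot tell whether the firewall is meant to return. A comment such as `# No-op while the firewall is disabled; kept so 22000/21027 reopen if it is re-enabled.` records the intent. Leaving the GUI on its default loopback address is the right call given the open firewall; if it is ever moved to a LAN address, `guiAddress` should come with a password in the Syncthing settings.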
@@ -0,0 +1,30 @@
+{ pkgs, ... }: {
+ # Upgrades
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = false;
+ };
+
+ # Auto-GC and store optimizations
+ nix = {
+ trustedUsers = [ "root" "hackens" ];
+ package = pkgs.nixUnstable;
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 60d";
+ };
+ optimise.automatic = true;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ # Thank you
+ min-free = ${toString (100 * 1024 * 1024)}
+ max-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+
+ services.locate.enable = true;
+ services.openssh.enable = true;
+ networking.firewall.enable = false;
+ documentation.info.enable = false;
+}
diff --git a/hackens/users.nix b/hackens/users.nix
new file mode 100644
index 0000000..de4f44b
--- /dev/null
+++ b/hackens/users.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+ users.users.hackens = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 hackens@hackens-desktop"
+ ];
+ openssh.authorizedKeys.keyFiles = [
+ ./pubkeys/raito.keys
+ ./pubkeys/gdd.keys
+ ];
+ };
+
+ users.users.root = {
+ openssh.authorizedKeys.keyFiles = [
+ ./pubkeys/raito.keys
+ ./pubkeys/gdd.keys
+ ];
+ };
+
+}
diff --git a/hackens/vim.nix b/hackens/vim.nix
new file mode 100644
index 0000000..616693e
--- /dev/null
+++ b/hackens/vim.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ nixfmt
+ git
+ (neovim.override {
+ vimAlias = true;
+ configure.plug.plugins = with vimPlugins; [ vim-nix vim-lastplace ];
+ })
+ ];
+}
diff --git a/hackens/vpn-network/default.nix b/hackens/vpn-network/default.nix
new file mode 100644
index 0000000..9f2ffec
--- /dev/null
+++ b/hackens/vpn-network/default.nix
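Review bot: `networking.firewall.enable = false;` exposes every listening service on this host (sshd, netdata, the anonymous mosquitto broker, syncthing, the borg repos, WireGuard) to the whole LAN and, given the global IPv6 addresses referenced in monitoring.nix, possibly further; nothing in the config explains the choice. Prefer leaving the firewall on and opening what is needed, e.g. `networking.firewall.allowedTCPPorts = [ 22 1883 19999 ];` with `networking.firewall.allowedUDPPorts = [ 51820 ];`, or at minimum add a comment stating why it is off and what is expected to protect the host instead. `nix.trustedUsers = [ "root" "hackens" ]` also lets hackens set daemon-level options such as substituters, which is root-equivalent; consistent with its `wheel` membership, but worth a comment so it is not granted to further users casually.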
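Review bot: the `users.users.root.openssh.authorizedKeys.keyFiles` block enables direct key-based root logins over SSH, which NixOS's default `permitRootLogin = "prohibit-password"` permits, while the very same key files already log in as the wheel user `hackens`. Unless some automation needs root directly, drop the root block and add `services.openssh.permitRootLogin = "no";` and `services.openssh.passwordAuthentication = false;` next to `services.openssh.enable` in system.nix, so a weak or leaked account password cannot become an SSH foothold on a host with no firewall. If root keys must stay, a comment naming which job uses them would let the next reviewer stop asking.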
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ./wg-peers.nix
+ ];
+
+ networking.wireguard.interfaces.wghackens = {
+ ips = [ "192.168.2.1/24" ];
+ listenPort = 51820;
+
+ privateKeyFile = "/etc/secrets/wghackens";
+ generatePrivateKeyFile = true;
+ };
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+}
+
diff --git a/hackens/vpn-network/wg-peers.nix b/hackens/vpn-network/wg-peers.nix
new file mode 100644
index 0000000..8c0a5e7
--- /dev/null
+++ b/hackens/vpn-network/wg-peers.nix
@@ -0,0 +1,22 @@
+{ ... }:
+let
+ startPrefix = "192.168.2";
+ mkPeer = i: publicKey: {
+ inherit publicKey;
+ allowedIPs = [ "${startPrefix}.${toString i}/32" ]; # Only one IP.
+ };
+in
+ {
+ # Comment s'ajouter ?
+ # Ajouter un élément dans la liste sous la forme
+ # (mkPeer i "publicKey")
+ # i := c'est le i dans 192.168.2.i qui sera l'IP « allouée » sur le tunnel
+ # publicKey := votre clef publique WireGuard
+ # si on veut mettre une presharedKey, faut rajouter une entrée manuellement en suivant la doc :).
+ # Ne pas oublier un commentaire à la fin de l'entrée pour documenter qui est quoi.
+ # Clef publique actuelle: 95dW/JJDnbOelgot/yWMJMswCzHdQGCqPDvriwq9CT4=
+ networking.wireguard.interfaces.wghackens.peers = [
+ (mkPeer 2 "ed5ib4LwK6YvRDqUPyvLnbS0onrBQpFApv5HreYuMHs=") # Raito
+ (mkPeer 3 "cm0G/YTSnu4sD72wMqXjNqDuauTh5XJHf/nvE0gOpFk=") # BiBi
+ ];
+ }
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..0891328
--- /dev/null
+++ b/hardware-configuration.nix
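Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` makes this host route between wghackens (192.168.2.0/24) and enp2s0, and because hackens/system.nix disables the firewall there is no forward-chain policy at all, so every VPN peer can reach the entire LAN and LAN hosts can be routed towards the tunnel through this box. If unrestricted hackerspace access over the VPN is the intended model, say so in a comment above the sysctl; otherwise add a forward rule set (nftables or `networking.firewall.extraCommands`) that limits what peers may reach. `generatePrivateKeyFile = true` writes `/etc/secrets/wghackens` on first activation; it is worth confirming after the first switch that the file and `/etc/secrets` are root-only, since the key is the only thing authenticating this endpoint to the peers.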
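Review bot: `mkPeer` does nothing to prevent two entries using the same `i`, and WireGuard keeps each allowed IP on a single peer, so a duplicate would silently move 192.168.2.i to whichever peer is configured last and break the other one; a comment on `mkPeer` such as `# i must be unique across the peers list: WireGuard reassigns a duplicated allowed IP to the last peer.` is the cheapest guard, an `assert` over the list the stricter one. The onboarding comments are in French while the rest of the repository's comments are English; either is fine, but mixing them makes the security-relevant instructions (preshared key, who-is-who) easier to miss for non-francophone members.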
@@ -0,0 +1,33 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ];
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/nixos-root";
+ fsType = "btrfs";
+ options = [ "ssd" "noatime" "ssd_spread" "discard" "space_cache" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-label/BOOT";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-label/SWAP"; }
+ ];
+
+ nix.maxJobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+}