HackENS/hackens-org-configurations
5
0
Fork 0
Code Issues 2 Pull requests 1 Projects Releases Packages Wiki Activity

Initial config

Browse source
This commit is contained in:
hackens milieu 2021-11-02 19:30:28 +01:00
commit 3687de6151
28 changed files with 541 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bibi.nix Normal file
View file

@ -0,0 +1,4 @@
{ pkgs, lib, ... }:
{
}

40
configuration.nix Normal file
View file

@ -0,0 +1,40 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./hackens
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.efi.efiSysMountPoint = "/boot";
boot.loader.grub.device = "nodev"; # or "nodev" for efi only
boot.loader.grub.configurationLimit = 2;
networking.hostName = "hackens-milieu"; # Define your hostname.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp2s0.useDHCP = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
}

39
configuration.nix~ Normal file
View file

@ -0,0 +1,39 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./hackens
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.efi.efiSysMountPoint = "/boot";
boot.loader.grub.device = "nodev"; # or "nodev" for efi only
boot.loader.grub.configurationLimit = 2;
networking.hostName = "hackens-milieu"; # Define your hostname.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp2s0.useDHCP = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
}

3
hackens/aarch64.nix Normal file
View file

@ -0,0 +1,3 @@
{
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}

6
hackens/audio.nix Normal file
View file

@ -0,0 +1,6 @@
{ pkgs, ... }:
{
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
}

11
hackens/backups.nix Normal file
View file

@ -0,0 +1,11 @@
{ pkgs, ... }: {
# BorgBackup repositories
services.borgbackup.repos = {
hackens-desktop = {
authorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcKULx/AgnqBsgwRX2BfV8waq6JXIkvZHhu9Y8paofM8awq6Om56BZoA7AV45YOcJxO/eFDOxSegXXmt22s4WjIf8I049aMdsW54BNpFpC/h18cMzm5ylKVGHl1ier/WXxpBsA8YU++YdRlGHPpKnhCtYLnBzD4Q5h+05GMIHismNZP1aGpE9s01FuP8eaDDkZUba7oSpn03AA77DBw4/2ZreSbqo96Z6WwiG09KeZvxFtEIk98EQtmiExB2fwsK3/JIxIBCoZHh4SzERcslxxGgzdppd6NhhSh7g523zhiihLaTAPNXBovGm5wcKOU9uWe+pUWEbwV04E+809aVbkJOdYBCtIf8M91meqpupA8jK38uquePHEFvpNr5UmY0qUlJCoqTvoqg9XgrfJVjlPEmYknj/QjQzkA4k19y8njsyEjnYOBL6tsztg6Igl+NZXjBAPuAzxCsfHOtWw1WM5gANwqOL0V9f7+14yST3HwweqjHRj4xky6ritxK+ujfc= hackens@hackens-desktop-1"
];
path = "/var/backups/hackens-desktop";
};
};
}

21
hackens/default.nix Normal file
View file

@ -0,0 +1,21 @@
{ pkgs, ... }: {
imports = [
./system.nix
./backups.nix
./vpn-network
./hosts.nix
./syncthing.nix
./programs.nix
./audio.nix
./graphics.nix
./monitoring.nix
./users.nix
./i18n.nix
./vim.nix
./dns.nix
./nightworker.nix
./ssd.nix
./aarch64.nix
# ./netboot-server.nix # -- fix quick xyz mode.
];
}

29
hackens/dns.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, lib, ... }:
{
networking = {
nameservers = [ "127.0.0.1" "::1" ];
};
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
forwarding_rules = ./dns/forwarding.txt;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
};
systemd.services.dnscrypt-proxy2.serviceConfig = {
StateDirectory = lib.mkForce "dnscrypt-proxy2";
};
}

3
hackens/dns/forwarding.txt Normal file
View file

@ -0,0 +1,3 @@
# Résolution hackENS locale
# e.g. hackens-milieu.lan
.lan 192.168.1.1

10
hackens/graphics.nix Normal file
View file

@ -0,0 +1,10 @@
{ pkgs, ... }:
{
imports = [ ./i3.nix ];
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "fr";
services.autorandr.enable = true;
}

3
hackens/hosts.nix Normal file
View file

@ -0,0 +1,3 @@
{ pkgs, ... }:
{
}

8
hackens/i18n.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, ... }: {
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "fr";
};
time.timeZone = "Europe/Paris";
}

52
hackens/i3.nix Normal file
View file

@ -0,0 +1,52 @@
{ pkgs, ... }:
{
environment.pathsToLink = [ "/libexec" ];
environment.sessionVariables.TERMINAL = [ "kitty" ];
environment.variables = {
TERMINAL = "kitty";
BROWSER = "firefox";
};
services.xserver = {
displayManager = {
autoLogin = {
enable = true;
user = "hackens";
};
};
windowManager.i3 = {
enable = true;
extraSessionCommands = ''
${pkgs.xlibs.xset}/bin/xset r rate 200 50
'';
extraPackages = with pkgs; [
rofi
dunst
i3status-rust
i3lock
kitty
];
};
};
fonts.fonts = with pkgs; [
hack-font
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
liberation_ttf
fira-code
fira-code-symbols
mplus-outline-fonts
dina-font
proggyfonts
powerline-fonts
font-awesome
];
services.picom = {
enable = true;
vSync = true;
};
}

6
hackens/kde.nix Normal file
View file

@ -0,0 +1,6 @@
{ ... }:
{
# Enable the KDE Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
}

55
hackens/monitoring.nix Normal file
View file

@ -0,0 +1,55 @@
{ pkgs, ... }:
{
# Monitoring
services.netdata.enable = true;
environment.etc."netdata/stream.conf" = {
user = "netdata";
group = "netdata";
mode = "0600";
text = ''
# hackens-desktop
[074e699a-4206-4e13-baa7-e4524326f1e0]
enabled = yes
default history = 3600
default memory mode = dbengine
health enabled by default = auto
allow from = 192.168.1.117, 2001:470:1f13:21d:49fd:1d82:d2ff:d868
# hackens-openwrt
[cab3fe1e-576b-420d-b301-84308e44f340]
enabled = yes
default history = 3600
default memory mode = dbengine
health enabled by default = auto
allow from = 192.168.1.1, 2001:470:1f13:21d::1
'';
};
environment.etc."netdata/health_alarm_notify.conf" = {
user = "netdata";
group = "netdata";
mode = "0600";
text = ''
# External tools
nc="${pkgs.netcat}/bin/nc"
# IRC configuration
SEND_IRC="YES"
DEFAULT_RECIPIENT_IRC="#hackens-status"
IRC_NETWORK="ens.wtf"
IRC_NICKNAME="hackens"
IRC_REALNAME="hackENS netdata monitoring"
'';
};
services.smartd.enable = true;
services.smartd.extraOptions = [ "-A /var/log/smartd/" ]; # For netdata.
# MQTT for every usage, notably OctoPrint events.
services.mosquitto = {
enable = true;
host = "192.168.1.118";
users = {};
settings = {
allow_anonymous = true;
};
};
}

8
hackens/netboot-server.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, ... }:
{
services.pixiecore = {
enable = true;
openFirwalle = true;
dhcpNoBind = true;
};
}

11
hackens/nightworker.nix Normal file
View file

@ -0,0 +1,11 @@
{ pkgs, ... }:
{
location = {
latitude = 48.8422;
longitude = 2.3452;
};
services.redshift = {
enable = true;
};
}

77
hackens/programs.nix Normal file
View file

@ -0,0 +1,77 @@
{ pkgs, ... }:
{
programs.mtr.enable = true;
programs.mosh.enable = true;
programs.tmux.enable = true;
programs.wireshark.enable = true;
environment.systemPackages = with pkgs; [
kitty
# Todolist
taskwarrior
# Slicers
prusa-slicer super-slicer
# CAD/3D
blender freecad openscad kicad-with-packages3d
# Microcontrollers
arduino arduino-cli stm32flash stm32loader
# FPGA
# python38Packages.nmigen python38Packages.nmigen-soc python38Packages.nmigen-boards
verilog verilator yosys symbiyosys mcy
# Reverse engineering
ghidra-bin apktool pwndbg
radare2
# IRC
weechat
# Editors
vscodium emacs neovim
# Utilities
minicom
smartmontools
starship
wget firefox ripgrep chromium
nmap
htop
dnsutils
ncdu
# Networking
speedtest-cli iperf
# CNC
inkscape
];
programs.chromium = {
enable = true;
extensions = [
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # uBlock Origin
"gcbommkclmclpchllfjekcdonpmejbdp" # HTTPS Everywhere
"mbniclmhobmnbdlbpiphghaielnnpgdp" # Lightshot
"ldlghkoiihaelfnggonhjnfiabmaficg" # QuicKey
];
homepageLocation = "https://hackens.org";
extraOpts = {
"BrowserSignin" = 0;
"SyncDisabled" = true;
"PasswordManagerEnabled" = false;
"SafeBrowsingEnabled" = false;
"AdvancedProtectionAllowed" = false;
"BrowserGuestModeEnabled" = true;
"SpellcheckEnabled" = true;
"NewTabPageLocation" = "https://hackens.org";
"SpellcheckLanguage" = [
"fr-FR"
"en-US"
];
};
};
}

2
hackens/pubkeys/gdd.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc gab@ThinkGab
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

3
hackens/pubkeys/raito.keys Normal file
View file

@ -0,0 +1,3 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtS70Y1Merif66/G4bsP1/E3jyjiqjf7ZMsU07lw+Wf
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ

6
hackens/ssd.nix Normal file
View file

@ -0,0 +1,6 @@
{ pkgs, ... }:
{
services.fstrim = {
enable = true;
};
}

9
hackens/syncthing.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs, ... }:
{
services.syncthing = {
enable = true;
user = "hackens";
openDefaultPorts = true;
dataDir = "/home/hackens";
};
}

30
hackens/system.nix Normal file
View file

@ -0,0 +1,30 @@
{ pkgs, ... }: {
# Upgrades
system.autoUpgrade = {
enable = true;
allowReboot = false;
};
# Auto-GC and store optimizations
nix = {
trustedUsers = [ "root" "hackens" ];
package = pkgs.nixUnstable;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 60d";
};
optimise.automatic = true;
extraOptions = ''
experimental-features = nix-command flakes
# Thank you
min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)}
'';
};
services.locate.enable = true;
services.openssh.enable = true;
networking.firewall.enable = false;
documentation.info.enable = false;
}

23
hackens/users.nix Normal file
View file

@ -0,0 +1,23 @@
{ pkgs, ... }:
{
users.users.hackens = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcKULx/AgnqBsgwRX2BfV8waq6JXIkvZHhu9Y8paofM8awq6Om56BZoA7AV45YOcJxO/eFDOxSegXXmt22s4WjIf8I049aMdsW54BNpFpC/h18cMzm5ylKVGHl1ier/WXxpBsA8YU++YdRlGHPpKnhCtYLnBzD4Q5h+05GMIHismNZP1aGpE9s01FuP8eaDDkZUba7oSpn03AA77DBw4/2ZreSbqo96Z6WwiG09KeZvxFtEIk98EQtmiExB2fwsK3/JIxIBCoZHh4SzERcslxxGgzdppd6NhhSh7g523zhiihLaTAPNXBovGm5wcKOU9uWe+pUWEbwV04E+809aVbkJOdYBCtIf8M91meqpupA8jK38uquePHEFvpNr5UmY0qUlJCoqTvoqg9XgrfJVjlPEmYknj/QjQzkA4k19y8njsyEjnYOBL6tsztg6Igl+NZXjBAPuAzxCsfHOtWw1WM5gANwqOL0V9f7+14yST3HwweqjHRj4xky6ritxK+ujfc= hackens@hackens-desktop"
];
openssh.authorizedKeys.keyFiles = [
./pubkeys/raito.keys
./pubkeys/gdd.keys
];
};
users.users.root = {
openssh.authorizedKeys.keyFiles = [
./pubkeys/raito.keys
./pubkeys/gdd.keys
];
};
}

10
hackens/vim.nix Normal file
View file

@ -0,0 +1,10 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
nixfmt
git
(neovim.override {
vimAlias = true;
configure.plug.plugins = with vimPlugins; [ vim-nix vim-lastplace ];
})
];
}

17
hackens/vpn-network/default.nix Normal file
View file

@ -0,0 +1,17 @@
{ pkgs, ... }:
{
imports = [
./wg-peers.nix
];
networking.wireguard.interfaces.wghackens = {
ips = [ "192.168.2.1/24" ];
listenPort = 51820;
privateKeyFile = "/etc/secrets/wghackens";
generatePrivateKeyFile = true;
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
}

22
hackens/vpn-network/wg-peers.nix Normal file
View file

@ -0,0 +1,22 @@
{ ... }:
let
startPrefix = "192.168.2";
mkPeer = i: publicKey: {
inherit publicKey;
allowedIPs = [ "${startPrefix}.${toString i}/32" ]; # Only one IP.
};
in
{
# Comment s'ajouter ?
# Ajouter un élément dans la liste sous la forme
# (mkPeer i "publicKey")
# i := c'est le i dans 192.168.2.i qui sera l'IP « allouée » sur le tunnel
# publicKey := votre clef publique WireGuard
# si on veut mettre une presharedKey, faut rajouter une entrée manuellement en suivant la doc :).
# Ne pas oublier un commentaire à la fin de l'entrée pour documenter qui est quoi.
# Clef publique actuelle: 95dW/JJDnbOelgot/yWMJMswCzHdQGCqPDvriwq9CT4=
networking.wireguard.interfaces.wghackens.peers = [
(mkPeer 2 "ed5ib4LwK6YvRDqUPyvLnbS0onrBQpFApv5HreYuMHs=") # Raito
(mkPeer 3 "cm0G/YTSnu4sD72wMqXjNqDuauTh5XJHf/nvE0gOpFk=") # BiBi
];
}

33
hardware-configuration.nix Normal file
View file

@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-label/nixos-root";
fsType = "btrfs";
options = [ "ssd" "noatime" "ssd_spread" "discard" "space_cache" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/BOOT";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-label/SWAP"; }
];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}