Initial config

bibi.nix

@@ -0,0 +1,4 @@
+{ pkgs, lib, ... }:
+
+{
+}

configuration.nix

@@ -0,0 +1,40 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./hackens
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.efi.efiSysMountPoint = "/boot";
+  boot.loader.grub.device = "nodev"; # or "nodev" for efi only
+  boot.loader.grub.configurationLimit = 2;
+
+  networking.hostName = "hackens-milieu"; # Define your hostname.
+
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.enp2s0.useDHCP = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}
+

configuration.nix~

@@ -0,0 +1,39 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./hackens
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.efi.efiSysMountPoint = "/boot";
+  boot.loader.grub.device = "nodev"; # or "nodev" for efi only
+  boot.loader.grub.configurationLimit = 2;
+
+  networking.hostName = "hackens-milieu"; # Define your hostname.
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.enp2s0.useDHCP = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}
+

hackens/aarch64.nix

@@ -0,0 +1,3 @@
+{
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+}

hackens/audio.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+}

hackens/backups.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }: {
+  # BorgBackup repositories
+  services.borgbackup.repos = {
+    hackens-desktop = {
+      authorizedKeys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcKULx/AgnqBsgwRX2BfV8waq6JXIkvZHhu9Y8paofM8awq6Om56BZoA7AV45YOcJxO/eFDOxSegXXmt22s4WjIf8I049aMdsW54BNpFpC/h18cMzm5ylKVGHl1ier/WXxpBsA8YU++YdRlGHPpKnhCtYLnBzD4Q5h+05GMIHismNZP1aGpE9s01FuP8eaDDkZUba7oSpn03AA77DBw4/2ZreSbqo96Z6WwiG09KeZvxFtEIk98EQtmiExB2fwsK3/JIxIBCoZHh4SzERcslxxGgzdppd6NhhSh7g523zhiihLaTAPNXBovGm5wcKOU9uWe+pUWEbwV04E+809aVbkJOdYBCtIf8M91meqpupA8jK38uquePHEFvpNr5UmY0qUlJCoqTvoqg9XgrfJVjlPEmYknj/QjQzkA4k19y8njsyEjnYOBL6tsztg6Igl+NZXjBAPuAzxCsfHOtWw1WM5gANwqOL0V9f7+14yST3HwweqjHRj4xky6ritxK+ujfc= hackens@hackens-desktop-1"
+      ];
+      path = "/var/backups/hackens-desktop";
+    };
+  };
+}

hackens/default.nix

@@ -0,0 +1,21 @@
+{ pkgs, ... }: {
+  imports = [
+    ./system.nix
+    ./backups.nix
+    ./vpn-network
+    ./hosts.nix
+    ./syncthing.nix
+    ./programs.nix
+    ./audio.nix
+    ./graphics.nix
+    ./monitoring.nix
+    ./users.nix
+    ./i18n.nix
+    ./vim.nix
+    ./dns.nix
+    ./nightworker.nix
+    ./ssd.nix
+    ./aarch64.nix
+    # ./netboot-server.nix # -- fix quick xyz mode.
+  ];
+}

hackens/dns.nix

@@ -0,0 +1,29 @@
+{ pkgs, lib, ... }:
+{
+  networking = {
+    nameservers = [ "127.0.0.1" "::1" ];
+  };
+
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    settings = {
+      ipv6_servers = true;
+      require_dnssec = true;
+
+      forwarding_rules = ./dns/forwarding.txt;
+
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+    };
+  };
+
+  systemd.services.dnscrypt-proxy2.serviceConfig = {
+    StateDirectory = lib.mkForce "dnscrypt-proxy2";
+  };
+}

hackens/dns/forwarding.txt

@@ -0,0 +1,3 @@
+# Résolution hackENS locale
+# e.g. hackens-milieu.lan
+.lan	192.168.1.1

hackens/graphics.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  imports = [ ./i3.nix ];
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+  services.xserver.layout = "fr";
+
+  services.autorandr.enable = true;
+}

hackens/hosts.nix

@@ -0,0 +1,3 @@
+{ pkgs, ... }:
+{
+}

hackens/i18n.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "fr";
+  };
+  time.timeZone = "Europe/Paris";
+}

hackens/i3.nix

@@ -0,0 +1,52 @@
+{ pkgs, ... }:
+{
+  environment.pathsToLink = [ "/libexec" ];
+  environment.sessionVariables.TERMINAL = [ "kitty" ];
+  environment.variables = {
+    TERMINAL = "kitty";
+    BROWSER = "firefox";
+  };
+  services.xserver = {
+    displayManager = {
+      autoLogin = {
+        enable = true;
+        user = "hackens";
+      };
+    };
+
+    windowManager.i3 = {
+      enable = true;
+      extraSessionCommands = ''
+        ${pkgs.xlibs.xset}/bin/xset r rate 200 50
+      '';
+      extraPackages = with pkgs; [
+        rofi
+        dunst
+        i3status-rust
+        i3lock
+        kitty
+      ];
+    };
+  };
+
+  fonts.fonts = with pkgs; [
+    hack-font
+    noto-fonts
+    noto-fonts-cjk
+    noto-fonts-emoji
+    liberation_ttf
+    fira-code
+    fira-code-symbols
+    mplus-outline-fonts
+    dina-font
+    proggyfonts
+    powerline-fonts
+    font-awesome
+  ];
+
+  services.picom = {
+    enable = true;
+    vSync = true;
+  };
+}
+

hackens/kde.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+    # Enable the KDE Desktop Environment.
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;
+}

hackens/monitoring.nix

@@ -0,0 +1,55 @@
+{ pkgs, ... }:
+{
+  # Monitoring
+  services.netdata.enable = true;
+  environment.etc."netdata/stream.conf" = {
+    user = "netdata";
+    group = "netdata";
+    mode = "0600";
+    text = ''
+      # hackens-desktop
+      [074e699a-4206-4e13-baa7-e4524326f1e0]
+        enabled = yes
+        default history = 3600
+        default memory mode = dbengine
+        health enabled by default = auto
+        allow from = 192.168.1.117, 2001:470:1f13:21d:49fd:1d82:d2ff:d868
+
+      # hackens-openwrt
+      [cab3fe1e-576b-420d-b301-84308e44f340]
+        enabled = yes
+        default history = 3600
+        default memory mode = dbengine
+        health enabled by default = auto
+        allow from = 192.168.1.1, 2001:470:1f13:21d::1
+    '';
+  };
+  environment.etc."netdata/health_alarm_notify.conf" = {
+    user = "netdata";
+    group = "netdata";
+    mode = "0600";
+    text = ''
+      # External tools
+      nc="${pkgs.netcat}/bin/nc"
+
+      # IRC configuration
+      SEND_IRC="YES"
+      DEFAULT_RECIPIENT_IRC="#hackens-status"
+      IRC_NETWORK="ens.wtf"
+      IRC_NICKNAME="hackens"
+      IRC_REALNAME="hackENS netdata monitoring"
+    '';
+  };
+  services.smartd.enable = true;
+  services.smartd.extraOptions = [ "-A /var/log/smartd/" ]; # For netdata.
+
+  # MQTT for every usage, notably OctoPrint events.
+  services.mosquitto = {
+    enable = true;
+    host = "192.168.1.118";
+    users = {};
+    settings = {
+      allow_anonymous = true;
+    };
+  };
+}

hackens/netboot-server.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  services.pixiecore = {
+    enable = true;
+    openFirwalle = true;
+    dhcpNoBind = true;
+  };
+}

hackens/nightworker.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  location = {
+    latitude = 48.8422;
+    longitude = 2.3452;
+  };
+
+  services.redshift = {
+    enable = true;
+  };
+}

hackens/programs.nix

@@ -0,0 +1,77 @@
+{ pkgs, ... }:
+{
+  programs.mtr.enable = true;
+  programs.mosh.enable = true;
+  programs.tmux.enable = true;
+  programs.wireshark.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    kitty
+    # Todolist
+    taskwarrior
+
+    # Slicers
+    prusa-slicer super-slicer
+
+    # CAD/3D
+    blender freecad openscad kicad-with-packages3d
+    # Microcontrollers
+    arduino arduino-cli stm32flash stm32loader
+    # FPGA
+    # python38Packages.nmigen python38Packages.nmigen-soc python38Packages.nmigen-boards
+    verilog verilator yosys symbiyosys mcy
+    # Reverse engineering
+    ghidra-bin apktool pwndbg
+    radare2
+
+    # IRC
+    weechat
+
+    # Editors
+    vscodium emacs neovim
+
+    # Utilities
+    minicom
+    smartmontools
+    starship
+    wget firefox ripgrep chromium
+    nmap
+    htop
+    dnsutils
+    ncdu
+
+    # Networking
+    speedtest-cli iperf
+
+    # CNC
+    inkscape
+  ];
+
+  programs.chromium = {
+    enable = true;
+
+    extensions = [
+      "cjpalhdlnbpafiamejdnhcphjbkeiagm" # uBlock Origin
+      "gcbommkclmclpchllfjekcdonpmejbdp" # HTTPS Everywhere
+      "mbniclmhobmnbdlbpiphghaielnnpgdp" # Lightshot
+      "ldlghkoiihaelfnggonhjnfiabmaficg" # QuicKey
+    ];
+
+    homepageLocation = "https://hackens.org";
+
+    extraOpts = {
+      "BrowserSignin" = 0;
+      "SyncDisabled" = true;
+      "PasswordManagerEnabled" = false;
+      "SafeBrowsingEnabled" = false;
+      "AdvancedProtectionAllowed" = false;
+      "BrowserGuestModeEnabled" = true;
+      "SpellcheckEnabled" = true;
+      "NewTabPageLocation" = "https://hackens.org";
+      "SpellcheckLanguage" = [
+        "fr-FR"
+        "en-US"
+      ];
+    };
+  };
+}

hackens/pubkeys/gdd.keys

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc gab@ThinkGab
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

hackens/pubkeys/raito.keys

@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtS70Y1Merif66/G4bsP1/E3jyjiqjf7ZMsU07lw+Wf
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ

hackens/ssd.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  services.fstrim = {
+    enable = true;
+  };
+}

hackens/syncthing.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  services.syncthing = {
+    enable = true;
+    user = "hackens";
+    openDefaultPorts = true;
+    dataDir = "/home/hackens";
+  };
+}

hackens/system.nix

@@ -0,0 +1,30 @@
+{ pkgs, ... }: {
+  # Upgrades
+  system.autoUpgrade = {
+    enable = true;
+    allowReboot = false;
+  };
+
+  # Auto-GC and store optimizations
+  nix = {
+    trustedUsers = [ "root" "hackens" ];
+    package = pkgs.nixUnstable;
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 60d";
+    };
+    optimise.automatic = true;
+    extraOptions = ''
+      experimental-features = nix-command flakes
+      # Thank you
+      min-free = ${toString (100 * 1024 * 1024)}
+      max-free = ${toString (1024 * 1024 * 1024)}
+    '';
+  };
+
+  services.locate.enable = true;
+  services.openssh.enable = true;
+  networking.firewall.enable = false;
+  documentation.info.enable = false;
+}

hackens/users.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+  users.users.hackens = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+
+    openssh.authorizedKeys.keys = [ 
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcKULx/AgnqBsgwRX2BfV8waq6JXIkvZHhu9Y8paofM8awq6Om56BZoA7AV45YOcJxO/eFDOxSegXXmt22s4WjIf8I049aMdsW54BNpFpC/h18cMzm5ylKVGHl1ier/WXxpBsA8YU++YdRlGHPpKnhCtYLnBzD4Q5h+05GMIHismNZP1aGpE9s01FuP8eaDDkZUba7oSpn03AA77DBw4/2ZreSbqo96Z6WwiG09KeZvxFtEIk98EQtmiExB2fwsK3/JIxIBCoZHh4SzERcslxxGgzdppd6NhhSh7g523zhiihLaTAPNXBovGm5wcKOU9uWe+pUWEbwV04E+809aVbkJOdYBCtIf8M91meqpupA8jK38uquePHEFvpNr5UmY0qUlJCoqTvoqg9XgrfJVjlPEmYknj/QjQzkA4k19y8njsyEjnYOBL6tsztg6Igl+NZXjBAPuAzxCsfHOtWw1WM5gANwqOL0V9f7+14yST3HwweqjHRj4xky6ritxK+ujfc= hackens@hackens-desktop"
+    ];
+    openssh.authorizedKeys.keyFiles = [
+      ./pubkeys/raito.keys
+      ./pubkeys/gdd.keys
+    ];
+  };
+
+  users.users.root = {
+    openssh.authorizedKeys.keyFiles = [
+      ./pubkeys/raito.keys
+      ./pubkeys/gdd.keys
+    ];
+  };
+
+}

hackens/vim.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    nixfmt
+    git
+    (neovim.override {
+      vimAlias = true;
+      configure.plug.plugins = with vimPlugins; [ vim-nix vim-lastplace ];
+    })
+  ];
+}

hackens/vpn-network/default.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  imports = [ 
+    ./wg-peers.nix
+  ];
+
+  networking.wireguard.interfaces.wghackens = {
+    ips = [ "192.168.2.1/24" ];
+    listenPort = 51820;
+
+    privateKeyFile = "/etc/secrets/wghackens";
+    generatePrivateKeyFile = true;
+  };
+
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+}
+

hackens/vpn-network/wg-peers.nix

@@ -0,0 +1,22 @@
+{ ... }:
+let
+  startPrefix = "192.168.2";
+  mkPeer = i: publicKey: {
+    inherit publicKey;
+    allowedIPs = [ "${startPrefix}.${toString i}/32" ]; # Only one IP.
+  };
+in
+  {
+    # Comment s'ajouter ?
+    # Ajouter un élément dans la liste sous la forme
+    # (mkPeer i "publicKey")
+    # i := c'est le i dans 192.168.2.i qui sera l'IP « allouée » sur le tunnel
+    # publicKey := votre clef publique WireGuard
+    # si on veut mettre une presharedKey, faut rajouter une entrée manuellement en suivant la doc :).
+    # Ne pas oublier un commentaire à la fin de l'entrée pour documenter qui est quoi.
+    # Clef publique actuelle: 95dW/JJDnbOelgot/yWMJMswCzHdQGCqPDvriwq9CT4=
+    networking.wireguard.interfaces.wghackens.peers = [
+      (mkPeer 2 "ed5ib4LwK6YvRDqUPyvLnbS0onrBQpFApv5HreYuMHs=") # Raito
+      (mkPeer 3 "cm0G/YTSnu4sD72wMqXjNqDuauTh5XJHf/nvE0gOpFk=") # BiBi
+    ];
+  }

hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/nixos-root";
+      fsType = "btrfs";
+      options = [ "ssd" "noatime" "ssd_spread" "discard" "space_cache" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-label/BOOT";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-label/SWAP"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+}