configuration/common/nixos.nix
2022-06-22 10:29:27 -07:00


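# Common NixOS configuration shared by every host: boot and disk encryption,
# networking, input, authentication/authorization, mail alerts, desktop and
# the primary user. Host-specific pieces (interface addresses, the `mirror`
# service's ExecStart) are not defined here and presumably come from the
# per-host files that import this module.
{ config, lib, pkgs, ... }:
let
  # Shared colour palette; only used for the console colours below.
  palette = import ./palette.nix;
in
{
  imports = [
    # Brother brscan4 scanner backend, resolved from the <nixpkgs> entry of NIX_PATH.
    <nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
    ../packages/kmonad.nix
  ];

  # Nix
  nix.autoOptimiseStore = true;
  nix.gc = { automatic = true; options = "--delete-older-than 7d"; };
  nix.extraOptions = ''
    # Recommended by nix-direnv
    keep-outputs = true
    keep-derivations = true
  '';
  nixpkgs.config.allowUnfree = true;

  # Boot
  boot.loader.systemd-boot.enable = true;
  boot.loader.systemd-boot.memtest86.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.plymouth.enable = true;

  # Swap
  zramSwap.enable = true;

  # Filesystems
  # The LUKS passphrase is stored GPG-encrypted to the smartcard key in
  # ./andrew.asc; fallbackToPassword keeps a typed passphrase as the recovery
  # path when no card is present.
  boot.initrd.luks = {
    gpgSupport = true;
    devices.pv = {
      device = "/dev/disk/by-partlabel/pv-enc";
      # TRIM passes through dm-crypt; this reveals which blocks are unused,
      # which is the usual trade-off accepted for SSD health.
      allowDiscards = true;
      fallbackToPassword = true;
      gpgCard.encryptedPass = ./local/luks-passphrase.gpg;
      gpgCard.publicKey = ./andrew.asc;
    };
  };
  fileSystems."/".options = [ "noatime" ];
  boot.cleanTmpDir = true;

  # Time and locale
  time.timeZone = "America/Los_Angeles";
  i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";

  # Networking
  networking.useDHCP = false; # Future default
  networking.domain = "home.arpa";
  networking.search = [ "home.arpa" ];
  # Workaround for `avahi-daemon[1234]: Failed to read /etc/avahi/services.`
  # Upstream: https://github.com/lathiat/avahi/blob/v0.8/avahi-daemon/static-services.c#L917-L919
  system.activationScripts.etcAvahiServices = "mkdir -p /etc/avahi/services";

  # Console
  # console.colors wants bare hex digits, so the palette's leading "#" is dropped.
  # First row: normal colours 0-7; second row: bright colours 8-15.
  console.colors = map (lib.removePrefix "#") [
    "#000000" palette.red palette.green palette.yellow palette.blue palette.orange palette.purple palette.white
    palette.gray palette.red palette.green palette.yellow palette.blue palette.orange palette.purple palette.white
  ];

  # Keyboard
  services.xserver.extraLayouts.halmakish = {
    description = "Halmakish";
    languages = [ "eng" ];
    symbolsFile = ./halmakish.xkb;
  };
  services.xserver.layout = "halmakish";
  console.useXkbConfig = true;
  kmonad = {
    enable = true;
    keyboards.default.config = builtins.readFile ./halmakish.kbd;
  };

  # Power
  systemd.ctrlAltDelUnit = "poweroff.target";

  # Authentication
  # `sufficient` means a registered U2F touch alone satisfies PAM, with no
  # password; `cue` prints the touch prompt. This is a deliberate passwordless
  # local login, so possession of the token is the whole credential.
  security.pam.u2f = {
    enable = true;
    control = "sufficient";
    cue = true;
  };

  # Authorization
  # These NOPASSWD rules are effectively passwordless root for `wheel`: anyone
  # who can edit the system configuration (or the channel it is built from) can
  # make `nixos-rebuild switch` run arbitrary code as root. sudo matches the
  # argument strings exactly, so variants with extra arguments still prompt.
  security.sudo.extraRules = [
    {
      groups = [ "wheel" ];
      commands = [
        { command = "/run/current-system/sw/bin/nix-channel --update"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/nixos-rebuild boot"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/nixos-rebuild switch"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/poweroff"; options = [ "NOPASSWD" ]; }
      ];
    }
  ];

  # SSH
  services.openssh.enable = true;
  # Key-based login is provisioned for `ak` below, so do not also expose the
  # account's password hash to online guessing over the network.
  # NOTE(review): keyboard-interactive (PAM) logins are not covered by this
  # option; confirm whether they should be disabled as well.
  services.openssh.passwordAuthentication = false;

  # Mail
  # Outbound-only relay through SES; local delivery is disabled below.
  services.postfix = {
    enable = true;
    config = {
      relayhost = "[email-smtp.us-west-2.amazonaws.com]:587";
      smtp_use_tls = "yes";
      # "encrypt" enforces TLS but does not verify the relay's certificate, so
      # the SASL credentials below are protected only against passive
      # eavesdropping, not an active interception of the relay connection.
      # NOTE(review): consider "secure" plus smtp_tls_CAfile pointing at the
      # system CA bundle so the relay is authenticated — confirm before changing.
      smtp_tls_security_level = "encrypt";
      smtp_tls_note_starttls_offer = "yes";
      smtp_sasl_auth_enable = "yes";
      smtp_sasl_security_options = "noanonymous";
      # Relay credentials live outside the Nix store, in a postfix hash map.
      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/smtp_sasl_password_maps";
    };
    origin = "andrew.kvalhe.im";
    destination = []; # Disable local delivery
  };
  # Template unit: `alert@foo.service` mails root the status of `foo.service`.
  # %I is spliced into a bash command line, so the instance must be a plain
  # unit name; it is only referenced from onFailure (see `mirror` below).
  systemd.services."alert@" = {
    description = "Alert of failed %I";
    serviceConfig.SyslogIdentifier = "%p";
    serviceConfig.Type = "oneshot";
    serviceConfig.ExecStart = ''
      ${pkgs.bash}/bin/bash -c "${pkgs.system-sendmail}/bin/sendmail -i root \
      <<< $'Subject: %I failed\n\n'\"$(systemctl --full status %I)\""
    '';
  };

  # SMART monitoring
  services.smartd = {
    enable = true;
    notifications.mail.enable = true; # Delivered through the postfix relay above
  };

  # Audio
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa = { enable = true; support32Bit = true; };
    pulse.enable = true;
  };

  # Printer
  services.printing.enable = true;
  services.printing.drivers = with pkgs; [
    brgenml1cupswrapper
  ];
  hardware.printers = {
    ensureDefaultPrinter = "DCP-7065DN";
    ensurePrinters = [ {
      name = "DCP-7065DN";
      description = "Brother DCP-7065DN";
      model = "brother-BrGenML1-cups-en.ppd";
      deviceUri = "lpd://lumberjack/binary_p1";
    } ];
  };

  # Scanner
  hardware.sane.enable = true;
  hardware.sane.brscan4 = {
    enable = true;
    netDevices.DCP-7065DN = { model = "DCP-7065DN"; nodename = "lumberjack"; };
  };

  # Graphical environment
  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;

  # Applications
  environment.gnome.excludePackages = with pkgs.gnome; [
    epiphany
    geary
    gnome-maps
    gnome-music
    gnome-photos
    gnome-weather
  ];
  services.pcscd.enable = true; # Smartcard daemon, needed by gpg-agent below
  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  virtualisation = {
    # Unqualified image names resolve against docker.io only.
    containers.registries.search = ["docker.io"];
    docker = { enable = true; enableOnBoot = false; autoPrune.enable = true; };
    podman.enable = true;
    libvirtd.enable = true;
  };
  programs.zsh.enable = true;
  environment.localBinInPath = true;

  # Users
  # Users are declared here only; hashes are not editable on the running system.
  users.mutableUsers = false;
  users.groups.ak.gid = 1000;
  users.users.ak = {
    isNormalUser = true;
    uid = 1000;
    group = "ak";
    extraGroups = [
      "wheel"
      "networkmanager"
      "lp"
      "scanner"
      "podman"
      # Membership of the docker group is root-equivalent, consistent with the
      # passwordless sudo rules above.
      "docker"
      "libvirtd"
    ];
    description = "Andrew";
    # NOTE(review): builtins.readFile keeps the file's trailing newline;
    # lib.fileContents strips it — confirm the shadow entry is written as intended.
    hashedPassword = builtins.readFile ./local/ak.passwd;
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [ (builtins.readFile ./andrew.pub) ];
  };

  # Backup
  # No ExecStart is defined here; presumably each host supplies it. A failure
  # triggers alert@mirror.service (%n expands to this unit's full name).
  systemd.services.mirror = {
    description = "Mirror to closet";
    serviceConfig.Type = "oneshot";
    serviceConfig.Nice = 10;
    onFailure = [ "alert@%n.service" ];
    path = with pkgs; [ netcat openssh rsync ];
  };
  systemd.timers.mirror = {
    timerConfig.OnCalendar = "00,12,17:00 America/Los_Angeles";
    timerConfig.Persistent = true; # Run a missed activation at next boot
    wantedBy = [ "timers.target" ];
  };
}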