{ config, lib, pkgs, ... }:

# NixOS host configuration for the ThinkPad X1 Gen 9 "wakasu".
#
# WireGuard endpoint details come from ../../secrets/machines.nix, which may
# be absent from a checkout; every value derived from it falls back to an
# empty string (or 0 for the port) so the expression still evaluates.

with lib;
let
  hostname = "wakasu";

  # Optional secrets file. `secrets` is `{}` when the file is missing; the
  # guards below keep the attribute lookups from being forced in that case.
  secretPath = ../../secrets/machines.nix;
  haveSecrets = builtins.pathExists secretPath;
  secrets = if haveSecrets then import secretPath else { };

  endpointIP = optionalString haveSecrets secrets.wg.endpointIP;
  endpointPort = if haveSecrets then secrets.wg.listenPort else 0;
  endpointPublicKey = optionalString haveSecrets secrets.wireguard.kerkouane.publicKey;

  # Not referenced in this file; kept for parity with the other hosts.
  getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs;

  # Per-host metadata (WireGuard addresses) shared with the ops tooling.
  hostMeta = (importTOML ../../ops/hosts.toml).hosts.wakasu;

  # Battery charge-threshold scripts. Each one only writes two fixed values
  # into sysfs and never looks at its arguments; they need root, which the
  # sudo rule further down grants to wheel without a password.
  mkChargeProfile = name: { stop, start }:
    pkgs.writeShellScriptBin name ''
      echo "${toString stop}" > /sys/class/power_supply/BAT0/charge_control_end_threshold
      echo "${toString start}" > /sys/class/power_supply/BAT0/charge_control_start_threshold
    '';
  officemode = mkChargeProfile "officemode" { stop = 80; start = 70; }; # plugged in all day
  roadmode = mkChargeProfile "roadmode" { stop = 100; start = 99; }; # full charge for travel
in
{
  imports = [
    ../hardware/thinkpad-x1g9.nix
    ../../users/vincent
    ../../users/root
  ];

  # -- Storage ---------------------------------------------------------------
  fileSystems = {
    "/" = {
      device = "/dev/mapper/root"; # uuid: 637ee2a5-638d-46cd-8845-3cc0fa8551bd
      fsType = "ext4";
      options = [ "noatime" "discard" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/7D17-F310";
      fsType = "vfat";
    };
  };

  swapDevices = [{ device = "/dev/disk/by-uuid/ab056cfc-fb17-4db7-a393-f93726cc2987"; }];

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;

    # Root LUKS container, opened before LVM. The key is a raw 4 KiB slice
    # read at a fixed offset from a specific USB stick (by-id path, so a
    # different stick in the same port is not accepted). Password fallback is
    # forced on so a lost or unplugged stick cannot lock the machine out.
    # allowDiscards lets TRIM through the encryption layer, which reveals
    # which blocks are unused -- a deliberate trade for SSD health.
    initrd.luks.devices.root = {
      device = "/dev/disk/by-uuid/c0cac87c-53ec-4262-9ab2-a3ee8331c75a"; # was /dev/nvme0n1p1
      preLVM = true;
      allowDiscards = true;
      keyFile = "/dev/disk/by-id/usb-_USB_DISK_2.0_070D375D84327E87-0:0";
      keyFileOffset = 30992883712;
      keyFileSize = 4096;
      fallbackToPassword = lib.mkForce true;
    };
  };

  # -- Network ---------------------------------------------------------------
  networking = {
    hostName = hostname;
    # Inbound TCP range opened on every interface; what listens there is not
    # recorded in this file, so keep the range as narrow as the consumer allows.
    firewall.allowedTCPPortRanges = [{ from = 45000; to = 47000; }];
  };

  # -- Peripherals -----------------------------------------------------------
  hardware = {
    sensor.iio.enable = true;
    sane = {
      enable = true;
      extraBackends = [ pkgs.sane-airscan ];
    };
  };

  services.printing = {
    enable = true;
    drivers = with pkgs; [
      gutenprint
      gutenprintBin
      canon-capt
      canon-cups-ufr2
      cups-bjnp
      carps-cups
      cnijfilter2
    ];
  };

  services.udev = {
    packages = [ pkgs.sane-airscan ];
    # The STM32 DFU rule uses MODE 0666, i.e. any local account can talk to
    # the keyboard bootloader; TAG+="uaccess" would limit that to the active
    # seat. Left as the vendor documents it.
    # The power_supply rule fires on every uevent while discharging at <=5%,
    # so hibernate is requested repeatedly until the system actually goes down.
    extraRules = ''
      # STM32 rules for the Moonlander and Planck EZ
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
      MODE:="0666", \
      SYMLINK+="stm32_dfu"

      # Suspend the system when battery level drops to 5% or lower
      SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
    '';
  };

  # -- Privilege -------------------------------------------------------------
  # Passwordless sudo is limited to the two store-path-pinned threshold
  # scripts; the store path fixes the exact script contents, and the scripts
  # ignore their arguments, so this does not widen into a general root shell.
  security.sudo.extraRules = [
    {
      groups = [ "wheel" ];
      commands = map
        (path: { command = path; options = [ "NOPASSWD" ]; })
        [ "${officemode}/bin/officemode" "${roadmode}/bin/roadmode" ];
    }
  ];

  # -- Local module switches -------------------------------------------------
  modules = {
    core.binfmt.enable = true;
    editors.emacs.enable = true;
    hardware = {
      yubikey = { enable = true; u2f = true; };
      laptop.enable = true;
      bluetooth.enable = true;
    };
    desktop.wayland.sway.enable = true; # hyprland stays off
    dev = {
      enable = true;
      containers = {
        enable = true;
        podman.enable = true; # no docker daemon; client-only package below
      };
    };
    profiles = {
      work.redhat = true;
      home = true; # TODO Migrate to modules
    };
    services = {
      syncthing = {
        enable = true;
        # GUI bound to the WireGuard address only, not to a LAN interface.
        guiAddress = "${hostMeta.wireguard.addrs.v4}:8384";
      };
      ssh.enable = true;
    };
    virtualisation.libvirt = { enable = true; nested = true; };
  };

  # Docker-compatible socket served by podman. Whoever can open that socket
  # can run containers on the host; NOTE(review): confirm which group NixOS
  # grants access to here.
  virtualisation.podman = {
    dockerSocket.enable = true;
    autoPrune.enable = true;
  };

  environment.systemPackages = with pkgs; [
    # docker client only
    (docker_27.override { clientOnly = true; })
    officemode
    roadmode
    # obsidian # electron is eol...
    discord
    virt-manager
    catt
    go-org-readwise
    aerc # move it on its own
  ];

  # -- Services --------------------------------------------------------------
  location.provider = "geoclue2";

  services = {
    geoclue2.enable = true;
    # clight = {
    #   enable = true;
    # };
    envfs.enable = false;
    # automatic login is "safe" as we ask for the encryption passphrase anyway..
    # NOTE(review): that passphrase gates cold boot and hibernate resume, not
    # suspend-to-RAM; a screen locker is presumably provided by the sway module.
    getty.autologinUser = "vincent";
    wireguard = {
      enable = true;
      ips = [ "${hostMeta.wireguard.addrs.v4}/24" ];
      endpoint = endpointIP;
      inherit endpointPort endpointPublicKey;
    };
  };

}