
My NixOS systems configurations.

wakasu.nix (4897B)


      1 { config, lib, pkgs, ... }:
      2 
      3 with lib;
      4 let
      5   hostname = "wakasu";
      6   secretPath = ../../secrets/machines.nix;
      7   secretCondition = (builtins.pathExists secretPath);
      8 
      9   endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
     10   endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
     11   endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
     12 
     13   getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs;
     14   metadata = importTOML ../../ops/hosts.toml;
     15 
     16   # Scripts
     17   officemode = pkgs.writeShellScriptBin "officemode" ''
     18     echo "80" > /sys/class/power_supply/BAT0/charge_control_end_threshold
     19     echo "70" > /sys/class/power_supply/BAT0/charge_control_start_threshold
     20   '';
     21   roadmode = pkgs.writeShellScriptBin "roadmode" ''
     22     echo "100" > /sys/class/power_supply/BAT0/charge_control_end_threshold
     23     echo "99" > /sys/class/power_supply/BAT0/charge_control_start_threshold
     24   '';
     25 in
     26 {
     27   imports = [
     28     ../hardware/thinkpad-x1g9.nix
     29     ../../users/vincent
     30     ../../users/root
     31   ];
     32 
     33   fileSystems."/" = {
     34     device = "/dev/mapper/root";
     35     # uuid: 637ee2a5-638d-46cd-8845-3cc0fa8551bd
     36     fsType = "ext4";
     37     options = [ "noatime" "discard" ];
     38   };
     39 
     40   fileSystems."/boot" = {
     41     device = "/dev/disk/by-uuid/7D17-F310";
     42     fsType = "vfat";
     43   };
     44 
     45   swapDevices = [{ device = "/dev/disk/by-uuid/ab056cfc-fb17-4db7-a393-f93726cc2987"; }];
     46 
     47   networking = {
     48     hostName = hostname;
     49     firewall.allowedTCPPortRanges = [
     50       { from = 45000; to = 47000; }
     51     ];
     52   };
     53 
     54   boot = {
     55     initrd = {
     56       luks.devices = {
     57 	root = {
     58 	  device = "/dev/disk/by-uuid/c0cac87c-53ec-4262-9ab2-a3ee8331c75a";
     59 	  #device = "/dev/nvme0n1p1";
     60 	  preLVM = true;
     61 	  allowDiscards = true;
     62 	  keyFile = "/dev/disk/by-id/usb-_USB_DISK_2.0_070D375D84327E87-0:0";
     63 	  keyFileOffset = 30992883712;
     64 	  keyFileSize = 4096;
     65 	  fallbackToPassword = lib.mkForce true;
     66 	};
     67       };
     68     };
     69     kernelPackages = pkgs.linuxPackages_latest;
     70   };
     71 
     72   hardware.sensor.iio.enable = true;
     73   hardware.sane = {
     74     enable = true;
     75     extraBackends = [ pkgs.sane-airscan ];
     76   };
     77   services.printing.enable = true;
     78   services.printing.drivers = [
     79     pkgs.gutenprint
     80     pkgs.gutenprintBin
     81     pkgs.canon-capt
     82     pkgs.canon-cups-ufr2
     83     pkgs.cups-bjnp
     84     pkgs.carps-cups
     85     pkgs.cnijfilter2
     86   ];
     87   services.udev.packages = [ pkgs.sane-airscan ];
     88   services.udev.extraRules = ''
     89     # STM32 rules for the Moonlander and Planck EZ
     90     SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
     91         MODE:="0666", \
     92         SYMLINK+="stm32_dfu"
     93 
     94     # Suspend the system when battery level drops to 5% or lower
     95     SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
     96   '';
     97 
     98   security.sudo.extraRules = [
     99     # Allow execution of roadmode and officemode by users in wheel, without a password
    100     {
    101       groups = [ "wheel" ];
    102       commands = [
    103         { command = "${officemode}/bin/officemode"; options = [ "NOPASSWD" ]; }
    104         { command = "${roadmode}/bin/roadmode"; options = [ "NOPASSWD" ]; }
    105       ];
    106     }
    107   ];
    108 
    109   modules = {
    110     core.binfmt.enable = true;
    111     editors.emacs.enable = true;
    112     hardware = {
    113       yubikey = { enable = true; u2f = true; };
    114       laptop.enable = true;
    115       bluetooth.enable = true;
    116     };
    117     desktop = {
    118       wayland.sway.enable = true;
    119       # wayland.hyprland.enable = true;
    120     };
    121     dev = {
    122       enable = true;
    123       containers = {
    124         enable = true;
    125         # docker.enable = true;
    126         podman.enable = true;
    127       };
    128     };
    129     profiles = {
    130       work.redhat = true;
    131     };
    132     services = {
    133       syncthing = {
    134         enable = true;
    135         guiAddress = "${metadata.hosts.wakasu.wireguard.addrs.v4}:8384";
    136       };
    137       ssh.enable = true;
    138     };
    139     virtualisation.libvirt = { enable = true; nested = true; };
    140   };
    141 
    142   # TODO Migrate to modules
    143   modules.profiles.home = true;
    144   virtualisation.podman.dockerSocket.enable = true;
    145   virtualisation.podman.autoPrune.enable = true;
    146   environment.systemPackages = with pkgs; [
    147     # docker client only
    148     (docker_27.override { clientOnly = true; })
    149     officemode
    150     roadmode
    151     # obsidian # electron is eol...
    152     discord
    153     virt-manager
    154     catt
    155     go-org-readwise
    156     aerc # move it on its own
    157   ];
    158 
    159   location.provider = "geoclue2";
    160   services = {
    161     geoclue2.enable = true;
    162     # clight = {
    163     #   enable = true;
    164     # };
    165     envfs.enable = false;
    166     # automatic login is "safe" as we ask for the encryption passphrase anyway..
    167     getty.autologinUser = "vincent";
    168     wireguard = {
    169       enable = true;
    170       ips = [ "${metadata.hosts.wakasu.wireguard.addrs.v4}/24" ];
    171       endpoint = endpointIP;
    172       endpointPort = endpointPort;
    173       endpointPublicKey = endpointPublicKey;
    174     };
    175   };
    176 
    177 }