wakasu.nix
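{ config, lib, pkgs, ... }:

with lib;
let
  hostname = "wakasu";

  # Machine secrets are optional: when ../../secrets/machines.nix is absent
  # (a checkout without the secrets tree) the wireguard endpoint settings
  # degrade to "" / port 0 instead of failing evaluation.
  secretPath = ../../secrets/machines.nix;
  secretCondition = builtins.pathExists secretPath;

  endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
  endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
  endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;

  # Host inventory (wireguard addresses etc.) shared across machines.
  metadata = importTOML ../../ops/hosts.toml;

  # Scripts
  # Battery charge thresholds written to the ThinkPad sysfs interface.
  # Both scripts are fixed-content store paths, which is what allows the
  # sudo rule below to pin them exactly rather than by name.
  officemode = pkgs.writeShellScriptBin "officemode" ''
    echo "80" > /sys/class/power_supply/BAT0/charge_control_end_threshold
    echo "70" > /sys/class/power_supply/BAT0/charge_control_start_threshold
  '';
  roadmode = pkgs.writeShellScriptBin "roadmode" ''
    echo "100" > /sys/class/power_supply/BAT0/charge_control_end_threshold
    echo "99" > /sys/class/power_supply/BAT0/charge_control_start_threshold
  '';
in
{
  imports = [
    ../hardware/thinkpad-x1g9.nix
    ../../users/vincent
    ../../users/root
  ];

  fileSystems."/" = {
    device = "/dev/mapper/root";
    # uuid: 637ee2a5-638d-46cd-8845-3cc0fa8551bd
    fsType = "ext4";
    options = [ "noatime" "discard" ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/7D17-F310";
    fsType = "vfat";
  };

  swapDevices = [{ device = "/dev/disk/by-uuid/ab056cfc-fb17-4db7-a393-f93726cc2987"; }];

  networking = {
    hostName = hostname;
    # NOTE(review): a 2000-port inbound range is open on every interface;
    # the service that needs it is not recorded here — TODO document it and
    # consider restricting to the wireguard interface if that is sufficient.
    firewall.allowedTCPPortRanges = [
      { from = 45000; to = 47000; }
    ];
  };

  boot = {
    initrd = {
      luks.devices = {
        root = {
          device = "/dev/disk/by-uuid/c0cac87c-53ec-4262-9ab2-a3ee8331c75a";
          #device = "/dev/nvme0n1p1";
          preLVM = true;
          allowDiscards = true;
          # Key material is read from a raw offset on a USB stick; when the
          # stick is present the volume unlocks without any passphrase prompt.
          keyFile = "/dev/disk/by-id/usb-_USB_DISK_2.0_070D375D84327E87-0:0";
          keyFileOffset = 30992883712;
          keyFileSize = 4096;
          # Without the stick, fall back to the interactive passphrase.
          fallbackToPassword = lib.mkForce true;
        };
      };
    };
    kernelPackages = pkgs.linuxPackages_latest;
  };

  hardware.sensor.iio.enable = true;
  hardware.sane = {
    enable = true;
    extraBackends = [ pkgs.sane-airscan ];
  };
  services.printing.enable = true;
  services.printing.drivers = [
    pkgs.gutenprint
    pkgs.gutenprintBin
    pkgs.canon-capt
    # pkgs.canon-cups-ufr2 # Doesn't compile today…
    # pkgs.cups-bjnp # Doesn't compile today
    pkgs.carps-cups
    pkgs.cnijfilter2
  ];
  services.udev.packages = [ pkgs.sane-airscan ];
  # udev only accepts ASCII double quotes; the Flipper rules below previously
  # used typographic quotes and the stm32_dfu SYMLINK was missing its closing
  # quote, so those rules were never applied.
  services.udev.extraRules = ''
    KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="wheel"
    KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="wheel"
    # STM32 rules for the Moonlander and Planck EZ
    # All zsa keyboards
    SUBSYSTEM=="usb", ATTR{idVendor}=="3297", GROUP="wheel"
    # zsa moonlander
    SUBSYSTEM=="usb", ATTR{idVendor}=="3297", ATTR{idProduct}=="1969", GROUP="wheel"
    # NOTE(review): MODE:="0666" makes the DFU interfaces writable by every
    # local user; the Flipper rules below use TAG+="uaccess" with GROUP="wheel",
    # which would scope these two the same way.
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="3297", MODE:="0666", SYMLINK+="ignition_dfu"

    # Suspend the system when battery level drops to 5% or lower
    SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"

    #Flipper Zero serial port
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5740", ATTRS{manufacturer}=="Flipper Devices Inc.", TAG+="uaccess", GROUP="wheel"
    #Flipper Zero DFU
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", ATTRS{manufacturer}=="STMicroelectronics", TAG+="uaccess", GROUP="wheel"
  '';

  security.sudo.extraRules = [
    # Allow execution of roadmode and officemode by users in wheel, without a password
    # The commands are full store paths, so the rule matches only these exact
    # scripts and not any other binary that happens to share the name.
    {
      groups = [ "wheel" ];
      commands = [
        { command = "${officemode}/bin/officemode"; options = [ "NOPASSWD" ]; }
        { command = "${roadmode}/bin/roadmode"; options = [ "NOPASSWD" ]; }
      ];
    }
  ];

  modules = {
    core.binfmt.enable = true;
    editors.emacs.enable = true;
    editors.neovim.enable = true;
    hardware = {
      yubikey = { enable = true; u2f = true; };
      laptop.enable = true;
      bluetooth.enable = true;
    };
    desktop = {
      wayland.sway.enable = true;
      # wayland.hyprland.enable = true;
    };
    dev = {
      enable = true;
      containers = {
        enable = true;
        # docker.enable = true;
        podman.enable = true;
      };
    };
    profiles = {
      work.redhat = true;
    };
    services = {
      syncthing = {
        enable = true;
        # GUI is bound to the wireguard address only, not to 0.0.0.0.
        guiAddress = "${metadata.hosts.wakasu.wireguard.addrs.v4}:8384";
      };
      ssh.enable = true;
    };
    virtualisation.libvirt = { enable = true; nested = true; };
  };

  # TODO Migrate to modules
  modules.profiles.home = true;
  virtualisation.podman.dockerSocket.enable = true;
  virtualisation.podman.autoPrune.enable = true;
  environment.systemPackages = with pkgs; [
    # docker client only
    (docker_27.override { clientOnly = true; })
    officemode
    roadmode
    discord
    virt-manager
    catt
    go-org-readwise
    age-plugin-tpm
    keymapp
    kontroll
  ];

  location.provider = "geoclue2";
  security = {
    tpm2 = {
      enable = true;
      pkcs11.enable = true;
    };
  };
  services = {
    ollama.enable = true;
    dictd = {
      enable = true;
      DBs = with pkgs.dictdDBs; [ wiktionary wordnet fra2eng eng2fra ];
    };
    locate = {
      enable = true;
      pruneBindMounts = true;
    };
    geoclue2.enable = true;
    # clight = {
    #   enable = true;
    # };
    # envfs.enable = false;
    # automatic login is "safe" as we ask for the encryption passphrase anyway..
    # NOTE(review): with the USB keyFile configured above the passphrase is
    # only asked when the stick is absent, so at boot with the stick plugged
    # in the console session opens with no credential at all; possession of
    # the stick is the effective gate.
    getty.autologinUser = "vincent";
    wireguard = {
      enable = true;
      ips = [ "${metadata.hosts.wakasu.wireguard.addrs.v4}/24" ];
      endpoint = endpointIP;
      endpointPort = endpointPort;
      endpointPublicKey = endpointPublicKey;
    };
  };

}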