Merge branch 'flake'

Filippo Berto 2022-06-29 11:43:15 +02:00
commit 9bee3309cf
131 changed files with 2613 additions and 1839 deletions


@ -1,254 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
<nixos-hardware/common/cpu/intel>
<nixos-hardware/common/pc/laptop>
<nixos-hardware/common/pc/laptop/ssd>
/etc/nixos/hardware-configuration.nix
# ./laptop.nix
# ./pentablet.nix
./pro_audio.nix
# ./defcon.nix
# ./mind.nix
# ./k3s.nix
./big_data.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.checkJournalingFS = true;
boot.kernelPackages = pkgs.linuxKernel.packages.linux_5_16;
boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
# # Cross-build arm
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
# Use same ACPI identifier as Dell Ubuntu
boot.kernelParams = [
"acpi_osi=Linux-Dell-Video"
];
networking = {
hostName = "odin";
networkmanager.enable = true;
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
useDHCP = false;
interfaces = { enp60s0.useDHCP = true; wlp0s20f3.useDHCP = true; };
# Configure network proxy if necessary
# proxy.default = "http://user:password@proxy:port/";
# proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Open ports in the firewall.
# firewall.allowedTCPPorts = [ ... ];
# firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# firewall.enable = false;
hosts = {
"*.engine.sesar.int" = [ "172.20.28.210" ];
"vcenter.sesar.int" = [ "159.149.147.137" ];
};
};
# Set your time zone.
time.timeZone = "Europe/Rome";
# Select internationalisation properties.
i18n.defaultLocale = "it_IT.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "it";
};
# X11 windowing system.
services.xserver = {
enable = true;
# Enable the GNOME 3 Desktop Environment.
# displayManager.gdm = {
# enable = true;
# wayland = true;
# nvidiaWayland = true;
# };
desktopManager.gnome.enable = true;
# windowManager.bspwm.enable = true;
# Configure keymap in X11
layout = "it";
extraLayouts = {
eng = { languages = [ "eng" ]; description = "English layout for external keyboard"; };
};
xkbOptions = "eurosign:e;";
libinput.enable = true;
};
# Enable CUPS to print documents.
services.printing = {
enable = true;
drivers = with pkgs; [ gutenprint cups-kyocera ];
};
services.fwupd.enable = true;
# Enable sound.
# PULSE
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# PIPEWIRE
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
pulse.enable = true;
jack.enable = true;
alsa = { enable = true; support32Bit = true; };
# media-session.enable = true;
};
environment.sessionVariables.LD_LIBRARY_PATH = lib.mkForce "${config.services.pipewire.package.jack}/lib"; # Temporary fix for WebKitGTK
# # Tablet
# hardware.opentabletdriver = {
# enable = true;
# daemon.enable = true;
# };
# Define a user account. Don't forget to set a password with passwd.
users.users.bertof = {
isNormalUser = true;
extraGroups = [ "audio" "input" "docker" "flashrom" "libvirtd" "network" "usb" "video" "wheel" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+zsSWZFFzQKnATCAvtG+iuSm4qkZHjCtHzGa9B/71W" ];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [ tmux firefox kakoune vim ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.flashrom.enable = true;
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
programs.steam.enable = true;
programs.dconf.enable = true;
programs.zsh = { enable = true; syntaxHighlighting.enable = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh = { enable = true; openFirewall = true; permitRootLogin = "no"; passwordAuthentication = false; };
# Cooling management
services.thermald.enable = true;
services.snapper = {
configs =
let
bertofExtraConfig = ''
ALLOW_USERS="bertof"
TIMELINE_CREATE=yes
TIMELINE_CLEANUP=yes
'';
common = { extraConfig = bertofExtraConfig; };
in
{
bertof_home = common // { subvolume = "/home/bertof"; };
bertof_music = common // { subvolume = "/home/bertof/Musica"; };
bertof_downloads = common // { subvolume = "/home/bertof/Scaricati"; };
bertof_images = common // { subvolume = "/home/bertof/Immagini"; };
bertof_videos = common // { subvolume = "/home/bertof/Video"; };
bertof_documents = common // { subvolume = "/home/bertof/Documenti"; };
bertof_games_ssd = common // { subvolume = "/home/bertof/Giochi/SSD"; };
# bertof_games_hdd = common // { subvolume = "/home/bertof/Giochi/HDD"; };
bertof_git = common // { subvolume = "/home/bertof/Documenti/Git"; };
};
};
services.dbus.packages = with pkgs; [ dconf ];
services.gnome.gnome-keyring.enable = true;
hardware.bluetooth.enable = true;
# services.blueman.enable = true;
services.zerotierone = { enable = true; joinNetworks = [ "8056c2e21cf9c753" ]; };
services.gvfs = { enable = true; package = lib.mkForce pkgs.gnome3.gvfs; };
# services.tlp.enable = false;
services.avahi = {
enable = true;
openFirewall = true;
nssmdns = true;
publish = {
enable = true;
addresses = true;
domain = true;
userServices = true;
workstation = true;
};
extraServiceFiles = {
ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
};
};
# SMART
services.smartd = { enable = true; notifications.x11.enable = true; };
# FPRINTD
# services.fprintd = {
# enable = true;
# tod = { enable = true; driver = pkgs.libfprint-2-tod1-goodix; };
# };
security.pam.services.login.fprintAuth = true;
security.pam.services.xscreensaver.fprintAuth = true;
# Clamav
services.clamav = { daemon.enable = true; updater.enable = true; };
# Power-profiles
services.power-profiles-daemon.enable = true;
# services.teamviewer.enable = true;
# Virtualisation
virtualisation = {
docker.enable = true;
kvmgt.enable = true;
libvirtd.enable = true;
podman.enable = true;
virtualbox.host.enable = true;
};
# Allow completion for system packages
environment.pathsToLink = [ "/share/zsh" ];
security.sudo.extraConfig = ''
Defaults pwfeedback
'';
security.pam.services.sddm.enableGnomeKeyring = true;
nixpkgs.config = {
allowUnfree = true;
packageOverrides = pkgs: {
steam = pkgs.steam.override {
extraPkgs = pkgs: with pkgs; [ icu ];
};
};
};
nix = {
package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes)
"experimental-features = nix-command flakes";
gc.automatic = true;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}


@ -1,276 +0,0 @@
{ config, lib, pkgs, ... }:
let
setup_scirpt = ''
sudo mkdir -p /hdfs
sudo chown -R hdfs:hadoop /hdfs
for p in {nn,dn,jn,rm,nm,jhs,HTTP}; do
sudo kadmin.local -q "ank -randkey $p/my.engine";
sudo kadmin.local -q "xst -k /etc/hadoop.keytab $p/my.engine";
sudo kadmin.local -q "ktrem -k /etc/hadoop.keytab $p/my.engine old"
done
sudo chown hdfs:hadoop /etc/hadoop.keytab
sudo kadmin.local -q "ank -randkey spark/my.engine";
sudo kadmin.local -q "xst -k /etc/spark.keytab spark/my.engine";
sudo kadmin.local -q "ktrem -k /etc/spark.keytab spark/my.engine old"
sudo chown spark:spark /etc/spark.keytab
'';
hadoop_keytab_path = "/etc/hadoop.keytab";
spark_keytab_path = "/etc/spark.keytab";
pysparkPackageSelector = p: with p; [ numpy pyspark ];
pysparkEnv = pkgs.python3.withPackages pysparkPackageSelector;
hadoopConf = import <nixos/nixos/modules/services/cluster/hadoop/conf.nix> {
inherit pkgs lib;
cfg = config.services.hadoop;
};
hadoopConfDir = "${hadoopConf}/";
spark = pkgs.spark.override {
extraPythonPackages = pysparkPackageSelector pkgs.python3.pkgs;
};
sparkConfDir = pkgs.stdenv.mkDerivation {
name = "spark-conf";
dontUnpack = true;
installPhase = ''
# source standard environment
. $stdenv/setup
# shorthands
base_conf=${pkgs.spark}/lib/${pkgs.spark.untarDir}/conf/
# create output dirs for new derivation
mkdir -p $out/
# link unchanged files from the original gnome-session
for f in $base_conf/*.template ; do
ln -sf $f $out/
done
# change selected files
cp $out/log4j.properties{.template,}
cat > $out/spark-env.sh <<- STOP
export JAVA_HOME="${pkgs.jdk8}"
export SPARK_HOME="${pkgs.spark}/lib/${pkgs.spark.untarDir}"
export SPARK_DIST_CLASSPATH=$(${pkgs.hadoop}/bin/hadoop classpath)
export PYSPARK_PYTHON="${pysparkEnv.outPath}/bin/${pysparkEnv.executable}"
export PYSPARK_DRIVER_PYTHON="${pysparkEnv.outPath}/bin/${pysparkEnv.executable}"
export PYTHONPATH="\$PYTHONPATH:$PYTHONPATH"
export HADOOP_CONF_DIR="${hadoopConfDir}"
export SPARKR_R_SHELL="${pkgs.R}/bin/R"
export PATH="\$PATH:${pkgs.R}/bin"
STOP
cat > $out/spark-defaults.conf <<- STOP
spark.eventLog.enabled true
spark.eventLog.dir hdfs://localhost:/logs/spark
spark.history.fs.logDirectory hdfs://localhost:/logs/spark
# spark.yarn.keytab ${spark_keytab_path}
# spark.yarn.principal spark/my.engine@MY.ENGINE
spark.history.ui.acls.enable true
spark.history.kerberos.enabled true
spark.history.kerberos.keytab ${spark_keytab_path}
spark.history.kerberos.principal spark/my.engine@MY.ENGINE
spark.yarn.appMasterEnv.PYSPARK_PYTHON ${pysparkEnv.outPath}/bin/${pysparkEnv.executable}
spark.yarn.appMasterEnv.PYTHONPATH ${pysparkEnv.outPath}/lib/${pysparkEnv.executable}/site-packages
spark.executorEnv.PYSPARK_PYTHON ${pysparkEnv.outPath}/bin/${pysparkEnv.executable}
STOP
'';
};
in
{
networking = {
hosts = {
"127.0.0.1" = [
"ds.my.engine"
"kdc.my.engine"
"my.engine"
];
};
};
services = {
spark = {
package = spark;
master = { enable = true; restartIfChanged = true; };
worker = { enable = true; restartIfChanged = true; };
confDir = sparkConfDir;
};
hadoop = {
coreSite = {
"fs.defaultFS" = "hdfs://my.engine:8020";
# HDFS IMPERSONATION
"hadoop.proxyuser.hdfs.hosts" = "*";
"hadoop.proxyuser.hdfs.groups" = "*";
# HIVE IMPERSONATION
"hadoop.proxyuser.hive.hosts" = "*";
"hadoop.proxyuser.hive.groups" = "*";
# ENABLE AUTHENTICATION
"hadoop.security.authentication" = "kerberos";
"hadoop.security.authorization" = "true";
"hadoop.rpc.protection" = "privacy";
"hadoop.security.auth_to_local" = ''
RULE:[2:$1/$2@$0]([ndj]n/.*@MY\.ENGINE)s/.*/hdfs/
RULE:[2:$1/$2@$0]([rn]m/.*@MY\.ENGINE)s/.*/yarn/
RULE:[2:$1/$2@$0](jhs/.*@MY\.ENGINE)s/.*/mapred/
DEFAULT
'';
};
hdfsSite = {
# DATA
"dfs.namenode.name.dir" = "/hdfs/dfs/name";
"dfs.datanode.data.dir" = "/hdfs/dfs/data";
"dfs.journalnode.edits.dir" = "/hdfs/dfs/edits";
# HDFS SECURITY
"dfs.block.access.token.enable" = "true";
# NAME NODE SECURITY
"dfs.namenode.keytab.file" = hadoop_keytab_path;
"dfs.namenode.kerberos.principal" = "nn/my.engine@MY.ENGINE";
"dfs.namenode.kerberos.internal.spnego.principal" = "HTTP/my.engine@MY.ENGINE";
# SECONDARY NAME NODE SECURITY
"dfs.secondary.namenode.keytab.file" = hadoop_keytab_path;
"dfs.secondary.namenode.kerberos.principal" = "nn/my.engine@MY.ENGINE";
"dfs.secondary.namenode.kerberos.internal.spnego.principal" = "HTTP/my.engine@MY.ENGINE";
# DATA NODE SECURITY
"dfs.datanode.keytab.file" = hadoop_keytab_path;
"dfs.datanode.kerberos.principal" = "dn/my.engine@MY.ENGINE";
# JOURNAL NODE SECURITY
"dfs.journalnode.keytab.file" = hadoop_keytab_path;
"dfs.journalnode.kerberos.principal" = "jn/my.engine@MY.ENGINE";
# WEBHDFS SECURITY
"dfs.webhdfs.enabled" = "true";
# WEB AUTHENTICATION CONFIG
"dfs.web.authentication.kerberos.principal" = "HTTP/my.engine@MY.ENGINE";
"dfs.web.authentication.kerberos.keytab" = hadoop_keytab_path;
"ignore.secure.ports.for.testing" = "true";
"dfs.http.policy" = "HTTP_ONLY";
"dfs.data.transfer.protection" = "privacy";
# ## MULTIHOMED
# "dfs.namenode.rpc-bind-host" = "0.0.0.0";
# "dfs.namenode.servicerpc-bind-host" = "0.0.0.0";
# "dfs.namenode.http-bind-host" = "0.0.0.0";
# "dfs.namenode.https-bind-host" = "0.0.0.0";
# "dfs.client.use.datanode.hostname" = "true"; # force connection by hostname
# "dfs.datanode.use.datanode.hostname" = "true"; # force connection by hostname
};
yarnSite = {
"yarn.nodemanager.admin-env" = "PATH=$PATH";
"yarn.nodemanager.aux-services" = "mapreduce_shuffle";
"yarn.nodemanager.aux-services.mapreduce_shuffle.class" = "org.apache.hadoop.mapred.ShuffleHandler";
"yarn.nodemanager.bind-host" = "0.0.0.0";
"yarn.nodemanager.container-executor.class" = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor";
"yarn.nodemanager.env-whitelist" = "JAVA_HOME,HADOOP_COMMON_HOME,HADOOP_HDFS_HOME,HADOOP_CONF_DIR,CLASSPATH_PREPEND_DISTCACHE,HADOOP_YARN_HOME,HADOOP_HOME,LANG,TZ";
"yarn.nodemanager.linux-container-executor.group" = "hadoop";
"yarn.nodemanager.linux-container-executor.path" = "/run/wrappers/yarn-nodemanager/bin/container-executor";
"yarn.nodemanager.log-dirs" = "/var/log/hadoop/yarn/nodemanager";
"yarn.resourcemanager.bind-host" = "0.0.0.0";
"yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler";
"yarn.resourcemanager.keytab" = hadoop_keytab_path;
"yarn.resourcemanager.principal" = "rm/my.engine@MY.ENGINE";
"yarn.nodemanager.keytab" = hadoop_keytab_path;
"yarn.nodemanager.principal" = "nm/my.engine@MY.ENGINE";
# "yarn.nodemanager.container-executor.class" = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor";
"yarn.scheduler.capacity.root.queues" = "default";
"yarn.scheduler.capacity.root.default.capacity" = 100;
# "yarn.scheduler.capacity.root.default.state" = "RUNNING";
"yarn.scheduler.capacity.root.acl_submit_applications" = "hadoop,yarn,mapred,hdfs";
};
extraConfDirs = [ ];
hdfs = {
namenode = { enable = true; formatOnInit = true; restartIfChanged = true; };
datanode = { enable = true; restartIfChanged = true; };
journalnode = { enable = true; restartIfChanged = true; };
zkfc = { enable = false; restartIfChanged = true; }; # ZOOKEEPER DISABLED, not using High Availability setup
httpfs = { enable = true; restartIfChanged = true; };
};
yarn = {
resourcemanager = { enable = true; restartIfChanged = true; };
nodemanager = { enable = true; restartIfChanged = true; };
};
};
kerberos_server = {
enable = true;
realms."MY.ENGINE".acl = [
{ principal = "*/admin"; access = "all"; }
{ principal = "*/my.engine"; access = "all"; }
];
};
};
krb5 = {
enable = true;
realms = {
"MY.ENGINE" = {
admin_server = "kdc.my.engine";
kdc = "kdc.my.engine";
# default_domain = "my.engine";
# kpasswd_server = "odin";
};
};
domain_realm = {
# ".my.engine" = "MY.ENGINE";
"my.engine" = "MY.ENGINE";
};
libdefaults = {
default_realm = "MY.ENGINE";
dns_lookup_realm = true;
dns_lookup_kdc = true;
ticket_lifetime = "24h";
renew_lifetime = "7d";
forwardable = true;
};
extraConfig = ''
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
'';
};
users.users.bertof.extraGroups = [ "hadoop" ];
systemd.services.spark-history = {
path = with pkgs; [ procps openssh nettools ];
description = "spark history service.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
environment = {
SPARK_CONF_DIR = sparkConfDir;
SPARK_LOG_DIR = "/var/log/spark";
};
serviceConfig = {
Type = "forking";
User = "spark";
Group = "spark";
WorkingDirectory = "${pkgs.spark}/lib/${pkgs.spark.untarDir}";
ExecStart = "${pkgs.spark}/lib/${pkgs.spark.untarDir}/sbin/start-history-server.sh";
ExecStop = "${pkgs.spark}/lib/${pkgs.spark.untarDir}/sbin/stop-history-server.sh";
TimeoutSec = 300;
StartLimitBurst = 10;
Restart = "always";
};
};
}


@ -1,13 +0,0 @@
{ ... }:
{
networking.hosts = {
"54.176.11.243" = [ "vpn.mhackeroni.it" ];
"10.100.0.50" = [ "master.cb.cloud.mhackeroni.it" "bartender.cb.cloud.mhackeroni.it" "grafana.cb.cloud.mhackeroni.it" "menu.cb.cloud.mhackeroni.it" "maitre.cb.cloud.mhackeroni.it" "accountant.cb.cloud.mhackeroni.it" ];
"10.100.0.150" = [ "flowgui.cloud.mhackeroni.it" "smb.cloud.mhackeroni.it" ];
"10.100.0.200" = [ "tunniceddu.cloud.mhackeroni.it" ];
"10.100.0.250" = [ "rev.cloud.mhackeroni.it" ];
"10.100.0.66" = [ "attackerbackup.cloud.mhackeroni.it" ];
"192.168.128.1" = [ "smb.hotel.mhackeroni.it" "rev.hotel.mhackeroni.it" ];
};
}


@ -1,5 +0,0 @@
{
services.k3s = {
enable = true;
};
}


@ -1,27 +0,0 @@
{ config, lib, ... }:
{
# SSD swappines
boot.kernel.sysctl = {
"vm.swappiness" = lib.mkDefault 1;
};
# Atheros WiFi module
boot.blacklistedKernelModules = lib.optionals (!config.hardware.enableRedistributableFirmware) [
"ath3k"
];
# ACPI support
boot = {
kernelModules = [ "acpi_call" ];
extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
};
# Touchpad support
services.xserver.libinput.enable = lib.mkDefault true;
# SSD trim service
services.fstrim.enable = lib.mkDefault true;
# Hard disk protection if the laptop falls:
services.hdapsd.enable = lib.mkDefault true;
}


@ -1,327 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
/etc/nixos/hardware-configuration.nix
];
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
networking = {
hostName = "loki";
networkmanager.enable = true;
useDHCP = false;
interfaces = { eno1.useDHCP = true; wlp7s0.useDHCP = true; };
};
time.timeZone = "Europe/Rome";
i18n.defaultLocale = "it_IT.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "it";
};
services.xserver = {
enable = true;
videoDrivers = [ "nvidia" ];
layout = "it";
xkbOptions = "eurosign:e;";
libinput.enable = true;
};
hardware = {
nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
nvidia.prime = {
offload.enable = false;
sync.enable = true;
intelBusId = "PCI:0:2:0";
nvidiaBusId = "PCI:1:0:0";
};
opengl = {
enable = true;
extraPackages = with pkgs; [ intel-media-driver libvdpau-va-gl vaapiIntel vaapiVdpau ];
};
bluetooth.enable = true;
};
users.users = {
bertof = {
isNormalUser = true;
extraGroups = [ "audio" "input" "docker" "libvirtd" "network" "usb" "video" "wheel" ];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+zsSWZFFzQKnATCAvtG+iuSm4qkZHjCtHzGa9B/71W" ];
shell = pkgs.zsh;
};
tiziano = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMExwtJFk6HjySrTZwJH67SOHC3hlL28NO4oe2GXsv6k" ];
};
};
programs = {
gnupg.agent = { enable = true; enableSSHSupport = true; };
zsh = { enable = true; syntaxHighlighting.enable = true; };
};
environment.pathsToLink = [ "/share/zsh" ];
services = {
avahi = {
enable = true;
openFirewall = true;
nssmdns = true;
publish = {
enable = true;
addresses = true;
domain = true;
userServices = true;
workstation = true;
};
extraServiceFiles = {
ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
smb = ''<?xml version="1.0" standalone='no'?><!--*-nxml-*--><!DOCTYPE service-group SYSTEM "avahi-service.dtd"><service-group><name replace-wildcards="yes">%h</name><service><type>_smb._tcp</type><port>445</port></service></service-group>'';
};
};
bazarr = {
enable = true;
openFirewall = true;
group = "users";
};
blueman.enable = true;
dbus.packages = with pkgs; [ gnome.dconf ];
fail2ban = { enable = true; bantime-increment.enable = true; };
gnome.gnome-keyring.enable = true;
gvfs = { enable = true; package = lib.mkForce pkgs.gnome3.gvfs; };
jackett = {
enable = true;
openFirewall = true;
group = "users";
};
logind.lidSwitch = "ignore";
node-red = {
enable = true;
openFirewall = true;
withNpmAndGcc = true;
};
openssh = { enable = true; openFirewall = true; permitRootLogin = "no"; passwordAuthentication = false; };
plex = { enable = true; openFirewall = true; group = "users"; };
power-profiles-daemon.enable = true;
radarr = {
enable = true;
openFirewall = true;
group = "users";
};
samba-wsdd = {
enable = true;
discovery = true;
};
samba = {
enable = true;
enableNmbd = true;
enableWinbindd = true;
nsswins = true;
extraConfig = ''
workgroup = WORKGROUP
load printers = no
smb encrypt = required
'';
shares = let common = {
"public" = "no";
"writeable" = "yes";
"create mask" = "0700";
"directory mask" = "2700";
"browseable" = "yes";
"guest ok" = "no";
"read only" = "no";
"force group" = "users";
}; in
{
bertof = common // {
path = "/mnt/raid/bertof";
comment = "Bertof samba share";
"force user" = "bertof";
"valid users" = "bertof";
};
tiziano = common // {
path = "/mnt/raid/tiziano";
comment = "Tiziano samba share";
"force user" = "tiziano";
"valid users" = "tiziano";
};
condiviso = common // {
path = "/mnt/raid/condiviso";
comment = "Samba share condiviso";
"valid users" = "bertof tiziano";
"create mask" = "0770";
"directory mask" = "2770";
"force create mode" = "0660";
"force directory mode" = "2770";
};
bertof_safe = common // {
path = "/mnt/raid1/bertof";
comment = "Bertof samba share";
"force user" = "bertof";
"valid users" = "bertof";
};
tiziano_safe = common // {
path = "/mnt/raid1/tiziano";
comment = "Tiziano samba share";
"force user" = "tiziano";
"valid users" = "tiziano";
};
condiviso_safe = common // {
path = "/mnt/raid1/condiviso";
comment = "Samba share condiviso";
"valid users" = "bertof tiziano";
"create mask" = "0770";
"directory mask" = "2770";
"force create mode" = "0660";
"force directory mode" = "2770";
};
};
};
smartd = { enable = true; notifications.x11.enable = true; };
sonarr = {
enable = true;
openFirewall = true;
group = "users";
};
thermald.enable = true;
transmission = {
enable = true;
openFirewall = true;
group = "users";
settings = {
download-dir = "/mnt/raid/condiviso/Scaricati/Torrent";
incomplete-dir = "/mnt/raid/condiviso/Scaricati/Torrent/.incomplete";
};
};
zerotierone = { enable = true; joinNetworks = [ "8056c2e21cf9c753" ]; };
};
# services.snapper = {
# configs =
# let
# bertofExtraConfig = ''
# ALLOW_USERS="bertof"
# TIMELINE_CREATE=yes
# TIMELINE_CLEANUP=yes
# '';
# common = { extraConfig = bertofExtraConfig; };
# in
# {
# bertof_home = common // { subvolume = "/home/bertof"; };
# };
# };
systemd.packages = with pkgs; [ syncthing ];
systemd.services = let common = {
after = [ "network.target" ];
environment = { STNORESTART = "yes"; STNOUPGRADE = "yes"; };
wantedBy = [ "default.target" ];
serviceConfig = {
Restart = "on-failure";
SuccessExitStatus = "2 3 4";
RestartForceExitStatus = "3 4";
Group = config.ids.gids.users;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
CapabilityBoundingSet = [ "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN" "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP" "~CAP_SYS_TIME" "~CAP_KILL" ];
};
}; in
{
syncthing-bertof = common // {
description = "Syncthing service bertof";
serviceConfig = { User = "bertof"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8384 -home=/mnt/raid/bertof/Syncthing/.config"; };
};
syncthing-tiziano = common // {
description = "Syncthing service tiziano";
serviceConfig = { User = "tiziano"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8385 -home=/mnt/raid/tiziano/Syncthing/.config"; };
};
};
networking.firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [
445 # SAMBA
139 # SAMBA
5357 # SAMBA-WSDD
8123 # HOME ASSISTANT
8384 # SYNCTHING
8385 # SYNCTHING
];
allowedUDPPorts = [
137 # SYNCTHING
138 # SYNCTHING
3702 # SAMBA-WSDD
];
extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
};
virtualisation = {
docker.enable = true;
kvmgt.enable = true;
libvirtd.enable = true;
podman.enable = true;
virtualbox.host.enable = true;
oci-containers.containers = {
hass = {
image = "ghcr.io/home-assistant/home-assistant:stable";
environment = {
TZ = "Europe/Rome";
};
extraOptions = [ "--privileged" "--network=host" "--pull=always" ];
ports = [ "8123:8123" ];
volumes = [
"/var/lib/hass:/config"
"/mnt/raid/condiviso:/media"
];
};
};
};
environment.systemPackages = with pkgs; [ htop kakoune vim tmux ];
security.sudo.extraConfig = ''
Defaults pwfeedback
'';
nixpkgs.config.allowUnfree = true;
nix = {
package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes)
"experimental-features = nix-command flakes";
gc.automatic = true;
};
system.autoUpgrade = {
enable = true;
allowReboot = true;
flags = [
"-I"
"nixos-config=/home/bertof/.config/nixpkgs/nixos/loki.nix"
"--upgrade"
];
};
system.stateVersion = "21.11";
}


@ -1,20 +0,0 @@
{
services.postgresql = {
enable = true;
ensureDatabases = [
"mfh"
];
ensureUsers = [
{
name = "bertof";
ensurePermissions = {
"DATABASE \"mfh\"" = "ALL PRIVILEGES";
};
}
];
};
services.apache-kafka = {
enable = true;
};
}


@ -1,37 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports = [
./base.nix
];
boot.initrd.kernelModules = [ "i915" ];
hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
hardware.opengl.enable = true;
hardware.opengl.extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
];
services.xserver = {
displayManager.gdm = {
enable = true;
wayland = true;
};
};
# This runs only Intel and nvidia does not drain power.
##### disable nvidia for a very nice battery life.
hardware.nvidiaOptimus.disable = true;
boot.blacklistedKernelModules = [ "nouveau" "nvidia" ];
services.xserver.videoDrivers = [ "intel" ];
hardware.opengl.driSupport32Bit = true;
}


@ -1,36 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
<nixos-hardware/common/cpu/amd>
<nixos-hardware/common/pc/laptop/ssd>
./base.nix
];
boot.initrd.kernelModules = [ "i915" ];
hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
services.xserver = {
videoDrivers = [ "nvidia" ];
displayManager.sddm = {
enable = true;
autoNumlock = true;
};
};
hardware.nvidia.prime = {
offload.enable = false;
sync.enable = true;
intelBusId = "PCI:0:2:0";
nvidiaBusId = "PCI:1:0:0";
};
# hardware.nvidia.modesetting.enable = true;
# hardware.nvidia.package = pkgs.linuxPackages.nvidia_x11;
hardware.opengl.driSupport32Bit = true;
}


@ -1,11 +0,0 @@
{ config, lib, pkgs, modulesPath, ...}:
{
# udev rules
services.udev.extraRules = ''
KERNEL=="uinput",MODE:="0666",OPTIONS+="static_node=uinput"
SUBSYSTEMS=="usb",ATTRS{idVendor}=="28bd",MODE:="0666"
'';
# XP-Pen tablet driver
environment.systemPackages = [ pkgs.pentablet-driver ];
}


@ -1,61 +0,0 @@
{ pkgs, lib, ... }: {
boot = {
# kernelModules = [ "snd-seq" "snd-rawmidi" ];
# kernel.sysctl = { "vm.swappiness" = 10; "fs.inotify.max_user_watches" = 524288; };
# kernelParams = [ "threadirq" ];
# kernelPatches = lib.singleton {
# name = "pro_audio";
# patch = null;
# extraConfig = ''
# PREEMPT_RT y
# PREEMPT y
# IOSCHED_DEADLINE y
# DEFAULT_DEADLINE y
# DEFAULT_IOSCHED "deadline"
# HPET_TIMER y
# CPU_FREQ n
# TREE_RCU_TRACE n
# '';
# };
# postBootCommands = ''
# echo 2048 > /sys/class/rtc/rtc0/max_user_freq
# echo 2048 > /proc/sys/dev/hpet/max-user-freq
# # setpci -v -d *:* latency_timer=b0
# # setpci -v -s $00:1b.0 latency_timer=ff
# '';
# The SOUND_CARD_PCI_ID can be obtained like so:
# $ lspci ¦ grep -i audio
};
# powerManagement.cpuFreqGovernor = "performance";
# fileSystems."/" = { options = "noatime errors=remount-ro"; };
security.pam.loginLimits = [
{ domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
{ domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
{ domain = "@audio"; item = "nofile"; type = "soft"; value = "99999"; }
{ domain = "@audio"; item = "nofile"; type = "hard"; value = "99999"; }
];
# services = {
# udev = {
# packages = [ pkgs.ffado ]; # If you have a FireWire audio interface
# extraRules = ''
# KERNEL=="rtc0", GROUP="audio"
# KERNEL=="hpet", GROUP="audio"
# '';
# };
# cron.enable = false;
# };
environment.shellInit = ''
export VST_PATH=/nix/var/nix/profiles/default/lib/vst:/var/run/current-system/sw/lib/vst:~/.vst
export LXVST_PATH=/nix/var/nix/profiles/default/lib/lxvst:/var/run/current-system/sw/lib/lxvst:~/.lxvst
export LADSPA_PATH=/nix/var/nix/profiles/default/lib/ladspa:/var/run/current-system/sw/lib/ladspa:~/.ladspa
export LV2_PATH=/nix/var/nix/profiles/default/lib/lv2:/var/run/current-system/sw/lib/lv2:~/.lv2
export DSSI_PATH=/nix/var/nix/profiles/default/lib/dssi:/var/run/current-system/sw/lib/dssi:~/.dssi
'';
}


@ -1,223 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports = [
<nixos-hardware/common/cpu/amd>
<nixos-hardware/common/pc/ssd>
/etc/nixos/hardware-configuration.nix
./pro_audio.nix
./big_data.nix
];
boot = {
binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
checkJournalingFS = true;
luks.devices = {
root = {
device = "/dev/nvme0n1p2";
preLVM = true;
allowDiscards = true;
};
};
};
};
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
environment = {
pathsToLink = [ "/share/zsh" ];
systemPackages = with pkgs; [
kakoune
tmux
vim
];
};
hardware = {
bluetooth.enable = true;
enableRedistributableFirmware = true;
pulseaudio.enable = false;
# nvidia.modesetting.enable = true;
};
i18n.defaultLocale = "it_IT.UTF-8";
programs = {
dconf.enable = true;
flashrom.enable = true;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
steam = {
enable = true;
};
zsh = {
enable = true;
syntaxHighlighting.enable = true;
};
};
networking = {
hostName = "thor"; # Define your hostname.
interfaces = {
eno1.useDHCP = true;
wlp5s0.useDHCP = true;
};
networkmanager.enable = true;
useDHCP = false;
hosts = {
"*.engine.sesar.int" = [ "172.20.28.210" ];
"vcenter.sesar.int" = [ "172.20.28.20" ];
};
};
time.timeZone = "Europe/Rome";
services = {
avahi = {
enable = true;
openFirewall = true;
nssmdns = true;
publish = {
enable = true;
addresses = true;
domain = true;
userServices = true;
workstation = true;
};
extraServiceFiles = {
ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
};
};
clamav = { daemon.enable = true; updater.enable = true; };
dbus.packages = with pkgs; [ pkgs.dconf ];
gnome.gnome-keyring.enable = true;
gvfs = { enable = true; package = pkgs.gnome3.gvfs; };
fwupd.enable = true;
openssh = { enable = true; openFirewall = true; permitRootLogin = "no"; passwordAuthentication = false; forwardX11 = true; };
pipewire = {
enable = true;
pulse.enable = true;
jack.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
media-session.enable = true;
};
power-profiles-daemon.enable = true;
smartd = { enable = true; notifications.x11.enable = true; };
snapper = {
configs =
let
common = {
extraConfig = ''
ALLOW_USERS="bertof"
TIMELINE_CREATE=yes
TIMELINE_CLEANUP=yes
'';
};
in
{
bertof_home = common // { subvolume = "/home/bertof"; };
};
};
thermald.enable = true;
xserver = {
enable = true;
desktopManager = {
# gnome.enable = true;
# cinnamon.enable = true;
plasma5 = {
enable = true;
runUsingSystemd = true;
useQtScaling = true;
};
};
# displayManager.gdm = { enable = true; nvidiaWayland = true; };
displayManager.sddm.enable = true;
layout = "us";
videoDrivers = [ "nvidia" ];
xkbOptions = "eurosign:e";
};
# gnome.gnome-remote-desktop.enable = true;
zerotierone = { enable = true; joinNetworks = [ "8056c2e21cf9c753" ]; };
ethminer = {
enable = false;
wallet = "0x73b788882e1C182123333f42FFf275B7dd7f51bb";
toolkit = "opencl";
rig = "thor";
pool = "eth-eu1.nanopool.org";
stratumPort = 9999;
registerMail = "";
};
# teamviewer.enable = true;
};
services.teamviewer.enable = true;
security = {
pam.services."kde" = {
enableKwallet = true;
};
rtkit.enable = true;
sudo.extraConfig = ''
Defaults pwfeedback
'';
};
sound.enable = false;
users.users.bertof = {
isNormalUser = true;
extraGroups = [ "audio" "input" "docker" "flashrom" "libvirtd" "network" "networkmanager" "usb" "video" "wheel" ];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+zsSWZFFzQKnATCAvtG+iuSm4qkZHjCtHzGa9B/71W" ];
shell = pkgs.zsh;
useDefaultShell = false;
};
virtualisation = {
docker.enable = true;
kvmgt.enable = true;
libvirtd.enable = true;
podman.enable = true;
virtualbox.host.enable = true;
};
nixpkgs.config = {
allowUnfree = true;
packageOverrides = pkgs: {
steam = pkgs.steam.override {
extraPkgs = pkgs: with pkgs; [ ];
extraLibraries = pkgs: with pkgs; [ fontconfig.lib icu freetype ];
};
};
# cudaSupport = true;
};
nix = {
package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes)
"experimental-features = nix-command flakes";
gc.automatic = true;
};
system.stateVersion = "21.05"; # Did you read the comment?
}