
{ config, pkgs, lib, ... }:
{
# Hardware scan (filesystems, kernel modules, firmware) kept outside this
# repository and pulled in by absolute path; typically the output of
# nixos-generate-config.
imports = [ /etc/nixos/hardware-configuration.nix ];
# UEFI boot through systemd-boot; the installer is allowed to write EFI
# variables when registering the loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Host identity and link management. NetworkManager owns the interfaces; the
# global DHCP switch is off and re-enabled per interface (wired eno1,
# wireless wlp7s0), the pattern nixos-generate-config emits.
networking.hostName = "loki";
networking.networkmanager.enable = true;
networking.useDHCP = false;
networking.interfaces.eno1.useDHCP = true;
networking.interfaces.wlp7s0.useDHCP = true;
# Locale: Italian time zone, system locale, console font and keymap.
time.timeZone = "Europe/Rome";
i18n.defaultLocale = "it_IT.UTF-8";
console.font = "Lat2-Terminus16";
console.keyMap = "it";
# X server with the proprietary NVIDIA driver, an Italian keyboard layout
# (xkb option eurosign:e puts the euro sign on the E key) and libinput for
# pointing devices.
services.xserver = {
  enable = true;
  libinput.enable = true;
  videoDrivers = [ "nvidia" ];
  layout = "it";
  xkbOptions = "eurosign:e;";
};
# GPUs and peripherals: NVIDIA PRIME in sync mode (offload disabled) with the
# PCI bus ids of the Intel iGPU and the NVIDIA dGPU, VA-API/VDPAU packages for
# hardware video decoding, and Bluetooth.
hardware.nvidia.prime = {
  sync.enable = true;
  offload.enable = false;
  intelBusId = "PCI:0:2:0";
  nvidiaBusId = "PCI:1:0:0";
};
hardware.opengl.enable = true;
hardware.opengl.extraPackages = [
  pkgs.intel-media-driver
  pkgs.libvdpau-va-gl
  pkgs.vaapiIntel
  pkgs.vaapiVdpau
];
hardware.bluetooth.enable = true;
# Local accounts. Both log in over SSH with the listed ed25519 public keys only
# (sshd below has password authentication disabled).
users.users.bertof = {
  isNormalUser = true;
  shell = pkgs.zsh;
  # NOTE: "wheel", "docker" and "libvirtd" each amount to root-equivalent
  # control of the host; keep this list as short as the workflow allows.
  extraGroups = [ "audio" "input" "docker" "libvirtd" "network" "usb" "video" "wheel" ];
  openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+zsSWZFFzQKnATCAvtG+iuSm4qkZHjCtHzGa9B/71W"
  ];
};
users.users.tiziano = {
  # Unprivileged account: no extra groups, default shell.
  isNormalUser = true;
  openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMExwtJFk6HjySrTZwJH67SOHC3hlL28NO4oe2GXsv6k"
  ];
};
# Shell tooling: gpg-agent doubles as the SSH agent; zsh with syntax
# highlighting, and /share/zsh linked into the system profile so completions
# shipped by packages are found.
programs.gnupg.agent.enable = true;
programs.gnupg.agent.enableSSHSupport = true;
programs.zsh.enable = true;
programs.zsh.syntaxHighlighting.enable = true;
environment.pathsToLink = [ "/share/zsh" ];
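# Network-facing and desktop services.
services = {
  # mDNS/DNS-SD: advertise this host plus its SSH and SMB services on the LAN.
  # `openFirewall` admits mDNS (5353/udp); `nssmdns` resolves *.local locally.
  avahi = {
    enable = true;
    openFirewall = true;
    nssmdns = true;
    publish = { enable = true; addresses = true; userServices = true; };
    extraServiceFiles = {
      ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
      smb = ''<?xml version="1.0" standalone='no'?><!--*-nxml-*--><!DOCTYPE service-group SYSTEM "avahi-service.dtd"><service-group><name replace-wildcards="yes">%h</name><service><type>_smb._tcp</type><port>445</port></service></service-group>'';
    };
  };
  blueman.enable = true;
  dbus.packages = [ pkgs.gnome.dconf ];
  # Brute-force protection for sshd; repeat offenders get progressively longer bans.
  fail2ban = { enable = true; bantime-increment.enable = true; };
  gnome.gnome-keyring.enable = true;
  gvfs = { enable = true; package = lib.mkForce pkgs.gnome3.gvfs; };
  logind.lidSwitch = "ignore";
  # SSH: key-only logins, no root. `passwordAuthentication = false` by itself
  # leaves the PAM keyboard-interactive path (ChallengeResponseAuthentication,
  # default yes) open, through which a password prompt is still reachable;
  # disable it as well so the only accepted method is public key.
  openssh = {
    enable = true;
    openFirewall = true;
    permitRootLogin = "no";
    passwordAuthentication = false;
    challengeResponseAuthentication = false;
  };
  plex = { enable = true; openFirewall = true; group = "users"; };
  power-profiles-daemon.enable = true;
  # File sharing: one private share per account plus a shared folder. Every
  # share requires authentication ("guest ok = no") and transport encryption
  # ("smb encrypt = required"), so clients unable to negotiate SMB encryption
  # are refused.
  samba = {
    enable = true;
    enableNmbd = true;       # NetBIOS name/datagram service, 137/138 udp (opened in the firewall below)
    enableWinbindd = true;
    nsswins = true;
    extraConfig = ''
      workgroup = WORKGROUP
      load printers = no
      smb encrypt = required
    '';
    shares =
      let
        # Defaults for a private, authenticated, writable share. Files are
        # forced into the "users" group; 0700/2700 keep them owner-only, the
        # leading 2 (setgid) makes new directories inherit the group.
        common = {
          "public" = "no";
          "writeable" = "yes";
          "create mask" = "0700";
          "directory mask" = "2700";
          "browseable" = "yes";
          "guest ok" = "no";
          "read only" = "no";
          "force group" = "users";
        };
      in
      {
        bertof = common // {
          path = "/mnt/raid/bertof";
          comment = "Bertof samba share";
          "force user" = "bertof";
          "valid users" = "bertof";
        };
        tiziano = common // {
          path = "/mnt/raid/tiziano";
          comment = "Tiziano samba share";
          "force user" = "tiziano";
          "valid users" = "tiziano";
        };
        # Shared between both users: group-writable masks so either can edit
        # the other's files; "force create/directory mode" sets the group bits
        # even when the client asks for a stricter mode.
        condiviso = common // {
          path = "/mnt/raid/condiviso";
          comment = "Samba share condiviso";
          "valid users" = "bertof tiziano";
          "create mask" = "0770";
          "directory mask" = "2770";
          "force create mode" = "0660";
          "force directory mode" = "2770";
        };
      };
  };
  # S.M.A.R.T. monitoring with desktop notifications on disk trouble.
  smartd = { enable = true; notifications.x11.enable = true; };
  thermald.enable = true;
  # Overlay VPN; the network id identifies the ZeroTier network this host joins.
  zerotierone = { enable = true; joinNetworks = [ "8056c2e21cf9c753" ]; };
};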
# services.snapper = {
# configs =
# let
# bertofExtraConfig = ''
# ALLOW_USERS="bertof"
# TIMELINE_CREATE=yes
# TIMELINE_CLEANUP=yes
# '';
# common = { extraConfig = bertofExtraConfig; };
# in
# {
# bertof_home = common // { subvolume = "/home/bertof"; };
# };
# };
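# Syncthing runs as two per-user system services so no login session is
# needed; systemd.packages also installs syncthing's own unit templates.
systemd.packages = [ pkgs.syncthing ];
systemd.services =
  let
    # Restart policy and sandboxing shared by both instances. The exit-status
    # lists presumably mirror Syncthing's restart/upgrade exit codes (see the
    # upstream unit) — confirm before changing.
    common = {
      after = [ "network.target" ];
      environment = { STNORESTART = "yes"; STNOUPGRADE = "yes"; };
      wantedBy = [ "default.target" ];
      serviceConfig = {
        Restart = "on-failure";
        SuccessExitStatus = "2 3 4";
        RestartForceExitStatus = "3 4";
        Group = config.ids.gids.users;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        # Each "~CAP_X" entry removes that capability from the bounding set.
        CapabilityBoundingSet = [ "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN" "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP" "~CAP_SYS_TIME" "~CAP_KILL" ];
      };
    };
    # Build one instance for `user`, serving its GUI on `guiPort`.
    # `lib.recursiveUpdate` merges the per-user `serviceConfig` INTO the common
    # one. The earlier `common // { serviceConfig = …; }` was a shallow merge
    # that replaced the whole `serviceConfig` attrset, so every hardening
    # directive above (and Restart/Group) was silently missing from the units.
    # NOTE: the GUI binds 0.0.0.0 and its port is opened in the firewall, so
    # the admin interface is reachable from every network this host is on;
    # unless GUI credentials are set in Syncthing's own config, consider
    # binding to a LAN/ZeroTier address instead.
    mkSyncthing = user: guiPort: lib.recursiveUpdate common {
      description = "Syncthing service ${user}";
      serviceConfig = {
        User = user;
        ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:${toString guiPort} -home=/mnt/raid/${user}/Syncthing/.config";
      };
    };
  in
  {
    syncthing-bertof = mkSyncthing "bertof" 8384;
    syncthing-tiziano = mkSyncthing "tiziano" 8385;
  };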
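# Host firewall. sshd, avahi and plex open their own ports via `openFirewall`;
# everything else that must be reachable is listed here. Note that only the
# Syncthing web GUIs are opened, not Syncthing's sync/discovery ports.
networking.firewall = {
  enable = true;
  allowPing = true;
  allowedTCPPorts = [
    445  # Samba: SMB over TCP
    139  # Samba: NetBIOS session service
    8384 # Syncthing web GUI, bertof instance (admin interface)
    8385 # Syncthing web GUI, tiziano instance (admin interface)
  ];
  allowedUDPPorts = [
    137  # Samba nmbd: NetBIOS name service
    138  # Samba nmbd: NetBIOS datagram service
  ];
  # Attach the netbios-ns conntrack helper to outgoing name queries so the
  # replies to nmbd's broadcasts are accepted back through the stateful rules.
  extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
};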
# Virtualisation stack: Docker and Podman, libvirt/KVM with Intel GVT-g
# mediated GPU passthrough (kvmgt), and VirtualBox as a host.
virtualisation.docker.enable = true;
virtualisation.podman.enable = true;
virtualisation.libvirtd.enable = true;
virtualisation.kvmgt.enable = true;
virtualisation.virtualbox.host.enable = true;
# Baseline CLI tools available to every user.
environment.systemPackages = [ pkgs.htop pkgs.kakoune pkgs.vim pkgs.tmux ];
# Show asterisks while typing the sudo password.
security.sudo.extraConfig = ''
  Defaults pwfeedback
'';
# Required for unfree packages used above (e.g. the NVIDIA driver, Plex).
nixpkgs.config.allowUnfree = true;
# Periodically delete unreferenced store paths.
nix.gc.automatic = true;
# Release whose stateful defaults this host was installed with; do not bump
# without reading the release notes.
system.stateVersion = "21.05";
}