Diffstat (limited to 'machines/helium.nix')
-rw-r--r--machines/helium.nix171
1 files changed, 47 insertions, 124 deletions
diff --git a/machines/helium.nix b/machines/helium.nix
index 97f51c8..e2eded8 100644
--- a/machines/helium.nix
+++ b/machines/helium.nix
@@ -5,15 +5,10 @@
let
nixpkgs = builtins.fetchTarball (import ../nixpkgs.nix);
in {
- imports = [ ./users.nix ];
-
- console.font = "${pkgs.fira-mono}/share/fonts/opentype/FiraMono-Regular.otf";
-
- security.sudo.wheelNeedsPassword = true;
- security.pam.yubico.enable = true;
- security.pam.yubico.debug = false;
- security.pam.yubico.control = "sufficient"; # use yubikey in lieu of password
- security.pam.yubico.mode = "challenge-response";
+ imports = [
+ ./lib/users.nix
+ ./lib/base.nix
+ ];
boot.initrd.availableKernelModules = [
"ehci_pci" "ahci"
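Review bot: The new `imports` list now has to supply the `security.pam.yubico.*` settings this hunk deletes (`enable`, `control = "sufficient"`, `mode = "challenge-response"`), and `./lib/base.nix` is not visible here, so that cannot be confirmed from this diff. If base.nix does not set them, this machine silently stops using the YubiKey for PAM while the udev rule later in the file still hands the token to `ben` for xlock. The same applies to `fail2ban.enable` and `pcscd.enable`, which the services hunk further down removes. If they did move, a short comment on the import would make the dependency explicit, e.g. `./lib/base.nix # PAM yubico, fail2ban, pcscd are set here`. The attribute set opened by `in {` continues past the end of this hunk.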
@@ -38,29 +33,6 @@ in {
24800 # barrier
];
- time.timeZone = "America/New_York";
-
- location.latitude = 40.80;
- location.longitude = -81.52;
-
- fonts.fonts = with pkgs; [
- google-fonts mononoki source-code-pro fantasque-sans-mono hack-font
- fira fira-code fira-code-symbols
- ];
-
- environment.systemPackages = with pkgs; [
- yubioath-desktop
- yubico-pam
- yubikey-manager
- yubikey-personalization
- ];
-
- nixpkgs = {
- config = {
- allowUnfree = true;
- allowBroken = true;
- };
- };
hardware.video.hidpi.enable = true;
hardware.enableAllFirmware = true;
@@ -76,86 +48,50 @@ in {
hardware.pulseaudio.daemon.logLevel = "debug";
# hardware.pulseaudio.extraConfig = "load-module module-loopback";
- programs = {
- bash.enableCompletion = true;
- command-not-found.enable = true;
- light.enable = true;
- gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- };
- mosh.enable = true;
- ssh.agentTimeout = "1h";
- };
+ services.udev.extraRules = ''
+ # allows xlock to read the yubikey for challenge-response when unlocking.
+ # you need to do 'udevadm control --reload && udevadm trigger' after
+ # changing this. 'ykinfo -v' without sudo should work.
+ ACTION!="add|change", GOTO="yubico_end", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="ben", MODE="0600"
+ LABEL="yubico_end"
+
+ # when yubi is removed, activate yubilock
+ #ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", ENV{ID_SERIAL}="Yubico_Yubikey_4_OTP+U2F+CCID", RUN+="${pkgs.systemd}/bin/systemctl start xlock"
+
+ # coldcard https://github.com/Coldcard/ckcc-protocol/blob/6b6052b38c354c6edc0df79f753f455f286d7b4a/51-coinkite.rules
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="d13e", ATTRS{idProduct}=="cc10", GROUP="plugdev", MODE="0666"
+ KERNEL=="hidraw*", ATTRS{idVendor}=="d13e", ATTRS{idProduct}=="cc10", GROUP="plugdev", MODE="0666"
+
+ #Flipper Zero serial port
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5740", ATTRS{manufacturer}=="Flipper Devices Inc.", TAG+="uaccess"
+ #Flipper Zero DFU
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", ATTRS{manufacturer}=="STMicroelectronics", TAG+="uaccess"
+ ''; # flipper is not in 21.11: + "${pkgs.qFlipper}/etc/udev/rules.d/42-flipperzero.rules";
+
+ services.xserver.enable = true;
+ services.xserver.autorun = true;
+ services.xserver.layout = "us";
+ services.xserver.libinput.enable = true;
+ services.xserver.libinput.mouse.additionalOptions = ''
+ Option "ScrollMethod" "Button"
+ Option "ScrollButton" "3"
+ '';
+ services.xserver.libinput.mouse.buttonMapping = "1 2 8 4 5 6 7 3 9";
+ services.xserver.dpi = 156;
+
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.windowManager.xmonad.enable = true;
+ services.xserver.desktopManager.plasma5.enable = true;
+ services.xserver.desktopManager.wallpaper.mode = "fill";
+
+ services.xserver.xautolock.enable = false;
+ services.xserver.xautolock.locker = "${pkgs.xlockmore}/bin/xlock -mode matrix";
+ services.xserver.xautolock.nowlocker = "${pkgs.xlockmore}/bin/xlock -mode matrix"; # xautolock -locknow
+ services.xserver.xautolock.time = 5; # minutes
+ services.xserver.xautolock.enableNotifier = true;
+ services.xserver.xautolock.notify = 30; # seconds
+ services.xserver.xautolock.notifier = ''${pkgs.libnotify}/bin/notify-send "Locking in 30 seconds"'';
- services = {
- pcscd.enable = true;
-
- logind.lidSwitch = "suspend";
- logind.lidSwitchDocked = "lock";
- logind.lidSwitchExternalPower = "lock";
- #logind.extraConfig = "IdleAction=lock";
-
- clight.enable = true;
- clight.temperature.day = 6500;
- clight.temperature.night = 1800;
-
- printing.enable = true;
-
- xserver.enable = true;
- xserver.autorun = true;
- xserver.layout = "us";
- xserver.libinput.enable = true;
- xserver.libinput.mouse.additionalOptions = ''
- Option "ScrollMethod" "Button"
- Option "ScrollButton" "3"
- '';
- xserver.libinput.mouse.buttonMapping = "1 2 8 4 5 6 7 3 9";
- xserver.xkbOptions = "caps:ctrl_modifier";
- xserver.dpi = 156;
-
- xserver.displayManager.sddm.enable = true;
- xserver.windowManager.xmonad.enable = true;
- xserver.desktopManager.plasma5.enable = true;
- xserver.desktopManager.wallpaper.mode = "fill";
-
- xserver.xautolock.enable = false;
- xserver.xautolock.locker = "${pkgs.xlockmore}/bin/xlock -mode matrix";
- xserver.xautolock.nowlocker = "${pkgs.xlockmore}/bin/xlock -mode matrix"; # xautolock -locknow
- xserver.xautolock.time = 5; # minutes
- #xserver.xautolock.killer = "${pkgs.systemd}/bin/systemctl suspend";
- #xserver.xautolock.killtime = 120; # minutes
- xserver.xautolock.enableNotifier = true;
- xserver.xautolock.notify = 30; # seconds
- xserver.xautolock.notifier = ''${pkgs.libnotify}/bin/notify-send "Locking in 30 seconds"'';
-
- vnstat.enable = true;
-
- # security stuff
- fail2ban.enable = true;
- clamav.daemon.enable = false;
- clamav.updater.enable = false;
-
- udev.extraRules = ''
- # allows xlock to read the yubikey for challenge-response when unlocking.
- # you need to do 'udevadm control --reload && udevadm trigger' after
- # changing this. 'ykinfo -v' without sudo should work.
- ACTION!="add|change", GOTO="yubico_end", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="ben", MODE="0600"
- LABEL="yubico_end"
-
- # when yubi is removed, activate yubilock
- #ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", ENV{ID_SERIAL}="Yubico_Yubikey_4_OTP+U2F+CCID", RUN+="${pkgs.systemd}/bin/systemctl start xlock"
-
- # coldcard https://github.com/Coldcard/ckcc-protocol/blob/6b6052b38c354c6edc0df79f753f455f286d7b4a/51-coinkite.rules
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="d13e", ATTRS{idProduct}=="cc10", GROUP="plugdev", MODE="0666"
- KERNEL=="hidraw*", ATTRS{idVendor}=="d13e", ATTRS{idProduct}=="cc10", GROUP="plugdev", MODE="0666"
-
- #Flipper Zero serial port
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5740", ATTRS{manufacturer}=="Flipper Devices Inc.", TAG+="uaccess"
- #Flipper Zero DFU
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", ATTRS{manufacturer}=="STMicroelectronics", TAG+="uaccess"
- ''; # flipper is not in 21.11: + "${pkgs.qFlipper}/etc/udev/rules.d/42-flipperzero.rules";
- };
systemd.services = {
"xlock" = {
enable = false;
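Review bot: The two Coldcard rules in the new `services.udev.extraRules` set `GROUP="plugdev", MODE="0666"`, which makes the hardware-wallet USB and hidraw nodes readable and writable by every local account and leaves the group assignment with no effect. `MODE="0660"` together with the group, or `TAG+="uaccess"` as the Flipper rules just below use, would limit access to the logged-in seat user. Separately, the YubiKey rule puts `ACTION!="add|change", GOTO="yubico_end"` on the same line as the `ATTRS{idVendor}=="1050"` match and `OWNER="ben", MODE="0600"`; udev requires every match on a line to hold, so as written the owner and mode would be applied only on events that are not add/change, and the line probably needs splitting into a guard rule and a separate match/assign rule. Both rules are carried over unchanged from the removed `services = { ... }` block, and `systemd.services` continues outside the hunk.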
@@ -178,19 +114,6 @@ in {
powerManagement.enable = true;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
- nix.nixPath = [
- "nixpkgs=${nixpkgs}"
- "nixos-config=/etc/nixos/configuration.nix"
- "/nix/var/nix/profiles/per-user/root/channels"
- ];
-
- nix.gc.automatic = false;
- nix.gc.dates = "03:15";
-
- nix.extraOptions = ''
- builders-use-substitutes = true
- '';
-
nix.buildMachines = [
{
hostName = "dev.simatime.com";