machines: telecom -> fischer

machines/fischer/default.nix

@@ -0,0 +1,204 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+  imports = [
+    ./hardware.nix
+    ./home-julien.nix
+    ../../users/julien.nix
+    ../../users/default.nix
+  ];
+
+  # Boot stuff
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+  boot.initrd.systemd.enable = true;
+  boot.initrd.clevis = {
+    enable = true;
+    devices."cryptroot".secretFile = ./root.jwe;
+  };
+  boot.initrd.systemd.enableTpm2 = true;
+
+  # Sound stuff
+  sound.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    # If you want to use JACK applications, uncomment this
+    #jack.enable = true;
+
+    # use the example session manager (no others are packaged yet so this is enabled by default,
+    # no need to redefine it in your config for now)
+    #media-session.enable = true;
+    wireplumber.enable = true;
+
+  };
+
+  networking.hostName = "fischer";
+
+  networking.wireless.enable = false;
+
+  environment.sessionVariables = { LIBSEAT_BACKEND = "logind"; };
+
+  services.xserver = {
+    enable = true;
+    layout = "fr";
+    displayManager.gdm.enable = true;
+  };
+
+  programs.sway = {
+    enable = true;
+    extraOptions = [ "--unsupported-gpu" ];
+  };
+
+  nixpkgs.config.permittedInsecurePackages = [ "zotero-6.0.27" ];
+
+  services.tailscale.enable = true;
+  networking.networkmanager.enable =
+    true; # Easiest to use and most distros use this by default.
+
+  networking.networkmanager.dns = "systemd-resolved";
+  services.resolved.enable = true;
+
+  time.timeZone = "Europe/Paris";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    useXkbConfig = true; # use xkbOptions in tty.
+  };
+
+  # Enable OpenGL
+  hardware.opengl = {
+    enable = true;
+    driSupport = true;
+    #    driSupport32Bit = true;
+  };
+
+  # Load nvidia driver for Xorg and Wayland
+  services.xserver.videoDrivers = [ "nvidia" ];
+
+  hardware.nvidia = {
+
+    # Modesetting is required.
+    modesetting.enable = true;
+
+    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+    powerManagement.enable = false;
+    # Fine-grained power management. Turns off GPU when not in use.
+    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+    powerManagement.finegrained = false;
+
+    # Use the NVidia open source kernel module (not to be confused with the
+    # independent third-party "nouveau" open source driver).
+    # Support is limited to the Turing and later architectures. Full list of 
+    # supported GPUs is at: 
+    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus 
+    # Only available from driver 515.43.04+
+    # Do not disable this unless your GPU is unsupported or if you have a good reason to.
+    open = true;
+
+    # Enable the Nvidia settings menu,
+    # accessible via `nvidia-settings`.
+    nvidiaSettings = true;
+
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    package = config.boot.kernelPackages.nvidiaPackages.beta;
+  };
+
+  boot.initrd.kernelModules = [ "nvidia" ];
+  boot.extraModulePackages = [ config.boot.kernelPackages.nvidia_x11 ];
+
+  programs.dconf.enable = true;
+
+  security.polkit.enable = true;
+
+  services.tlp.enable = true;
+
+  security.tpm2.enable = true;
+  security.tpm2.pkcs11.enable =
+    true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+  security.tpm2.tctiEnvironment.enable =
+    true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  users.users.julien.extraGroups =
+    [ "tss" ]; # tss group has access to TPM devices
+
+  hardware.bluetooth.enable = true;
+
+  services.syncthing = {
+    enable = true;
+    user = "julien";
+    group = "users";
+    settings.options.urAccepted = -1;
+    overrideDevices = true;
+    overrideFolders = true;
+    devices = {
+      "tower" = { id = "XEPZZIP-GX73OKE-KNGZA47-XWWGI5G-LNXPU57-BMLXK5M-VNGS5UQ-ZFIZSAK"; };
+    };
+    folders = {
+      "dev" = {
+        path = "/home/julien/dev";
+        devices = [ "tower" ];
+      };
+    };
+  };
+
+  systemd.services.syncthing.serviceConfig.StateDirectory = "syncthing";
+
+  environment.systemPackages = with pkgs; [
+    tailscale
+    brightnessctl
+    unstable.diffoscope
+    sbctl
+    wl-mirror
+    texlive.combined.scheme-full
+  ];
+
+  services.printing = {
+    enable = true;
+    extraConf = ''
+      JobPrivateAccess all
+      JobPrivateValues none
+    '';
+    clientConf = ''
+      ServerName localhost
+      Encryption Required
+      User jmalka
+    '';
+
+  };
+
+  environment.variables =
+    {
+      CUPS_USER = "jmalka";
+    };
+
+  services.avahi.enable = true;
+  services.avahi.nssmdns = true;
+  # for a WiFi printer
+  services.avahi.openFirewall = true;
+
+  security.pam.services.swaylock = { };
+
+  programs.ssh.startAgent = true;
+
+  services.emacs = {
+    enable = true;
+    package = pkgs.emacs29-pgtk;
+  };
+
+  services.gnome.gnome-keyring.enable = true;
+
+  services.openssh.extraConfig = ''
+    HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+    HostKey /etc/ssh/ssh_host_ed25519_key
+    TrustedUserCAKeys /etc/ssh/ssh_user_key.pub
+    MaxAuthTries 20
+  '';
+
+  system.stateVersion = "23.05";
+
+}

machines/fischer/hardware.nix

@@ -0,0 +1,45 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/f7072a83-0478-48ea-9f55-074541c1c524";
+      fsType = "btrfs";
+    };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/56dc5a16-94ca-4a9c-a215-51ed55aec6b5";
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/9331-9E52";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/63debceb-44e6-4e27-94df-092dd59fd9e2"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s13f0u4u4u4.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/fischer/home-julien.nix

@@ -0,0 +1,116 @@
+{ pkgs, lib, config, ... }:
+{
+
+  luj.hmgr.julien =
+    {
+      home.stateVersion = "22.11";
+      luj.programs.neovim.enable = true;
+      luj.programs.ssh-client.enable = true;
+      luj.programs.git.enable = true;
+      luj.programs.gtk.enable = true;
+      luj.programs.alacritty.enable = true;
+      luj.programs.sway.enable = true;
+      luj.programs.waybar.enable = true;
+      luj.programs.waybar.interfaceName = "enp0s13f0u1u4u4";
+      luj.programs.kitty.enable = true;
+      luj.programs.dunst.enable = true;
+      luj.programs.zsh.enable = true;
+      luj.emails.enable = true;
+
+      programs.rofi = {
+        enable = true;
+        package = pkgs.rofi-wayland;
+        font = "Fira Font";
+        theme = "DarkBlue";
+      };
+
+
+      home.pointerCursor = {
+        name = "Adwaita";
+        package = pkgs.gnome.adwaita-icon-theme;
+        size = 15;
+        x11 = {
+          enable = true;
+          defaultCursor = "Adwaita";
+        };
+      };
+
+      xsession.enable = true;
+      xsession.windowManager.command = "${pkgs.swayfx}/bin/sway";
+
+
+      home.packages = with pkgs;
+        [
+          du-dust
+          kitty
+          jq
+          lazygit
+          fira-code
+          feh
+          meld
+          vlc
+          jftui
+          nerdfonts
+          libreoffice
+          font-awesome
+          nodejs
+          neomutt
+          htop
+          evince
+          mosh
+          obsidian
+          zotero
+          flameshot
+          kitty
+          networkmanagerapplet
+          element-desktop
+          xdg-utils
+          sops
+          step-cli
+          coq
+          gh
+          gh-dash
+          cvc5
+          nixpkgs-patched.signal-desktop-beta
+          coqPackages.coqide
+          (why3.withProvers
+            [
+              unstable.cvc4
+              alt-ergo
+              z3
+            ])
+          libsForQt5.neochat
+          scli
+          texlive.combined.scheme-full
+        ];
+
+      fonts.fontconfig.enable = true;
+
+      home.keyboard = {
+        layout = "fr";
+      };
+
+
+      programs.chromium = {
+        enable = true;
+        commandLineArgs = [
+          "--ozone-platform-hint=wayland"
+          "--load-media-router-component-extension=1"
+        ];
+        extensions = [
+          { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
+          { id = "ldlghkoiihaelfnggonhjnfiabmaficg"; } # Alt+Q switcher
+          { id = "enjjhajnmggdgofagbokhmifgnaophmh"; } # Resolution Zoom for HiDPI
+          { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } # I don't care about cookies
+          { id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
+          { id = "hlepfoohegkhhmjieoechaddaejaokhf"; } # Refined GitHub
+          { id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
+          { id = "dcpihecpambacapedldabdbpakmachpb"; updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/src/updates/updates.xml"; }
+        ];
+      };
+
+
+    };
+
+
+}

machines/fischer/root.jwe

@@ -0,0 +1 @@
+eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlPTG9sak5fQTVia3FnMExxZzd2ZTE5TUR6TElScFJWYjdaNDVPenZ1UnBJQUJDTWFkQWdYYV9BWW5vQUU3VnRMWF9xNG44di1NdVh4YWVzVVQwUm51cEZYVzlEN2hDZ2QwY2pROFJoX2YyLWFzbGhPYWkxTU4wZ0hib3d5U25weVlYOHFfeUY5UXRZcjR6TXlwVFZfUmpwT18tdmZwSnFzYlBsTk9uWkpIc1pNd01rbHpuVXJYeXJnelpYRVlWUG9vU3RoSVFhZWF1enJDeG9DTWhKTXozTjdvNzRQT3M0MElxYjBXMHhrYW1WVjh1ZDFYbklxaG5hOGNQUDhqcjdsOXIwamRrOHJJTzF5LThhcWphTlMxVnFQYmJDNDVSNE80YUw0Y3cwV0VRTXRXVmxIWVhGcEt5dUtnN0wiLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJQVVLTVl0Slp2ZEltZWZla20xOFFxYTVtWWRYRlo2Q25RSi1tSkkxUFdHViIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..h1YWJLRjyGOHJF1a.oRKmPpgk3Q5fLJUOBQ.nKokH0S90iew6-k5n_aaeA