Initial

2019-05-31 00:02:30 +00:00 · 2019-05-31 00:02:30 +00:00 · 7438942f91
commit 7438942f91
10 changed files with 499 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+hardware-configuration.nix
+wireless-networks.nix
+secrets.nix
--- a/21
+++ b/21
@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Mikhail Klementev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,15 @@
+# localhost
+
+## Installation
+
+    parted...
+    cryptsetup...
+    mount...
+
+    nix-env -iA nixos.gitMinimal
+    git clone https://code.dumpstack.io/infra/localhost.git /mnt/etc/nixos/
+
+    nixos-generate-config --root /mnt
+
+    nixos-install
+    reboot
--- a/configuration.nix
+++ b/configuration.nix
@ -0,0 +1,53 @@
+# nix-channel --add https://nixos.org/channels/nixos-19.03 nixos
+# nix-channel --add https://nixos.org/channels/nixos-unstable unstable
+# nix-channel --update
+#
+{ config, pkgs, ... }:
+
+let
+  unstable = import <unstable> {};
+in {
+  imports =
+    [ <nixpkgs/nixos/modules/profiles/hardened.nix>
+      ./hardware-configuration.nix
+      ./packages.nix
+      ./networking.nix
+      ./desktop.nix
+      ./security.nix
+      ./hacks.nix
+    ];
+
+  time.timeZone = "UTC";
+
+  boot.kernelPackages = pkgs.linuxPackages;
+
+  i18n = {
+    consoleFont = "latarcyrheb-sun32";
+    consoleKeyMap = "us";
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  swapDevices = [
+    { device = "/var/swapfile";
+      size = 32768; # MiB
+    }
+  ];
+
+  users.users.root.shell = pkgs.zsh;
+  users.users.user = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    extraGroups = [ "wheel" "audio" "libvirtd" ];
+  };
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.tmpOnTmpfs = true;
+
+  system.stateVersion = "19.03";
+  system.autoUpgrade.enable = true;
+
+  nix.optimise.automatic = true;
+  nix.gc.automatic = true;
+  nix.gc.options = "--delete-older-than 7d";
+}
--- a/desktop.nix
+++ b/desktop.nix
@ -0,0 +1,88 @@
+{ config, pkgs, ... }:
+
+{
+  services.xserver.enable = true;
+  services.xserver.layout = "us,ru";
+  services.xserver.xkbOptions = "ctrl:nocaps,grp:rctrl_toggle";
+  services.xserver.videoDrivers = [ "nvidia" ];
+  services.xserver.windowManager.xmonad.enable = true;
+  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
+
+  programs.dconf.enable = true;
+  programs.light.enable = true;
+
+  hardware.opengl.extraPackages = [ pkgs.vaapiVdpau ];
+
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+
+  environment.variables = {
+    GDK_SCALE = "2";
+    GDK_DPI_SCALE = "0.4";
+  };
+
+  fonts = {
+    enableFontDir = true;
+    enableGhostscriptFonts = true;
+    fonts = with pkgs; [
+      ubuntu_font_family
+    ];
+  };
+
+  environment.etc."X11/xorg.conf.d/60-trackball.conf".text = ''
+    Section "InputClass"
+      Identifier      "Marble Mouse"
+      MatchProduct    "Logitech USB Trackball"
+      MatchIsPointer  "on"
+      MatchDevicePath "/dev/input/event*"
+      Driver          "evdev"
+
+      Option "ButtonMapping"       "3 8 1 4 5 6 7 2 2"
+      Option "EmulateWheel"        "true"
+      Option "EmulateWheelButton"  "9"
+      Option "EmulateWheelInertia" "10"
+      Option "ZAxisMapping"        "4 5"
+      Option "Emulate3Buttons"     "true"
+    EndSection
+  '';
+
+  environment.etc."X11/xorg.conf.d/61-trackpoint.conf".text = ''
+    Section "InputClass"
+      Identifier      "Trackpoint Wheel Emulation"
+      Driver          "evdev"
+      MatchProduct    "TPPS/2 Elan TrackPoint"
+      MatchDevicePath "/dev/input/event*"
+
+      Option "EmulateWheel"                       "true"
+      Option "EmulateWheelButton"                 "2"
+      Option "Emulate3Buttons"                    "false"
+      Option "XAxisMapping"                       "6 7"
+      Option "YAxisMapping"                       "4 5"
+      Option "Device Accel Constant Deceleration" "0.5"
+    EndSection
+  '';
+
+  services.xserver.displayManager.lightdm = {
+    background = "black";
+    greeters.mini = {
+      enable = true;
+      user = "user";
+    };
+  };
+
+  programs.chromium = {
+    enable = true;
+    extensions = [
+      "cjpalhdlnbpafiamejdnhcphjbkeiagm" # uBlock Origin
+      "gcbommkclmclpchllfjekcdonpmejbdp" # HTTPS Everywhere
+      "pkehgijcmpdhfbdbbnkijodmdjhbjlgp" # Privacy Badger
+      "dbepggeogbaibhgnhhndojpepiihcmeb" # Vimium
+      "aapbdbdomjkkjkaonfhkkikfgjllcleb" # Google Translate
+      "naepdomgkenhinolocfifgehidddafch" # Browserpass
+    ];
+  };
+
+  networking.localCommands = ''
+    mkdir -p /tmp/chromium && chown user:users /tmp/chromium
+  '';
+}
--- a/hacks.nix
+++ b/hacks.nix
@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [ ./suspend.nix ];
+
+  services.batteryNotifier = {  # suspend.nix
+    enable = true;
+    notifyCapacity = 20;
+    suspendCapacity = 10;
+  };
+
+  boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
+
+  systemd = {
+    services = {
+      "sid-chroot-mounts" = {
+        enable = true;
+        description = "Setup mounts for debian sid chroot";
+        wantedBy = [ "multi-user.target" ];
+        script = ''
+          ls /home/user/chroots/sid-root/home/user/.zshrc && exit
+          ${pkgs.utillinux}/bin/mount --bind /home/user /home/user/chroots/sid-root/home/user
+          ${pkgs.utillinux}/bin/mount --bind /dev /home/user/chroots/sid-root/dev
+          ${pkgs.utillinux}/bin/mount --bind /proc /home/user/chroots/sid-root/proc
+          ${pkgs.utillinux}/bin/mount --bind /sys /home/user/chroots/sid-root/sys
+        '';
+        serviceConfig.Type = "oneshot";
+      };
+    };
+  };
+}
--- a/networking.nix
+++ b/networking.nix
@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+
+let
+  secrets = import ./secrets.nix;
+in {
+  networking.hostName = "local";
+  networking.nameservers = [ "1.1.1.1" ];
+
+  networking.wireless.enable = true;
+  imports = [ ./wireless-networks.nix ];
+
+  networking.firewall = {
+    enable = true;
+    extraCommands = ''
+      iptables -F OUTPUT
+      iptables -P OUTPUT DROP
+
+      iptables -A OUTPUT -o lo+ -j ACCEPT
+      iptables -A OUTPUT -o vpn+ -j ACCEPT
+      iptables -A OUTPUT -o tun+ -j ACCEPT
+      iptables -A OUTPUT -o tap+ -j ACCEPT
+      iptables -A OUTPUT -o veth+ -j ACCEPT
+      iptables -A OUTPUT -o vnet+ -j ACCEPT
+      iptables -A OUTPUT -o docker+ -j ACCEPT
+      iptables -A OUTPUT -o virbr+ -j ACCEPT
+      iptables -A OUTPUT -o virbr0-nic -j ACCEPT
+
+      # iptables -A OUTPUT -d 192.0.2.17 -j ACCEPT
+      ${secrets.iptables}
+    '';
+    checkReversePath = false;
+  };
+
+  services.openvpn.servers.vpn = {
+    autoStart = true;
+    config = secrets.vpn-config;
+    authUserPass.username = secrets.vpn-username;
+    authUserPass.password = secrets.vpn-password;
+    updateResolvConf = true;
+  };
+
+  systemd = {
+    services = {
+      "macchanger" = {
+        description = "Changes MAC of all interfaces for privacy reasons";
+        wants = [ "network-pre.target" ];
+        wantedBy = [ "multi-user.target" ];
+        before = [ "network-pre.target" ];
+        bindsTo = [ "sys-subsystem-net-devices-wlp0s20f3.device" ];
+        after = [ "sys-subsystem-net-devices-wlp0s20f3.device" ];
+        # we always return true to avoid errors while 'nixos-rebuild switch'
+        # because it does not stop interfaces
+        # TODO it must be changed to work only when system starts
+        script = ''
+          ${pkgs.macchanger}/bin/macchanger -e wlp0s20f3 || true
+          ${pkgs.macchanger}/bin/macchanger -e enp0s31f6 || true
+        '';
+        serviceConfig.Type = "oneshot";
+      };
+      "openvpn-restart-after-suspend" = {
+        description = "Restart OpenVPN after suspend";
+        after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
+        wantedBy = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
+        script = ''
+          ${pkgs.systemd}/bin/systemctl try-restart openvpn-vpn.service
+        '';
+      };
+    };
+  };
+}
--- a/packages.nix
+++ b/packages.nix
@ -0,0 +1,97 @@
+{ config, pkgs, ... }:
+
+let
+  unstable = import <unstable> {};
+in {
+  nixpkgs.config.allowUnfree = true;
+
+  programs.zsh.enable = true;
+  programs.browserpass.enable = true;
+  programs.adb.enable = true;
+
+  programs.java = {
+    enable = true;
+    package = unstable.pkgs.jdk11;
+  };
+
+  services.ntp.enable = true;
+  services.tlp.enable = true;
+  services.vnstat.enable = true;
+
+  virtualisation.docker.enable = true;
+
+  virtualisation.libvirtd = {
+    enable = true;
+    qemuVerbatimConfig = ''
+      namespaces = []
+      user = "user"
+      group = "users"
+    '';
+  };
+
+  environment.systemPackages = with pkgs; [
+    # nix
+    patchelfUnstable nix-index
+    appimage-run
+
+    # gpu
+    nvtop cudatoolkit_10
+
+    # utils
+    wget tmux zsh vim emacs htop acpi bc p7zip mpv
+    git pass unzip zip w3m whois dnsutils feh
+    parted iotop nmap tldr sshfs pinentry_ncurses
+    oathToolkit neomutt pciutils easyrsa openvpn
+    lsof tcpdump ddcutil pmount woeusb tigervnc
+    file mkpasswd irssi heroku hdparm debootstrap
+    proot fakeroot fakechroot lm_sensors powertop
+    exfat traceroute graphicsmagick-imagemagick-compat
+    pdftk vnstat dunst ghostscript graphicsmagick
+    browsh
+
+    # gpg-related
+    gnupg unstable.yubikey-manager unstable.yubikey-personalization
+
+    # virtualization
+    nixops
+    kvm
+    virtmanager
+    virtviewer
+    spice
+    spice-gtk
+
+    # python
+    python2Full
+    python2Packages.obfsproxy
+
+    python3Full 
+    python3Packages.ipython
+
+    # dev
+    go gnumake gcc clang clang-analyzer global
+    maven binutils-unwrapped openssl bison flex fop libxslt
+    cmake manpages unstable.gradle cargo rustc guile
+
+    # re
+    radare2 radare2-cutter
+
+    # x render
+    vdpauinfo
+
+    # base x
+    rofi xlibs.xmodmap ubuntu_font_family i3lock unstable.kitty
+    xfce.xfce4notifyd libnotify gtk_engines x2x lxappearance-gtk3
+    pulsemixer arc-theme xorg.xhost xclip
+    gnome3.dconf gnome3.dconf-editor gsettings-desktop-schemas gsettings-qt
+    xorg.xcursorthemes capitaine-cursors
+
+    # x apps
+    unstable.chromium escrotum unstable.wire-desktop tdesktop ssvnc tightvnc
+    quaternion veracrypt evince krita gimp gnome3.gnome-maps
+    android-file-transfer darktable xournal gnome3.eog audacious audacity
+    matrique libreoffice electrum adobe-reader unstable.wireshark lmms
+    unstable.firefox
+
+    (pkgs.writeShellScriptBin "virt-manager-unstable" "${unstable.virtmanager}/bin/virt-manager $@")
+  ];
+}
--- a/security.nix
+++ b/security.nix
@ -0,0 +1,50 @@
+{ config, pkgs, ... }:
+
+{
+  security.allowUserNamespaces = true;
+  security.allowSimultaneousMultithreading = true;
+  security.lockKernelModules = false;
+
+  programs.ssh.startAgent = false;
+  programs.gnupg = {
+    agent.enable = true;
+    agent.enableSSHSupport = true;
+    agent.enableExtraSocket = true;
+    agent.enableBrowserSocket = true;
+    dirmngr.enable = true;
+  };
+
+  # Bus 001 Device 002: ID 1050:0404 Yubico.com Yubikey 4 CCID
+  services.udev = {
+    extraRules = ''
+      ACTION=="add|change", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", MODE="0666"
+    '';
+  };
+
+  systemd = {
+    services = {
+      "force-lock-after-suspend" = {
+        serviceConfig.User = "user";
+        description = "Force i3lock after suspend";
+        before = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
+        wantedBy = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
+        script = ''
+          DISPLAY=:0 ${pkgs.i3lock}/bin/i3lock -n -c 000000
+        '';
+      };
+    };
+  };
+
+  # Allow manage backlight without sudo
+  security.sudo = {
+    enable = true;
+    extraConfig = ''
+      %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
+    '';
+  };
+
+  security.wrappers = {
+    pmount.source = "${pkgs.pmount}/bin/pmount";
+    pumount.source = "${pkgs.pmount}/bin/pumount";
+  };
+}
--- a/suspend.nix
+++ b/suspend.nix
@ -0,0 +1,71 @@
+# https://gist.github.com/domenkozar/82886ee82efee623cdc0d19eb81c7fb7
+
+{ config, lib, pkgs, ...}:
+
+with lib;
+
+let
+  cfg = config.services.batteryNotifier;
+in {
+  options = {
+    services.batteryNotifier = {
+      enable = mkOption {
+        default = false;
+        description = ''
+          Whether to enable battery notifier.
+        '';
+      };
+      device = mkOption {
+        default = "BAT0";
+        description = ''
+          Device to monitor.
+        '';
+      };
+      notifyCapacity = mkOption {
+        default = 10;
+        description = ''
+          Battery level at which a notification shall be sent.
+        '';
+      };
+      suspendCapacity = mkOption {
+        default = 5;
+        description = ''
+          Battery level at which a suspend unless connected shall be sent.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.user.timers."lowbatt" = {
+      description = "check battery level";
+      timerConfig.OnBootSec = "1m";
+      timerConfig.OnUnitInactiveSec = "1m";
+      timerConfig.Unit = "lowbatt.service";
+      wantedBy = ["timers.target"];
+    };
+    systemd.user.services."lowbatt" = {
+      description = "battery level notifier";
+      serviceConfig.PassEnvironment = "DISPLAY";
+      script = ''
+        export battery_capacity=$(${pkgs.coreutils}/bin/cat /sys/class/power_supply/${cfg.device}/capacity)
+        export battery_status=$(${pkgs.coreutils}/bin/cat /sys/class/power_supply/${cfg.device}/status)
+
+        if [[ $battery_capacity -le ${builtins.toString cfg.notifyCapacity} && $battery_status = "Discharging" ]]; then
+            ${pkgs.libnotify}/bin/notify-send --urgency=critical --hint=int:transient:1 --icon=battery_empty "Battery Low" "You should probably plug-in."
+        fi
+
+        if [[ $battery_capacity -le ${builtins.toString cfg.suspendCapacity} && $battery_status = "Discharging" ]]; then
+            ${pkgs.libnotify}/bin/notify-send --urgency=critical --hint=int:transient:1 --icon=battery_empty "Battery Critically Low" "Computer will suspend in 60 seconds."
+            sleep 60s
+
+            battery_status=$(${pkgs.coreutils}/bin/cat /sys/class/power_supply/${cfg.device}/status)
+            if [[ $battery_status = "Discharging" ]]; then
+                #systemctl suspend
+                systemctl poweroff
+            fi
+        fi
+      '';
+    };
+  };
+}