dotfiles/nixos/roles/workstation.nix

{ config, lib, pkgs, ... }:
let
  nixNetrcFile = pkgs.runCommand "nix-netrc-file" {
    hostname = "cache.lumi.guide";
    username = "lumi";
  } ''
    cat > $out <<EOI
    machine $hostname
    login $username
    password ${
      builtins.readFile
      /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password
    }
    EOI
  '';
in {
  imports = [ ./graphical.nix ];

  users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ];
  services.printing = {
    enable = true;
    drivers = [ pkgs.gutenprint pkgs.cups-dymo ];
  };
  environment.systemPackages = with pkgs; [
    pkgs.ghostscript
    pkgs.yubikey-manager
    pkgs.glib
  ];
  environment.sessionVariables.XDG_DATA_DIRS = with pkgs; [
    "${gnome-themes-extra}/share"
    "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}"
  ];
  programs.dconf.enable = true;
  virtualisation.virtualbox.host.enable = false;
  yorick.support32bit = true;
  services.pcscd.enable = true;
  #environment.systemPackages = [pkgs.yubikey-manager];
  fonts.fonts = [ pkgs.emojione ];
  programs.wireshark.enable = true;
  nix = {
    gc.automatic = pkgs.lib.mkOverride 30 false;
    binaryCaches = [
      "https://cache.nixos.org"
      "https://cache.lumi.guide/"
      #"s3://yori-nix?endpoint=s3.eu-central-003.backblazeb2.com&profile=backblaze-read"
      #"https://nixpkgs-wayland.cachix.org"
    ];
    trustedBinaryCaches = config.nix.binaryCaches ++ [
      "ssh://yorick@jupiter.serokell.io"
      "ssh-ng://jupiter"
      "https://serokell.cachix.org"
    ];
    binaryCachePublicKeys = [
      "serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="
      "serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0="
      (lib.mkIf config.yorick.lumi-vpn.enable "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE=")
      "serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8="
      #"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
      "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0="
    ];
    extraOptions = lib.mkIf config.yorick.lumi-vpn.enable ''
      netrc-file = ${nixNetrcFile}
    '';
  };
  services.avahi = {
    enable = true;
    nssmdns = true;
  };
  virtualisation.libvirtd.enable = true;
  users.users.yorick.extraGroups = [ "libvirtd" "pico" ];
  users.users.yorick.shell = pkgs.fish;
  services.udev.extraRules = ''
    SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"
  '';

  # picoscope
  #users.users.yorick.extraGroups = ["pico"];
  services.udev.packages = [
    (pkgs.writeTextDir "lib/udev/rules.d/95-pico.rules" ''
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0ce9", MODE="664",GROUP="pico"
    '')
  ];
  users.groups.pico = { };

  # development
  services.postgresql = {
    enable = true;
    enableTCPIP = true;
    package = pkgs.postgresql_10;
  };

  # git
  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;

  yorick.lumi-vpn.enable = true;

  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true; # todo: support32bit?
    pulse.enable = true;
    media-session.config.bluez-monitor.rules = [
      {
        # Matches all cards
        matches = [ { "device.name" = "~bluez_card.*"; } ];
        actions = {
          "update-props" = {
            "bluez5.reconnect-profiles" = [ "hfp_hf" "hsp_hs" "a2dp_sink" ];
            # mSBC is not expected to work on all headset + adapter combinations.
            "bluez5.msbc-support" = true;
            # SBC-XQ is not expected to work on all headset + adapter combinations.
            "bluez5.sbc-xq-support" = true;
          };
        };
      }
      {
        matches = [
          # Matches all sources
          { "node.name" = "~bluez_input.*"; }
          # Matches all outputs
          { "node.name" = "~bluez_output.*"; }
        ];
        actions = {
          "node.pause-on-idle" = false;
        };
      }
    ];
  };
  xdg.portal = {
    enable = true;
    extraPortals = with pkgs; [ xdg-desktop-portal-wlr xdg-desktop-portal-gtk ];
    gtkUsePortal = true;
  };
}
better hardware/logical separation 2017-02-02 16:31:19 +01:00			`{ config, lib, pkgs, ... }:`
initial commit 2020-05-21 17:39:38 +02:00			`let`
nixfmt 2021-05-29 18:05:31 +02:00			`nixNetrcFile = pkgs.runCommand "nix-netrc-file" {`
			`hostname = "cache.lumi.guide";`
			`username = "lumi";`
			`} ''`
			`cat > $out <<EOI`
			`machine $hostname`
			`login $username`
			`password ${`
			`builtins.readFile`
			`/home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password`
			`}`
			`EOI`
			`'';`
			`in {`
			`imports = [ ./graphical.nix ];`
remove nixpkgs-wayland impurity 2021-01-03 17:38:16 +01:00
initial commit 2020-05-21 17:39:38 +02:00			`users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ];`
better hardware/logical separation 2017-02-02 16:31:19 +01:00			`services.printing = {`
			`enable = true;`
workstation: fix themes, add dymo cups driver 2021-01-02 20:49:28 +01:00			`drivers = [ pkgs.gutenprint pkgs.cups-dymo ];`
better hardware/logical separation 2017-02-02 16:31:19 +01:00			`};`
initial commit 2020-05-21 17:39:38 +02:00			`environment.systemPackages = with pkgs; [`
nixfmt 2021-05-29 18:05:31 +02:00			`pkgs.ghostscript`
			`pkgs.yubikey-manager`
			`pkgs.glib`
initial commit 2020-05-21 17:39:38 +02:00			`];`
workstation: fix themes, add dymo cups driver 2021-01-02 20:49:28 +01:00			`environment.sessionVariables.XDG_DATA_DIRS = with pkgs; [`
			`"${gnome-themes-extra}/share"`
			`"${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}"`
			`];`
			`programs.dconf.enable = true;`
initial commit 2020-05-21 17:39:38 +02:00			`virtualisation.virtualbox.host.enable = false;`
better hardware/logical separation 2017-02-02 16:31:19 +01:00			`yorick.support32bit = true;`
add yubikey 2018-03-10 17:15:37 +01:00			`services.pcscd.enable = true;`
update for 18.03 2018-03-11 18:28:25 +01:00			`#environment.systemPackages = [pkgs.yubikey-manager];`
add config for japanese typing, wireshark, bluetooth headphones 2018-11-20 22:30:30 +01:00			`fonts.fonts = [ pkgs.emojione ];`
			`programs.wireshark.enable = true;`
Add lumiguide public key 2018-05-12 18:13:48 +02:00			`nix = {`
			`gc.automatic = pkgs.lib.mkOverride 30 false;`
			`binaryCaches = [`
			`"https://cache.nixos.org"`
initial commit 2020-05-21 17:39:38 +02:00			`"https://cache.lumi.guide/"`
roles/workstation: prepare yori-nix cache 2021-01-03 17:01:33 +01:00			`#"s3://yori-nix?endpoint=s3.eu-central-003.backblazeb2.com&profile=backblaze-read"`
initial commit 2020-05-21 17:39:38 +02:00			`#"https://nixpkgs-wayland.cachix.org"`
Add lumiguide public key 2018-05-12 18:13:48 +02:00			`];`
			`trustedBinaryCaches = config.nix.binaryCaches ++ [`
enable ipv6 everywhere, unify nix cache config 2018-11-20 22:26:42 +01:00			`"ssh://yorick@jupiter.serokell.io"`
			`"ssh-ng://jupiter"`
			`"https://serokell.cachix.org"`
Add lumiguide public key 2018-05-12 18:13:48 +02:00			`];`
			`binaryCachePublicKeys = [`
			`"serokell:ic/49yTkeFIk4EBX1CZ/Wlt5fQfV7yCifaJyoM+S3Ss="`
enable ipv6 everywhere, unify nix cache config 2018-11-20 22:26:42 +01:00			`"serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0="`
smithers updates 2021-10-20 11:45:16 +02:00			`(lib.mkIf config.yorick.lumi-vpn.enable "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE=")`
enable ipv6 everywhere, unify nix cache config 2018-11-20 22:26:42 +01:00			`"serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8="`
roles/workstation: prepare yori-nix cache 2021-01-03 17:01:33 +01:00			`#"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="`
			`"yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0="`
Add lumiguide public key 2018-05-12 18:13:48 +02:00			`];`
smithers updates 2021-10-20 11:45:16 +02:00			`extraOptions = lib.mkIf config.yorick.lumi-vpn.enable ''`
initial commit 2020-05-21 17:39:38 +02:00			`netrc-file = ${nixNetrcFile}`
			`'';`
			`};`
			`services.avahi = {`
			`enable = true;`
			`nssmdns = true;`
Add lumiguide public key 2018-05-12 18:13:48 +02:00			`};`
initial commit 2020-05-21 17:39:38 +02:00			`virtualisation.libvirtd.enable = true;`
workstation: fix eval 2021-01-03 16:39:07 +01:00			`users.users.yorick.extraGroups = [ "libvirtd" "pico" ];`
initial commit 2020-05-21 17:39:38 +02:00			`users.users.yorick.shell = pkgs.fish;`
			`services.udev.extraRules = ''`
			`SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"`
			`'';`
move picoscope+ldac+postgres stuff to workstation 2021-01-02 21:06:31 +01:00
			`# picoscope`
workstation: fix eval 2021-01-03 16:39:07 +01:00			`#users.users.yorick.extraGroups = ["pico"];`
move picoscope+ldac+postgres stuff to workstation 2021-01-02 21:06:31 +01:00			`services.udev.packages = [`
			`(pkgs.writeTextDir "lib/udev/rules.d/95-pico.rules" ''`
			`SUBSYSTEMS=="usb", ATTRS{idVendor}=="0ce9", MODE="664",GROUP="pico"`
			`'')`
			`];`
nixfmt 2021-05-29 18:05:31 +02:00			`users.groups.pico = { };`
move picoscope+ldac+postgres stuff to workstation 2021-01-02 21:06:31 +01:00
			`# development`
			`services.postgresql = {`
			`enable = true;`
			`enableTCPIP = true;`
			`package = pkgs.postgresql_10;`
			`};`

			`# git`
			`boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;`
add lumi-vpn module 2021-01-03 17:38:59 +01:00
			`yorick.lumi-vpn.enable = true;`
update 2021-05-23 17:19:28 +02:00
pipewire 2021-08-14 12:18:09 +02:00			`security.rtkit.enable = true;`
			`services.pipewire = {`
			`enable = true;`
			`alsa.enable = true;`
			`alsa.support32Bit = true; # todo: support32bit?`
			`pulse.enable = true;`
			`media-session.config.bluez-monitor.rules = [`
			`{`
			`# Matches all cards`
			`matches = [ { "device.name" = "~bluez_card.*"; } ];`
			`actions = {`
			`"update-props" = {`
			`"bluez5.reconnect-profiles" = [ "hfp_hf" "hsp_hs" "a2dp_sink" ];`
			`# mSBC is not expected to work on all headset + adapter combinations.`
			`"bluez5.msbc-support" = true;`
			`# SBC-XQ is not expected to work on all headset + adapter combinations.`
			`"bluez5.sbc-xq-support" = true;`
			`};`
			`};`
			`}`
			`{`
			`matches = [`
			`# Matches all sources`
			`{ "node.name" = "~bluez_input.*"; }`
			`# Matches all outputs`
			`{ "node.name" = "~bluez_output.*"; }`
			`];`
			`actions = {`
			`"node.pause-on-idle" = false;`
			`};`
			`}`
			`];`
			`};`
update 2021-05-23 17:19:28 +02:00			`xdg.portal = {`
			`enable = true;`
nixfmt 2021-05-29 18:05:31 +02:00			`extraPortals = with pkgs; [ xdg-desktop-portal-wlr xdg-desktop-portal-gtk ];`
update 2021-05-23 17:19:28 +02:00			`gtkUsePortal = true;`
			`};`
disbale redshifit, move nix gc 2018-05-12 18:15:42 +02:00			`}`