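# Host module for this laptop: shared hardware/program/service modules,
# desktop odds and ends, and a hardened oneshot+timer pair that archives
# public Slack channels once a day.
{
  libx,
  pkgs,
  lib,
  globals,
  ...
}:
{
  imports = [
    ../common/hardware/laptop.nix
    ../common/programs/direnv.nix
    ../common/programs/git.nix
    ../common/programs/tmux.nix
    ../common/services/networkmanager.nix
    ../common/services/containers.nix
    ../common/services/docker.nix
    ../common/services/libvirt.nix
    ../common/services/binfmt.nix

    ../redhat
  ];

  # It takes.. multiple GB, and I don't really use it...
  # Left in with `enable = false` so the plugin selection is not lost; nothing
  # below is built or installed while it is disabled.
  programs.obs-studio = {
    enable = false;
    plugins = with pkgs.obs-studio-plugins; [
      wlrobs
      obs-backgroundremoval
      obs-pipewire-audio-capture
      input-overlay
    ];
  };

  services = {
    # First console login after boot needs no password. Anyone at the physical
    # console gets this user's session, so this leans on the machine's physical
    # security / disk encryption (configured elsewhere, if at all — not visible
    # in this file).
    getty = {
      autologinOnce = true;
      autologinUser = "vincent";
    };

    # TODO probably migrate elsewhere
    kanata = {
      enable = true;
      # `danger-enable-cmd` below requires the build with cmd support.
      package = pkgs.kanata-with-cmd;
      keyboards.x1 = {
        devices = [ "/dev/input/event0" ]; # internal keyboard
        # Same path as `./. + "/main.kbd"`, written as a plain path literal.
        config = builtins.readFile ./main.kbd;
        # danger-enable-cmd lets the key map in main.kbd spawn arbitrary
        # commands as the kanata service's user: treat main.kbd as code and
        # review changes to it like changes to this file.
        extraDefCfg = ''
          danger-enable-cmd yes
          process-unmapped-keys yes
          override-release-on-activation yes
          concurrent-tap-hold yes
        '';
      };
    };

    dictd = {
      enable = true;
      DBs = with pkgs.dictdDBs; [
        wiktionary
        wordnet
        fra2eng
        eng2fra
      ];
    };

    locate = {
      enable = true;
      pruneBindMounts = true;
    };

    wireguard = {
      enable = true;
      ips = libx.wg-ips globals.machines.kyushu.net.vpn.ips;
      endpoint = "${globals.net.vpn.endpoint}";
      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
    };

    hardware.bolt.enable = true;

    printing = {
      enable = true;
      drivers = with pkgs; [
        # cnijfilter2 # Disabled: broken in nixpkgs-unstable (bool typedef error)
        gutenprint
        gutenprintBin
      ];
    };

    # udev rules shipped with the airscan backend (same package as the
    # sane extraBackends entry below).
    udev.packages = [ pkgs.sane-airscan ];
  };

  hardware = {
    keyboard.qmk.enable = true;

    sane = {
      enable = true;
      extraBackends = [ pkgs.sane-airscan ];
      # Opens the scanner-discovery ports in the host firewall on every
      # interface, not only towards the scanner pinned below.
      openFirewall = true;
      netConf = "192.168.12.70";
    };
  };

  environment.systemPackages = with pkgs; [
    kanata
    nixos-rebuild-ng
    battery-monitor
    # backup
    virt-manager
  ];

  # Make sure we don't start docker until required
  systemd.services.docker.wantedBy = lib.mkForce [ ];

  # Slack Archive - daily backup of public Slack channels
  # The archive directory is owned by the service user so the oneshot below
  # can write it without running as root.
  systemd.tmpfiles.rules = [
    "d /var/lib/slack-archive 0750 vincent users -"
  ];

  systemd.services.slack-archive = {
    description = "Slack Public Channel Archiver";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];

    serviceConfig = {
      Type = "oneshot";
      User = "vincent";
      Group = "users";
      ExecStart = "${pkgs.slack-archive}/bin/slack-archive archive";
      # Non-secret settings only: `Environment=` is visible to unprivileged
      # local users through `systemctl show`. If the archiver ever needs a
      # token, hand it over with LoadCredential= or a root-only
      # EnvironmentFile= instead of adding it here.
      Environment = [
        "SLACK_ARCHIVE_DIR=/var/lib/slack-archive"
        "SLACK_ARCHIVE_HTML_DIR=/home/vincent/src/experiments/tektoncd-slack-archive"
        "HOME=/home/vincent"
        "XDG_CACHE_HOME=/home/vincent/.local/cache"
      ];

      # Security hardening: the job only talks to a remote service and writes
      # the directories listed in ReadWritePaths; everything else is read-only.
      PrivateTmp = true;
      ProtectSystem = "strict";
      ProtectHome = "read-only";
      # Entries here are writable even though the rest of /home is mapped
      # read-only above.
      ReadWritePaths = [
        "/var/lib/slack-archive"
        "/home/vincent/.local/cache/slackdump"
        "/home/vincent/.local/cache/uv"
        "/home/vincent/.local/share/uv"
        "/home/vincent/src/experiments/tektoncd-slack-archive"
      ];
      NoNewPrivileges = true;
      # Extra sandboxing that a userspace network client does not need to
      # give up anything for. If the job starts failing after an upgrade,
      # drop these one at a time rather than all at once.
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;

      # Logging
      StandardOutput = "journal";
      StandardError = "journal";
      SyslogIdentifier = "slack-archive";
    };
  };

  systemd.timers.slack-archive = {
    description = "Daily Slack Archive Timer";
    wantedBy = [ "timers.target" ];

    timerConfig = {
      OnCalendar = "daily";
      RandomizedDelaySec = 3600; # 0-1 hour random delay
      # Run a missed daily slot at the next boot instead of skipping it.
      Persistent = true;
    };
  };
}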