# NixOS module for the host "kioku" (hosts/kioku/configuration.nix).
# It sets up two accounts (root and the primary user), zram swap, Wi-Fi,
# an authenticated Samba share at /mnt/usb_share and a systemd service that
# runs a fetched usb_share.py script.
#
# `secrets` and `self` are extra module arguments supplied by the caller.
# NOTE(review): values read from `secrets` are ordinary Nix values at
# evaluation time; any of them that ends up in a generated file is copied into
# the world-readable Nix store on the host — confirm how `secrets` is provided
# and which values are acceptable to expose that way.
{
  config,
  lib,
  pkgs,
  secrets,
  self,
  ...
}:
{
  # Shared modules from this repository; `modules.primaryUser` used below is
  # presumably declared in modules/options — not visible here.
  imports = [
    "${self}/modules/core"
    "${self}/modules/options"
  ];

  config = {
    modules.primaryUser = "ebisu";
    time.timeZone = secrets.i18n.timezone;
    system.stateVersion = "24.05";
    raspberry-pi-nix.kernel-version = "v6_10_12";

    environment.systemPackages = with pkgs; [
      fastfetch
      htop
    ];

    users = {
      # Dedicated primary group named after the primary user.
      groups.${config.modules.primaryUser} = { };

      users =
        let
          # Applied to BOTH root and the primary user: the same initial
          # password hash and the same single authorized SSH key. Whoever holds
          # that key can therefore log in as root directly (see
          # PermitRootLogin below), not only as the unprivileged account.
          # initialHashedPassword only takes effect when the account is first
          # created; it does not reset a password changed later.
          defaultOptions = {
            initialHashedPassword = secrets.initial_hashed_password;
            openssh.authorizedKeys.keys = [ secrets.kioku_openssh_public_key ];
          };
        in
        {
          root = defaultOptions;

          ${config.modules.primaryUser} = defaultOptions // {
            group = config.modules.primaryUser;
            isNormalUser = true;
          };
        };
    };

    # Compressed swap in RAM. memoryMax is in bytes:
    # 268435456 = 256 * 1024 * 1024 (256 MiB); memoryPercent is a second limit
    # expressed as a share of total RAM.
    zramSwap = {
      enable = true;
      priority = 100;
      memoryMax = 268435456;
      algorithm = "lz4";
      memoryPercent = 50;
    };

    networking = {
      # mkForce overrides any other definition of this option, so the host
      # firewall is off regardless of what the imported modules set. With it
      # off, the `openFirewall = true` settings further down have nothing to
      # open: every listening service is reachable on every interface.
      # NOTE(review): confirm why this is force-disabled; leaving the firewall
      # on and relying on the per-service openFirewall options is the narrower
      # configuration.
      firewall.enable = lib.mkForce false;
      hostName = "kioku";
      useDHCP = lib.mkDefault true;

      wireless =
        let
          # Only the first entry of secrets.wifi is used.
          network = builtins.elemAt secrets.wifi 0;
        in
        {
          enable = true;
          interfaces = [ "wlan0" ];
          # The NixOS option documentation warns that `psk` is written to the
          # Nix store in plaintext. NOTE(review): on nixpkgs releases that
          # provide it, `networking.wireless.secretsFile` together with
          # `pskRaw = "ext:<name>"` keeps the passphrase out of the store.
          networks."${network.ssid}".psk = network.psk;
        };
    };

    services = {
      # root may log in over SSH with a key but never with a password.
      # sshd itself is not enabled in this file (presumably in modules/core).
      openssh.settings.PermitRootLogin = "prohibit-password";

      samba = {
        enable = true;
        # No effect while networking.firewall.enable is forced to false above.
        openFirewall = true;

        settings = {
          # Share "usb": visible in browse lists, writable, no guest access,
          # restricted to the primary user.
          usb = {
            browseable = "yes";
            path = "/mnt/usb_share";
            "guest ok" = "no";
            "read only" = "no";
            # The masks cap the permission bits Samba may set on new files and
            # directories; 777 caps nothing, so new entries can end up
            # world-writable for every local account.
            # NOTE(review): if /mnt/usb_share is a FAT image the effective
            # permissions come from the mount options instead — confirm, and
            # tighten the masks if no other local user needs write access.
            "create mask" = "777";
            "directory mask" = "777";
            "valid users" = config.modules.primaryUser;
          };
        };
      };

      # WS-Discovery responder so the host shows up in Windows network views.
      samba-wsdd = {
        enable = true;
        # No effect while the firewall is disabled (see networking above).
        openFirewall = true;
      };
    };

    # Long-running service started at boot that runs the fetched usb_share.py.
    # No User= is set, so systemd runs it as root.
    systemd.services.usbshare = {
      description = "USB Share Watchdog";
      wantedBy = [ "multi-user.target" ];

      serviceConfig =
        let
          # Third-party script fetched at build time. The URL names a specific
          # gist revision and the sha256 pins the content, so a changed
          # download fails the build instead of silently running new code.
          # Re-read the script whenever the revision or hash is bumped: it
          # executes with root privileges on this host.
          usb_share_script = pkgs.fetchurl {
            url = "https://gist.githubusercontent.com/davidhoness/0f45ef6a41bac6311614f109acbf92db/raw/970badd0ae4b097e3af8d5142e65c34b21f5cfab/usb_share.py";
            sha256 = "sha256-Z8HoOmzK3UjZac6hB3297fCDrbLwiFFNwxhqzr1WMSo";
          };
        in
        {
          # Python interpreter with the `watchdog` package, from the store.
          ExecStart = "${pkgs.python3.withPackages (ps: [ ps.watchdog ])}/bin/python3 ${usb_share_script}";
          Restart = "always";
          Type = "simple";
          # PATH is limited to kmod and coreutils; presumably the script calls
          # modprobe and basic file utilities — not visible here.
          # NOTE(review): no systemd hardening directives (NoNewPrivileges,
          # ProtectHome, ProtectSystem, ...) are set; which ones the script
          # tolerates depends on what it does — confirm against the script.
          Environment = "PATH=${pkgs.kmod}/bin:${pkgs.coreutils}/bin";
        };
    };
  };
}