nix-config/hosts/pulsebert/configuration.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

let
  ympdPort = 8080;
  mpdVhost = "mpd.hq.c3d2.de";
in {
  imports = [ # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ../../lib
    ../../lib/admins.nix
    ../../lib/hq.nix
    ./mpdConsole.nix
  ];

  c3d2 = {
    users = {
      emery = true;
      k-ot = true;
    };
    isInHq = true;
    mapHqHosts = true;
    hq = {
      interface = "eno1";
      enableMpdProxy = true;
      yggdrasi.enableGateway = true;
    };
    enableHail = true;
  };

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelPackages = pkgs.linuxPackages_4_19;

  networking.hostName = "pulsebert"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  i18n = {
    consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
    consoleKeyMap = "us";
    defaultLocale = "en_US.UTF-8";
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    # specific printer drivers for our printers
    epson-escpr
    splix
    # utilities
    nix-index
    usbutils
    tmux
    vim
    git
    openssl
    # NCurses Music Player Client (Plus Plus)
    # a commandline front-end client for mpd
    # 2019-01-21 mag vater gern gleich einen schoenen lokalen Verwaltung fuer MPD haben.
#    ncmpcpp
    home-manager
    mumble
    ncpamixer
    ffmpeg
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  # X11 Forwarding for mumble...
  programs.ssh.forwardX11 = true;
  services.openssh.forwardX11 = true;

  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [
    4713 # PulseAudio
    631 # cups
    80
    443 # Web/ympd
    5000 # shairport
    config.services.mpd.network.port
  ];
  networking.firewall.allowedUDPPorts = [ 631 ];
  networking.firewall.extraCommands = ''
    iptables -I INPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT   # zeroconf
    iptables -I OUTPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT  # zeroconf
  ''; # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # Enable CUPS to print documents.
  services.printing = {
    enable = true;
    browsing = true;
    listenAddresses = [ "*:631" ];
    defaultShared = true;
    # logLevel = "debug";
    drivers = [ pkgs.gutenprint pkgs.hplip pkgs.splix ];
    extraConf =
      ''
        DefaultAuthType Basic
        <Location />
          Order allow,deny
          Allow ALL
        </Location>
        <Location /admin>
          Order allow,deny
          Allow ALL
        </Location>
        <Location /admin/conf>
          AuthType Basic
          Require user @SYSTEM
          Order allow,deny
          Allow ALL
        </Location>
        <Policy default>
          <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
            Require user @OWNER @SYSTEM
            Order deny,allow
          </Limit>
          <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
            AuthType Basic
            Require user @SYSTEM
            Order deny,allow
          </Limit>
          <Limit Cancel-Job CUPS-Authenticate-Job>
            Require user @OWNER @SYSTEM
            Order deny,allow
          </Limit>
          <Limit All>
            Order deny,allow
          </Limit>
        </Policy>
      '';

  };

  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;
  # PulseAudio as-a-Service
  hardware.pulseaudio.systemWide = true;
  hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges = [
    "127.0.0.0/8" "::1/128"
    "172.22.99.0/24" "2a02:8106:208:5201:58::/64"
  ];
  hardware.pulseaudio.tcp.enable = true;
  hardware.pulseaudio.zeroconf.publish.enable = true;

  # tell Avahi to publish CUPS and PulseAudio
  services.avahi = {
    enable = true;
    publish.enable = true;
    publish.userServices = true;
  };

  # Enable Audio streaming for Mac clients
  services.shairport-sync.enable = true;

  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";

  # Enable touchpad support.
  # services.xserver.libinput.enable = true;

  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.sddm.enable = true;
  # services.xserver.desktopManager.plasma5.enable = true;

  security.pam.enableSSHAgentAuth = true;
  security.sudo = {
    enable = true;
    wheelNeedsPassword = false;
  };

  users.users.k-ot.extraGroups = [ "wheel" ];

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "18.09"; # Did you read the comment?

  # vater hoerte, dass menschen im space gern mpd fuer das abspielen von musik erwarten wuerden
  ####	https://nixos.org/nixos/options.html#services.mpd.enable
  # See ../../mpd.nix
  services.mpd = {
    enable = true;
    dbFile = null;
    musicDirectory = "/mnt/storage/Music";
    playlistDirectory = "/home/k-ot/Playlists";
    network.listenAddress = "any";

    extraConfig = ''
      audio_output {
        type "pulse"
        name "/proc"
      }
    '';
  };

  services.caddy = {
    enable = true;
    agree = true;
    # TODO: add auth?
    config = ''
      ${mpdVhost} {
        proxy / localhost:${toString ympdPort}
      }

      :80 {
        redir https://${mpdVhost}{uri}
      }
    '';
  };

  fileSystems."/mnt/storage" = {
    #device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool";
    #device = "storage-ng.hq.c3d2.de:/c3d2/rpool";
    device =
      "172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool";
    fsType = "ceph";
    options = [
      "rw"
      "relatime"
      "name=public"
      "secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ=="
      "acl"
      "wsize=16777216"
      "_netdev"
    ];
  };

  # MPD music playing daemon with webinterface
  services.ympd = {
    enable = true;
    webPort = toString ympdPort;
  };
  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
    ympd = ympd.overrideAttrs (oldAttrs: {
      src = fetchFromGitHub {
        owner = "c3d2";
        repo = "ympd";
        rev = "feature/somafm_browser";
        sha256 = "17x3jfys6gxghz5yp0gvd39ylvzfm59qxg75hwc5a52rj1n2jpb1";
      };
    });
  };
  programs.bash.shellAliases = {
    mpv = "mpv --no-vid";
  };

  users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
}