Diffstat (limited to 'hosts/sif/default.nix')
-rw-r--r--hosts/sif/default.nix115
1 files changed, 40 insertions, 75 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index f4de24e8..258a83f7 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
12in { 12in {
13 imports = with flake.nixosModules.systemProfiles; [ 13 imports = with flake.nixosModules.systemProfiles; [
14 ./hw.nix 14 ./hw.nix
15 ./mail ./libvirt ./greetd 15 ./email ./libvirt ./greetd
16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
18 flakeInputs.impermanence.nixosModules.impermanence
19 flakeInputs.nixVirt.nixosModules.default 18 flakeInputs.nixVirt.nixosModules.default
20 ]; 19 ];
21 20
@@ -34,6 +33,10 @@ in {
34 initrd = { 33 initrd = {
35 systemd = { 34 systemd = {
36 emergencyAccess = config.users.users.root.hashedPassword; 35 emergencyAccess = config.users.users.root.hashedPassword;
36 extraBin = {
37 "vim" = lib.getExe pkgs.vim;
38 "grep" = lib.getExe pkgs.gnugrep;
39 };
37 }; 40 };
38 luks.devices = { 41 luks.devices = {
39 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; 42 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -47,13 +50,8 @@ in {
47 50
48 blacklistedKernelModules = [ "nouveau" ]; 51 blacklistedKernelModules = [ "nouveau" ];
49 52
50 # Use the systemd-boot EFI boot loader. 53 lanzaboote.configurationLimit = 15;
51 loader = { 54 loader = {
52 systemd-boot = {
53 enable = true;
54 configurationLimit = 15;
55 netbootxyz.enable = true;
56 };
57 efi.canTouchEfiVariables = true; 55 efi.canTouchEfiVariables = true;
58 timeout = null; 56 timeout = null;
59 }; 57 };
@@ -64,19 +62,27 @@ in {
64 kernelPatches = [ 62 kernelPatches = [
65 { name = "edac-config"; 63 { name = "edac-config";
66 patch = null; 64 patch = null;
67 extraStructuredConfig = with lib.kernel; { 65 structuredExtraConfig = with lib.kernel; {
68 EDAC = yes; 66 EDAC = yes;
69 EDAC_IE31200 = yes; 67 EDAC_IE31200 = yes;
70 }; 68 };
71 } 69 }
72 { name = "zswap-default"; 70 { name = "zswap-default";
73 patch = null; 71 patch = null;
74 extraStructuredConfig = with lib.kernel; { 72 structuredExtraConfig = with lib.kernel; {
75 ZSWAP_DEFAULT_ON = yes; 73 ZSWAP_DEFAULT_ON = yes;
76 ZSWAP_SHRINKER_DEFAULT_ON = yes; 74 ZSWAP_SHRINKER_DEFAULT_ON = yes;
77 }; 75 };
78 } 76 }
79 ]; 77 ];
78 consoleLogLevel = 3;
79 kernelParams = [
80 "quiet"
81 "boot.shell_on_fail"
82 "udev.log_priority=3"
83 "rd.systemd.show_status=auto"
84 "plymouth.use-simpledrm"
85 ];
80 86
81 tmp.useTmpfs = true; 87 tmp.useTmpfs = true;
82 88
@@ -98,6 +104,8 @@ in {
98 server ptbtime2.ptb.de prefer iburst nts 104 server ptbtime2.ptb.de prefer iburst nts
99 server ptbtime3.ptb.de prefer iburst nts 105 server ptbtime3.ptb.de prefer iburst nts
100 server ptbtime4.ptb.de prefer iburst nts 106 server ptbtime4.ptb.de prefer iburst nts
107 pool ntppool1.time.nl prefer iburst nts
108 pool ntppool2.time.nl prefer iburst nts
101 109
102 authselectmode require 110 authselectmode require
103 minsources 3 111 minsources 3
@@ -130,6 +138,12 @@ in {
130 useNetworkd = true; 138 useNetworkd = true;
131 }; 139 };
132 140
141 environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
142 text = ''
143 conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
144 dnssec
145 '';
146 };
133 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { 147 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
134 text = '' 148 text = ''
135 except-interface=virbr0 149 except-interface=virbr0
@@ -372,19 +386,6 @@ in {
372 ]; 386 ];
373 387
374 services = { 388 services = {
375 uucp = {
376 enable = true;
377 nodeName = "sif";
378 remoteNodes = {
379 "ymir" = {
380 publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
381 hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
382 };
383 };
384
385 defaultCommands = lib.mkForce [];
386 };
387
388 avahi.enable = true; 389 avahi.enable = true;
389 390
390 fwupd.enable = true; 391 fwupd.enable = true;
@@ -401,10 +402,10 @@ in {
401 402
402 thinkfan.enable = true; 403 thinkfan.enable = true;
403 404
404 logind = { 405 logind.settings.Login = {
405 lidSwitch = "suspend"; 406 HandleLidSwitch = "suspend";
406 lidSwitchDocked = "lock"; 407 HandleLidSwitchDocked = "ignore";
407 lidSwitchExternalPower = "lock"; 408 HandleLidSwitchExternalPower = "ignore";
408 }; 409 };
409 410
410 atd = { 411 atd = {
@@ -446,11 +447,6 @@ in {
446 447
447 systemd.tmpfiles.settings = { 448 systemd.tmpfiles.settings = {
448 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; 449 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
449
450 # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
451 # last_user = "gkleen";
452 # user_to_last_sess.gkleen = "Niri";
453 # });
454 }; 450 };
455 451
456 users = { 452 users = {
@@ -576,10 +572,9 @@ in {
576 # setLdLibraryPath = true; 572 # setLdLibraryPath = true;
577 }; 573 };
578 574
579 firmware = [ pkgs.firmwareLinuxNonfree ]; 575 firmware = [ pkgs.linux-firmware ];
580 576
581 keyboard.uhk.enable = true; 577 keyboard.uhk.enable = true;
582 nitrokey.enable = true;
583 }; 578 };
584 579
585 # sound.enable = true; 580 # sound.enable = true;
@@ -610,25 +605,6 @@ in {
610 605
611 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; 606 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
612 607
613 systemd.services."ac-plugged" = {
614 description = "Inhibit handling of lid-switch and sleep";
615
616 path = with pkgs; [ systemd coreutils ];
617
618 script = ''
619 exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
620 '';
621
622 serviceConfig = {
623 Type = "simple";
624 };
625 };
626
627 services.udev.extraRules = with pkgs; lib.mkAfter ''
628 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
629 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
630 '';
631
632 systemd.services."nix-daemon".serviceConfig = { 608 systemd.services."nix-daemon".serviceConfig = {
633 MemoryAccounting = true; 609 MemoryAccounting = true;
634 MemoryHigh = "50%"; 610 MemoryHigh = "50%";
@@ -652,6 +628,10 @@ in {
652 dconf.enable = true; 628 dconf.enable = true;
653 niri.enable = true; 629 niri.enable = true;
654 fuse.userAllowOther = true; 630 fuse.userAllowOther = true;
631 captive-browser = {
632 enable = true;
633 interface = "wlp82s0";
634 };
655 }; 635 };
656 636
657 services.pcscd.enable = true; 637 services.pcscd.enable = true;
@@ -663,11 +643,6 @@ in {
663 group = "users"; 643 group = "users";
664 }; 644 };
665 645
666 i18n.inputMethod = {
667 enable = true;
668 type = "ibus";
669 };
670
671 environment.sessionVariables."GTK_USE_PORTAL" = "1"; 646 environment.sessionVariables."GTK_USE_PORTAL" = "1";
672 xdg.portal = { 647 xdg.portal = {
673 enable = true; 648 enable = true;
@@ -678,7 +653,7 @@ in {
678 "org.freedesktop.impl.portal.OpenFile" = ["gtk"]; 653 "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
679 "org.freedesktop.impl.portal.Access" = ["gtk"]; 654 "org.freedesktop.impl.portal.Access" = ["gtk"];
680 "org.freedesktop.impl.portal.Notification" = ["gtk"]; 655 "org.freedesktop.impl.portal.Notification" = ["gtk"];
681 "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"]; 656 "org.freedesktop.impl.portal.Secret" = ["none"];
682 "org.freedesktop.impl.portal.Inhibit" = ["none"]; 657 "org.freedesktop.impl.portal.Inhibit" = ["none"];
683 }; 658 };
684 }; 659 };
@@ -688,7 +663,7 @@ in {
688 directories = [ 663 directories = [
689 "/nix" 664 "/nix"
690 "/root" 665 "/root"
691 "/home" 666 "/home"
692 "/var/log" 667 "/var/log"
693 "/var/lib/sops-nix" 668 "/var/lib/sops-nix"
694 "/var/lib/nixos" 669 "/var/lib/nixos"
@@ -698,26 +673,16 @@ in {
698 "/var/lib/bluetooth" 673 "/var/lib/bluetooth"
699 "/var/lib/upower" 674 "/var/lib/upower"
700 "/var/lib/postfix" 675 "/var/lib/postfix"
676 "/var/lib/regreet"
701 "/etc/NetworkManager/system-connections" 677 "/etc/NetworkManager/system-connections"
702 { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; } 678 config.boot.lanzaboote.pkiBundle
703 { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
704 ]; 679 ];
705 files = [ 680 files = [
706 ]; 681 ];
682 timezone = true;
707 }; 683 };
708 684
709 systemd.services.timezone = { 685 security.pam.services.quickshell = {};
710 wantedBy = [ "multi-user.target" ];
711 serviceConfig = {
712 Type = "oneshot";
713 RemainAfterExit = true;
714 ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
715 ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
716 };
717 };
718 services.tzupdate.enable = true;
719
720 security.pam.services.gtklock = {};
721 686
722 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; 687 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
723 688
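Review bot: Closing the lid while docked or on external power now does nothing (`HandleLidSwitchDocked = "ignore"; HandleLidSwitchExternalPower = "ignore";`), where the old `lidSwitchDocked`/`lidSwitchExternalPower` values locked the session; with the `ac-plugged` inhibitor service and its udev rules also removed in this commit, a lid-closed laptop on AC is left unlocked unless niri or an idle daemon not visible here locks on lid close. If locking is intentionally moving to the compositor, a comment would stop the next reader from reading this as a silent downgrade, e.g. `# lid close on AC/docked: compositor handles locking, logind must not interfere`; otherwise `"lock"` is the drop-in replacement for both keys. Separately, `boot.shell_on_fail` in the new `kernelParams` is honoured only by the scripted stage-1; this host configures the systemd initrd (whose emergency shell is gated by `emergencyAccess`), so the flag looks inert, yet it is now baked into the signed lanzaboote command line where it cannot be removed at boot and, if the scripted initrd were ever used, would grant an unauthenticated root shell before the LUKS volumes are unlocked — dropping it costs nothing. The `kernelPatches`/`kernelParams` run continues outside the hunk, so the surrounding `boot` attribute set is not fully visible here.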