1 files changed, 32 insertions, 39 deletions

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 6214569a..258a83f7 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -13,9 +13,8 @@ in {
   imports = with flake.nixosModules.systemProfiles; [
     ./hw.nix
     ./email ./libvirt ./greetd
-    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
+    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
     flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
-    flakeInputs.impermanence.nixosModules.impermanence
     flakeInputs.nixVirt.nixosModules.default
   ];
 
@@ -34,6 +33,10 @@ in {
       initrd = {
         systemd = {
           emergencyAccess = config.users.users.root.hashedPassword;
+          extraBin = {
+            "vim" = lib.getExe pkgs.vim;
+            "grep" = lib.getExe pkgs.gnugrep;
+          };
         };
         luks.devices = {
           nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -47,13 +50,8 @@ in {
 
       blacklistedKernelModules = [ "nouveau" ];
 
-      # Use the systemd-boot EFI boot loader.
+      lanzaboote.configurationLimit = 15;
       loader = {
-        systemd-boot = {
-          enable = true;
-          configurationLimit = 15;
-          netbootxyz.enable = true;
-        };
         efi.canTouchEfiVariables = true;
         timeout = null;
       };
@@ -64,19 +62,27 @@ in {
       kernelPatches = [
         { name = "edac-config";
           patch = null;
-          extraStructuredConfig = with lib.kernel; {
+          structuredExtraConfig = with lib.kernel; {
             EDAC = yes;
             EDAC_IE31200 = yes;
           };
         }
         { name = "zswap-default";
           patch = null;
-          extraStructuredConfig = with lib.kernel; {
+          structuredExtraConfig = with lib.kernel; {
             ZSWAP_DEFAULT_ON = yes;
             ZSWAP_SHRINKER_DEFAULT_ON = yes;
           };
         }
       ];
+      consoleLogLevel = 3;
+      kernelParams = [
+        "quiet"
+        "boot.shell_on_fail"
+        "udev.log_priority=3"
+        "rd.systemd.show_status=auto"
+        "plymouth.use-simpledrm"
+      ];
 
       tmp.useTmpfs = true;
 
@@ -98,6 +104,8 @@ in {
         server ptbtime2.ptb.de prefer iburst nts
         server ptbtime3.ptb.de prefer iburst nts
         server ptbtime4.ptb.de prefer iburst nts
+        pool ntppool1.time.nl prefer iburst nts
+        pool ntppool2.time.nl prefer iburst nts
 
         authselectmode require
         minsources 3
@@ -394,10 +402,10 @@ in {
 
       thinkfan.enable = true;
 
-      logind = {
-        lidSwitch = "suspend";
-        lidSwitchDocked = "ignore";
-        lidSwitchExternalPower = "ignore";
+      logind.settings.Login = {
+        HandleLidSwitch = "suspend";
+        HandleLidSwitchDocked = "ignore";
+        HandleLidSwitchExternalPower = "ignore";
       };
 
       atd = {
@@ -439,11 +447,6 @@ in {
 
     systemd.tmpfiles.settings = {
       "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
-
-      # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
-      #   last_user = "gkleen";
-      #   user_to_last_sess.gkleen = "Niri";
-      # });
     };
 
     users = {
@@ -569,10 +572,9 @@ in {
         # setLdLibraryPath = true;
       };
 
-      firmware = [ pkgs.firmwareLinuxNonfree ];
+      firmware = [ pkgs.linux-firmware ];
 
       keyboard.uhk.enable = true;
-      nitrokey.enable = true;
     };
 
     # sound.enable = true;
@@ -626,6 +628,10 @@ in {
       dconf.enable = true;
       niri.enable = true;
       fuse.userAllowOther = true;
+      captive-browser = {
+        enable = true;
+        interface = "wlp82s0";
+      };
     };
 
     services.pcscd.enable = true;
@@ -637,11 +643,6 @@ in {
       group = "users";
     };
 
-    i18n.inputMethod = {
-      enable = true;
-      type = "ibus";
-    };
-
     environment.sessionVariables."GTK_USE_PORTAL" = "1";
     xdg.portal = {
       enable = true;
@@ -652,7 +653,7 @@ in {
         "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
         "org.freedesktop.impl.portal.Access" = ["gtk"];
         "org.freedesktop.impl.portal.Notification" = ["gtk"];
-        "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
+        "org.freedesktop.impl.portal.Secret" = ["none"];
         "org.freedesktop.impl.portal.Inhibit" = ["none"];
       };
     };
@@ -672,24 +673,16 @@ in {
         "/var/lib/bluetooth"
         "/var/lib/upower"
         "/var/lib/postfix"
+        "/var/lib/regreet"
         "/etc/NetworkManager/system-connections"
+        config.boot.lanzaboote.pkiBundle
       ];
       files = [
       ];
+      timezone = true;
     };
 
-    systemd.services.timezone = {
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-        ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
-        ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
-      };
-    };
-    services.tzupdate.enable = true;
-
-    security.pam.services.gtklock = {};
+    security.pam.services.quickshell = {};
 
     home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];