diff options
Diffstat (limited to 'hosts/sif/default.nix')
| -rw-r--r-- | hosts/sif/default.nix | 78 |
1 files changed, 28 insertions, 50 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index f4de24e8..b436542f 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix | |||
| @@ -12,8 +12,8 @@ let | |||
| 12 | in { | 12 | in { |
| 13 | imports = with flake.nixosModules.systemProfiles; [ | 13 | imports = with flake.nixosModules.systemProfiles; [ |
| 14 | ./hw.nix | 14 | ./hw.nix |
| 15 | ./mail ./libvirt ./greetd | 15 | ./email ./libvirt ./greetd |
| 16 | tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager | 16 | tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote |
| 17 | flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 | 17 | flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 |
| 18 | flakeInputs.impermanence.nixosModules.impermanence | 18 | flakeInputs.impermanence.nixosModules.impermanence |
| 19 | flakeInputs.nixVirt.nixosModules.default | 19 | flakeInputs.nixVirt.nixosModules.default |
| @@ -34,6 +34,10 @@ in { | |||
| 34 | initrd = { | 34 | initrd = { |
| 35 | systemd = { | 35 | systemd = { |
| 36 | emergencyAccess = config.users.users.root.hashedPassword; | 36 | emergencyAccess = config.users.users.root.hashedPassword; |
| 37 | extraBin = { | ||
| 38 | "vim" = lib.getExe pkgs.vim; | ||
| 39 | "grep" = lib.getExe pkgs.gnugrep; | ||
| 40 | }; | ||
| 37 | }; | 41 | }; |
| 38 | luks.devices = { | 42 | luks.devices = { |
| 39 | nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; | 43 | nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; |
| @@ -47,13 +51,8 @@ in { | |||
| 47 | 51 | ||
| 48 | blacklistedKernelModules = [ "nouveau" ]; | 52 | blacklistedKernelModules = [ "nouveau" ]; |
| 49 | 53 | ||
| 50 | # Use the systemd-boot EFI boot loader. | 54 | lanzaboote.configurationLimit = 15; |
| 51 | loader = { | 55 | loader = { |
| 52 | systemd-boot = { | ||
| 53 | enable = true; | ||
| 54 | configurationLimit = 15; | ||
| 55 | netbootxyz.enable = true; | ||
| 56 | }; | ||
| 57 | efi.canTouchEfiVariables = true; | 56 | efi.canTouchEfiVariables = true; |
| 58 | timeout = null; | 57 | timeout = null; |
| 59 | }; | 58 | }; |
| @@ -77,6 +76,14 @@ in { | |||
| 77 | }; | 76 | }; |
| 78 | } | 77 | } |
| 79 | ]; | 78 | ]; |
| 79 | consoleLogLevel = 3; | ||
| 80 | kernelParams = [ | ||
| 81 | "quiet" | ||
| 82 | "boot.shell_on_fail" | ||
| 83 | "udev.log_priority=3" | ||
| 84 | "rd.systemd.show_status=auto" | ||
| 85 | "plymouth.use-simpledrm" | ||
| 86 | ]; | ||
| 80 | 87 | ||
| 81 | tmp.useTmpfs = true; | 88 | tmp.useTmpfs = true; |
| 82 | 89 | ||
| @@ -98,6 +105,8 @@ in { | |||
| 98 | server ptbtime2.ptb.de prefer iburst nts | 105 | server ptbtime2.ptb.de prefer iburst nts |
| 99 | server ptbtime3.ptb.de prefer iburst nts | 106 | server ptbtime3.ptb.de prefer iburst nts |
| 100 | server ptbtime4.ptb.de prefer iburst nts | 107 | server ptbtime4.ptb.de prefer iburst nts |
| 108 | pool ntppool1.time.nl prefer iburst nts | ||
| 109 | pool ntppool2.time.nl prefer iburst nts | ||
| 101 | 110 | ||
| 102 | authselectmode require | 111 | authselectmode require |
| 103 | minsources 3 | 112 | minsources 3 |
| @@ -130,6 +139,12 @@ in { | |||
| 130 | useNetworkd = true; | 139 | useNetworkd = true; |
| 131 | }; | 140 | }; |
| 132 | 141 | ||
| 142 | environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = { | ||
| 143 | text = '' | ||
| 144 | conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf | ||
| 145 | dnssec | ||
| 146 | ''; | ||
| 147 | }; | ||
| 133 | environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { | 148 | environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { |
| 134 | text = '' | 149 | text = '' |
| 135 | except-interface=virbr0 | 150 | except-interface=virbr0 |
| @@ -372,19 +387,6 @@ in { | |||
| 372 | ]; | 387 | ]; |
| 373 | 388 | ||
| 374 | services = { | 389 | services = { |
| 375 | uucp = { | ||
| 376 | enable = true; | ||
| 377 | nodeName = "sif"; | ||
| 378 | remoteNodes = { | ||
| 379 | "ymir" = { | ||
| 380 | publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"]; | ||
| 381 | hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"]; | ||
| 382 | }; | ||
| 383 | }; | ||
| 384 | |||
| 385 | defaultCommands = lib.mkForce []; | ||
| 386 | }; | ||
| 387 | |||
| 388 | avahi.enable = true; | 390 | avahi.enable = true; |
| 389 | 391 | ||
| 390 | fwupd.enable = true; | 392 | fwupd.enable = true; |
| @@ -403,8 +405,8 @@ in { | |||
| 403 | 405 | ||
| 404 | logind = { | 406 | logind = { |
| 405 | lidSwitch = "suspend"; | 407 | lidSwitch = "suspend"; |
| 406 | lidSwitchDocked = "lock"; | 408 | lidSwitchDocked = "ignore"; |
| 407 | lidSwitchExternalPower = "lock"; | 409 | lidSwitchExternalPower = "ignore"; |
| 408 | }; | 410 | }; |
| 409 | 411 | ||
| 410 | atd = { | 412 | atd = { |
| @@ -446,11 +448,6 @@ in { | |||
| 446 | 448 | ||
| 447 | systemd.tmpfiles.settings = { | 449 | systemd.tmpfiles.settings = { |
| 448 | "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; | 450 | "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; |
| 449 | |||
| 450 | # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" { | ||
| 451 | # last_user = "gkleen"; | ||
| 452 | # user_to_last_sess.gkleen = "Niri"; | ||
| 453 | # }); | ||
| 454 | }; | 451 | }; |
| 455 | 452 | ||
| 456 | users = { | 453 | users = { |
| @@ -610,25 +607,6 @@ in { | |||
| 610 | 607 | ||
| 611 | environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; | 608 | environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; |
| 612 | 609 | ||
| 613 | systemd.services."ac-plugged" = { | ||
| 614 | description = "Inhibit handling of lid-switch and sleep"; | ||
| 615 | |||
| 616 | path = with pkgs; [ systemd coreutils ]; | ||
| 617 | |||
| 618 | script = '' | ||
| 619 | exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity | ||
| 620 | ''; | ||
| 621 | |||
| 622 | serviceConfig = { | ||
| 623 | Type = "simple"; | ||
| 624 | }; | ||
| 625 | }; | ||
| 626 | |||
| 627 | services.udev.extraRules = with pkgs; lib.mkAfter '' | ||
| 628 | SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service" | ||
| 629 | SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service" | ||
| 630 | ''; | ||
| 631 | |||
| 632 | systemd.services."nix-daemon".serviceConfig = { | 610 | systemd.services."nix-daemon".serviceConfig = { |
| 633 | MemoryAccounting = true; | 611 | MemoryAccounting = true; |
| 634 | MemoryHigh = "50%"; | 612 | MemoryHigh = "50%"; |
| @@ -688,7 +666,7 @@ in { | |||
| 688 | directories = [ | 666 | directories = [ |
| 689 | "/nix" | 667 | "/nix" |
| 690 | "/root" | 668 | "/root" |
| 691 | "/home" | 669 | "/home" |
| 692 | "/var/log" | 670 | "/var/log" |
| 693 | "/var/lib/sops-nix" | 671 | "/var/lib/sops-nix" |
| 694 | "/var/lib/nixos" | 672 | "/var/lib/nixos" |
| @@ -698,9 +676,9 @@ in { | |||
| 698 | "/var/lib/bluetooth" | 676 | "/var/lib/bluetooth" |
| 699 | "/var/lib/upower" | 677 | "/var/lib/upower" |
| 700 | "/var/lib/postfix" | 678 | "/var/lib/postfix" |
| 679 | "/var/lib/regreet" | ||
| 701 | "/etc/NetworkManager/system-connections" | 680 | "/etc/NetworkManager/system-connections" |
| 702 | { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; } | 681 | config.boot.lanzaboote.pkiBundle |
| 703 | { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; } | ||
| 704 | ]; | 682 | ]; |
| 705 | files = [ | 683 | files = [ |
| 706 | ]; | 684 | ]; |