Diffstat (limited to 'hosts/sif/default.nix')
-rw-r--r--hosts/sif/default.nix149
1 files changed, 40 insertions, 109 deletions
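diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 0897e1d8..258a83f7 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
 in {
 imports = with flake.nixosModules.systemProfiles; [
 ./hw.nix
-./mail ./libvirt ./greetd
-tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
+./email ./libvirt ./greetd
+tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
-flakeInputs.impermanence.nixosModules.impermanence
 flakeInputs.nixVirt.nixosModules.default
 ];
 
@@ -34,6 +33,10 @@ in {
 initrd = {
 systemd = {
 emergencyAccess = config.users.users.root.hashedPassword;
+extraBin = {
+"vim" = lib.getExe pkgs.vim;
+"grep" = lib.getExe pkgs.gnugrep;
+};
 };
 luks.devices = {
 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -47,13 +50,8 @@ in {
 
 blacklistedKernelModules = [ "nouveau" ];
 
-# Use the systemd-boot EFI boot loader.
+lanzaboote.configurationLimit = 15;
 loader = {
-systemd-boot = {
-enable = true;
-configurationLimit = 15;
-netbootxyz.enable = true;
-};
 efi.canTouchEfiVariables = true;
 timeout = null;
 };
@@ -64,19 +62,27 @@ in {
 kernelPatches = [
 { name = "edac-config";
 patch = null;
-extraStructuredConfig = with lib.kernel; {
+structuredExtraConfig = with lib.kernel; {
 EDAC = yes;
 EDAC_IE31200 = yes;
 };
 }
 { name = "zswap-default";
 patch = null;
-extraStructuredConfig = with lib.kernel; {
+structuredExtraConfig = with lib.kernel; {
 ZSWAP_DEFAULT_ON = yes;
 ZSWAP_SHRINKER_DEFAULT_ON = yes;
 };
 }
 ];
+consoleLogLevel = 3;
+kernelParams = [
+"quiet"
+"boot.shell_on_fail"
+"udev.log_priority=3"
+"rd.systemd.show_status=auto"
+"plymouth.use-simpledrm"
+];
 
 tmp.useTmpfs = true;
 
@@ -98,6 +104,8 @@ in {
 server ptbtime2.ptb.de prefer iburst nts
 server ptbtime3.ptb.de prefer iburst nts
 server ptbtime4.ptb.de prefer iburst nts
+pool ntppool1.time.nl prefer iburst nts
+pool ntppool2.time.nl prefer iburst nts
 
 authselectmode require
 minsources 3
@@ -126,40 +134,16 @@ in {
 rulesetFile = ./ruleset.nft;
 };
 
-# firewall = {
-# enable = true;
-# allowedTCPPorts = [ 22 # ssh
-# 8000 # quickserve
-# ];
-# };
-
-# wlanInterfaces = {
-# wlan0 = {
-# device = "wlp82s0";
-# };
-# };
-
-# bonds = {
-# "lan" = {
-# interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
-# driverOptions = {
-# miimon = "1000";
-# mode = "active-backup";
-# primary_reselect = "always";
-# };
-# };
-# };
-
 useDHCP = false;
 useNetworkd = true;
-
-# interfaces."tinc.yggdrasil" = {
-# virtual = true;
-# virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
-# macAddress = "5c:93:21:c3:61:39";
-# };
 };
 
+environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
+text = ''
+conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
+dnssec
+'';
+};
 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
 text = ''
 except-interface=virbr0
@@ -402,19 +386,6 @@ in {
 ];
 
 services = {
-uucp = {
-enable = true;
-nodeName = "sif";
-remoteNodes = {
-"ymir" = {
-publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
-hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-};
-};
-
-defaultCommands = lib.mkForce [];
-};
-
 avahi.enable = true;
 
 fwupd.enable = true;
@@ -431,10 +402,10 @@ in {
 
 thinkfan.enable = true;
 
-logind = {
-lidSwitch = "suspend";
-lidSwitchDocked = "lock";
-lidSwitchExternalPower = "lock";
+logind.settings.Login = {
+HandleLidSwitch = "suspend";
+HandleLidSwitchDocked = "ignore";
+HandleLidSwitchExternalPower = "ignore";
 };
 
 atd = {
@@ -476,11 +447,6 @@ in {
 
 systemd.tmpfiles.settings = {
 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
-
-# "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
-# last_user = "gkleen";
-# user_to_last_sess.gkleen = "Niri";
-# });
 };
 
 users = {
@@ -606,10 +572,9 @@ in {
 # setLdLibraryPath = true;
 };
 
-firmware = [ pkgs.firmwareLinuxNonfree ];
+firmware = [ pkgs.linux-firmware ];
 
 keyboard.uhk.enable = true;
-nitrokey.enable = true;
 };
 
 # sound.enable = true;
@@ -640,25 +605,6 @@ in {
 
 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
 
-systemd.services."ac-plugged" = {
-description = "Inhibit handling of lid-switch and sleep";
-
-path = with pkgs; [ systemd coreutils ];
-
-script = ''
-exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
-'';
-
-serviceConfig = {
-Type = "simple";
-};
-};
-
-services.udev.extraRules = with pkgs; lib.mkAfter ''
-SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
-SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
-'';
-
 systemd.services."nix-daemon".serviceConfig = {
 MemoryAccounting = true;
 MemoryHigh = "50%";
@@ -682,6 +628,10 @@ in {
 dconf.enable = true;
 niri.enable = true;
 fuse.userAllowOther = true;
+captive-browser = {
+enable = true;
+interface = "wlp82s0";
+};
 };
 
 services.pcscd.enable = true;
@@ -693,11 +643,6 @@ in {
 group = "users";
 };
 
-i18n.inputMethod = {
-enable = true;
-type = "ibus";
-};
-
 environment.sessionVariables."GTK_USE_PORTAL" = "1";
 xdg.portal = {
 enable = true;
@@ -708,7 +653,7 @@ in {
 "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
 "org.freedesktop.impl.portal.Access" = ["gtk"];
 "org.freedesktop.impl.portal.Notification" = ["gtk"];
-"org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
+"org.freedesktop.impl.portal.Secret" = ["none"];
 "org.freedesktop.impl.portal.Inhibit" = ["none"];
 };
 };
@@ -718,7 +663,7 @@ in {
 directories = [
 "/nix"
 "/root"
 "/home"
 "/var/log"
 "/var/lib/sops-nix"
 "/var/lib/nixos"
@@ -728,33 +673,19 @@ in {
 "/var/lib/bluetooth"
 "/var/lib/upower"
 "/var/lib/postfix"
+"/var/lib/regreet"
 "/etc/NetworkManager/system-connections"
-{ directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; }
-{ directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
+config.boot.lanzaboote.pkiBundle
 ];
 files = [
 ];
+timezone = true;
 };
 
-systemd.services.timezone = {
-wantedBy = [ "multi-user.target" ];
-serviceConfig = {
-Type = "oneshot";
-RemainAfterExit = true;
-ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
-ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
-};
-};
-services.tzupdate.enable = true;
-
-security.pam.services.gtklock = {};
+security.pam.services.quickshell = {};
 
 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
 
-environment.pathsToLink = [
-"share/zsh"
-];
-
 system.stateVersion = "24.11";
 };
 }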
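Review bot: The logind hunk (new lines 405–409) changes lid-close while docked and while on external power from `lock` to `ignore`, and the same commit removes the `ac-plugged` inhibitor service, so a docked laptop with the lid shut is now left unlocked at the console rather than locked as before; if the goal was only to stop suspending, `HandleLidSwitchDocked = "lock"; HandleLidSwitchExternalPower = "lock";` keeps the screen-lock without reintroducing the inhibitor. The new `"boot.shell_on_fail"` kernel parameter (new line 81) also deserves a comment: as far as I know only the scripted stage-1 parses it, and since `initrd.systemd.emergencyAccess` is set to the root password hash this host appears to use systemd stage-1, where the emergency shell is already password-gated — so the parameter is either a no-op or, if stage-1 is scripted, an unauthenticated root shell in the initrd that sits oddly next to the new Secure Boot (lanzaboote) setup. Finally, `config.boot.lanzaboote.pkiBundle` (new line 678) is persisted as a bare path, whereas the removed uucp entries pinned user/group/mode; that directory holds the Secure Boot signing keys, so it is worth confirming the persisted copy keeps root-only permissions or giving it an explicit `{ directory = …; mode = "0700"; }` entry.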