Diffstat (limited to 'hosts/sif/default.nix')
| -rw-r--r-- | hosts/sif/default.nix | 94 |
1 files changed, 39 insertions, 55 deletions
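--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
 in {
 imports = with flake.nixosModules.systemProfiles; [
 ./hw.nix
-./mail ./libvirt ./greetd
-tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
+./email ./libvirt ./greetd
+tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
-flakeInputs.impermanence.nixosModules.impermanence
 flakeInputs.nixVirt.nixosModules.default
 ];
 
@@ -34,6 +33,10 @@ in {
 initrd = {
 systemd = {
 emergencyAccess = config.users.users.root.hashedPassword;
+extraBin = {
+"vim" = lib.getExe pkgs.vim;
+"grep" = lib.getExe pkgs.gnugrep;
+};
 };
 luks.devices = {
 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -47,13 +50,8 @@ in {
 
 blacklistedKernelModules = [ "nouveau" ];
 
-# Use the systemd-boot EFI boot loader.
+lanzaboote.configurationLimit = 15;
 loader = {
-systemd-boot = {
-enable = true;
-configurationLimit = 15;
-netbootxyz.enable = true;
-};
 efi.canTouchEfiVariables = true;
 timeout = null;
 };
@@ -64,19 +62,27 @@ in {
 kernelPatches = [
 { name = "edac-config";
 patch = null;
-extraStructuredConfig = with lib.kernel; {
+structuredExtraConfig = with lib.kernel; {
 EDAC = yes;
 EDAC_IE31200 = yes;
 };
 }
 { name = "zswap-default";
 patch = null;
-extraStructuredConfig = with lib.kernel; {
+structuredExtraConfig = with lib.kernel; {
 ZSWAP_DEFAULT_ON = yes;
 ZSWAP_SHRINKER_DEFAULT_ON = yes;
 };
 }
 ];
+consoleLogLevel = 3;
+kernelParams = [
+"quiet"
+"boot.shell_on_fail"
+"udev.log_priority=3"
+"rd.systemd.show_status=auto"
+"plymouth.use-simpledrm"
+];
 
 tmp.useTmpfs = true;
 
@@ -98,6 +104,8 @@ in {
 server ptbtime2.ptb.de prefer iburst nts
 server ptbtime3.ptb.de prefer iburst nts
 server ptbtime4.ptb.de prefer iburst nts
+pool ntppool1.time.nl prefer iburst nts
+pool ntppool2.time.nl prefer iburst nts
 
 authselectmode require
 minsources 3
@@ -130,6 +138,12 @@ in {
 useNetworkd = true;
 };
 
+environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
+text = ''
+conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
+dnssec
+'';
+};
 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
 text = ''
 except-interface=virbr0
@@ -372,19 +386,6 @@ in {
 ];
 
 services = {
-uucp = {
-enable = true;
-nodeName = "sif";
-remoteNodes = {
-"ymir" = {
-publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
-hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-};
-};
-
-defaultCommands = lib.mkForce [];
-};
-
 avahi.enable = true;
 
 fwupd.enable = true;
@@ -401,10 +402,10 @@ in {
 
 thinkfan.enable = true;
 
-logind = {
-lidSwitch = "suspend";
-lidSwitchDocked = "ignore";
-lidSwitchExternalPower = "ignore";
+logind.settings.Login = {
+HandleLidSwitch = "suspend";
+HandleLidSwitchDocked = "ignore";
+HandleLidSwitchExternalPower = "ignore";
 };
 
 atd = {
@@ -446,11 +447,6 @@ in {
 
 systemd.tmpfiles.settings = {
 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
-
-# "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
-# last_user = "gkleen";
-# user_to_last_sess.gkleen = "Niri";
-# });
 };
 
 users = {
@@ -576,10 +572,9 @@ in {
 # setLdLibraryPath = true;
 };
 
-firmware = [ pkgs.firmwareLinuxNonfree ];
+firmware = [ pkgs.linux-firmware ];
 
 keyboard.uhk.enable = true;
-nitrokey.enable = true;
 };
 
 # sound.enable = true;
@@ -633,6 +628,10 @@ in {
 dconf.enable = true;
 niri.enable = true;
 fuse.userAllowOther = true;
+captive-browser = {
+enable = true;
+interface = "wlp82s0";
+};
 };
 
 services.pcscd.enable = true;
@@ -644,11 +643,6 @@ in {
 group = "users";
 };
 
-i18n.inputMethod = {
-enable = true;
-type = "ibus";
-};
-
 environment.sessionVariables."GTK_USE_PORTAL" = "1";
 xdg.portal = {
 enable = true;
@@ -659,7 +653,7 @@ in {
 "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
 "org.freedesktop.impl.portal.Access" = ["gtk"];
 "org.freedesktop.impl.portal.Notification" = ["gtk"];
-"org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
+"org.freedesktop.impl.portal.Secret" = ["none"];
 "org.freedesktop.impl.portal.Inhibit" = ["none"];
 };
 };
@@ -679,26 +673,16 @@ in {
 "/var/lib/bluetooth"
 "/var/lib/upower"
 "/var/lib/postfix"
+"/var/lib/regreet"
 "/etc/NetworkManager/system-connections"
-{ directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; }
-{ directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
+config.boot.lanzaboote.pkiBundle
 ];
 files = [
 ];
+timezone = true;
 };
 
-systemd.services.timezone = {
-wantedBy = [ "multi-user.target" ];
-serviceConfig = {
-Type = "oneshot";
-RemainAfterExit = true;
-ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
-ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
-};
-};
-services.tzupdate.enable = true;
-
-security.pam.services.gtklock = {};
+security.pam.services.quickshell = {};
 
 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
 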
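Review bot: The new persistence entry `config.boot.lanzaboote.pkiBundle` in the last hunk (`@@ -679,26 +673,16 @@`) is a bare path, whereas the uucp entries it replaces carried explicit `user`/`group`/`mode`; that directory holds the Secure Boot signing keys, so its ownership and mode on the persisted volume should be pinned rather than left to the persistence module's default for bare paths (root-owned 0755, if I remember the defaults correctly). I would write it as `{ directory = config.boot.lanzaboote.pkiBundle; user = "root"; group = "root"; mode = "0700"; }` to match the form of the removed entries. The `directories = [` list this sits in opens before the hunk. Separately, in the `kernelParams` hunk, `"boot.shell_on_fail"` is a scripted-stage-1 parameter; with the systemd initrd configured earlier in the file (`initrd.systemd.emergencyAccess`) it may have no effect, so it is worth confirming it does what is intended or dropping it.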
