1 files changed, 28 insertions, 42 deletions

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b50cad60..ed85ca17 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
 in {
   imports = with flake.nixosModules.systemProfiles; [
     ./hw.nix
-    ./mail ./libvirt ./greetd
-    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
+    ./email ./libvirt ./greetd
+    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
     flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
-    flakeInputs.impermanence.nixosModules.impermanence
     flakeInputs.nixVirt.nixosModules.default
   ];
 
@@ -34,6 +33,10 @@ in {
       initrd = {
         systemd = {
           emergencyAccess = config.users.users.root.hashedPassword;
+          extraBin = {
+            "vim" = lib.getExe pkgs.vim;
+            "grep" = lib.getExe pkgs.gnugrep;
+          };
         };
         luks.devices = {
           nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -47,13 +50,8 @@ in {
 
       blacklistedKernelModules = [ "nouveau" ];
 
-      # Use the systemd-boot EFI boot loader.
+      lanzaboote.configurationLimit = 15;
       loader = {
-        systemd-boot = {
-          enable = true;
-          configurationLimit = 15;
-          netbootxyz.enable = true;
-        };
         efi.canTouchEfiVariables = true;
         timeout = null;
       };
@@ -64,19 +62,27 @@ in {
       kernelPatches = [
         { name = "edac-config";
           patch = null;
-          extraStructuredConfig = with lib.kernel; {
+          structuredExtraConfig = with lib.kernel; {
             EDAC = yes;
             EDAC_IE31200 = yes;
           };
         }
         { name = "zswap-default";
           patch = null;
-          extraStructuredConfig = with lib.kernel; {
+          structuredExtraConfig = with lib.kernel; {
             ZSWAP_DEFAULT_ON = yes;
             ZSWAP_SHRINKER_DEFAULT_ON = yes;
           };
         }
       ];
+      consoleLogLevel = 3;
+      kernelParams = [
+        "quiet"
+        "boot.shell_on_fail"
+        "udev.log_priority=3"
+        "rd.systemd.show_status=auto"
+        "plymouth.use-simpledrm"
+      ];
 
       tmp.useTmpfs = true;
 
@@ -98,6 +104,8 @@ in {
         server ptbtime2.ptb.de prefer iburst nts
         server ptbtime3.ptb.de prefer iburst nts
         server ptbtime4.ptb.de prefer iburst nts
+        pool ntppool1.time.nl prefer iburst nts
+        pool ntppool2.time.nl prefer iburst nts
 
         authselectmode require
         minsources 3
@@ -130,6 +138,12 @@ in {
       useNetworkd = true;
     };
 
+    environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
+      text = ''
+        conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
+        dnssec
+      '';
+    };
     environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
       text = ''
         except-interface=virbr0
@@ -372,19 +386,6 @@ in {
     ];
 
     services = {
-      uucp = {
-        enable = true;
-        nodeName = "sif";
-        remoteNodes = {
-          "ymir" = {
-            publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
-            hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-          };
-        };
-
-        defaultCommands = lib.mkForce [];
-      };
-
       avahi.enable = true;
 
       fwupd.enable = true;
@@ -446,11 +447,6 @@ in {
 
     systemd.tmpfiles.settings = {
       "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
-
-      # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
-      #   last_user = "gkleen";
-      #   user_to_last_sess.gkleen = "Niri";
-      # });
     };
 
     users = {
@@ -679,25 +675,15 @@ in {
         "/var/lib/bluetooth"
         "/var/lib/upower"
         "/var/lib/postfix"
+        "/var/lib/regreet"
         "/etc/NetworkManager/system-connections"
-        { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; }
-        { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
+        config.boot.lanzaboote.pkiBundle
       ];
       files = [
       ];
+      timezone = true;
     };
 
-    systemd.services.timezone = {
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-        ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
-        ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
-      };
-    };
-    services.tzupdate.enable = true;
-
     security.pam.services.gtklock = {};
 
     home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];