# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
#
# NOTE(review): despite the banner above, this file has clearly been
# hand-extended (let-bindings, mount hardening, LUKS/YubiKey, ZFS layout).
# A re-run of nixos-generate-config would discard those edits, so treat
# the banner as stale and keep this file under version control.
{
  config,
  lib,
  pkgs,
  modulesPath,
  ...
}:

let
  # tmpfs used as the nix-daemon's TMPDIR (see systemd.services.nix-daemon below);
  # it is the one scratch mount in this file that is deliberately mounted exec.
  nix_build = "/nix/build-sandbox";
  # ZFS-backed persistence root; everything under "/" is tmpfs and is lost on
  # reboot unless it lives (or is bind-mounted from) this path.
  persist = "/nix/persist";
in

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

  # Modules made available (not necessarily loaded) in the initrd for storage/USB.
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "nvme"
    "usbhid"
    "uas"
    "sd_mod"
    # "kvm-intel"
  ];
  # Modules loaded unconditionally in the initrd. "zfs" is needed before the
  # root-era datasets below can be imported; the nls_* modules are needed to
  # mount the vfat /boot. "usbhid"/"nvme" repeat entries from the list above,
  # which is harmless.
  boot.initrd.kernelModules = [
    "zfs"
    "nls_cp437"
    "nls_iso8859-1"
    "usbhid"
    "usb_storage"
    "nvme"
  ];

  # Modules loaded in stage 2. NOTE(review): tmpfs is normally built into the
  # kernel rather than a loadable module, so the "tmpfs" entry is presumably a
  # no-op — verify with `modinfo tmpfs` on the target.
  boot.kernelModules = [
    "tmpfs"
    "iwlwifi"
    "iwlmvm"
    "mac80211"
    "bluetooth"
    "cfg80211"
  ]; # "kvm-intel"
  # Disables 802.11ax (Wi-Fi 6) in the Intel wireless driver; presumably a
  # stability workaround — the reason is not recorded here.
  boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";

  # The next three settings (lockKernelModules, protectKernelImage,
  # memoryAllocator.provider further down) are the knobs the NixOS hardened
  # profile turns on; setting them back reads as selective opt-outs from that
  # profile. NOTE(review): presumably the hardened profile is imported from
  # configuration.nix — confirm, otherwise these lines are mostly redundant.
  # Leaving module loading unlocked means modules can still be loaded after
  # boot (e.g. for hot-plugged hardware), which is the portability trade-off
  # the comment refers to.
  security.lockKernelModules = false; # PAIN on an intended-portable setup
  # security.protectKernelImage = false;

  # Answer to the TODO: the module system merges list-typed `options` by
  # concatenation, so this appends "noexec" to the module's default /dev/shm
  # options rather than replacing them (the defaults still carry nosuid/nodev).
  # Confirm on a running system with `findmnt /dev/shm`.
  boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?

  # Because "/" is a tmpfs (see fileSystems."/" below), /mnt does not survive a
  # reboot; recreate it root-owned and 755 at boot so only root can create
  # mount points there.
  systemd.tmpfiles.settings."mount"."/mnt".d = {
    group = "root";
    mode = "755";
    user = "root";
  };

  boot.zfs = {
    # Do not force-import the root pool; a pool that was last imported on
    # another host will fail to import instead of being taken over.
    forceImportRoot = false;
    # Encrypted user homes are unlocked by security.pam.zfs at login (below),
    # so no key is requested in the initrd.
    requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
  };

  boot.supportedFilesystems.zfs = true;
  # ZFS pools record the host ID they were imported on; changing this value
  # makes the existing pool look foreign and blocks import without -f.
  networking.hostId = "40fa5ea8";
  # NOTE(review): the commented alternative selects the newest kernel the ZFS
  # module supports; that attribute has been deprecated in recent nixpkgs —
  # verify before re-enabling it.
  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  # Pinned to the 6.6 LTS series so the out-of-tree ZFS module keeps building;
  # bumping this pin must be checked against the ZFS package's supported range.
  boot.kernelPackages = pkgs.linuxPackages_6_6;
  boot.extraModulePackages = [ ];
  services.homed.enable = true;

  # Ephemeral root: a 2G tmpfs with mode 755 so unprivileged users cannot write
  # to "/" itself. noexec/nosuid keep it from being used as a drop zone for
  # executables. NOTE(review): "nodev" is left commented without a recorded
  # reason; /dev is its own mount, so enabling it would presumably be harmless — verify.
  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "defaults"
      "size=2G"
      "mode=755"
      "noexec"
      "nosuid"
      # "nodev"
    ];
  };

  # Persistent state lives here and is bind-mounted to its real paths below;
  # nothing under it should need to be executable.
  fileSystems."${persist}" = {
    device = "zpool/persistent";
    fsType = "zfs";
    options = [
      "noexec"
      "nosuid"
      "nodev"
    ];
  };

  # Keep the machine-id stable across boots of the tmpfs root (journald and
  # other systemd components key persistent state off it).
  environment.etc."machine-id".source = "${persist}/etc/machine-id";
  # Explicitly selects glibc malloc; see the hardened-profile note above.
  environment.memoryAllocator.provider = "libc";

  # Earlier variant that bind-mounted /nix/var from the persist dataset; kept
  # for reference, superseded by the self-bind below.
  # fileSystems."/nix/var" = {
  #   device = "${persist}/nix/var";
  #   options = [
  #     "bind"
  #     "noexec"
  #     "nosuid"
  #     "nodev"
  #   ];
  # };

  # Self bind-mount: re-mounts /nix/var over itself so noexec/nosuid/nodev can
  # be applied to it while the parent /nix stays exec (the store must remain
  # executable). Presumably ordered after the /nix mount by path prefix — confirm
  # with `systemctl list-dependencies nix-var.mount` if mounts ever race.
  fileSystems."/nix/var" = {
    device = "/nix/var";
    options = [
      "bind"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };

  # Wi-Fi profiles (which may contain PSKs) persist via bind mount; keep them
  # non-executable. Ownership/permissions of the backing directory under
  # ${persist} are not set here — NetworkManager expects it root-only.
  fileSystems."/etc/NetworkManager/system-connections" = {
    device = "${persist}/etc/NetworkManager/system-connections";
    options = [
      "bind"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };

  # The store is the one ZFS dataset that must be executable. "exec"/"suid"/"dev"
  # are the mount defaults; listing them makes the intent explicit.
  # NOTE(review): store paths do not carry setuid bits (setuid wrappers live
  # under /run/wrappers), so "nosuid" here would likely be harmless — verify
  # before tightening.
  fileSystems."/nix" = {
    device = "zpool/nix";
    fsType = "zfs";
    options = [
      "exec"
      "suid"
      "dev"
    ];
  };

  fileSystems."/var" = {
    device = "zpool/var";
    fsType = "zfs";
    options = [
      "noexec"
      "nosuid"
      "nodev"
    ];
  };

  # Build scratch space for the nix-daemon (its TMPDIR, set below). Builds run
  # freshly compiled tools, so this tmpfs is mounted exec; nosuid/nodev still
  # apply. "size=30%" is a fraction of RAM.
  fileSystems."${nix_build}" = {
    # can execute
    device = "none";
    fsType = "tmpfs";
    options = [
      "defaults"
      "size=30%"
      "mode=755"
      "exec"
      "nosuid"
      "nodev"
    ];
  };

  # Point the daemon's temporary directory at the exec-capable tmpfs above
  # (the default /tmp location lives on the noexec root).
  systemd.services.nix-daemon.environment.TMPDIR = nix_build;

  # System configuration dataset. NOTE(review): "noacl" is passed to the zfs
  # mount; whether ACLs are wanted here is not recorded — confirm against the
  # dataset's acltype property.
  fileSystems."/etc/nixos" = {
    device = "zpool/nix_conf";
    fsType = "zfs";
    options = [
      "noacl"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };

  # ESP. NOTE(review): fmask/dmask=0022 are followed by umask=077; the fat
  # option parser applies options in order and umask sets both masks, so the
  # effective masks are 077 and the two 0022 entries are dead. That is the
  # tighter (desired) setting — the ESP can hold boot-time secrets such as the
  # bootloader random seed — so drop the 0022 entries to make it explicit.
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/12CE-A600";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
      "umask=077"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };

  # Options of a custom module (grimmShared) defined elsewhere in this
  # configuration; display layout and laptop hardware toggles.
  grimmShared = {
    screens = {
      external = {
        id = "HDMI-A-1";
        pos = "0 0";
      };

      internal = {
        id = "eDP-1";
        fps = [
          144
          60
        ];
      };
    };
    laptop_hardware.enable = true;
  };

  # Disabled mount of the unencrypted partition that also holds the YubiKey
  # salt (same UUID as boot.initrd.luks.devices."root".yubikey.storage below).
  # fileSystems."/crypt-storage" =
  # { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
  #   fsType = "ext4";
  #   options = [ "umask=077" ]; # read only so a fat-finger can't accidentally bonk our salts, rendering the disk useless.
  # };

  # Superseded by security.pam.zfs below, which mounts per-user datasets at login.
  # fileSystems."/home/grimmauld" =
  # { device = "zpool/home/grimmauld";
  #   fsType = "zfs";
  # };

  # Load the user's encrypted home dataset key from the login password via PAM;
  # this is what allows requestEncryptionCredentials = false in the initrd.
  security.pam = {
    zfs = {
      enable = true;
      homes = "zpool/home";
    };
  };

  boot.initrd.luks.yubikeySupport = true; # enable yubikey support

  # Root LUKS container, unlocked in the initrd with a YubiKey challenge-response
  # second factor.
  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
    preLVM = true;
    # Passes TRIM through the encrypted device; the NixOS option documents that
    # this reveals free-space patterns of the encrypted filesystem. Accepted
    # here for SSD health — a deliberate confidentiality/performance trade-off.
    allowDiscards = true;

    yubikey = {
      slot = 2;
      # Two-factor: the passphrase is combined with the YubiKey response;
      # losing either means the container cannot be opened.
      twoFactor = true; # Set to false for 1FA
      gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
      # keyLength/saltLength must match the values used when the slot was
      # enrolled (the $KEY_LENGTH/$SALT_LENGTH variables of the enrolment script).
      keyLength = 64; # Set to $KEY_LENGTH/8
      saltLength = 16; # Set to $SALT_LENGTH

      # Unencrypted partition holding the salt/iteration file read in the initrd.
      # Corrupting it bricks the container (see the crypt-storage comment above);
      # it is not mounted during normal operation.
      storage = {
        device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
        fsType = "ext4";
        path = "/default";
      };
    };
  };

  # No swap configured. NOTE(review): swap on a ZFS zvol is presumably what
  # was tried and abandoned here; if swap is re-added it should sit on the
  # encrypted device so page contents are not written in the clear.
  swapDevices = [
    #{
    # device = "zpool/swap";
    # device = "/dev/zvol/zpool/swap";
    #}
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = "x86_64-linux";
  # Apply Intel microcode updates whenever redistributable firmware is enabled
  # (mkDefault so configuration.nix can still override it).
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}