grimm-nixos-laptop/specific/grimm-nixos-ssd/hardware-configuration.nix

288 lines
6.2 KiB
Nix
Raw Normal View History

2024-11-26 19:20:10 +01:00
{
config,
lib,
pkgs,
modulesPath,
...
}:
2024-09-08 21:05:56 +02:00
2024-12-27 15:25:49 +01:00
let
nix_build = "/nix/build-sandbox";
persist = "/nix/persist";
tmp-exec = "/tmp-exec";
2024-12-27 15:25:49 +01:00
in
2024-09-08 21:05:56 +02:00
{
2024-11-26 19:20:10 +01:00
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
2024-09-08 21:05:56 +02:00
2024-11-26 19:20:10 +01:00
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"uas"
"sd_mod"
2024-12-27 15:25:49 +01:00
# "kvm-intel"
2024-11-26 19:20:10 +01:00
];
boot.initrd.kernelModules = [
"zfs"
"nls_cp437"
"nls_iso8859-1"
"usbhid"
"usb_storage"
"nvme"
];
2024-12-27 22:59:07 +01:00
boot.kernelModules = [
"iwlwifi"
"iwlmvm"
"mac80211"
"bluetooth"
"cfg80211"
2025-01-08 19:06:22 +01:00
"kvm-intel"
];
2024-12-27 22:59:07 +01:00
boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.kernelParams = [ "nosgx" ];
2024-12-27 22:59:07 +01:00
security.lockKernelModules = false; # PAIN on an intended-portable setup
# security.protectKernelImage = false;
boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
boot.loader.systemd-boot.consoleMode = "auto";
2024-12-27 22:59:07 +01:00
2024-12-29 14:17:01 +01:00
systemd.tmpfiles.settings."mount"."/mnt".d = {
group = "root";
mode = "755";
user = "root";
};
2024-09-08 21:05:56 +02:00
boot.zfs = {
forceImportRoot = false;
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
};
2024-12-27 15:25:49 +01:00
2024-09-08 21:05:56 +02:00
boot.supportedFilesystems.zfs = true;
networking.hostId = "40fa5ea8";
2024-10-05 12:11:14 +02:00
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelPackages = pkgs.linuxPackages_6_12;
2024-09-08 21:05:56 +02:00
boot.extraModulePackages = [ ];
services.homed.enable = true;
2024-11-26 19:20:10 +01:00
fileSystems."/" = {
2024-12-27 15:25:49 +01:00
device = "none";
fsType = "tmpfs";
2024-12-27 22:59:07 +01:00
options = [
"defaults"
"size=2G"
"mode=755"
"noexec"
2024-12-29 14:17:01 +01:00
"nosuid"
"nodev"
2024-12-27 22:59:07 +01:00
];
2024-12-27 15:25:49 +01:00
};
fileSystems."${persist}" = {
device = "zpool/persistent";
2024-11-26 19:20:10 +01:00
fsType = "zfs";
2024-12-29 14:17:01 +01:00
options = [
"noexec"
"nosuid"
"nodev"
];
2024-12-27 15:25:49 +01:00
};
2025-01-03 15:57:36 +01:00
environment.etc =
lib.genAttrs
[
"machine-id"
"ssh/ssh_host_ed25519_key"
"ssh/ssh_host_ed25519_key.pub"
"ssh/ssh_host_rsa_key"
"ssh/ssh_host_rsa_key.pub"
]
(n: {
source = "${persist}/etc/${n}";
});
2024-12-27 22:59:07 +01:00
environment.memoryAllocator.provider = "libc";
2024-12-27 15:25:49 +01:00
fileSystems."/nix/var" = {
2024-12-29 14:17:01 +01:00
device = "/nix/var";
2024-12-27 22:59:07 +01:00
options = [
"bind"
"noexec"
2024-12-29 14:17:01 +01:00
"nosuid"
"nodev"
2024-12-27 22:59:07 +01:00
];
2024-11-26 19:20:10 +01:00
};
2024-12-27 22:59:07 +01:00
2024-12-27 15:42:56 +01:00
fileSystems."/etc/NetworkManager/system-connections" = {
device = "${persist}/etc/NetworkManager/system-connections";
2024-12-27 22:59:07 +01:00
options = [
"bind"
"noexec"
2024-12-29 14:17:01 +01:00
"nosuid"
"nodev"
2024-12-27 22:59:07 +01:00
];
2024-12-27 15:42:56 +01:00
};
2024-09-08 21:05:56 +02:00
2024-11-26 19:20:10 +01:00
fileSystems."/nix" = {
device = "zpool/nix";
fsType = "zfs";
2024-12-29 14:17:01 +01:00
options = [
"exec"
"suid"
"nodev"
2024-12-29 14:17:01 +01:00
];
2024-11-26 19:20:10 +01:00
};
2024-09-08 21:05:56 +02:00
2024-11-26 19:20:10 +01:00
fileSystems."/var" = {
device = "zpool/var";
fsType = "zfs";
2024-12-29 14:17:01 +01:00
options = [
"noexec"
"nosuid"
"nodev"
];
2024-11-26 19:20:10 +01:00
};
2024-09-08 21:05:56 +02:00
2024-12-27 22:59:07 +01:00
fileSystems."${nix_build}" = {
# can execute
device = "zpool/nix-build";
fsType = "zfs";
options = [
"exec"
"nosuid"
"nodev"
];
};
fileSystems."${tmp-exec}" = {
2024-12-27 22:59:07 +01:00
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=2G"
2024-12-27 22:59:07 +01:00
"exec"
2024-12-29 14:17:01 +01:00
"nosuid"
"nodev"
"mode=1777"
2024-12-27 22:59:07 +01:00
];
2024-12-27 15:25:49 +01:00
};
2025-01-03 15:57:36 +01:00
# environment.sessionVariables."java.io.tmpdir" = tmp-exec;
# systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
2025-01-03 15:57:36 +01:00
systemd.tmpfiles.rules = [
"D! ${nix_build} 0755 root root"
2025-01-12 19:10:42 +01:00
"D! /var/cache 0755 root root"
"D! /var/.Trash-0 0755 root root"
"D! /var/tmp 0755 root root"
2025-01-03 15:57:36 +01:00
# "D! /root 0700 root root"
];
2024-12-27 15:25:49 +01:00
systemd.services.nix-daemon.environment.TMPDIR = nix_build;
2024-11-26 19:20:10 +01:00
fileSystems."/etc/nixos" = {
device = "zpool/nix_conf";
fsType = "zfs";
2024-12-27 15:25:49 +01:00
options = [
"noacl"
"noexec"
2024-12-29 14:17:01 +01:00
"nosuid"
"nodev"
2024-12-27 15:25:49 +01:00
];
2024-11-26 19:20:10 +01:00
};
2024-09-08 21:05:56 +02:00
2024-11-26 19:20:10 +01:00
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"umask=077"
2024-12-27 15:25:49 +01:00
"noexec"
2024-12-29 14:17:01 +01:00
"nosuid"
"nodev"
2024-11-26 19:20:10 +01:00
];
2025-01-03 15:57:36 +01:00
# noCheck = true;
# neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
2024-11-26 19:20:10 +01:00
};
2024-09-08 21:05:56 +02:00
grimmShared = {
screens = {
external = {
id = "HDMI-A-1";
pos = "0 0";
};
internal = {
id = "eDP-1";
fps = [
144
60
];
};
};
laptop_hardware.enable = true;
};
2024-11-26 19:20:10 +01:00
# fileSystems."/crypt-storage" =
# { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
# fsType = "ext4";
# options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
# };
2024-09-08 21:05:56 +02:00
security.pam = {
zfs = {
enable = true;
homes = "zpool/home";
};
};
boot.initrd.luks.yubikeySupport = true; # enable yubikey support
boot.initrd.luks.reusePassphrases = false;
2024-09-08 21:05:56 +02:00
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
preLVM = true;
allowDiscards = true;
2024-11-26 19:20:10 +01:00
2024-09-08 21:05:56 +02:00
yubikey = {
slot = 2;
twoFactor = true; # Set to false for 1FA
gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
keyLength = 64; # Set to $KEY_LENGTH/8
saltLength = 16; # Set to $SALT_LENGTH
2024-11-26 19:20:10 +01:00
2024-09-08 21:05:56 +02:00
storage = {
device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
fsType = "ext4";
path = "/default";
};
};
};
2024-11-23 17:06:12 +01:00
swapDevices = [
#{
2024-11-26 19:20:10 +01:00
# device = "zpool/swap";
2024-11-23 17:06:12 +01:00
# device = "/dev/zvol/zpool/swap";
#}
];
2024-09-08 21:05:56 +02:00
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}