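# Host hardware/storage configuration.
#
# Layout: an ephemeral tmpfs root with ZFS datasets mounted for the state
# that must survive a reboot, a LUKS-encrypted root unlocked with a YubiKey
# challenge-response, and mount-option hardening applied uniformly
# (noexec/nosuid/nodev) with a small number of deliberate "exec" mounts.
{ config, lib, pkgs, modulesPath, ... }:
let
  # Scratch space for nix builds; the only non-/nix mount that allows exec.
  nix_build = "/nix/build-sandbox";
  # Persistent dataset that backs /etc secrets and NetworkManager profiles.
  persist = "/nix/persist";
  # World-writable tmpfs that allows exec (for tools that must run from tmp).
  tmp-exec = "/tmp-exec";
in
{
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "nvme"
    "usbhid"
    "uas"
    "sd_mod"
    # "kvm-intel"
  ];
  boot.initrd.kernelModules = [
    "zfs"
    "nls_cp437"
    "nls_iso8859-1"
    "usbhid"
    "usb_storage"
    "nvme"
  ];
  boot.kernelModules = [
    "iwlwifi"
    "iwlmvm"
    "mac80211"
    "bluetooth"
    "cfg80211"
    "kvm-intel"
  ];
  boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.kernelParams = [ "nosgx" ];

  # Module loading stays unlocked after boot: this machine is meant to be
  # carried between docks/peripherals, so the module set cannot be frozen.
  security.lockKernelModules = false; # PAIN on an intended-portable setup
  # security.protectKernelImage = false;

  # `options` is a list-typed option, so this should be merged with the
  # module's default /dev/shm options rather than replace them.
  boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work? (check the live mount options for /dev/shm)
  boot.loader.systemd-boot.consoleMode = "auto";

  systemd.tmpfiles.settings."mount"."/mnt".d = {
    group = "root";
    mode = "755";
    user = "root";
  };

  boot.zfs = {
    forceImportRoot = false;
    # None of the zfs datasets that should be mounted are encrypted;
    # user homes are handled later (see security.pam.zfs below).
    requestEncryptionCredentials = false;
  };
  boot.supportedFilesystems.zfs = true;
  networking.hostId = "40fa5ea8";

  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  boot.kernelPackages = pkgs.linuxPackages_6_12;
  boot.extraModulePackages = [ ];

  services.homed.enable = true;

  # Ephemeral root: everything not explicitly persisted is gone at reboot.
  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [ "defaults" "size=2G" "mode=755" "noexec" "nosuid" "nodev" ];
  };

  fileSystems."${persist}" = {
    device = "zpool/persistent";
    fsType = "zfs";
    options = [ "noexec" "nosuid" "nodev" ];
  };

  # Machine identity and SSH host keys are symlinked from the persistent
  # dataset. NOTE(review): the private key files presumably need to keep
  # restrictive modes on ${persist} — verify they are not group/world readable.
  environment.etc = lib.genAttrs [
    "machine-id"
    "ssh/ssh_host_ed25519_key"
    "ssh/ssh_host_ed25519_key.pub"
    "ssh/ssh_host_rsa_key"
    "ssh/ssh_host_rsa_key.pub"
  ] (n: { source = "${persist}/etc/${n}"; });

  environment.memoryAllocator.provider = "libc";

  # Self-bind so noexec/nosuid/nodev can be applied to /nix/var without
  # affecting the rest of /nix.
  fileSystems."/nix/var" = {
    device = "/nix/var";
    options = [ "bind" "noexec" "nosuid" "nodev" ];
  };
  fileSystems."/etc/NetworkManager/system-connections" = {
    device = "${persist}/etc/NetworkManager/system-connections";
    options = [ "bind" "noexec" "nosuid" "nodev" ];
  };

  # The store must be executable. NOTE(review): store paths carry no setuid
  # bits and NixOS setuid wrappers live on /run/wrappers, so "suid" here may be
  # unnecessary — confirm before tightening to "nosuid".
  fileSystems."/nix" = {
    device = "zpool/nix";
    fsType = "zfs";
    options = [ "exec" "suid" "nodev" ];
  };
  fileSystems."/var" = {
    device = "zpool/var";
    fsType = "zfs";
    options = [ "noexec" "nosuid" "nodev" ];
  };
  fileSystems."${nix_build}" = {
    # can execute (build sandboxes need it), but never setuid or device nodes
    device = "zpool/nix-build";
    fsType = "zfs";
    options = [ "exec" "nosuid" "nodev" ];
  };
  # World-writable exec scratch (mode 1777). nosuid/nodev are kept so a
  # binary dropped here cannot gain privilege through setuid or device nodes.
  fileSystems."${tmp-exec}" = {
    device = "none";
    fsType = "tmpfs";
    options = [ "defaults" "size=2G" "exec" "nosuid" "nodev" "mode=1777" ];
  };
  # environment.sessionVariables."java.io.tmpdir" = tmp-exec;
  # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";

  # Age-based cleanup of caches and scratch directories.
  systemd.tmpfiles.rules = [
    "D! ${nix_build} 0755 root root 7d"
    "D! /var/cache 0755 root root 7d"
    "e! /var/.Trash-0 0755 root root 14d"
    "D! /var/tmp 0755 root root 14d"
    # "D! /root 0700 root root"
  ];

  # Per-user cleanup rules, generated for each listed account from its home path.
  systemd.user.tmpfiles.users =
    let
      forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
    in
    lib.mergeAttrsList (
      forEachUser (
        name: user: {
          "${name}".rules = [
            # "d /home/${user}/Downloads - - - 14d"
            "e ${user.home}/.vim/undodir - - - 7d"
            "d ${user.home}/.cache - - - 7d"
            "e ${user.home}/.java - - - 7d"
            "e ${user.home}/.gradle - - - 7d"
            "e ${user.home}/.cargo - - - 7d"
            "e ${user.home}/.rustup - - - 7d"
            "e ${user.home}/.templateengine - - - 7d"
            "e ${user.home}/.sane - - - 7d"
            "e ${user.home}/.dotnet - - - 7d"
            "e ${user.home}/.nuget - - - 7d"
            # "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
          ];
        }
      )
    );

  # Builds run out of the exec-capable sandbox dataset rather than /tmp.
  systemd.services.nix-daemon.environment.TMPDIR = nix_build;

  fileSystems."/etc/nixos" = {
    device = "zpool/nix_conf";
    fsType = "zfs";
    options = [ "noacl" "noexec" "nosuid" "nodev" ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/12CE-A600";
    fsType = "vfat";
    # Root-only access to the ESP (umask=077 sets both fmask and dmask).
    # The previous "fmask=0022" "dmask=0022" entries were dropped: vfat applies
    # mask options in the order given, so the trailing umask=077 already
    # overrode them and the effective permissions are unchanged.
    options = [ "umask=077" "noexec" "nosuid" "nodev" ];
    # noCheck = true;
    # neededForBoot = true; # FIXME: this is a hack. Without this, the disk times out...
  };

  grimmShared = {
    screens = {
      external = {
        id = "HDMI-A-1";
        pos = "0 0";
      };
      internal = {
        id = "eDP-1";
        fps = [ 144 60 ];
      };
    };
    laptop_hardware.enable = true;
  };

  # fileSystems."/crypt-storage" =
  #   { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
  #     fsType = "ext4";
  #     options = [ "umask=077" ]; # read only so a fat-finger can't accidentally bonk our salts, rendering the disk useless.
  #   };

  # User home datasets are mounted at login via pam_zfs (encryption
  # credentials are provided by the login password, not at boot).
  security.pam = {
    zfs = {
      enable = true;
      homes = "zpool/home";
    };
  };

  boot.initrd.systemd.enable = false; # breaks with luks
  system.etc.overlay.enable = false; # requires systemd initrd
  boot.initrd.luks.yubikeySupport = true; # enable yubikey support
  # Each LUKS device gets its own passphrase prompt; nothing is cached.
  boot.initrd.luks.reusePassphrases = false;
  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
    preLVM = true;
    # TRIM is passed through to the encrypted device. Deliberate trade-off:
    # it can reveal which blocks are unused to someone holding the raw disk.
    allowDiscards = true;
    yubikey = {
      slot = 2;
      twoFactor = true; # Set to false for 1FA
      gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
      keyLength = 64; # Set to $KEY_LENGTH/8
      saltLength = 16; # Set to $SALT_LENGTH
      # Salt storage is a separate unencrypted partition; losing or corrupting
      # it makes the root device undecryptable (see the commented mount above).
      storage = {
        device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
        fsType = "ext4";
        path = "/default";
      };
    };
  };

  swapDevices = [
    #{
    #  device = "zpool/swap";
    #  device = "/dev/zvol/zpool/swap";
    #}
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}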