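# Hardware configuration for this host.
#
# This file started life as the output of `nixos-generate-config`, but it is
# now hand-maintained (tmpfs root + ZFS persistence, LUKS/YubiKey unlock,
# mount hardening). Re-running `nixos-generate-config` WILL overwrite it:
# diff the generated output against this file instead of replacing it.
{ config, lib, pkgs, modulesPath, ... }:

let
  # Executable tmpfs used as the nix-daemon's TMPDIR. Every other writable
  # mount below is noexec, so builds need one place where binaries may run.
  nix_build = "/nix/build-sandbox";
  # Persistent ZFS dataset. / is a tmpfs, so anything that must survive a
  # reboot lives here or is bind-mounted from here.
  persist = "/nix/persist";
in
{
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "nvme"
    "usbhid"
    "uas"
    "sd_mod"
    # "kvm-intel"
  ];
  boot.initrd.kernelModules = [
    "zfs"
    "nls_cp437"
    "nls_iso8859-1"
    "usbhid"
    "usb_storage"
    "nvme"
  ];
  boot.kernelModules = [
    "tmpfs"
    "iwlwifi"
    "iwlmvm"
    "mac80211"
    "bluetooth"
    "cfg80211"
  ]; # "kvm-intel"
  boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";

  # Module loading stays enabled after boot. Trade-off: it keeps a portable
  # setup usable on unfamiliar hardware, but a root compromise can then load
  # arbitrary kernel modules at runtime. Revisit once the hardware set settles.
  security.lockKernelModules = false; # PAIN on an intended-portable setup
  # security.protectKernelImage = false;

  # NixOS already mounts /dev/shm with nosuid,nodev; list-typed options merge,
  # so this should add noexec on top. Verify after boot: `findmnt /dev/shm`.
  boot.specialFileSystems."/dev/shm".options = [ "noexec" ];

  systemd.tmpfiles.settings."mount"."/mnt".d = {
    group = "root";
    mode = "755";
    user = "root";
  };

  boot.zfs = {
    forceImportRoot = false;
    # None of the datasets mounted at boot are encrypted. Encrypted user homes
    # are unlocked later at login via pam_zfs_key (security.pam.zfs below).
    requestEncryptionCredentials = false;
  };
  boot.supportedFilesystems.zfs = true;
  networking.hostId = "40fa5ea8";
  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  # Pinned LTS branch so the out-of-tree ZFS module keeps building; bump on
  # purpose rather than letting it drift.
  boot.kernelPackages = pkgs.linuxPackages_6_6;
  boot.extraModulePackages = [ ];

  # NOTE(review): homed and pam_zfs_key both manage per-user home unlocking;
  # confirm a given user is owned by only one of them.
  services.homed.enable = true;

  # Ephemeral root: anything not mounted/bound from ${persist} below is gone
  # after a reboot.
  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "defaults"
      "size=2G"
      "mode=755"
      "noexec"
      "nosuid"
      # "nodev"  # disabled upstream; without it device nodes can be created on /
    ];
  };

  fileSystems."${persist}" = {
    device = "zpool/persistent";
    fsType = "zfs";
    options = [ "noexec" "nosuid" "nodev" ];
  };
  environment.etc."machine-id".source = "${persist}/etc/machine-id";
  environment.memoryAllocator.provider = "libc";

  # Earlier attempt: keep /nix/var on the persistent dataset instead.
  # fileSystems."/nix/var" = {
  #   device = "${persist}/nix/var";
  #   options = [ "bind" "noexec" "nosuid" "nodev" ];
  # };
  # Self-bind purely to apply noexec,nosuid,nodev to the daemon state tree.
  fileSystems."/nix/var" = {
    device = "/nix/var";
    options = [ "bind" "noexec" "nosuid" "nodev" ];
  };

  # NetworkManager connection profiles (contain Wi-Fi PSKs/VPN secrets) are
  # persisted; the dataset they come from is already noexec,nosuid,nodev.
  fileSystems."/etc/NetworkManager/system-connections" = {
    device = "${persist}/etc/NetworkManager/system-connections";
    options = [ "bind" "noexec" "nosuid" "nodev" ];
  };

  # The store is the one mount that must allow exec/suid/dev (e.g. for
  # setuid wrappers' sources and store-contained device files).
  fileSystems."/nix" = {
    device = "zpool/nix";
    fsType = "zfs";
    options = [ "exec" "suid" "dev" ];
  };

  fileSystems."/var" = {
    device = "zpool/var";
    fsType = "zfs";
    options = [ "noexec" "nosuid" "nodev" ];
  };

  # Build scratch space: exec is required, suid/dev are not.
  fileSystems."${nix_build}" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "defaults"
      "size=30%"
      "mode=755"
      "exec"
      "nosuid"
      "nodev"
    ];
  };
  systemd.services.nix-daemon.environment.TMPDIR = nix_build;

  fileSystems."/etc/nixos" = {
    device = "zpool/nix_conf";
    fsType = "zfs";
    options = [ "noacl" "noexec" "nosuid" "nodev" ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/12CE-A600";
    fsType = "vfat";
    # umask=077 keeps kernels/initrds (and anything initrd secrets drop here)
    # unreadable by non-root. The former fmask=0022/dmask=0022 entries were
    # dead: vfat's umask= sets both masks and the last option listed wins.
    options = [ "umask=077" "noexec" "nosuid" "nodev" ];
  };

  grimmShared = {
    screens = {
      external = {
        id = "HDMI-A-1";
        pos = "0 0";
      };
      internal = {
        id = "eDP-1";
        fps = [ 144 60 ];
      };
    };
    laptop_hardware.enable = true;
  };

  # Disabled: intended to expose the YubiKey salt partition read-only so a
  # fat-finger can't clobber the salts and render the disk unusable.
  # Note that ext4 has no umask= mount option (that is vfat-only); use "ro"
  # and directory mode bits instead if this is revived.
  # fileSystems."/crypt-storage" = {
  #   device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
  #   fsType = "ext4";
  #   options = [ "umask=077" ];
  # };

  # fileSystems."/home/grimmauld" = {
  #   device = "zpool/home/grimmauld";
  #   fsType = "zfs";
  # };

  # Per-user encrypted home datasets under zpool/home are unlocked with the
  # login password at PAM time.
  security.pam = {
    zfs = {
      enable = true;
      homes = "zpool/home";
    };
  };

  boot.initrd.luks.yubikeySupport = true; # enable yubikey support
  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
    preLVM = true;
    # TRIM passthrough reveals which blocks of the encrypted device are unused
    # (filesystem layout/usage) to anyone with the raw disk; accepted here for
    # SSD longevity.
    allowDiscards = true;
    yubikey = {
      slot = 2;
      # false = YubiKey only (1FA): whoever holds the key and this disk can
      # unlock it without a passphrase.
      twoFactor = true;
      gracePeriod = 30; # seconds to wait for the YubiKey to be inserted
      keyLength = 64; # Set to $KEY_LENGTH/8
      saltLength = 16; # Set to $SALT_LENGTH
      # Unencrypted partition holding the challenge salt. NixOS's YubiKey
      # initrd rotates the salt after each successful unlock, so it must be
      # writable from the initrd; the running system need not mount it at all.
      storage = {
        device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
        fsType = "ext4";
        path = "/default";
      };
    };
  };

  swapDevices = [
    # { device = "zpool/swap"; }
    # { device = "/dev/zvol/zpool/swap"; }
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted
  # networking (the default) this is the recommended approach. When using
  # systemd-networkd it's still possible to use this option, but it's
  # recommended to use it in conjunction with explicit per-interface
  # declarations with `networking.interfaces.<name>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}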