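# Do not modify this file!  It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
#
# NOTE(review): the LUKS/YubiKey, PAM-ZFS and grimmShared settings below do not
# look like generator output, so this file appears to carry hand edits. Re-running
# nixos-generate-config would drop them, including the disk-unlock settings.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" "kvm-intel" ];
  boot.initrd.kernelModules = [ "zfs" "nls_cp437" "nls_iso8859-1" "usbhid" "usb_storage" "nvme" ];
  boot.zfs = {
    # Never import the root pool with force; a pool last used by another host
    # is then refused rather than imported silently.
    forceImportRoot = false;
    requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
    # [
    #   "zpool/home"
    #   "zpool/root"
    #   "zpool/nix"
    #   "zpool/var"
    # ];
  };
  boot.kernelModules = [ "kvm-intel" ];
  boot.supportedFilesystems.zfs = true;
  # ZFS needs a stable per-machine hostId to tie pool imports to this host.
  networking.hostId = "40fa5ea8";
  # Kernel is pinned to the 6.6 series; the commented line would instead track
  # the newest kernel the ZFS package supports.
  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  boot.kernelPackages = pkgs.linuxPackages_6_6;
  boot.extraModulePackages = [ ];
  # Full MDS (Microarchitectural Data Sampling) mitigation, with SMT switched
  # off so sibling hyper-threads cannot share the affected CPU buffers.
  boot.kernelParams = [ "mds=full,nosmt" ];
  services.homed.enable = true;

  fileSystems."/" =
    { device = "zpool/root";
      fsType = "zfs";
    };

  fileSystems."/nix" =
    { device = "zpool/nix";
      fsType = "zfs";
    };

  fileSystems."/var" =
    { device = "zpool/var";
      fsType = "zfs";
    };

  fileSystems."/etc/nixos" =
    { device = "zpool/nix_conf";
      fsType = "zfs";
      # Mounted without POSIX ACLs, so only the plain mode bits apply here.
      options = [ "noacl" ];
    };

  # fileSystems."/home" =
  #   { device = "zpool/home";
  #     fsType = "zfs";
  #   };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/12CE-A600";
      fsType = "vfat";
      # FAT stores no permissions, so these masks are the only access control
      # on the ESP. The previous list set fmask=0022/dmask=0022 and then
      # umask=077, which contradict each other; the result depended on option
      # order (the trailing umask appears to have been the one in effect;
      # confirm with `findmnt /boot`). The restrictive masks are now stated
      # directly so the ESP contents are accessible to root only.
      options = [ "fmask=0077" "dmask=0077" ];
    };

  # Options of a module defined outside this file (not visible here).
  grimmShared = {
    screens = {
      external = {
        id = "HDMI-A-1";
        pos = "0 0";
      };

      internal = {
        id = "eDP-1";
        fps = [
          144
          60
        ];
      };
    };
    laptop_hardware.enable = true;
  };

  # fileSystems."/crypt-storage" =
  #   { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
  #     fsType = "ext4";
  #     options = [ "umask=077" ]; # read only so a fat-finger can't accidentally bonk our salts, rendering the disk useless.
  #   };

  # fileSystems."/home/grimmauld" =
  #   { device = "zpool/home/grimmauld";
  #     fsType = "zfs";
  #   };

  # Encrypted per-user home datasets under zpool/home are unlocked through PAM
  # at login, which is why the initrd does not request ZFS credentials above.
  security.pam = {
    zfs = {
      enable = true;
      homes = "zpool/home";
    };
  };

  boot.initrd.luks.yubikeySupport = true; # enable yubikey support

  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
    preLVM = true;
    # Passes TRIM/discard through dm-crypt. Anyone who can read the raw device
    # can then tell which blocks are unused. Presumably enabled for SSD
    # performance; confirm the trade-off is intended.
    allowDiscards = true;

    yubikey = {
      slot = 2;
      twoFactor = true; # Set to false for 1FA
      gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
      keyLength = 64; # Set to $KEY_LENGTH/8
      saltLength = 16; # Set to $SALT_LENGTH

      # Unencrypted partition read in stage 1 to fetch the salt for the
      # challenge. Per the note on the disabled /crypt-storage mount, losing
      # or corrupting this data makes the disk unusable, so keep writes to it
      # rare and hold an offline copy.
      storage = {
        device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
        fsType = "ext4";
        path = "/default";
      };
    };
  };

  swapDevices = [
    #{
    #  device = "zpool/swap";
    #  device = "/dev/zvol/zpool/swap";
    #}
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}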