grimm-nixos-laptop/specific/grimm-nixos-ssd/hardware-configuration.nix


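# Started life as nixos-generate-config output, but has since been hand-edited
# extensively (mount hardening, ZFS layout, LUKS + YubiKey unlock). Re-running
# the generator would overwrite it, so treat this file as the source of truth
# and keep it under version control rather than regenerating it.
{
  config,
  lib,
  pkgs,
  modulesPath,
  ...
}:
let
  # Scratch tree for nix-daemon builds; besides /nix and the tmp-exec tmpfs it
  # is the only writable mount that allows exec (see fileSystems below).
  nix_build = "/nix/build-sandbox";
  # Persistent state that survives the tmpfs root.
  persist = "/nix/persist";
  # World-writable tmpfs that allows exec, for programs that must run code out
  # of a temp directory while "/" itself stays noexec.
  tmp-exec = "/tmp-exec";
in
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "nvme"
    "usbhid"
    "uas"
    "sd_mod"
    # "kvm-intel"
  ];
  # Loaded unconditionally in the initrd: ZFS for the root pool, the nls_*
  # tables for the vfat ESP, USB/NVMe so the YubiKey and disks are reachable.
  boot.initrd.kernelModules = [
    "zfs"
    "nls_cp437"
    "nls_iso8859-1"
    "usbhid"
    "usb_storage"
    "nvme"
  ];
  boot.kernelModules = [
    "iwlwifi"
    "iwlmvm"
    "mac80211"
    "bluetooth"
    "cfg80211"
  ]; # "kvm-intel"
  # Turns off 802.11ax (Wi-Fi 6) in iwlwifi; the reason is not recorded here —
  # presumably a stability workaround for this card.
  boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
  # Run aarch64-linux binaries through user-mode emulation (cross builds).
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  # Disable Intel SGX enclave support in the kernel.
  boot.kernelParams = [ "nosgx" ];
  # Modules stay loadable after boot so the same config can follow the machine
  # onto different hardware.
  security.lockKernelModules = false; # PAIN on an intended-portable setup
  # security.protectKernelImage = false;
  # Adds noexec to the /dev/shm mount options provided by the systemd module
  # (list-typed option definitions merge, so the defaults should be kept).
  # TODO: verify on the live system with `findmnt /dev/shm`.
  boot.specialFileSystems."/dev/shm".options = [ "noexec" ];
  boot.loader.systemd-boot.consoleMode = "auto";
  # Make sure /mnt exists and is root-owned 0755 before anything mounts there.
  systemd.tmpfiles.settings."mount"."/mnt".d = {
    group = "root";
    mode = "755";
    user = "root";
  };
  boot.zfs = {
    forceImportRoot = false;
    requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
  };
  boot.supportedFilesystems.zfs = true;
  # Stable host id recorded in the ZFS pool; must not change between boots.
  networking.hostId = "40fa5ea8";
  # The commented alternative would track the newest kernel the ZFS module
  # supports; the kernel is pinned instead.
  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  boot.kernelPackages = pkgs.linuxPackages_6_12;
  boot.extraModulePackages = [ ];
  # systemd-homed manages user accounts/homes.
  services.homed.enable = true;

  # Root is a 2 GiB tmpfs that is empty on every boot; noexec/nosuid/nodev so
  # nothing staged there can be executed. Everything that must persist is
  # bind-mounted or symlinked from ${persist} below.
  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "defaults"
      "size=2G"
      "mode=755"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };
  # Persistent state dataset; data only, so no exec.
  fileSystems."${persist}" = {
    device = "zpool/persistent";
    fsType = "zfs";
    options = [
      "noexec"
      "nosuid"
      "nodev"
    ];
  };
  # machine-id lives on the persistent dataset so it survives the tmpfs root.
  environment.etc."machine-id".source = "${persist}/etc/machine-id";
  # Explicitly glibc's allocator (the NixOS default); presumably here to
  # override a hardened profile's choice — confirm against the rest of the config.
  environment.memoryAllocator.provider = "libc";
  # /nix as a whole must allow exec (the store), so /nix/var is bind-mounted
  # over itself to take exec/suid away from the mutable part of /nix.
  fileSystems."/nix/var" = {
    device = "/nix/var";
    options = [
      "bind"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };
  # Saved Wi-Fi/VPN profiles (incl. secrets) come from the persistent dataset.
  fileSystems."/etc/NetworkManager/system-connections" = {
    device = "${persist}/etc/NetworkManager/system-connections";
    options = [
      "bind"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };
  # The store: exec and suid are required here; nodev is still safe.
  fileSystems."/nix" = {
    device = "zpool/nix";
    fsType = "zfs";
    options = [
      "exec"
      "suid"
      "nodev"
    ];
  };
  fileSystems."/var" = {
    device = "zpool/var";
    fsType = "zfs";
    options = [
      "noexec"
      "nosuid"
      "nodev"
    ];
  };
  # nix-daemon build scratch (see TMPDIR below): builds must be able to run
  # what they compile, hence exec, but never anything setuid.
  fileSystems."${nix_build}" = {
    # can execute
    device = "zpool/nix-build";
    fsType = "zfs";
    options = [
      "exec"
      "nosuid"
      "nodev"
    ];
  };
  # /tmp-style tmpfs that allows exec. mode=1777 (sticky, world-writable);
  # tmpfs honours only the last mode= it is given, so exactly one is listed.
  fileSystems."${tmp-exec}" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "defaults"
      "size=2G"
      "exec"
      "nosuid"
      "nodev"
      "mode=1777"
    ];
  };
  # NOTE(review): java.io.tmpdir is a JVM *system property*, not an environment
  # variable — the JVM does not read an env var of this name, so this line has
  # no effect. To point Java at the exec-capable tmpfs, pass it as
  # "-Djava.io.tmpdir=${tmp-exec}" via JAVA_TOOL_OPTIONS (or _JAVA_OPTIONS);
  # check for an existing definition of that variable elsewhere first.
  environment.sessionVariables."java.io.tmpdir" = tmp-exec;
  # systemd.tmpfiles.rules = lib.singleton "D! ${tmp-exec} 1777 root root";
  # "D" + "!" : create the build dir and clear its contents at boot, so no
  # leftover build state survives a reboot.
  systemd.tmpfiles.rules = lib.singleton "D! ${nix_build} 0755 root root";
  # Builds unpack and run in the exec-capable dataset instead of the noexec /tmp.
  systemd.services.nix-daemon.environment.TMPDIR = nix_build;
  fileSystems."/etc/nixos" = {
    device = "zpool/nix_conf";
    fsType = "zfs";
    options = [
      "noacl"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };
  # ESP. umask=077 sets both fmask and dmask, so kernels, initrds and loader
  # state are unreadable by non-root users; no separate fmask/dmask are given
  # because vfat applies whichever of umask/fmask/dmask comes last.
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/12CE-A600";
    fsType = "vfat";
    options = [
      "umask=077"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };

  # Options of this configuration's own modules (defined elsewhere in the
  # repository): display layout and the laptop hardware module.
  grimmShared = {
    screens = {
      external = {
        id = "HDMI-A-1";
        pos = "0 0";
      };
      internal = {
        id = "eDP-1";
        fps = [
          144
          60
        ];
      };
    };
    laptop_hardware.enable = true;
  };
  # fileSystems."/crypt-storage" =
  # { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
  # fsType = "ext4";
  # options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
  # };

  # Per-user datasets under zpool/home are unlocked at login through PAM
  # (this is where the encrypted homes mentioned above "happen later").
  security.pam = {
    zfs = {
      enable = true;
      homes = "zpool/home";
    };
  };

  # Root LUKS volume, unlocked in the initrd with YubiKey challenge-response
  # (slot 2) *and* a passphrase (twoFactor). The salt used for the key
  # derivation lives on a separate ext4 partition under "/default".
  boot.initrd.luks.yubikeySupport = true; # enable yubikey support
  # Do not cache the passphrase for other LUKS devices.
  boot.initrd.luks.reusePassphrases = false;
  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
    preLVM = true;
    # Passes TRIM through dm-crypt: better SSD wear, at the cost of revealing
    # which blocks of the encrypted volume are unused. Deliberate trade-off.
    allowDiscards = true;
    yubikey = {
      slot = 2;
      twoFactor = true; # Set to false for 1FA
      gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
      keyLength = 64; # Set to $KEY_LENGTH/8
      saltLength = 16; # Set to $SALT_LENGTH
      storage = {
        device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
        fsType = "ext4";
        path = "/default";
      };
    };
  };

  # No swap (a zvol-backed swap was tried and left commented out).
  swapDevices = [
    #{
    # device = "zpool/swap";
    # device = "/dev/zvol/zpool/swap";
    #}
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}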