]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/courge/hardware.nix
nix: add PR for kernel-hardening-checker
[julm/julm-nix.git] / hosts / courge / hardware.nix
1 { pkgs, lib, config, hostName, ... }:
2 with lib;
3 {
4 imports = [
5 ../../nixos/profiles/hardware/T480.nix
6 ../../nixos/profiles/zfs.nix
7 ../../nixos/profiles/zramSwap.nix
8 #hardware/nvidia.nix
9 ];
10
11 # Setting the machine-id avoids to reencrypt all credentials
12 # when reinstalling NixOS on a new drive.
13 # Manually generated with : uuidgen | tr -d -
14 environment.etc.machine-id.source = ./machine-id.clear;
15
16 # The 32-bit host id of the host, formatted as 8 hexadecimal characters.
17 # You should try to make this id unique among your hosts.
18 # Manually generated with : uuidgen | head -c8
19 networking.hostId = "e6eba6c4";
20
21 boot.kernelParams = [
22 #"boot.trace"
23 "boot.shell_on_fail"
24 #"boot.debug1"
25 ];
26 boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
27 boot.loader = {
28 efi = {
29 canTouchEfiVariables = true;
30 efiSysMountPoint = "/boot1";
31 };
32 systemd-boot = {
33 enable = true;
34 #editor = false;
35 # Roughly 25MiB (initrd) + 9MiB (kernel) per configuration
36 configurationLimit = 6;
37 memtest86.enable = true;
38 /*
39 extraInstallCommands = ''
40 rm -rf /efiboot/efi2
41 cp -r /efiboot/efi1 /efiboot/efi2
42 '';
43 */
44 # FIXME: needs https://github.com/NixOS/nixpkgs/pull/246897
45 #mirroredBoots = [ ];
46 };
47 };
48 boot.zfs.requestEncryptionCredentials = [ "${hostName}/root" ];
49
50 hardware.enableRedistributableFirmware = true;
51 # Disable IR camera
52 services.udev.extraRules = ''
53 ACTION=="add", ATTRS{idVendor}=="5986", ATTRS{idProduct}=="1141", RUN="${pkgs.runtimeShell} -c 'echo 1 >/sys$devpath/remove'"
54 '';
55
56 fileSystems."/boot1" =
57 {
58 device = "/dev/disk/by-partlabel/${hostName}_ssd1_boot";
59 fsType = "vfat";
60 options = [ "rw" "noexec" "nodev" "nofail" "X-mount.mkdir" "iocharset=iso8859-1" ];
61 };
62 swapDevices = [
63 {
64 device = "/dev/disk/by-partlabel/${hostName}_ssd1_swap";
65 randomEncryption = {
66 enable = true;
67 cipher = "aes-xts-plain64";
68 source = "/dev/urandom";
69 };
70 }
71 ];
72
73 boot.supportedFilesystems = [ "ntfs" "vfat" ];
74
75 fileSystems."/" =
76 {
77 device = "${hostName}/root";
78 fsType = "zfs";
79 options = [ "zfsutil" ];
80 };
81 fileSystems."/nix" =
82 {
83 device = "${hostName}/root/nix";
84 fsType = "zfs";
85 options = [ "X-mount.mkdir" "zfsutil" ];
86 };
87 fileSystems."/var" =
88 {
89 device = "${hostName}/root/var";
90 fsType = "zfs";
91 options = [ "X-mount.mkdir" "zfsutil" ];
92 };
93
94 services.pipewire.jack.enable = true;
95
96 }