hosts/nan2gua1/hardware.nix

   1 {
   2   lib,
   3   pkgs,
   4   config,
   5   hostName,
   6   inputs,
   7   ...
   8 }:
   9 {
  10   imports = [
  11     ../../nixos/profiles/hardware/T14sAMDGen1.nix
  12     ../../nixos/profiles/zfs.nix
  13     #./lanzaboote.nix
  14   ];
  15
  16   # Setting the machine-id avoids to reencrypt all credentials
  17   # when reinstalling NixOS on a new drive.
  18   # Manually generated with : uuidgen | tr -d -
  19   environment.etc.machine-id.source = ./machine-id.clear;
  20
  21   # The 32-bit host id of the host, formatted as 8 hexadecimal characters.
  22   # You should try to make this id unique among your hosts.
  23   networking.hostId = lib.readFile ./host-id.clear;
  24
  25   boot.kernelParams = [
  26     #"boot.trace"
  27     "boot.shell_on_fail"
  28     #"boot.debug1"
  29   ];
  30
  31   # Deprecated in nixos-24.11
  32   #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  33   boot.loader = {
  34     efi = {
  35       canTouchEfiVariables = true;
  36       efiSysMountPoint = "/boot1";
  37     };
  38     systemd-boot = {
  39       enable = true;
  40       #editor = false;
  41       # Roughly 25MiB (initrd) + 9MiB (kernel) per configuration
  42       configurationLimit = 6;
  43       memtest86.enable = true;
  44       /*
  45         extraInstallCommands = ''
  46           rm -rf /efiboot/efi2
  47           cp -r /efiboot/efi1 /efiboot/efi2
  48         '';
  49       */
  50       # FIXME: needs https://github.com/NixOS/nixpkgs/pull/246897
  51       #mirroredBoots = [ ];
  52     };
  53   };
  54   boot.zfs.requestEncryptionCredentials = [ "${hostName}/root" ];
  55
  56   #console.keyMap = lib.mkForce "de";
  57
  58   hardware.enableRedistributableFirmware = true;
  59
  60   fileSystems."/boot1" = {
  61     device = "/dev/disk/by-partlabel/${hostName}_disk1_boot";
  62     fsType = "vfat";
  63     options = [
  64       "rw"
  65       "noexec"
  66       "nodev"
  67       "nofail"
  68       "X-mount.mkdir"
  69       "iocharset=iso8859-1"
  70     ];
  71   };
  72   swapDevices = [
  73     {
  74       device = "/dev/disk/by-partlabel/${hostName}_disk1_swap";
  75       randomEncryption = {
  76         enable = true;
  77         cipher = "aes-xts-plain64";
  78         source = "/dev/urandom";
  79       };
  80     }
  81   ];
  82
  83   boot.supportedFilesystems = [
  84     "ntfs"
  85     "vfat"
  86   ];
  87
  88   fileSystems."/" = {
  89     device = "${hostName}/root";
  90     fsType = "zfs";
  91     options = [ "zfsutil" ];
  92   };
  93   fileSystems."/nix" = {
  94     device = "${hostName}/root/nix";
  95     fsType = "zfs";
  96     options = [
  97       "X-mount.mkdir"
  98       "zfsutil"
  99     ];
 100   };
 101   fileSystems."/var" = {
 102     device = "${hostName}/root/var";
 103     fsType = "zfs";
 104     options = [
 105       "X-mount.mkdir"
 106       "zfsutil"
 107     ];
 108   };
 109
 110   services.pcscd = {
 111     enable = true;
 112   };
 113
 114   services.pipewire.jack.enable = true;
 115
 116   services.acpid = {
 117   };
 118
 119   services.auto-cpufreq = {
 120     enable = true;
 121     settings = {
 122       battery = {
 123         enable_thresholds = true;
 124         start_threshold = 65;
 125         stop_threshold = 80;
 126       };
 127     };
 128   };
 129
 130   security.tpm2.enable = true;
 131   security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
 132   security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
 133
 134 }