Home Explore Help
Sign In
badbayan
/
nix-config
Watch 1
Star 0
Fork 0
Files
Tree: ba879006f2
Branches Tags
nix-config
/
hosts
/
higan
/
default.nix

default.nix 2.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. { config, pkgs, inputs, ... }:
    2. 

  2. 

  3. {
    4. 

  4.   imports = with inputs.self.modules; [
    5. 

  5.     ./disko.nix
    6. 

  6. 

  7.     users.aya
    8. 

  8.   ];
    9. 

  9. 

  10.   roles = {
    11. 

  11.     desktop = "gnome";
    12. 

  12.     tpm2.enable = true;
    13. 

  13.   };
    14. 

  14. 

  15.   boot = {
    16. 

  16.     loader = {
    17. 

  17.       # systemd-boot.enable = true;
    18. 

  18.       timeout = 1;
    19. 

  19.     };
    20. 

  20.     lanzaboote = {
    21. 

  21.       enable = true;
    22. 

  22.       pkiBundle = "/etc/secureboot";
    23. 

  23.     };
    24. 

  24.     initrd.availableKernelModules = [ "nvme" "xhci_pci" ];
    25. 

  25.     kernelModules = [ "kvm-amd" ];
    26. 

  26.     kernelPackages = pkgs.linuxPackages_6_12;
    27. 

  27.     kernelParams = [ "tsc=unstable" ];
    28. 

  28.   };
    29. 

  29. 

  30.   environment.persistence."/system/persist" = {
    31. 

  31.     directories = [
    32. 

  32.       config.boot.lanzaboote.pkiBundle
    33. 

  33.       "/etc/NetworkManager"
    34. 

  34.       "/var/db/sudo"
    35. 

  35.       "/var/lib"
    36. 

  36.       "/var/log"
    37. 

  37.     ];
    38. 

  38.     files = [
    39. 

  39.       "/etc/machine-id"
    40. 

  40.       { file = "/root/.ssh/id_ed25519";
    41. 

  41.         parentDirectory = {
    42. 

  42.           defaultPerms.mode = "0700";
    43. 

  43.           mode = "0700";
    44. 

  44.         };
    45. 

  45.       }
    46. 

  46.     ];
    47. 

  47.   };
    48. 

  48. 

  49.   fileSystems."/system".neededForBoot = true;
    50. 

  50. 

  51.   age = {
    52. 

  52.     identityPaths = [ "/system/persist/root/.ssh/id_ed25519" ];
    53. 

  53.     secrets = with inputs.self.modules; {
    54. 

  54.       higan-wg0.file = secrets.higan-wg0;
    55. 

  55.       yama-wg0-higan.file = secrets.yama-wg0-higan;
    56. 

  56.     };
    57. 

  57.   };
    58. 

  58. 

  59.   networking = {
    60. 

  60.     hostName = "higan";
    61. 

  61.     networkmanager.enable = true;
    62. 

  62. 

  63.     wireguard.interfaces = {
    64. 

  64.       wg0 = {
    65. 

  65.         ips = [ "10.0.0.3/24" ];
    66. 

  66.         listenPort = 51820;
    67. 

  67.         privateKeyFile = config.age.secrets.higan-wg0.path;
    68. 

  68.         peers = [
    69. 

  69.           { # yama
    70. 

  70.             publicKey = "Tan9IHvGvzeHFBSg3ZnhqNuJFYtAB+hfybbh9SPWRwk=";
    71. 

  71.             presharedKeyFile = config.age.secrets.yama-wg0-higan.path;
    72. 

  72.             endpoint = "notbad.dynv6.net:51820";
    73. 

  73.             allowedIPs = [ "10.0.0.1/32" ];
    74. 

  74.             dynamicEndpointRefreshSeconds = 10;
    75. 

  75.           }
    76. 

  76.         ];
    77. 

  77.       };
    78. 

  78.     };
    79. 

  79.   };
    80. 

  80. 

  81.   services = {
    82. 

  82.     btrfs.autoScrub = {
    83. 

  83.       enable = true;
    84. 

  84.       fileSystems = [ "/system" ];
    85. 

  85.     };
    86. 

  86.     dnsmasq.enable = true;
    87. 

  87.     logind.lidSwitch = "suspend-then-hibernate";
    88. 

  88.     yggdrasil.enable = true;
    89. 

  89.   };
    90. 

  90. 

  91.   systemd.sleep.extraConfig = ''
    92. 

  92.     # SuspendState=freeze
    93. 

  93.     HibernateDelaySec=20m
    94. 

  94.   '';
    95. 

  95. 

  96.   zramSwap.enable = true;
    97. 

  97. }
    98. 

  98.