2fc05cdfd0
...
bootloader
| Author | SHA1 | Date | |
|---|---|---|---|
|
524dafd513
|
|||
|
db1e9c15ac
|
|||
|
f4b9eff715
|
|||
|
325b863238
|
|||
|
79a67284af
|
|||
|
fae6b25137
|
|||
|
4a59f6b57c
|
|||
|
4771d8c7d6
|
@@ -3,11 +3,23 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.features.bootloader;
|
||||
keyDir = "/etc/secrets/initrd";
|
||||
|
||||
mkIpString =
|
||||
{
|
||||
address,
|
||||
gateway,
|
||||
netmask,
|
||||
interface,
|
||||
...
|
||||
}:
|
||||
"${address}::${gateway}:${netmask}::${interface}:none";
|
||||
in
|
||||
{
|
||||
imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
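Review bot: `keyDir = "/etc/secrets/initrd"` names where the initrd sshd's host keys are read from, but nothing says these must be dedicated keys, and since they are fed to `boot.initrd.network.ssh.hostKeys` later in the diff they are presumably copied into the initrd at build time, i.e. they end up beside the kernel on the ESP rather than inside the LUKS volume; with `mode = "lanzaboote"` the initrd is signed, which protects integrity but not confidentiality. I would put that constraint on the binding itself: `# dedicated initrd host keys, generated out-of-band (ssh-keygen -t ed25519 -N "" -f ...); never the /etc/ssh keys — the initrd, and so these files, sit on the unencrypted ESP`. The module attrset opened at `{` continues past the hunk.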
|
||||
@@ -23,15 +35,88 @@
|
||||
default = "systemd-boot";
|
||||
};
|
||||
|
||||
plymouth.enable = lib.mkEnableOption "plymouth boot splash";
|
||||
configurationLimit = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 10;
|
||||
};
|
||||
|
||||
consoleFont = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "ter-v32n";
|
||||
};
|
||||
|
||||
resumeDevice = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
};
|
||||
|
||||
initrdSsh = {
|
||||
enable = lib.mkEnableOption "remote LUKS unlock via ssh in initrd";
|
||||
|
||||
networkModule = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
|
||||
ip = {
|
||||
enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
|
||||
|
||||
address = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
|
||||
gateway = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
|
||||
netmask = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "255.255.255.0";
|
||||
};
|
||||
|
||||
interface = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
};
|
||||
|
||||
authorizedKeys = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable (
|
||||
lib.mkMerge [
|
||||
{
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
# request the largest framebuffer uefi offers; plymouth inherits it
|
||||
boot.loader.systemd-boot.consoleMode = "max";
|
||||
|
||||
# lanzaboote inherits editor + configurationLimit from systemd-boot.*
|
||||
boot.loader.systemd-boot = {
|
||||
editor = false;
|
||||
inherit (cfg) configurationLimit;
|
||||
};
|
||||
|
||||
boot.initrd.systemd.enable = true;
|
||||
|
||||
# block simpledrm so fbcon defers until the gpu driver binds; avoids
|
||||
# the simpledrm -> real-driver fbcon transition that mangles console
|
||||
# text and leaves the luks prompt typing offset from the visible
|
||||
# surface. hosts must put the gpu driver in initrd (nixos-hardware
|
||||
# does this for amd; manual hardware.amdgpu.initrd.enable on others)
|
||||
boot.kernelParams = [ "initcall_blacklist=simpledrm_platform_driver_init" ];
|
||||
|
||||
# verbose boot: kernel messages and systemd unit lines visible end
|
||||
# to end. trade-off: the luks prompt will be interleaved with the
|
||||
# last few "Starting/Started ..." lines (no upstream fix exists
|
||||
# without plymouth). boot.initrd.verbose is a no-op under
|
||||
# systemd-initrd, so not set here.
|
||||
|
||||
# readable luks prompt at panel-native dpi
|
||||
console = {
|
||||
earlySetup = true;
|
||||
font = cfg.consoleFont;
|
||||
packages = [ pkgs.terminus_font ];
|
||||
};
|
||||
}
|
||||
|
||||
(lib.mkIf (cfg.mode == "systemd-boot") {
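Review bot: The `initrdSsh` options carry no `description`, although `networkModule` is used later in the diff both for `boot.initrd.availableKernelModules` and as the networkd `matchConfig.Driver` value, and `authorizedKeys` decides who may answer the LUKS prompt before the system is up. I would add `description = "driver (kernel module) of the NIC used for remote unlock; loaded in initrd and used as the networkd Driver= match";` to `networkModule` and `description = "keys allowed to log in to the initrd sshd; each one can unlock the disks";` to `authorizedKeys`. Neither `type = lib.types.str` option has a default, so enabling `initrdSsh` without setting them fails at evaluation, which is the right outcome and worth stating in the enable option's text. The `mkIf` opened on the hunk's last line continues outside it.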
|
||||
@@ -46,26 +131,41 @@
|
||||
};
|
||||
})
|
||||
|
||||
(lib.mkIf cfg.plymouth.enable {
|
||||
# plymouth needs systemd-initrd to render the luks prompt cleanly
|
||||
boot.initrd.systemd.enable = true;
|
||||
(lib.mkIf (cfg.resumeDevice != null) {
|
||||
boot.resumeDevice = cfg.resumeDevice;
|
||||
})
|
||||
|
||||
# host is responsible for early-KMS so plymouth lands on the gpu driver,
|
||||
# not simpledrm (e.g. hardware.amdgpu.initrd.enable on amd hosts)
|
||||
boot.plymouth.enable = true;
|
||||
stylix.targets.plymouth.logoAnimated = false;
|
||||
(lib.mkIf cfg.initrdSsh.enable {
|
||||
boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
|
||||
|
||||
boot.kernelParams = [
|
||||
"quiet"
|
||||
"splash"
|
||||
"loglevel=3"
|
||||
"rd.systemd.show_status=false"
|
||||
"rd.udev.log_level=3"
|
||||
"udev.log_priority=3"
|
||||
"plymouth.force-scale=1"
|
||||
boot.initrd.availableKernelModules = [ cfg.initrdSsh.networkModule ];
|
||||
|
||||
boot.kernelParams = lib.mkIf cfg.initrdSsh.ip.enable [
|
||||
"ip=${mkIpString cfg.initrdSsh.ip}"
|
||||
];
|
||||
boot.consoleLogLevel = 0;
|
||||
boot.initrd.verbose = false;
|
||||
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 22;
|
||||
hostKeys = [
|
||||
"${keyDir}/ssh_host_rsa_key"
|
||||
"${keyDir}/ssh_host_ed25519_key"
|
||||
];
|
||||
inherit (cfg.initrdSsh) authorizedKeys;
|
||||
};
|
||||
};
|
||||
|
||||
# forward LUKS password prompt to the ssh session (systemd-initrd idiom)
|
||||
boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
|
||||
|
||||
boot.initrd.systemd.network.networks = lib.mkIf (!cfg.initrdSsh.ip.enable) {
|
||||
"10-initrd" = {
|
||||
matchConfig.Driver = cfg.initrdSsh.networkModule;
|
||||
networkConfig.DHCP = "yes";
|
||||
};
|
||||
};
|
||||
})
|
||||
]
|
||||
);
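Review bot: `port = 22;` puts the initrd sshd on the same address:port as the booted system's sshd while presenting a different host key (the `${keyDir}` pair), so clients get a host-key-changed error unless they keep two `known_hosts` entries for one host; the usual fix is a distinct port, e.g. `port = 2222;`, ideally exposed as `initrdSsh.port`. The comment that explained `DefaultDeviceTimeoutSec = "infinity"` in the deleted initrd-ssh module ("remote unlock may take a while; don't let device units give up") did not survive the move and should be restored above that line. Old and new lines appear interleaved in this hunk, so I cannot tell which kernel parameters (`quiet`, `splash`, `loglevel=3` ...) remain under the plymouth block on the new side; the enclosing `mkMerge` list begins outside the hunk.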
|
||||
|
||||
@@ -105,7 +105,11 @@
|
||||
# bluetooth
|
||||
(lib.mkIf cfg.bluetooth.enable {
|
||||
hardware.bluetooth.enable = true;
|
||||
services.blueman.enable = true;
|
||||
services.blueman = {
|
||||
enable = true;
|
||||
# TEMP:(@janezicmatej) workaround for nixpkgs#514705, fix in nixpkgs#517250
|
||||
withApplet = false;
|
||||
};
|
||||
})
|
||||
|
||||
# apps
|
||||
|
||||
@@ -1,90 +0,0 @@
|
||||
{
|
||||
nixos =
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
cfg = config.features.initrd-ssh;
|
||||
keyDir = "/etc/secrets/initrd";
|
||||
|
||||
mkIpString =
|
||||
{
|
||||
address,
|
||||
gateway,
|
||||
netmask,
|
||||
interface,
|
||||
...
|
||||
}:
|
||||
"${address}::${gateway}:${netmask}::${interface}:none";
|
||||
in
|
||||
{
|
||||
options.features.initrd-ssh = {
|
||||
enable = lib.mkEnableOption "initrd ssh";
|
||||
|
||||
ip = {
|
||||
enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
|
||||
|
||||
address = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
|
||||
gateway = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
|
||||
netmask = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "255.255.255.0";
|
||||
};
|
||||
|
||||
interface = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
};
|
||||
|
||||
authorizedKeys = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
networkModule = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
boot.initrd.availableKernelModules = [ cfg.networkModule ];
|
||||
boot.initrd.kernelModules = [ cfg.networkModule ];
|
||||
boot.kernelParams = lib.mkIf cfg.ip.enable [
|
||||
"ip=${mkIpString cfg.ip}"
|
||||
];
|
||||
|
||||
boot.initrd.systemd.enable = true;
|
||||
|
||||
# remote unlock may take a while; don't let device units give up
|
||||
boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
|
||||
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 22;
|
||||
hostKeys = [
|
||||
"${keyDir}/ssh_host_rsa_key"
|
||||
"${keyDir}/ssh_host_ed25519_key"
|
||||
];
|
||||
inherit (cfg) authorizedKeys;
|
||||
};
|
||||
};
|
||||
|
||||
# systemd-networkd retries DHCP indefinitely, unlike udhcpc
|
||||
boot.initrd.systemd.network.networks = lib.mkIf (!cfg.ip.enable) {
|
||||
"10-initrd" = {
|
||||
matchConfig.Driver = cfg.networkModule;
|
||||
networkConfig.DHCP = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
# forward LUKS password prompt to the SSH session
|
||||
boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -8,11 +8,6 @@
|
||||
options.features.power = {
|
||||
enable = lib.mkEnableOption "laptop power management";
|
||||
|
||||
resumeDevice = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
};
|
||||
|
||||
lidSwitch = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "suspend-then-hibernate";
|
||||
@@ -40,8 +35,6 @@
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
boot.resumeDevice = lib.mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
|
||||
|
||||
services.logind.settings.Login = {
|
||||
HandleLidSwitch = cfg.lidSwitch;
|
||||
HandlePowerKey = cfg.powerKey;
|
||||
|
||||
72
flake.lock
generated
72
flake.lock
generated
@@ -156,11 +156,11 @@
|
||||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1777678872,
|
||||
"narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=",
|
||||
"lastModified": 1777988971,
|
||||
"narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "5250617bffd85403b14dbf43c3870e7f255d2c16",
|
||||
"rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -177,11 +177,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1777678872,
|
||||
"narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=",
|
||||
"lastModified": 1777988971,
|
||||
"narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "5250617bffd85403b14dbf43c3870e7f255d2c16",
|
||||
"rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -273,11 +273,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1777852249,
|
||||
"narHash": "sha256-XdbGWnFlX4McOEG5NioVsp35Ic6XL/rXnp8as71cu6o=",
|
||||
"lastModified": 1778248595,
|
||||
"narHash": "sha256-dhFgEjoeJMYN/7OY6xfxS799YB4IjbbYXTjyGIJyLpc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "c909892de502b4de9e92838a503c09a9c8ebe4aa",
|
||||
"rev": "fdb2ccba9d5e1238d32e0c4a3ec1a277efa80c1d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -317,11 +317,11 @@
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1777853108,
|
||||
"narHash": "sha256-GyUvw2G212P0nDfUh6/4fPfZK1UBJak1MYr6If8b7H4=",
|
||||
"lastModified": 1778285091,
|
||||
"narHash": "sha256-4YwkGkjvLD0EB7rQGCRA9J/zgwrnTL20dJd7Wmnicj0=",
|
||||
"owner": "nix-community",
|
||||
"repo": "neovim-nightly-overlay",
|
||||
"rev": "06974a7b4913f950c67eaa398ac0c5781e29fe9c",
|
||||
"rev": "cca2a2d1c03f763fdcd7066791363d792313c641",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -333,11 +333,11 @@
|
||||
"neovim-src": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1777850416,
|
||||
"narHash": "sha256-a/mK2LVrU8zFBt2iZRngGv2Qu+7ju/SL4je8BewBpBg=",
|
||||
"lastModified": 1778266020,
|
||||
"narHash": "sha256-qoydKalrn/QGsGYVRicz0Hzb7bfGmV7Z9CnVONXN/Lc=",
|
||||
"owner": "neovim",
|
||||
"repo": "neovim",
|
||||
"rev": "0e69a380263f5a78d11cd05c65cc224a3c74b53e",
|
||||
"rev": "b7d8a41d91dcfebe9a5f3d0cf2f0bb0b8d59e32e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -348,11 +348,11 @@
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1777796046,
|
||||
"narHash": "sha256-bEJp/zaQApzynGRaAO62BZSz9tFikKtIHCn2yIA/s7Q=",
|
||||
"lastModified": 1778143761,
|
||||
"narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "eeb02f6e29fc8139c0b15af5ff0fdfdc6d0d3d90",
|
||||
"rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -364,11 +364,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1777641297,
|
||||
"narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=",
|
||||
"lastModified": 1778124196,
|
||||
"narHash": "sha256-pYEytCNic/czazbV9r3tbQ6BZzqRBg/41x2dIC5ymOo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0",
|
||||
"rev": "68a8af93ff4297686cb68880845e61e5e2e41d92",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -395,11 +395,11 @@
|
||||
},
|
||||
"nixpkgs-master": {
|
||||
"locked": {
|
||||
"lastModified": 1777879473,
|
||||
"narHash": "sha256-tRKCOIIFH8gj6YZtd2PdTKwhPRJUmHa0I+vold0EcgY=",
|
||||
"lastModified": 1778360830,
|
||||
"narHash": "sha256-tD44tgf123UcERx3cC91rwefFmGmlTd2M1QdL6d5iLc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "93fb83c111c35a6f88e9edfb0d9c3a494f3e1400",
|
||||
"rev": "82cbc979e10cf2b893566a0f259daf5e1f26c887",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -411,11 +411,11 @@
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1777673416,
|
||||
"narHash": "sha256-5c2POKPOjU40Kh0MirOdScBLG0bu9TAuPYAtPRNZMBs=",
|
||||
"lastModified": 1778003029,
|
||||
"narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "26ef669cffa904b6f6832ab57b77892a37c1a671",
|
||||
"rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -427,11 +427,11 @@
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1777578337,
|
||||
"narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
|
||||
"lastModified": 1777954456,
|
||||
"narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
|
||||
"rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -550,11 +550,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1777338324,
|
||||
"narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
|
||||
"lastModified": 1777944972,
|
||||
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
|
||||
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -583,11 +583,11 @@
|
||||
"tinted-zed": "tinted-zed"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1777835090,
|
||||
"narHash": "sha256-VLH8zPweblCOvpnQXp4fVs7f6Q79YhXF5XFKlOrvIFk=",
|
||||
"lastModified": 1778104276,
|
||||
"narHash": "sha256-/DSSnU0LLmOTG/OCgGwYpxP6+5YvxRx2g/GhI4x6aCU=",
|
||||
"owner": "danth",
|
||||
"repo": "stylix",
|
||||
"rev": "7989a1054b01153212dede6005abfd1576b8328c",
|
||||
"rev": "18ed8d270231e067fe2739998479ed5d7c659c2c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
@@ -55,7 +55,6 @@ in
|
||||
"git"
|
||||
"gnupg"
|
||||
"harmonia"
|
||||
"initrd-ssh"
|
||||
"localisation"
|
||||
"neovim"
|
||||
"networkmanager"
|
||||
@@ -124,6 +123,7 @@ in
|
||||
"localisation"
|
||||
"networkmanager"
|
||||
"nix-settings"
|
||||
"onepassword"
|
||||
"sway"
|
||||
"udev"
|
||||
"zsh"
|
||||
|
||||
@@ -2,6 +2,6 @@
|
||||
|
||||
{
|
||||
flake.overlays.default = final: _prev: {
|
||||
mcp-nixos = inputs.nixpkgs-stable.legacyPackages.${final.stdenv.hostPlatform.system}.mcp-nixos;
|
||||
inherit (inputs.nixpkgs-stable.legacyPackages.${final.stdenv.hostPlatform.system}) mcp-nixos;
|
||||
};
|
||||
}
|
||||
|
||||
@@ -10,16 +10,13 @@
|
||||
inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
|
||||
];
|
||||
|
||||
features.bootloader.plymouth.enable = true;
|
||||
features.bootloader.resumeDevice = "/dev/mapper/vg0-swap";
|
||||
features.desktop.bluetooth.enable = true;
|
||||
features.gnupg.yubikey.enable = true;
|
||||
features.udev = {
|
||||
ledger.enable = true;
|
||||
keyboard-zsa.enable = true;
|
||||
};
|
||||
features.power.resumeDevice = "/dev/disk/by-uuid/ff4750e7-3a9f-42c2-bb68-c458a6560540";
|
||||
|
||||
boot.kernelParams = [ "pcie_aspm.policy=powersupersave" ];
|
||||
|
||||
programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;
|
||||
|
||||
|
||||
@@ -37,10 +37,7 @@
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/42D9-FAFD";
|
||||
fsType = "vfat";
|
||||
options = [
|
||||
"fmask=0022"
|
||||
"dmask=0022"
|
||||
];
|
||||
options = [ "umask=0077" ];
|
||||
};
|
||||
|
||||
swapDevices = [
|
||||
|
||||
@@ -8,7 +8,11 @@
|
||||
features.nix-settings.towerCache.enable = false;
|
||||
features.bootloader = {
|
||||
mode = "lanzaboote";
|
||||
plymouth.enable = true;
|
||||
initrdSsh = {
|
||||
enable = true;
|
||||
networkModule = "r8169";
|
||||
authorizedKeys = userKeys.sshAuthorizedKeys;
|
||||
};
|
||||
};
|
||||
features.desktop.bluetooth.enable = true;
|
||||
features.gnupg.yubikey.enable = true;
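Review bot: `authorizedKeys = userKeys.sshAuthorizedKeys;` reuses the general user key list as the initrd root authorization, so every key in that list can now unlock tower's disks pre-boot, not just log in afterwards; if that list also holds keys meant for less trusted devices, a narrower list belongs here. A one-line comment would make the trust boundary explicit: `# every key here can answer the LUKS prompt from the initrd; keep to admin keys`. This carries over the previous `features.initrd-ssh` setting unchanged, so the exposure is not new, only now sitting next to the Secure Boot switch where a reader will look for it.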
|
||||
@@ -16,17 +20,14 @@
|
||||
ledger.enable = true;
|
||||
keyboard-zsa.enable = true;
|
||||
};
|
||||
features.initrd-ssh = {
|
||||
networkModule = "r8169";
|
||||
authorizedKeys = userKeys.sshAuthorizedKeys;
|
||||
};
|
||||
|
||||
# nix store signing
|
||||
sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
|
||||
nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
|
||||
|
||||
boot.kernelParams = [ "btusb.reset=1" ];
|
||||
# early kms so plymouth lands on amdgpu, not simpledrm
|
||||
# pairs with bootloader's simpledrm initcall blacklist: amdgpu owns fbcon
|
||||
# from the start, no driver-swap mode-set
|
||||
hardware.amdgpu.initrd.enable = true;
|
||||
|
||||
services.udisks2.enable = true;
|
||||
|
||||
29
justfile
29
justfile
@@ -2,31 +2,20 @@
|
||||
default:
|
||||
@just --list
|
||||
|
||||
# rebuild and switch
|
||||
switch config="":
|
||||
nixos-rebuild switch --flake .{{ if config != "" { "#" + config } else { "" } }} --sudo
|
||||
|
||||
# fetch flake inputs
|
||||
sync:
|
||||
nix flake prefetch-inputs
|
||||
# rebuild the system
|
||||
rebuild op="switch" host=`hostname`:
|
||||
nixos-rebuild {{op}} --flake .#{{host}} --sudo
|
||||
|
||||
# update flake inputs
|
||||
update:
|
||||
nix flake update
|
||||
|
||||
# update flake inputs, rebuild and switch
|
||||
bump: update switch
|
||||
|
||||
# update a package to latest version
|
||||
update-package pkg:
|
||||
bash packages/{{pkg}}/update.sh
|
||||
|
||||
# update all packages with update scripts
|
||||
update-package-all:
|
||||
update-package:
|
||||
@for script in packages/*/update.sh; do bash "$script"; done
|
||||
|
||||
# build all packages and hosts
|
||||
build:
|
||||
check:
|
||||
nix flake check
|
||||
|
||||
# build installation iso
|
||||
@@ -37,10 +26,6 @@ iso:
|
||||
ephvm *ARGS:
|
||||
bash scripts/ephvm-run.sh {{ARGS}}
|
||||
|
||||
# ssh into running ephemeral VM
|
||||
ephvm-ssh port="2222":
|
||||
ssh -p {{port}} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null matej@localhost
|
||||
|
||||
# provision a host with nixos-anywhere
|
||||
provision host ip:
|
||||
#!/usr/bin/env bash
|
||||
@@ -59,8 +44,8 @@ provision host ip:
|
||||
ssh root@{{ip}} reboot
|
||||
|
||||
# deploy config to a remote host
|
||||
deploy host remote=host:
|
||||
nixos-rebuild switch --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
|
||||
deploy op="switch" host=`hostname` remote=host:
|
||||
nixos-rebuild {{op}} --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
|
||||
|
||||
# garbage collect old generations
|
||||
clean host=`hostname`:
|
||||
|
||||
@@ -87,6 +87,17 @@ nixpkgs.lib.nixosSystem {
|
||||
{ nixpkgs.config.allowUnfree = true; }
|
||||
{ networking.hostName = name; }
|
||||
|
||||
# TEMP:(@janezicmatej) temporary mitigation for dirty frag
|
||||
# blocks esp4/esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500)
|
||||
# remove once nixpkgs ships a kernel with f4c50a4034e6 and the rxrpc fix
|
||||
{
|
||||
boot.blacklistedKernelModules = [
|
||||
"esp4"
|
||||
"esp6"
|
||||
"rxrpc"
|
||||
];
|
||||
}
|
||||
|
||||
featureEnableModule
|
||||
hostConfig
|
||||
]
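Review bot: `boot.blacklistedKernelModules` only produces `blacklist` entries, which stop alias-driven autoloading; an explicit `modprobe esp4` or a userspace component that requests the module by name still loads it, so as a CVE mitigation this is best-effort. For a hard block until the fixed kernel lands, add `install esp4 /run/current-system/sw/bin/false` (and the same for `esp6` and `rxrpc`) via `boot.extraModprobeConfig`. The comment should also say that IPsec ESP is unavailable while this is in place, and the mitigation presumes the nixpkgs kernel builds these as modules rather than built-in, which I cannot confirm from here. The `modules = [` list this entry sits in begins outside the hunk.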
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
let
|
||||
inherit (pkgs) stdenv lib;
|
||||
version = "2.1.126";
|
||||
version = "2.1.138";
|
||||
|
||||
# upstream ships platform-native binaries as separate npm packages under
|
||||
# @anthropic-ai/claude-code-<platform>; the wrapper package is just a
|
||||
@@ -10,19 +10,19 @@ let
|
||||
sources = {
|
||||
"x86_64-linux" = {
|
||||
slug = "linux-x64";
|
||||
hash = "sha256-RTei2TOHb4OB9RTWILLuYDnwJT2PxyAwn3TwASOFYIc=";
|
||||
hash = "sha256-MGYEPPO4O84Egb5Ym/9f56l+TzPqogpSabosvHTIJZg=";
|
||||
};
|
||||
"aarch64-linux" = {
|
||||
slug = "linux-arm64";
|
||||
hash = "sha256-RTBJeh99Yiqdq5sNPLRENGD5mOapW3t9FkDlW+MiAQQ=";
|
||||
hash = "sha256-LWBtOAjPDFtLP93TNrsd8bPHJd7VKK6J90CRxUp1/XQ=";
|
||||
};
|
||||
"x86_64-darwin" = {
|
||||
slug = "darwin-x64";
|
||||
hash = "sha256-Xii9HPQEdg6HQVHMqkIV7Js4aeedCjlg5xJBF3Ef7oQ=";
|
||||
hash = "sha256-tkupKzb+XAPmdCRNoT90cfVLKUar3FCTRgufiMVuVPc=";
|
||||
};
|
||||
"aarch64-darwin" = {
|
||||
slug = "darwin-arm64";
|
||||
hash = "sha256-UKgwm0AGcO7fFZttIUR4LEQAH2NRfjerV7IByp3Nbqk=";
|
||||
hash = "sha256-jmB4t11BI1LKanuuXRJv5IBe8a9gSrFvTMP3KarsioU=";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||