diff --git a/machines/x2100/default.nix b/machines/x2100/default.nix index 5faa55b..5e55815 100644 --- a/machines/x2100/default.nix +++ b/machines/x2100/default.nix @@ -1,23 +1,37 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: { - imports = - [ - ./hardware.nix - ./home-julien.nix - ../../share.nix - ]; - + imports = [ + ./hardware.nix + ./home-julien.nix + ]; + # Lanzaboote boot.loader.systemd-boot.enable = lib.mkForce false; boot.lanzaboote = { enable = true; pkiBundle = "/etc/secureboot"; }; - boot.initrd.systemd.enable = true; - sound.enable = true; + # Automatic root partition decryption with TPM2 + boot.initrd = { + systemd = { + enable = true; + enableTpm2 = true; + }; + clevis = { + enable = true; + devices."/dev/nvme0n1p1".secretFile = ./root.jwe; + }; + }; + # Sound + sound.enable = true; services.pipewire = { enable = true; alsa.enable = true; @@ -25,13 +39,10 @@ pulse.enable = true; wireplumber.enable = true; }; - hardware.pulseaudio.enable = lib.mkForce false; services.postgresql.enable = true; - networking.hostName = "x2100"; - networking.wireless.enable = false; environment.sessionVariables = { @@ -41,7 +52,7 @@ services.logind.lidSwitch = "suspend"; services.tailscale.enable = true; - networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking.networkmanager.enable = true; networking.networkmanager.dns = "systemd-resolved"; services.resolved.enable = true; @@ -71,8 +82,6 @@ security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables users.users.julien.extraGroups = [ "tss" ]; # tss group has access to TPM devices - - nix = { distributedBuilds = true; buildMachines = [ 
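Review bot: Nothing next to `devices."/dev/nvme0n1p1".secretFile = ./root.jwe;` records what TPM2 policy the JWE was sealed with, and as far as I know the clevis `tpm2` pin binds only to the TPM itself unless `pcr_ids` was given, in which case the root volume is unlocked on every boot of this machine regardless of what was booted. Add a comment stating the binding and the re-seal procedure, e.g. `# root.jwe: clevis tpm2 pin sealed to PCR 7 (Secure Boot state, see boot.lanzaboote above); regenerate after any key change`, or say explicitly that it is unbound so the risk is a recorded decision. Two smaller points: the path literal copies root.jwe into the world-readable Nix store and initrd, which is acceptable for a clevis JWE but worth a comment so nobody mistakes it for the raw key, and `/dev/nvme0n1p1` is an enumeration-dependent name where a `/dev/disk/by-uuid/` or by-partuuid path would not move if another NVMe device were attached. The enclosing attribute set continues outside the hunk.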
@@ -81,14 +90,16 @@ maxJobs = 100; systems = [ "x86_64-linux" ]; sshUser = "root"; - supportedFeatures = [ "kvm" "nixos-test" ]; + supportedFeatures = [ + "kvm" + "nixos-test" + ]; sshKey = "/home/julien/.ssh/id_ed25519"; speedFactor = 2; } ]; }; - environment.systemPackages = with pkgs; [ tailscale brightnessctl @@ -96,7 +107,6 @@ wl-mirror ]; - networking.wireguard.interfaces.rezo = { ips = [ "fd81:fb3a:50cc::200/128" ]; privateKeyFile = "/root/wg-private"; @@ -109,7 +119,6 @@ ]; }; - security.pam.services.swaylock = { }; services.printing.enable = true; @@ -118,11 +127,6 @@ # for a WiFi printer services.avahi.openFirewall = true; - programs.sway = { - enable = true; - wrapperFeatures.gtk = true; - }; - # programs.sway.package = null; programs.ssh.startAgent = true; services.gnome.gnome-keyring.enable = true; @@ -132,9 +136,34 @@ "zotero-6.0.27" ]; + services.hash-collection = { + enable = true; + collection-url = "https://reproducibility.nixos.social"; + tokenFile = "/home/julien/lila-secrets/tokenfile"; + secretKeyFile = "/home/julien/lila-secrets/secret.key"; + }; + + nix.settings = { + post-build-hook = lib.mkForce ( + pkgs.writeScript "hash-collection-build-hook" '' + #!/bin/sh + export HASH_COLLECTION_SERVER=${config.services.hash-collection.collection-url} + export HASH_COLLECTION_TOKEN=$(cat ${toString config.services.hash-collection.tokenFile}) + export HASH_COLLECTION_SECRET_KEY=$(cat ${toString config.services.hash-collection.secretKeyFile}) + + # redirect stderr to stdout, otherwise it appears to go missing? + ${pkgs.lila-build-hook}/bin/build-hook 2>&1 + '' + ); + }; + + # Desktop environment + programs.xwayland.enable = true; + programs.hyprland = { + enable = true; + package = pkgs.unstable.hyprland; + portalPackage = pkgs.unstable.xdg-desktop-portal-hyprland; + }; + system.stateVersion = "23.05"; - } - - -
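Review bot: In the `hash-collection-build-hook` script, `export HASH_COLLECTION_TOKEN=$(cat …)` and the matching `SECRET_KEY` line hide a failed `cat`, because the shell reports the exit status of `export` rather than of the substitution, so a missing or unreadable file under `/home/julien/lila-secrets` leaves the variable empty and the hook, which the daemon runs after every build, is still invoked with empty credentials. Assign first and export afterwards under `set -eu`, so the script aborts before anything is sent (rewrite below). The `lib.mkForce` on `post-build-hook` presumably overrides a hook that the `services.hash-collection` module installs itself; a one-line comment such as `# Replace the module's own hook: stderr must be merged into stdout or it is lost` would spare the next reader the guess, and the trailing `?` on the existing stderr comment should be resolved either way. `pkgs.lila-build-hook` and `pkgs.unstable` are not nixpkgs attributes, so I assume an overlay outside this file provides them.
```nix
pkgs.writeScript "hash-collection-build-hook" ''
  #!/bin/sh
  set -eu
  export HASH_COLLECTION_SERVER=${config.services.hash-collection.collection-url}
  # Plain assignments propagate cat's exit status, so set -e stops the hook here.
  HASH_COLLECTION_TOKEN=$(cat ${toString config.services.hash-collection.tokenFile})
  HASH_COLLECTION_SECRET_KEY=$(cat ${toString config.services.hash-collection.secretKeyFile})
  export HASH_COLLECTION_TOKEN HASH_COLLECTION_SECRET_KEY
  # … unchanged: build-hook invocation …
''
```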