diff --git a/machines/x2100/default.nix b/machines/x2100/default.nix
index 5faa55b..5e55815 100644
--- a/machines/x2100/default.nix
+++ b/machines/x2100/default.nix
@@ -1,23 +1,37 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
{
- imports =
- [
- ./hardware.nix
- ./home-julien.nix
- ../../share.nix
- ];
-
+ imports = [
+ ./hardware.nix
+ ./home-julien.nix
+ ];
+ # Lanzaboote
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
- boot.initrd.systemd.enable = true;
- sound.enable = true;
+ # Automatic root partition decryption with TPM2
+ boot.initrd = {
+ systemd = {
+ enable = true;
+ enableTpm2 = true;
+ };
+ clevis = {
+ enable = true;
+ devices."/dev/nvme0n1p1".secretFile = ./root.jwe;
+ };
+ };
+ # Sound
+ sound.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
@@ -25,13 +39,10 @@
pulse.enable = true;
wireplumber.enable = true;
};
-
hardware.pulseaudio.enable = lib.mkForce false;
services.postgresql.enable = true;
- networking.hostName = "x2100";
-
networking.wireless.enable = false;
environment.sessionVariables = {
@@ -41,7 +52,7 @@
services.logind.lidSwitch = "suspend";
services.tailscale.enable = true;
- networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ networking.networkmanager.enable = true;
networking.networkmanager.dns = "systemd-resolved";
services.resolved.enable = true;
@@ -71,8 +82,6 @@
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.julien.extraGroups = [ "tss" ]; # tss group has access to TPM devices
-
-
nix = {
distributedBuilds = true;
buildMachines = [
@@ -81,14 +90,16 @@
maxJobs = 100;
systems = [ "x86_64-linux" ];
sshUser = "root";
- supportedFeatures = [ "kvm" "nixos-test" ];
+ supportedFeatures = [
+ "kvm"
+ "nixos-test"
+ ];
sshKey = "/home/julien/.ssh/id_ed25519";
speedFactor = 2;
}
];
};
-
environment.systemPackages = with pkgs; [
tailscale
brightnessctl
@@ -96,7 +107,6 @@
wl-mirror
];
-
networking.wireguard.interfaces.rezo = {
ips = [ "fd81:fb3a:50cc::200/128" ];
privateKeyFile = "/root/wg-private";
@@ -109,7 +119,6 @@
];
};
-
security.pam.services.swaylock = { };
services.printing.enable = true;
@@ -118,11 +127,6 @@
# for a WiFi printer
services.avahi.openFirewall = true;
- programs.sway = {
- enable = true;
- wrapperFeatures.gtk = true;
- };
- # programs.sway.package = null;
programs.ssh.startAgent = true;
services.gnome.gnome-keyring.enable = true;
@@ -132,9 +136,34 @@
"zotero-6.0.27"
];
+ services.hash-collection = {
+ enable = true;
+ collection-url = "https://reproducibility.nixos.social";
+ tokenFile = "/home/julien/lila-secrets/tokenfile";
+ secretKeyFile = "/home/julien/lila-secrets/secret.key";
+ };
+
+ nix.settings = {
+ post-build-hook = lib.mkForce (
+ pkgs.writeScript "hash-collection-build-hook" ''
+ #!/bin/sh
+ export HASH_COLLECTION_SERVER=${config.services.hash-collection.collection-url}
+ export HASH_COLLECTION_TOKEN=$(cat ${toString config.services.hash-collection.tokenFile})
+ export HASH_COLLECTION_SECRET_KEY=$(cat ${toString config.services.hash-collection.secretKeyFile})
+
+ # redirect stderr to stdout, otherwise it appears to go missing?
+ ${pkgs.lila-build-hook}/bin/build-hook 2>&1
+ ''
+ );
+ };
+
+ # Desktop environment
+ programs.xwayland.enable = true;
+ programs.hyprland = {
+ enable = true;
+ package = pkgs.unstable.hyprland;
+ portalPackage = pkgs.unstable.xdg-desktop-portal-hyprland;
+ };
+
system.stateVersion = "23.05";
-
}
-
-
-