Move remaining nix configs into folders.

2024-12-29 15:27:03 -05:00
parent 81315e4c7b
commit fe820e5843
5 changed files with 9 additions and 9 deletions
--- a/nix/configuration/roles/boot/default.nix
+++ b/nix/configuration/roles/boot/default.nix
@@ -0,0 +1,95 @@
+# ISO does not work with systemd initrd yet https://github.com/NixOS/nixpkgs/pull/291750
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options = {
+    me.secureBoot = {
+      enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Enable to use secure boot.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf (!config.me.buildingIso) {
+
+      boot.loader.grub.enable = false;
+      # Use the systemd-boot EFI boot loader.
+      boot.loader.systemd-boot.enable = true;
+      # TODO: make not write bootx64.efi
+      boot.loader.efi.canTouchEfiVariables = false;
+
+      # Automatically delete old generations
+      boot.loader.systemd-boot.configurationLimit = 3;
+
+      # Check what will be lost with `zfs diff zroot/linux/root@blank`
+      boot.initrd.systemd.enable = lib.mkDefault true;
+      boot.initrd.systemd.services.zfs-rollback = {
+        description = "Rollback ZFS root dataset to blank snapshot";
+        wantedBy = [
+          "initrd.target"
+        ];
+        after = [
+          "zfs-import-zroot.service"
+        ];
+        before = [
+          "sysroot.mount"
+        ];
+        path = with pkgs; [
+          zfs
+        ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig.Type = "oneshot";
+        script = ''
+          zfs rollback -r zroot/linux/nix/root@blank
+          zfs rollback -r zroot/linux/nix/home@blank
+          echo "rollback complete"
+        '';
+      };
+
+      # boot.loader.systemd-boot.extraEntries = {
+      #   "windows.conf" = ''
+      #     title Windows
+      #     efi /EFI/Microsoft/Boot/bootmgfw.efi
+      #     options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa
+      #   '';
+      # };
+    })
+    (lib.mkIf (config.me.secureBoot.enable) {
+      # For debugging and troubleshooting Secure Boot.
+      environment.systemPackages = with pkgs; [
+        sbctl
+      ];
+      boot.loader.systemd-boot.enable = lib.mkForce false;
+      boot.lanzaboote = {
+        enable = true;
+        pkiBundle = "/etc/secureboot";
+      };
+      environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+        hideMounts = true;
+        directories = [
+          "/etc/secureboot" # Secure Boot Keys
+        ];
+      };
+    })
+  ];
+}
+# efibootmgr -c -d /dev/sda -p 1 -L NixOS-boot -l '\EFI\NixOS-boot\grubx64.efi'
+
+# Text-only:
+# sudo cp "$(nix-build '<nixpkgs>' --no-out-link -A 'refind')/share/refind/refind_x64.efi" /boot/EFI/boot/bootx64.efi
+
+# Full graphics:
+# $ sudo nix-shell -p refind efibootmgr
+# $ refind-install
--- a/nix/configuration/roles/gpg/default.nix
+++ b/nix/configuration/roles/gpg/default.nix
@@ -89,11 +89,11 @@
    pcsctools
  ];

-  nixpkgs.overlays = [
-    (final: prev: {
-      gnupg = pkgs-unstable.gnupg;
-      scdaemon = pkgs-unstable.scdaemon;
-    })
-  ];
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     gnupg = pkgs-unstable.gnupg;
+  #     scdaemon = pkgs-unstable.scdaemon;
+  #   })
+  # ];

 }
--- a/nix/configuration/roles/network/default.nix
+++ b/nix/configuration/roles/network/default.nix
@@ -0,0 +1,54 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  networking.dhcpcd.enable = false;
+  networking.useDHCP = false;
+  networking.nameservers = [
+    "194.242.2.2#doh.mullvad.net"
+    "2a07:e340::2#doh.mullvad.net"
+  ];
+  services.resolved = {
+    enable = true;
+    # dnssec = "true";
+    domains = [ "~." ];
+    fallbackDns = [ ];
+    dnsovertls = "true";
+  };
+
+  # Without this, systemd-resolved will send DNS requests for <X>.home.arpa to the per-link DNS server (172.16.0.1) which does not support DNS-over-TLS. This leads to the connection anging and timing out. This causes firefox startup to take an extra 10+ seconds.
+  #
+  # Test with: drill @127.0.0.53 odo.home.arpa
+  networking.extraHosts = ''
+    127.0.0.1 odo.home.arpa
+    10.216.1.1		homeserver
+    10.216.1.6		media
+    10.216.1.12		odo
+    10.217.1.1		drmario
+    10.217.2.1		mrmanager
+  '';
+
+  networking.wireless.iwd = {
+    enable = true;
+
+    settings = {
+      General = {
+        EnableNetworkConfiguration = true;
+        AddressRandomization = "network";
+        ControlPortOverNL80211 = false;
+      };
+    };
+  };
+  environment.systemPackages = with pkgs; [
+    iw
+    iwd
+    ldns # for drill
+    arp-scan # To find devices on the network
+  ];
+}
--- a/nix/configuration/roles/zfs/default.nix
+++ b/nix/configuration/roles/zfs/default.nix
@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  boot.zfs.devNodes = "/dev/disk/by-partuuid";
+
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      interval = "monthly";
+    };
+    trim.enable = true;
+  };
+
+}