{ config, lib, pkgs, ... }:

# Host "stolas": a Framework 13 (AMD) laptop built on top of the shared laptop
# profile. Root sits on LUKS + btrfs subvolumes, the desktop is Plasma 6 on
# Wayland, swap is zram only and paperless runs locally. Every
# "/dev/disk/by-uuid/todo" below is a placeholder that still has to be filled
# in from nixos-generate-config before this host can boot.
let
  paperlessCfg = config.services.paperless;
in
{
  imports = [ ../modules/profiles/laptop.nix ];

  ### TODO double check with generated hw-config

  # TODO Secure Boot via lanzaboote is prepared here but not switched on yet.
  # boot.lanzaboote = {
  #   enable = true;
  #   pkiBundle = "/var/lib/sbctl";
  # };

  boot.kernelModules = [ "kvm-amd" ];
  # NOTE(review): pinned to pkgs.linuxPackages rather than
  # config.boot.kernelPackages; if an imported module selects a different
  # kernel this out-of-tree module may be built for the wrong one — confirm.
  boot.extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];

  boot.initrd.availableKernelModules = [
    "nvme"
    "ehci_pci"
    "xhci_pci"
    "usb_storage"
    "sd_mod"
    "rtsx_pci_sdmmc"
  ];
  # TODO disable for lanzaboote
  boot.initrd.systemd.enable = true;

  # Lanzaboote currently replaces the systemd-boot module. This setting is
  # usually set to true in configuration.nix generated at installation time,
  # so it would have to be forced to false once lanzaboote is enabled. Kept
  # commented out together with the lanzaboote block above, i.e. not in effect.
  # boot.loader.systemd-boot.enable = lib.mkForce false;

  # Encrypted root volume. allowDiscards lets TRIM pass through the LUKS layer.
  boot.initrd.luks.devices.root = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    allowDiscards = true;
    # TODO lanzaboote + TPM2 unlock with PIN
    # https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL
    # crypttabExtraOpts = [ "fido2-device=auto" ];
  };

  # For debugging and troubleshooting Secure Boot.
  environment.systemPackages = [ pkgs.sbctl ];

  # TODO compare with nixos-generate-config --show-hardware-config
  # btrfs layout: one subvolume per mount point, zstd compression everywhere
  # except the swap subvolume. /tmp is tmpfs because of config in base.nix.
  fileSystems."/boot" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    fsType = "vfat";
  };
  fileSystems."/" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    fsType = "btrfs";
    options = [ "subvol=root" "compress=zstd" ];
  };
  # NOTE(review): "/home" and "/home/dadada" give no fsType, unlike the other
  # btrfs mounts — confirm relying on autodetection is intended.
  fileSystems."/home" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    options = [ "compress=zstd" "subvol=home" ];
  };
  fileSystems."/home/dadada" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    options = [ "compress=zstd" "subvol=home/dadada" ];
  };
  fileSystems."/nix" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    fsType = "btrfs";
    options = [ "noatime" "compress=zstd" "subvol=nix" ];
  };
  # Scratch space for nix builds lives in RAM instead of on the btrfs volume.
  fileSystems."/nix/var/nix/builds" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      # Max 80% of available RAM
      "size=80%"
      # Only owner (nix daemon may write)
      "mode=755"
    ];
  };
  fileSystems."/root" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    fsType = "btrfs";
    # NOTE(review): this is the same "subvol=root" that backs "/" above, so
    # /root would be a second mount of the root subvolume rather than its own
    # one — probably meant to be a dedicated subvolume; confirm before filling
    # in the UUIDs.
    options = [ "compress=zstd" "subvol=root" ];
  };
  fileSystems."/var" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    fsType = "btrfs";
    options = [ "compress=zstd" "subvol=var" ];
  };
  fileSystems."/var/lib/paperless" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    fsType = "btrfs";
    options = [ "compress=zstd" "subvol=var/lib/paperless" ];
  };
  # Uncompressed subvolume reserved for a future swap file (see TODO below).
  fileSystems."/var/swap" = {
    # TODO
    device = "/dev/disk/by-uuid/todo";
    fsType = "btrfs";
    options = [ "noatime" "subvol=swap" ];
  };

  # TODO btrfs filesystem mkswapfile --uuid clear /var/swap/swapfile
  # swapDevices = [{
  #   device = "/var/swap/swapfile";
  #   size = 80*1024; # Creates an 80GB swap file
  # }];

  # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features
  hardware.bluetooth.enable = true;
  hardware.framework.laptop13.audioEnhancement.enable = true;
  hardware.graphics = {
    enable = true;
    # VA-API <-> VDPAU bridges for hardware video decoding.
    extraPackages = [ pkgs.vaapiVdpau pkgs.libvdpau-va-gl ];
  };

  powerManagement = {
    enable = true;
    cpuFreqGovernor = "schedutil";
    # TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod?
    # Caps charging at 80 % through the kernel's charge_control_stop_threshold
    # sysfs knob; powerUpCommands runs after resume (and, per the NixOS option,
    # on boot as well — confirm).
    powerUpCommands = ''
      echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold
    '';
  };

  networking.hostName = "stolas";
  networking.firewall = {
    enable = true;
    # Only Syncthing is opened in this file; any other port has to come from
    # an imported module.
    allowedTCPPorts = [ 22000 ]; # Syncthing
    allowedUDPPorts = [ 21027 ]; # Syncthing
  };

  nix.settings.max-jobs = lib.mkDefault 16;

  # TODO dadada.backupClient.backup1.enable = true;
  # dadada.backupClient.backup2 = {
  #   enable = true;
  #   passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
  #   sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
  #   repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup";
  # };

  programs = {
    adb.enable = true;
    firefox = {
      enable = true;
      package = pkgs.firefox-wayland;
    };
    gnupg.agent.enable = true;
    ssh.startAgent = true;
    # Pairs with the "wireshark" group membership below, which is what lets
    # the user capture without root (via the module's dumpcap wrapper — confirm).
    wireshark.enable = true;
  };

  services.avahi.enable = true;
  services.desktopManager.plasma6.enable = true;
  services.displayManager.sddm = {
    enable = true;
    wayland.enable = true;
  };
  # Forced off so that an imported module cannot re-enable it.
  services.gnome.gnome-keyring.enable = lib.mkForce false;
  services.smartd.enable = true;
  services.printing = {
    enable = true;
    browsing = true;
  };
  services.paperless = {
    # TODO migrate DB
    enable = true;
    # The password comes from the agenix secret declared at the bottom.
    passwordFile = config.age.secrets.paperless.path;
  };
  services.tlp.enable = false;

  system.stateVersion = "25.05";

  # Consumption directory for paperless: world-writable when it is declared
  # public, otherwise writable only by the paperless user and its group.
  systemd.tmpfiles.rules =
    let
      publicRule = "d '${paperlessCfg.consumptionDir}' 777 - - - -";
      privateRule = "d '${paperlessCfg.consumptionDir}' 770 ${paperlessCfg.user} ${config.users.users.${paperlessCfg.user}.group} - -";
    in
    [ (if paperlessCfg.consumptionDirIsPublic then publicRule else privateRule) ];

  # ModemManager is not wanted on this machine; both the service and what
  # appears to be its D-Bus activation alias are forced off.
  systemd.services.modem-manager.enable = lib.mkForce false;
  systemd.services."dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;

  # NOTE(review): HibernateDelaySec only matters for suspend-then-hibernate,
  # and hibernation needs a disk-backed swap device — swapDevices is still
  # commented out above and only zramSwap is enabled, so confirm this actually
  # hibernates instead of failing when the delay expires.
  systemd.sleep.extraConfig = ''
    HibernateDelaySec=1h
  '';

  virtualisation.libvirtd.enable = true;

  users.users.dadada = {
    isNormalUser = true;
    # NOTE(review): wheel, docker, libvirtd, kvm and dialout each extend this
    # account well beyond an ordinary user (docker in particular is commonly
    # treated as root-equivalent, and docker itself is not enabled in this
    # file); keep the list as short as the workflows allow.
    extraGroups = [
      "wheel"
      "networkmanager"
      "libvirtd"
      "adbusers"
      "kvm"
      "video"
      "scanner"
      "lp"
      "docker"
      "dialout"
      "wireshark"
      "paperless"
    ];
    # NOTE(review): absolute path instead of pkgs.zsh — zsh has to be provided
    # by an imported module for this to resolve; confirm.
    shell = "/run/current-system/sw/bin/zsh";
  };

  age.secrets.paperless = {
    file = "${config.dadada.secrets.path}/paperless.age";
    # NOTE(review): 700 adds an execute bit to a file that is only ever read;
    # 400 would be the least-privilege choice for a password file — confirm
    # nothing relies on the extra bits.
    mode = "700";
    owner = "paperless";
  };

  # Create compressing swap space in RAM
  zramSwap.enable = true;
}