wytch/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

remote install config

Browse Source
This commit is contained in:
wytch
2026-04-24 14:48:12 -05:00
parent 015e786e23
commit 613e37d58b
11 changed files with 283 additions and 245 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
hosts/coven/configuration.nix
View File

@@ -3,7 +3,9 @@
{
imports = [
./hardware-configuration.nix
./disk.nix
../../modules/nixos/garbage-collection.nix
inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
];
hardware.graphics.enable32Bit = true;
@@ -16,6 +18,25 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# LUKS2 unlock via systemd-cryptenroll + FIDO2 (Yubikey).
# Enroll with: systemd-cryptenroll --fido2-device=auto /dev/disk/by-partlabel/disk-main-luks
# A recovery passphrase in slot 0 is kept as fallback by cryptenroll by default.
# initrdUnlock is false in disk.nix so we own the full device config here.
boot.initrd.systemd.fido2.enable = true;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-partlabel/disk-main-luks";
allowDiscards = true;
bypassWorkqueues = true;
crypttabExtraOpts = [ "fido2-device=auto" ];
};
# zram swap — 8 GB on a 16 GB machine, no swap partition needed
zramSwap = {
enable = true;
memoryPercent = 50;
algorithm = "zstd";
};
# Use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -135,8 +156,32 @@
pinentry-curses
ranger
nodejs_24
gqrx
];
programs.noisetorch.enable = true;
# btrfs snapshots — timeline via snapper
services.snapper.configs.root = {
SUBVOLUME = "/";
ALLOW_USERS = [ "sonja" ];
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
TIMELINE_LIMIT_HOURLY = 24;
TIMELINE_LIMIT_DAILY = 7;
TIMELINE_LIMIT_WEEKLY = 4;
TIMELINE_LIMIT_MONTHLY = 6;
TIMELINE_LIMIT_YEARLY = 2;
};
# sops — dormant until .sops.yaml is populated with your GPG fingerprint
# and secrets/secrets.yaml is created and encrypted.
# sops.defaultSopsFile = ../../secrets/secrets.yaml;
# sops.gnupg.sshKeyPaths = [];
# sops.secrets.ssh_host_ed25519_key = {
# path = "/etc/ssh/ssh_host_ed25519_key";
# mode = "0600";
# };
# Note: system.autoUpgrade with a channel URL does not apply to flake-managed
# systems. Use `nixos-rebuild switch --flake .#coven` to upgrade instead.
system.stateVersion = "25.11";