remote install config
@@ -3,7 +3,9 @@
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./disk.nix
|
||||
../../modules/nixos/garbage-collection.nix
|
||||
inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
|
||||
];
|
||||
|
||||
hardware.graphics.enable32Bit = true;
|
||||
@@ -16,6 +18,25 @@
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
# LUKS2 unlock via systemd-cryptenroll + FIDO2 (Yubikey).
|
||||
# Enroll with: systemd-cryptenroll --fido2-device=auto /dev/disk/by-partlabel/disk-main-luks
|
||||
# A recovery passphrase in slot 0 is kept as fallback by cryptenroll by default.
|
||||
# initrdUnlock is false in disk.nix so we own the full device config here.
|
||||
boot.initrd.systemd.fido2.enable = true;
|
||||
boot.initrd.luks.devices."cryptroot" = {
|
||||
device = "/dev/disk/by-partlabel/disk-main-luks";
|
||||
allowDiscards = true;
|
||||
bypassWorkqueues = true;
|
||||
crypttabExtraOpts = [ "fido2-device=auto" ];
|
||||
};
|
||||
|
||||
# zram swap — 8 GB on a 16 GB machine, no swap partition needed
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 50;
|
||||
algorithm = "zstd";
|
||||
};
|
||||
|
||||
# Use latest kernel
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
|
||||
@@ -135,8 +156,32 @@
|
||||
pinentry-curses
|
||||
ranger
|
||||
nodejs_24
|
||||
gqrx
|
||||
];
|
||||
programs.noisetorch.enable = true;
|
||||
|
||||
# btrfs snapshots — timeline via snapper
|
||||
services.snapper.configs.root = {
|
||||
SUBVOLUME = "/";
|
||||
ALLOW_USERS = [ "sonja" ];
|
||||
TIMELINE_CREATE = true;
|
||||
TIMELINE_CLEANUP = true;
|
||||
TIMELINE_LIMIT_HOURLY = 24;
|
||||
TIMELINE_LIMIT_DAILY = 7;
|
||||
TIMELINE_LIMIT_WEEKLY = 4;
|
||||
TIMELINE_LIMIT_MONTHLY = 6;
|
||||
TIMELINE_LIMIT_YEARLY = 2;
|
||||
};
|
||||
|
||||
# sops — dormant until .sops.yaml is populated with your GPG fingerprint
|
||||
# and secrets/secrets.yaml is created and encrypted.
|
||||
# sops.defaultSopsFile = ../../secrets/secrets.yaml;
|
||||
# sops.gnupg.sshKeyPaths = [];
|
||||
# sops.secrets.ssh_host_ed25519_key = {
|
||||
# path = "/etc/ssh/ssh_host_ed25519_key";
|
||||
# mode = "0600";
|
||||
# };
|
||||
|
||||
# Note: system.autoUpgrade with a channel URL does not apply to flake-managed
|
||||
# systems. Use `nixos-rebuild switch --flake .#coven` to upgrade instead.
|
||||
system.stateVersion = "25.11";
|
||||
|
||||
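Review bot: `allowDiscards = true` on `boot.initrd.luks.devices."cryptroot"` in the second hunk passes TRIM through dm-crypt, which exposes which blocks of the encrypted partition are unused, and the NixOS option documentation itself flags this as having security implications; the commit turns it on without recording the trade-off. If SSD wear/performance is the reason, say so next to the option, e.g. `# allowDiscards: TRIM through LUKS reveals free-space layout; accepted for SSD wear/perf.`. The comment `# A recovery passphrase in slot 0 is kept as fallback by cryptenroll by default.` in the same hunk is also slightly misleading: systemd-cryptenroll does not create a fallback passphrase, it only leaves existing key slots untouched unless `--wipe-slot` is given (a dedicated recovery key needs `--recovery-key`), so I would reword it to `# The passphrase from luksFormat stays in slot 0 (cryptenroll only adds the FIDO2 slot); keep it as the fallback.`. The enclosing attribute set of this module starts before the first hunk and ends after the last.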