starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-04-20 16:01:21 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
4db8d0d2cb01c19e57493a3473e6131b72fd2dc5
nix-config/hosts/12kingdoms-shoukei/hardware-configuration.nix
Ryan Yin 69f77fecca feat: new host - idols-akane, hardens VFAT /boot mounts (#245) 
* feat: new host - idols-akane

* fix: missing efi files

* fix: efi partition - permission issue
2026-03-07 23:54:13 +08:00

187 lines
5.4 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
let
device = "/dev/disk/by-uuid/c2e8b249-240e-4eef-bf4e-81e7dbbf4887";
in
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./apple-silicon.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
# depending on how you configured your disk mounts, change this to /boot or /boot/efi.
boot.loader.efi.efiSysMountPoint = "/boot";
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = [
"x86_64-linux"
"riscv64-linux"
];
# This enables the kernel to preload the emulator binaries when the binfmt registrations are added,
# obviating the need to make the emulator binaries available inside chroots and chroot-like sandboxes.
boot.binfmt.preferStaticEmulators = true; # required to work with podman
nixpkgs.overlays = [
(final: previous: {
# https://github.com/NixOS/nixpkgs/issues/392673
# aarch64-unknown-linux-musl-ld: (.text+0x484): warning: too many GOT entries for -fpic, please recompile with -fPIC
nettle = previous.nettle.overrideAttrs (
lib.optionalAttrs final.stdenv.hostPlatform.isStatic {
CCPIC = "-fPIC";
}
);
})
# https://github.com/NixOS/nixpkgs/issues/366902
(final: prev: {
qemu-user = prev.qemu-user.overrideAttrs (
old:
lib.optionalAttrs final.stdenv.hostPlatform.isStatic {
configureFlags = old.configureFlags ++ [ "--disable-pie" ];
}
);
})
];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = lib.mkForce [
"ext4"
"btrfs"
"xfs"
"ntfs"
"fat"
"vfat"
"exfat"
];
# clear /tmp on boot to get a stateless /tmp directory.
boot.tmp.cleanOnBoot = true;
boot.initrd = {
# unlocked luks devices via a keyfile or prompt a passphrase.
luks.devices."crypted-nixos" = {
device = "/dev/disk/by-uuid/1c37820e-2501-46e4-bec4-27c28691a5b4";
# the keyfile(or device partition) that should be used as the decryption key for the encrypted device.
# if not specified, you will be prompted for a passphrase instead.
#keyFile = "/root-part.key";
# whether to allow TRIM requests to the underlying device.
# it's less secure, but faster.
allowDiscards = true;
# Whether to bypass dm-crypts internal read and write workqueues.
# Enabling this should improve performance on SSDs;
# https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
bypassWorkqueues = true;
};
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/01CE-1DFD";
fsType = "vfat";
options = [
"fmask=0177" # File mask: 777-177=600 (Owner: rw-, Group/Others: ---)
"dmask=0077" # Directory mask: 777-077=700 (Owner: rwx, Group/Others: ---)
"noexec,nosuid,nodev" # Security: Block execution, ignore setuid, and disable device nodes
];
};
# equal to `mount -t tmpfs tmpfs /`
fileSystems."/" = {
device = "tmpfs";
fsType = "tmpfs";
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
# relatime: Update inode access times relative to modify or change time.
options = [
"relatime"
"mode=755"
];
};
fileSystems."/nix" = {
inherit device;
fsType = "btrfs";
options = [
"subvol=@nix"
"noatime"
"compress-force=zstd:1"
];
};
fileSystems."/tmp" = {
inherit device;
fsType = "btrfs";
options = [
"subvol=@tmp"
"noatime"
"compress-force=zstd:1"
];
};
fileSystems."/persistent" = {
inherit device;
fsType = "btrfs";
options = [
"subvol=@persistent"
"noatime"
"compress-force=zstd:1"
];
# preservation's data is required for booting.
neededForBoot = true;
};
fileSystems."/snapshots" = {
inherit device;
fsType = "btrfs";
options = [
"subvol=@snapshots"
"noatime"
"compress-force=zstd:1"
];
};
# mount swap subvolume in readonly mode.
fileSystems."/swap" = {
inherit device;
fsType = "btrfs";
options = [
"subvol=@swap"
"ro"
];
};
# remount swapfile in read-write mode
fileSystems."/swap/swapfile" = {
# the swapfile is located in /swap subvolume, so we need to mount /swap first.
depends = [ "/swap" ];
device = "/swap/swapfile";
fsType = "none";
options = [
"bind"
"rw"
];
};
swapDevices = [
{ device = "/swap/swapfile"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}
Reference in New Issue View Git Blame Copy Permalink