
{
  inputs,
  lib,
  stateVersion,
  pkgs,
  config,
  ...
}: {
  # The state version is handed in by the caller rather than hard-coded here.
  system.stateVersion = stateVersion;

  # agenix-rekey: secrets encrypted for the master identities get rekeyed
  # to the public key of the host being built.
  age.rekey = {
    masterIdentities = inputs.self.secretsConfig.masterIdentities;
    extraEncryptionPubkeys = inputs.self.secretsConfig.extraEncryptionPubkeys;
    # Rekeyed secrets are built as a derivation instead of being stored in
    # the repository.
    storageMode = "derivation";
    # Not a standard builtin: comes from an extra-builtins plugin and, as the
    # name warns, should be treated as impure.
    forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
    # Only set the host key when the per-host public key file is present.
    # If it is missing, a warning is printed at evaluation time and nothing is
    # set here, so the option keeps its default (the message calls this the
    # dummy replacement key) and the host can still be evaluated before its
    # key has been generated.
    hostPubkey = let
      hostKeyFile = config.node.secretsDir + "/host.pub";
      keyIsPresent =
        if lib.pathExists hostKeyFile
        then true
        else lib.trace "Missing pubkey for ${config.node.name}: ${toString hostKeyFile} not found, using dummy replacement key for now." false;
    in
      lib.mkIf keyIsPresent hostKeyFile;
    generatedSecretsDir = config.node.secretsDir + "/generated/";
    # The escaped quotes are part of the value: Nix leaves "$UID" untouched,
    # presumably so the shell running agenix-rekey expands it per user.
    cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
  };

  # sudo is not installed on these hosts.
  security.sudo.enable = false;
  # TPM 2.0 support, including its PKCS#11 interface.
  security.tpm2 = {
    enable = true;
    pkcs11.enable = true;
  };

  # Workaround: when a secret is used in the initrd it is copied into the
  # initramfs under the same path, which leaves /run/agenix behind as a real
  # directory. Agenix does not fail in that situation but places the
  # generation link inside the existing directory, so the directory is
  # removed right before the new generation is linked. Only enabled on hosts
  # that actually declare secrets.
  # TODO See https://github.com/ryantm/agenix/pull/187.
  system.activationScripts = lib.mkIf (config.age.secrets != {}) {
    # Remove /run/agenix only if it is a plain directory, never a symlink.
    removeAgenixLink.text = "[[ ! -L /run/agenix ]] && [[ -d /run/agenix ]] && rm -rf /run/agenix";
    # Ordering: the cleanup has to run before agenix links the new generation.
    agenixNewGeneration.deps = ["removeAgenixLink"];
  };

  time.timeZone = lib.mkDefault "Europe/Berlin";
  i18n.defaultLocale = "C.UTF-8";

  console = {
    font = "${pkgs.terminus_font}/share/consolefonts/ter-v28n.psf.gz";
    packages = [pkgs.terminus_font];
    # Derive the virtual console keymap from the X keyboard settings too.
    useXkbConfig = true;
    keyMap = lib.mkDefault "de-latin1-nodeadkeys";
  };

  # Baseline tooling present on every host.
  environment.systemPackages = [
    pkgs.wget
    pkgs.tree
    pkgs.rage
    pkgs.file
    pkgs.ripgrep
    pkgs.killall
    pkgs.fd
    pkgs.kitty.terminfo
    pkgs.nvd
    pkgs.htop
    pkgs.unzip
    # fix pcscd
    pkgs.pcscliteWithPolkit.out
    pkgs.wireguard-tools
  ];

  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

  # Secret files: the repository-wide file is always included; the per-host
  # file is added only when the host has a name and the file exists.
  secrets.secretFiles = let
    hostSecretsFile = config.node.secretsDir + "/secrets.nix.age";
    hasHostSecrets = config.node.name != null && lib.pathExists hostSecretsFile;
  in
    {global = ../../secrets/secrets.nix.age;}
    // lib.optionalAttrs hasHostSecrets {local = hostSecretsFile;};
}