hosts: fixes for initial lifebook

add lanzaboote lifebook
2024-08-10 06:08:14 +02:00 · 2024-08-10 06:08:14 +02:00 · b05a692b47
parent e5db869b82
commit b05a692b47
3 changed files with 17 additions and 20 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -63,6 +63,7 @@ in
    specialArgs = { inherit inputs user location nixos-hardware agenix lanzaboote; };
    modules = [
      agenix.nixosModules.default
+      lanzaboote.nixosModule.lanzaboote
      ./lifebook
      ./configuration_desktop.nix
      ../modules/hardware/hydraCache.nix
--- a/hosts/lifebook/default.nix
+++ b/hosts/lifebook/default.nix
@ -17,7 +17,7 @@
 #           └─ default.nix
 #

-{ config, pkgs, user, ... }:
+{ lib, config, pkgs, user, ... }:

 {
  imports =                                                         # For now, if applying to other system, swap files
@ -32,13 +32,18 @@
    kernelPackages = pkgs.linuxPackages_latest;

    loader = {                              # EFI Boot
-      systemd-boot.enable = true;
+      systemd-boot.enable = lib.mkForce false;
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot";
      };
      timeout = 1;                          # Grub auto select time
    };
+
+    lanzaboote = {
+        enable = true;
+        pkiBundle = "/etc/secureboot";
+    };
  };

 #  hardware.sane = {                           # Used for scanning with Xsane
@ -51,9 +56,8 @@

  environment = {
    systemPackages = with pkgs; [
-#      simple-scan
+       linux-firmware
       intel-media-driver
-#       alacritty
    ];
  };

@ -62,14 +66,7 @@
  };

  services = {
-    tlp = {
-      enable = true;                      # TLP and auto-cpufreq for power management
-      settings = {
-        USB_DENYLIST="fc32:1287 1e7d:2e4a 1d5c:5500 1d5c:5510";
-      };
-    };
-
-    logind.lidSwitch = "suspend-then-hibernate";            # Laptop does not go to sleep when lid is closed
+    logind.lidSwitch = "hibernate";            # Laptop does not go to sleep when lid is closed
    #auto-cpufreq.enable = true;
    blueman.enable = true;
    printing = {                            # Printing and drivers for TS5300
--- a/hosts/lifebook/hardware-configuration.nix
+++ b/hosts/lifebook/hardware-configuration.nix
@ -32,10 +32,10 @@
 	  };

 	  kernelModules = [ "kvm-intel" ];
-	  kernelParams = [ "luks.options=fido2-device=auto" ];
-#	  extraModprobeConfig = ''
-#		  options i915 enable_guc=3 enable_fbc=1 fastboot=1
-#		  '';
+	  kernelParams = [ "luks.options=fido2-device=auto" "sysrq_always_enabled=1" ];
+	  extraModprobeConfig = ''
+		  options i915 enable_guc=3
+		  '';
 	  tmp.useTmpfs = false;
 	  tmp.cleanOnBoot = true;
  };
@ -174,16 +174,15 @@
    #defaultGateway = "192.168.0.1";
    #nameservers = [ "192.168.0.4" ];
    firewall = {
-      checkReversePath = "loose";
+      checkReversePath = "false";
      enable = true;
-      allowedUDPPorts = [ 24727 ];
+      allowedUDPPorts = [ 24727 51820 ];
      allowedTCPPorts = [ 24727 ];
    };
  };

  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  powerManagement = {
-    #cpuFreqGovernor = lib.mkDefault "schedutil";
-    #powertop.enable = true;    
+    powertop.enable = true;    
  };
 }