nixos-config/hardware-configuration.nix
June Clementine Strawberry a7e0208785
some t495 fixes, add fingerprint support
Signed-off-by: June Clementine Strawberry <strawberry@puppygock.gay>
2024-12-26 17:15:37 -05:00



# vim:tabstop=2:shiftwidth=2
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
#
# NOTE(review): this copy has clearly been hand-edited (mount options, modprobe
# config, kernel package, bluetooth), so the header above is stale: a re-run of
# nixos-generate-config would silently drop every one of those edits. Either
# move the hand-written parts into configuration.nix or accept that this file
# must never be regenerated in place.
{ config, lib, pkgs, modulesPath, ... }:
{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

  # Modules the initrd may load to reach the root device.
  boot.initrd.availableKernelModules = [
    "nvme"
    "ehci_pci"
    "xhci_pci"
    "usb_storage"
    "sd_mod"
    "rtsx_pci_sdmmc"
    # just in case, but my lsmod said these were loaded anyways
    # (these back the AES-XTS work for the LUKS root unlock in stage 1)
    "aesni_intel"
    "cryptd"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  # NOTE(review): linuxPackages_latest follows the newest mainline series, not
  # an LTS branch; a rebuild can jump kernel versions and the out-of-tree
  # module set has to keep up.
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # NOTE(review): the two blacklist lines turn off the chipset watchdog
  # drivers (iTCO_wdt is the Intel one and is moot on this AMD board;
  # sp5100_tco is the AMD one). With no watchdog loaded, a hard kernel hang
  # will sit there instead of rebooting -- fine for a laptop, worth knowing.
  boot.extraModprobeConfig = ''
    options thinkpad_acpi fan_control=1
    options usbcore autosuspend=5
    options snd_hda_intel enable_msi=1
    blacklist iTCO_wdt
    blacklist sp5100_tco
  '';

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/a24c5ca6-aa90-4985-b598-28dd07b5f12e";
      fsType = "ext4";
      options = [
        # asynchronously flushes commit blocks to disk without waiting for descriptor block to be written.
        # improves i/o perf
        #
        # must use data=writeback or data=journal
        #
        # this will prevent this drive being mounted on ancient kernels.
        "journal_async_commit"
        # NOTE(review): data=writeback is the *weakest* of ext4's three data
        # modes, not the strongest. Only metadata goes through the journal and
        # file data may hit disk after the metadata that points at it, so after
        # a crash or power loss a recently written file can contain stale blocks
        # from whatever previously occupied them (including other users' deleted
        # data on a multi-user system), and the file itself may be garbage.
        # data=journal gives the strongest guarantee; data=ordered is the
        # default middle ground. LUKS underneath does not change any of this --
        # it only hides the stale blocks from an offline reader. The only
        # reason to pick writeback here is throughput together with
        # journal_async_commit, which refuses data=ordered.
        "data=writeback"
        # im on a laptop so 5 -> 15 second commit is fine
        # (up to ~15 s of writes can be lost on power loss instead of ~5 s)
        "commit=15"
        # forcefully fsync()'s file replacements if not done by the bad application
        "auto_da_alloc"
        # 64-bit inode version support
        "i_version"
        # journal checksumming for e2fsck recovery support
        # internally enabled if using journal_async_commit
        "journal_checksum"
      ];
    };

  boot.initrd.luks.devices."luks-9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19" = {
    device = "/dev/disk/by-uuid/9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19";
    # work queues dont make sense for fast hardware like SSDs, plus these
    # are sync/blocking ops in linux which introduces kernel-thread deadlocks
    # under extreme I/O load.
    #
    # check if this applies using luksDump after reboot. idk why this config option didnt work for me.
    # sudo cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --allow-discards --persistent refresh luks-9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19
    #
    # NOTE(review): as I read the NixOS module, this option passes the
    # no-read/no-write-workqueue flags on the cryptsetup open done in the
    # initrd, every boot; it does not write anything into the LUKS2 header.
    # luksDump only lists flags stored with --persistent, so it will look
    # "off" even while the flags are active -- `cryptsetup status <name>` on
    # the running system shows what is actually in effect. The --persistent
    # refresh above stores the flags in the header, after which they apply
    # regardless of this option.
    bypassWorkqueues = true;
    # allow SSD TRIM ops; warning that this leaks metadata. this *may* expose FS-level ops
    # on the physical SSD controller such as formatted FS type, amount of space used, etc.
    # which *can* be of concern regarding forensics
    allowDiscards = true;
  };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/24C8-CDA5";
      fsType = "vfat";
      options = [
        # /boot doesn't need any of this
        "noexec"
        "nosuid"
        "nodev"
        # /boot doesnt need access times
        "noatime"
        # /boot is just used by root
        # (0077 = owner only; fmask/dmask restate it for files/dirs, and keep
        # the kernels and initrds on the ESP unreadable by unprivileged users.
        # NOTE(review): the ESP sits outside the LUKS volume, so these options
        # only limit reads from logged-in users; offline tampering with the
        # kernel/initrd is a Secure Boot / measured-boot question, not a mount
        # option one.)
        "umask=0077"
        "fmask=0077"
        "dmask=0077"
      ];
    };

  swapDevices = [{
    device = "/dev/disk/by-partuuid/fc7bf131-5531-4673-a033-43bc892234e5";
    # on modern linux >=5.6; urandom and random both use CSPRNGs, but random will wait/block
    # for CSPRNG init. urandom will try to init at the time of use.
    # beyond that, they both behave the same and just better atp to use random. ancient
    # advice to use urandom for everything.
    #
    # <https://lore.kernel.org/lkml/20200131204924.GA455123@mit.edu/>
    randomEncryption.source = "/dev/random";
    # fresh throwaway key on every boot: whatever lands in swap is
    # unrecoverable once the machine powers off. Consequence: resume from
    # hibernation cannot use this device, since the key is gone.
    randomEncryption.enable = true;
    # nvme id-ns -H /dev/nvme0n1 | grep 'LBA Format'
    #
    # if you support more than 512 sector size and are currently not using it,
    # then reinstall nixos and go through: <https://wiki.archlinux.org/title/Advanced_Format#NVMe_solid_state_drives>
    # then change this to your new sector size
    randomEncryption.sectorSize = 512;
    # 512 instead of 256 default key size (for aes-xts-plain64) can't hurt
    # (XTS splits the key in two, so 512 means AES-256 per half rather than AES-128)
    randomEncryption.keySize = 512;
    # allow SSD TRIM ops; warning that this leaks metadata. this *may* expose FS-level ops
    # on the physical SSD controller such as formatted FS type, amount of space used, etc.
    # which *can* be of concern regarding forensics
    randomEncryption.allowDiscards = true;
  }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;

  # i want all my firmware and microcode pls
  # NOTE(review): enableAllFirmware is a superset of the redistributable set
  # below and, as I read the module, also pulls in unfree / non-redistributable
  # blobs, so it needs nixpkgs.config.allowUnfree (the module asserts on it).
  hardware.enableAllFirmware = true;
  # dmesg | grep -i microcode
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

  hardware.bluetooth.enable = true;
  # radio comes up at boot, before any user session
  hardware.bluetooth.powerOnBoot = true;
  hardware.bluetooth.settings = {
    General = {
      Enable = "Source,Sink,Media,Socket";
      # NOTE(review): bluez's Experimental switch exposes its not-yet-stable
      # features and D-Bus interfaces; that is extra attack surface on a radio
      # that is always on. Worth confirming which feature actually needs it.
      Experimental = true;
    };
  };

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}