fix: sops secrets not rendered on boot

also fixes an org-caldav error that required org/appointments.org to exist
2025-12-06 09:07:21 +01:00 · 2024-08-04 11:21:51 +02:00 · 2024-08-04 11:21:51 +02:00 · 40e81f104b
commit 40e81f104b
parent 175078feee
21 changed files with 855 additions and 1141 deletions
--- a/profiles/nbl-imba-2/default.nix
+++ b/profiles/nbl-imba-2/default.nix
@ -5,6 +5,7 @@
    inputs.nixos-hardware.nixosModules.framework-16-7040-amd

    ./hardware-configuration.nix
+    ./disk-config.nix

    ../optional/nixos/steam.nix
    # ../optional/nixos/virtualbox.nix
@ -29,6 +30,8 @@
    };
  };

+  networking.networkmanager.wifi.scanRandMacAddress = false;
+
  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
@ -55,6 +58,9 @@

  services = {
    fwupd.enable = true;
+    udev.extraRules = ''
+      ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20"
+    '';
  };

  swarselsystems = {
@ -62,11 +68,14 @@
    hasBluetooth = true;
    hasFingerprint = true;
    initialSetup = true;
+    impermanence = false;
+    isBtrfs = true;
  };

  home-manager.users.swarsel.swarselsystems = {
    isLaptop = true;
    isNixos = true;
+    isBtrfs = true;
    # temperatureHwmon = {
    #   isAbsolutePath = true;
    #   path = "/sys/devices/platform/thinkpad_hwmon/hwmon/";
@ -75,31 +84,45 @@
    #  ------   -----
    # | DP-4 | |eDP-1|
    #  ------   -----
-    # monitors = {
-    #   main = {
-    #     name = "California Institute of Technology 0x1407 Unknown";
-    #     mode = "1920x1080"; # TEMPLATE
-    #     scale = "1";
-    #     position = "2560,0";
-    #     workspace = "2:二";
-    #     output = "eDP-1";
-    #   };
-    #   homedesktop = {
-    #     name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
-    #     mode = "2560x1440";
-    #     scale = "1";
-    #     position = "0,0";
-    #     workspace = "1:一";
-    #     output = "DP-4";
-    #   };
-    # };
-    # inputs =  {
-    #   "1:1:AT_Translated_Set_2_keyboard" = {
-    #     xkb_layout = "us";
-    #     xkb_options = "grp:win_space_toggle";
-    #     xkb_variant = "altgr-intl";
-    #   };
-    # };
+    monitors = {
+      main = {
+        name = "BOE 0x0BC9 Unknown";
+        mode = "2560x1600"; # TEMPLATE
+        scale = "1";
+        position = "2560,0";
+        workspace = "2:二";
+        output = "eDP-2";
+      };
+      homedesktop = {
+        name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
+        mode = "2560x1440";
+        scale = "1";
+        position = "0,0";
+        workspace = "1:一";
+        output = "DP-11";
+      };
+      workdesktop = {
+        name = "LG Electronics LG Ultra HD 0x000305A6";
+        mode = "2560x1440";
+        scale = "1";
+        position = "0,0";
+        workspace = "1:一";
+        output = "DP-10";
+      };
+    };
+    inputs = {
+      "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {
+        xkb_layout = "us";
+        xkb_options = "grp:win_space_toggle";
+        xkb_variant = "altgr-intl";
+      };
+      "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
+        dwt = "enabled";
+        tap = "enabled";
+        natural_scroll = "enabled";
+        middle_emulation = "enabled";
+      };
+    };
    keybindings = { };
  };
 }
--- a/profiles/nbl-imba-2/disk-config.nix
+++ b/profiles/nbl-imba-2/disk-config.nix
@ -33,30 +33,30 @@
                  "--perf-no_write_workqueue"
                ];
                # https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
-                settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];};
+                settings = { crypttabExtraOpts = [ "fido2-device=auto" "token-timeout=10" ]; };
                content = {
                  type = "btrfs";
-                  extraArgs = ["-L" "nixos" "-f"];
+                  extraArgs = [ "-L" "nixos" "-f" ];
                  subvolumes = {
                    "/root" = {
                      mountpoint = "/";
-                      mountOptions = ["subvol=root" "compress=zstd" "noatime"];
+                      mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
                    };
                    "/home" = {
                      mountpoint = "/home";
-                      mountOptions = ["subvol=home" "compress=zstd" "noatime"];
+                      mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
                    };
                    "/nix" = {
                      mountpoint = "/nix";
-                      mountOptions = ["subvol=nix" "compress=zstd" "noatime"];
+                      mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
                    };
                    "/persist" = {
                      mountpoint = "/persist";
-                      mountOptions = ["subvol=persist" "compress=zstd" "noatime"];
+                      mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ];
                    };
                    "/log" = {
                      mountpoint = "/var/log";
-                      mountOptions = ["subvol=log" "compress=zstd" "noatime"];
+                      mountOptions = [ "subvol=log" "compress=zstd" "noatime" ];
                    };
                    "/swap" = {
                      mountpoint = "/swap";
--- a/profiles/nbl-imba-2/hardware-configuration.nix
+++ b/profiles/nbl-imba-2/hardware-configuration.nix
@ -5,7 +5,8 @@

 {
  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
    ];

  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
@ -13,50 +14,57 @@
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
-      fsType = "btrfs";
-      options = [ "subvol=root" ];
-    };
+  # fileSystems."/" =
+  #   {
+  #     device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
+  #     fsType = "btrfs";
+  #     options = [ "subvol=root" ];
+  #   };

-  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/98b9bf76-ca01-49f5-91ee-1884ae9ce383";
+  # boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/98b9bf76-ca01-49f5-91ee-1884ae9ce383";

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/5236-F44A";
-      fsType = "vfat";
-    };
+  # fileSystems."/boot" =
+  #   {
+  #     device = "/dev/disk/by-uuid/5236-F44A";
+  #     fsType = "vfat";
+  #   };

-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
+  # fileSystems."/home" =
+  #   {
+  #     device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
+  #     fsType = "btrfs";
+  #     options = [ "subvol=home" ];
+  #   };

-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
-      fsType = "btrfs";
-      options = [ "subvol=nix" ];
-    };
+  # fileSystems."/nix" =
+  #   {
+  #     device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
+  #     fsType = "btrfs";
+  #     options = [ "subvol=nix" ];
+  #   };

-  fileSystems."/persist" =
-    { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
-      fsType = "btrfs";
-      options = [ "subvol=persist" ];
-    };
+  # fileSystems."/persist" =
+  #   {
+  #     device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
+  #     fsType = "btrfs";
+  #     options = [ "subvol=persist" ];
+  #   };

-  fileSystems."/swap" =
-    { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
-      fsType = "btrfs";
-      options = [ "subvol=swap" ];
-    };
+  # fileSystems."/swap" =
+  #   {
+  #     device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
+  #     fsType = "btrfs";
+  #     options = [ "subvol=swap" ];
+  #   };

-  fileSystems."/var/log" =
-    { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
-      fsType = "btrfs";
-      options = [ "subvol=log" ];
-    };
+  # fileSystems."/var/log" =
+  #   {
+  #     device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
+  #     fsType = "btrfs";
+  #     options = [ "subvol=log" ];
+  #   };

-  swapDevices = [ ];
+  # swapDevices = [ ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's