move stuff

2025-08-26 17:20:27 -05:00
parent f66c0726b0
commit d15762b199
68 changed files with 24 additions and 25 deletions
--- a/systems/x86_64-linux/jallen-nas/boot.nix
+++ b/systems/x86_64-linux/jallen-nas/boot.nix
@@ -0,0 +1,74 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  configLimit = 50;
+  kernel = pkgs.linuxPackages; # linuxPackages_latest;
+in
+{
+  # Configure bootloader with lanzaboot and secureboot
+  boot = {
+    kernelModules = [ "nct6775" ];
+    loader = {
+      systemd-boot = {
+        enable = false;
+        configurationLimit = configLimit;
+      };
+
+      efi = {
+        canTouchEfiVariables = true;
+        efiSysMountPoint = "/boot";
+      };
+    };
+
+    kernel.sysctl = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+      "vm.swappiness" = 60;
+    };
+
+    # Override kernel to latest
+    kernelPackages = kernel;
+
+    kernelParams = [
+      "nohibernate"
+    ];
+
+    consoleLogLevel = 3;
+    bootspec.enable = true;
+
+    plymouth.enable = lib.mkForce false;
+
+    initrd = {
+      kernelModules = [
+        "tpm"
+        "tpm_tis"
+        "tpm_crb"
+        "tpm_infineon"
+      ];
+      systemd = {
+        enable = true;
+        # tpm2.enable = true;
+        tpm2.enable = true;
+      };
+      clevis = {
+        enable = true;
+        devices = {
+          "/dev/disk/by-label/nas_pool".secretFile = config.sops.secrets."jallen-nas/nas_pool".path;
+        };
+      };
+    };
+
+    # Enable binfmt emulation for ARM
+    binfmt.emulatedSystems = [ "aarch64-linux" ]; # --argstr system aarch64-linux
+  };
+
+  environment.etc."clevis/nas_pool.jwe".source = config.sops.secrets."jallen-nas/nas_pool".path;
+
+  zramSwap = {
+    enable = true;
+  };
+}