# vim:tabstop=2:shiftwidth=2
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
#
# NOTE(review): the mount, LUKS, swap and bluetooth settings below are hand
# edits on top of the generated output, so a later nixos-generate-config run
# would discard them; keep this file under version control next to
# configuration.nix.
{ config, lib, pkgs, modulesPath, ... }:
{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

  # Modules that must be available in stage 1 (the initrd) so the NVMe root
  # device can be found and the LUKS container below unlocked before the real
  # root is mounted.
  boot.initrd.availableKernelModules = [
    "nvme"
    "ehci_pci"
    "xhci_pci"
    "usb_storage"
    "sd_mod"
    "rtsx_pci_sdmmc"
    # just in case, but my lsmod said these were loaded anyways
    # (presumably listed so the LUKS unlock in the initrd can use AES-NI rather
    # than the generic C implementation — `cryptsetup benchmark` shows which
    # one is in use; lsmod on the booted system says nothing about stage 1)
    "aesni_intel"
    "cryptd"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  # Tracks the newest packaged kernel rather than the NixOS default; the ext4
  # and /dev/random notes further down assume a recent kernel.
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # Module parameters and blacklists applied by modprobe. The two blacklisted
  # modules are the Intel (iTCO_wdt) and AMD (sp5100_tco) TCO hardware
  # watchdog drivers; with them unloaded nothing can reset the machine on a
  # missed watchdog ping.
  boot.extraModprobeConfig = ''
    options thinkpad_acpi fan_control=1
    options usbcore autosuspend=5
    options snd_hda_intel enable_msi=1
    blacklist iTCO_wdt
    blacklist sp5100_tco
  '';

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/a24c5ca6-aa90-4985-b598-28dd07b5f12e";
      fsType = "ext4";
      options = [
        # asynchronously flushes commit blocks to disk without waiting for descriptor block to be written.
        # improves i/o perf
        #
        # must use data=writeback or data=journal
        #
        # this will prevent this drive being mounted on ancient kernels.
        "journal_async_commit"
        # NOTE(review): this is the *weakest* of ext4's three data modes, not
        # the safest: file data is not ordered with its metadata, so after a
        # crash or power loss a recently written file can contain stale blocks
        # from whatever occupied that space before. It is chosen here because
        # journal_async_commit refuses the default data=ordered; data=journal
        # would be the safe alternative at a throughput cost. On a laptop with
        # a battery the exposure is mostly limited to hard hangs.
        "data=writeback"
        # im on a laptop so 5 -> 15 second commit is fine
        # (this is the upper bound on how much recent data is lost on a crash)
        "commit=15"
        # forcefully fsync()'s file replacements if not done by the bad application
        # (replace-via-rename and replace-via-truncate patterns), which narrows
        # the zero-length-file window that data=writeback otherwise widens
        "auto_da_alloc"
        # 64-bit inode version support
        "i_version"
        # journal checksumming for e2fsck recovery support
        # internally enabled if using journal_async_commit
        "journal_checksum"
      ];
    };

  # Root lives on a LUKS container; NixOS opens it in stage 1 with the flags
  # below before mounting "/".
  boot.initrd.luks.devices."luks-9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19" = {
    device = "/dev/disk/by-uuid/9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19";
    # work queues dont make sense for fast hardware like SSDs, plus these
    # are sync/blocking ops in linux which introduces kernel-thread deadlocks
    # under extreme I/O load.
    #
    # check if this applies using luksDump after reboot. idk why this config option didnt work for me.
    # sudo cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --allow-discards --persistent refresh luks-9cff8e4d-0e9e-48a4-8dd4-1b48f68c2e19
    #
    # NOTE(review): `luksDump` only lists flags that `--persistent` stored in
    # the LUKS2 header; flags passed on the command line at open time (which
    # is how this option is applied) show up in `cryptsetup status <name>` or
    # `dmsetup table` instead, which is probably why the option looked
    # inactive — confirm on the running system before relying on the manual
    # refresh above.
    bypassWorkqueues = true;
    # allow SSD TRIM ops; warning that this leaks metadata. this *may* expose FS-level ops
    # on the physical SSD controller such as formatted FS type, amount of space used, etc.
    # which *can* be of concern regarding forensics
    allowDiscards = true;
  };

  # EFI system partition. Nothing here is ever executed by Linux itself, so
  # the exec/suid/dev restrictions cost nothing.
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/24C8-CDA5";
      fsType = "vfat";
      options = [
        # /boot doesn't need any of this
        "noexec"
        "nosuid"
        "nodev"
        # /boot doesnt need access times
        "noatime"
        # /boot is just used by root
        # (keeps kernels and initrds unreadable to unprivileged users, which
        # matters if boot.initrd.secrets is ever used; fmask/dmask take
        # precedence over umask for files/dirs respectively, so umask is
        # effectively a fallback here)
        "umask=0077"
        "fmask=0077"
        "dmask=0077"
      ];
    };

  # Swap is re-keyed with a fresh random key on every boot, so paged-out
  # memory is unrecoverable after a reboot. The same property means this
  # device cannot be used to resume from hibernation.
  swapDevices = [{
    device = "/dev/disk/by-partuuid/fc7bf131-5531-4673-a033-43bc892234e5";
    # on modern linux >=5.6; urandom and random are both fed by the same CSPRNG.
    # /dev/random blocks only until that CSPRNG is seeded and then never again,
    # while /dev/urandom never blocks and can hand out output *before* seeding.
    # for a key generated early in boot that difference is exactly what matters,
    # so /dev/random is the right choice now; the old "always use urandom"
    # advice predates this change.
    #
    # <https://lore.kernel.org/lkml/[email protected]/>
    randomEncryption.source = "/dev/random";
    randomEncryption.enable = true;
    # nvme id-ns -H /dev/nvme0n1 | grep 'LBA Format'
    #
    # if you support more than 512 sector size and are currently not using it,
    # then reinstall nixos and go through: <https://wiki.archlinux.org/title/Advanced_Format#NVMe_solid_state_drives>
    # then change this to your new sector size
    randomEncryption.sectorSize = 512;
    # 512 instead of 256 default key size (for aes-xts-plain64) can't hurt
    # (XTS splits the key in two: 512 bits is AES-256-XTS, the 256 default is
    # AES-128-XTS)
    randomEncryption.keySize = 512;
    # allow SSD TRIM ops; warning that this leaks metadata. this *may* expose FS-level ops
    # on the physical SSD controller such as formatted FS type, amount of space used, etc.
    # which *can* be of concern regarding forensics
    randomEncryption.allowDiscards = true;
  }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;

  # i want all my firmware and microcode pls
  # NOTE(review): enableAllFirmware also pulls in non-redistributable/unfree
  # firmware blobs and presumably requires nixpkgs.config.allowUnfree — confirm
  # that is set in configuration.nix.
  hardware.enableAllFirmware = true;
  # dmesg | grep -i microcode
  hardware.enableRedistributableFirmware = true;
  # Microcode updates follow the redistributable-firmware switch above, so
  # turning that off silently disables CPU microcode loading too.
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = true;
  # Written to bluez main.conf. Experimental = true exposes bluez's
  # experimental D-Bus interfaces to every client on the system bus.
  hardware.bluetooth.settings = {
    General = {
      Enable = "Source,Sink,Media,Socket";
      Experimental = true;
    };
  };

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}