wake on lan udev, SSH initrd, flake lock update, TODO nix settings

2026-06-24 17:36:41 +00:00 · 2026-04-03 23:16:53 +02:00
parent d51b13294c
commit 3afafba3ce
12 changed files with 217 additions and 60 deletions
@@ -0,0 +1,94 @@
+{
+  pkgs,
+  lib,
+  materusArgs,
+  mkk,
+  ...
+}:
+{
+  boot.supportedFilesystems = [
+    "ntfs"
+    "btrfs"
+    "vfat"
+    "exfat"
+    "ext4"
+  ];
+
+  boot.tmp.useTmpfs = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    device = "nodev";
+    gfxmodeEfi = pkgs.lib.mkDefault "1920x1080@240";
+    gfxmodeBios = pkgs.lib.mkDefault "1920x1080@240";
+    useOSProber = true;
+    memtest86.enable = true;
+  };
+
+  boot.plymouth.enable = true;
+
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  boot.kernelParams = [ "ip=${mkk.local}" ];
+  # Use latest kernel.
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_zen;
+
+  boot.initrd = {
+
+    availableKernelModules = [
+      "r8169"
+      "wireguard"
+    ];
+    luks.devices."ROOT_1".device = "/dev/disk/by-label/CRYPT_ROOT_1";
+    luks.devices."ROOT_2".device = "/dev/disk/by-label/CRYPT_ROOT_2";
+    secrets."/etc/secrets/30-wg-initrd.key" = "/mkk/keys/wireguard";
+    systemd = {
+      enable = true;
+      network = {
+        netdevs."30-wg-initrd" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-initrd";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = "/etc/secrets/30-wg-initrd.key";
+          };
+          wireguardPeers = [
+            {
+              AllowedIPs = [
+                "${mkk.wireguard.ip-masks.main}"
+                "${mkk.wireguard.peers.valkyrie.ip}/32"
+              ];
+              PublicKey = "${mkk.wireguard.peers.valkyrie.pubKey}";
+              Endpoint = "${mkk.network.valkyrie.ip}:${mkk.wireguard.peers.valkyrie.port}";
+              PersistentKeepalive = 25;
+            }
+          ];
+        };
+        networks."30-wg-initrd" = {
+          name = "wg-initrd";
+          addresses = [ { Address = "${mkk.wireguard.peers.materusPC.ip}/32"; } ];
+        };
+        networks."10-lan" = {
+          matchConfig.Name = "eno1";
+          networkConfig.DHCP = "yes";
+        };
+
+      };
+    };
+    network = {
+      enable = true;
+      flushBeforeStage2 = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        authorizedKeyFiles = [ materusArgs.files.ssh-keys.materus ];
+        hostKeys = [
+          "/mkk/keys/ssh_host_ed25519_key"
+          "/mkk/keys/ssh_host_rsa_key"
+        ];
+      };
+    };
+  };
+}