Harald Hoyer
96e66ebad4
Multiple boot options have been added in the hardware-configuration for the x86_64-linux system. This includes unsafe secrets mitigation options, such as 'noibrs', 'noibpb', 'nopti', etc., to potentially enhance system performance.
112 lines
2.7 KiB
Nix
112 lines
2.7 KiB
Nix
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||
# and may be overwritten by future invocations. Please make changes
|
||
# to /etc/nixos/configuration.nix instead.
|
||
{ config, lib, pkgs, modulesPath, ... }:
|
||
|
||
{
|
||
imports = [
|
||
(modulesPath + "/installer/scan/not-detected.nix")
|
||
];
|
||
|
||
boot.kernelModules = [ "kvm-intel" ];
|
||
boot.initrd.availableKernelModules = [
|
||
"ahci"
|
||
"nvme"
|
||
"rng_core"
|
||
"sd_mod"
|
||
"sdhci_pci"
|
||
"thunderbolt"
|
||
"tpm"
|
||
"tpm_crb"
|
||
"tpm_tis"
|
||
"tpm_tis_core"
|
||
"trusted"
|
||
"uas"
|
||
"usb_storage"
|
||
"usbhid"
|
||
"xhci_pci"
|
||
"uas"
|
||
];
|
||
boot.initrd.kernelModules = [ ];
|
||
boot.kernelParams = [
|
||
"lockdown=confidentiality"
|
||
"intel_iommu=on"
|
||
"quiet"
|
||
"splash"
|
||
"video=efifb:nobgrt"
|
||
|
||
# unsafe, but no secrets on that machine
|
||
"noibrs"
|
||
"noibpb"
|
||
"nopti"
|
||
"nospectre_v2"
|
||
"nospectre_v1"
|
||
"l1tf=off"
|
||
"nospec_store_bypass_disable"
|
||
"no_stf_barrier"
|
||
"mds=off"
|
||
"tsx=on"
|
||
"tsx_async_abort=off"
|
||
"mitigations=off"
|
||
];
|
||
|
||
boot.extraModulePackages = [ ];
|
||
|
||
services.btrfs.autoScrub.enable = true;
|
||
swapDevices = [{ device = "/swapfile"; }];
|
||
|
||
boot.initrd.luks.devices.crypted = {
|
||
device = "/dev/nvme0n1p2";
|
||
preLVM = true;
|
||
};
|
||
|
||
fileSystems = {
|
||
"/" =
|
||
{
|
||
device = "/dev/mapper/crypted";
|
||
fsType = "btrfs";
|
||
options = [ "subvol=/rootfs" ];
|
||
neededForBoot = true;
|
||
};
|
||
"/nix" = {
|
||
device = "/dev/mapper/crypted";
|
||
fsType = "btrfs";
|
||
options = [ "subvol=/nix" ];
|
||
neededForBoot = true;
|
||
};
|
||
"/home" = {
|
||
device = "/dev/mapper/crypted";
|
||
fsType = "btrfs";
|
||
options = [ "subvol=/home" ];
|
||
};
|
||
"/persist" = {
|
||
device = "/dev/mapper/crypted";
|
||
fsType = "btrfs";
|
||
options = [ "subvol=/persist" ];
|
||
neededForBoot = true;
|
||
};
|
||
"/boot" =
|
||
{
|
||
device = "/dev/disk/by-partlabel/disk-one-ESP";
|
||
fsType = "vfat";
|
||
};
|
||
};
|
||
|
||
console.keyMap = "de-latin1-nodeadkeys";
|
||
services.xserver = {
|
||
layout = "de";
|
||
xkbVariant = "nodeadkeys";
|
||
};
|
||
|
||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||
# still possible to use this option, but it's recommended to use it in conjunction
|
||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||
networking.useDHCP = lib.mkDefault true;
|
||
# networking.interfaces.enp82s0u1u3u4.useDHCP = lib.mkDefault true;
|
||
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
|
||
|
||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||
}
|