nix/os: tidy up hw/boot handling

nix/os/devices/steveej-laptop/boot.nix

@@ -4,10 +4,4 @@
   # workaround to disable CPU wining
   # current CPU has 9 idle cstates.
   boot.kernelParams = [ "intel_idle.max_cstate=9" ];
-
-  # Workaround for nm-pptp to enforce module load
-  boot.kernelModules = [ 
-      "nf_conntrack_proto_gre"
-      "nf_conntrack_pptp"
-  ];
 }

nix/os/devices/steveej-laptop/hw.nix

@@ -4,25 +4,20 @@
 { config, lib, pkgs, ... }:
 
 {
-    nix.maxJobs = 3;
-    nix.buildCores = 3;
+    boot.initrd.availableKernelModules = [
+      "aesni_intel"
+      "kvm-intel"
+      "aes_x86_64"
+    ];
 
-    hardware.enableAllFirmware = true;
-    hardware.trackpoint.emulateWheel = true;
-
-    boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-    boot.kernelModules = [ "kvm-intel" ];
     boot.extraModprobeConfig = ''
       options kvm-intel nested=1
       options kvm-intel enable_shadow_vmcs=1
       options kvm-intel enable_apicv=1
       options kvm-intel ept=1
     '';
-    boot.extraModulePackages = [ ];
-
-    boot.loader.systemd-boot.enable = true;
-    boot.loader.efi.canTouchEfiVariables = true;
 
+    # TODO: migrate this to the encryptedDisk module
     fileSystems."/boot" = {
         device = "/dev/disk/by-uuid/445D-DBAA";
         fsType = "vfat";

nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix

@@ -1,5 +1,9 @@
 { ... }:
 
 {
-  hardware.encryptedDisk.diskId = "mmc-SL32G_0x259093f6";
+  # TASK: new device
+  hardware.encryptedDisk = {
+    enable = true;
+    diskId = "mmc-SL32G_0x259093f6";
+  };
 }

nix/os/devices/steveej-t480s-work/hw.nix

@@ -7,14 +7,12 @@
     diskId = "nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K827498";
   };
 
-  nix.maxJobs = 3;
-  nix.buildCores = 3;
+  boot.initrd.availableKernelModules = [
+    "aesni_intel"
+    "kvm-intel"
+    "aes_x86_64"
+  ];
 
-  hardware.enableAllFirmware = true;
-  hardware.trackpoint.emulateWheel = true;
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModprobeConfig = ''
     options kvm-intel nested=1
     options kvm-intel enable_shadow_vmcs=1

nix/os/devices/steveej-t480s-work/system.nix

@@ -30,11 +30,12 @@
     ];
   };
 
-  services.fprintd.enable = true;
-  security.pam.services = {
-    login.fprintAuth = true;
-    sudo.fprintAuth = true;
-  };
+# TODO: get external fingerprint reader
+#  services.fprintd.enable = true;
+#  security.pam.services = {
+#    login.fprintAuth = true;
+#    sudo.fprintAuth = true;
+#  };
 
   # Kubernetes
   # services.kubernetes.roles = ["master" "node"];

nix/os/profiles/common/boot.nix

@@ -11,7 +11,14 @@
     version = 2;
   };
 
+  boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.tmpOnTmpfs = true;
+
+  # Workaround for nm-pptp to enforce module load
+  boot.kernelModules = [
+      "nf_conntrack_proto_gre"
+      "nf_conntrack_pptp"
+  ];
 }
 

nix/os/profiles/common/configuration.nix

@@ -6,5 +6,6 @@
     ./pkg.nix
     ./user.nix
     ./system.nix
+    ./hw.nix
   ];
 }

nix/os/profiles/common/hw.nix

@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+  hardware.trackpoint.emulateWheel = true;
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+    "cryptd"
+  ];
+}

nix/os/profiles/graphical/boot.nix

@@ -0,0 +1,7 @@
+
+{ lib
+, ...
+}:
+
+{
+}

nix/os/profiles/graphical/configuration.nix

@@ -4,6 +4,8 @@
 
 {
   imports = [
+    ./boot.nix
     ./system.nix
+    ./hw.nix
   ];
 }

nix/os/profiles/graphical/hw.nix

@@ -0,0 +1,7 @@
+{
+...
+}:
+
+{
+  hardware.enableAllFirmware = true;
+}

nix/os/profiles/removable-medium/boot.nix

@@ -5,33 +5,5 @@
 {
   boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
   boot.loader.efi.canTouchEfiVariables = lib.mkForce false; 
-
-  boot.initrd.availableKernelModules = [ 
-    "xhci_pci"
-    "ahci"
-    "usb_storage"
-    "sd_mod"
-    "rtsx_pci_sdmmc"
-    "aes_x86_64"
-    "aesni_intel"
-    "cryptd"
-  ];
-
-  boot.kernelModules = [ 
-    "kvm-intel"
-
-    # Workaround for nm-pptp to enforce module load
-    "nf_conntrack_proto_gre"
-    "nf_conntrack_pptp"
-  ];
-
-  boot.extraModprobeConfig = ''
-    options kvm-intel nested=1
-    options kvm-intel enable_shadow_vmcs=1
-    options kvm-intel enable_apicv=1
-    options kvm-intel ept=1
-  '';
   boot.extraModulePackages = [ ];
-
-  boot.loader.systemd-boot.enable = true;
 }

nix/os/profiles/removable-medium/hw.nix

@@ -3,5 +3,4 @@
 {
   hardware.encryptedDisk.enable = true;
   hardware.enableAllFirmware = true;
-  hardware.trackpoint.emulateWheel = true;
 }