feat,fix: cach up hostkey0 with structure changes, update x13s and config firewall

2024-03-07 22:01:03 +01:00 · 2024-03-07 22:01:03 +01:00 · f779649c0c
commit f779649c0c
parent b144c4501f
8 changed files with 79 additions and 58 deletions
--- a/nix/os/devices/steveej-x13s/configuration.nix
+++ b/nix/os/devices/steveej-x13s/configuration.nix
@ -13,6 +13,7 @@
    enable = true;
    # TODO: use hardware address
    bluetoothMac = "65:9e:7a:8b:86:28";
+    kernel = "jhovold";
  };

  services.illum.enable = true;
@ -65,6 +66,7 @@
    ./disko.nix

    ../../snippets/nix-settings.nix
+    ../../snippets/nix-settings-holo-chain.nix
    ../../profiles/common/user.nix

    {
@ -81,6 +83,21 @@
      };
    }

+    # TODO: create syncthing os snippet
+    (let
+      tcp = [22000];
+      udp = [
+        22000
+        21027
+      ];
+    in {
+      # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
+      networking.firewall.interfaces."en+".allowedTCPPorts = tcp;
+      networking.firewall.interfaces."en+".allowedUDPPorts = udp;
+      networking.firewall.interfaces."wl+".allowedTCPPorts = tcp;
+      networking.firewall.interfaces."wl+".allowedUDPPorts = udp;
+    })
+
    ../../snippets/home-manager-with-zsh.nix
    ../../snippets/sway-desktop.nix
    ../../snippets/bluetooth.nix
@ -132,6 +149,23 @@
    loader.efi.canTouchEfiVariables = lib.mkForce false;
    loader.efi.efiSysMountPoint = "/boot";
    blacklistedKernelModules = ["wwan"];
+
+    # kernelParams = let
+    #   dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb";
+    # in lib.mkForce [
+    #   # needed to boot
+    #   "dtb=${dtbName}"
+
+    #   # jhovold recommended
+    #   "efi=noruntime"
+    #   "clk_ignore_unused"
+    #   "pd_ignore_unused"
+    #   # "regulator_ignore_unused"
+    #   "arm64.nopauth"
+
+    #   # blacklist graphics in initrd so the firmware can load from disk
+    #   "rd.driver.blacklist=msm"
+    # ];
  };

  # see https://linrunner.de/tlp/
@ -145,12 +179,20 @@
  };

  # android on linux
-  virtualisation.waydroid.enable = true;
+  virtualisation.waydroid.enable = false;
  virtualisation.podman.enable = true;
  virtualisation.podman.dockerCompat = true;

  hardware.ledger.enable = true;

+  nix.settings.substituters = [
+    "https://nixos-x13s.cachix.org"
+  ];
+
+  nix.settings.trusted-public-keys = [
+    "nixos-x13s.cachix.org-1:SzroHbidolBD3Sf6UusXp12YZ+a5ynWv0RtYF0btFos="
+  ];
+
  steveej.holo-zerotier = {
    enable = true;
    autostart = false;