Stefan Kempinger
5d6a7ad2b4
Enable systemd-boot and allow touching EFI variables. Move i915.enable_guc=3 into boot.kernelParams and remove duplicate entry.
197 lines
5.4 KiB
Nix
197 lines
5.4 KiB
Nix
{ config, pkgs, ... }:
|
|
{
|
|
imports = [
|
|
./hardware-configuration.nix
|
|
];
|
|
|
|
boot = {
|
|
loader.systemd-boot.enable = true;
|
|
loader.efi.canTouchEfiVariables = true;
|
|
kernelParams = [
|
|
"i915.enable_guc=3"
|
|
];
|
|
};
|
|
|
|
|
|
services.xserver.videoDrivers = [ "modesetting" ];
|
|
|
|
hardware.graphics = {
|
|
enable = true;
|
|
extraPackages = with pkgs; [
|
|
# Required for modern Intel GPUs (Xe iGPU and ARC)
|
|
intel-media-driver # VA-API (iHD) userspace
|
|
vpl-gpu-rt # oneVPL (QSV) runtime
|
|
|
|
# Optional (compute / tooling):
|
|
intel-compute-runtime # OpenCL (NEO) + Level Zero for Arc/Xe
|
|
# NOTE: 'intel-ocl' also exists as a legacy package; not recommended for Arc/Xe.
|
|
# libvdpau-va-gl # Only if you must run VDPAU-only apps
|
|
];
|
|
};
|
|
|
|
hardware.enableRedistributableFirmware = true;
|
|
|
|
environment.sessionVariables = {
|
|
LIBVA_DRIVER_NAME = "iHD";
|
|
QT_QPA_PLATFORM = "wayland";
|
|
WLR_NO_HARDWARE_CURSORS = "1";
|
|
};
|
|
|
|
networking.hostName = "nixos-lnf";
|
|
networking.wireless.enable = true;
|
|
networking.networkmanager.enable = true;
|
|
networking.firewall.enable = false;
|
|
|
|
time.timeZone = "Europe/Vienna";
|
|
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
i18n.extraLocaleSettings = {
|
|
LC_ADDRESS = "de_AT.UTF-8";
|
|
LC_IDENTIFICATION = "de_AT.UTF-8";
|
|
LC_MEASUREMENT = "de_AT.UTF-8";
|
|
LC_MONETARY = "de_AT.UTF-8";
|
|
LC_NAME = "de_AT.UTF-8";
|
|
LC_NUMERIC = "de_AT.UTF-8";
|
|
LC_PAPER = "de_AT.UTF-8";
|
|
LC_TELEPHONE = "de_AT.UTF-8";
|
|
LC_TIME = "de_AT.UTF-8";
|
|
};
|
|
|
|
services.xserver.xkb = {
|
|
layout = "de";
|
|
variant = "";
|
|
};
|
|
console.keyMap = "de";
|
|
|
|
users.users.user = {
|
|
isNormalUser = true;
|
|
description = "user";
|
|
extraGroups = [
|
|
"networkmanager"
|
|
"wheel"
|
|
"video"
|
|
];
|
|
packages = with pkgs; [ ];
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTpZThOE2EeDZ1rS7ynLS3mGtoSIQ9WazZDBUdP9THi tth@tth-worker"
|
|
# Michael Roland
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7CHRy95muwEYKpQOL5T02vQEwSgJL8Z/q2YPXiV17+ ED25519/mroland@INSMR02NB/20250209"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILf0Wca6U/ee6NN7uxPMVSeHoNpLBM3K0pDA9Cmdblqc ED25519-KEY/mroland@MRPHONE2022/20220511"
|
|
|
|
# René Mayrhofer
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/IX6NdpL3qW8gnfnDcXw906N7PCLuGHgCHdsMlR6Lh"
|
|
|
|
# Franz Bauer
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGLNosW/ZcQErMFuNA8pzKNKnaISvVj4Um7Y4D7151t7 FJB_ed25519_4INS-Server"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0h7HWbl3CpX8TCQmG/CjQVVTGpzegQJupGgykB5shJ eddsa-key-20250826"
|
|
];
|
|
};
|
|
users.users.root = {
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTpZThOE2EeDZ1rS7ynLS3mGtoSIQ9WazZDBUdP9THi tth@tth-worker"
|
|
# Michael Roland
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7CHRy95muwEYKpQOL5T02vQEwSgJL8Z/q2YPXiV17+ ED25519/mroland@INSMR02NB/20250209"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILf0Wca6U/ee6NN7uxPMVSeHoNpLBM3K0pDA9Cmdblqc ED25519-KEY/mroland@MRPHONE2022/20220511"
|
|
|
|
# René Mayrhofer
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/IX6NdpL3qW8gnfnDcXw906N7PCLuGHgCHdsMlR6Lh"
|
|
|
|
# Franz Bauer
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGLNosW/ZcQErMFuNA8pzKNKnaISvVj4Um7Y4D7151t7 FJB_ed25519_4INS-Server"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0h7HWbl3CpX8TCQmG/CjQVVTGpzegQJupGgykB5shJ eddsa-key-20250826"
|
|
];
|
|
};
|
|
|
|
security.sudo.extraRules = [
|
|
{
|
|
users = [ "user" ];
|
|
commands = [
|
|
{
|
|
command = "/run/current-system/sw/bin/systemctl restart cage-tty1.service";
|
|
options = [ "NOPASSWD" ];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
git
|
|
nil
|
|
nixd
|
|
wlr-randr
|
|
kmsxx
|
|
libinput
|
|
swayimg
|
|
vlc
|
|
ffmpeg-full
|
|
(pkgs.python3.withPackages (python-pkgs: with python-pkgs; [
|
|
requests
|
|
]))
|
|
jq
|
|
bash
|
|
|
|
(pkgs.writeScriptBin "kiosk-run" ''
|
|
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
if [[ $# -lt 1 ]]; then
|
|
echo "Usage: kiosk-run <command...>" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "Setting command: $*"
|
|
echo "$*" > /etc/cage/current-cmd
|
|
|
|
echo "Restarting cage..."
|
|
sudo systemctl kill cage-tty1.service
|
|
sudo systemctl start cage-tty1.service
|
|
|
|
echo "Done."
|
|
'')
|
|
];
|
|
|
|
programs.firefox.enable = true;
|
|
|
|
# writable by the kiosk user at runtime
|
|
environment.etc."cage/current-cmd" = {
|
|
mode = "0777";
|
|
text = "curl -sL https://www.ins.jku.at/images/logos/logo-jku-ins-360x118.png | swayimg -f -";
|
|
};
|
|
|
|
systemd.services.cage-tty1 = {
|
|
serviceConfig = {
|
|
Restart = "always";
|
|
RestartSec = "1s";
|
|
TimeoutStopSec = "1";
|
|
TimeoutAbortSec = "5";
|
|
KillSignal = "SIGKILL";
|
|
};
|
|
};
|
|
|
|
services.cage = {
|
|
enable = true;
|
|
user = "user";
|
|
program = "${pkgs.bash}/bin/bash /etc/cage/current-cmd";
|
|
};
|
|
|
|
services.getty.loginProgram = "${pkgs.coreutils}/bin/true";
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
PermitRootLogin = "prohibit-password";
|
|
};
|
|
};
|
|
|
|
nix.settings.experimental-features = [
|
|
"nix-command"
|
|
"flakes"
|
|
];
|
|
system.stateVersion = "25.11";
|
|
}
|