{ pkgs, lib, ... }:
{
  # sbctl creates and manages the Secure Boot key material that
  # lanzaboote signs the boot chain with.
  environment.systemPackages = [ pkgs.sbctl ];

  # Secure boot configuration
  boot.bootspec.enable = true;

  # First boot systemd-boot has to be enabled, then switch to lanzaboote.
  # lanzaboote installs its own signed stub, so the stock loader is forced off
  # here to make sure the two do not collide.
  boot.loader.systemd-boot.enable = lib.mkForce false;

  boot.lanzaboote = {
    enable = true;
    # Directory populated by sbctl. It holds the PK/KEK/db key pairs,
    # private keys included, so it must stay readable by root only.
    pkiBundle = "/var/lib/sbctl";
  };

  boot.initrd = {
    # Unlock the LUKS root volume with a FIDO2 token at boot.
    # Both crypttabExtraOpts and initrd.systemd.fido2 are only honoured by
    # the systemd-based stage 1 —
    # NOTE(review): assumes boot.initrd.systemd.enable is set elsewhere; confirm.
    luks.devices.cryptroot.crypttabExtraOpts = [ "fido2-device=auto" ];
    systemd.fido2.enable = true;
  };

  # boot.extraModprobeConfig = ''
  #   options snd_hda_intel power_save=1
  # '';

  # Modules that must never be loaded on this machine (order is kept as-is).
  boot.blacklistedKernelModules = [
    "sierra_net" # sierra wireless modules
    "cdc_mbim" # modem mobile broadband modules
    "cdc_ncm" # similar
  ];

  # Modules loaded unconditionally (order is kept as-is).
  boot.kernelModules = [
    "ahci" # sata controller, might not be needed
    "nvme" # required for nvme disks
    "thunderbolt" # required for thunderbolt (dock, …)
    # from thinkpad x1 gen 9
    "dm-mod"
    "cryptd" # required for encryption
    "xhci_pci" # usb controller related
    "usb_storage" # usb storage related
    "sd_mod" # block device related
    "sdhci_pci" # block device related as well
    "aesni-intel" # advanced encryption for intel
    "kvm_intel"
  ];

  boot.kernelParams = [
    # Kernel GPU Savings Options (NOTE i915 chipset only)
    # "i915.enable_rc6=1"
    # "i915.enable_fbc=1"
    # "i915.lvds_use_ssc=0"
    # "drm.debug=0"
    # "drm.vblankoffdelay=1"
    "kvm_intel.nested=1" # expose nested virtualisation to guests
    # With the thunderbolt module loaded above, an enabled IOMMU is what
    # confines the DMA a hot-plugged device can perform.
    "intel_iommu=on"
  ];

  boot.kernelPackages = pkgs.cachyosKernels.linuxPackages-cachyos-latest-lto-x86_64-v3;
}