Commit 903000cf56c9
Changed files (6)
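--- a/lib/default.nix
+++ b/lib/default.nix
@@ -41,6 +41,7 @@
 {
 hostname,
 desktop ? null,
+hardwareType ? "",
 system ? "x86_64-linux",
 pkgsInput ? inputs.nixpkgs,
 homeInput ? inputs.home-manager,
@@ -55,6 +56,7 @@
 stateVersion
 hostname
 desktop
+hardwareType
 system
 globals
 ;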
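--- a/systems/athena/boot.nix
+++ b/systems/athena/boot.nix
@@ -1,7 +1,10 @@
 { lib, pkgs, ... }:
 {
+console.keyMap = lib.mkForce "us";
 boot = {
 kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+initrd.systemd.enable = lib.mkForce false;
+# initrd.systemd.enableTpm2 = false;
 initrd.availableKernelModules = [
 "xhci_pci"
 "usbhid"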
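Review bot: The commented-out `# initrd.systemd.enableTpm2 = false;` directly under `initrd.systemd.enable = lib.mkForce false;` is dead configuration and leaves no record of why systemd-in-initrd is forced off on this host. The `mkForce` implies a shared module sets it the other way, so a one-line reason is the useful replacement, e.g. `# RPi4 has no TPM: force the systemd initrd off here (presumably enabled by a common module — confirm)`. The `boot` attribute set continues past the end of the hunk.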
systems/common/base/default.nix
@@ -12,6 +12,7 @@
./hardware.nix
./locale.nix
./nh.nix
+ ./tpm.nix
# All my machine have this running
../services/avahi.nix
@@ -39,7 +40,6 @@
pv
ripgrep
rsync
- tpm2-tss
traceroute
tree
usbutils
@@ -59,11 +59,6 @@
security = {
polkit.enable = true;
rtkit.enable = true;
- tpm2 = {
- enable = true;
- pkcs11.enable = true;
- abrmd.enable = true;
- };
};
# Clear out /tmp after a fortnight and give all normal users a ~/tmp
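--- /dev/null
+++ b/systems/common/base/tpm.nix
@@ -0,0 +1,27 @@
+{
+lib,
+hardwareType,
+pkgs,
+...
+}:
+let
+# Detect if we are building RPI4 host, because RPI4 doesn't have TPM support
+isRPI4 = hardwareType == "rpi4";
+in
+{
+environment.systemPackages =
+if isRPI4 then
+[ ]
+else
+with pkgs;
+[
+tpm2-tss
+];
+security = lib.mkIf (!isRPI4) {
+tpm2 = {
+enable = true;
+pkcs11.enable = true;
+abrmd.enable = true;
+};
+};
+}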
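Review bot: The `environment.systemPackages` assignment spells a one-element conditional list as an `if`/`else` with a `with pkgs;` on one branch, while age.nix in this same commit uses the `lib.optional` idiom for the same thing; `environment.systemPackages = lib.optional (!isRPI4) pkgs.tpm2-tss;` behaves the same and keeps the two modules consistent. The gate compares a free-form string, so a host whose `hardwareType` is misspelled would silently land in the TPM-enabled branch; if more hardware variants are expected, a positive capability flag fails more visibly. Whether `hardwareType` actually reaches module arguments depends on how lib/default.nix forwards the value it now inherits, which is outside these hunks. The comment on `isRPI4` should also read `# Detect whether we are building the RPi4 host, which has no TPM`.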
systems/common/programs/age.nix
@@ -1,12 +1,15 @@
{
+ config,
pkgs,
...
}:
{
- environment.systemPackages = with pkgs; [
- age
- age-plugin-tpm
- agenix
- passage
- ];
+ environment.systemPackages =
+ with pkgs;
+ [
+ age
+ agenix
+ passage
+ ]
+ ++ lib.optional config.security.tpm2.enable pkgs.age-plugin-tpm;
}
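Review bot: `lib.optional` on the last added line is used although `lib` is not bound in the module's argument set; it presumably resolves only because `with pkgs;` brings `pkgs.lib` into scope, which is implicit and breaks as soon as the `with` is narrowed or removed. Bind it explicitly, `{ config, lib, pkgs, ... }:`, and since the expression is already under `with pkgs;` the `pkgs.` prefix is redundant: `++ lib.optional config.security.tpm2.enable age-plugin-tpm;`. Gating the plugin on `config.security.tpm2.enable` rather than on `hardwareType` is the right dependency, since the new tpm.nix is what decides that option.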
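--- a/flake.nix
+++ b/flake.nix
@@ -88,6 +88,7 @@
 athena = libx.mkHost {
 hostname = "athena";
 system = "aarch64-linux";
+hardwareType = "rpi4";
 pkgsInput = inputs.nixpkgs-24_11;
 homeInput = inputs.home-manager-24_11;
 };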