277 lines
8.2 KiB
Nix
277 lines
8.2 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
username,
|
|
inputs,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
./disk_yarn.nix
|
|
./common.nix
|
|
./impermanence.nix
|
|
./no-rgb.nix
|
|
./vr.nix
|
|
|
|
inputs.impermanence.nixosModules.impermanence
|
|
inputs.jovian-nixos.nixosModules.default
|
|
];
|
|
|
|
fileSystems."/media/games" = {
|
|
device = "/dev/disk/by-uuid/1878136e-765d-4784-b204-3536ab4fdac8";
|
|
fsType = "f2fs";
|
|
options = [ "nofail" ];
|
|
};
|
|
|
|
systemd.targets = {
|
|
sleep.enable = false;
|
|
suspend.enable = false;
|
|
hibernate.enable = false;
|
|
hybrid-sleep.enable = false;
|
|
};
|
|
|
|
networking.hostId = "abf570f9";
|
|
|
|
# Static IP for consistent SSH access
|
|
networking.networkmanager.ensureProfiles.profiles.enp7s0-static = {
|
|
connection = {
|
|
id = "enp7s0-static";
|
|
type = "ethernet";
|
|
interface-name = "enp7s0";
|
|
autoconnect = true;
|
|
};
|
|
ipv4 = {
|
|
method = "manual";
|
|
address1 = "192.168.1.223/24,192.168.1.1";
|
|
dns = "1.1.1.1;9.9.9.9;";
|
|
};
|
|
ipv6.method = "disabled";
|
|
};
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
ports = [ 22 ];
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
PermitRootLogin = "yes";
|
|
};
|
|
};
|
|
|
|
users.users.${username}.openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
|
|
];
|
|
|
|
users.users.root.openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin"
|
|
];
|
|
|
|
programs.steam = {
|
|
remotePlay.openFirewall = true;
|
|
localNetworkGameTransfers.openFirewall = true;
|
|
};
|
|
|
|
# LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
|
|
environment.systemPackages = with pkgs; [
|
|
lact
|
|
jovian-stubs
|
|
];
|
|
systemd.packages = with pkgs; [ lact ];
|
|
systemd.services.lactd.wantedBy = [ "multi-user.target" ];
|
|
|
|
systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
|
|
|
|
# root-level service that applies a pending update. Triggered by
|
|
# steamos-update (via systemctl start) when the user accepts an update.
|
|
# Runs as root so it can write the system profile and boot entry.
|
|
systemd.services.pull-update-apply = {
|
|
description = "Apply pending NixOS update pulled from binary cache";
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
ExecStart = pkgs.writeShellScript "pull-update-apply" ''
|
|
set -uo pipefail
|
|
export PATH=${
|
|
pkgs.lib.makeBinPath [
|
|
pkgs.curl
|
|
pkgs.coreutils
|
|
pkgs.nix
|
|
]
|
|
}
|
|
STORE_PATH=$(curl -sf --max-time 30 "https://nix-cache.sigkill.computer/deploy/yarn" || true)
|
|
if [ -z "$STORE_PATH" ]; then
|
|
echo "server unreachable"
|
|
exit 1
|
|
fi
|
|
echo "applying $STORE_PATH"
|
|
nix-store -r "$STORE_PATH" || { echo "fetch failed"; exit 1; }
|
|
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "profile set failed"; exit 1; }
|
|
"$STORE_PATH/bin/switch-to-configuration" boot || { echo "boot entry failed"; exit 1; }
|
|
echo "update applied; reboot required"
|
|
'';
|
|
};
|
|
};
|
|
|
|
# Allow primary user to start pull-update-apply.service without a password
|
|
security.polkit.extraConfig = ''
|
|
polkit.addRule(function(action, subject) {
|
|
if (action.id == "org.freedesktop.systemd1.manage-units" &&
|
|
action.lookup("unit") == "pull-update-apply.service" &&
|
|
subject.user == "${username}") {
|
|
return polkit.Result.YES;
|
|
}
|
|
});
|
|
'';
|
|
|
|
nixpkgs.config.allowUnfreePredicate =
|
|
pkg:
|
|
builtins.elem (lib.getName pkg) [
|
|
"steamdeck-hw-theme"
|
|
"steam-jupiter-unwrapped"
|
|
"steam"
|
|
"steam-original"
|
|
"steam-unwrapped"
|
|
"steam-run"
|
|
];
|
|
|
|
# Override jovian-stubs to disable steamos-update kernel check
|
|
# This prevents Steam from requesting reboots for "system updates"
|
|
# Steam client updates will still work normally
|
|
nixpkgs.overlays = [
|
|
(
|
|
final: prev:
|
|
let
|
|
deploy-url = "https://nix-cache.sigkill.computer/deploy/yarn";
|
|
|
|
steamos-update-script = final.writeShellScript "steamos-update" ''
|
|
export PATH=${
|
|
final.lib.makeBinPath [
|
|
final.curl
|
|
final.coreutils
|
|
final.systemd
|
|
]
|
|
}
|
|
|
|
STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
|
|
|
|
if [ -z "$STORE_PATH" ]; then
|
|
>&2 echo "[steamos-update] server unreachable"
|
|
exit 7
|
|
fi
|
|
|
|
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
|
|
if [ "$CURRENT" = "$STORE_PATH" ]; then
|
|
>&2 echo "[steamos-update] no update available"
|
|
exit 0
|
|
fi
|
|
|
|
# check-only mode: just report that an update exists
|
|
if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
|
|
>&2 echo "[steamos-update] update available"
|
|
exit 0
|
|
fi
|
|
|
|
# apply: trigger the root-running systemd service to install the update
|
|
>&2 echo "[steamos-update] applying update..."
|
|
if systemctl start --wait pull-update-apply.service; then
|
|
>&2 echo "[steamos-update] update installed, reboot to apply"
|
|
exit 0
|
|
else
|
|
>&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
|
|
exit 1
|
|
fi
|
|
'';
|
|
in
|
|
{
|
|
jovian-stubs = prev.stdenv.mkDerivation {
|
|
name = "jovian-stubs";
|
|
dontUnpack = true;
|
|
installPhase = ''
|
|
mkdir -p $out/bin
|
|
ln -s ${steamos-update-script} $out/bin/steamos-update
|
|
ln -s ${steamos-update-script} $out/bin/steamos-mandatory-update
|
|
|
|
# jupiter-initial-firmware-update: no-op (not a real steam deck)
|
|
cat > $out/bin/jupiter-initial-firmware-update << 'STUB'
|
|
#!/bin/sh
|
|
exit 0
|
|
STUB
|
|
|
|
# jupiter-biosupdate: no-op (not a real steam deck)
|
|
cat > $out/bin/jupiter-biosupdate << 'STUB'
|
|
#!/bin/sh
|
|
exit 0
|
|
STUB
|
|
|
|
# steamos-reboot: reboot the system
|
|
cat > $out/bin/steamos-reboot << 'STUB'
|
|
#!/bin/sh
|
|
>&2 echo "[JOVIAN] $0: stub called with: $*"
|
|
systemctl reboot
|
|
STUB
|
|
|
|
# steamos-select-branch: no-op stub
|
|
cat > $out/bin/steamos-select-branch << 'STUB'
|
|
#!/bin/sh
|
|
>&2 echo "[JOVIAN] $0: stub called with: $*"
|
|
exit 0
|
|
STUB
|
|
|
|
# steamos-factory-reset-config: no-op stub
|
|
cat > $out/bin/steamos-factory-reset-config << 'STUB'
|
|
#!/bin/sh
|
|
>&2 echo "[JOVIAN] $0: stub called with: $*"
|
|
exit 0
|
|
STUB
|
|
|
|
# steamos-firmware-update: no-op stub
|
|
cat > $out/bin/steamos-firmware-update << 'STUB'
|
|
#!/bin/sh
|
|
>&2 echo "[JOVIAN] $0: stub called with: $*"
|
|
exit 0
|
|
STUB
|
|
|
|
# pkexec: pass through to real pkexec
|
|
cat > $out/bin/pkexec << 'STUB'
|
|
#!/bin/sh
|
|
exec /run/wrappers/bin/pkexec "$@"
|
|
STUB
|
|
|
|
# sudo: strip flags and run the command directly (no escalation).
|
|
# privileged ops are delegated to root systemd services via systemctl.
|
|
cat > $out/bin/sudo << 'STUB'
|
|
#!/bin/sh
|
|
while [ $# -gt 0 ]; do
|
|
case "$1" in
|
|
-*) shift ;;
|
|
*) break ;;
|
|
esac
|
|
done
|
|
exec "$@"
|
|
STUB
|
|
|
|
find $out/bin -type f -exec chmod 755 {} +
|
|
'';
|
|
};
|
|
}
|
|
)
|
|
];
|
|
|
|
jovian = {
|
|
devices.steamdeck.enable = false;
|
|
steam = {
|
|
enable = true;
|
|
autoStart = true;
|
|
desktopSession = "niri";
|
|
user = username;
|
|
};
|
|
};
|
|
|
|
# Jovian-NixOS requires sddm
|
|
# https://github.com/Jovian-Experiments/Jovian-NixOS/commit/52f140c07493f8bb6cd0773c7e1afe3e1fd1d1fa
|
|
services.displayManager.sddm.wayland.enable = true;
|
|
|
|
# Disable gamescope from common.nix to avoid conflict with jovian-nixos
|
|
programs.gamescope.enable = lib.mkForce false;
|
|
}
|