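{ config, pkgs, lib, username, inputs, site_config, ... }:
# Host module for "yarn": a Jovian (Steam Deck UI) gaming box that is kept
# up to date by pulling prebuilt system closures from a binary cache rather
# than evaluating/building locally. site_config supplies host IPs, SSH keys
# and the cache URL; its schema is defined elsewhere.
{
  imports = [
    ../../modules/desktop-common.nix
    ../../modules/no-rgb.nix
    ./disk.nix
    ./impermanence.nix
    ./vr.nix
    inputs.impermanence.nixosModules.impermanence
    inputs.jovian-nixos.nixosModules.default
  ];

  # Game library on its own f2fs volume; nofail keeps boot going when the
  # disk is absent.
  fileSystems."/media/games" = {
    device = "/dev/disk/by-uuid/1878136e-765d-4784-b204-3536ab4fdac8";
    fsType = "f2fs";
    options = [ "nofail" ];
  };

  # Disable (mask) every sleep target so the machine never suspends.
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

  networking.hostId = "abf570f9";

  # Static IP for consistent SSH access
  networking.networkmanager.ensureProfiles.profiles.enp7s0-static = {
    connection = {
      id = "enp7s0-static";
      type = "ethernet";
      interface-name = "enp7s0";
      autoconnect = true;
    };
    ipv4 = {
      method = "manual";
      # NetworkManager keyfile form: "<address>/<prefix>,<gateway>"
      address1 = "${site_config.hosts.yarn.ip}/24,${site_config.lan.gateway}";
      # keyfile wants a ';'-terminated list
      dns = lib.concatMapStrings (n: "${n};") site_config.dns_servers;
    };
    ipv6.method = "disabled";
  };

  services.openssh = {
    enable = true;
    ports = [ 22 ];
    settings = {
      PasswordAuthentication = false;
      # Root is reachable only with the keys listed below (ci_deploy needs
      # it). "prohibit-password" keeps that working while refusing any
      # password or keyboard-interactive root login, which plain "yes" would
      # still allow via PAM since KbdInteractiveAuthentication is not set here.
      PermitRootLogin = "prohibit-password";
    };
  };
  users.users.${username}.openssh.authorizedKeys.keys = [ site_config.ssh_keys.laptop ];
  users.users.root.openssh.authorizedKeys.keys = [
    site_config.ssh_keys.laptop
    site_config.ssh_keys.ci_deploy
  ];

  programs.steam = {
    remotePlay.openFirewall = true;
    localNetworkGameTransfers.openFirewall = true;
  };

  # LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
  environment.systemPackages = with pkgs; [ lact jovian-stubs ];
  systemd.packages = with pkgs; [ lact ];
  systemd.services.lactd.wantedBy = [ "multi-user.target" ];
  # Short delay before lactd starts (presumably to let the GPU come up — confirm).
  systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";

  # root-level service that applies a pending update. Triggered by
  # steamos-update (via systemctl start) when the user accepts an update.
  # Runs as root so it can write the system profile and boot entry.
  systemd.services.pull-update-apply = {
    description = "Apply pending NixOS update pulled from binary cache";
    serviceConfig = {
      Type = "oneshot";
      # Exit status: 0 = applied or already current, 1 = any failure (each
      # step reports which one on stdout, i.e. the journal).
      ExecStart = pkgs.writeShellScript "pull-update-apply" ''
        set -uo pipefail
        export PATH=${pkgs.lib.makeBinPath [ pkgs.curl pkgs.coreutils pkgs.nix ]}

        # The cache publishes the store path of the latest system closure as
        # a plain-text body at .../deploy/yarn.
        STORE_PATH=$(curl -sf --max-time 30 "${site_config.binary_cache.url}/deploy/yarn" || true)
        if [ -z "$STORE_PATH" ]; then
          echo "server unreachable"
          exit 1
        fi

        # Accept only a well-formed store path. A captive portal or a broken
        # server can answer 200 with an arbitrary body; without this check
        # that body would be handed to nix-store/nix-env and then used as the
        # directory to execute switch-to-configuration from.
        if ! [[ "$STORE_PATH" =~ ^/nix/store/[a-z0-9]{32}-[A-Za-z0-9+._?=-]+$ ]]; then
          echo "unexpected response from update server: ''${STORE_PATH:0:120}"
          exit 1
        fi

        CURRENT=$(readlink -f /nix/var/nix/profiles/system)
        if [ "$CURRENT" = "$STORE_PATH" ]; then
          echo "already up to date: $STORE_PATH"
          exit 0
        fi

        echo "applying $STORE_PATH (was $CURRENT)"
        # Realise (substitute) the closure and pin it with a GC root. Trust in
        # the download itself is Nix's job: with the default require-sigs it
        # only substitutes paths signed by a trusted-public-keys entry, so the
        # cache key must be configured in nix.settings — not done in this file.
        nix-store -r --add-root /nix/var/nix/gcroots/pull-update-apply-latest --indirect "$STORE_PATH" \
          || { echo "fetch failed"; exit 1; }
        nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" \
          || { echo "profile set failed"; exit 1; }
        # "boot" only writes the bootloader entry; the running system is left
        # untouched until the next reboot.
        "$STORE_PATH/bin/switch-to-configuration" boot \
          || { echo "boot entry failed"; exit 1; }
        echo "update applied; reboot required"
      '';
    };
  };

  # Allow primary user to start pull-update-apply.service without a password.
  # The rule decides only for this one unit; any other manage-units request
  # returns no decision and falls through to the default policy.
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (action.id == "org.freedesktop.systemd1.manage-units" &&
          action.lookup("unit") == "pull-update-apply.service" &&
          subject.user == "${username}") {
        return polkit.Result.YES;
      }
    });
  '';

  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "steamdeck-hw-theme"
    "steam-jupiter-unwrapped"
    "steam"
    "steam-original"
    "steam-unwrapped"
    "steam-run"
  ];

  # Override jovian-stubs to disable steamos-update kernel check
  # This prevents Steam from requesting reboots for "system updates"
  # Steam client updates will still work normally
  nixpkgs.overlays = [
    (final: prev:
      let
        deploy-url = "${site_config.binary_cache.url}/deploy/yarn";
        # Replacement for holo-update / steamos-update. Runs as the Steam
        # user and never touches the system itself: it only compares store
        # paths and asks systemd to run pull-update-apply. Exit codes:
        # 0 = nothing to do or done, 7 = server unreachable, 1 = apply failed
        # (7 presumably mirrors the upstream stub — confirm).
        steamos-update-script = final.writeShellScript "steamos-update" ''
          export PATH=${final.lib.makeBinPath [ final.curl final.coreutils final.systemd ]}
          STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
          if [ -z "$STORE_PATH" ]; then
            >&2 echo "[steamos-update] server unreachable"
            exit 7
          fi
          CURRENT=$(readlink -f /nix/var/nix/profiles/system)
          if [ "$CURRENT" = "$STORE_PATH" ]; then
            >&2 echo "[steamos-update] no update available"
            exit 0
          fi
          # check-only mode: just report that an update exists
          if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
            >&2 echo "[steamos-update] update available"
            exit 0
          fi
          # apply: trigger the root-running systemd service to install the update
          >&2 echo "[steamos-update] applying update..."
          if systemctl start --wait pull-update-apply.service; then
            >&2 echo "[steamos-update] update installed, reboot to apply"
            exit 0
          else
            >&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
            exit 1
          fi
        '';
      in
      {
        # Only replace holo-update (and its steamos-update alias) with our
        # binary-cache pull script. All other stubs (pkexec, sudo,
        # holo-reboot, holo-select-branch, …) come from upstream unchanged.
        jovian-stubs = prev.jovian-stubs.overrideAttrs (old: {
          buildCommand = (old.buildCommand or "") + ''
            install -D -m 755 ${steamos-update-script} $out/bin/holo-update
            install -D -m 755 ${steamos-update-script} $out/bin/steamos-update
          '';
        });
      })
  ];

  jovian = {
    devices.steamdeck.enable = false;
    steam = {
      enable = true;
      autoStart = true;
      desktopSession = "niri";
      user = username;
    };
  };

  # Jovian-NixOS requires sddm
  # https://github.com/Jovian-Experiments/Jovian-NixOS/commit/52f140c07493f8bb6cd0773c7e1afe3e1fd1d1fa
  services.displayManager.sddm.wayland.enable = true;

  # Disable gamescope from common.nix to avoid conflict with jovian-nixos
  programs.gamescope.enable = lib.mkForce false;
}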