Diffstat (limited to 'nixos/alpha')
-rw-r--r--nixos/alpha/configuration.nix87
-rw-r--r--nixos/alpha/hardware-configuration.nix1
2 files changed, 40 insertions, 48 deletions
diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix
index f0fbf27..2098d1b 100644
--- a/nixos/alpha/configuration.nix
+++ b/nixos/alpha/configuration.nix
@@ -16,7 +16,8 @@
sudo.wheelNeedsPassword = false;
};
- boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+ # Use latest LTS kernel (https://github.com/NixOS/nixpkgs/pull/341596)
+ boot.kernelPackages = pkgs.linuxPackages;
boot.kernelParams = [
# "nohibernate"
"console=tty1"
@@ -33,24 +34,16 @@
boot.zfs.forceImportAll = false;
boot.zfs.allowHibernation = true; # NOTE: disable if using swap on ZFS
- # GRUB bootloader
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub = {
- enable = true;
-
- efiSupport = true;
- configurationLimit = 10;
- device = "nodev";
- useOSProber = true;
- copyKernels = true;
- extraEntries = ''
- menuentry "Reboot" {
- reboot
- }
- menuentry "Shutdown" {
- halt
- }
- '';
+ boot.loader.systemd-boot = {
+ # Managed by lanzaboote
+ enable = false;
+ editor = false;
+ configurationLimit = 16;
+ # TODO: https://github.com/NixOS/nixpkgs/pull/334526
+ # bootCounting.enable = true;
+ # bootCounting.tries = 3;
+ # bootCounting.enable = true;
+ # bootCounting.tries = 3;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
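Review bot: The commented-out `bootCounting.enable` / `bootCounting.tries` pair under the TODO appears twice in the new `boot.loader.systemd-boot` block; drop the second copy so the TODO stays unambiguous once the linked PR lands. Because `enable = false`, the `editor = false` and `configurationLimit = 16` settings only take effect if the lanzaboote/secure-boot module (not shown in this diff) reads them from `boot.loader.systemd-boot`, which is worth confirming. The boot-entry editor is the usual way to change the kernel command line from the console, so it should stay off as defence in depth. A comment such as `# enable = false: lanzaboote installs the loader; editor/configurationLimit are read from here` would record the intent.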
@@ -115,17 +108,25 @@
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
- services.openssh.hostKeys = [
- {
- path = "/persist/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/persist/ssh/ssh_host_rsa_key";
- type = "rsa";
- bits = 4096;
- }
- ];
+
+ modules = {
+ secure-boot.enable = true;
+
+ persistence = {
+ enable = true;
+ storagePath = "/persist";
+ setupSshHostKeys = true;
+
+ directories = [
+ "/etc/NetworkManager/system-connections"
+ "/var/lib/nixos"
+ "/var/lib/bluetooth"
+ "/var/lib/tailscale"
+ "/var/lib/libvirt"
+ "/etc/cups"
+ ];
+ };
+ };
sops.secrets.borg-alpha-rolling-pass = { };
services.borgbackup.jobs.alpha-rolling = {
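Review bot: Replacing the explicit `services.openssh.hostKeys` list with `setupSshHostKeys = true` moves the key paths and types into the `modules.persistence` module, which is not part of this diff. If it does not resolve to the same `/persist/ssh/ssh_host_ed25519_key` and `/persist/ssh/ssh_host_rsa_key` files, the host will present new keys and clients will see a host-key mismatch; anything that derives a decryption identity from the host key (possibly sops here, inferred) would also break. `secure-boot.enable = true` is switched on in the same block, yet the `directories` list has no entry for the Secure Boot signing-key bundle. Assuming the root filesystem is reset at boot, confirm that the secure-boot module keeps those keys under `/persist` with root-only permissions. The same module now also has to mark `/persist` as `neededForBoot`, since the explicit setting is removed later in this file.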
@@ -138,6 +139,7 @@
# Ephemeral user files
"**/.cache"
"**/.nix-profile"
+ "**/.config"
# Rust build files
"**/target"
# Large, non-essential files
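Review bot: `"**/.config"` is added under the `# Ephemeral user files` comment, but unlike `.cache` it normally holds user configuration and sometimes application credentials. The pattern also matches a `.config` directory at any depth of the backed-up paths. If the exclusion is deliberate (for example because that state is reproduced from this repository, or to keep tokens out of the off-site archive), give it its own comment, e.g. `# User config: intentionally not backed up (<reason>)`; otherwise a restore will silently lack it. The exclude list starts and ends outside this hunk.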
@@ -175,8 +177,6 @@
services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH";
- sound.enable = true;
-
services.pipewire = {
enable = true;
@@ -208,14 +208,6 @@
services.avahi.enable = true;
services.avahi.nssmdns4 = true;
- environment.persistence."/persist".directories = [
- "/etc/NetworkManager/system-connections"
- "/var/lib/bluetooth"
- "/var/lib/tailscale"
- "/var/lib/libvirt"
- "/etc/cups"
- ];
-
services.pcscd.enable = true;
programs.dconf.enable = true;
@@ -284,7 +276,8 @@
fontDir.enable = true;
packages = with pkgs; [
- (nerdfonts.override { fonts = [ "Iosevka" "JetBrainsMono" ]; })
+ nerd-fonts.iosevka
+ nerd-fonts.jetbrains-mono
cozette
dina-font
emacs-all-the-icons-fonts
@@ -342,16 +335,16 @@
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
- nixpkgs.allowedUnfree = [ "steam" "steam-original" "steam-run" "brgenml1lpr" ];
+ nixpkgs.allowedUnfree = [ "steam" "steam-unwrapped" "brgenml1lpr" ];
+
+ madness.enable = true;
environment.sessionVariables = {
WLR_NO_HARDWARE_CURSORS = "1"; # Prevent cursors disappearing on nouveau
};
- hardware.opengl.enable = true;
- hardware.opengl.driSupport = true;
- hardware.opengl.driSupport32Bit = true;
- hardware.opengl.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ];
+ hardware.graphics.enable = true;
+ hardware.graphics.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ];
xdg.portal = {
enable = true;
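Review bot: `madness.enable = true;` is added without a comment, and the option comes from a module defined outside this diff. A one-line comment stating what it enables and why this host needs it would help, e.g. `# madness: <what it provides and why alpha needs it>`. If it is the module that lets dynamically linked binaries not built for NixOS run unmodified (my assumption), it widens what can execute on the host and deserves an explicit mention.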
@@ -367,8 +360,6 @@
users.mutableUsers = false;
- fileSystems."/persist".neededForBoot = true;
-
users.users = {
root.hashedPasswordFile = config.sops.secrets.root-password.path;
sefidel = {
diff --git a/nixos/alpha/hardware-configuration.nix b/nixos/alpha/hardware-configuration.nix
index 5ec5d86..8c40065 100644
--- a/nixos/alpha/hardware-configuration.nix
+++ b/nixos/alpha/hardware-configuration.nix
@@ -21,6 +21,7 @@
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
+ options = [ "umask=0077" ];
};
fileSystems."/nix" =