Laptop specific configs, fingerprint scanner

2025-02-02 16:56:07 +01:00
parent 9da67d058d
commit 1ce7875398
11 changed files with 88 additions and 71 deletions
--- a/modules/development.nix
+++ b/modules/development.nix
@ -36,6 +36,5 @@

  services.ollama = {
    enable = true;
-    acceleration = "cuda";
  };
 }
--- a/modules/hardware/graphics/default.nix
+++ b/modules/hardware/graphics/default.nix
@ -1,7 +1,5 @@
 {
-  imports = [
-    ./nvidia.nix
-  ];
+  imports = [ ];

  # Enable OpenGL
  hardware.graphics.enable = true;
--- a/modules/hardware/graphics/nvidia.nix
+++ b/modules/hardware/graphics/nvidia.nix
@ -1,28 +0,0 @@
-{ pkgs, ... }:
-
-{
-  boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ];
-
-  # For hardware acceleration
-  environment.sessionVariables.LIBVA_DRIVER_NAME = "nvidia";
-
-  hardware = {
-    graphics.extraPackages = with pkgs; [
-      # Used for hardware-acceleration
-      nvidia-vaapi-driver
-    ];
-    nvidia = {
-      # Required
-      modesetting.enable = true;
-      # Use closed-source drivers
-      open = false;
-      # Enable the Nvidia settings menu
-      nvidiaSettings = true;
-      # Enable nvidia-suspend.service, nvidia-hibernate.service and nvidia-resume.service
-      powerManagement.enable = true;
-    };
-  };
-
-  # Load Nvidia driver for Xorg and Wayland
-  services.xserver.videoDrivers = [ "nvidia" ];
-}
--- a/modules/hardware/hardware-configuration.nix
+++ b/modules/hardware/hardware-configuration.nix
@ -15,26 +15,26 @@
  ];

  boot.initrd.availableKernelModules = [
-    "xhci_pci"
-    "ahci"
    "nvme"
+    "xhci_pci"
    "usb_storage"
-    "usbhid"
    "sd_mod"
-    "sr_mod"
+    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/5e3f0f97-4bb4-4a53-ace2-9ed19ff9e8ea";
-    fsType = "btrfs";
-    options = [ "subvol=@" ];
+    device = "/dev/disk/by-uuid/5ac9c425-35ae-47d5-a683-68ee0dbfc2bc";
+    fsType = "ext4";
  };

+  boot.initrd.luks.devices."luks-99b73f22-3fa1-42b5-ad48-54b0ccff72cc".device =
+    "/dev/disk/by-uuid/99b73f22-3fa1-42b5-ad48-54b0ccff72cc";
+
  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/D188-48A9";
+    device = "/dev/disk/by-uuid/3CFB-D12A";
    fsType = "vfat";
    options = [
      "fmask=0077"
@ -49,10 +49,9 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s20f0u8.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp6s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/modules/security.nix
+++ b/modules/security.nix
@ -11,7 +11,27 @@
  security = {
    pam = {
      services = {
-        login.u2fAuth = false; # U2F and password
+        gdm-fingerprint.text = ''
+          auth       required                    pam_shells.so
+          auth       requisite                   pam_nologin.so
+          auth       requisite                   pam_faillock.so      preauth
+          auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
+          auth       optional                    pam_permit.so
+          auth       required                    pam_env.so
+          auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
+          auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
+
+          account    include                     login
+
+          password   required                    pam_deny.so
+
+          session    include                     login
+          session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
+        '';
+        login = {
+          fprintAuth = false;
+          u2fAuth = false; # U2F and password
+        };
        sudo.u2fAuth = true; # U2F or password
      };
      u2f = {
@ -24,6 +44,23 @@
    };
  };

+  # Start the driver at boot
+  systemd.services.fprintd = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.Type = "simple";
+  };
+
+  # Install the driver
+  services.fprintd = {
+    enable = true;
+    tod.driver = pkgs.libfprint-2-tod1-goodix-550a; # Goodix 550a driver (from Lenovo)
+  };
+
+  # however for focaltech 2808:a658, use fprintd with overidden package (without tod)
+  # services.fprintd.package = pkgs.fprintd.override {
+  #   libfprint = pkgs.libfprint-focaltech-2808-a658;
+  # };
+
  services = {
    pcscd.enable = true; # Required for Yubikey
    udev.packages = with pkgs; [ yubikey-personalization ];