migrate bigger nixos-modules to nixosProfiles

- profiles are meant for a group of similar machines (see README)
- these replace the allCommon and hwCommon modules and parts of the vmCommon module
- highly personal settings were relocated to myOptions
- some parts are relocated into their own module: extends/cpu
Felix Stupp 2 months ago
parent de3f0d401b
commit 2fdd6cdf00
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -101,6 +101,8 @@
nixosModules = importFlakeMod ./nix/nixos-modules; nixosModules = importFlakeMod ./nix/nixos-modules;
nixosProfiles = importFlakeMod ./nix/nixosProfiles;
overlays = importFlakeMod ./nix/overlays; overlays = importFlakeMod ./nix/overlays;
packages = importFlakeModWithSystem ./nix/packages; packages = importFlakeModWithSystem ./nix/packages;

@ -12,6 +12,33 @@ in
{ {
config = { config = {
# personal defaults across the board
console.keyMap = lib.mkDefault "de";
documentation = {
man.mandoc.settings.output = {
paper = lib.mkDefault "a4";
};
};
i18n = {
# inspired by https://wiki.archlinux.org/title/Locale
defaultLocale = lib.mkDefault "en_US.UTF-8";
extraLocaleSettings = {
LANGUAGE = lib.mkDefault "en_US:en:C:de_DE";
LC_COLLATE = lib.mkDefault "C.UTF-8"; # language independent sorting
LC_MEASUREMENT = "de_DE.UTF-8"; # metric
LC_PAPER = "de_DE.UTF-8"; # metric
LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = lib.mkDefault "en_DK.UTF-8"; # ISO 8601
};
};
# for my own modules
x-banananetwork = { x-banananetwork = {
# options defined in nixos-modules/options.nix # options defined in nixos-modules/options.nix
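Review bot: `LC_MEASUREMENT`, `LC_PAPER` and `LC_TELEPHONE` are set as plain values while every neighbouring default in this block is wrapped in `lib.mkDefault`, so a host that wants a different locale for any of the three gets a conflicting-definition error and has to reach for `lib.mkForce`. The three lines are carried over unchanged from the module they are removed from further down this page, but since this block is labelled "personal defaults" the priority should match the rest: `LC_MEASUREMENT = lib.mkDefault "de_DE.UTF-8"; # metric` and likewise for `LC_PAPER` and `LC_TELEPHONE`. The enclosing `config = {` attrset continues past the end of the hunk.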

@ -28,11 +28,9 @@ in
./improvedDefaults ./improvedDefaults
./vmDisko ./vmDisko
# files # files
./allCommon.nix
./autoUnfree.nix ./autoUnfree.nix
./debugMinimal.nix ./debugMinimal.nix
./graphics.nix ./graphics.nix
./hwCommon.nix
./kernel.nix ./kernel.nix
./options.nix ./options.nix
./privacy.nix ./privacy.nix

@ -0,0 +1,54 @@
{ config, lib, ... }:
let
cpu = config.hardware.cpu;
anyArg = builtins.any (x: x) [
# list of conditions which require cpu type to be known
cpu.updateMicrocode
];
cpuOpts =
type:
lib.mkIf (anyArg && cpu.type == type) {
# options for all cpu types
updateMicrocode = lib.mkDefault cpu.updateMicrocode;
};
in
{
options = {
hardware.cpu = {
type = lib.mkOption {
description = ''
Configures the CPU type to expect this configuration to run on.
This setting is required when using generalizing options
like option{hardware.cpu.updateMicrocode}.
'';
type =
with lib.types;
nullOr (enum [
"amd"
"intel"
]);
# required
};
updateMicrocode = lib.mkEnableOption ''
microcode updates for CPU type selected in option{hardware.cpu.type}
'';
};
};
config = {
hardware.cpu = {
amd = cpuOpts "amd";
intel = cpuOpts "intel";
};
};
}
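Review bot: `hardware.cpu.type` is documented as required but carries no `default`, so the only enforcement is the module system's generic "accessed but has no value defined" error, reached indirectly through `cpuOpts` once `updateMicrocode` is true; nothing tells the host author which option needs `hardware.cpu.type` to be set. A clearer contract is `default = null;` on the option plus an assertion that ties the two together, which also keeps the existing `nullOr` type honest. The `anyArg` list remains the single place to extend the condition when further generalizing options are added. The module is complete within this hunk.
```nix
    type = lib.mkOption {
      # … unchanged: description and type …
      default = null;
    };
    # … unchanged: updateMicrocode option …
  config = {
    assertions = [
      {
        assertion = anyArg -> cpu.type != null;
        message = "hardware.cpu.type must be set when hardware.cpu.updateMicrocode is enabled";
      }
    ];
    hardware.cpu = {
      amd = cpuOpts "amd";
      intel = cpuOpts "intel";
    };
  };
```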

@ -1,6 +1,7 @@
{ {
imports = [ imports = [
# files # files
./cpu.nix
./podman.nix ./podman.nix
./printing.nix ./printing.nix
]; ];

@ -500,13 +500,13 @@ in
]; ];
}; };
hwCommon.enable = lib.mkDefault true;
privacy.enable = lib.mkDefault true; privacy.enable = lib.mkDefault true;
useable.enable = true; useable.enable = true;
}; };
# TODO wishlist: # TODO wishlist:
# - lockdown more (at least disable systemd-boot.editor OR enable TPM PCR checks)
# - enable & disable touch keyboard automatically based on convertable status # - enable & disable touch keyboard automatically based on convertable status
# - https://github.com/cynicsketch/nix-mineral (NixOS hardening) # - https://github.com/cynicsketch/nix-mineral (NixOS hardening)
# - programs.mepo # - programs.mepo

@ -1,142 +0,0 @@
# applicable to all hosts running on bare hardware
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.hwCommon;
cpu = config.hardware.cpu;
in
{
options = {
hardware.cpu = {
type = lib.mkOption {
description = ''
Configures the CPU type to expect this configuration to run on.
This setting is required when using generalizing options
like option{hardware.cpu.updateMicrocode}.
'';
type =
with lib.types;
nullOr (enum [
"amd"
"intel"
]);
# required
};
updateMicrocode = lib.mkEnableOption ''
microcode updates for CPU type selected in option{hardware.cpu.type}.
Because this module is not yet part of upstream,
it requires option{x-banananetwork.hwCommon.enable} to be enabled.
'';
};
x-banananetwork.hwCommon = {
enable = lib.mkEnableOption ''
settings common to all bare hardware-based hosts
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.enable -> !config.x-banananetwork.vmCommon.enable;
message = "hwCommon & vmCommon profiles cannot both be enabled at the same time";
}
];
boot = {
# TODO adapt better
loader = {
efi.canTouchEfiVariables = lib.mkDefault true;
systemd-boot = {
enable = true;
editor = lib.mkDefault true; # TODO lockdown (disable this OR enable TPM PCR checks)
memtest86.enable = lib.mkDefault true;
};
};
};
environment.systemPackages = with pkgs; [
pciutils
usbutils
];
hardware = {
cpu = lib.mkMerge [
# TODO maybe upstream?
(
let
type = config.hardware.cpu.type;
opts = isType: { updateMicrocode = lib.mkDefault (isType && config.hardware.cpu.updateMicrocode); };
in
{
amd = opts (type == "amd");
intel = opts (type == "intel");
}
)
{ updateMicrocode = lib.mkDefault true; }
];
enableRedistributableFirmware = lib.mkDefault true;
};
powerManagement = {
cpuFreqGovernor = "ondemand";
enable = true;
};
services = {
fwupd = {
enable = true;
};
power-profiles-daemon = {
# 2024-08-14: tlp seems way better in my experience, hence disable it
enable = lib.mkIf config.services.tlp.enable false;
};
smartd = {
enable = true;
};
tlp = {
# energy-saving daemon, similar to powertop --autotune, but adaptive to BAT / AC
enable = true;
};
};
x-banananetwork = {
allCommon.enable = true;
useable.enable = lib.mkDefault true; # add docs & tools for emergencies
};
};
}

@ -8,29 +8,6 @@
}: }:
let let
cfg = config.x-banananetwork.vmCommon; cfg = config.x-banananetwork.vmCommon;
# Based on https://unix.stackexchange.com/questions/16578/resizable-serial-console-window
resize = pkgs.writeShellScriptBin "resize" ''
export PATH="${lib.getBin pkgs.coreutils}/bin"
if [ ! -t 0 ]; then
# not a interactive...
exit 0
fi
TTY="$(tty)"
if [[ "$TTY" != /dev/ttyS* ]] && [[ "$TTY" != /dev/ttyAMA* ]] && [[ "$TTY" != /dev/ttySIF* ]]; then
# probably not a known serial console, we could make this check more
# precise by using `setserial` but this would require some additional
# dependency
exit 0
fi
old=$(stty -g)
stty raw -echo min 0 time 5
printf '\0337\033[r\033[999;999H\033[6n\0338' > /dev/tty
IFS='[;R' read -r _ rows cols _ < /dev/tty
stty "$old"
stty cols "$cols" rows "$rows"
'';
in in
{ {
@ -39,7 +16,7 @@ in
x-banananetwork.vmCommon = { x-banananetwork.vmCommon = {
enable = lib.mkEnableOption '' enable = lib.mkEnableOption ''
settings common to all hosts running in VMs settings for all my VMs
''; '';
userName = lib.mkOption { userName = lib.mkOption {
@ -98,26 +75,6 @@ in
boot = { boot = {
initrd = {
availableKernelModules = [
"9p"
"9pnet_virtio"
"virtio_blk"
"virtio_mmio"
"virtio_net"
"virtio_pci"
"virtio_scsi"
];
kernelModules = [
"virtio_balloon"
"virtio_console"
"virtio_gpu"
"virtio_rng"
];
};
kernelParams = lib.singleton "console=ttyS0,115200";
loader = { loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
grub.enable = false; grub.enable = false;
@ -130,10 +87,6 @@ in
}; };
console.keyMap = "de";
# for fast debugging of systems, keep small
environment.systemPackages = [ resize ];
networking = { networking = {
@ -184,8 +137,6 @@ in
services = { services = {
qemuGuest.enable = true;
openssh = { openssh = {
enable = true; enable = true;
authorizedKeysInHomedir = false; authorizedKeysInHomedir = false;
@ -208,10 +159,6 @@ in
operation = "boot"; # change only on reboots operation = "boot"; # change only on reboots
}; };
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
time.hardwareClockInLocalTime = false; # just to make sure
users = { users = {
mutableUsers = false; mutableUsers = false;
users.${cfg.userName} = { users.${cfg.userName} = {
@ -236,8 +183,6 @@ in
}; };
# TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
# TODO wishlist items (in prio order): # TODO wishlist items (in prio order):
# - ntfy.sh as mailer # - ntfy.sh as mailer
# own script # own script

@ -44,6 +44,7 @@ in
]; ];
}; };
} }
outputs.nixosProfiles.blade
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x13-yoga inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x13-yoga
{ {
# hardware # hardware

@ -0,0 +1,14 @@
# NixOS system profiles
In my case, those are to collect options common to a certain group of systems.
Their main goals & properties are:
- to make a system working for its intended platform / hypervisor
- also make it nice behaving (e.g. install optional agents)
- configuring stuff across the whole system
- do not introduce their own options
- do not introduce functionality which can be isolated
- each setup may import up to one profile
- but profiles can, if theyre compatible, import each other
Some of them are opioniated in some ways,
read their descriptions before using.

@ -0,0 +1,68 @@
# applicable to all systems running on bare hardware
{
config,
lib,
pkgs,
...
}:
{
imports = [
# from here
./common.nix
];
config = {
# EFI by default
boot.loader = {
efi.canTouchEfiVariables = lib.mkDefault true;
grub.memtest86.enable = lib.mkDefault true;
systemd-boot = {
enable = lib.mkDefault true;
editor = lib.mkDefault true;
memtest86.enable = lib.mkDefault true;
};
};
environment.systemPackages = with pkgs; [
pciutils
usbutils
];
hardware = {
cpu.updateMicrocode = lib.mkIf config.hardware.enableRedistributableFirmware true;
enableRedistributableFirmware = lib.mkDefault true;
};
powerManagement = {
cpuFreqGovernor = "ondemand";
enable = lib.mkDefault true;
};
services = {
fwupd = {
enable = true;
};
smartd = {
enable = true;
};
tlp = {
# 2024-08-14: tlp seems way better in my experience
# energy-saving daemon, similar to powertop --autotune, but adaptive to BAT / AC
enable = true;
};
};
x-banananetwork = {
# add docs & tools for emergencies
useable.enable = lib.mkDefault true;
};
};
}
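Review bot: `editor = lib.mkDefault true;` under `boot.loader.systemd-boot` only restates what I believe is the upstream default, yet both the deleted hwCommon.nix and the host TODO added earlier on this page list disabling the editor as the open lockdown item; with it enabled, anyone at the console can change the kernel command line of an entry before it boots, bypassing the login path. Since this profile applies to the whole group of bare-metal hosts, `editor = lib.mkDefault false;` here lets an individual host opt back in deliberately. Separately, the old `services.power-profiles-daemon.enable = lib.mkIf config.services.tlp.enable false;` guard was not carried over while `tlp.enable = true;` is unconditional; if any host of this group runs a desktop that turns on power-profiles-daemon, the two daemons conflict (NixOS refuses that combination, as far as I recall). The file is complete within this hunk.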

@ -17,20 +17,27 @@ in
x-banananetwork.allCommon = { x-banananetwork.allCommon = {
enable = lib.mkEnableOption '' # TODO remove option, plan:
settings common to all systems # - verify all configs still build (nix flake check)
a set of opionated options to make systems useable & debugable for users. # - i.e. all with allCommon.enable=true are using this module
# - remove option here & from all configs
This means e.g. adding common, useful tools and add documentation. # - again: nix flake check
''; enable = lib.mkEnableOption "for compatibility reasons" // {
default = true;
internal = true;
};
}; };
}; };
config = lib.mkIf cfg.enable { config = {
assertions = [ assertions = [
{
assertion = cfg.enable;
message = "config imported profiles/common but tried to disable it";
}
( (
let let
defName = options.networking.hostName.default; defName = options.networking.hostName.default;
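Review bot: `lib.mkEnableOption "for compatibility reasons"` renders in the manual as "Whether to enable for compatibility reasons.", which does not say what the option controls; since the option is `internal` and forced true by the new assertion, name the thing instead, e.g. `enable = lib.mkEnableOption "the common profile (kept for compatibility, always enabled)" // {`. The removal plan in the `# TODO` comment is useful and could live in the option's `description` so it shows up where the option is looked up. Both the `options` and `config` attrsets continue outside this hunk.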
@ -42,40 +49,15 @@ in
) )
]; ];
documentation = {
man.mandoc.settings.output = {
paper = lib.mkDefault "a4";
};
};
i18n = {
# inspired by https://wiki.archlinux.org/title/Locale
defaultLocale = lib.mkDefault "en_US.UTF-8";
extraLocaleSettings = {
LANGUAGE = lib.mkDefault "en_US:en:C:de_DE";
LC_COLLATE = lib.mkDefault "C.UTF-8"; # language independent sorting
LC_MEASUREMENT = "de_DE.UTF-8"; # metric
LC_PAPER = "de_DE.UTF-8"; # metric
LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = lib.mkDefault "en_DK.UTF-8"; # ISO 8601
};
};
nix = { nix = {
channel.enable = false; channel.enable = false;
daemonCPUSchedPolicy = "batch"; daemonCPUSchedPolicy = lib.mkDefault "batch";
daemonIOSchedClass = "best-effort"; daemonIOSchedClass = lib.mkDefault "best-effort";
daemonIOSchedPriority = 7; daemonIOSchedPriority = lib.mkDefault 7;
settings = { settings = {
allowed-users = [
"root"
"@wheel"
];
auto-optimise-store = true; auto-optimise-store = true;
experimental-features = [ experimental-features = [
"flakes" "flakes"
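Review bot: The `allowed-users = [ "root" "@wheel" ];` entry dropped from `nix.settings` is the one that restricts which local users may talk to the nix daemon at all; without it Nix falls back to its default of `*`, so every account on the host can connect and request builds. Unlike the `documentation` and `i18n` blocks removed in the same hunk, which reappear in the defaults hunk earlier on this page, this setting is not relocated anywhere visible in this commit, so unless it moved in a file not shown here the change widens daemon access on every host importing the profile. Keeping it in the profile as `allowed-users = lib.mkDefault [ "root" "@wheel" ];` preserves the restriction while still letting a host override it. The enclosing `nix = {` attrset continues past the hunk.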
@ -93,7 +75,6 @@ in
OOMScoreAdjust = lib.mkDefault 250; OOMScoreAdjust = lib.mkDefault 250;
}; };
# well-known public keys
programs = { programs = {
# for nixos-rebuild with flakes # for nixos-rebuild with flakes
@ -104,6 +85,7 @@ in
"ssh-ed25519" "ssh-ed25519"
"ssh-rsa" "ssh-rsa"
]; ];
# well-known public keys
knownHosts = { knownHosts = {
"git.banananet.work".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE854AkY/LYJ8kMe1olR+OsAxKIgvZ/JK+G+e0mMVWdH"; "git.banananet.work".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE854AkY/LYJ8kMe1olR+OsAxKIgvZ/JK+G+e0mMVWdH";
"git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60"; "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
@ -172,7 +154,6 @@ in
''; '';
time = { time = {
hardwareClockInLocalTime = lib.mkDefault false;
timeZone = lib.mkDefault "Etc/UTC"; timeZone = lib.mkDefault "Etc/UTC";
}; };

@ -0,0 +1,9 @@
{ ... }@flakeArg:
let
importProfile = path: import path;
in
{
blade = importProfile ./blade.nix;
common = importProfile ./common.nix;
pveGuest = importProfile ./pveGuest.nix;
}
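Review bot: `importProfile = path: import path;` is an eta-expansion of `import` and the `@flakeArg` binding is never used, so the `let` block adds no behaviour. If it is a placeholder for passing flake arguments to profiles later, a one-line comment saying so (`# flakeArg reserved for passing flake inputs to profiles`) would explain why it stays; otherwise `blade = import ./blade.nix;` (and likewise for the other two entries) reads more directly. The file is complete within this hunk.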

@ -0,0 +1,97 @@
# makes for nice-behaving pve-guests with:
# - qemu-guest-agent & drivers
# - EFI booting
# - support for serial output (but graphic output should still work the same)
{
lib,
modulesPath,
pkgs,
...
}:
let
# Based on https://unix.stackexchange.com/questions/16578/resizable-serial-console-window
resize = pkgs.writeShellScriptBin "resize" ''
export PATH="${lib.getBin pkgs.coreutils}/bin"
if [ ! -t 0 ]; then
# not a interactive...
exit 0
fi
TTY="$(tty)"
if [[ "$TTY" != /dev/ttyS* ]] && [[ "$TTY" != /dev/ttyAMA* ]] && [[ "$TTY" != /dev/ttySIF* ]]; then
# probably not a known serial console, we could make this check more
# precise by using `setserial` but this would require some additional
# dependency
exit 0
fi
old=$(stty -g)
stty raw -echo min 0 time 5
printf '\0337\033[r\033[999;999H\033[6n\0338' > /dev/tty
IFS='[;R' read -r _ rows cols _ < /dev/tty
stty "$old"
stty cols "$cols" rows "$rows"
'';
in
{
imports = [
# from nixpkgs
"${modulesPath}/profiles/qemu-guest.nix"
# from here
./common.nix
];
config = {
boot = {
# TODO duplicated by imported profile from nixpkgs
initrd = {
availableKernelModules = [
"9p"
"9pnet_virtio"
"virtio_blk"
"virtio_mmio"
"virtio_net"
"virtio_pci"
"virtio_scsi"
];
kernelModules = [
"virtio_balloon"
"virtio_console"
"virtio_gpu"
"virtio_rng"
];
};
kernelParams = [
# show kernel log on serial
"console=ttyS0,115200"
# but use virtual tty as /dev/console (last entry)
"console=tty0"
];
# configure for EFI only
loader = {
efi.canTouchEfiVariables = true;
grub.enable = lib.mkDefault false;
grub.efiSupport = true; # in case grub is preferred for some reason
systemd-boot.enable = lib.mkDefault true;
};
};
environment.systemPackages = [ resize ];
services = {
qemuGuest.enable = true;
};
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
time.hardwareClockInLocalTime = false; # just to make sure
};
}
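Review bot: `grub.enable = lib.mkDefault false;` and `systemd-boot.enable = lib.mkDefault true;` are independent defaults, so a host that follows the `# in case grub is preferred` comment and only sets `grub.enable = true` ends up with both loaders enabled, which as far as I know NixOS does not accept. Tying the second default to the first avoids the trap: add `config,` to the module arguments (the file currently destructures only `lib`, `modulesPath` and `pkgs`) and write `systemd-boot.enable = lib.mkDefault (!config.boot.loader.grub.enable);`. The `# TODO duplicated by imported profile from nixpkgs` on the initrd lists looks accurate and could be resolved now by keeping only the entries qemu-guest.nix does not already set. The file is complete within this hunk.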