chore: cleanup config and bring settings over from earlier

2024-11-15 21:09:57 +01:00 · 2024-11-15 21:09:57 +01:00 · e585707491
commit e585707491
parent 33f7afd87d
5 changed files with 78 additions and 50 deletions
--- a/flake.nix
+++ b/flake.nix
@ -36,10 +36,6 @@
                }
              )
              {
-                boot.kernelParams = [
-                  "console=ttyS0"
-                  "systemd.journald.forward_to_console"
-                ];
                system.image.updates.url = "${updateUrl}";
                system.image.id = "patos";
                system.image.version = releaseVersion;
--- a/modules/image/disk/default.nix
+++ b/modules/image/disk/default.nix
@ -20,9 +20,6 @@
    ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
  '';

-  boot.initrd.systemd.enable = true;
-
-  boot.initrd.systemd.repart.enable = true;
  systemd.repart.partitions = {
    "10-esp" = {
      Type = "esp";
@ -62,28 +59,40 @@
    };
  };

-  boot.initrd.compressor = "zstd";
-  boot.initrd.compressorArgs = [ "-8" ];
-
  boot.loader.grub.enable = false;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot.enable = true;
+  boot.uki.name = "patos";

-  boot.initrd.luks.forceLuksSupportInInitrd = true;
-  boot.initrd.kernelModules = [
-    "dm_mod"
-    "dm_crypt"
-  ] ++ config.boot.initrd.luks.cryptoModules;
+  boot.initrd = {
+    compressor = "zstd";
+    compressorArgs = [ "-8" ];

-  boot.initrd.supportedFilesystems = {
-    btrfs = true;
-    erofs = true;
+    luks.forceLuksSupportInInitrd = true;
+    kernelModules = [
+      "dm_mod"
+      "dm_crypt"
+    ] ++ config.boot.initrd.luks.cryptoModules;
+
+    supportedFilesystems = {
+      btrfs = true;
+      erofs = true;
+    };
+
+    systemd.enable = true;
+    systemd.repart.enable = true;
+    systemd.services.systemd-repart = {
+      after = lib.mkForce [ "sysroot.mount" ];
+      requires = [ "sysroot.mount" ];
+      serviceConfig.Environment = [
+        "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
+      ];
+    };
  };

  system.etc.overlay.mutable = false;
  users.mutableUsers = false;

-  boot.initrd.systemd.services.systemd-repart.after = lib.mkForce [ "sysroot.mount" ];
-  boot.initrd.systemd.services.systemd-repart.requires = [ "sysroot.mount" ];
-
  boot.kernelParams = [
    "rootfstype=erofs"
    "rootflags=ro"
@ -115,10 +124,6 @@
    mode = "0755";
  };

-  boot.initrd.systemd.services.systemd-repart.serviceConfig.Environment = [
-    "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
-  ];
-
  # Refuse to boot on mount failure
  systemd.targets."sysinit".requires = [ "local-fs.target" ];

--- a/modules/image/disk/updater.nix
+++ b/modules/image/disk/updater.nix
@ -1,4 +1,5 @@
-{ config, lib, ... }: {
+{ config, lib, ... }:
+{

  options.system.image.updates = {
    enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -16,8 +16,7 @@

  nixpkgs.flake.setNixPath = false;
  nixpkgs.flake.setFlakeRegistry = false;
-
-  networking.hostName = "patos";
+  boot.enableContainers = false;

  boot.kernelModules = [
    "zram"
@ -35,8 +34,6 @@
  ];

  system.etc.overlay.mutable = lib.mkDefault false;
-  users.mutableUsers = lib.mkDefault false;
-

  systemd.watchdog = lib.mkDefault {
    runtimeTime = "10s";
@ -45,6 +42,10 @@

  zramSwap.enable = true;

+  # FIXME: fstrim should only be enabled for virtual machine images?
+  services.fstrim.enable = true;
+
+
  services.openssh.settings.PasswordAuthentication = lib.mkDefault false;

  users.allowNoPasswordLogin = true;
@ -52,7 +53,7 @@

  security.polkit = {
    enable = true;
-    extraConfig =''
+    extraConfig = ''
      polkit.addRule(function(action, subject) {
        if (subject.isInGroup("wheel")) {
          return polkit.Result.YES;
@ -63,17 +64,24 @@

  i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];

-  systemd.enableEmergencyMode = false;
-  console.enable = false;
-  systemd.services."getty@tty1".enable = lib.mkDefault false;
-  systemd.services."autovt@".enable = lib.mkDefault false;
+  # Console
+  # FIXME: Add option for toggle
+  # console.enable = false;
+  # systemd.services."getty@tty1".enable = lib.mkDefault false;
+  # systemd.services."autovt@".enable = lib.mkDefault false;

-  boot.tmp.useTmpfs = true;
+  systemd.enableEmergencyMode = false;
  boot.consoleLogLevel = lib.mkDefault 1;
  boot.kernelParams = [
+    # "quiet"
    "panic=1"
    "boot.panic_on_fail"
    "nomodeset"
+    "console=tty1"
+    "console=ttyS0,38400"
+    "systemd.log_level=info"
+    "systemd.log_target=console"
+    "systemd.journald.forward_to_console"
  ];

  # This is vi country
@ -81,6 +89,15 @@
  programs.vim.enable = true;
  programs.vim.defaultEditor = lib.mkDefault true;

+  # Temporary file
+  boot.tmp.useTmpfs = true;
+
  # Logging
-  services.journald.storage = "volatile";
+  services.journald = {
+    storage = "volatile";
+    extraConfig = ''
+      SystemMaxUse=10M
+    '';
+  };
+
 }
--- a/modules/profiles/network.nix
+++ b/modules/profiles/network.nix
@ -1,23 +1,32 @@
 { lib, ... }:
 {
-  # Use TCP BBR
+  # Use networkd
+  networking.useNetworkd = true;
+  systemd.network.wait-online.enable = true;
+
+  # Firewall
+  networking.firewall.enable = false;
+  networking.nftables.enable = lib.mkDefault true;
+
+  # DNS
+  services.resolved = {
+    fallbackDns = [ ]; # Disable fallback DNS. DNS will fail if resolvers are unconfigured
+    extraConfig = ''
+      DNSStubListener=no
+    '';
+
+  };
+
+  # Configuration
+  networking.hostName = "";
+
+  # Kernel
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };

-  services.resolved.extraConfig = ''
-    DNSStubListener=no
-  '';
-
-  networking.firewall.enable = false;
-
-  networking.nftables.enable = lib.mkDefault true;
-
-  networking.useNetworkd = true;
-  systemd.network.wait-online.enable = true;
-
-  # Explicitly load networking modules
+  # Modules
  boot.kernelModules = [
    "ip_tables"
    "x_tables"