From e5857074916daa2d2a657fb59729765c6c3cd3ed Mon Sep 17 00:00:00 2001
From: Daniel Lundin
Date: Fri, 15 Nov 2024 21:09:57 +0100
Subject: [PATCH] chore: cleanup config and bring settings over from earlier

---
 flake.nix | 4 ---
 modules/image/disk/default.nix | 47 +++++++++++++++++++---------------
 modules/image/disk/updater.nix | 3 ++-
 modules/profiles/base.nix | 39 ++++++++++++++++++++--------
 modules/profiles/network.nix | 35 +++++++++++++++----------
 5 files changed, 78 insertions(+), 50 deletions(-)

diff --git a/flake.nix b/flake.nix
index f616a01..3b659db 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,10 +36,6 @@
 }
 )
 {
- boot.kernelParams = [
- "console=ttyS0"
- "systemd.journald.forward_to_console"
- ];
 system.image.updates.url = "${updateUrl}";
 system.image.id = "patos";
 system.image.version = releaseVersion;
diff --git a/modules/image/disk/default.nix b/modules/image/disk/default.nix
index 2862e18..cb30276 100644
--- a/modules/image/disk/default.nix
+++ b/modules/image/disk/default.nix
@@ -20,9 +20,6 @@
 ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
 '';
 
- boot.initrd.systemd.enable = true;
-
- boot.initrd.systemd.repart.enable = true;
 systemd.repart.partitions = {
 "10-esp" = {
 Type = "esp";
@@ -62,28 +59,40 @@
 };
 };
 
- boot.initrd.compressor = "zstd";
- boot.initrd.compressorArgs = [ "-8" ];
- boot.loader.grub.enable = false;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+ boot.uki.name = "patos";
 
- boot.initrd.luks.forceLuksSupportInInitrd = true;
- boot.initrd.kernelModules = [
- "dm_mod"
- "dm_crypt"
- ] ++ config.boot.initrd.luks.cryptoModules;
+ boot.initrd = {
+ compressor = "zstd";
+ compressorArgs = [ "-8" ];
 
- boot.initrd.supportedFilesystems = {
- btrfs = true;
- erofs = true;
+ luks.forceLuksSupportInInitrd = true;
+ kernelModules = [
+ "dm_mod"
+ "dm_crypt"
+ ] ++ config.boot.initrd.luks.cryptoModules;
+
+ supportedFilesystems = {
+ btrfs = true;
+ erofs = true;
+ };
+
+ systemd.enable = true;
+ systemd.repart.enable = true;
+ systemd.services.systemd-repart = {
+ after = lib.mkForce [ "sysroot.mount" ];
+ requires = [ "sysroot.mount" ];
+ serviceConfig.Environment = [
+ "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
+ ];
+ };
 };
 
 system.etc.overlay.mutable = false;
 users.mutableUsers = false;
 
 
- boot.initrd.systemd.services.systemd-repart.after = lib.mkForce [ "sysroot.mount" ];
- boot.initrd.systemd.services.systemd-repart.requires = [ "sysroot.mount" ];
-
 boot.kernelParams = [
 "rootfstype=erofs"
 "rootflags=ro"
@@ -115,10 +124,6 @@
 mode = "0755";
 };
 
- boot.initrd.systemd.services.systemd-repart.serviceConfig.Environment = [
- "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
- ];
-
 # Refuse to boot on mount failure
 systemd.targets."sysinit".requires = [ "local-fs.target" ];
 
diff --git a/modules/image/disk/updater.nix b/modules/image/disk/updater.nix
index adce617..f3c1226 100644
--- a/modules/image/disk/updater.nix
+++ b/modules/image/disk/updater.nix
@@ -1,4 +1,5 @@
-{ config, lib, ... }: {
+{ config, lib, ... }:
+{
 
 options.system.image.updates = {
 enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {
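Review bot: `after = lib.mkForce [ "sysroot.mount" ];` inside the new `boot.initrd.systemd.services.systemd-repart` block discards whatever `After=` ordering upstream gives the initrd repart unit, while the `requires` line right below it merges with upstream; the hunk carries this over from the old top-level attributes without recording why the force is needed. A one-line comment would save the next reader from re-deriving it, e.g. `# sysroot.mount must be up before repart runs; mkForce drops the upstream After= entries deliberately`. Since this block now also owns the `SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard` environment that used to live further down, the same comment is the natural place to note that the unit is expected to run only against the already-mounted root.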
diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix
index 5cb46f5..358d8a8 100644
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@@ -16,8 +16,7 @@
 nixpkgs.flake.setNixPath = false;
 nixpkgs.flake.setFlakeRegistry = false;
 
-
- networking.hostName = "patos";
+ boot.enableContainers = false;
 
 boot.kernelModules = [
 "zram"
@@ -35,8 +34,6 @@
 ];
 
 system.etc.overlay.mutable = lib.mkDefault false;
- users.mutableUsers = lib.mkDefault false;
-
 
 systemd.watchdog = lib.mkDefault {
 runtimeTime = "10s";
@@ -45,6 +42,10 @@
 
 zramSwap.enable = true;
 
+ # FIXME: fstrim should only be enabled for virtual machine images?
+ services.fstrim.enable = true;
+
+ services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
 users.allowNoPasswordLogin = true;
 
 
@@ -52,7 +53,7 @@
 
 security.polkit = {
 enable = true;
- extraConfig =''
+ extraConfig = ''
 polkit.addRule(function(action, subject) {
 if (subject.isInGroup("wheel")) {
 return polkit.Result.YES;
@@ -63,17 +64,24 @@
 
 i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
 
- systemd.enableEmergencyMode = false;
- console.enable = false;
- systemd.services."getty@tty1".enable = lib.mkDefault false;
- systemd.services."autovt@".enable = lib.mkDefault false;
+ # Console
+ # FIXME: Add option for toggle
+ # console.enable = false;
+ # systemd.services."getty@tty1".enable = lib.mkDefault false;
+ # systemd.services."autovt@".enable = lib.mkDefault false;
 
- boot.tmp.useTmpfs = true;
+ systemd.enableEmergencyMode = false;
 boot.consoleLogLevel = lib.mkDefault 1;
 boot.kernelParams = [
+ # "quiet"
 "panic=1"
 "boot.panic_on_fail"
 "nomodeset"
+ "console=tty1"
+ "console=ttyS0,38400"
+ "systemd.log_level=info"
+ "systemd.log_target=console"
+ "systemd.journald.forward_to_console"
 ];
 
 # This is vi country
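Review bot: `services.openssh.settings.PasswordAuthentication = lib.mkDefault false;` in the `@@ -45,6 +42,10 @@` hunk does not by itself stop password logins: with PAM in use, sshd still offers keyboard-interactive authentication, which prompts for the same account password. Pair it with `services.openssh.settings.KbdInteractiveAuthentication = lib.mkDefault false;` so both password paths are closed, keeping `lib.mkDefault` so a host can still opt back in. Both settings only take effect if sshd is enabled by another module; nothing in this hunk enables it.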
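Review bot: In the `@@ -63,17 +64,24 @@` hunk, turning `console.enable = false;` and the two `systemd.services."getty@tty1"` / `"autovt@"` disables into comments re-enables the virtual console and its gettys for every system built on the base profile, and the same hunk adds `"console=ttyS0,38400"`, `"systemd.log_target=console"` and `"systemd.journald.forward_to_console"`, so the journal is now written to the kernel console (the last `console=` entry, here the serial port) on all of those systems rather than on the one image that set this in flake.nix before this commit. The `# FIXME: Add option for toggle` already names the right fix: declare an option (updater.nix in this patch uses `lib.mkEnableOption` for the same purpose) that gates the console, getty and log-forwarding settings together and defaults to off, instead of leaving the hardening as commented-out code. Until that option exists, keeping `console.enable = lib.mkDefault false;` preserves the previous default while staying overridable per host.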
@@ -81,6 +89,15 @@
 programs.vim.enable = true;
 programs.vim.defaultEditor = lib.mkDefault true;
 
+ # Temporary file
+ boot.tmp.useTmpfs = true;
+
 # Logging
- services.journald.storage = "volatile";
+ services.journald = {
+ storage = "volatile";
+ extraConfig = ''
+ SystemMaxUse=10M
+ '';
+ };
+
 }
diff --git a/modules/profiles/network.nix b/modules/profiles/network.nix
index d090994..e042216 100644
--- a/modules/profiles/network.nix
+++ b/modules/profiles/network.nix
@@ -1,23 +1,32 @@
 { lib, ... }:
 {
- # Use TCP BBR
+ # Use networkd
+ networking.useNetworkd = true;
+ systemd.network.wait-online.enable = true;
+
+ # Firewall
+ networking.firewall.enable = false;
+ networking.nftables.enable = lib.mkDefault true;
+
+ # DNS
+ services.resolved = {
+ fallbackDns = [ ]; # Disable fallback DNS. DNS will fail if resolvers are unconfigured
+ extraConfig = ''
+ DNSStubListener=no
+ '';
+
+ };
+
+ # Configuration
+ networking.hostName = "";
+
+ # Kernel
 boot.kernel.sysctl = {
 "net.core.default_qdisc" = "fq";
 "net.ipv4.tcp_congestion_control" = "bbr";
 };
 
- services.resolved.extraConfig = ''
- DNSStubListener=no
- '';
-
- networking.firewall.enable = false;
-
- networking.nftables.enable = lib.mkDefault true;
-
- networking.useNetworkd = true;
- systemd.network.wait-online.enable = true;
-
- # Explicitly load networking modules
+ # Modules
 boot.kernelModules = [
 "ip_tables"
 "x_tables"
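Review bot: `SystemMaxUse=10M` in the new `services.journald.extraConfig` has no effect as written: `SystemMaxUse=` caps the persistent journal under /var/log/journal, but `storage = "volatile";` two lines above keeps the journal in /run/log/journal, whose size is governed by `RuntimeMaxUse=`. Change the line to `RuntimeMaxUse=10M`, or set both if another module may switch storage to persistent. The `}` closing this hunk is the end of the module attrset, so there is no later setting in this file that corrects it.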
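Review bot: `networking.firewall.enable = false;` now sits under the new `# Firewall` heading beside `networking.nftables.enable = lib.mkDefault true;`, which gives the host an nftables backend with no ruleset, so unless another module adds rules nothing on the host filters inbound traffic; the setting is carried over from the old file, but grouping it under a section header is the moment to record the reason. Suggested: `networking.firewall.enable = false; # no host firewall: <reason / where filtering happens>` with the placeholder filled in, or `lib.mkDefault false` so a consuming host can turn it back on without `mkForce`. The `fallbackDns = [ ]` line in the same hunk already models this well with its inline justification.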