From e5857074916daa2d2a657fb59729765c6c3cd3ed Mon Sep 17 00:00:00 2001
From: Daniel Lundin <dln@arity.se>
Date: Fri, 15 Nov 2024 21:09:57 +0100
Subject: [PATCH] chore: cleanup config and bring settings over from earlier

---
 flake.nix                      |  4 ---
 modules/image/disk/default.nix | 47 +++++++++++++++++++---------------
 modules/image/disk/updater.nix |  3 ++-
 modules/profiles/base.nix      | 39 ++++++++++++++++++++--------
 modules/profiles/network.nix   | 35 +++++++++++++++----------
 5 files changed, 78 insertions(+), 50 deletions(-)

diff --git a/flake.nix b/flake.nix
index f616a01..3b659db 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,10 +36,6 @@
                 }
               )
               {
-                boot.kernelParams = [
-                  "console=ttyS0"
-                  "systemd.journald.forward_to_console"
-                ];
                 system.image.updates.url = "${updateUrl}";
                 system.image.id = "patos";
                 system.image.version = releaseVersion;
diff --git a/modules/image/disk/default.nix b/modules/image/disk/default.nix
index 2862e18..cb30276 100644
--- a/modules/image/disk/default.nix
+++ b/modules/image/disk/default.nix
@@ -20,9 +20,6 @@
     ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
   '';
 
-  boot.initrd.systemd.enable = true;
-
-  boot.initrd.systemd.repart.enable = true;
   systemd.repart.partitions = {
     "10-esp" = {
       Type = "esp";
@@ -62,28 +59,40 @@
     };
   };
 
-  boot.initrd.compressor = "zstd";
-  boot.initrd.compressorArgs = [ "-8" ];
-
   boot.loader.grub.enable = false;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot.enable = true;
+  boot.uki.name = "patos";
 
-  boot.initrd.luks.forceLuksSupportInInitrd = true;
-  boot.initrd.kernelModules = [
-    "dm_mod"
-    "dm_crypt"
-  ] ++ config.boot.initrd.luks.cryptoModules;
+  boot.initrd = {
+    compressor = "zstd";
+    compressorArgs = [ "-8" ];
 
-  boot.initrd.supportedFilesystems = {
-    btrfs = true;
-    erofs = true;
+    luks.forceLuksSupportInInitrd = true;
+    kernelModules = [
+      "dm_mod"
+      "dm_crypt"
+    ] ++ config.boot.initrd.luks.cryptoModules;
+
+    supportedFilesystems = {
+      btrfs = true;
+      erofs = true;
+    };
+
+    systemd.enable = true;
+    systemd.repart.enable = true;
+    systemd.services.systemd-repart = {
+      after = lib.mkForce [ "sysroot.mount" ];
+      requires = [ "sysroot.mount" ];
+      serviceConfig.Environment = [
+        "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
+      ];
+    };
   };
 
   system.etc.overlay.mutable = false;
   users.mutableUsers = false;
 
-  boot.initrd.systemd.services.systemd-repart.after = lib.mkForce [ "sysroot.mount" ];
-  boot.initrd.systemd.services.systemd-repart.requires = [ "sysroot.mount" ];
-
   boot.kernelParams = [
     "rootfstype=erofs"
     "rootflags=ro"
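Review bot: `boot.loader.efi.canTouchEfiVariables = true;` lets bootloader installation write firmware NVRAM boot entries, and it is added next to `boot.loader.systemd-boot.enable = true;` and `boot.uki.name = "patos";` with no comment saying why a repart/sysupdate image, whose boot entries presumably come from the `"10-esp"` partition laid out earlier in this file, needs either. If the image is assembled offline those variables cannot be written anyway, so consider `boot.loader.efi.canTouchEfiVariables = lib.mkDefault false;` or a comment naming the case that requires it. The `boot.initrd` regrouping itself looks behaviour-preserving as far as the hunk shows: every removed setting reappears under the new attrset. The enclosing module attrset starts and ends outside the hunk.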
@@ -115,10 +124,6 @@
     mode = "0755";
   };
 
-  boot.initrd.systemd.services.systemd-repart.serviceConfig.Environment = [
-    "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
-  ];
-
   # Refuse to boot on mount failure
   systemd.targets."sysinit".requires = [ "local-fs.target" ];
 
diff --git a/modules/image/disk/updater.nix b/modules/image/disk/updater.nix
index adce617..f3c1226 100644
--- a/modules/image/disk/updater.nix
+++ b/modules/image/disk/updater.nix
@@ -1,4 +1,5 @@
-{ config, lib, ... }: {
+{ config, lib, ... }:
+{
 
   options.system.image.updates = {
     enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {
diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix
index 5cb46f5..358d8a8 100644
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@@ -16,8 +16,7 @@
 
   nixpkgs.flake.setNixPath = false;
   nixpkgs.flake.setFlakeRegistry = false;
-
-  networking.hostName = "patos";
+  boot.enableContainers = false;
 
   boot.kernelModules = [
     "zram"
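Review bot: the base profile's `users.mutableUsers = lib.mkDefault false;` is dropped in the next hunk (`@@ -35,8 +34,6 @@`) and nothing in this file sets it again; only modules/image/disk/default.nix still carries `users.mutableUsers = false;` as a context line, so a host that imports base.nix without the disk image module falls back to NixOS's default of mutable users. Keep the hardened default in the profile: `users.mutableUsers = lib.mkDefault false;`. Note also that the `networking.hostName = "patos";` removed here comes back in network.nix as `""`, which is a behaviour change rather than a move. The enclosing attrset starts and ends outside the hunk.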
@@ -35,8 +34,6 @@
   ];
 
   system.etc.overlay.mutable = lib.mkDefault false;
-  users.mutableUsers = lib.mkDefault false;
-
 
   systemd.watchdog = lib.mkDefault {
     runtimeTime = "10s";
@@ -45,6 +42,10 @@
 
   zramSwap.enable = true;
 
+  # FIXME: fstrim should only be enabled for virtual machine images?
+  services.fstrim.enable = true;
+
+
   services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
 
   users.allowNoPasswordLogin = true;
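Review bot: `services.fstrim.enable = true;` is set unconditionally although the FIXME directly above says it should only apply to virtual machine images; writing it as `services.fstrim.enable = lib.mkDefault true;` matches the `lib.mkDefault` style of the neighbouring `services.openssh.settings.PasswordAuthentication` line and lets an image module override it without `lib.mkForce`. The two blank lines left after it are noise. The enclosing attrset starts and ends outside the hunk.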
@@ -52,7 +53,7 @@
 
   security.polkit = {
     enable = true;
-    extraConfig =''
+    extraConfig = ''
       polkit.addRule(function(action, subject) {
         if (subject.isInGroup("wheel")) {
           return polkit.Result.YES;
@@ -63,17 +64,24 @@
 
   i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
 
-  systemd.enableEmergencyMode = false;
-  console.enable = false;
-  systemd.services."getty@tty1".enable = lib.mkDefault false;
-  systemd.services."autovt@".enable = lib.mkDefault false;
+  # Console
+  # FIXME: Add option for toggle
+  # console.enable = false;
+  # systemd.services."getty@tty1".enable = lib.mkDefault false;
+  # systemd.services."autovt@".enable = lib.mkDefault false;
 
-  boot.tmp.useTmpfs = true;
+  systemd.enableEmergencyMode = false;
   boot.consoleLogLevel = lib.mkDefault 1;
   boot.kernelParams = [
+    # "quiet"
     "panic=1"
     "boot.panic_on_fail"
     "nomodeset"
+    "console=tty1"
+    "console=ttyS0,38400"
+    "systemd.log_level=info"
+    "systemd.log_target=console"
+    "systemd.journald.forward_to_console"
   ];
 
   # This is vi country
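Review bot: the serial console and journal forwarding (`"console=ttyS0,38400"`, `"systemd.log_target=console"`, `"systemd.journald.forward_to_console"`) move from the flake's image-specific config (the first hunk of this patch) into the shared base profile, so every host built from this profile now writes its full journal and systemd log output to a serial line readable by anything attached to it, while the getty/console disabling that used to sit here is commented out rather than made optional. The `# FIXME: Add option for toggle` already concedes this is a toggle; until it exists, a comment above the list such as `# Debug aid: serial console + journal forwarding; not intended for production hosts` would at least record the intent, and the dead `# "quiet"` entry should go or be explained. `boot.tmp.useTmpfs` is only moved, not changed. The enclosing attrset starts and ends outside the hunk.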
@@ -81,6 +89,15 @@
   programs.vim.enable = true;
   programs.vim.defaultEditor = lib.mkDefault true;
 
+  # Temporary file
+  boot.tmp.useTmpfs = true;
+
   # Logging
-  services.journald.storage = "volatile";
+  services.journald = {
+    storage = "volatile";
+    extraConfig = ''
+      SystemMaxUse=10M
+    '';
+  };
+
 }
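Review bot: `SystemMaxUse=10M` in the new `services.journald.extraConfig` bounds the persistent journal under /var/log/journal, but with `storage = "volatile"` the journal lives in /run/log/journal, whose size is governed by `RuntimeMaxUse`; as written the limit is likely a no-op. Use `RuntimeMaxUse=10M` instead, or set both if another module may switch storage to persistent. The `# Temporary file` header would read better as `# Temporary files (tmpfs /tmp)`.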
diff --git a/modules/profiles/network.nix b/modules/profiles/network.nix
index d090994..e042216 100644
--- a/modules/profiles/network.nix
+++ b/modules/profiles/network.nix
@@ -1,23 +1,32 @@
 { lib, ... }:
 {
-  # Use TCP BBR
+  # Use networkd
+  networking.useNetworkd = true;
+  systemd.network.wait-online.enable = true;
+
+  # Firewall
+  networking.firewall.enable = false;
+  networking.nftables.enable = lib.mkDefault true;
+
+  # DNS
+  services.resolved = {
+    fallbackDns = [ ]; # Disable fallback DNS. DNS will fail if resolvers are unconfigured
+    extraConfig = ''
+      DNSStubListener=no
+    '';
+
+  };
+
+  # Configuration
+  networking.hostName = "";
+
+  # Kernel
   boot.kernel.sysctl = {
     "net.core.default_qdisc" = "fq";
     "net.ipv4.tcp_congestion_control" = "bbr";
   };
 
-  services.resolved.extraConfig = ''
-    DNSStubListener=no
-  '';
-
-  networking.firewall.enable = false;
-
-  networking.nftables.enable = lib.mkDefault true;
-
-  networking.useNetworkd = true;
-  systemd.network.wait-online.enable = true;
-
-  # Explicitly load networking modules
+  # Modules
   boot.kernelModules = [
     "ip_tables"
     "x_tables"
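Review bot: `networking.hostName = "";` under the `# Configuration` header replaces the fixed `"patos"` removed from base.nix with an empty name, and nothing on the page says where the hostname is now expected to come from; a comment such as `# Empty: hostname is expected to be supplied by DHCP/networkd or the image` would spare the next reader a search. The `# Firewall` header now sits directly over `networking.firewall.enable = false;`, which disables the NixOS firewall module while enabling nftables; a one-line comment saying whether nftables rules are supplied elsewhere or the image is meant to run without packet filtering would document that intent rather than leaving a disabled-firewall line under a "Firewall" heading. Both of those settings existed before; only the headers and the hostname value are new, and the `fallbackDns = [ ]` line already shows the comment style worth copying.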