extern/nix-config
1
0
Fork 1
mirror of https://github.com/donovanglover/nix-config.git synced 2024-11-22 16:23:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
83740051ea
nix-config/modules/system.nix

264 lines
5.5 KiB
Nix
Raw Normal View History

feat: Pass nix-config as self to avoid infinite recursion This change makes it possible to use this nix-config in all the different ways imaginable (containers, bare metal, tests, and as a separate flake input) *without* running into infinite recursion issues with self. It does this by using a trick similar to JavaScript in which `var self = this;`, thus enabling the usage of "this" (or self, in Nix's case) where it wouldn't otherwise be possible. Note that this *only* works if the input for this repository is named nix-config. This makes it impractical to combine with multiple configurations that employ the same strategy.
2024-04-05 16:09:51 +02:00
{ nix-config, pkgs, lib, config, ... }:
meta: Merge nix and systemd modules with system These are simple enough configurations that have benefits across many different systems.
2024-04-03 14:05:28 +02:00
let
system: Only add phone groups when necessary
2024-06-20 19:18:39 +02:00
inherit (lib) mkOption mkEnableOption mkIf singleton optionals;
system: Add option to specify hashedPassword It may be useful to add hashedPasswordFile in the future, although from my testing it was possible to rebuild a VM that used a cached derivation with the old password. Ideally your main form of authentication is through LUKS encryption or SSH keys anyway, and this password should solely be used for sudo purposes.
2024-04-06 14:11:58 +02:00
inherit (lib.types) nullOr str listOf;
system: Add phone support
2024-06-19 08:00:34 +02:00
inherit (cfg) username iHaveLotsOfRam hashedPassword mullvad allowSRB2Port allowDevPort noRoot postgres phone;
feat: Pass nix-config as self to avoid infinite recursion This change makes it possible to use this nix-config in all the different ways imaginable (containers, bare metal, tests, and as a separate flake input) *without* running into infinite recursion issues with self. It does this by using a trick similar to JavaScript in which `var self = this;`, thus enabling the usage of "this" (or self, in Nix's case) where it wouldn't otherwise be possible. Note that this *only* works if the input for this repository is named nix-config. This makes it impractical to combine with multiple configurations that employ the same strategy.
2024-04-05 16:09:51 +02:00
inherit (builtins) attrValues;
meta: Begin making system module customizable These options are pretty important so it'd be cool to be able to change them. Current strategy is to assume that configuration through the module is preferred over overriding the NixOS option directly.
2024-04-03 15:43:02 +02:00
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
cfg = config.modules.system;
meta: Merge nix and systemd modules with system These are simple enough configurations that have benefits across many different systems.
2024-04-03 14:05:28 +02:00
in
modules: Add system
2023-06-22 17:54:12 +02:00
{
feat: Pass nix-config as self to avoid infinite recursion This change makes it possible to use this nix-config in all the different ways imaginable (containers, bare metal, tests, and as a separate flake input) *without* running into infinite recursion issues with self. It does this by using a trick similar to JavaScript in which `var self = this;`, thus enabling the usage of "this" (or self, in Nix's case) where it wouldn't otherwise be possible. Note that this *only* works if the input for this repository is named nix-config. This makes it impractical to combine with multiple configurations that employ the same strategy.
2024-04-05 16:09:51 +02:00
imports = attrValues {
inherit (nix-config.inputs.home-manager.nixosModules) home-manager;
};
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
options.modules.system = {
feat: Make username customizable Now it's possible to use whatever username you want for your system. The default value of "user" is good if you're concerned about information disclosure attacks through things like the username being visible in logs or other output.
2024-04-04 22:36:08 +02:00
username = mkOption {
type = str;
default = "user";
};
system: Add option to specify hashedPassword It may be useful to add hashedPasswordFile in the future, although from my testing it was possible to rebuild a VM that used a cached derivation with the old password. Ideally your main form of authentication is through LUKS encryption or SSH keys anyway, and this password should solely be used for sudo purposes.
2024-04-06 14:11:58 +02:00
hashedPassword = mkOption {
type = nullOr str;
default = null;
};
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
timeZone = mkOption {
type = str;
default = "America/New_York";
};
system: Clean /tmp on boot Necessary since /tmp is no longer a tmpfs.
2024-04-04 03:28:50 +02:00
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
defaultLocale = mkOption {
type = str;
default = "ja_JP.UTF-8";
meta: Merge boot module with system This seems like it could fit with the hardware module as well, however time will tell if we're able to keep this in system when importing it into containers and virtual machines. Note that boot.loader.efi.canTouchEfiVariables gets set to true during the nixos-install process, so it should be okay to keep here.
2024-04-03 13:30:40 +02:00
};
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
supportedLocales = mkOption {
type = listOf str;
default = [ "ja_JP.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" "fr_FR.UTF-8/UTF-8" ];
};
stateVersion = mkOption {
type = str;
default = "22.11";
};
system: Add option to avoid cleaning /tmp on boot This increases boot times quite a bit so I'd rather use tmpfs as /tmp where possible. Note that this defaults to cleaning /tmp anyway since I'd rather clean /tmp than not do so at all. For future reference, the message that gets shown is the following: "A start job is running for Create Volatile Files and Directories"
2024-04-05 16:59:48 +02:00
iHaveLotsOfRam = mkEnableOption "tmpfs on /tmp";
system: Add phone support
2024-06-19 08:00:34 +02:00
phone = mkEnableOption "Phone support";
meta: Merge networking with system This makes it easier to ensure that the system has our network settings such as random mac addresses. This makes sense since networking in general is related to the system.
2024-04-06 14:37:09 +02:00
hostName = mkOption {
type = str;
default = "nixos";
};
feat: Add option to disable root at the system level Reduces complexity in the containers module.
2024-04-07 01:28:20 +02:00
noRoot = mkEnableOption "disable access to root";
meta: Merge networking with system This makes it easier to ensure that the system has our network settings such as random mac addresses. This makes sense since networking in general is related to the system.
2024-04-06 14:37:09 +02:00
mullvad = mkEnableOption "mullvad vpn";
meta: Handle postgres at the system level This makes sense since postgres is a service that runs on the system.
2024-04-09 15:25:30 +02:00
postgres = mkEnableOption "postgres database for containers";
meta: Merge networking with system This makes it easier to ensure that the system has our network settings such as random mac addresses. This makes sense since networking in general is related to the system.
2024-04-06 14:37:09 +02:00
allowSRB2Port = mkEnableOption "port for srb2";
system: Change allowZolaPort option to allowDevPort Makes things a bit more generic.
2024-05-20 17:53:12 +02:00
allowDevPort = mkEnableOption "port for development server";
meta: Merge nix and systemd modules with system These are simple enough configurations that have benefits across many different systems.
2024-04-03 14:05:28 +02:00
};
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
config = {
system: Add phone support
2024-06-19 08:00:34 +02:00
boot = mkIf (!phone) {
chore: Format with nixpkgs-fmt Note that we will continue to use nixpkgs-fmt for the time being here since nixfmt-rfc-style breaks string syntax highlighting and comments like `/* this */` get turned into `# this`. The conversion from lisp-like formatting to something else in flake.nix is a bit unfortunate, but I'd rather have a singular style for the entire code base to make things easier.
2024-04-05 17:26:22 +02:00
tmp =
if iHaveLotsOfRam
system: Add option to avoid cleaning /tmp on boot This increases boot times quite a bit so I'd rather use tmpfs as /tmp where possible. Note that this defaults to cleaning /tmp anyway since I'd rather clean /tmp than not do so at all. For future reference, the message that gets shown is the following: "A start job is running for Create Volatile Files and Directories"
2024-04-05 16:59:48 +02:00
then { useTmpfs = true; }
else { cleanOnBoot = true; };
meta: Merge nix and systemd modules with system These are simple enough configurations that have benefits across many different systems.
2024-04-03 14:05:28 +02:00
system: Enable aarch64-linux emulation This makes it possible to build the phone on the laptop, useful to significantly reduce build times.
2024-06-16 13:43:51 +02:00
binfmt.emulatedSystems = [ "aarch64-linux" ];
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
loader = {
systemd-boot = {
enable = true;
editor = false;
configurationLimit = 10;
};
timeout = 0;
efi.canTouchEfiVariables = true;
};
system: Blacklist floppy kernel module Fixes an issue where the QEMU VM attempted to load a floppy at /dev/fd0.
2024-04-11 04:56:48 +02:00
blacklistedKernelModules = [
"floppy"
];
meta: Merge nix and systemd modules with system These are simple enough configurations that have benefits across many different systems.
2024-04-03 14:05:28 +02:00
};
system: Add phone support
2024-06-19 08:00:34 +02:00
systemd = mkIf (!phone) {
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
extraConfig = "DefaultTimeoutStopSec=10s";
services.NetworkManager-wait-online.enable = false;
};
meta: Merge zram module with system Self-explanatory since zram is system-related. Doesn't seem to affect containers which is good.
2024-04-03 15:16:18 +02:00
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
nix = {
settings = {
experimental-features = [ "nix-command" "flakes" "repl-flake" ];
auto-optimise-store = true;
warn-dirty = false;
system(nix): Forbid import from derivation Helps prevent issues where we accidentally use an import from derivation and cause flakes with multiple platforms to fail when running things like `nix flake check`.
2024-06-21 04:32:42 +02:00
allow-import-from-derivation = false;
system: Add wheel group to trusted users Should prevent issues we ran into previously with things like nixos-rebuild on remote hosts through ssh with non-root accounts.
2024-06-17 17:24:51 +02:00
trusted-users = [
"root"
"@wheel"
];
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
};
};
phone: Enable 100% zram Shouldn't break anything. This is mostly a safeguard to ensure that systemd didn't SIGSEGV and freeze last time due to memory concerns.
2024-06-23 15:45:09 +02:00
zramSwap = {
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
enable = true;
memoryPercent = 100;
};
meta: Merge timezone and locale with system Usually one would want to define all of these options at the same time, so it doesn't make sense to require importing several different modules. For values that aren't needed, users can either override the configuration in their own module or use an option that has been written upstream for the module.
2024-04-03 13:14:47 +02:00
meta: Make system module customizable
2024-04-04 15:41:32 +02:00
time = {
inherit (cfg) timeZone;
};
i18n = {
inherit (cfg) defaultLocale supportedLocales;
};
system = {
inherit (cfg) stateVersion;
};
meta: Merge home-manager and user module with system Makes it easier to create a working and pre-configured system with minimal configuration.
2024-04-04 22:00:09 +02:00
users = {
mutableUsers = false;
feat: Add option to disable root at the system level Reduces complexity in the containers module.
2024-04-07 01:28:20 +02:00
allowNoPasswordLogin = mkIf noRoot true;
meta: Merge home-manager and user module with system Makes it easier to create a working and pre-configured system with minimal configuration.
2024-04-04 22:00:09 +02:00
feat: Make username customizable Now it's possible to use whatever username you want for your system. The default value of "user" is good if you're concerned about information disclosure attacks through things like the username being visible in logs or other output.
2024-04-04 22:36:08 +02:00
users.${username} = {
system: Add option to specify hashedPassword It may be useful to add hashedPasswordFile in the future, although from my testing it was possible to rebuild a VM that used a cached derivation with the old password. Ideally your main form of authentication is through LUKS encryption or SSH keys anyway, and this password should solely be used for sudo purposes.
2024-04-06 14:11:58 +02:00
inherit hashedPassword;
feat: Make username customizable Now it's possible to use whatever username you want for your system. The default value of "user" is good if you're concerned about information disclosure attacks through things like the username being visible in logs or other output.
2024-04-04 22:36:08 +02:00
isNormalUser = true;
uid = 1000;
feat: Add option to disable root at the system level Reduces complexity in the containers module.
2024-04-07 01:28:20 +02:00
password = mkIf (hashedPassword == null && !noRoot) username;
system: Add groups from phone Might reduce this later.
2024-06-19 08:04:46 +02:00
extraGroups =
if noRoot
then [ ]
else [
system: Only add phone groups when necessary
2024-06-20 19:18:39 +02:00
"wheel"
"networkmanager"
] ++ (optionals (phone) [
system: Add groups from phone Might reduce this later.
2024-06-19 08:04:46 +02:00
"dialout"
"feedbackd"
"video"
system: Only add phone groups when necessary
2024-06-20 19:18:39 +02:00
]);
meta: Merge home-manager and user module with system Makes it easier to create a working and pre-configured system with minimal configuration.
2024-04-04 22:00:09 +02:00
};
};
system: Don't generate man cache on mobile Significantly improves build times with aarch64 emulation.
2024-06-20 18:15:59 +02:00
documentation.man.generateCaches = mkIf (phone) false;
meta: Merge home-manager and user module with system Makes it easier to create a working and pre-configured system with minimal configuration.
2024-04-04 22:00:09 +02:00
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
chore(nix): Use singleton where possible
2024-04-08 10:11:19 +02:00
sharedModules = singleton {
system(home): Inherit stateVersion
2024-04-08 10:15:46 +02:00
home = {
inherit (cfg) stateVersion;
};
system: Don't generate man cache on mobile Significantly improves build times with aarch64 emulation.
2024-06-20 18:15:59 +02:00
programs.man.generateCaches = mkIf (!phone) true;
chore(nix): Use singleton where possible
2024-04-08 10:11:19 +02:00
};
meta: Merge home-manager and user module with system Makes it easier to create a working and pre-configured system with minimal configuration.
2024-04-04 22:00:09 +02:00
feat: Make username customizable Now it's possible to use whatever username you want for your system. The default value of "user" is good if you're concerned about information disclosure attacks through things like the username being visible in logs or other output.
2024-04-04 22:36:08 +02:00
users.${username}.home = {
inherit username;
homeDirectory = "/home/${username}";
meta: Merge home-manager and user module with system Makes it easier to create a working and pre-configured system with minimal configuration.
2024-04-04 22:00:09 +02:00
};
};
meta: Merge virtualization with system The check VMs still work as expected with this change.
2024-04-06 01:38:56 +02:00
virtualisation.vmVariant = {
virtualisation = {
memorySize = 4096;
cores = 4;
virtualization: Mount /tmp as /mnt This isn't *perfect*, but it does make it possible to share files between the guest and the host without having to imperatively create a directory that may or may not exist on other systems.
2024-04-06 14:21:27 +02:00
sharedDirectories = {
tmp = {
source = "/tmp";
target = "/mnt";
};
};
meta: Merge virtualization with system The check VMs still work as expected with this change.
2024-04-06 01:38:56 +02:00
qemu.options = [
"-device virtio-vga-gl"
"-display sdl,gl=on,show-cursor=off"
"-audio pa,model=hda"
virtualization: Fullscreen by default Makes things easier to work with since hyprland doesn't automatically match the resolution with the VM window by default.
2024-04-06 12:44:31 +02:00
"-full-screen"
meta: Merge virtualization with system The check VMs still work as expected with this change.
2024-04-06 01:38:56 +02:00
];
};
environment.sessionVariables = {
WLR_NO_HARDWARE_CURSORS = "1";
};
services.interception-tools.enable = lib.mkForce false;
networking.resolvconf.enable = lib.mkForce true;
virtualization: Disable zram Causes errors on startup and generally isn't useful inside the VM.
2024-04-06 04:23:20 +02:00
zramSwap.enable = lib.mkForce false;
meta: Merge virtualization with system The check VMs still work as expected with this change.
2024-04-06 01:38:56 +02:00
boot.enableContainers = false;
};
meta: Merge networking with system This makes it easier to ensure that the system has our network settings such as random mac addresses. This makes sense since networking in general is related to the system.
2024-04-06 14:37:09 +02:00
networking = {
inherit (cfg) hostName;
networkmanager = {
enable = true;
wifi.macAddress = "random";
ethernet.macAddress = "random";
unmanaged = [ "interface-name:ve-*" ];
};
useHostResolvConf = true;
resolvconf.enable = mkIf mullvad false;
nat = mkIf mullvad {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "wg-mullvad";
};
firewall = {
allowedUDPPorts = mkIf allowSRB2Port [
5029
];
system: Change allowZolaPort option to allowDevPort Makes things a bit more generic.
2024-05-20 17:53:12 +02:00
allowedTCPPorts = mkIf allowDevPort [
3000
meta: Merge networking with system This makes it easier to ensure that the system has our network settings such as random mac addresses. This makes sense since networking in general is related to the system.
2024-04-06 14:37:09 +02:00
];
phone: Add mullvad support by disabling checkReversePath `networking.firewall.checkReversePath` was being set to "loose" from Mullvad VPN, which was causing an issue with the kernel used by the PinePhone with Mobile NixOS. By changing this option to `false`, we get rid of the "This kernel does not support rpfilter" error, which seems to be inaccurate due to the result of `sysctl -a | grep \\.rp_filter` on the phone being consistent with the result on the laptop.
2024-06-22 01:12:01 +02:00
checkReversePath = mkIf phone (lib.mkForce false);
meta: Merge networking with system This makes it easier to ensure that the system has our network settings such as random mac addresses. This makes sense since networking in general is related to the system.
2024-04-06 14:37:09 +02:00
};
};
meta: Handle postgres at the system level This makes sense since postgres is a service that runs on the system.
2024-04-09 15:25:30 +02:00
services = {
resolved.llmnr = "false";
meta: Merge networking with system This makes it easier to ensure that the system has our network settings such as random mac addresses. This makes sense since networking in general is related to the system.
2024-04-06 14:37:09 +02:00
meta: Handle postgres at the system level This makes sense since postgres is a service that runs on the system.
2024-04-09 15:25:30 +02:00
mullvad-vpn = mkIf mullvad {
enable = true;
enableExcludeWrapper = false;
phone: Add mullvad support by disabling checkReversePath `networking.firewall.checkReversePath` was being set to "loose" from Mullvad VPN, which was causing an issue with the kernel used by the PinePhone with Mobile NixOS. By changing this option to `false`, we get rid of the "This kernel does not support rpfilter" error, which seems to be inaccurate due to the result of `sysctl -a | grep \\.rp_filter` on the phone being consistent with the result on the laptop.
2024-06-22 01:12:01 +02:00
package = pkgs.mullvad-vpn;
meta: Handle postgres at the system level This makes sense since postgres is a service that runs on the system.
2024-04-09 15:25:30 +02:00
};
postgresql = mkIf postgres {
enable = true;
ensureUsers = singleton {
name = username;
};
ensureDatabases = [ username ];
};
meta: Merge networking with system This makes it easier to ensure that the system has our network settings such as random mac addresses. This makes sense since networking in general is related to the system.
2024-04-06 14:37:09 +02:00
};
chore: Link paths at the system level Fixes an issue where paths wouldn't be linked previously unless manually specified.
2024-04-06 16:26:02 +02:00
meta: Merge packages module into existing modules
2024-04-06 17:35:34 +02:00
environment.systemPackages = with pkgs; [
(pass.withExtensions (ext: with ext; [ pass-otp ]))
];
chore: Disable command-not-found by default Unfortunately command-not-found only works for channels and doesn't have first-class support for flakes yet, and nix-index takes forever to build the database on slower machines, so I'd rather just disable this by default.
2024-04-06 18:13:01 +02:00
programs.command-not-found.enable = false;
meta: Merge packages module into existing modules
2024-04-06 17:35:34 +02:00
environment.defaultPackages = [ ];
meta: Begin making system module customizable These options are pretty important so it'd be cool to be able to change them. Current strategy is to assume that configuration through the module is preferred over overriding the NixOS option directly.
2024-04-03 15:43:02 +02:00
};
modules: Add system
2023-06-22 17:54:12 +02:00
}
Reference in New Issue Copy Permalink