From 03bcc946454efbbb397fa69ae09efcf9e2c70ec4 Mon Sep 17 00:00:00 2001 From: unexplrd Date: Sun, 4 May 2025 18:48:42 +0300 Subject: [PATCH] more work on hosts/ and modules/config 
Signed-off-by: unexplrd --- hosts/dunamis/configuration.nix | 35 ++++++++++++---- hosts/eldrid/boot/default.nix | 39 ------------------ hosts/eldrid/boot/loader.nix | 15 ------- hosts/eldrid/configuration.nix | 41 +++++++++++-------- hosts/eldrid/{nix => }/distributed-build.nix | 0 hosts/eldrid/hardware/default.nix | 2 - hosts/eldrid/hardware/facter.nix | 14 ------- .../hardware/vaapi/intel-media-driver.nix | 7 ---- hosts/eldrid/networking/default.nix | 9 ---- hosts/eldrid/networking/host-name-id.nix | 6 --- hosts/eldrid/networking/hosts.nix | 3 -- hosts/eldrid/nix/common.nix | 11 ----- hosts/eldrid/nix/default.nix | 7 ---- hosts/eldrid/nix/ssh-serve.nix | 10 ----- hosts/eldrid/nix/substituters.nix | 16 -------- hosts/sarien/configuration.nix | 22 ++++++---- hosts/sarien/distributed-build.nix | 30 ++++++++++++++ modules/nixos/config/boot/default.nix | 4 +- modules/nixos/config/boot/lanzaboote.nix | 2 - modules/nixos/config/boot/loader.nix | 1 - modules/nixos/config/default.nix | 34 +++++++++++---- modules/nixos/config/networking/default.nix | 16 ++++++-- .../networking/network-manager/default.nix | 15 ------- .../network-manager/wireless-iwd.nix | 15 ------- modules/nixos/config/users.nix | 1 + modules/nixos/system/wireless/default.nix | 1 - modules/nixos/system/wireless/wifi.nix | 29 ------------- 27 files changed, 136 insertions(+), 249 deletions(-) delete mode 100644 hosts/eldrid/boot/default.nix delete mode 100644 hosts/eldrid/boot/loader.nix rename hosts/eldrid/{nix => }/distributed-build.nix (100%) delete mode 100644 hosts/eldrid/hardware/facter.nix delete mode 100644 hosts/eldrid/hardware/vaapi/intel-media-driver.nix delete mode 100644 hosts/eldrid/networking/default.nix delete mode 100644 hosts/eldrid/networking/host-name-id.nix delete mode 100644 hosts/eldrid/networking/hosts.nix delete mode 100644 hosts/eldrid/nix/common.nix delete mode 100644 hosts/eldrid/nix/default.nix delete mode 100644 hosts/eldrid/nix/ssh-serve.nix delete mode 100644 
hosts/eldrid/nix/substituters.nix create mode 100644 hosts/sarien/distributed-build.nix delete mode 100644 modules/nixos/config/networking/network-manager/default.nix delete mode 100644 modules/nixos/config/networking/network-manager/wireless-iwd.nix delete mode 100644 modules/nixos/system/wireless/wifi.nix diff --git a/hosts/dunamis/configuration.nix b/hosts/dunamis/configuration.nix index d71b2cf..e1ee9c1 100644 --- a/hosts/dunamis/configuration.nix +++ b/hosts/dunamis/configuration.nix @@ -1,4 +1,8 @@ -{inputs, ...}: { +{ + config, + inputs, + ... +}: { imports = with inputs; [ self.nixosModules.config self.nixosModules.desktop @@ -8,6 +12,7 @@ ]; networking = { + networkmanager.enable = true; hostId = "c7f6c4a1"; hostName = "dunamis"; }; @@ -18,13 +23,15 @@ desktop.niri.enable = true; - module.config = { - secureBoot = true; - tpmDiskUnlock = true; - }; - module.stylix = { - enable = true; - theme = "helios"; + module = { + config = { + secureBoot = true; + tpmDiskUnlock = true; + }; + stylix = { + enable = true; + theme = "helios"; + }; }; locale.ukrainian.enable = true; @@ -32,4 +39,16 @@ qmk-vial.enable = true; security.basic.enable = true; virtual.libvirt.enable = true; + + nix = let + inherit (builtins) readFile; + inherit (config.users.users) user; + in { + settings.trusted-users = ["nix-ssh"]; + sshServe = { + enable = true; + write = true; + keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles; + }; + }; } diff --git a/hosts/eldrid/boot/default.nix b/hosts/eldrid/boot/default.nix deleted file mode 100644 index 86f5df8..0000000 --- a/hosts/eldrid/boot/default.nix +++ /dev/null 
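Review bot: The new `nix` block on dunamis turns every key in `user.openssh.authorizedKeys.keyFiles` into a `nix-ssh` login, and `nix-ssh` is a trusted user with `sshServe.write = true`, so whoever holds the interactive `user` key can also push unsigned store paths into dunamis as a trusted client — trusted-user access to the daemon is root-equivalent, not merely "may build". Nix needs the serving user to be trusted for `nix-store --serve --write` to accept unsigned inputs from a remote builder client, so the setting itself is probably required; what should be tightened is `keys`: pass only the client key(s) used for remote builds (hosts/sarien/distributed-build.nix authenticates with a dedicated `ssh-sarien-user` secret, so its public half is the natural candidate) instead of the whole set of keys that can log in as `user`. A comment above `settings.trusted-users = ["nix-ssh"];` such as `# root-equivalent: required so --write accepts unsigned paths from builders; keep sshServe.keys minimal` would make the trade-off visible to the next reader. The enclosing attrset begins outside this hunk.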
@@ -1,39 +0,0 @@
-{
- pkgs,
- inputs,
- ...
-}: {
- imports = with inputs;
- [
- chaotic.nixosModules.default
- lanzaboote.nixosModules.lanzaboote
- ]
- ++ [
- ./loader.nix
- ];
- boot = {
- # kernelPackages = pkgs.linuxPackages_latest;
- plymouth.enable = true;
- consoleLogLevel = 0;
- kernelPackages = pkgs.linuxPackages_cachyos;
- kernelParams = [
- "amd_iommu=force_isolation"
- "debugfs=off"
- "efi=disable_early_pci_dma"
- "gather_data_sampling=force"
- "intel_iommu=on"
- "iommu.passthrough=0"
- "iommu.strict=1"
- "iommu=force"
- "page_alloc.shuffle=1"
- "vsyscall=none"
- # "ia32_emulation=0"
- # "lockdown=confidentiality"
- # "module.sig_enforce=1"
- ];
- initrd = {
- systemd.enable = true; # needed for auto-unlocking with TPM
- systemd.tpm2.enable = false; # no TPM
- };
- };
-}
diff --git a/hosts/eldrid/boot/loader.nix b/hosts/eldrid/boot/loader.nix
deleted file mode 100644
index 7cd9220..0000000
--- a/hosts/eldrid/boot/loader.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{config, ...}: {
- boot = {
- lanzaboote = {
- enable = false;
- pkiBundle = "/var/lib/sbctl";
- };
- loader = {
- efi.canTouchEfiVariables = true;
- systemd-boot = {
- enable = !config.boot.lanzaboote.enable;
- consoleMode = "auto";
- };
- };
- };
-}
diff --git a/hosts/eldrid/configuration.nix b/hosts/eldrid/configuration.nix
index df6a93f..fa2128c 100644
--- a/hosts/eldrid/configuration.nix
+++ b/hosts/eldrid/configuration.nix
@@ -2,29 +2,38 @@ imports = with inputs; [ self.nixosModules.desktop self.nixosModules.system - ./boot ./disko ./hardware - ./networking - ./nix - ../dunamis/programs.nix - ../dunamis/services.nix - ../dunamis/sops.nix - ../dunamis/users.nix ]; + networking = { + networkmanager.enable = true; + # hostId = ""; + hostName = "eldrid"; + }; + + environment.memoryAllocator.provider = "mimalloc"; + system.stateVersion = "25.05"; + time.timeZone = "Europe/Kyiv"; + desktop.plasma.enable = true; - locale.ukrainian.enable = true; - - module.stylix = { - enable = true; - theme = "nord"; + module = { + config = { + secureBoot = true; + useIwd = true; + }; + stylix = { + enable = true; + theme = "helios"; + }; }; + locale.ukrainian.enable = true; + opentabletdriver.enable = false; + qmk-vial.enable = true; security.basic.enable = true; - - system.stateVersion = "25.05"; + virtual.libvirt.enable = false; swapDevices = [ { @@ -32,8 +41,4 @@ size = 8 * 1024; # eight gigs } ]; - - time.timeZone = "Europe/Kyiv"; - - # virtual.libvirt.enable = true; } diff --git a/hosts/eldrid/nix/distributed-build.nix b/hosts/eldrid/distributed-build.nix similarity index 100% rename from hosts/eldrid/nix/distributed-build.nix rename to hosts/eldrid/distributed-build.nix diff --git a/hosts/eldrid/hardware/default.nix b/hosts/eldrid/hardware/default.nix index 1e51875..05c884c 100644 --- a/hosts/eldrid/hardware/default.nix +++ b/hosts/eldrid/hardware/default.nix @@ -1,8 +1,6 @@ { imports = [ - ./facter.nix ./laptop - ./vaapi/intel-media-driver.nix ]; services = { logind = { diff --git a/hosts/eldrid/hardware/facter.nix b/hosts/eldrid/hardware/facter.nix deleted file mode 100644 index 38bc812..0000000 --- a/hosts/eldrid/hardware/facter.nix +++ /dev/null 
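Review bot: eldrid now sets `module.config.{secureBoot,useIwd}` but, unlike dunamis and sarien, does not import `self.nixosModules.config`, while at the same time dropping `./boot`, `./networking`, `./nix` and the `../dunamis/{programs,services,sops,users}.nix` imports without a replacement. If `self.nixosModules.config` is the modules/nixos/config tree (where `cfg = config.module.config` is declared and users.nix lives), eldrid has lost its kernel hardening, nix settings and user accounts in one go and `module.config` becomes an undefined option at evaluation; adding `self.nixosModules.config` to the import list looks like the missing piece. Note also that the deleted hosts/eldrid/boot/default.nix said `# no TPM` and kept lanzaboote disabled, whereas this hunk turns on `secureBoot = true`, which needs sbctl keys under `/var/lib/sbctl` on that machine before the first rebuild. `# hostId = "";` is still commented out; if the disko layout uses ZFS this must be a real value, as on the other two hosts. The enclosing attrset begins before this hunk.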
@@ -1,14 +0,0 @@
-{
- config,
- inputs,
- ...
-}: let
- inherit (inputs) mysecrets;
- inherit (config.networking) hostName;
-in {
- imports = with inputs; [
- nixos-facter-modules.nixosModules.facter
- ];
- facter.reportPath = "${mysecrets}/facter/${hostName}.json";
- systemd.network.wait-online.enable = false;
-}
diff --git a/hosts/eldrid/hardware/vaapi/intel-media-driver.nix b/hosts/eldrid/hardware/vaapi/intel-media-driver.nix
deleted file mode 100644
index de3af0f..0000000
--- a/hosts/eldrid/hardware/vaapi/intel-media-driver.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{pkgs, ...}: {
- hardware.graphics.extraPackages = with pkgs; [
- intel-compute-runtime
- intel-media-driver
- vpl-gpu-rt
- ];
-}
diff --git a/hosts/eldrid/networking/default.nix b/hosts/eldrid/networking/default.nix
deleted file mode 100644
index b3b9990..0000000
--- a/hosts/eldrid/networking/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- imports = [
- ./network-manager.nix
- ./host-name-id.nix
- ];
- networking = {
- hosts = import ./hosts.nix;
- };
-}
diff --git a/hosts/eldrid/networking/host-name-id.nix b/hosts/eldrid/networking/host-name-id.nix
deleted file mode 100644
index 7652ab0..0000000
--- a/hosts/eldrid/networking/host-name-id.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- networking = {
- # hostId = "";
- hostName = "eldrid";
- };
-}
diff --git a/hosts/eldrid/networking/hosts.nix b/hosts/eldrid/networking/hosts.nix
deleted file mode 100644
index e45d310..0000000
--- a/hosts/eldrid/networking/hosts.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "192.168.1.42" = ["dunamis"];
-}
diff --git a/hosts/eldrid/nix/common.nix b/hosts/eldrid/nix/common.nix
deleted file mode 100644
index b435541..0000000
--- a/hosts/eldrid/nix/common.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{pkgs, ...}: {
- nix = {
- package = pkgs.lixPackageSets.latest.lix;
- channel.enable = false;
- daemonCPUSchedPolicy = "idle";
- settings = {
- experimental-features = ["nix-command" "flakes"];
- builders-use-substitutes = true;
- };
- };
-}
diff --git a/hosts/eldrid/nix/default.nix b/hosts/eldrid/nix/default.nix
deleted file mode 100644
index 1042b61..0000000
--- a/hosts/eldrid/nix/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./common.nix
- ./substituters.nix
- ./distributed-build.nix
- ];
-}
diff --git a/hosts/eldrid/nix/ssh-serve.nix b/hosts/eldrid/nix/ssh-serve.nix
deleted file mode 100644
index a730ef0..0000000
--- a/hosts/eldrid/nix/ssh-serve.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{config, ...}: let
- inherit (builtins) readFile;
- inherit (config.users.users) user;
-in {
- nix.sshServe = {
- enable = true;
- write = true;
- keys = map (f: readFile f) user.openssh.authorizedKeys.keyFiles;
- };
-}
diff --git a/hosts/eldrid/nix/substituters.nix b/hosts/eldrid/nix/substituters.nix
deleted file mode 100644
index fd4d5c1..0000000
--- a/hosts/eldrid/nix/substituters.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- nix.settings = {
- substituters = [
- "https://cache.nixos.org/"
- "https://chaotic-nyx.cachix.org/"
- "https://cosmic.cachix.org/"
- "https://nix-community.cachix.org/"
- ];
- trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
- "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- };
-}
diff --git a/hosts/sarien/configuration.nix b/hosts/sarien/configuration.nix
index bd990f0..024b08b 100644
--- a/hosts/sarien/configuration.nix
+++ b/hosts/sarien/configuration.nix
@@ -5,27 +5,33 @@ self.nixosModules.config ./disko ./hardware + ./distributed-build.nix ]; networking = { + networkmanager.enable = true; hostId = "31150fae"; hostName = "sarien"; }; + environment.memoryAllocator.provider = "mimalloc"; system.stateVersion = "25.05"; time.timeZone = "Europe/Kyiv"; - module.config = { - useIwd = true; - }; - module.stylix = { - enable = true; - theme = "himalaya"; - }; - desktop.niri.enable = true; + module = { + config = { + useIwd = true; + }; + stylix = { + enable = true; + theme = "himalaya"; + }; + }; + locale.ukrainian.enable = true; + opentabletdriver.enable = false; qmk-vial.enable = true; security.basic.enable = true; virtual.libvirt.enable = true; diff --git a/hosts/sarien/distributed-build.nix b/hosts/sarien/distributed-build.nix new file mode 100644 index 0000000..b093581 --- /dev/null +++ b/hosts/sarien/distributed-build.nix @@ -0,0 +1,30 @@ +{ + config, + inputs, + ... +}: let + inherit (builtins) readFile; + inherit (config.networking) hostName; + inherit (config.sops) secrets; + inherit (inputs) mysecrets; + pubHost = readFile "${mysecrets}/ssh/ssh_host_ed25519_dunamis.base64"; +in { + nix = { + distributedBuilds = true; + buildMachines = [ + { + hostName = "dunamis"; + publicHostKey = pubHost; + sshKey = secrets."ssh-${hostName}-user".path; + sshUser = "nix-ssh"; + supportedFeatures = [ + "benchmark" + "big-parallel" + "kvm" + "nixos-test" + ]; + system = "x86_64-linux"; + } + ]; + }; +} diff --git a/modules/nixos/config/boot/default.nix b/modules/nixos/config/boot/default.nix index 941b407..2b40eb5 100644 --- a/modules/nixos/config/boot/default.nix +++ b/modules/nixos/config/boot/default.nix @@ -29,8 +29,8 @@ # "module.sig_enforce=1" ]; initrd = { - systemd.enable = true; # needed for auto-unlocking with TPM - systemd.tpm2.enable = config.module.config.tpmDiskUnlock; + systemd.enable = true; + systemd.tpm2.enable = false; }; }; } 
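Review bot: Nothing in this patch re-adds `builders-use-substitutes = true`, which the deleted hosts/eldrid/nix/common.nix used to set; unless it lives in modules/nixos/config (not shown), sarien will ship every dependency of an offloaded build to dunamis over SSH instead of letting dunamis pull it from a cache, which matters once `supportedFeatures` advertises `big-parallel` and `nixos-test` jobs. `readFile` also keeps the trailing newline of the `.base64` file inside `publicHostKey`; that is harmless only while it stays the last column of /etc/nix/machines, and `lib.fileContents` (add `lib` to the argument set) strips it and is the idiomatic reader for this. Pinning `publicHostKey` instead of trusting on first use is the right call for a channel that imports store paths, so a comment over `pubHost` such as `# base64 of dunamis' host-key line, pinned so builds never talk to an unverified host` would tell the next reader what the secrets file must contain.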
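Review bot: `systemd.tpm2.enable = false;` in this hunk is a plain definition (priority 100), while the `tpmDiskUnlock` branch in modules/nixos/config/default.nix only sets `mkDefault true` (priority 1000); if both files are evaluated together, as the module layout suggests, the hard `false` always wins and dunamis's `tpmDiskUnlock = true` never enables the TPM2 initrd unit. Either drop the line here or make it `systemd.tpm2.enable = lib.mkDefault false;` so the option module can raise it. The removed comment explaining why `systemd.enable = true` must stay (TPM auto-unlock needs the systemd initrd) was useful and could be kept. The enclosing `boot` block starts before this hunk.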
diff --git a/modules/nixos/config/boot/lanzaboote.nix b/modules/nixos/config/boot/lanzaboote.nix
index 6907357..b690032 100644
--- a/modules/nixos/config/boot/lanzaboote.nix
+++ b/modules/nixos/config/boot/lanzaboote.nix
@@ -1,7 +1,6 @@
 {
 config,
 inputs,
- lib,
 ...
 }: {
 imports = with inputs; [
@@ -12,6 +11,5 @@
 enable = config.module.config.secureBoot;
 pkiBundle = "/var/lib/sbctl";
 };
- loader.systemd-boot.enable = lib.mkDefault (!config.boot.lanzaboote.enable);
 };
 }
diff --git a/modules/nixos/config/boot/loader.nix b/modules/nixos/config/boot/loader.nix
index 6487c29..fa80e6a 100644
--- a/modules/nixos/config/boot/loader.nix
+++ b/modules/nixos/config/boot/loader.nix
@@ -7,7 +7,6 @@
 timeout = 3;
 efi.canTouchEfiVariables = true;
 systemd-boot = {
- enable = true;
 consoleMode = "auto";
 configurationLimit = lib.mkOverride 1337 10;
 };
diff --git a/modules/nixos/config/default.nix b/modules/nixos/config/default.nix
index 1bef17c..fc0d2b8 100644
--- a/modules/nixos/config/default.nix
+++ b/modules/nixos/config/default.nix
@@ -1,10 +1,12 @@
 {
 config,
+ inputs,
 lib,
 pkgs,
 ...
 }: let
 inherit (lib) mkDefault mkEnableOption mkIf;
+ inherit (config.networking) hostName;
 cfg = config.module.config;
 in {
 imports = [
@@ -28,12 +30,28 @@ in {
 };
 };
 };
- config = mkIf (cfg.vaapi
- == "intel-media-driver") {
- hardware.graphics.extraPackages = with pkgs; [
- intel-compute-runtime
- intel-media-driver
- vpl-gpu-rt
- ];
- };
+ config =
+ mkIf (cfg.vaapi
+ == "intel-media-driver") {
+ hardware.graphics.extraPackages = with pkgs; [
+ intel-compute-runtime
+ intel-media-driver
+ vpl-gpu-rt
+ ];
+ }
+ // mkIf cfg.tpmDiskUnlock {
+ initrd.systemd.tpm2.enable = mkDefault true;
+ }
+ // mkIf cfg.useIwd {
+ networking = {
+ networkmanager.wifi.backend = "iwd";
+ wireless.iwd.enable = true;
+ };
+ }
+ // {
+ boot.loader.systemd-boot.enable =
+ if cfg.secureBoot
+ then false
+ else true;
+ };
 }
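Review bot: `mkIf … // mkIf … // { … }` in the last hunk does not merge these pieces: `mkIf` returns an ordinary attrset `{ _type = "if"; condition; content; }`, so each `//` overwrites `condition`/`content` with its right-hand side and the final `{ boot.loader… }` only adds a stray key the module system ignores — the net effect is that only the `useIwd` branch survives, while the vaapi packages, the `tpmDiskUnlock` branch and the systemd-boot default are silently dropped. Because this same commit removes `enable = true` from loader.nix and the `lib.mkDefault` from lanzaboote.nix, a host without `secureBoot` (sarien) then ends up with no bootloader enabled at all. The tpm branch additionally writes `initrd.systemd.tpm2.enable` without the `boot.` prefix. Combine the pieces with `mkMerge` (add it to the `inherit (lib) …` line in the first hunk) and express the bootloader default as `!cfg.secureBoot`:
```nix
  config = mkMerge [
    (mkIf (cfg.vaapi == "intel-media-driver") {
      # … unchanged: intel-media-driver package list …
    })
    (mkIf cfg.tpmDiskUnlock {
      boot.initrd.systemd.tpm2.enable = mkDefault true;
    })
    (mkIf cfg.useIwd {
      networking = {
        networkmanager.wifi.backend = "iwd";
        wireless.iwd.enable = true;
      };
    })
    {
      # lanzaboote replaces systemd-boot when secure boot is on
      boot.loader.systemd-boot.enable = !cfg.secureBoot;
    }
  ];
```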
diff --git a/modules/nixos/config/networking/default.nix b/modules/nixos/config/networking/default.nix
index 6f7407f..9bb532f 100644
--- a/modules/nixos/config/networking/default.nix
+++ b/modules/nixos/config/networking/default.nix
@@ -1,8 +1,18 @@
 {
- imports = [
- ./network-manager
- ];
 networking = {
 hosts = import ./hosts.nix;
+ networkmanager = {
+ ethernet.macAddress = "stable";
+ wifi = {
+ macAddress = "random";
+ scanRandMacAddress = true;
+ };
+ };
+ wireless.iwd.settings = {
+ settings = {
+ General.AddressRandomization = "network";
+ Settings.AlwaysRandomizeAddress = true;
+ };
+ };
 };
 }
diff --git a/modules/nixos/config/networking/network-manager/default.nix b/modules/nixos/config/networking/network-manager/default.nix
deleted file mode 100644
index edc5e23..0000000
--- a/modules/nixos/config/networking/network-manager/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- imports = [
- ./wireless-iwd.nix
- ];
- networking = {
- networkmanager = {
- enable = true;
- ethernet.macAddress = "stable";
- wifi = {
- macAddress = "random";
- scanRandMacAddress = true;
- };
- };
- };
-}
diff --git a/modules/nixos/config/networking/network-manager/wireless-iwd.nix b/modules/nixos/config/networking/network-manager/wireless-iwd.nix
deleted file mode 100644
index 134652b..0000000
--- a/modules/nixos/config/networking/network-manager/wireless-iwd.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{config, ...}: {
- networking = {
- networkmanager.wifi.backend =
- if config.module.config.useIwd
- then "iwd"
- else "wpa_supplicant";
- wireless.iwd = {
- enable = config.module.config.useIwd;
- settings = {
- General.AddressRandomization = "network";
- Settings.AlwaysRandomizeAddress = true;
- };
- };
- };
-}
diff --git a/modules/nixos/config/users.nix b/modules/nixos/config/users.nix
index 317133c..926f590 100644
--- a/modules/nixos/config/users.nix
+++ b/modules/nixos/config/users.nix
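Review bot: `wireless.iwd.settings` in the first hunk is given a nested `settings = { General…; Settings…; }` attrset, whereas the deleted wireless-iwd.nix placed `General` and `Settings` directly under `settings`; iwd's main.conf is section → key → value, so this either fails the option's type check or emits a `[settings]` section iwd ignores, and the MAC-randomisation this module exists to provide is lost. Drop the inner `settings = {` / `};` wrapper so the two section attrsets sit directly under `wireless.iwd.settings`. Separately, `AlwaysRandomizeAddress` is a per-network `[Settings]` key in iwd's network files rather than a main.conf option, if I read iwd.network(5) correctly, so it is worth confirming it has any effect here; `General.AddressRandomization = "network"` is the setting that does the work. A comment such as `# randomise the Wi-Fi MAC per network (privacy); ethernet keeps a stable one for DHCP reservations` would record why the two interfaces are treated differently.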
@@ -8,6 +8,7 @@
 inherit (inputs) mysecrets;
 sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
 in {
+ nix.settings.trusted-users = ["user"];
 users.mutableUsers = false;
 users.users = {
 user = {
diff --git a/modules/nixos/system/wireless/default.nix b/modules/nixos/system/wireless/default.nix
index 412300c..4dcd8fa 100644
--- a/modules/nixos/system/wireless/default.nix
+++ b/modules/nixos/system/wireless/default.nix
@@ -1,6 +1,5 @@
 {
 imports = [
 ./bluetooth.nix
- ./wifi.nix
 ];
 }
diff --git a/modules/nixos/system/wireless/wifi.nix b/modules/nixos/system/wireless/wifi.nix
deleted file mode 100644
index 8c492ec..0000000
--- a/modules/nixos/system/wireless/wifi.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- lib,
- config,
- ...
-}:
-with lib; let
- cfg = config.wireless.wifi;
-in {
- options = {
- wireless.wifi.enable =
- mkEnableOption "enables wifi with iwd and MAC address randomisation";
- };
- config = mkIf cfg.enable {
- networking = {
- networkmanager.wifi = {
- backend = "iwd";
- macAddress = "random";
- scanRandMacAddress = true;
- };
- wireless.iwd = {
- enable = true;
- settings = {
- General.AddressRandomization = "network";
- Settings.AlwaysRandomizeAddress = true;
- };
- };
- };
- };
-}
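Review bot: `nix.settings.trusted-users = ["user"]` in the first hunk hands the interactive account root-equivalent control of the daemon: a trusted user can override `sandbox-paths`, `substituters` and signature checking per invocation and import unsigned store paths, so any process running as `user` gains an easy escalation path. Remote builds via `nix.buildMachines` (hosts/sarien/distributed-build.nix) are carried out by the daemon itself and do not need this, so unless `user` must pass `--option` overrides from the CLI, `allowed-users` plus `trusted-substituters`/`trusted-public-keys` for the caches it uses covers the usual reasons for wanting it. If it stays, a comment such as `# root-equivalent: lets `user` override daemon settings; needed only for ad-hoc --option use` makes the decision deliberate rather than incidental. The `in { … }` set this line is added to starts and ends outside the hunk.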