From 588e434b56dec5c3b4ad164edbfd2a043cdb07a8 Mon Sep 17 00:00:00 2001 
From: Tom Alexander
Date: Mon, 27 Oct 2025 14:56:27 -0400
Subject: [PATCH] Add a host for testing i_only_boot_zfs.
---
 nix/configuration/configuration.nix | 4 +-
 nix/configuration/flake.nix | 3 +
 nix/configuration/formats/iso.nix | 3 +
 .../hosts/i_only_boot_zfs/DEPLOY_BOOT | 13 ++
 .../hosts/i_only_boot_zfs/DEPLOY_SWITCH | 13 ++
 .../{ionlybootzfs => i_only_boot_zfs}/ISO | 2 +-
 .../hosts/i_only_boot_zfs/SELF_BOOT | 10 ++
 .../hosts/i_only_boot_zfs/SELF_BUILD | 10 ++
 .../hosts/i_only_boot_zfs/SELF_SWITCH | 10 ++
 .../hosts/i_only_boot_zfs/default.nix | 63 +++++++++
 .../disk-config.nix | 6 +-
 .../i_only_boot_zfs/distributed_build.nix | 19 +++
 .../hardware-configuration.nix | 15 +-
 .../i_only_boot_zfs/power_management.nix | 63 +++++++++
 .../i_only_boot_zfs/wrapped-disk-config.nix | 7 +
 .../hosts/ionlybootzfs/DEPLOY_BOOT | 17 ---
 .../hosts/ionlybootzfs/DEPLOY_SWITCH | 17 ---
 .../hosts/ionlybootzfs/default.nix | 74 ----------
 .../hosts/ionlybootzfs/optimized_build.nix | 132 ------------------
 .../ionlybootzfs/wrapped-disk-config.nix | 7 -
 nix/configuration/hosts/odo/default.nix | 1 +
 nix/configuration/hosts/quark/default.nix | 1 +
 nix/configuration/hosts/recovery/default.nix | 1 +
 nix/configuration/roles/base/default.nix | 1 -
 nix/configuration/roles/boot/default.nix | 1 +
 nix/configuration/roles/disko/default.nix | 14 +-
 nix/configuration/roles/doas/default.nix | 4 +
 .../roles/dont_use_substituters/default.nix | 28 ++++
 .../roles/minimal_base/default.nix | 2 +
 nix/configuration/roles/ssh/files/ssh_config | 2 +-
 30 files changed, 273 insertions(+), 270 deletions(-)
 create mode 100755 nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT
 create mode 100755 nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH
 rename nix/configuration/hosts/{ionlybootzfs => i_only_boot_zfs}/ISO (68%)
 create mode 100755 nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT
 create mode 100755 nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD
 create mode 100755 nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH
 create mode 100644 nix/configuration/hosts/i_only_boot_zfs/default.nix
 rename nix/configuration/hosts/{ionlybootzfs => i_only_boot_zfs}/disk-config.nix (96%)
 create mode 100644 nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix
 rename nix/configuration/hosts/{ionlybootzfs => i_only_boot_zfs}/hardware-configuration.nix (70%)
 create mode 100644 nix/configuration/hosts/i_only_boot_zfs/power_management.nix
 create mode 100644 nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix
 delete mode 100755 nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
 delete mode 100755 nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
 delete mode 100644 nix/configuration/hosts/ionlybootzfs/default.nix
 delete mode 100644 nix/configuration/hosts/ionlybootzfs/optimized_build.nix
 delete mode 100644 nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
 create mode 100644 nix/configuration/roles/dont_use_substituters/default.nix
diff --git a/nix/configuration/configuration.nix b/nix/configuration/configuration.nix
index 376e1a6..7cd7045 100644
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -23,6 +23,7 @@
 ./roles/distributed_build
 ./roles/doas
 ./roles/docker
+ ./roles/dont_use_substituters
 ./roles/ecc
 ./roles/emacs
 ./roles/emulate_isa
@@ -105,13 +106,10 @@
 hardware.enableRedistributableFirmware = true;
 
 # Keep outputs so we can build offline.
- # Disable substituters to avoid risk of cache poisoning.
 nix.extraOptions = ''
 keep-outputs = true
 keep-derivations = true
- substitute = false
 '';
- nix.settings.substituters = lib.mkForce [ ];
 
 # Automatic garbage collection
 nix.gc = lib.mkIf (!config.me.buildingPortable) {
diff --git a/nix/configuration/flake.nix b/nix/configuration/flake.nix
index 54671aa..31645b3 100644
--- a/nix/configuration/flake.nix
+++ b/nix/configuration/flake.nix
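Review bot: The default for substituters flips from deny to allow in the `@@ -105` hunk: once `substitute = false` and the forced-empty `nix.settings.substituters` leave this file, every host that does not set `me.dont_use_substituters.enable = true` regains the default binary caches, because the new role (roles/dont_use_substituters/default.nix in this commit) defaults the option to false. The commit opts in odo, quark, recovery and i_only_boot_zfs, but the diff gives no evidence that the remaining hosts (hydra, for instance, is referenced as a build machine in distributed_build.nix) were reviewed for the new default, so this may be an unintended widening. The `# Keep outputs so we can build offline.` comment is now the only rationale left here, so the cache-poisoning concern disappears from the file most people edit. Consider defaulting the option to true so hosts opt out rather than in, or at least leave a pointer here such as `# Substituters are controlled per host via me.dont_use_substituters (see roles/dont_use_substituters).`.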
@@ -53,6 +53,9 @@
 recovery = {
 system = "x86_64-linux";
 };
+ i_only_boot_zfs = {
+ system = "x86_64-linux";
+ };
 };
 nixosConfigs = builtins.mapAttrs (
 hostname: nodeConfig: format:
diff --git a/nix/configuration/formats/iso.nix b/nix/configuration/formats/iso.nix
index c911623..0c8bb2e 100644
--- a/nix/configuration/formats/iso.nix
+++ b/nix/configuration/formats/iso.nix
@@ -13,6 +13,9 @@
 isoImage.makeEfiBootable = true;
 isoImage.makeUsbBootable = true;
 
+ networking.dhcpcd.enable = true;
+ networking.useDHCP = true;
+
 me.buildingPortable = true;
 me.disko.enable = true;
 me.disko.offline.enable = true;
diff --git a/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT b/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT
new file mode 100755
index 0000000..9122150
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=i_only_boot_zfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
diff --git a/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH b/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH
new file mode 100755
index 0000000..829a304
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH
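Review bot: In DEPLOY_BOOT, `for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done` runs under `set -e`, so when that directory is empty or missing the unexpanded glob is handed to `nix-store`, which fails and aborts the script before `nixos-rebuild` ever runs. Adding `shopt -s nullglob` before the loop (or guarding it with `[ -d /persist/manual/manual_add_to_store ] &&`) makes the pre-seeding step optional, which appears to be the intent of a best-effort import. The same line is repeated verbatim in the new DEPLOY_SWITCH, SELF_BOOT, SELF_BUILD and SELF_SWITCH scripts, and pre-exists as context in ISO.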
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=i_only_boot_zfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
diff --git a/nix/configuration/hosts/ionlybootzfs/ISO b/nix/configuration/hosts/i_only_boot_zfs/ISO
similarity index 68%
rename from nix/configuration/hosts/ionlybootzfs/ISO
rename to nix/configuration/hosts/i_only_boot_zfs/ISO
index c817925..6ca5b92 100755
--- a/nix/configuration/hosts/ionlybootzfs/ISO
+++ b/nix/configuration/hosts/i_only_boot_zfs/ISO
@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
diff --git a/nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT b/nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT
new file mode 100755
index 0000000..b976f8d
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT
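Review bot: The ISO script changes the attribute path it builds from `#iso.ionlybootzfs` to `#i_only_boot_zfs.iso`, i.e. from `iso.<host>` to `<host>.iso`, but the flake.nix hunk in this commit only registers the host under `nixosConfigs` and does not show which shape the outputs take, so whether `<host>.iso` resolves cannot be confirmed from the diff. If the attribute layout really did move, any other host's ISO script still using `iso.<host>` would need the same update; if it did not, this line is a typo that `nix build` will reject. A one-line comment above the command naming the output layout the script expects would make this checkable.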
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
diff --git a/nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD b/nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD
new file mode 100755
index 0000000..cc10bfe
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
diff --git a/nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH b/nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH
new file mode 100755
index 0000000..1915408
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
diff --git a/nix/configuration/hosts/i_only_boot_zfs/default.nix b/nix/configuration/hosts/i_only_boot_zfs/default.nix
new file mode 100644
index 0000000..49d99a5
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/default.nix
@@ -0,0 +1,63 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./wrapped-disk-config.nix
+ ./distributed_build.nix
+ ./power_management.nix
+ ];
+
+ config = {
+ # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+ networking.hostId = "6a05d86e";
+
+ networking.hostName = "i_only_boot_zfs"; # Define your hostname.
+
+ time.timeZone = "America/New_York";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ me.boot.enable = true;
+ me.boot.secure = false;
+ me.mountPersistence = true;
+
+ # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+ # boot.loader.generic-extlinux-compatible.enable = true;
+ # boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ me.optimizations = {
+ # enable = true;
+ arch = "kabylake";
+ # build_arch = "x86-64-v3";
+ system_features = [
+ "gccarch-kabylake"
+ "gccarch-x86-64-v3"
+ "benchmark"
+ "big-parallel"
+ "kvm"
+ "nixos-test"
+ ];
+ };
+
+ # Early KMS
+ # boot.initrd.kernelModules = [ "amdgpu" ];
+
+ # Mount tmpfs at /tmp
+ boot.tmp.useTmpfs = true;
+
+ # Enable TRIM
+ # services.fstrim.enable = lib.mkDefault true;
+
+ # Even when installed, we want to dhcp because this is for a VM.
+ networking.dhcpcd.enable = true;
+ networking.useDHCP = true;
+
+ me.build_in_ram.enable = true;
+ me.dont_use_substituters.enable = true;
+ me.minimal_base.enable = true;
+ };
+}
diff --git a/nix/configuration/hosts/ionlybootzfs/disk-config.nix b/nix/configuration/hosts/i_only_boot_zfs/disk-config.nix
similarity index 96%
rename from nix/configuration/hosts/ionlybootzfs/disk-config.nix
rename to nix/configuration/hosts/i_only_boot_zfs/disk-config.nix
index 4575e94..d19e0b7 100644
--- a/nix/configuration/hosts/ionlybootzfs/disk-config.nix
+++ b/nix/configuration/hosts/i_only_boot_zfs/disk-config.nix
@@ -65,8 +65,8 @@
 type = "zfs_fs";
 options.mountpoint = "none";
 options = {
- encryption = "aes-256-gcm";
- keyformat = "passphrase";
+ # encryption = "aes-256-gcm";
+ # keyformat = "passphrase";
 # keylocation = "file:///tmp/secret.key";
 };
 };
@@ -138,5 +138,5 @@
 ];
 
 # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
- boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+ # boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
 }
diff --git a/nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix b/nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix
new file mode 100644
index 0000000..10755e8
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix
@@ -0,0 +1,19 @@
+{
+ imports = [ ];
+
+ config = {
+ me.distributed_build.enable = true;
+ me.distributed_build.machines.hydra = {
+ enable = true;
+ additional_config = {
+ speedFactor = 2;
+ };
+ };
+ me.distributed_build.machines.quark = {
+ enable = true;
+ additional_config = {
+ speedFactor = 2;
+ };
+ };
+ };
+}
diff --git a/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix b/nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix
similarity index 70%
rename from nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
rename to nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix
index 796e2b2..05c540b 100644
--- a/nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
+++ b/nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix
@@ -1,4 +1,5 @@
 {
+ config,
 lib,
 modulesPath,
 ...
@@ -11,12 +12,9 @@
 
 config = {
 boot.initrd.availableKernelModules = [
- "xhci_pci"
 "nvme"
- "usbhid"
- "usb_storage"
- "sd_mod"
- "sdhci_pci"
+ "xhci_pci"
+ "thunderbolt"
 ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ ];
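Review bot: Commenting out `encryption`/`keyformat` in the first disk-config hunk and `boot.zfs.requestEncryptionCredentials` in the second leaves the `zroot/linux/nix` dataset unencrypted at rest, and nothing in the file records that this is deliberate; the commit title suggests a throwaway test VM, but the next reader of disk-config.nix cannot tell. The surviving `# Only attempt to decrypt the main pool...` comment now explains a line that is itself commented out, so it should either go or be rewritten to tie the two toggles together, e.g. `# Encryption disabled for this test host; re-enable encryption/keyformat above together with this line.`. Re-enabling one side without the other (credentials requested for an unencrypted dataset, or an encrypted dataset with no credential request) is the failure mode such a note guards against.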
@@ -26,10 +24,11 @@
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.dhcpcd.enable = lib.mkForce true;
- networking.useDHCP = lib.mkForce true;
- # systemd.network.enable = true;
+ # networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
 
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 };
 }
diff --git a/nix/configuration/hosts/i_only_boot_zfs/power_management.nix b/nix/configuration/hosts/i_only_boot_zfs/power_management.nix
new file mode 100644
index 0000000..d2b2315
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/power_management.nix
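Review bot: The live DHCP settings leave hardware-configuration.nix here (the `lib.mkForce true` lines are removed) and reappear in default.nix and formats/iso.nix, yet the three-line boilerplate comment about `networking.useDHCP` stays and now introduces only commented-out `# networking.interfaces.*` examples. A reader of this file will assume networking is unconfigured; a pointer such as `# DHCP is enabled in ./default.nix (and in formats/iso.nix for the installer image).` placed above the commented examples would keep the two files in step. The hunk's enclosing `config = {` attribute set starts outside this hunk.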
@@ -0,0 +1,63 @@
+{
+ pkgs,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ config = {
+ environment.systemPackages = with pkgs; [
+ powertop
+ ];
+
+ # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+ # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+ boot.kernelParams = [
+ "pcie_aspm=force"
+ # "pcie_aspm.policy=powersupersave"
+ "nowatchdog"
+ ];
+
+ systemd.tmpfiles.rules = [
+ "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+ "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+ "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+ "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+ ];
+
+ boot.extraModprobeConfig = ''
+ # Sound power-saving was causing chat notifications to be inaudible.
+ # options snd_hda_intel power_save=1
+ '';
+ };
+}
diff --git a/nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix b/nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix
new file mode 100644
index 0000000..39e74f4
--- /dev/null
+++ b/nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix
@@ -0,0 +1,7 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)
diff --git a/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT b/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
deleted file mode 100755
index 46867d9..0000000
--- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
+++ /dev/null
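Review bot: The comment `# nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).` in power_management.nix points at a `disable_sp5100_watchdog` setting that does not exist anywhere in this file, so the file reads as copied from another host's configuration; the reference should be dropped or the missing setting added. The tmpfiles rules also hardcode `policy0`..`policy15` and `cpu0`..`cpu15`, which matches a 16-thread machine rather than a VM of arbitrary size; the `w-` form makes a missing sysfs path non-fatal, but that is worth stating, e.g. `# Written for 16 CPU threads; the "-" suffix makes entries for absent CPUs non-fatal.`. Whether `pcie_aspm=force` is useful inside the VM this host targets (per default.nix) cannot be judged from the diff, so a one-line note on intent would help.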
@@ -1,17 +0,0 @@ -#!/usr/bin/env bash -# -set -euo pipefail -IFS=$'\n\t' -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -: "${JOBS:="1"}" - -#TARGET=10.216.1.14 -# TARGET=192.168.211.250 -TARGET="ionlybootzfs" - -for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done - -nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json - -# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs' diff --git a/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH b/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH deleted file mode 100755 index 59e6ff7..0000000 --- a/nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH +++ /dev/null @@ -1,17 +0,0 @@ -#!/usr/bin/env bash -# -set -euo pipefail -IFS=$'\n\t' -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -: "${JOBS:="1"}" - -#TARGET=10.216.1.14 -# TARGET=192.168.211.250 -TARGET=ionlybootzfs - -for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done - -nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json - -# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs' 
diff --git a/nix/configuration/hosts/ionlybootzfs/default.nix b/nix/configuration/hosts/ionlybootzfs/default.nix
deleted file mode 100644
index abca80d..0000000
--- a/nix/configuration/hosts/ionlybootzfs/default.nix
+++ /dev/null
@@ -1,74 +0,0 @@ -# -# Testing: -# doas "$(nix-build '' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \ -# -accel kvm \ -# -cpu host \ -# -smp cores=8 \ -# -m 32768 \ -# -drive "file=$(nix-build '' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \ -# -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \ -# -device nvme,serial=deadbeef,drive=nvm \ -# -nic user,hostfwd=tcp::60022-:22 \ -# -boot order=d \ -# -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \ -# -display vnc=127.0.0.1:0 -# - -{ - imports = [ - ./wrapped-disk-config.nix - ./hardware-configuration.nix - ]; - - config = { - # Generate with `head -c4 /dev/urandom | od -A none -t x4` - networking.hostId = "fbd233d8"; - - networking.hostName = "ionlybootzfs"; # Define your hostname. - - time.timeZone = "America/New_York"; - i18n.defaultLocale = "en_US.UTF-8"; - - me.boot.secure = true; - me.mountPersistence = true; - - me.optimizations = { - enable = false; - arch = "znver4"; - system_features = [ - "gccarch-znver4" - "gccarch-skylake" - "gccarch-kabylake" - # "gccarch-alderlake" missing WAITPKG - "gccarch-x86-64-v3" - "gccarch-x86-64-v4" - "benchmark" - "big-parallel" - "kvm" - "nixos-test" - ]; - }; - - # Mount tmpfs at /tmp - boot.tmp.useTmpfs = true; - - me.base.enable = true; - me.boot.enable = true; - me.doas.enable = true; - me.emacs_flavor = "plainmacs"; - me.firewall.enable = true; - me.font.enable = true; - me.git.enable = true; - me.graphical = false; - me.memtest.enable = true; - me.network.enable = true; - me.nvme.enable = true; - me.ssh.enable = true; - me.sshd.enable = true; - me.user.enable = true; - me.wireguard.activated = [ ]; - me.wireguard.deactivated = [ ]; - me.zfs.enable = true; - me.zsh.enable = true; - }; -} diff --git a/nix/configuration/hosts/ionlybootzfs/optimized_build.nix b/nix/configuration/hosts/ionlybootzfs/optimized_build.nix deleted file mode 100644 index 7eb8f5f..0000000 
--- a/nix/configuration/hosts/ionlybootzfs/optimized_build.nix
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - config, - lib, - pkgs, - pkgs-unoptimized, - ... -}: -{ - imports = [ ]; - - config = lib.mkMerge [ - { } - (lib.mkIf (!config.me.optimizations.enable) { - boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_14; - }) - (lib.mkIf (config.me.optimizations.enable) { - nixpkgs.hostPlatform = { - gcc.arch = "znver4"; - gcc.tune = "znver4"; - system = "x86_64-linux"; - }; - - nixpkgs.overlays = [ - ( - final: prev: - let - addConfig = - additionalConfig: pkg: - pkg.override (oldconfig: { - structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig; - }); - in - { - linux_me = addConfig { - # Full preemption - PREEMPT = lib.mkOverride 60 lib.kernel.yes; - PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no; - - # Google's BBRv3 TCP congestion Control - TCP_CONG_BBR = lib.kernel.yes; - DEFAULT_BBR = lib.kernel.yes; - - # Preemptive Full Tickless Kernel at 300Hz - HZ = lib.kernel.freeform "300"; - HZ_300 = lib.kernel.yes; - HZ_1000 = lib.kernel.no; - } prev.linux_6_14; - # gsl = prev.gsl.overrideAttrs (old: { - # # gsl tests fails when optimizations are enabled. 
- # # > FAIL: cholesky_invert unscaled hilbert ( 4, 4)[0,2]: 2.55795384873636067e-13 0 - # # > (2.55795384873636067e-13 observed vs 0 expected) [28259614] - # doCheck = false; - # }); - } - ) - (final: prev: { - haskellPackages = prev.haskellPackages.extend ( - final': prev': { - inherit (pkgs-unoptimized.haskellPackages) - crypton - crypton-connection - crypton-x509 - crypton-x509-store - crypton-x509-system - crypton-x509-validation - hspec-wai - http-client-tls - http2 - pandoc - pandoc-cli - pandoc-lua-engine - pandoc-server - servant-server - tls - wai-app-static - wai-extra - warp - ; - } - ); - }) - (final: prev: { - inherit (pkgs-unoptimized) - gsl - redis - valkey - ; - }) - ]; - - boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me; - }) - (lib.mkIf (!config.me.buildingIso) { - nix.settings.system-features = lib.mkForce [ - "gccarch-znver4" - "gccarch-skylake" - "gccarch-kabylake" - # "gccarch-alderlake" missing WAITPKG - "gccarch-x86-64-v3" - "gccarch-x86-64-v4" - "benchmark" - "big-parallel" - "kvm" - "nixos-test" - ]; - - # Keep ALL dependencies so we can rebuild offline. This DRASTICALLY increase disk usage, but disk space is cheap. - # system.includeBuildDependencies = true; - - # This also should enable building offline? TODO: test. - nix.extraOptions = '' - keep-outputs = true - keep-derivations = true - ''; - - # # building ON - # nixpkgs.localSystem = { system = "aarch64-linux"; }; - # # building FOR - # nixpkgs.crossSystem = { system = "aarch64-linux"; }; - - # nixpkgs.config = { - # replaceStdenv = ({ pkgs }: pkgs.clangStdenv); - # }; - # or maybe an overlay - # stdenv = prev.clangStdenv; - - }) - (lib.mkIf (config.me.buildingIso) { - boot.supportedFilesystems.zfs = true; - }) - ]; -} diff --git a/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix b/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix deleted file mode 100644 index dea0d9e..0000000 
--- a/nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-
-lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)
diff --git a/nix/configuration/hosts/odo/default.nix b/nix/configuration/hosts/odo/default.nix
index 124afa5..50a7fcb 100644
--- a/nix/configuration/hosts/odo/default.nix
+++ b/nix/configuration/hosts/odo/default.nix
@@ -76,6 +76,7 @@
 me.direnv.enable = true;
 me.doas.enable = true;
 me.docker.enable = false;
+ me.dont_use_substituters.enable = true;
 me.ecc.enable = false;
 me.emacs_flavor = "full";
 me.emulate_isa.enable = true;
diff --git a/nix/configuration/hosts/quark/default.nix b/nix/configuration/hosts/quark/default.nix
index 7c9310b..71305c6 100644
--- a/nix/configuration/hosts/quark/default.nix
+++ b/nix/configuration/hosts/quark/default.nix
@@ -70,6 +70,7 @@
 me.direnv.enable = true;
 me.doas.enable = true;
 me.docker.enable = false;
+ me.dont_use_substituters.enable = true;
 me.ecc.enable = true;
 me.emacs_flavor = "full";
 me.emulate_isa.enable = true;
diff --git a/nix/configuration/hosts/recovery/default.nix b/nix/configuration/hosts/recovery/default.nix
index 8510d1b..17d885e 100644
--- a/nix/configuration/hosts/recovery/default.nix
+++ b/nix/configuration/hosts/recovery/default.nix
@@ -49,6 +49,7 @@
 # services.fstrim.enable = lib.mkDefault true;
 
 me.build_in_ram.enable = true;
+ me.dont_use_substituters.enable = true;
 me.minimal_base.enable = true;
 me.recovery.enable = true;
 };
diff --git a/nix/configuration/roles/base/default.nix b/nix/configuration/roles/base/default.nix
index 2f4a8cd..9d662d7 100644
--- a/nix/configuration/roles/base/default.nix
+++ b/nix/configuration/roles/base/default.nix
@@ -49,7 +49,6 @@ in
 nix-tree
 libarchive # bsdtar
 lsof
- doas-sudo-shim # To support --sudo for remote builds
 dmidecode # Read SMBIOS information.
 ipcalc
 gptfdisk # for cgdisk
diff --git a/nix/configuration/roles/boot/default.nix b/nix/configuration/roles/boot/default.nix
index 5940757..89775aa 100644
--- a/nix/configuration/roles/boot/default.nix
+++ b/nix/configuration/roles/boot/default.nix
@@ -33,6 +33,7 @@
 # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
 # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
 sbctl # For debugging and troubleshooting Secure Boot.
+ efibootmgr # To set EFI boot order.
 ];
 }
 (lib.mkIf (!config.me.buildingPortable) {
diff --git a/nix/configuration/roles/disko/default.nix b/nix/configuration/roles/disko/default.nix
index f4d2115..8251cc7 100644
--- a/nix/configuration/roles/disko/default.nix
+++ b/nix/configuration/roles/disko/default.nix
@@ -19,18 +19,18 @@ let
 in
 lib.unique (lib.flatten (collector self));
 
 dependencies = [
- this_nixos_config.config.system.build.toplevel
- this_nixos_config.config.system.build.diskoScript
- # this_nixos_config.config.system.build.diskoScript.drvPath
 this_nixos_config.pkgs.stdenv.drvPath
+ (this_nixos_config.pkgs.closureInfo { rootPaths = [ ]; }).drvPath
 # https://github.com/NixOS/nixpkgs/blob/f2fd33a198a58c4f3d53213f01432e4d88474956/nixos/modules/system/activation/top-level.nix#L342
 this_nixos_config.pkgs.perlPackages.ConfigIniFiles
 this_nixos_config.pkgs.perlPackages.FileSlurp
- (this_nixos_config.pkgs.closureInfo { rootPaths = [ ]; }).drvPath
+ this_nixos_config.config.system.build.toplevel
+ this_nixos_config.config.system.build.diskoScript
 ]
- ++ flakeOutPaths;
+ ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+ # ++ flakeOutPaths;
 
 closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
 in
 {
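Review bot: `++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs)` only pins the direct inputs of the flake into the offline closure, whereas the now-commented `flakeOutPaths` was produced by `lib.unique (lib.flatten (collector self))` and, judging by the name `collector`, walked inputs recursively; if so, transitive flake sources that evaluating `${self}#<host>` on the installer needs may no longer be on the ISO. The `collector` definition and the top of this `let` block are outside the hunk, so this is inferred rather than confirmed. If the narrowing is deliberate (for example because the recursive walk pulled in too much), a comment beside `# ++ flakeOutPaths;` saying why would stop the next person from restoring it; if it is not, the map should be applied to the recursive result instead.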
@@ -64,7 +64,9 @@ in
 (pkgs.writeShellScriptBin "install-nixos-unattended" ''
 set -xeuo pipefail
 IFS=$'\n\t'
- exec ${pkgs.disko}/bin/disko-install --flake '${self}#${config.networking.hostName}' --disk main '/dev/nvme0n1'
+ # exec ${pkgs.disko}/bin/disko-install --flake '${self}#${config.networking.hostName}' --disk main '/dev/nvme0n1' --write-efi-boot-entries
+ ${pkgs.disko}/bin/disko --mode destroy,format,mount '${self}/hosts/${config.networking.hostName}/disk-config.nix'
+ ${pkgs.nixos-install}/bin/nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --no-channel-copy --no-root-password --flake '${self}#${config.networking.hostName}'
 '')
 ];
 
diff --git a/nix/configuration/roles/doas/default.nix b/nix/configuration/roles/doas/default.nix
index 56c37ed..47e1773 100644
--- a/nix/configuration/roles/doas/default.nix
+++ b/nix/configuration/roles/doas/default.nix
@@ -1,6 +1,7 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }:
 
@@ -28,5 +29,8 @@
 persist = true; # Only ask for a password the first time.
 }
 ];
+ environment.systemPackages = with pkgs; [
+ doas-sudo-shim # To support --sudo for remote builds
+ ];
 };
 }
diff --git a/nix/configuration/roles/dont_use_substituters/default.nix b/nix/configuration/roles/dont_use_substituters/default.nix
new file mode 100644
index 0000000..5672b66
--- /dev/null
+++ b/nix/configuration/roles/dont_use_substituters/default.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ options.me = {
+ dont_use_substituters.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ example = true;
+ description = "Whether we want to install dont_use_substituters.";
+ };
+ };
+
+ config = lib.mkIf config.me.dont_use_substituters.enable {
+ # Disable substituters to avoid risk of cache poisoning.
+ nix.extraOptions = ''
+ substitute = false
+ '';
+
+ nix.settings.substituters = lib.mkForce [ ];
+ };
+}
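Review bot: `nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/"` marks a plaintext HTTP cache as trusted, and Nix's `trusted` store parameter means paths from it are accepted as substitutes even without a signature from `trusted-public-keys`, so the unattended installer pulls unsigned store paths over an unauthenticated channel — the cache-poisoning exposure the repo's own `dont_use_substituters` role comments describe. 10.0.2.2 is the conventional QEMU user-mode gateway, so this is presumably a host-side cache for the test VM, but the script is generated for every host that enables this role (the hostname comes from `${config.networking.hostName}` on the same line), not only i_only_boot_zfs. Consider dropping `trusted=1` and signing the local cache (or serving it over TLS), or gating the extra substituter behind a host option so production installs keep the default set. Separately, `disko --mode destroy,format,mount` now relies on `disk-config.nix` to select the device where the old `disko-install` line passed `--disk main '/dev/nvme0n1'`; a comment recording that the device is pinned in disk-config.nix would make the destructive step easier to audit.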
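Review bot: In the new roles/dont_use_substituters/default.nix the option description `"Whether we want to install dont_use_substituters."` is template text that says nothing about the effect of enabling it, and `pkgs` is bound in the module arguments but never used. The cache-poisoning rationale is only in a `config`-side comment, which `nixos-option` and generated docs will not surface; moving it into the description, e.g. `description = "Disable all Nix substituters (binary caches) so every path is built locally; avoids the risk of cache poisoning.";`, puts the reason where the option is read. Dropping the unused `pkgs` binding keeps the argument list honest.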
diff --git a/nix/configuration/roles/minimal_base/default.nix b/nix/configuration/roles/minimal_base/default.nix
index 3bcaed1..1654729 100644
--- a/nix/configuration/roles/minimal_base/default.nix
+++ b/nix/configuration/roles/minimal_base/default.nix
@@ -27,5 +27,7 @@
 me.zfs.enable = true;
 me.zrepl.enable = true;
 me.zsh.enable = true;
+
+ # TODO: Maybe add me.boot.enable ?
 };
 }
diff --git a/nix/configuration/roles/ssh/files/ssh_config b/nix/configuration/roles/ssh/files/ssh_config
index 51870a7..6b6fa9f 100644
--- a/nix/configuration/roles/ssh/files/ssh_config
+++ b/nix/configuration/roles/ssh/files/ssh_config
@@ -34,7 +34,7 @@ Host hydra
 ProxyJump talexander@mrmanager
 HostName 10.215.1.219
 
-Host ionlybootzfs
+Host i_only_boot_zfs
 HostName 127.0.0.1
 Port 60022
 