talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: talexander:381448b3388192807b006600824aa65b6bb152f0
Branches Tags
talexander:main talexander:nix talexander:kubernetes talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook
...
compare: talexander:mt7927
Branches Tags
talexander:nix talexander:kubernetes talexander:main talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook

83 Commits
381448b338 ... mt7927

Author SHA1 Message Date
Tom Alexander
5c2b0d8c2f Add mt7927 driver to quark. 2026-04-11 11:24:05 -04:00
Tom Alexander
9550032c08 Support hardware accelerated RNG in qemurc. 2026-04-10 09:08:20 -04:00
Tom Alexander
d46c2a0225 Revert "Update packages." 
This reverts commit ee4794859a.
 2026-04-09 20:25:12 -04:00
Tom Alexander
6430b1cc77 Sync to the store before registering paths. 2026-04-08 20:51:20 -04:00
Tom Alexander
157d4e4c94 New VPN address for home server. 2026-04-08 20:51:20 -04:00
Tom Alexander
075a4b8262 Use direct paths for hydra's nix store. 
I was getting corrupted builds, so as a test I am using the direct path where the drive is mounted rather than going through bind mounts.
 2026-04-08 20:51:20 -04:00
Tom Alexander
d62b3d8a62 Add a build of nixbsd to nix_builder. 2026-04-08 08:45:07 -04:00
Tom Alexander
ee4794859a Update packages. 2026-04-08 08:45:07 -04:00
Tom Alexander
791f67eb82 Update nix_builder. 2026-04-02 22:03:45 -04:00
Tom Alexander
bf27504a5a Add repair flag to build scripts. 2026-04-02 14:14:11 -04:00
Tom Alexander
620c12eaa7 Add auto-formatting for d2. 2026-04-02 14:04:04 -04:00
Tom Alexander
e2658412ab Fix stuttery zoom on google maps. 2026-03-29 19:40:51 -04:00
Tom Alexander
a86e8c3a18 Fix rga alias. 2026-03-29 19:40:51 -04:00
Tom Alexander
299185970d Add stream to /etc/hosts 2026-03-19 18:16:57 -04:00
Tom Alexander
6670fdbe73 Merge branch 'family_disks' into nix 2026-03-08 13:01:20 -04:00
Tom Alexander
ed4eead5c0 Add a config for the machine to recover the family disks. 2026-03-08 13:01:11 -04:00
Tom Alexander
7f9f010217 Add support for a portable monitor. 2026-03-07 16:39:21 -05:00
Tom Alexander
ea133ded21 Add the next_hop script. 
This script determines the next hop for a packet leaving this machine destined for the given address.
 2026-03-04 21:13:40 -05:00
Tom Alexander
04ede4bfee Add a role for loading esims onto standalone sim cards. 2026-03-01 16:51:34 -05:00
Tom Alexander
2529ca4510 Disable some stuff in firefox. 2026-02-22 13:21:01 -05:00
Tom Alexander
69384f6cad Use rust nix-builder instead of bash script. 2026-02-22 13:21:01 -05:00
Tom Alexander
3df022ab3f Move org custom faces to a use-package :custom-face block. 
This prevent the faces from being written to custom.el.
 2026-02-22 13:21:01 -05:00
Tom Alexander
bf006a968b Update jujutsu config. 2026-02-22 13:21:01 -05:00
Tom Alexander
b1b2ea2109 Add git hide and git unhide scripts. 2026-02-14 12:33:06 -05:00
Tom Alexander
1211bc1c44 Remove programs.adb.enable. 2026-02-14 12:33:06 -05:00
Tom Alexander
776ed67675 Set up hydra as a remote build machine. 2026-02-13 10:37:29 -05:00
Tom Alexander
24e03ed8f7 Update packages in nix. 2026-02-13 10:36:49 -05:00
Tom Alexander
e75c4087c3 Add keep-alive to ssh connections. 2026-02-13 10:36:49 -05:00
Tom Alexander
43f3c1f955 Add some nix settings. 2026-02-13 10:36:47 -05:00
Tom Alexander
7ab1d4b9e1 Add the v4l utilities to control webcam settings. 2026-02-06 11:24:05 -05:00
Tom Alexander
ad88a526bc Add support for the android debug bridge. 2026-02-03 18:15:35 -05:00
Tom Alexander
b0cebc7973 Add a work monitor to shikane. 2026-02-03 11:10:45 -05:00
Tom Alexander
c90513cbea Install beamer with LaTeX. 2026-01-08 22:18:38 -05:00
Tom Alexander
07a8882766 Install graphviz. 2026-01-02 10:11:39 -05:00
Tom Alexander
e106a9fad1 Add nftables-mode to emacs. 2026-01-01 22:00:14 -05:00
Tom Alexander
70f3ae6894 Add a nix-flake-repl script. 2026-01-01 11:01:13 -05:00
Tom Alexander
d883dda34c Remove old TODO. 2025-12-27 20:45:20 -05:00
Tom Alexander
05a0459e5a Add toml2nix. 2025-12-16 18:43:37 -05:00
Tom Alexander
641c21c77f Add C/C++ debugging to personal vscode. 2025-12-13 23:15:59 -05:00
Tom Alexander
88634655d0 Fix firmware updating now that my UEFI system partition is mounted at /efi 2025-12-13 23:15:33 -05:00
Tom Alexander
0bd5931013 Fix the self repl script. 2025-12-10 21:35:50 -05:00
Tom Alexander
dc28b9a112 Inject the password-store flag to vscode. 2025-12-10 20:57:26 -05:00
Tom Alexander
d8d466e737 Update steam deck packages. 2025-12-09 20:38:18 -05:00
Tom Alexander
f94278e96d Re-enable rofimoji. 2025-12-09 13:52:45 -05:00
Tom Alexander
6452d591a7 Install yaml2nix. 2025-12-08 23:21:59 -05:00
Tom Alexander
4fbbec96c0 Another fix for screen scaling when sharing screen. 2025-12-08 13:01:42 -05:00
Tom Alexander
412c6d7220 Another fix for screen scaling when sharing screen. 2025-12-04 15:26:51 -05:00
Tom Alexander
519354fd2c Install pgformatter. 2025-12-03 16:12:36 -05:00
Tom Alexander
6d976d8319 Force cascadia mono. 2025-12-03 12:58:02 -05:00
Tom Alexander
910652e98c Fix scaling monitor when entering screen sharing. 2025-12-02 12:21:53 -05:00
Tom Alexander
e218973f1b Remove local copy of grub package. 2025-11-30 15:02:03 -05:00
Tom Alexander
b48d2b7b25 Disable the binary cache. 2025-11-30 14:16:48 -05:00
Tom Alexander
144d8fab6c Fix quark's updating. 2025-11-30 12:22:03 -05:00
Tom Alexander
15c99bc0b5 Remove the deprecated --fast flag. 2025-11-30 09:24:14 -05:00
Tom Alexander
a547b3b04b Enable content-addressed derivations. 
ref: https://www.tweag.io/blog/2020-09-10-nix-cas/
 2025-11-30 08:22:14 -05:00
Tom Alexander
5de1c0cb56 Remove an unnecessary line. 2025-11-29 23:00:25 -05:00
Tom Alexander
906741bfcf Remove uses of nix.extraOptions. 
This lets me override individual variables using nix's module system.
 2025-11-29 20:53:41 -05:00
Tom Alexander
568440f3f1 Trust odowork. 2025-11-29 19:59:10 -05:00
Tom Alexander
e428bd2f00 Add a note about ssh serve. 
Ref: https://nix.dev/manual/nix/2.26/package-management/ssh-substituter
 2025-11-29 18:57:33 -05:00
Tom Alexander
9bd896ff4b Install htop on hydra. 2025-11-29 18:43:12 -05:00
Tom Alexander
f663f794d0 Trust quark. 2025-11-29 18:40:37 -05:00
Tom Alexander
782253a557 Merge branch 'hydra' into nix 2025-11-29 18:36:38 -05:00
Tom Alexander
4ca486d7f8 Add a host for hydra. 2025-11-29 18:35:56 -05:00
Tom Alexander
8eb3c459bd Run nix daemon with idle priority on end-user devices. 2025-11-29 18:29:22 -05:00
Tom Alexander
1523e691d5 Build everything from source on steam deck. 2025-11-29 15:50:51 -05:00
Tom Alexander
c4ff96b847 Remove work-arounds. 2025-11-27 17:28:37 -05:00
Tom Alexander
aa05ab7289 Install microsoft fonts on odowork. 2025-11-27 13:20:16 -05:00
Tom Alexander
b743421749 Fix the installer image. 2025-11-27 13:20:14 -05:00
Tom Alexander
9099c4b67e Update packages. 2025-11-25 20:43:08 -05:00
Tom Alexander
b67b491efa Match extension versions for work. 2025-11-25 17:40:55 -05:00
Tom Alexander
ddd3200ca6 Add a role for gnome keyring. 2025-11-24 23:01:40 -05:00
Tom Alexander
d0968ab836 Install remote tunnels on odowork. 2025-11-24 22:55:31 -05:00
Tom Alexander
8c223a066d Add jq to the base role. 2025-11-24 20:29:35 -05:00
Tom Alexander
606b952304 Make rollback datasets configurable. 2025-11-24 20:16:47 -05:00
Tom Alexander
c542dcdee9 Use a local ssh config for odowork. 2025-11-24 19:31:56 -05:00
Tom Alexander
39997dc4d4 Recursively include inputs for all inputs in disko closure. 2025-11-24 19:06:58 -05:00
Tom Alexander
3348feb613 Add a command to launch a repl of the current flake. 2025-11-20 00:47:56 -05:00
Tom Alexander
f651241f20 Remove the pkgs-unoptimized input to instead import regular nixpkgs. 2025-11-19 23:56:26 -05:00
Tom Alexander
ff23d8ad20 Remove deprecated "system" parameter. 2025-11-19 23:37:33 -05:00
Tom Alexander
eebbf9f4aa Automatically set distributed build's supportedFeatures based on that host's actual config. 
Previously, we had two copies of the supported features for each host.
 2025-11-19 22:42:43 -05:00
Tom Alexander
3bf912f3be Trim down odowork's install. 2025-11-19 21:50:57 -05:00
Tom Alexander
331651bf23 Switch odowork to i_only_boot_zfs. 2025-11-19 20:50:45 -05:00
Tom Alexander
b16871c701 Fix rollback during boot. 2025-11-18 23:29:00 -05:00
139 changed files with 2961 additions and 1576 deletions
Expand all files Collapse all files

97
nix/configuration/configuration.nix
View File

@@ -9,6 +9,7 @@
./roles/2ship2harkinian
./roles/alacritty
./roles/amd_s2idle
./roles/android
./roles/ansible
./roles/ares
./roles/base
@@ -27,18 +28,21 @@
./roles/ecc
./roles/emacs
./roles/emulate_isa
./roles/esim
./roles/firefox
./roles/firewall
./roles/flux
./roles/fonts
./roles/image_based_appliance
./roles/gcloud
./roles/git
./roles/global_options
./roles/gnome_keyring
./roles/gnuplot
./roles/gpg
./roles/graphics
./roles/graphviz
./roles/hydra
./roles/image_based_appliance
./roles/iso
./roles/iso_mount
./roles/jujutsu
@@ -53,12 +57,15 @@
./roles/minimal_base
./roles/network
./roles/nix_index
./roles/nix_repl
./roles/nix_worker
./roles/nixdev
./roles/nvme
./roles/openpgp_card_tools
./roles/optimized_build
./roles/pcsx2
./roles/podman
./roles/postgresql_client
./roles/python
./roles/qemu
./roles/recovery
@@ -87,6 +94,7 @@
./roles/vscode
./roles/wasm
./roles/waybar
./roles/webcam
./roles/wine
./roles/wireguard
./roles/yubikey
@@ -101,16 +109,25 @@
nix.settings.experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
# "blake3-hashes"
# "git-hashing"
];
nix.settings.trusted-users = [ "@wheel" ];
nix.settings.connect-timeout = 5;
nix.settings.min-free = 128000000;
nix.settings.max-free = 1000000000;
nix.settings.fallback = true;
nix.settings.warn-dirty = false;
nix.settings.fsync-metadata = true;
# Ensure store paths are durably written to disk before registering the paths so a crash mid-build does not leave us in a corrupted state.
nix.settings.fsync-store-paths = true;
hardware.enableRedistributableFirmware = true;
# Keep outputs so we can build offline.
nix.extraOptions = ''
keep-outputs = true
keep-derivations = true
'';
nix.settings.keep-outputs = true;
nix.settings.keep-derivations = true;
# Automatic garbage collection
nix.gc = lib.mkIf (!config.me.buildingPortable) {
@@ -153,6 +170,7 @@
nixpkgs.overlays =
let
disableTests = (
# Example: (disableTests "coreutils")
package_name:
(final: prev: {
"${package_name}" = prev."${package_name}".overrideAttrs (old: {
@@ -161,29 +179,66 @@
});
})
);
in
[
disableTestsPython = (
# Example: (disableTestsPython "scipy")
package_name:
(final: prev: {
imagemagick = prev.imagemagick.overrideAttrs (old: rec {
# 7.1.2-6 seems to no longer exist, so use 7.1.2-7
version = "7.1.2-7";
src = final.fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
tag = version;
hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
};
pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
(python-final: python-prev: {
"${package_name}" = python-prev."${package_name}".overridePythonAttrs (oldAttrs: {
doCheck = false;
});
})
(final: prev: {
grub2 = (final.callPackage ./package/grub { });
];
})
);
disableOptimizations = (
# Example: (disableOptimizations "coreutils")
package_name:
(final: prev: {
rpcs3 = prev.rpcs3.override {
ffmpeg = final.ffmpeg_7;
"${package_name}" = final.unoptimized."${package_name}";
})
);
disableOptimizationsScope = (
# Example: (disableOptimizationsScope "kdePackages" "qtbase")
scope: package_name:
(final: prev: {
"${scope}" = prev."${scope}".overrideScope (
scopeFinal: scopePrev: {
"${package_name}" = final.unoptimized."${scope}"."${package_name}";
}
);
})
);
disableOptimizationsPython3 = (
# Example: (disableOptimizationsPython3 "scipy")
package_name:
(final: prev: {
python3Packages = prev.python3Packages.override {
overrides = python-final: python-prev: {
"${package_name}" = final.unoptimized.python3.pkgs."${package_name}";
};
};
})
);
in
[
(disableTests "coreutils")
(disableTests "coreutils-full")
(disableTests "libuv")
(final: prev: {
inherit (final.unoptimized) libtpms libjxl;
})
(disableOptimizationsPython3 "scipy")
# Works but probably sets python2's scipy to be python3:
#
# (final: prev: {
# pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
# (python-final: python-prev: {
# scipy = final.unoptimized.python3Packages.scipy;
# })
# ];
# })
];
# This option defines the first version of NixOS you have installed on this particular machine,

66
nix/configuration/flake.lock generated
View File

@@ -22,11 +22,11 @@
]
},
"locked": {
"lastModified": 1762276996,
"narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
"lastModified": 1769524058,
"narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"owner": "nix-community",
"repo": "disko",
"rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
"rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"type": "github"
},
"original": {
@@ -94,13 +94,40 @@
"type": "github"
}
},
"impermanence": {
"home-manager": {
"inputs": {
"nixpkgs": [
"impermanence",
"nixpkgs"
]
},
"locked": {
"lastModified": 1737831083,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
"lastModified": 1768598210,
"narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"inputs": {
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769548169,
"narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
"type": "github"
},
"original": {
@@ -137,11 +164,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1762977756,
"narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
"lastModified": 1770197578,
"narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
"rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
"type": "github"
},
"original": {
@@ -167,22 +194,6 @@
"type": "github"
}
},
"nixpkgs-unoptimized": {
"locked": {
"lastModified": 1762977756,
"narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
@@ -215,8 +226,7 @@
"disko": "disko",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs",
"nixpkgs-unoptimized": "nixpkgs-unoptimized"
"nixpkgs": "nixpkgs"
}
},
"rust-overlay": {

53
nix/configuration/flake.nix
View File

@@ -1,6 +1,3 @@
# Get a repl for this flake
# nix repl --expr "builtins.getFlake \"$PWD\""
# TODO maybe use `nix eval --raw .#odo.iso.outPath`
#
@@ -18,9 +15,11 @@
description = "My system configuration";
inputs = {
impermanence.url = "github:nix-community/impermanence";
impermanence = {
url = "github:nix-community/impermanence";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-unoptimized.url = "github:NixOS/nixpkgs/nixos-unstable";
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs";
@@ -29,16 +28,17 @@
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
mt7927.url = "github:cmspam/mt7927-nixos";
};
outputs =
{
self,
nixpkgs,
nixpkgs-unoptimized,
disko,
impermanence,
lanzaboote,
mt7927,
...
}:
let
@@ -59,32 +59,60 @@
i_only_boot_zfs = {
system = "x86_64-linux";
};
hydra = {
system = "x86_64-linux";
};
family_disks = {
system = "x86_64-linux";
};
};
nixosConfigs = builtins.mapAttrs (
hostname: nodeConfig: format:
nixpkgs.lib.nixosSystem {
inherit (nodeConfig) system;
specialArgs = {
inherit self;
this_nixos_config = self.nixosConfigurations."${hostname}";
pkgs-unoptimized = import nixpkgs-unoptimized {
inherit (nodeConfig) system;
hostPlatform.gcc.arch = "default";
hostPlatform.gcc.tune = "default";
};
all_nixos_configs = self.nixosConfigurations;
};
modules = [
impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
mt7927.nixosModules.default
./configuration.nix
(./. + "/hosts/${hostname}")
(./. + "/formats/${format}.nix")
{
config = {
nixpkgs.hostPlatform.system = nodeConfig.system;
nixpkgs.overlays = [
(final: prev: {
# stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
unoptimized = import nixpkgs {
system = prev.stdenv.hostPlatform.system;
hostPlatform.gcc.arch = "default";
hostPlatform.gcc.tune = "default";
};
})
];
};
}
];
}
) nodes;
installerConfig =
hostname: nodeConfig:
nixpkgs.lib.nixosSystem {
specialArgs = {
targetSystem = self.nixosConfigurations."${hostname}";
};
modules = [
./formats/installer.nix
({ nixpkgs.hostPlatform.system = nodeConfig.system; })
];
};
in
{
nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs);
@@ -97,6 +125,7 @@
iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage;
vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage;
sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage;
installer = (installerConfig hostname nodes."${hostname}").config.system.build.isoImage;
}) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes))
)
);

74
nix/configuration/formats/installer.nix Normal file
View File

@@ -0,0 +1,74 @@
{
config,
pkgs,
lib,
modulesPath,
targetSystem,
...
}:
let
installer = pkgs.writeShellApplication {
name = "installer";
runtimeInputs = with pkgs; [
# clevis
dosfstools
e2fsprogs
gawk
nixos-install-tools
util-linux
config.nix.package
];
text = ''
set -euo pipefail
${targetSystem.config.system.build.diskoScript}
nixos-install --no-channel-copy --no-root-password --option substituters "" --system ${targetSystem.config.system.build.toplevel}
'';
};
installerFailsafe = pkgs.writeShellScript "failsafe" ''
${lib.getExe installer} || echo "ERROR: Installation failure!"
sleep 3600
'';
in
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
(modulesPath + "/profiles/all-hardware.nix")
];
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_18;
# boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
boot.zfs.package = pkgs.zfs_unstable;
boot.kernelParams = [
"quiet"
"systemd.unit=getty.target"
];
boot.supportedFilesystems.zfs = true;
boot.initrd.systemd.enable = true;
networking.hostId = "04581ecf";
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
isoImage.squashfsCompression = "zstd -Xcompression-level 15";
environment.systemPackages = [
installer
];
systemd.services."getty@tty1" = {
overrideStrategy = "asDropin";
serviceConfig = {
ExecStart = [
""
installerFailsafe
];
Restart = "no";
StandardInput = "null";
};
};
# system.stateVersion = lib.mkDefault lib.trivial.release;
system.stateVersion = "24.11";
}

7
nix/configuration/formats/iso.nix
View File

@@ -1,6 +1,8 @@
{
config,
lib,
modulesPath,
pkgs,
...
}:
@@ -20,12 +22,15 @@
me.disko.enable = true;
me.disko.offline.enable = true;
me.mountPersistence = lib.mkForce false;
me.optimizations.enable = lib.mkForce false;
# me.optimizations.enable = lib.mkForce false;
# Not doing image_based_appliance because this might be an install ISO, in which case we'd need nix to do the install.
# me.image_based_appliance.enable = true;
# TODO: Should I use this instead of doing a mkIf for the disk config?
# disko.enableConfig = false;
# Faster image generation for testing/development.
isoImage.squashfsCompression = "zstd -Xcompression-level 15";
};
}

13
nix/configuration/hosts/family_disks/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=family_disks
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

13
nix/configuration/hosts/family_disks/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=family_disks
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/family_disks/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#family_disks.iso" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/family_disks/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

12
nix/configuration/hosts/family_disks/SELF_BUILD Executable file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
: "${NOM:="true"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/family_disks/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

75
nix/configuration/hosts/family_disks/default.nix Normal file
View File

@@ -0,0 +1,75 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./wrapped-disk-config.nix
./distributed_build.nix
./power_management.nix
];
config = {
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "908cbf04";
networking.hostName = "family_disks"; # Define your hostname.
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
# Toggle to start writing the extlinux config which will be used by zfsbootmenu
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
me.rollback.dataset = [
"zroot/linux/nix/root@blank"
"zroot/linux/nix/home@blank"
];
me.optimizations = {
enable = true;
arch = "skylake";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Early KMS
# boot.initrd.kernelModules = [ "amdgpu" ];
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable light sensor
# hardware.sensor.iio.enable = lib.mkDefault true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
nix.daemonCPUSchedPolicy = "idle";
me.build_in_ram.enable = true;
me.dont_use_substituters.enable = true;
me.minimal_base.enable = true;
me.recovery.enable = true;
};
}

34
nix/configuration/hosts/hydra/disk-config.nix → nix/configuration/hosts/family_disks/disk-config.nix
View File

@@ -1,13 +1,8 @@
# Manual Step:
# Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
# Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
{
config,
lib,
...
}:
lib.mkIf (!config.me.buildingIso) {
{
disko.devices = {
disk = {
main = {
@@ -22,7 +17,7 @@ lib.mkIf (!config.me.buildingIso) {
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountpoint = "/efi";
mountOptions = [
"umask=0077"
"noatime"
@@ -69,6 +64,11 @@ lib.mkIf (!config.me.buildingIso) {
"linux/nix" = {
type = "zfs_fs";
options.mountpoint = "none";
options = {
# encryption = "aes-256-gcm";
# keyformat = "passphrase";
# # keylocation = "file:///tmp/secret.key";
};
};
"linux/nix/root" = {
type = "zfs_fs";
@@ -76,14 +76,23 @@ lib.mkIf (!config.me.buildingIso) {
mountpoint = "/";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
};
"linux/nix/boot" = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"org.zfsbootmenu:active" = "on";
};
mountpoint = "/boot";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
};
"linux/nix/nix" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/nix";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
options = {
recordsize = "1MiB";
compression = "lz4";
# recordsize = "16MiB";
# compression = "zstd-19";
};
};
"linux/nix/home" = {
@@ -120,6 +129,10 @@ lib.mkIf (!config.me.buildingIso) {
"noatime"
"norelatime"
];
fileSystems."/boot".options = [
"noatime"
"norelatime"
];
fileSystems."/nix".options = [
"noatime"
"norelatime"
@@ -136,4 +149,7 @@ lib.mkIf (!config.me.buildingIso) {
"noatime"
"norelatime"
];
# Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
}

19
nix/configuration/hosts/family_disks/distributed_build.nix Normal file
View File

@@ -0,0 +1,19 @@
{
imports = [ ];
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.quark = {
enable = false;
additional_config = {
speedFactor = 2;
};
};
me.distributed_build.machines.hydra = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
};
}

33
nix/configuration/hosts/family_disks/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,33 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

75
nix/configuration/hosts/family_disks/power_management.nix Normal file
View File

@@ -0,0 +1,75 @@
{
pkgs,
...
}:
{
imports = [ ];
config = {
environment.systemPackages = with pkgs; [
powertop
];
# amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
# pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
# nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
# amd_pstate=passive :: Fully automated hardware pstate control.
# amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
# amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
# amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
boot.kernelParams = [
"amdgpu.abmlevel=2"
"pcie_aspm=force"
# "pcie_aspm.policy=powersupersave"
"nowatchdog"
# I don't see a measurable benefit from these two:
# "cpufreq.default_governor=powersave"
# "initcall_blacklist=cpufreq_gov_userspace_init"
];
systemd.tmpfiles.rules = [
"w- /sys/firmware/acpi/platform_profile - - - - low-power"
"w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
];
boot.extraModprobeConfig = ''
# Disable the hardware watchdog inside AMD 700 chipset series for power savings.
blacklist sp5100_tco
# Sound power-saving was causing chat notifications to be inaudible.
# options snd_hda_intel power_save=1
'';
};
}

7
nix/configuration/hosts/family_disks/wrapped-disk-config.nix Normal file
View File

@@ -0,0 +1,7 @@
{
config,
lib,
...
}:
lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

6
nix/configuration/hosts/hydra/DEPLOY_BOOT
View File

@@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
#TARGET=10.216.1.14
# TARGET=192.168.211.250
TARGET=hydra
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#hydra'
nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

6
nix/configuration/hosts/hydra/DEPLOY_SWITCH
View File

@@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
#TARGET=10.216.1.14
# TARGET=192.168.211.250
TARGET=hydra
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#hydra'
nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/hydra/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/hydra/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/hydra/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/hydra/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

5
nix/configuration/hosts/hydra/VM_ISO
View File

@@ -7,7 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#vm_iso.hydra" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
install -m 0644 result/iso/nixos-*-x86_64-linux.iso ~/hydra.iso
unlink ./result
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.vm_iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

134
nix/configuration/hosts/hydra/default.nix
View File

@@ -1,41 +1,73 @@
# MANUAL: On client machines generate signing keys:
# nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
#
# Testing:
# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
# -accel kvm \
# -cpu host \
# -smp cores=8 \
# -m 32768 \
# -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
# -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
# -device nvme,serial=deadbeef,drive=nvm \
# -nic user,hostfwd=tcp::60022-:22 \
# -boot order=d \
# -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
# -display vnc=127.0.0.1:0
#
# Trust other machines and add the substituters:
# nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
# nix.binaryCaches = [ "https://test.example/nix-cache" ];
{
config,
lib,
pkgs,
...
}:
{
imports = [
./disk-config.nix
./hardware-configuration.nix
./vm_disk.nix
];
config = {
networking =
let
interface = "enp0s2";
in
{
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "fbd233d8";
hostId = "6fbf418b";
networking.hostName = "hydra"; # Define your hostname.
hostName = "hydra"; # Define your hostname.
interfaces = {
"${interface}" = {
ipv4.addresses = [
{
address = "10.215.1.219";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "2620:11f:7001:7:ffff:ffff:0ad7:01db";
prefixLength = 64;
}
];
};
};
defaultGateway = "10.215.1.1";
defaultGateway6 = {
# address = "2620:11f:7001:7::1";
address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
inherit interface;
};
dhcpcd.enable = lib.mkForce false;
useDHCP = lib.mkForce false;
};
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
@@ -53,26 +85,54 @@
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
me.base.enable = true;
me.boot.enable = true;
me.doas.enable = true;
me.emacs_flavor = "plainmacs";
me.firewall.enable = true;
me.font.enable = true;
me.git.enable = true;
me.graphical = false;
me.hydra.enable = false;
me.memtest.enable = true;
me.network.enable = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# nix.optimise.automatic = true;
# nix.optimise.dates = [ "03:45" ];
# nix.optimise.persistent = true;
me.image_based_appliance.enable = lib.mkForce false;
environment.systemPackages = with pkgs; [
htop
git # for building on hydra
tmux # for building on hydra
nix-output-monitor # for building on hydra
];
# nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
# Override garbage collection to keep things longer
# Automatic garbage collection
nix.gc = lib.mkForce {
automatic = true;
persistent = true;
dates = "weekly";
# randomizedDelaySec = "14m";
options = "--delete-older-than 60d";
};
# The default limit of files is 1024 which is too low for some nix builds.
#
# Check with `ulimit -n`
security.pam.loginLimits = [
{
domain = "*";
item = "nofile";
type = "-";
value = "8192";
}
];
# systemd.user.extraConfig = "DefaultLimitNOFILE=8192";
# systemd.services."user@11400".serviceConfig.LimitNOFILE = "8192";
me.build_in_ram.enable = true;
me.dont_use_substituters.enable = true;
me.hydra.enable = true;
me.minimal_base.enable = true;
me.nix_worker.enable = true;
me.nvme.enable = true;
me.ssh.enable = true;
me.sshd.enable = true;
me.user.enable = true;
me.vm_disk.enable = true;
me.wireguard.activated = [ ];
me.wireguard.deactivated = [ ];
me.zfs.enable = true;
me.zsh.enable = true;
};
}

17
nix/configuration/hosts/hydra/hardware-configuration.nix
View File

@@ -1,4 +1,5 @@
{
config,
lib,
modulesPath,
...
@@ -11,12 +12,9 @@
config = {
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
@@ -26,11 +24,8 @@
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.dhcpcd.enable = lib.mkForce true;
networking.useDHCP = lib.mkForce true;
networking.interfaces.enp0s2.useDHCP = lib.mkForce true;
# systemd.network.enable = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
};
}

71
nix/configuration/hosts/hydra/vm_disk.nix
View File

@@ -1,24 +1,21 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
options.me = {
vm_disk.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to mount the local disk for persistent storage.";
};
};
config = {
# environment.systemPackages = with pkgs; [
# e2fsprogs # mkfs.ext4
# gptfdisk # cgdisk
# ];
config = lib.mkIf config.me.vm_disk.enable {
# Mount the local disk
fileSystems = {
fileSystems = lib.mkIf config.me.mountPersistence {
"/.disk" = lib.mkForce {
device = "/dev/nvme0n1p1";
fsType = "ext4";
@@ -29,6 +26,25 @@
neededForBoot = true;
};
# "/.persist" = lib.mkForce {
# device = "bind9p";
# fsType = "9p";
# options = [
# "noatime"
# "trans=virtio"
# "version=9p2000.L"
# "cache=mmap"
# "msize=512000"
# "uname=root"
# "dfltuid=0"
# "dfltgid=0"
# "nodevmap"
# # "noauto"
# # "x-systemd.automount"
# ];
# neededForBoot = true;
# };
"/persist" = {
fsType = "none";
device = "/.disk/persist";
@@ -39,6 +55,7 @@
depends = [
"/.disk/persist"
];
neededForBoot = true;
};
"/state" = {
@@ -51,22 +68,28 @@
depends = [
"/.disk/state"
];
neededForBoot = true;
};
"/nix/store" = lib.mkForce {
fsType = "overlay";
device = "overlay";
options = [
"lowerdir=/nix/.ro-store"
"upperdir=/.disk/persist/store"
"workdir=/.disk/state/work"
];
depends = [
"/nix/.ro-store"
"/.disk/persist/store"
"/.disk/state/work"
];
};
# "/nix/store" = lib.mkForce {
# overlay = {
# lowerdir = [ "/nix/.ro-store" ];
# upperdir = "/.disk/persist/store";
# workdir = "/.disk/state/work";
# };
# # fsType = "overlay";
# # device = "overlay";
# # options = [
# # "lowerdir=/nix/.ro-store"
# # "upperdir=/.disk/persist/store"
# # "workdir=/.disk/state/work"
# # ];
# depends = [
# "/nix/.ro-store"
# "/.disk/persist/store"
# "/.disk/state/work"
# ];
# };
};
};
}

2
nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=i_only_boot_zfs
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=i_only_boot_zfs
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

6
nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix
View File

@@ -3,12 +3,6 @@
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.hydra = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
me.distributed_build.machines.quark = {
enable = true;
additional_config = {

1
nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix
View File

@@ -28,7 +28,6 @@
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

2
nix/configuration/hosts/neelix/DEPLOY_BOOT
View File

@@ -12,6 +12,6 @@ TARGET=neelix
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'

2
nix/configuration/hosts/neelix/DEPLOY_SWITCH
View File

@@ -12,6 +12,6 @@ TARGET=neelix
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'

1
nix/configuration/hosts/neelix/hardware-configuration.nix
View File

@@ -31,7 +31,6 @@
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

2
nix/configuration/hosts/odo/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=odo
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odo/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=odo
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odo/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odo/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

4
nix/configuration/hosts/odo/SELF_BUILD
View File

@@ -5,6 +5,8 @@ IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
: "${NOM:="true"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odo/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

16
nix/configuration/hosts/odo/default.nix
View File

@@ -32,6 +32,11 @@
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
me.rollback.dataset = [
"zroot/linux/nix/root@blank"
"zroot/linux/nix/home@blank"
];
me.optimizations = {
enable = true;
arch = "znver4";
@@ -67,8 +72,12 @@
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
nix.daemonCPUSchedPolicy = "idle";
me.alacritty.enable = true;
me.amd_s2idle.enable = true;
me.android.enable = true;
me.ansible.enable = true;
me.ares.enable = true;
me.base.enable = true;
@@ -84,6 +93,7 @@
me.ecc.enable = false;
me.emacs_flavor = "full";
me.emulate_isa.enable = true;
me.esim.enable = true;
me.firefox.enable = true;
me.firewall.enable = true;
me.flux.enable = true;
@@ -95,7 +105,9 @@
me.gpg.enable = true;
me.graphical = true;
me.graphics_card_type = "amd";
me.graphviz.enable = true;
me.iso_mount.enable = true;
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kanshi.enable = false;
me.kubernetes.enable = true;
@@ -106,10 +118,13 @@
me.memtest.enable = true;
me.network.enable = true;
me.nix_index.enable = true;
me.nix_repl.enable = true;
me.nixdev.enable = true;
me.nvme.enable = true;
me.openpgp_card_tools.enable = true;
me.pcsx2.enable = true;
me.podman.enable = true;
me.postgresql_client.enable = true;
me.python.enable = true;
me.qemu.enable = true;
me.recovery.enable = true;
@@ -135,6 +150,7 @@
me.vscode.enable = true;
me.wasm.enable = true;
me.waybar.enable = true;
me.webcam.enable = true;
me.wine.enable = false;
me.wireguard.activated = [
"drmario"

6
nix/configuration/hosts/odo/distributed_build.nix
View File

@@ -3,13 +3,13 @@
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.hydra = {
enable = true;
me.distributed_build.machines.quark = {
enable = false;
additional_config = {
speedFactor = 2;
};
};
me.distributed_build.machines.quark = {
me.distributed_build.machines.hydra = {
enable = true;
additional_config = {
speedFactor = 2;

1
nix/configuration/hosts/odo/hardware-configuration.nix
View File

@@ -28,7 +28,6 @@
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

4
nix/configuration/hosts/odowork/DEPLOY_BOOT
View File

@@ -8,6 +8,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
TARGET=odowork
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

4
nix/configuration/hosts/odowork/DEPLOY_SWITCH
View File

@@ -8,6 +8,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
TARGET=odowork
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

9
nix/configuration/hosts/odowork/INSTALLER Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.installer" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

3
nix/configuration/hosts/odowork/ISO
View File

@@ -6,5 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

3
nix/configuration/hosts/odowork/SELF_BOOT
View File

@@ -6,5 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

3
nix/configuration/hosts/odowork/SELF_BUILD
View File

@@ -6,5 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

3
nix/configuration/hosts/odowork/SELF_SWITCH
View File

@@ -6,5 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

58
nix/configuration/hosts/odowork/default.nix
View File

@@ -13,6 +13,7 @@
./screen_brightness.nix
./wifi.nix
./framework_module.nix
./ssh_config.nix
];
config = {
@@ -29,8 +30,13 @@
me.mountPersistence = true;
# Toggle to start writing the extlinux config which will be used by zfsbootmenu
# boot.loader.generic-extlinux-compatible.enable = true;
# boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
me.rollback.dataset = [
"zroot/linux/nixwork/root@blank"
"zroot/linux/nixwork/home@blank"
];
me.optimizations = {
enable = true;
@@ -67,38 +73,44 @@
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
nix.daemonCPUSchedPolicy = "idle";
fonts.enableDefaultPackages = lib.mkForce true;
fonts.packages = with pkgs; [
corefonts
];
allowedUnfree = [ "corefonts" ];
me.alacritty.enable = true;
me.amd_s2idle.enable = true;
me.android.enable = true;
me.ansible.enable = true;
me.ares.enable = true;
me.base.enable = true;
me.bluetooth.enable = true;
me.build_in_ram.enable = true;
me.chromecast.enable = true;
me.chromium.enable = true;
me.d2.enable = true;
me.direnv.enable = true;
me.doas.enable = true;
me.docker.enable = false;
me.dont_use_substituters.enable = true;
me.ecc.enable = false;
me.emacs_flavor = "full";
me.emulate_isa.enable = true;
me.firefox.enable = true;
me.firewall.enable = true;
me.flux.enable = true;
me.font.enable = true;
me.gcloud.enable = true;
me.git.config = ../../roles/git/files/gitconfig_home;
me.git.config = ../../roles/git/files/gitconfig_work;
me.git.enable = true;
me.gnome_keyring.enable = true;
me.gnuplot.enable = true;
me.gpg.enable = true;
me.graphical = true;
me.graphics_card_type = "amd";
me.graphviz.enable = true;
me.iso_mount.enable = true;
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kanshi.enable = false;
me.kubernetes.enable = true;
me.latex.enable = true;
me.launch_keyboard.enable = true;
me.lvfs.enable = true;
@@ -106,47 +118,39 @@
me.memtest.enable = true;
me.network.enable = true;
me.nix_index.enable = true;
me.nix_repl.enable = true;
me.nixdev.enable = true;
me.nvme.enable = true;
me.openpgp_card_tools.enable = true;
me.pcsx2.enable = true;
me.podman.enable = true;
me.postgresql_client.enable = true;
me.python.enable = true;
me.qemu.enable = true;
me.recovery.enable = true;
me.rpcs3.enable = true;
me.rust.enable = true;
me.sequoia.enable = true;
me.shadps4.enable = false;
me.shikane.enable = true;
me.sops.enable = true;
me.sound.enable = true;
me.spaghettikart.enable = true;
me.ssh.enable = true;
me.sshd.enable = true;
me.steam.enable = true;
me.steam_run_free.enable = true;
me.sway.enable = true;
me.tekton.enable = true;
me.terraform.enable = true;
me.thunderbolt.enable = true;
me.user.enable = true;
me.uutils.enable = false;
me.vnc_client.enable = true;
me.vscode.enable = true;
me.wasm.enable = true;
me.vscode.enable_work_profile = true;
me.waybar.enable = true;
me.wine.enable = false;
me.webcam.enable = true;
me.wireguard.activated = [
"wgh"
];
me.wireguard.deactivated = [ "wgf" ];
me.wireguard.deactivated = [
"wgf"
"colo"
];
me.yubikey.enable = true;
me.zfs.enable = true;
me.zrepl.enable = true;
me.zsh.enable = true;
me.sm64ex.enable = true;
me.shipwright.enable = true;
me.ship2harkinian.enable = true;
};
}

6
nix/configuration/hosts/odowork/distributed_build.nix
View File

@@ -3,13 +3,13 @@
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.hydra = {
enable = true;
me.distributed_build.machines.quark = {
enable = false;
additional_config = {
speedFactor = 2;
};
};
me.distributed_build.machines.quark = {
me.distributed_build.machines.hydra = {
enable = true;
additional_config = {
speedFactor = 2;

1
nix/configuration/hosts/odowork/hardware-configuration.nix
View File

@@ -28,7 +28,6 @@
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

15
nix/configuration/hosts/odowork/ssh_config.nix Normal file
View File

@@ -0,0 +1,15 @@
{
lib,
...
}:
{
imports = [ ];
config = {
me.install.user.talexander.file = {
".ssh/config" = {
source = lib.mkForce "/persist/manual/ssh/talexander/config";
};
};
};
}

2
nix/configuration/hosts/quark/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=quark
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=quark
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/SELF_BUILD
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

19
nix/configuration/hosts/quark/default.nix
View File

@@ -11,6 +11,7 @@
./hardware-configuration.nix
./power_management.nix
./waybar.nix
./wifi.nix
];
config = {
@@ -30,6 +31,11 @@
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
me.rollback.dataset = [
"zroot/linux/nix/root@blank"
"zroot/linux/nix/home@blank"
];
me.optimizations = {
enable = true;
arch = "znver4";
@@ -58,12 +64,16 @@
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
nix.daemonCPUSchedPolicy = "idle";
# RPCS3 has difficulty with znver5
me.rpcs3.config.Core."Use LLVM CPU" = "znver4";
me.alacritty.enable = true;
me.amd_s2idle.enable = true;
me.ansible.enable = true;
me.android.enable = true;
me.ares.enable = true;
me.base.enable = true;
me.bluetooth.enable = true;
@@ -78,6 +88,7 @@
me.ecc.enable = true;
me.emacs_flavor = "full";
me.emulate_isa.enable = true;
me.esim.enable = true;
me.firefox.enable = true;
me.firewall.enable = true;
me.flux.enable = true;
@@ -89,7 +100,9 @@
me.gpg.enable = true;
me.graphical = true;
me.graphics_card_type = "amd";
me.graphviz.enable = true;
me.iso_mount.enable = true;
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kanshi.enable = false;
me.kubernetes.enable = true;
@@ -100,15 +113,18 @@
me.memtest.enable = true;
me.network.enable = true;
me.nix_index.enable = true;
me.nix_repl.enable = true;
me.nix_worker.enable = true;
me.nixdev.enable = true;
me.nvme.enable = true;
me.openpgp_card_tools.enable = true;
me.pcsx2.enable = true;
me.podman.enable = true;
me.postgresql_client.enable = true;
me.python.enable = true;
me.qemu.enable = true;
me.recovery.enable = true;
me.rpcs3.enable = false;
me.rpcs3.enable = true;
me.rust.enable = true;
me.sequoia.enable = true;
me.shadps4.enable = false;
@@ -130,6 +146,7 @@
me.vscode.enable = true;
me.wasm.enable = true;
me.waybar.enable = true;
me.webcam.enable = true;
me.wine.enable = false;
me.wireguard.activated = [
"drmario"

9
nix/configuration/hosts/quark/disk-config.nix
View File

@@ -75,6 +75,15 @@
mountpoint = "/";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
};
"linux/nix/boot" = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"org.zfsbootmenu:active" = "on";
};
mountpoint = "/boot";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
};
"linux/nix/nix" = {
type = "zfs_fs";
options.mountpoint = "legacy";

20
nix/configuration/hosts/quark/wifi.nix Normal file
View File

@@ -0,0 +1,20 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
hardware.mediatek-mt7927 = {
enable = true;
enableWifi = true;
enableBluetooth = true;
# Highly recommended to fix upload speed issues
disableAspm = true;
};
};
}

2
nix/configuration/hosts/recovery/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=recovery
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=recovery
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/SELF_BUILD
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

6
nix/configuration/hosts/recovery/distributed_build.nix
View File

@@ -3,12 +3,6 @@
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.hydra = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
me.distributed_build.machines.quark = {
enable = true;
additional_config = {

1
nix/configuration/hosts/recovery/hardware-configuration.nix
View File

@@ -28,7 +28,6 @@
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

204
nix/configuration/package/grub/add-hidden-menu-entries.patch
View File

@@ -1,204 +0,0 @@
diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
index e9e9d94ef..54e08a1b4 100644
--- a/grub-core/commands/legacycfg.c
+++ b/grub-core/commands/legacycfg.c
@@ -143,7 +143,7 @@ legacy_file (const char *filename)
args[0] = oldname;
grub_normal_add_menu_entry (1, args, NULL, NULL, "legacy",
NULL, NULL,
- entrysrc, 0);
+ entrysrc, 0, 0);
grub_free (args);
entrysrc[0] = 0;
grub_free (oldname);
@@ -205,7 +205,7 @@ legacy_file (const char *filename)
}
args[0] = entryname;
grub_normal_add_menu_entry (1, args, NULL, NULL, NULL,
- NULL, NULL, entrysrc, 0);
+ NULL, NULL, entrysrc, 0, 0);
grub_free (args);
}
diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
index 720e6d8ea..50632ccce 100644
--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
@@ -78,7 +78,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
char **classes, const char *id,
const char *users, const char *hotkey,
const char *prefix, const char *sourcecode,
- int submenu)
+ int submenu, int hidden)
{
int menu_hotkey = 0;
char **menu_args = NULL;
@@ -188,8 +188,11 @@ grub_normal_add_menu_entry (int argc, const char **args,
(*last)->args = menu_args;
(*last)->sourcecode = menu_sourcecode;
(*last)->submenu = submenu;
+ (*last)->hidden = hidden;
+
+ if (!hidden)
+ menu->size++;
- menu->size++;
return GRUB_ERR_NONE;
fail:
@@ -286,7 +289,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
users,
ctxt->state[2].arg, 0,
ctxt->state[3].arg,
- ctxt->extcmd->cmd->name[0] == 's');
+ ctxt->extcmd->cmd->name[0] == 's',
+ ctxt->extcmd->cmd->name[0] == 'h');
src = args[argc - 1];
args[argc - 1] = NULL;
@@ -303,7 +307,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
ctxt->state[0].args, ctxt->state[4].arg,
users,
ctxt->state[2].arg, prefix, src + 1,
- ctxt->extcmd->cmd->name[0] == 's');
+ ctxt->extcmd->cmd->name[0] == 's',
+ ctxt->extcmd->cmd->name[0] == 'h');
src[len - 1] = ch;
args[argc - 1] = src;
@@ -311,7 +316,7 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
return r;
}
-static grub_extcmd_t cmd, cmd_sub;
+static grub_extcmd_t cmd, cmd_sub, cmd_hidden;
void
grub_menu_init (void)
@@ -327,6 +332,12 @@ grub_menu_init (void)
| GRUB_COMMAND_FLAG_EXTRACTOR,
N_("BLOCK"), N_("Define a submenu."),
options);
+ cmd_hidden = grub_register_extcmd ("hiddenentry", grub_cmd_menuentry,
+ GRUB_COMMAND_FLAG_BLOCKS
+ | GRUB_COMMAND_ACCEPT_DASH
+ | GRUB_COMMAND_FLAG_EXTRACTOR,
+ N_("BLOCK"), N_("Define a hidden menu entry."),
+ options);
}
void
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 6a90e091f..4236f55bc 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -37,6 +37,8 @@
entry failing to boot. */
#define DEFAULT_ENTRY_ERROR_DELAY_MS 2500
+#define MENU_INCLUDE_HIDDEN 0x10000
+
grub_err_t (*grub_gfxmenu_try_hook) (int entry, grub_menu_t menu,
int nested) = NULL;
@@ -80,8 +82,20 @@ grub_menu_get_entry (grub_menu_t menu, int no)
{
grub_menu_entry_t e;
- for (e = menu->entry_list; e && no > 0; e = e->next, no--)
- ;
+ if (no & MENU_INCLUDE_HIDDEN) {
+ no &= ~MENU_INCLUDE_HIDDEN;
+
+ for (e = menu->entry_list; e && no > 0; e = e->next, no--)
+ ;
+ } else {
+ for (e = menu->entry_list; e && no > 0; e = e->next, no--) {
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
+ }
+ while (e && e->hidden)
+ e = e->next;
+ }
return e;
}
@@ -93,10 +107,10 @@ get_entry_index_by_hotkey (grub_menu_t menu, int hotkey)
grub_menu_entry_t entry;
int i;
- for (i = 0, entry = menu->entry_list; i < menu->size;
+ for (i = 0, entry = menu->entry_list; entry;
i++, entry = entry->next)
if (entry->hotkey == hotkey)
- return i;
+ return i | MENU_INCLUDE_HIDDEN;
return -1;
}
@@ -509,6 +523,10 @@ get_entry_number (grub_menu_t menu, const char *name)
grub_menu_entry_t e = menu->entry_list;
int i;
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
+
grub_errno = GRUB_ERR_NONE;
for (i = 0; e; i++)
@@ -520,6 +538,10 @@ get_entry_number (grub_menu_t menu, const char *name)
break;
}
e = e->next;
+
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
}
if (! e)
diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
index b1321eb26..d2e46cac8 100644
--- a/grub-core/normal/menu_text.c
+++ b/grub-core/normal/menu_text.c
@@ -289,7 +289,11 @@ print_entries (grub_menu_t menu, const struct menu_viewer_data *data)
print_entry (data->geo.first_entry_y + i, data->offset == i,
e, data);
if (e)
- e = e->next;
+ e = e->next;
+
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
}
grub_term_gotoxy (data->term,
diff --git a/include/grub/menu.h b/include/grub/menu.h
index ee2b5e910..eb8a86ba9 100644
--- a/include/grub/menu.h
+++ b/include/grub/menu.h
@@ -58,6 +58,8 @@ struct grub_menu_entry
int submenu;
+ int hidden;
+
/* The next element. */
struct grub_menu_entry *next;
};
diff --git a/include/grub/normal.h b/include/grub/normal.h
index 218cbabcc..bcb412466 100644
--- a/include/grub/normal.h
+++ b/include/grub/normal.h
@@ -145,7 +145,7 @@ grub_normal_add_menu_entry (int argc, const char **args, char **classes,
const char *id,
const char *users, const char *hotkey,
const char *prefix, const char *sourcecode,
- int submenu);
+ int submenu, int hidden);
grub_err_t
grub_normal_set_password (const char *user, const char *password);

681
nix/configuration/package/grub/default.nix
View File

@@ -1,681 +0,0 @@
{
lib,
stdenv,
fetchgit,
flex,
bison,
python3,
autoconf,
automake,
libtool,
bash,
gettext,
ncurses,
libusb-compat-0_1,
freetype,
qemu,
lvm2,
unifont,
pkg-config,
help2man,
fetchzip,
fetchpatch,
buildPackages,
nixosTests,
fuse, # only needed for grub-mount
runtimeShell,
zfs ? null,
efiSupport ? false,
zfsSupport ? false,
xenSupport ? false,
xenPvhSupport ? false,
kbdcompSupport ? false,
ckbcomp,
}:
let
pcSystems = {
i686-linux.target = "i386";
x86_64-linux.target = "i386";
};
efiSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
armv7l-linux.target = "arm";
aarch64-linux.target = "aarch64";
loongarch64-linux.target = "loongarch64";
riscv32-linux.target = "riscv32";
riscv64-linux.target = "riscv64";
};
# For aarch64, we need to use '--target=aarch64-efi' when building,
# but '--target=arm64-efi' when installing. Insanity!
efiSystemsInstall = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
armv7l-linux.target = "arm";
aarch64-linux.target = "arm64";
loongarch64-linux.target = "loongarch64";
riscv32-linux.target = "riscv32";
riscv64-linux.target = "riscv64";
};
xenSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
};
xenPvhSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "i386"; # Xen PVH is only i386 on x86.
};
inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.attrNames pcSystems);
gnulib = fetchgit {
url = "https://git.savannah.gnu.org/git/gnulib.git";
# NOTE: keep in sync with bootstrap.conf!
rev = "9f48fb992a3d7e96610c4ce8be969cff2d61a01b";
hash = "sha256-mzbF66SNqcSlI+xmjpKpNMwzi13yEWoc1Fl7p4snTto=";
};
# The locales are fetched from translationproject.org at build time,
# but those translations are not versioned/stable. For that reason
# we take them from the nearest release tarball instead:
locales = fetchzip {
url = "https://ftp.gnu.org/gnu/grub/grub-2.12.tar.gz";
hash = "sha256-IoRiJHNQ58y0UhCAD0CrpFiI8Mz1upzAtyh5K4Njh/w=";
};
in
assert zfsSupport -> zfs != null;
assert !(efiSupport && (xenSupport || xenPvhSupport));
assert !(xenSupport && xenPvhSupport);
stdenv.mkDerivation rec {
pname = "grub";
version = "2.12";
src = fetchgit {
url = "https://git.savannah.gnu.org/git/grub.git";
tag = "grub-${version}";
hash = "sha256-lathsBb2f7urh8R86ihpTdwo3h1hAHnRiHd5gCLVpBc=";
};
patches = [
./fix-bash-completion.patch
./add-hidden-menu-entries.patch
# https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
(fetchpatch {
name = "01_implement_grub_strlcpy.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f";
hash = "sha256-MSMgu1vMG83HRImUUsTyA1YQaIhgEreGGPd+ZDWSI2I=";
})
(fetchpatch {
name = "02_CVE-2024-45781.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba";
hash = "sha256-q8ErK+cQzaqwSuhLRFL3AfYBkpgJq1IQmadnlmlz2yw=";
})
(fetchpatch {
name = "03_CVE-2024-45782_CVE-2024-56737.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=417547c10410b714e43f08f74137c24015f8f4c3";
hash = "sha256-mRinw27WZ2d1grzyzFGO18yXx72UVBM6Lf5cR8XJfs8=";
})
(fetchpatch {
name = "04_fs_tar_initialize_name_in_grub_cpio_find_file.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2c8ac08c99466c0697f704242363fc687f492a0d";
hash = "sha256-EMGF0B+Fw6tSmllWUJAp1ynzWk+w2C/XM1LmXSReHWg=";
})
(fetchpatch {
name = "05_CVE-2024-45780.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3";
hash = "sha256-IlW5i4EJVoUYPu9/lb0LeytTpzltQuu5fpkFPQNIhls=";
})
(fetchpatch {
name = "06_fs_f2fs_grub_errno_mount_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=563436258cde64da6b974880abff1bf0959f4da3";
hash = "sha256-Iu0RPyB+pAnqMT+MTX+TrJbYJsvYPn7jbMgE1jcLh/Q=";
})
(fetchpatch {
name = "07_CVE-2024-45783.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898";
hash = "sha256-V1wh2dPeTazmad61jFtOjhq2MdoD+txPWY/AfwwyTZM=";
})
(fetchpatch {
name = "08_fs_iso9660_grub_errno_mount_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=965db5970811d18069b34f28f5f31ddadde90a97";
hash = "sha256-6eN1AvZwXkJOQVcjgymy/E7QiAxzL/d0W3KlAZRqUzI=";
})
(fetchpatch {
name = "09_fs_iso9660_fix_invalid_free.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1443833a9535a5873f7de3798cf4d8389f366611";
hash = "sha256-Gt5yMy5Vg9zrDggj3o/TLNt2vT9/6IuHg4Se2p8e8pI=";
})
(fetchpatch {
name = "10_fs_jfs_fix_oob_read_jfs_getent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=66175696f3a385b14bdf1ebcda7755834bd2d5fb";
hash = "sha256-ETbzbc5gvf55sTLjmJOXXC9VH3qcP1Gv5seR/U9NRiY=";
})
(fetchpatch {
name = "11_fs_jfs_fix_oob_read_caused_by_invalid_dir_slot_index.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ab09fd0531f3523ac0ef833404526c98c08248f7";
hash = "sha256-wE6niiIx4BdN800/Eegb6IbBRoMFpXq9kPvatwhWNXY=";
})
(fetchpatch {
name = "12_fs_jfs_use_full_40_bits_offset_and_address_for_data_extent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=bd999310fe67f35a66de3bfa2836da91589d04ef";
hash = "sha256-fbC4oTEIoGWJASzJI5RXfoanrMLTfjFOI51LCUU7Ctg=";
})
(fetchpatch {
name = "13_fs_jfs_inconsistent_signed_unsigned_types_usage.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=edd995a26ec98654d907a9436a296c2d82bc4b28";
hash = "sha256-aa1G1vi4bPZejfKEqZokAZTzY9Ea2lyxTrP4drDV9tk=";
})
(fetchpatch {
name = "14_fs_ext2_fix_out-of-bounds_read_for_inline_extent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7e2f750f0a795c4d64ec7dc7591edac8da2e978c";
hash = "sha256-PtPqZHMU2fy7btRRaaswLyHizplxnygCzDfcg5ievOQ=";
})
(fetchpatch {
name = "15_fs_ntfs_fix_out-of-bounds_read.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=aff26318783a135562b904ff09e2359893885732";
hash = "sha256-znN6lkAB9aAhTGKR1038DzOz5nzuTp+7ylHVqRM7HeI=";
})
(fetchpatch {
name = "16_fs_ntfs_track_the_end_of_the_MFT_attribute_buffer.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=237a71184a32d1ef7732f5f49ed6a89c5fe1c99a";
hash = "sha256-0I/g0qHkWY6PArPn1UaYRhCrrh9bHknADh34v5eSjjM=";
})
(fetchpatch {
name = "17_fs_ntfs_use_a_helper_function_to_access_attributes.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=048777bc29043403d077d41a81d0183767b8bc71";
hash = "sha256-Mm49MSLqCq143r8ruLJm1QoyCoLtOlCBfqoAPwPlv8E=";
})
# Patch 18 (067b6d225d482280abad03944f04e30abcbdafa1) has been removed because it causes regressions
# https://lists.gnu.org/archive/html/grub-devel/2025-03/msg00067.html
(fetchpatch {
name = "19_fs_xfs_fix_out-of-bounds_read.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6ccc77b59d16578b10eaf8a4fe85c20b229f0d8a";
hash = "sha256-FvTzFvfEi3oyxPC/dUHreyzzeVCskaUlYUjpKY/l0DE=";
})
(fetchpatch {
name = "20_fs_xfs_ensuring_failing_to_mount_sets_a_grub_errno.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d1d6b7ea58aa5a80a4c4d0666b49460056c8ef0a";
hash = "sha256-SLdXMmYHq/gRmWrjRrOu5ZYFod84EllUL6hk+gnr3kg=";
})
(fetchpatch {
name = "21_kern_file_ensure_file_data_is_set.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a7910687294b29288ac649e71b47493c93294f17";
hash = "sha256-DabZK9eSToEmSA9dEwtEN+URiVyS9qf6e2Y2UiMuy8Q=";
})
(fetchpatch {
name = "22_kern_file_implement_filesystem_reference_counting.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=16f196874fbe360a1b3c66064ec15adadf94c57b";
excludes = [ "grub-core/fs/erofs.c" ]; # Does not exist on 2.12
hash = "sha256-yGU//1tPaxi+xFKZrsbUAnvgFpwtrIMG+8cPbSud4+U=";
})
(fetchpatch {
name = "23_prerequisite_1_key_protector_add_key_protectors_framework.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5d260302da672258444b01239803c8f4d753e3f3";
hash = "sha256-5aFHzc5qXBNLEc6yzI17AH6J7EYogcXdLxk//1QgumY=";
})
(fetchpatch {
name = "23_prerequisite_2_disk_cryptodisk_allow_user_to_retry_failed_passphrase.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=386b59ddb42fa3f86ddfe557113b25c8fa16f88c";
hash = "sha256-e1kGQB7wGWvEb2bY3xIpZxE1uzTt9JOKi05jXyUm+bI=";
})
(fetchpatch {
name = "23_prerequisite_3_cryptodisk_support_key_protectors.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ad0c52784a375cecaa8715d7deadcf5d65baf173";
hash = "sha256-+YIvUYA3fLiOFFsXDrQjqjWFluzLa7N1tv0lwq8BqCs=";
})
(fetchpatch {
name = "23_prerequisite_4_cryptodisk_fallback_to_passphrase.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6abf8af3c54abc04c4ec71c75d10fcfbc190e181";
hash = "sha256-eMu9rW4iJucDAsTQMJD1XE6dDIcUmn02cGqIaqBbO3o=";
})
(fetchpatch {
name = "23_prerequisite_5_cryptodisk_wipe_out_the_cached_keys_from_protectors.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b35480b48e6f9506d8b7ad8a3b5206d29c24ea95";
hash = "sha256-5L6Rr+X5Z+Ip91z8cpLcatDW1vyEoZa1icL2oMXPXuI=";
})
(fetchpatch {
name = "23_prerequisite_6_cli_lock_add_build_option_to_block_command_line_interface.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=bb65d81fe320e4b20d0a9b32232a7546eb275ecc";
hash = "sha256-HxXgtvEhtaIjXbOcxJHNpD9/NVOv3uXPnue7cagEMu8=";
})
# (fetchpatch {
# name = "23_CVE-2024-49504.patch";
# url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13febd78db3cd85dcba67d8ad03ad4d42815f11e";
# hash = "sha256-U7lNUb4iVAyQ1yEg5ECHCQGE51tKvY13T9Ji09Q1W9Y=";
# })
(fetchpatch {
name = "24_disk_loopback_reference_tracking_for_the_loopback.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=67f70f70a36b6e87a65f928fe1e840a12eafb7ae";
hash = "sha256-sWBnSF3rAuY1A/IIK1Pc+BqTvyK3j7+lLEhvImtBQMA=";
})
(fetchpatch {
name = "25_kern_disk_limit_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=18212f0648b6de7d71d4c8f41eb4d8b78b3a299b";
hash = "sha256-HiVzXUNs45Fxh4DSqO8wAxSBM7CaYU/bix0PVBcIHGw=";
})
(fetchpatch {
name = "26_kern_partition_limit_recursion_in_part_iterate.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8a7103fddfd6664f41081f3bb88eebbf2871da2a";
hash = "sha256-Nw1VFRVww1VSDSBkRrnTGeaA2PKCitugM12XH6X/2YI=";
})
(fetchpatch {
name = "27_script_execute_limit_the_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d8a937ccae5c6d86dc4375698afca5cefdcd01e1";
hash = "sha256-YOAdPMZ2iBNMzIwAXFkkyTMKh4ptZUQ0J3v9EjnRlbo=";
})
(fetchpatch {
name = "28_net_unregister_net_default_ip_and_net_default_mac_variables_hooks_on_unload.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a1dd8e59da26f1a9608381d3a1a6c0f465282b1d";
hash = "sha256-7fqdkhFqLECzhz1OLavkHrE9ktDAEmx9ZxZayNr/Eo4=";
})
(fetchpatch {
name = "29_net_remove_variables_hooks_when_interface_is_unregisted.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=aa8b4d7facef7b75a2703274b1b9d4e0e734c401";
hash = "sha256-m3VLDbJlwchV5meEpU4LJrDxBtA80qvYcVMJinHLnac=";
})
(fetchpatch {
name = "30_CVE-2025-0624.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5eef88152833062a3f7e017535372d64ac8ef7e1";
hash = "sha256-DvhzHnenAmO9SZpi4kU+0GhyKZB4q4xQYuNJgEhJmn0=";
})
(fetchpatch {
name = "31_net_tftp_fix_stack_buffer_overflow_in_tftp_open.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0707accab1b9be5d3645d4700dde3f99209f9367";
hash = "sha256-16NrpWFSE4jFT2uxmJg16jChw8HiGRTol25XQXNQ5l4=";
})
(fetchpatch {
name = "32_CVE-2024-45774.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2c34af908ebf4856051ed29e46d88abd2b20387f";
hash = "sha256-OWmF+fp2TmetQjV4EWMcESW8u52Okkb5C5IPLfczyv4=";
})
(fetchpatch {
name = "33_kern_dl_fix_for_an_integer_overflow_in_grub_dl_ref.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=500e5fdd82ca40412b0b73f5e5dda38e4a3af96d";
hash = "sha256-FNqOWo+oZ4/1sCbTi2uaeKchUxwAKXtbzhScezm0yxk=";
})
# Patch 34 (https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d72208423dcabf9eb4a3bcb17b6b31888396bd49)
# is skipped, grub_dl_set_mem_attrs() does not exist on 2.12
(fetchpatch {
name = "35_kern_dl_check_for_the_SHF_INFO_LINK_flag_in_grub_dl_relocate_symbols.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=98ad84328dcabfa603dcf5bd217570aa6b4bdd99";
hash = "sha256-Zi4Pj2NbodL0VhhO5MWhvErb8xmA7Li0ur0MxpgQjzg=";
})
(fetchpatch {
name = "36_CVE-2024-45775.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872";
hash = "sha256-T6DO8iuImQTP7hPaCAHMtFnheQoCkZ6w+kfNolLPmrY=";
})
(fetchpatch {
name = "37_commands_ls_fix_NULL_dereference.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0bf56bce47489c059e50e61a3db7f682d8c44b56";
hash = "sha256-h5okwqv4ZFahP3ANUbsk1fiSV4pwEnxUExeBgQ4tiTI=";
})
(fetchpatch {
name = "38_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2123c5bca7e21fbeb0263df4597ddd7054700726";
hash = "sha256-tFE7VgImGZWDICyvHbrI1hqW6/XohgdTmk21MzljMGw=";
})
(fetchpatch {
name = "39_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9c16197734ada8d0838407eebe081117799bfe67";
hash = "sha256-tTeuEvadKbXVuY0m0dKtTr11Lpb3yQi4zk0bpwrMOeA=";
})
(fetchpatch {
name = "40_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637";
hash = "sha256-khRLpWqE7hzzoqssVkGFMjAv09T+uHn13Q9pCpogMms=";
})
(fetchpatch {
name = "41_CVE-2024-45776.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91";
hash = "sha256-yrl/6XUdKQg/MLe8KFuFoRRbQSyOhDmyvnWBV+sr3EY=";
})
(fetchpatch {
name = "42_CVE-2024-45777.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b970a5ed967816bbca8225994cd0ee2557bad515";
hash = "sha256-Vl5Emw3O3Ba2hD1GCWune4PGduDDPO0gM5u+zx/OwKo=";
})
(fetchpatch {
name = "43_CVE-2025-0690.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc";
hash = "sha256-DeWOncndX2VM8w1lb5fd5wHAZrI+ChB5Pj9XbUIfDWY=";
})
(fetchpatch {
name = "44_commands_test_stack_overflow_due_to_unlimited_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c68b7d23628a19da67ebe2e06f84165ee04961af";
hash = "sha256-aputM9KqkB/cK8hBiU9VXbu0LpLNlNCMVIeE9h2pMgY=";
})
(fetchpatch {
name = "45_CVE-2025-1118.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=34824806ac6302f91e8cabaa41308eaced25725f";
hash = "sha256-PKQs+fCwj4a9p4hbMqAT3tFNoAOw4xnbKmCwjPUgEOc=";
})
(fetchpatch {
name = "46_commands_memrw_disable_memory_reading_in_lockdown_mode.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=340e4d058f584534f4b90b7dbea2b64a9f8c418c";
hash = "sha256-NiMIUnfRreDBw+k4yxUzoRNMFL8pkJhVtkINVgmv5XA=";
})
(fetchpatch {
name = "47_commands_hexdump_disable_memory_reading_in_lockdown_mode.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5f31164aed51f498957cdd6ed733ec71a8592c99";
hash = "sha256-NA7QjxZ9FP+WwiOveqLkbZqsF7hULIyaVS3gNaSUXJE=";
})
(fetchpatch {
name = "48_CVE-2024-45778_CVE-2024-45779.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=26db6605036bd9e5b16d9068a8cc75be63b8b630";
hash = "sha256-1+ImwkF/qsejWs2lpyO6xbcqVo2NJGv32gjrP8mEPnI=";
})
(fetchpatch {
name = "49_CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c4bc55da28543d2522a939ba4ee0acde45f2fa74";
hash = "sha256-qrlErSImMX8eXJHkXjOe5GZ6lWOya5SVpNoiqyEM1lE=";
})
(fetchpatch {
name = "50_disk_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c407724dad6c3e2fc1571e57adbda71cc03f82aa";
hash = "sha256-kkAjxXvCdzwqh+oWtEF3qSPiUX9cGWO6eSFVeo7WJzQ=";
})
(fetchpatch {
name = "51_disk_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d8151f98331ee4d15fcca59edffa59246d8fc15f";
hash = "sha256-2U+gMLigOCCg3P1GB615xQ0B9PDA6j92tt1ba3Tqg+E=";
})
(fetchpatch {
name = "52_disk_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=33bd6b5ac5c77b346769ab5284262f94e695e464";
hash = "sha256-+BaJRskWP/YVEdvIxMvEydjQx2LpLlGphRtZjiOUxJ0=";
})
(fetchpatch {
name = "53_disk_ieee1275_ofdisk_call_grub_ieee1275_close_when_grub_malloc_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=fbaddcca541805c333f0fc792b82772594e73753";
hash = "sha256-9sGA41HlB/8rtT/fMfkDo4ZJMXBSr+EyN92l/0gDfl4=";
})
(fetchpatch {
name = "54_fs_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6608163b08a7a8be4b0ab2a5cd4593bba07fe2b7";
excludes = [ "grub-core/fs/erofs.c" ]; # Does not exist on 2.12
hash = "sha256-mW4MH5VH5pDxCaFhNh/4mEcYloga56p8vCi7X4kSaek=";
})
(fetchpatch {
name = "55_CVE-2025-0678_CVE-2025-1125.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=84bc0a9a68835952ae69165c11709811dae7634e";
hash = "sha256-rCliqM2+k7rTGNpdHFkg3pHvuISjoG0MQr6/8lIvwK4=";
})
(fetchpatch {
name = "56_fs_prevent_overflows_when_assigning_returned_values_from_read_number.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=cde9f7f338f8f5771777f0e7dfc423ddf952ad31";
hash = "sha256-dN3HJXNIYtaUZL0LhLabC4VKK6CVC8km9UTw/ln/6ys=";
})
(fetchpatch {
name = "57_fs_zfs_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=88e491a0f744c6b19b6d4caa300a576ba56db7c9";
hash = "sha256-taSuKyCf9+TiQZcF26yMWpDDQqCfTdRuZTqB9aEz3aA=";
})
(fetchpatch {
name = "58_fs_zfs_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7f38e32c7ebeaebb79e2c71e3c7d5ea367d3a39c";
hash = "sha256-E5VmP7I4TAEXxTz3j7mi/uIr9kOSzMoPHAYAbyu56Xk=";
})
(fetchpatch {
name = "59_fs_zfs_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13065f69dae0eeb60813809026de5bd021051892";
hash = "sha256-1W//rHUspDS+utdNc069J8lX1ONfoBKiJYnUt46C/D0=";
})
(fetchpatch {
name = "60_fs_zfs_add_missing_NULL_check_after_grub_strdup_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dd6a4c8d10e02ca5056681e75795041a343636e4";
hash = "sha256-iFLEkz5G6aQ8FXGuY7/wgN4d4o0+sUxWMKYIFcQ/H+o=";
})
(fetchpatch {
name = "61_net_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4beeff8a31c4fb4071d2225533cfa316b5a58391";
hash = "sha256-/gs5ZhplQ1h7PWw0p+b5+0OxmRcvDRKWHj39ezhivcg=";
})
(fetchpatch {
name = "62_net_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dee2c14fd66bc497cdc74c69fde8c9b84637c8eb";
hash = "sha256-cO02tCGEeQhQF0TmgtNOgUwRLnNgmxhEefo1gtSlFOk=";
})
(fetchpatch {
name = "63_net_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1c06ec900591d1fab6fbacf80dc010541d0a5ec8";
hash = "sha256-oSRhWWVraitoVDqGlFOVzdCkaNqFGOHLjJu75CSc388=";
})
(fetchpatch {
name = "64_fs_sfs_check_if_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e3c578a56f9294e286b6028ca7c1def997a17b15";
hash = "sha256-7tvFbmjWmWmmRykQjMvZV6IYlhSS8oNR7YfaO5XXAfU=";
})
(fetchpatch {
name = "65_script_execute_fix_potential_underflow_and_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d13b6e8ebd10b4eb16698a002aa40258cf6e6f0e";
hash = "sha256-paMWaAIImzxtufUrVF5v4T4KnlDAJIPhdaHznu5CyZ8=";
})
(fetchpatch {
name = "66_osdep_unix_getroot_fix_potential_underflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=66733f7c7dae889861ea3ef3ec0710811486019e";
hash = "sha256-/14HC1kcW7Sy9WfJQFfC+YnvS/GNTMP+Uy6Dxd3zkwc=";
})
(fetchpatch {
name = "67_misc_ensure_consistent_overflow_error_messages.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f8795cde217e21539c2f236bcbb1a4bf521086b3";
hash = "sha256-4X7wr1Tg16xDE9FO6NTlgkfLV5zFKmajeaOspIqcCuI=";
})
(fetchpatch {
name = "68_bus_usb_ehci_define_GRUB_EHCI_TOGGLE_as_grub_uint32_t.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9907d9c2723304b42cf6da74f1cc6c4601391956";
hash = "sha256-D8xaI8g7ffGGmZqqeS8wxWIFLUWUBfmHwMVOHkYTc2I=";
})
(fetchpatch {
name = "69_normal_menu_use_safe_math_to_avoid_an_integer_overflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5b36a5210e21bee2624f8acc36aefd8f10266adb";
hash = "sha256-UourmM0Zlaj4o+SnYi5AtjfNujDOt+2ez2XH/uWyiaM=";
})
(fetchpatch {
name = "70_kern_partition_add_sanity_check_after_grub_strtoul_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8e6e87e7923ca2ae880021cb42a35cc9bb4c8fe2";
hash = "sha256-4keMUu6ZDKmuSQlFnldV15dDGUibsnSvoEWhLsqWieI=";
})
(fetchpatch {
name = "71_kern_misc_add_sanity_check_after_grub_strtoul_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a8d6b06331a75d75b46f3dd6cc6fcd40dcf604b7";
hash = "sha256-2Mpe1sqyuoUPyMAKGZTNzG/ig3G3K8w0gia7lc508Rg=";
})
(fetchpatch {
name = "72_loader_i386_linux_cast_left_shift_to_grub_uint32_t.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=490a6ab71cebd96fae7a1ceb9067484f5ccbec2a";
hash = "sha256-e49OC1EBaX0/nWTTXT5xE5apTJPQV0myP5Ohxn9Wwa8=";
})
(fetchpatch {
name = "73_loader_i386_bsd_use_safe_math_to_avoid_underflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4dc6166571645780c459dde2cdc1b001a5ec844c";
hash = "sha256-e8X+oBvejcFNOY1Tp/f6QqCDwrgK7f9u1F8SdO/dhy4=";
})
(fetchpatch {
# Fixes 7e2f750f0a (security patch 14/73)
name = "fs_ext2_rework_out-of-bounds_read_for_inline_and_external_extents.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=348cd416a3574348f4255bf2b04ec95938990997";
hash = "sha256-WBLYQxv8si2tvdPAvbm0/4NNqYWBMJpFV4GC0HhN/kE=";
})
];
postPatch =
if kbdcompSupport then
''
sed -i util/grub-kbdcomp.in -e 's@\bckbcomp\b@${ckbcomp}/bin/ckbcomp@'
''
else
''
echo '#! ${runtimeShell}' > util/grub-kbdcomp.in
echo 'echo "Compile grub2 with { kbdcompSupport = true; } to enable support for this command."' >> util/grub-kbdcomp.in
'';
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [
bison
flex
python3
pkg-config
gettext
freetype
autoconf
automake
help2man
];
buildInputs = [
ncurses
libusb-compat-0_1
freetype
lvm2
fuse
libtool
bash
]
++ lib.optional doCheck qemu
++ lib.optional zfsSupport zfs;
strictDeps = true;
hardeningDisable = [ "all" ];
separateDebugInfo = !xenSupport;
preConfigure = ''
for i in "tests/util/"*.in
do
sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
done
# Apparently, the QEMU executable is no longer called
# `qemu-system-i386', even on i386.
#
# In addition, use `-nodefaults' to avoid errors like:
#
# chardev: opening backend "stdio" failed
# qemu: could not open serial device 'stdio': Invalid argument
#
# See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
sed -i "tests/util/grub-shell.in" \
-e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
unset CPP # setting CPP intereferes with dependency calculation
patchShebangs .
GNULIB_REVISION=$(. bootstrap.conf; echo $GNULIB_REVISION)
if [ "$GNULIB_REVISION" != ${gnulib.rev} ]; then
echo "This version of GRUB requires a different gnulib revision!"
echo "We have: ${gnulib.rev}"
echo "GRUB needs: $GNULIB_REVISION"
exit 1
fi
cp -f --no-preserve=mode ${locales}/po/LINGUAS ${locales}/po/*.po po
./bootstrap --no-git --gnulib-srcdir=${gnulib}
substituteInPlace ./configure --replace '/usr/share/fonts/unifont' '${unifont}/share/fonts'
'';
postConfigure = ''
# make sure .po files are up to date to workaround
# parallel `msgmerge --update` on autogenerated .po files:
# https://github.com/NixOS/nixpkgs/pull/248747#issuecomment-1676301670
make dist
'';
configureFlags = [
"--enable-grub-mount" # dep of os-prober
]
++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
# grub doesn't do cross-compilation as usual and tries to use unprefixed
# tools to target the host. Provide toolchain information explicitly for
# cross builds.
#
# Ref: # https://github.com/buildroot/buildroot/blob/master/boot/grub2/grub2.mk#L108
"TARGET_CC=${stdenv.cc.targetPrefix}cc"
"TARGET_NM=${stdenv.cc.targetPrefix}nm"
"TARGET_OBJCOPY=${stdenv.cc.targetPrefix}objcopy"
"TARGET_RANLIB=${stdenv.cc.targetPrefix}ranlib"
"TARGET_STRIP=${stdenv.cc.targetPrefix}strip"
]
++ lib.optional zfsSupport "--enable-libzfs"
++ lib.optionals efiSupport [
"--with-platform=efi"
"--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}"
"--program-prefix="
]
++ lib.optionals xenSupport [
"--with-platform=xen"
"--target=${xenSystemsBuild.${stdenv.hostPlatform.system}.target}"
]
++ lib.optionals xenPvhSupport [
"--with-platform=xen_pvh"
"--target=${xenPvhSystemsBuild.${stdenv.hostPlatform.system}.target}"
];
# save target that grub is compiled for
grubTarget =
if efiSupport then
"${efiSystemsInstall.${stdenv.hostPlatform.system}.target}-efi"
else
lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc";
doCheck = false;
enableParallelBuilding = true;
postInstall = ''
# Avoid a runtime reference to gcc
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
# just adding bash to buildInputs wasn't enough to fix the shebang
substituteInPlace $out/lib/grub/*/modinfo.sh \
--replace ${buildPackages.bash} "/usr/bin/bash"
'';
passthru.tests = {
nixos-grub = nixosTests.grub;
nixos-install-simple = nixosTests.installer.simple;
nixos-install-grub-uefi = nixosTests.installer.simpleUefiGrub;
nixos-install-grub-uefi-spec = nixosTests.installer.simpleUefiGrubSpecialisation;
};
meta = with lib; {
description = "GNU GRUB, the Grand Unified Boot Loader";
longDescription = ''
GNU GRUB is a Multiboot boot loader. It was derived from GRUB, GRand
Unified Bootloader, which was originally designed and implemented by
Erich Stefan Boleyn.
Briefly, the boot loader is the first software program that runs when a
computer starts. It is responsible for loading and transferring
control to the operating system kernel software (such as the Hurd or
the Linux). The kernel, in turn, initializes the rest of the
operating system (e.g., GNU).
'';
homepage = "https://www.gnu.org/software/grub/";
license = licenses.gpl3Plus;
platforms =
if efiSupport then
lib.attrNames efiSystemsBuild
else if xenSupport then
lib.attrNames xenSystemsBuild
else if xenPvhSupport then
lib.attrNames xenPvhSystemsBuild
else
platforms.gnu ++ platforms.linux;
maintainers = [ ];
};
}

24
nix/configuration/package/grub/fix-bash-completion.patch
View File

@@ -1,24 +0,0 @@
diff -ubr grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in grub-2.00/util/bash-completion.d/grub-completion.bash.in
--- grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:02:36.342733957 +0200
+++ grub-2.00/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:04:48.262733941 +0200
@@ -17,6 +17,12 @@
# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
# bash completion for grub
+have()
+{
+ unset -v have
+ _have $1 && have=yes
+}
+
__grub_dir() {
local i c=1 boot_dir
@@ -479,6 +485,7 @@
have ${__grub_script_check_program} && \
complete -F _grub_script_check -o filenames ${__grub_script_check_program}
+unset -f have
# Local variables:
# mode: shell-script

26
nix/configuration/roles/android/default.nix Normal file
View File

@@ -0,0 +1,26 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
options.me = {
android.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to install android.";
};
};
config = lib.mkIf config.me.android.enable {
environment.systemPackages = with pkgs; [
android-tools
];
users.users.talexander.extraGroups = [ "adbusers" ];
};
}

6
nix/configuration/roles/base/default.nix
View File

@@ -14,7 +14,7 @@ let
cleanup_temporary_files = (
patchScriptBin "cleanup_temporary_files" (builtins.readFile ./files/cleanup_temporary_files.bash)
);
alias_rga = pkgs.writeShellScriptBin "ks" ''
alias_rga = pkgs.writeShellScriptBin "rga" ''
exec ${pkgs.ripgrep}/bin/rg -uuu "''${@}"
'';
in
@@ -57,8 +57,10 @@ in
ipcalc
gptfdisk # for cgdisk
nix-output-monitor # For better view into nixos-rebuild
nix-serve-ng # Serve nix store over http
# nix-serve-ng # Serve nix store over http
cleanup_temporary_files
jq
inetutils # For whois
];
};
}

37
nix/configuration/roles/boot/default.nix
View File

@@ -23,6 +23,27 @@
example = true;
description = "Enable to use secure boot.";
};
rollback.enable = lib.mkOption {
type = lib.types.bool;
default = true;
example = true;
description = "Whether we want to enable rolling back during boot.";
};
rollback.dataset = lib.mkOption {
default = { };
example = lib.literalExpression ''
{
"zroot/linux/nix/root@blank" = true;
"zroot/linux/nix/home@blank" = lib.mkForce false;
}
'';
type = lib.types.coercedTo (lib.types.listOf lib.types.str) (
enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)
) (lib.types.attrsOf lib.types.bool);
description = "List of ZFS datasets to rollback to during boot.";
};
};
config = lib.mkIf config.me.boot.enable (
@@ -51,7 +72,7 @@
# Check what will be lost with `zfs diff zroot/linux/root@blank`
boot.initrd.systemd.enable = lib.mkDefault true;
boot.initrd.systemd.services.zfs-rollback = {
boot.initrd.systemd.services.zfs-rollback = lib.mkIf config.me.rollback.enable {
description = "Rollback ZFS root dataset to blank snapshot";
wantedBy = [
"initrd.target"
@@ -62,16 +83,14 @@
before = [
"sysroot.mount"
];
path = with pkgs; [
zfs
];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
zfs rollback -r zroot/linux/nix/root@blank
zfs rollback -r zroot/linux/nix/home@blank
echo "rollback complete"
'';
script = lib.concatStringsSep "\n" (
(builtins.map (ds: "${config.boot.zfs.package}/sbin/zfs rollback -r '${ds}'") (
builtins.attrNames config.me.rollback.dataset
))
++ [ ''echo "rollback complete"'' ]
);
};
# boot.loader.systemd-boot.extraEntries = {

81
nix/configuration/roles/disko/default.nix
View File

@@ -7,32 +7,49 @@
...
}:
let
flakeOutPaths =
let
collector =
parent:
map (
child:
[ child.outPath ] ++ (if child ? inputs && child.inputs != { } then (collector child) else [ ])
) (lib.attrValues parent.inputs);
in
lib.unique (lib.flatten (collector self));
dependencies = [
this_nixos_config.pkgs.stdenv.drvPath
(this_nixos_config.pkgs.closureInfo { rootPaths = [ ]; }).drvPath
# let
# flakeOutPaths =
# let
# collector =
# parent:
# map (
# child:
# [ child.outPath ] ++ (if child ? inputs && child.inputs != { } then (collector child) else [ ])
# ) (lib.attrValues parent.inputs);
# in
# lib.unique (lib.flatten (collector self));
# dependencies = [
# this_nixos_config.pkgs.stdenv.drvPath
# (this_nixos_config.pkgs.closureInfo { rootPaths = [ ]; }).drvPath
# https://github.com/NixOS/nixpkgs/blob/f2fd33a198a58c4f3d53213f01432e4d88474956/nixos/modules/system/activation/top-level.nix#L342
this_nixos_config.pkgs.perlPackages.ConfigIniFiles
this_nixos_config.pkgs.perlPackages.FileSlurp
# # https://github.com/NixOS/nixpkgs/blob/f2fd33a198a58c4f3d53213f01432e4d88474956/nixos/modules/system/activation/top-level.nix#L342
# this_nixos_config.pkgs.perlPackages.ConfigIniFiles
# this_nixos_config.pkgs.perlPackages.FileSlurp
this_nixos_config.config.system.build.toplevel
this_nixos_config.config.system.build.diskoScript
]
++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
# this_nixos_config.config.system.build.toplevel
# # this_nixos_config.config.system.build.toplevel.drvPath
# this_nixos_config.config.system.build.diskoScript
# this_nixos_config.config.system.build.diskoScript.drvPath
# this_nixos_config.config.system.build.destroyScript.drvPath
# this_nixos_config.config.system.build.formatScript.drvPath
# this_nixos_config.config.system.build.mountScript.drvPath
# this_nixos_config.config.system.build.destroyScript
# this_nixos_config.config.system.build.formatScript
# this_nixos_config.config.system.build.mountScript
# # config.system.build.diskoScript
# # config.system.build.diskoScript.drvPath
# # config.system.build.destroyScript.drvPath
# # config.system.build.formatScript.drvPath
# # config.system.build.mountScript.drvPath
# # config.system.build.destroyScript
# # config.system.build.formatScript
# # config.system.build.mountScript
# ]
# ++ flakeOutPaths;
closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
in
# closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
# in
{
imports = [ ];
@@ -60,17 +77,27 @@ in
];
}
(lib.mkIf config.me.disko.offline.enable {
# exec ${pkgs.disko}/bin/disko-install --flake '${self}#${config.networking.hostName}' --disk main '/dev/nvme0n1' --write-efi-boot-entries
#${pkgs.disko}/bin/disko --mode destroy,format,mount '${self}/hosts/${config.networking.hostName}/disk-config.nix'
environment.systemPackages = with pkgs; [
(pkgs.writeShellScriptBin "install-nixos-unattended" ''
set -xeuo pipefail
IFS=$'\n\t'
# exec ${pkgs.disko}/bin/disko-install --flake '${self}#${config.networking.hostName}' --disk main '/dev/nvme0n1' --write-efi-boot-entries
${pkgs.disko}/bin/disko --mode destroy,format,mount '${self}/hosts/${config.networking.hostName}/disk-config.nix'
${pkgs.nixos-install}/bin/nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --no-channel-copy --no-root-password --flake '${self}#${config.networking.hostName}'
${this_nixos_config.config.system.build.destroyScript}
${this_nixos_config.config.system.build.formatScript}
${this_nixos_config.config.system.build.mountScript}
${pkgs.nixos-install}/bin/nixos-install --substituters "" --no-channel-copy --no-root-password --flake '${self}#${config.networking.hostName}'
#${pkgs.nixos-install}/bin/nixos-install --substituters "" --no-channel-copy --no-root-password --system '${this_nixos_config.config.system.build.toplevel}'
'')
];
environment.etc."install-closure".source = "${closureInfo}/store-paths";
# environment.etc."install-closure".source = "${closureInfo}/store-paths";
})
]
);

155
nix/configuration/roles/distributed_build/default.nix
View File

@@ -1,6 +1,8 @@
{
config,
lib,
all_nixos_configs,
pkgs,
...
}:
@@ -23,7 +25,59 @@ let
};
description = "Additional config values for the buildMachines entry. For example, speedFactor.";
};
substituter_url = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "ssh-ng://remote-host";
description = "URL to use as a substituter.";
};
};
static_host_configs = {
quark = {
# From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUx0alplYlVYTkRkU3Y1enVGbjM3eFNMZUN3S2hPKzFMdWovM2FYNFJRTEEgcm9vdEBxdWFyawo=";
systems = [
"i686-linux"
"x86_64-linux"
# "aarch64-linux"
];
};
hydra = {
# Does not work, so we have to use root's authorized keys. Not sure why. My best guess is it is related to overriding the ssh target via the ssh config.
#
# From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
# publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUNJRk9tU0NWV25xVVFFL2RKd2R0STdRQ29LTHhBNHRmWnRSYStFSG9XV0wgcm9vdEBoeWRyYQo=";
# publicHostKey = "c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFDQVFDNk1nNytKMys1d2c5QkJmLzkweWJhbnhJK3ZiSXRzY1ZoTzRRVFNMT1FJM1QxbWMrNUxTK2oxdDY4a20zVmx1c2k5WWh0UmNOVk1NbmZQT3Q3ejFyZ0Q4Y05iY3UzU0xCOTNGR2hvb1ZtUktyVEMyaVE4bkxZYVoyV1lrdnZ3UjJ6b24zTjRlTlFJdWUwR0EzTEtNKy82RDN5V3didjRYV2pFeWtpa1NoVFJUVUtMTjU4aUVVOVRmcnEzeE1Ib0EvYmJZMGIxK1QzUDRkQ05wb3BFcFczaVJaYkV0NUpvNS92VFBsVjc4L3I3bnV2eHlaVjU3dWhzYjhFQlFzYUdCYTIraEt6SUhFblBHWXlPUDVRRWVCZ1ZBUzh6bFg4aktaZnZuaDA0NmdFdFoyMWJWdHNBZHNXcnVYdXNEUVQyanJ2VjJOVTYvc2cyMzZPbFZvWVU4Z1JYRHZiTXhoclVSVWNsajM1RGlzTi9wMEd2clZOckVjSktZK245MS9UMG9qU0gvVTVlRzVPclhZRXQwVzIra0NsVDk0T2kxM2JjQkVDYmVUUXJKMjJRc1hKSnVEVkVzOWhsU2RLemZkMDVaaVc3MllHaHRCRWptL015UG1nSHhxYzNTKzEwc0VvT2FIazdtRjQ0M0o1MzZoWEVHZDhGWjROMnQ3MlF3V3RuUGoyNENYOG8wbmNJN2ZIYTRHTWsybi9EWU84MlNUTEJHeVBMTkxnK040NUcyYUhaSk1NWGprWlplMUVZS0dQQm5tcTFlVUdFMVd0ZkVRSEhCTHd3Y0dDdm15aWI1NTliQ0p5NWExS2pnSGNBYlk0WVRKOTlwMWtPT2lIcVlvTnArczlhSklPZU93aE5xbkkrOUxrWnYrbEhCdXRoM3A1anRRNzA3bEJMMmVBd1E9PSByb290QGh5ZHJhCg==";
systems = [
"i686-linux"
"x86_64-linux"
# "aarch64-linux"
];
hostName = lib.mkForce "hydra?remote-store=local?root=/.disk/root";
};
};
joined_configs =
lib.genAttrs
(builtins.filter (hostname: config.me.distributed_build.machines."${hostname}".enable) (
builtins.attrNames all_nixos_configs
))
(
hostname:
(lib.mkMerge [
{
hostName = hostname;
sshUser = "nixworker";
sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
maxJobs = 1;
supportedFeatures = all_nixos_configs."${hostname}".config.me.optimizations.system_features;
}
static_host_configs."${hostname}"
config.me.distributed_build.machines."${hostname}".additional_config
])
);
in
{
imports = [ ];
@@ -36,77 +90,62 @@ in
description = "Whether we want to use multiple machines to perform a nixos-rebuild.";
};
distributed_build.machines.hydra = make_machine_config "hydra";
distributed_build.machines.quark = make_machine_config "quark";
distributed_build.machines = lib.mapAttrs (name: value: make_machine_config name) all_nixos_configs;
};
config = lib.mkIf config.me.distributed_build.enable (
lib.mkMerge [
{
nix.distributedBuilds = true;
}
(lib.mkIf config.me.distributed_build.machines.hydra.enable {
nix.buildMachines = [
(
{
hostName = "hydra";
sshUser = "nixworker";
# sshKey = "";
# publicHostKey = "";
systems = [
"i686-linux"
"x86_64-linux"
# "aarch64-linux"
];
maxJobs = 1;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
# "kvm"
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"gccarch-skylake"
"gccarch-kabylake"
"gccarch-znver4"
# Using an ssh-based substituter slows down the build because querying the remote store for paths takes ages.
#
# nix.settings.substituters = lib.mkForce [
# "ssh-ng://nixworker@ns1.fizz.buzz:65122?compress=true&ssh-key=/persist/manual/ssh/root/keys/id_ed25519&remote-store=/.disk/root"
# ];
# nix.settings.substitute = lib.mkForce true;
# nix.settings.post-build-hook = pkgs.writeShellScript "post-build-hook" ''
# set -euo pipefail
# IFS=$'\n\t'
# set -f # disable globbing
# echo "Signing and uploading paths" $OUT_PATHS
# exec nix copy --to 'ssh://hydra' $OUT_PATHS
# '';
nix.settings.secret-key-files = [ "/persist/manual/nix/nix-cache-key.sec" ];
nix.settings.trusted-public-keys = lib.mkForce [
"odo:0S/XKSFjjIrihQ7lbHEIebXk/c/xuoodhm0Gz26YhjA="
"odowork:zg3UKBAyLy3xtZkL0hMtbxHjxgn5A2QY8NNAgyRT6Yo="
"quark:Eb6ygkIiVlcUqb5hOjEVIQcfYLpCz40YVYA3/rxrgBc="
];
}
// config.me.distributed_build.machines.hydra.additional_config
)
];
})
(lib.mkIf config.me.distributed_build.machines.quark.enable {
nix.buildMachines = [
(
{
hostName = "quark";
nix.buildMachines = (
map (
hostname:
(lib.mkIf config.me.distributed_build.machines."${hostname}".enable (
lib.mkMerge [
{
hostName = hostname;
sshUser = "nixworker";
sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
# From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUx0alplYlVYTkRkU3Y1enVGbjM3eFNMZUN3S2hPKzFMdWovM2FYNFJRTEEgcm9vdEBxdWFyawo=";
systems = [
"i686-linux"
"x86_64-linux"
# "aarch64-linux"
];
maxJobs = 1;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"gccarch-skylake"
"gccarch-kabylake"
"gccarch-znver4"
"gccarch-znver5"
];
supportedFeatures = all_nixos_configs."${hostname}".config.me.optimizations.system_features;
protocol = "ssh-ng";
}
// config.me.distributed_build.machines.quark.additional_config
)
];
})
static_host_configs."${hostname}"
config.me.distributed_build.machines."${hostname}".additional_config
]
))
) (builtins.attrNames all_nixos_configs)
);
}
# {
# nix.settings.substitute = lib.mkForce true;
# nix.settings.substituters = lib.mkForce (
# lib.mapAttrsToList (hostname: joined_config: "ssh-ng://${joined_config.hostName}") joined_configs
# );
# }
]
);
}

7
nix/configuration/roles/dont_use_substituters/default.nix
View File

@@ -19,10 +19,7 @@
config = lib.mkIf config.me.dont_use_substituters.enable {
# Disable substituters to avoid risk of cache poisoning.
nix.extraOptions = ''
substitute = false
'';
nix.settings.substituters = lib.mkForce [ ];
nix.settings.substitute = false;
nix.settings.substituters = lib.mkOverride 99 [ ];
};
}

2
nix/configuration/roles/emacs/default.nix
View File

@@ -125,7 +125,7 @@ in
]
))
final.nixd # nix language server
final.nixfmt-rfc-style # auto-formatting nix files through nixd
final.nixfmt # auto-formatting nix files through nixd
final.clang # To compile tree-sitter grammars
final.shellcheck
final.cmake-language-server

23
nix/configuration/roles/emacs/files/emacs/elisp/base-functions.el
View File

@@ -27,6 +27,29 @@
)
)
(defun run-command-on-buffer-require-output (cmd &rest args)
"Run a command using the current buffer as stdin and replacing its contents if the command succeeds with the stdout from the command. This is useful for code formatters. This version only replaces the buffer contents if the command output some text."
(let (
(stdout-buffer (generate-new-buffer "tmp-stdout" t))
(full-cmd (append '(call-process-region nil nil cmd nil stdout-buffer nil) args))
)
(unwind-protect
(let ((exit-status (eval full-cmd)))
(if (eq exit-status 0)
(if (> (buffer-size stdout-buffer) 0)
(save-excursion
(replace-buffer-contents stdout-buffer)
)
(message "No output from command on buffer %s" (append (list cmd) args))
)
(message "FAILED running command on buffer %s" (append (list cmd) args))
)
)
(kill-buffer stdout-buffer)
)
)
)
(defun run-command-in-directory (dir cmd &rest args)
"Run a command in the specified directory. If the directory is nil, the directory of the file is used. The stdout result is trimmed of whitespace and returned."
(let (

23
nix/configuration/roles/emacs/files/emacs/elisp/base.el
View File

@@ -1,9 +1,19 @@
(package-initialize)
(use-package use-package)
(use-package use-package
:custom
;; Unless otherwise specified, always install packages if they are absent.
(use-package-always-ensure t)
;; Allow updating built-in packages like eglot
;; For some reason, built-in packages are still not updating so I'm just going to comment this out.
;; (package-install-upgrade-built-in t)
;; Natively compile packages
(package-native-compile t)
:config
(add-to-list 'package-archives
'("melpa" . "https://melpa.org/packages/")
)
)
(use-package auto-package-update
:ensure t
@@ -71,10 +81,11 @@
)
(setq-default
;; Unless otherwise specified, always install packages if they are absent.
use-package-always-ensure t
;; Point custom-file at /dev/null so emacs does not write any settings to my dotfiles.
custom-file "/dev/null"
;; custom-file "/dev/null"
;;
;; list-package breaks on newer versions of emacs if custom-file is set to /dev/null
custom-file (expand-file-name "custom.el" user-emacs-directory)
;; Don't pop up a small window at the bottom of emacs at launch.
inhibit-startup-screen t
inhibit-startup-message t
@@ -95,8 +106,6 @@
"%b")))
;; Use 'y' or 'n' instead of 'yes' or 'no'
use-short-answers t
;; Natively compile packages
package-native-compile t
;; Confirm when opening a file that does not exist
confirm-nonexistent-file-or-buffer t
;; Do not require double space to end a sentence.

1
nix/configuration/roles/emacs/files/emacs/elisp/common-lsp.el
View File

@@ -1,4 +1,5 @@
(use-package eglot
;; This is an emacs built-in but we're pulling the latest version
:pin gnu
:commands (eglot eglot-ensure)
:bind (:map eglot-mode-map

4
nix/configuration/roles/emacs/files/emacs/elisp/lang-d2.el
View File

@@ -1,14 +1,14 @@
(defun d2-format-buffer ()
"Run prettier."
(interactive)
(run-command-on-buffer "d2" "fmt" "-")
(run-command-on-buffer-require-output "d2" "fmt" "-")
)
(use-package d2-mode
:commands (d2-mode)
:hook (
(d2-mode . (lambda ()
;; (add-hook 'before-save-hook 'd2-format-buffer nil 'local)
(add-hook 'before-save-hook 'd2-format-buffer nil 'local)
))
)
)

5
nix/configuration/roles/emacs/files/emacs/elisp/lang-nft.el Normal file
View File

@@ -0,0 +1,5 @@
(use-package nftables-mode
:commands nftables-mode
)
(provide 'lang-nft)

16
nix/configuration/roles/emacs/files/emacs/elisp/lang-org.el
View File

@@ -1,3 +1,5 @@
(require 'color)
(let ((bg (face-attribute 'default :background)))
(use-package org
:ensure nil
:commands org-mode
@@ -19,6 +21,10 @@
(org-shiftdown-final . windmove-down)
(org-shiftright-final . windmove-right)
)
:custom-face
(org-block ((t (:inherit default :background ,(color-lighten-name bg 15) :extend ,t))))
(org-block-begin-line ((t (:inherit default :background ,"#472300" :extend ,t))))
(org-block-end-line ((t (:inherit default :background ,"#472300" :extend ,t))))
:config
(require 'org-tempo)
(setq org-export-latex-listings t)
@@ -67,15 +73,7 @@
(gnuplot . t)
(sqlite . t)
))
(require 'color)
(let ((bg (face-attribute 'default :background)))
(custom-set-faces
`(org-block ((t (:inherit default :background ,(color-lighten-name bg 15) :extend ,t))))
`(org-block-begin-line ((t (:inherit default :background ,"#472300" :extend ,t))))
`(org-block-end-line ((t (:inherit default :background ,"#472300" :extend ,t))))
))
)
)
(use-package org-bullets

2
nix/configuration/roles/emacs/files/emacs/init.el
View File

@@ -42,4 +42,6 @@
(require 'lang-d2)
(require 'lang-nft)
(load-directory autoload-directory)

33
nix/configuration/roles/esim/default.nix Normal file
View File

@@ -0,0 +1,33 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
options.me = {
esim.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to install esim.";
};
};
config = lib.mkIf (config.me.esim.enable && config.me.graphical) {
environment.systemPackages = with pkgs; [
easylpac
zbar # To decode qrcodes via `zbarimg <file>`
];
nixpkgs.overlays = [
(final: prev: {
easylpac = (final.callPackage ./package/easylpac/package.nix { });
})
];
};
}

1
nix/configuration/roles/esim/package/easylpac/CONTRIB Normal file
View File

@@ -0,0 +1 @@
Package from https://github.com/nix-community/nur-combined/blob/main/repos/linyinfeng/pkgs/easylpac/default.nix

120
nix/configuration/roles/esim/package/easylpac/ci-registry.json Normal file
View File

@@ -0,0 +1,120 @@
[
{
"key-id": "81370f",
"name": "GSM Association - RSP2 Root CI1",
"crls": ["http://gsma-crl.symauth.com/offlineca/gsma-rsp2-root-ci1.crl"]
},
{
"key-id": "d7a7d0",
"name": "GSM Association - M2M31 Root CI2"
},
{
"key-id": "4c2796",
"name": "OISITE GSMA CI G1",
"crls": ["http://public.wisekey.com/crl/ogsmacig1.crl"]
},
{
"key-id": "665a14",
"name": "Symantec RSP Test Root CA",
"crls": ["http://pki-crl.symauth.com/ca_a3dc2e3fea7708a11c889386d9d3a76f/LatestCRL.crl"]
},
{
"key-id": "f54172",
"name": "GSMA Test CI (SGP.26 v1)"
},
{
"key-id": "c0bc70",
"name": "GSMA Test CI (SGP.26 v1, BRP P256r1)"
},
{
"key-id": "34eecf",
"name": "Test CI (SGP.26 v3)"
},
{
"key-id": "2209f6",
"name": "Test CI (SGP.26 v3, BRP P256r1)"
},
{
"key-id": "148030",
"country": "CN",
"name": "Taier eSIM Root CA",
"crls": ["http://111.204.176.254:18889/download/n1.crl", "http://111.204.176.254:18889/download/n2.crl"]
},
{
"key-id": "16b5d1",
"country": "CN",
"name": "MNO: China Unicom"
},
{
"key-id": "7c0e54",
"country": "CN",
"name": "MNO: China Unicom"
},
{
"key-id": "3bd3f5",
"country": "CN",
"name": "MNO: China Unicom"
},
{
"key-id": "cdf6d1",
"country": "CN",
"name": "MNO: China Mobile"
},
{
"key-id": "d3ef83",
"country": "CN",
"name": "MNO: China Telecom",
"crls": ["http://crl.cnca.net/esim/ccs/a.crl", "http://crl.cnca.net/esim/ccs/b.crl"]
},
{
"key-id": "4eb94e",
"country": "CN",
"name": "MNO: China Telecom"
},
{
"key-id": "b70ba4",
"country": "GB",
"name": "Truphone SAS-UP CA"
},
{
"key-id": "73fca0",
"country": "CN",
"name": "Redtea Mobile CI"
},
{
"key-id": "ea53ad",
"country": "DE",
"name": "SubMan V4.2 CI"
},
{
"key-id": "96524c",
"country": "DE",
"name": "SubMan V4.2 CI"
},
{
"key-id": "b60f0b",
"country": "DE",
"name": "SubMan V4.2 CI Google Pixel"
},
{
"key-id": "cd6e60",
"country": "FR",
"name": "MC4 OT ROOT CI v1"
},
{
"key-id": "066d48",
"country": "FR",
"name": "MC4 CI TEST v2"
},
{
"key-id": "16704b",
"country": "US",
"name": "Entrust eSIM CA",
"crls": ["http://crl.entrust.net/entesimca.crl"]
},
{
"key-id": "77f0bd",
"country": "FR",
"name": "Gemalto CE CI"
}
]

88
nix/configuration/roles/esim/package/easylpac/eum-registry.json Normal file
View File

@@ -0,0 +1,88 @@
[
{
"eum": "35060000",
"country": "CN",
"manufacturer": "HED"
},
{
"eum": "35840574",
"country": "CN",
"manufacturer": "Beijing Watchdata",
"accreditations": ["WD-BG"]
},
{
"eum": "89033023",
"country": "FR",
"manufacturer": "Thales",
"accreditations": ["GO-CA", "GO-PA", "GO-SI", "TS-CA", "TS-ME", "TS-NA", "TS-PA", "TS-SI"]
},
{
"eum": "89033024",
"country": "FR",
"manufacturer": "IDEMIA",
"accreditations": ["IA-FK", "IA-VE", "ID-NA", "ID-SN", "OR-SN"]
},
{
"eum": "89034011",
"country": "ES",
"manufacturer": "Valid",
"accreditations": ["VD-MD", "VD-SU"]
},
{
"eum": "89041030",
"country": "CH",
"manufacturer": "STM",
"accreditations": ["SM-CA", "SM-CT"]
},
{
"eum": "89043051",
"country": "AT",
"manufacturer": "NXP",
"accreditations": ["NP-HG", "NP-KG", "NP-TN"]
},
{
"eum": "89043052",
"country": "AT",
"manufacturer": "NXP"
},
{
"eum": "89044045",
"country": "GB",
"manufacturer": "Kigen",
"accreditations": ["KN-DN", "KN-NA"]
},
{
"eum": "89044047",
"country": "GB",
"manufacturer": "Truphone"
},
{
"eum": "89049032",
"country": "DE",
"manufacturer": "G+D",
"accreditations": ["GD-BA", "GD-CI", "GD-MM", "GD-NG"]
},
{
"eum": "89049038",
"country": "DE",
"manufacturer": "G+D"
},
{
"eum": "89086001",
"country": "CN",
"manufacturer": "Hengbao",
"accreditations": ["HO-DG"]
},
{
"eum": "89086029",
"country": "CN",
"manufacturer": "Wuhan Tianyu",
"accreditations": ["WN-HI"]
},
{
"eum": "89086030",
"country": "CN",
"manufacturer": "Eastcompeace",
"accreditations": ["ED-ZI"]
}
]

68
nix/configuration/roles/esim/package/easylpac/package.nix Normal file
View File

@@ -0,0 +1,68 @@
{
callPackage,
go,
buildGoModule,
fetchFromGitHub,
pkg-config,
gtk3,
libXxf86vm,
libglvnd,
glfw,
wrapGAppsHook3,
fontconfig,
lpac,
lib,
}:
buildGoModule rec {
pname = "easylpac";
version = "0.7.9.2";
src = fetchFromGitHub {
owner = "creamlike1024";
repo = "EasyLPAC";
rev = version;
sha256 = "sha256-8VVR8QJR6SZEvdGls3kDU9l8SdFdUVnHm2qxUzgGJuU=";
};
proxyVendor = true;
vendorHash = "sha256-tX7abWGn1f4p+7vx2gDa5/NKg5SbWqMfHT8kbPwHK14=";
postConfigure = ''
cp --verbose "${./eum-registry.json}" eum-registry.json
cp --verbose "${./ci-registry.json}" ci-registry.json
'';
env.FONTCONFIG_FILE = "${fontconfig.out}/etc/fonts/fonts.conf";
nativeBuildInputs = [
pkg-config
wrapGAppsHook3
];
buildInputs = [
gtk3
libglvnd
libXxf86vm
]
++ glfw.buildInputs;
postInstall = ''
ln -s "${lpac}/bin/lpac" "$out/bin/lpac"
'';
passthru = {
updateScriptEnabled = true;
updateScript =
let
script = callPackage ./update.nix { };
in
[ "${script}/bin/update-easylpac" ];
};
meta = with lib; {
description = "lpac GUI Frontend";
homepage = "https://github.com/creamlike1024/EasyLPAC";
mainProgram = "EasyLPAC";
license = licenses.mit;
maintainers = with maintainers; [ yinfeng ];
broken = !(lib.versionAtLeast go.version "1.24");
};
}

28
nix/configuration/roles/firefox/default.nix
View File

@@ -66,8 +66,18 @@
"privacy.fingerprintingProtection" = true;
# Allow sending dark mode preference to websites.
# Allow sending timezone to websites.
"privacy.fingerprintingProtection.overrides" =
"+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt";
"privacy.fingerprintingProtection.overrides" = (
builtins.concatStringsSep "," [
"+AllTargets" # Enable all protections
"-CSSPrefersColorScheme" # Don't hide light/dark preference
"-JSDateTimeUTC" # Allow sending timezone to websites.
"-CanvasExtractionBeforeUserInputIsBlocked" # Canvas image extraction needed by google maps to avoid names looking like barcodes.
# Google meet's auto-framing results in random flashing colored bars unless the following two are allowed:
"-CanvasImageExtractionPrompt"
"-CanvasExtractionFromThirdPartiesIsBlocked"
"-WebGLRenderCapability" # Needed for smooth zooming on google maps
]
);
# Disable weather on new tab page
"browser.newtabpage.activity-stream.showWeather" = false;
# Disable AI stuff that wastes battery life
@@ -79,6 +89,20 @@
policies = {
DisableTelemetry = true;
DisplayBookmarksToolbar = "newtab";
DisableFirefoxStudies = true;
FirefoxHome = {
SponsoredStories = false;
SponsoredTopSites = false;
Stories = false;
};
GenerativeAI = {
Enabled = false;
};
SearchEngines = {
Remove = [
"Perplexity"
];
};
# Check about:support for extension/add-on ID strings.
# Valid strings for installation_mode are "allowed", "blocked",

8
nix/configuration/roles/fonts/files/fonts.conf
View File

@@ -54,10 +54,10 @@
<!-- </match> -->
<!-- Dejavu Sans Mono keeps coming back when I query "monospace". Doesn't happen when I'm using Souce Code Pro but does happen with cascadia... force it to cascadia -->
<!-- <match target="pattern"> -->
<!-- <test qual="any" name="family"><string>monospace</string></test> -->
<!-- <edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit> -->
<!-- </match> -->
<match target="pattern">
<test qual="any" name="family"><string>monospace</string></test>
<edit name="family" mode="assign" binding="same"><string>Cascadia Mono</string></edit>
</match>
<!-- Disable ligatures in monospace fonts. -->
<match target="font">

10
nix/configuration/roles/git/default.nix
View File

@@ -16,6 +16,14 @@ let
}:$PATH"
exec ${package}/bin/${prog} "''${@}"
'';
git_hide = pkgs.writeShellScriptBin "git-hide" ''
git add --intent-to-add "''${@}"
git update-index --skip-worktree --assume-unchange "''${@}"
'';
git_unhide = pkgs.writeShellScriptBin "git-unhide" ''
git update-index --no-skip-worktree --no-assume-unchange "''${@}"
git reset "''${@}"
'';
in
{
imports = [ ];
@@ -41,6 +49,8 @@ in
{
environment.systemPackages = with pkgs; [
my_git
git_hide
git_unhide
];
}
(lib.mkIf (config.me.git.config != null) {

Some files were not shown because too many files have changed in this diff Show More