Configure kernel preemption.

1.5 came out recently, so no gateway providers support it.

nix/configuration/configuration.nix

@@ -54,6 +54,7 @@ in
     ./roles/iso_mount
     ./roles/jujutsu
     ./roles/kanshi
+    ./roles/kernel
     ./roles/kodi
     ./roles/kubernetes
     ./roles/latex
@@ -137,14 +138,15 @@ in
     nix.settings.keep-derivations = true;
 
     # Automatic garbage collection
-    # nix.gc = lib.mkIf (!config.me.buildingPortable) {
-    #   # Runs nix-collect-garbage --delete-older-than 5d
-    #   automatic = true;
-    #   persistent = true;
-    #   dates = "monthly";
-    #   # randomizedDelaySec = "14m";
-    #   options = "--delete-older-than 30d";
-    # };
+    nix.gc = lib.mkIf (!config.me.buildingPortable) {
+      # Runs nix-collect-garbage --delete-older-than 5d
+      # automatic = true;
+      automatic = false;
+      persistent = true;
+      dates = "monthly";
+      # randomizedDelaySec = "14m";
+      options = "--delete-older-than 30d";
+    };
     nix.settings.auto-optimise-store = !config.me.buildingPortable;
 
     environment.systemPackages = [
@@ -234,20 +236,30 @@ in
         );
       in
       [
-        (disableTests "coreutils")
-        (disableTests "coreutils-full")
         (disableTests "deno") # Tests use too much disk space
-        (disableTests "libuv")
-        (final: prev: {
-          inherit (final.unoptimized)
-            libtpms
-            libjxl
-            ddrescueview
-            deno
-            mesa
-            ;
-        })
+        (disableOptimizations "libtpms")
         (disableOptimizationsPython3 "scipy")
+        (disableOptimizations "assimp")
+        (disableOptimizations "gsl")
+        (final: prev: {
+          rpcs3 = prev.rpcs3.override {
+            glew = (final.glew.override { enableEGL = false; });
+          };
+        })
+        (final: prev: {
+          fwupd = prev.fwupd.overrideAttrs (
+            finalAttrs: prevAttrs: {
+              version = "2.1.5";
+              src = final.fetchFromGitHub {
+                owner = "fwupd";
+                repo = "fwupd";
+                tag = finalAttrs.version;
+                hash = "sha256-DzQ+N99ZmFRqZc2rN6PSqmoIMXUyrE8Kkn+KnT/AWPc=";
+              };
+            }
+          );
+        })
+
         # Works but probably sets python2's scipy to be python3:
         #
         # (final: prev: {

nix/configuration/flake.lock

@@ -22,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776613567,
-        "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
+        "lastModified": 1780894562,
+        "narHash": "sha256-c3430xwxwhHipl3jigUGMMBfpaMylDqytW/kdmB3ZGs=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
+        "rev": "24fed06cac83bcc44ac8efbb57cab1a82fa0bedc",
         "type": "github"
       },
       "original": {
@@ -164,11 +164,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1777268161,
-        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
+        "lastModified": 1780749050,
+        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
+        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
         "type": "github"
       },
       "original": {
@@ -178,6 +178,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-google": {
+      "locked": {
+        "lastModified": 1779893571,
+        "narHash": "sha256-wiwMyVCtmjRjlFCe2zaumCE6LRV9GzzN0ZH25NQkbAU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1730741070,
@@ -226,7 +242,8 @@
         "disko": "disko",
         "impermanence": "impermanence",
         "lanzaboote": "lanzaboote",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-google": "nixpkgs-google"
       }
     },
     "rust-overlay": {

nix/configuration/flake.nix

@@ -20,6 +20,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-google.url = "github:NixOS/nixpkgs/45f6cfaa4605b706c870e75bd74bdb5e97eee11e";
     lanzaboote = {
       url = "github:nix-community/lanzaboote/v0.4.2";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -34,6 +35,7 @@
     {
       self,
       nixpkgs,
+      nixpkgs-google,
       disko,
       impermanence,
       lanzaboote,
@@ -92,6 +94,9 @@
                       hostPlatform.gcc.arch = "default";
                       hostPlatform.gcc.tune = "default";
                     };
+                    google = import nixpkgs-google {
+                      system = prev.stdenv.hostPlatform.system;
+                    };
                   })
                 ];
               };

nix/configuration/hosts/odo/default.nix

@@ -110,6 +110,7 @@
     me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
     me.kanshi.enable = false;
+    me.kernel.enable = true;
     me.kubernetes.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;

nix/configuration/hosts/odowork/default.nix

@@ -111,6 +111,7 @@
     me.iso_mount.enable = true;
     me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
+    me.kernel.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;
     me.lvfs.enable = true;

nix/configuration/hosts/quark/default.nix

@@ -104,6 +104,7 @@
     me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
     me.kanshi.enable = false;
+    me.kernel.enable = true;
     me.kubernetes.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;

nix/configuration/roles/base/default.nix

@@ -14,6 +14,12 @@ let
   cleanup_temporary_files = (
     patchScriptBin "cleanup_temporary_files" (builtins.readFile ./files/cleanup_temporary_files.bash)
   );
+  decode_jwt = (patchScriptBin "decode_jwt" (builtins.readFile ./files/decode_jwt.bash));
+  git_find_merged_branches = (
+    patchScriptBin "git_find_merged_branches" (builtins.readFile ./files/git_find_merged_branches.bash)
+  );
+  git_fix_author = (patchScriptBin "git_fix_author" (builtins.readFile ./files/git_fix_author.bash));
+  rsync_clone = (patchScriptBin "rsync_clone" (builtins.readFile ./files/rsync_clone.bash));
   alias_rga = pkgs.writeShellScriptBin "rga" ''
     exec ${pkgs.ripgrep}/bin/rg -uuu "''${@}"
   '';
@@ -59,8 +65,12 @@ in
       nix-output-monitor # For better view into nixos-rebuild
       # nix-serve-ng # Serve nix store over http
       cleanup_temporary_files
+      decode_jwt
       jq
       inetutils # For whois
+      git_find_merged_branches
+      git_fix_author
+      rsync_clone
     ];
   };
 }

nix/configuration/roles/base/files/cleanup_temporary_files.bash

@@ -1,4 +1,7 @@
 #!/usr/bin/env bash
 #
 # Delete temporary files on entire disk
-find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null
+set -euo pipefail
+IFS=$'\n\t'
+
+exec find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null

nix/configuration/roles/base/files/decode_jwt.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Decode the contents of a JWT
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'

nix/configuration/roles/base/files/git_find_merged_branches.bash

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+# Find local branches that have been merged
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: ${MAIN_BRANCH:="main"}
+
+git checkout -q ${MAIN_BRANCH} && git for-each-ref refs/heads/ "--format=%(refname:short)" | while read branch; do mergeBase=$(git merge-base ${MAIN_BRANCH} $branch) && [[ $(git cherry ${MAIN_BRANCH} $(git commit-tree $(git rev-parse "$branch^{tree}") -p $mergeBase -m _)) == "-"* ]] && echo "$branch"; done

nix/configuration/roles/base/files/git_fix_author.bash

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+git filter-branch --env-filter '
+WRONG_EMAIL="old@email.foo"
+NEW_NAME="New Name"
+NEW_EMAIL="new@email.bar"
+
+if [ "$GIT_COMMITTER_EMAIL" = "$WRONG_EMAIL" ]
+then
+    export GIT_COMMITTER_NAME="$NEW_NAME"
+    export GIT_COMMITTER_EMAIL="$NEW_EMAIL"
+fi
+if [ "$GIT_AUTHOR_EMAIL" = "$WRONG_EMAIL" ]
+then
+    export GIT_AUTHOR_NAME="$NEW_NAME"
+    export GIT_AUTHOR_EMAIL="$NEW_EMAIL"
+fi
+' --tag-name-filter cat --commit-filter 'git commit-tree -S "$@";' -- --branches --tags

nix/configuration/roles/base/files/rsync_clone.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Wrapper to set rsync flags for cloning a folder preserving attributes
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec rsync -aHAXS "$@"

nix/configuration/roles/firewall/default.nix

@@ -24,7 +24,16 @@
     networking.firewall.allowedUDPPorts = [
       5353 # mDNS
     ];
+
+    # networking.firewall.enable = true;
+    # networking.nftables.enable = true;
+
     # Or disable the firewall altogether.
-    # networking.firewall.enable = false;
+    networking.firewall.enable = false;
+
+    # Debugging
+    # networking.firewall.logRefusedConnections = true;
+    # networking.firewall.logRefusedPackets = true;
+    # networking.firewall.logReversePathDrops = true;
   };
 }

nix/configuration/roles/gcloud/default.nix

@@ -18,7 +18,7 @@
   };
 
   config = lib.mkIf config.me.gcloud.enable {
-    environment.systemPackages = with pkgs; [
+    environment.systemPackages = with pkgs.google; [
       (google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ])
     ];
 

nix/configuration/roles/kernel/default.nix

@@ -0,0 +1,194 @@
+# Check current config:
+#   nix build '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile'
+#   cat $(nix eval --raw '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile') | less
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  preemption_type = with lib.kernel; {
+    full = {
+      PREEMPT_DYNAMIC = yes;
+      PREEMPT = yes;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = no;
+    };
+    lazy = {
+      PREEMPT_DYNAMIC = yes;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = yes;
+      PREEMPT_NONE = no;
+    };
+    voluntary = {
+      PREEMPT_DYNAMIC = no;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = yes;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = no;
+    };
+    none = {
+      PREEMPT_DYNAMIC = no;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = yes;
+    };
+  };
+  tick_hz =
+    with lib.kernel;
+    {
+      "1000" = {
+        HZ_1000 = yes;
+        HZ = freeform "1000";
+      };
+    }
+    // lib.genAttrs [ "100" "250" "300" "500" "600" "750" ] (hz: {
+      HZ_1000 = no;
+      "HZ_${hz}" = yes;
+      HZ = freeform hz;
+    });
+  performance_governor = with lib.kernel; {
+    default = {
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
+    };
+    performance = {
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = no;
+      CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
+    };
+  };
+  tick_rate = with lib.kernel; {
+    # Always tick at the hz frequency.
+    periodic = {
+      NO_HZ_IDLE = no;
+      NO_HZ_FULL = no;
+      NO_HZ = no;
+      NO_HZ_COMMON = no;
+      HZ_PERIODIC = yes;
+    };
+    # Idle - Do not disturb the CPU when idle. This can save power but increase latency.
+    idle = {
+      HZ_PERIODIC = no;
+      NO_HZ_FULL = no;
+      NO_HZ_IDLE = yes;
+      NO_HZ = yes;
+      NO_HZ_COMMON = yes;
+    };
+    # Full dyntick system (tickless) - The kernel tries to shut down the tick whenever possible.
+    tickless = {
+      HZ_PERIODIC = no;
+      NO_HZ_IDLE = no;
+      NO_HZ_FULL = yes;
+      NO_HZ = yes;
+      NO_HZ_COMMON = yes;
+      CONTEXT_TRACKING = yes;
+    };
+  };
+  huge_page = with lib.kernel; {
+    always = {
+      TRANSPARENT_HUGEPAGE_MADVISE = no;
+      TRANSPARENT_HUGEPAGE_ALWAYS = yes;
+    };
+    madvise = {
+      TRANSPARENT_HUGEPAGE_ALWAYS = no;
+      TRANSPARENT_HUGEPAGE_MADVISE = yes;
+    };
+  };
+  common_config =
+    with lib.kernel;
+    {
+      # Google's BBRv3 TCP congestion Control
+      TCP_CONG_BBR = yes;
+      DEFAULT_BBR = yes;
+    };
+  flavors = {
+    server = lib.mkMerge [
+      preemption_type.none
+      tick_hz."300"
+      performance_governor.default
+      tick_rate.tickless
+      huge_page.madvise
+    ];
+    interactive =
+      with lib.kernel;
+      lib.mkMerge [
+        {
+          # Enable RCU Lazy - Reduces power consumption when idle or lightly loaded. Useful for battery-powered devices like laptops.
+          RCU_LAZY = yes;
+        }
+        preemption_type.lazy
+        tick_hz."300"
+        performance_governor.default
+        tick_rate.tickless
+        huge_page.madvise
+      ];
+  };
+in
+{
+  imports = [ ];
+
+  options.me = {
+    kernel.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install kernel.";
+    };
+
+    kernel.version = lib.mkOption {
+      type = lib.types.str;
+      default = "linux"; # LTS
+      example = "linux_6_18";
+      description = "What version of the kernl should we use.";
+    };
+
+    kernel.flavor = lib.mkOption {
+      type = lib.types.str;
+      default = "interactive";
+      example = "server";
+      description = "What type of kernel should be built.";
+    };
+  };
+
+  config = lib.mkIf config.me.kernel.enable (
+    lib.mkMerge [
+      {
+        boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
+      }
+      (lib.mkIf (!config.me.optimizations.enable) {
+        nixpkgs.overlays = [
+          (final: prev: {
+            linux_me = final."${config.me.kernel.version}";
+          })
+        ];
+      })
+      (lib.mkIf (config.me.optimizations.enable) {
+        nixpkgs.overlays = [
+          (
+            final: prev:
+            let
+              addConfig =
+                additionalConfig: pkg:
+                pkg.override (oldconfig: {
+                  structuredExtraConfig = lib.mkMerge ([ pkg.structuredExtraConfig ] ++ additionalConfig);
+                  # stdenv = pkgs.llvmPackages_latest.stdenv;
+                  # stdenv = pkgs.clangStdenv;
+                });
+            in
+            {
+              linux_me = addConfig ([
+                common_config
+                flavors."${config.me.kernel.flavor}"
+              ]) final."${config.me.kernel.version}";
+            }
+          )
+        ];
+      })
+    ]
+  );
+}

nix/configuration/roles/minimal_base/default.nix

@@ -19,6 +19,7 @@
 
   config = lib.mkIf config.me.minimal_base.enable {
     me.doas.enable = true;
+    me.kernel.enable = true;
     me.network.enable = true;
     me.nvme.enable = true;
     me.ssh.enable = true;

nix/configuration/roles/optimized_build/default.nix

@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }:
 
@@ -49,71 +48,13 @@
   };
 
   config = lib.mkMerge [
-    (lib.mkIf (!config.me.optimizations.enable) (
-      lib.mkMerge [
-        {
-          boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_18;
-          # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
-        }
-      ]
-    ))
     (lib.mkIf config.me.optimizations.enable (
       lib.mkMerge [
         {
-          boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
-
           nixpkgs.hostPlatform = {
             gcc.arch = config.me.optimizations.arch;
             gcc.tune = config.me.optimizations.arch;
           };
-
-          nixpkgs.overlays = [
-            (
-              final: prev:
-              let
-                addConfig =
-                  additionalConfig: pkg:
-                  pkg.override (oldconfig: {
-                    structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
-                  });
-              in
-              {
-                linux_me = addConfig {
-                  # Server | No preemption - Run until the next tick. Highest throughput but can cause stutter.
-                  # PREEMPT = lib.mkOverride 60 lib.kernel.no;
-                  # Desktop | Preempt kernel threads only at pre-defined places that call cond_resched().
-                  PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
-                  # Low-latency desktop | Full preemption - Kernel threads can be preempted unless they hold a spinlock or are in a no-preemption section.
-                  PREEMPT = lib.mkOverride 60 lib.kernel.yes;
-                  # RT - All kernel code is preemptible except for a few critical sections.
-                  # Middle ground | Real-time tasks preempt immediately like FULL, normal tasks run until the next tick.
-                  PREEMPT_LAZY = lib.mkOverride 90 lib.kernel.no;
-
-                  # Google's BBRv3 TCP congestion Control
-                  TCP_CONG_BBR = lib.kernel.yes;
-                  DEFAULT_BBR = lib.kernel.yes;
-
-                  # Preemptive Full Tickless Kernel at 300Hz
-                  HZ = lib.kernel.freeform "300";
-                  HZ_300 = lib.kernel.yes;
-                  HZ_1000 = lib.kernel.no;
-                } prev.linux_6_18; # or prev.linux
-              }
-            )
-            (final: prev: {
-              inherit (final.unoptimized)
-                assimp
-                binaryen
-                gsl
-                rapidjson
-                ffmpeg-headless
-                ffmpeg
-                pipewire
-                chromaprint
-                gtkmm
-                ;
-            })
-          ];
         }
       ]
     ))

nix/configuration/roles/sm64ex/default.nix

@@ -18,7 +18,10 @@
   };
 
   config = lib.mkIf (config.me.sm64ex.enable && config.me.graphical) {
-    allowedUnfree = [ "sm64ex" ];
+    allowedUnfree = [
+      "sm64ex"
+      "baserom.us.z64"
+    ];
 
     environment.systemPackages = with pkgs; [
       sm64ex

nix/configuration/roles/sound/default.nix

@@ -30,7 +30,7 @@
           # If you want to use JACK applications, uncomment this
           #jack.enable = true;
 
-          extraLv2Packages = [ pkgs.rnnoise-plugin ];
+          extraLadspaPackages = [ pkgs.rnnoise-plugin.ladspa ];
           configPackages = [
             (pkgs.writeTextDir "share/pipewire/pipewire.conf.d/99-input-denoising.conf" ''
               context.modules = [
@@ -43,7 +43,7 @@
                               {
                                   type = ladspa
                                   name = rnnoise
-                                  plugin = "${pkgs.rnnoise-plugin}/lib/ladspa/librnnoise_ladspa.so"
+                                  plugin = "librnnoise_ladspa"
                                   label = noise_suppressor_mono
                                   control = {
                                       "VAD Threshold (%)" = 50.0

nix/configuration/roles/vscode/default.nix

@@ -121,6 +121,12 @@ in
             group = "talexander";
             mode = "0755";
           }
+          {
+            directory = ".vscode-shared";
+            user = "talexander";
+            group = "talexander";
+            mode = "0755";
+          }
         ];
       };
     };

nix/configuration/roles/zfs/default.nix

@@ -44,6 +44,9 @@ in
 
     boot.zfs.devNodes = "/dev/disk/by-partuuid";
 
+    # Do not force import your root pool during boot. Force importing would be useful if the pool had been imported by a different machine most recently.
+    boot.zfs.forceImportRoot = false;
+
     services.zfs = {
       autoScrub = {
         enable = true;

nix/kubernetes/configuration.nix

@@ -17,6 +17,7 @@
     ./roles/firewall
     ./roles/image_based_appliance
     ./roles/iso
+    ./roles/kernel
     ./roles/kube_apiserver
     ./roles/kube_controller_manager
     ./roles/kube_proxy

nix/kubernetes/flake.lock

@@ -22,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769524058,
-        "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
+        "lastModified": 1780290312,
+        "narHash": "sha256-eTAlX0CwgB84Ts3GaBd944A3DRXVMzgA0EqroZBISUo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
+        "rev": "115e5211780054d8a890b41f0b7734cafad54dfe",
         "type": "github"
       },
       "original": {
@@ -164,11 +164,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1770197578,
-        "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
+        "lastModified": 1780749050,
+        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
+        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
         "type": "github"
       },
       "original": {

nix/kubernetes/keys/package/bootstrap-script/package.nix

@@ -54,22 +54,23 @@ let
   gateway_crds_repo = fetchFromGitHub {
     owner = "kubernetes-sigs";
     repo = "gateway-api";
-    rev = "v1.4.1";
-    sha256 = "sha256-/GHyikcC2QGDN0ndpY6/xvSEEnpSsLrNU+lFElCKBs8=";
+    rev = "v1.5.1";
+    sha256 = "sha256-mWMvJG6esOqDBSbhExvt7L3ZTiQUOfeRBohew/m67A0=";
   };
   gateway_crds = [
     "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml"
-    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml"
-    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml"
     "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml"
-    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml"
-    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml"
-    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml"
     "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml"
-    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.x-k8s.io_xlistenersets.yaml"
-    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml"
-    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml"
     "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_listenersets.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.k8s.io_vap_safeupgrades.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.x-k8s.io_xbackendtrafficpolicies.yaml"
+    "${gateway_crds_repo}/config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml"
   ];
 in
 stdenv.mkDerivation (finalAttrs: {

nix/kubernetes/roles/kernel/default.nix

@@ -0,0 +1,192 @@
+# Check current config:
+#   nix build '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile'
+#   cat $(nix eval --raw '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile') | less
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  preemption_type = with lib.kernel; {
+    full = {
+      PREEMPT_DYNAMIC = yes;
+      PREEMPT = yes;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = no;
+    };
+    lazy = {
+      PREEMPT_DYNAMIC = yes;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = yes;
+      PREEMPT_NONE = no;
+    };
+    voluntary = {
+      PREEMPT_DYNAMIC = no;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = yes;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = no;
+    };
+    none = {
+      PREEMPT_DYNAMIC = no;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = yes;
+    };
+  };
+  tick_hz =
+    with lib.kernel;
+    {
+      "1000" = {
+        HZ_1000 = yes;
+        HZ = freeform "1000";
+      };
+    }
+    // lib.genAttrs [ "100" "250" "300" "500" "600" "750" ] (hz: {
+      HZ_1000 = no;
+      "HZ_${hz}" = yes;
+      HZ = freeform hz;
+    });
+  performance_governor = with lib.kernel; {
+    default = {
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
+    };
+    performance = {
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = no;
+      CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
+    };
+  };
+  tick_rate = with lib.kernel; {
+    # Always tick at the hz frequency.
+    periodic = {
+      NO_HZ_IDLE = no;
+      NO_HZ_FULL = no;
+      NO_HZ = no;
+      NO_HZ_COMMON = no;
+      HZ_PERIODIC = yes;
+    };
+    # Idle - Do not disturb the CPU when idle. This can save power but increase latency.
+    idle = {
+      HZ_PERIODIC = no;
+      NO_HZ_FULL = no;
+      NO_HZ_IDLE = yes;
+      NO_HZ = yes;
+      NO_HZ_COMMON = yes;
+    };
+    # Full dyntick system (tickless) - The kernel tries to shut down the tick whenever possible.
+    tickless = {
+      HZ_PERIODIC = no;
+      NO_HZ_IDLE = no;
+      NO_HZ_FULL = yes;
+      NO_HZ = yes;
+      NO_HZ_COMMON = yes;
+      CONTEXT_TRACKING = yes;
+    };
+  };
+  huge_page = with lib.kernel; {
+    always = {
+      TRANSPARENT_HUGEPAGE_MADVISE = no;
+      TRANSPARENT_HUGEPAGE_ALWAYS = yes;
+    };
+    madvise = {
+      TRANSPARENT_HUGEPAGE_ALWAYS = no;
+      TRANSPARENT_HUGEPAGE_MADVISE = yes;
+    };
+  };
+  common_config = with lib.kernel; {
+    # Google's BBRv3 TCP congestion Control
+    TCP_CONG_BBR = yes;
+    DEFAULT_BBR = yes;
+  };
+  flavors = {
+    server = lib.mkMerge [
+      preemption_type.none
+      tick_hz."300"
+      performance_governor.default
+      tick_rate.tickless
+      huge_page.madvise
+    ];
+    interactive =
+      with lib.kernel;
+      lib.mkMerge [
+        {
+          # Enable RCU Lazy - Reduces power consumption when idle or lightly loaded. Useful for battery-powered devices like laptops.
+          RCU_LAZY = yes;
+        }
+        preemption_type.lazy
+        tick_hz."300"
+        performance_governor.default
+        tick_rate.tickless
+        huge_page.madvise
+      ];
+  };
+in
+{
+  imports = [ ];
+
+  options.me = {
+    kernel.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install kernel.";
+    };
+
+    kernel.version = lib.mkOption {
+      type = lib.types.str;
+      default = "linux"; # LTS
+      example = "linux_6_18";
+      description = "What version of the kernl should we use.";
+    };
+
+    kernel.flavor = lib.mkOption {
+      type = lib.types.str;
+      default = "server";
+      example = "interactive";
+      description = "What type of kernel should be built.";
+    };
+  };
+
+  config = lib.mkIf config.me.kernel.enable (
+    lib.mkMerge [
+      {
+        boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
+      }
+      (lib.mkIf (!config.me.optimizations.enable) {
+        nixpkgs.overlays = [
+          (final: prev: {
+            linux_me = final."${config.me.kernel.version}";
+          })
+        ];
+      })
+      (lib.mkIf (config.me.optimizations.enable) {
+        nixpkgs.overlays = [
+          (
+            final: prev:
+            let
+              addConfig =
+                additionalConfig: pkg:
+                pkg.override (oldconfig: {
+                  structuredExtraConfig = lib.mkMerge ([ pkg.structuredExtraConfig ] ++ additionalConfig);
+                  # stdenv = pkgs.llvmPackages_latest.stdenv;
+                  # stdenv = pkgs.clangStdenv;
+                });
+            in
+            {
+              linux_me = addConfig ([
+                common_config
+                flavors."${config.me.kernel.flavor}"
+              ]) final."${config.me.kernel.version}";
+            }
+          )
+        ];
+      })
+    ]
+  );
+}

nix/kubernetes/roles/kubernetes/default.nix

@@ -21,7 +21,7 @@
     assertions = [
       {
         # Kubernetes should only upgrade 1 minor version at a time, so this assert is here to prevent unwittingly jumping versions.
-        assertion = lib.hasPrefix "1.35." pkgs.kubernetes.version;
+        assertion = lib.hasPrefix "1.36." pkgs.kubernetes.version;
         message = "Unexpected Kubernetes package version: ${pkgs.kubernetes.version}";
       }
     ];

nix/kubernetes/roles/minimal_base/default.nix

@@ -19,6 +19,7 @@
 
   config = lib.mkIf config.me.minimal_base.enable {
     me.doas.enable = true;
+    me.kernel.enable = true;
     me.network.enable = true;
     me.nvme.enable = true;
     me.ssh.enable = true;

nix/kubernetes/roles/optimized_build/default.nix

@@ -49,65 +49,29 @@
   };
 
   config = lib.mkMerge [
-    (lib.mkIf (!config.me.optimizations.enable) (
-      lib.mkMerge [
-        {
-          # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_17;
-          boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
-        }
-      ]
-    ))
     (lib.mkIf config.me.optimizations.enable (
       lib.mkMerge [
         {
-          boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
-
           nixpkgs.hostPlatform = {
             gcc.arch = config.me.optimizations.arch;
             gcc.tune = config.me.optimizations.arch;
           };
 
-          nixpkgs.overlays = [
-            (
-              final: prev:
-              let
-                addConfig =
-                  additionalConfig: pkg:
-                  pkg.override (oldconfig: {
-                    structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
-                  });
-              in
-              {
-                linux_me = addConfig {
-                  # Full preemption
-                  PREEMPT = lib.mkOverride 60 lib.kernel.yes;
-                  PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
-
-                  # Google's BBRv3 TCP congestion Control
-                  TCP_CONG_BBR = lib.kernel.yes;
-                  DEFAULT_BBR = lib.kernel.yes;
-
-                  # Preemptive Full Tickless Kernel at 300Hz
-                  HZ = lib.kernel.freeform "300";
-                  HZ_300 = lib.kernel.yes;
-                  HZ_1000 = lib.kernel.no;
-                } prev.linux; # or prev.linux_6_17
-              }
-            )
-            (final: prev: {
-              inherit (final.unoptimized)
-                assimp
-                binaryen
-                gsl
-                rapidjson
-                ffmpeg-headless
-                ffmpeg
-                pipewire
-                chromaprint
-                gtkmm
-                ;
-            })
-          ];
+          # nixpkgs.overlays = [
+          #   (final: prev: {
+          #     inherit (final.unoptimized)
+          #       assimp
+          #       binaryen
+          #       gsl
+          #       rapidjson
+          #       ffmpeg-headless
+          #       ffmpeg
+          #       pipewire
+          #       chromaprint
+          #       gtkmm
+          #       ;
+          #   })
+          # ];
         }
       ]
     ))