talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: talexander:yubipi
Branches Tags
talexander:main talexander:nix talexander:kubernetes talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook
..
compare: talexander:8eb3c459bd6ad2094ac79d0f7dacf47b2ae6340d
Branches Tags
talexander:nix talexander:kubernetes talexander:main talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook

47 Commits
yubipi ... 8eb3c459bd

Author SHA1 Message Date
Tom Alexander
8eb3c459bd Run nix daemon with idle priority on end-user devices. 2025-11-29 18:29:22 -05:00
Tom Alexander
1523e691d5 Build everything from source on steam deck. 2025-11-29 15:50:51 -05:00
Tom Alexander
c4ff96b847 Remove work-arounds. 2025-11-27 17:28:37 -05:00
Tom Alexander
aa05ab7289 Install microsoft fonts on odowork. 2025-11-27 13:20:16 -05:00
Tom Alexander
b743421749 Fix the installer image. 2025-11-27 13:20:14 -05:00
Tom Alexander
9099c4b67e Update packages. 2025-11-25 20:43:08 -05:00
Tom Alexander
b67b491efa Match extension versions for work. 2025-11-25 17:40:55 -05:00
Tom Alexander
ddd3200ca6 Add a role for gnome keyring. 2025-11-24 23:01:40 -05:00
Tom Alexander
d0968ab836 Install remote tunnels on odowork. 2025-11-24 22:55:31 -05:00
Tom Alexander
8c223a066d Add jq to the base role. 2025-11-24 20:29:35 -05:00
Tom Alexander
606b952304 Make rollback datasets configurable. 2025-11-24 20:16:47 -05:00
Tom Alexander
c542dcdee9 Use a local ssh config for odowork. 2025-11-24 19:31:56 -05:00
Tom Alexander
39997dc4d4 Recursively include inputs for all inputs in disko closure. 2025-11-24 19:06:58 -05:00
Tom Alexander
3348feb613 Add a command to launch a repl of the current flake. 2025-11-20 00:47:56 -05:00
Tom Alexander
f651241f20 Remove the pkgs-unoptimized input to instead import regular nixpkgs. 2025-11-19 23:56:26 -05:00
Tom Alexander
ff23d8ad20 Remove deprecated "system" parameter. 2025-11-19 23:37:33 -05:00
Tom Alexander
eebbf9f4aa Automatically set distributed build's supportedFeatures based on that host's actual config. 
Previously, we had two copies of the supported features for each host.
 2025-11-19 22:42:43 -05:00
Tom Alexander
3bf912f3be Trim down odowork's install. 2025-11-19 21:50:57 -05:00
Tom Alexander
331651bf23 Switch odowork to i_only_boot_zfs. 2025-11-19 20:50:45 -05:00
Tom Alexander
b16871c701 Fix rollback during boot. 2025-11-18 23:29:00 -05:00
Tom Alexander
381448b338 Switch odo to i_only_boot_zfs. 2025-11-18 23:02:40 -05:00
Tom Alexander
300dfc68cf Fix build. 2025-11-18 23:00:16 -05:00
Tom Alexander
8ccd34aba9 Add odowork. 2025-11-18 21:30:56 -05:00
Tom Alexander
a94df0944b gtkmm build failing. 2025-11-17 21:39:32 -05:00
Tom Alexander
b63df577d9 Add a role for wine. 2025-11-17 05:46:36 -05:00
Tom Alexander
73335b080f Disable rofimoji because the build is failing. 2025-11-17 05:23:01 -05:00
Tom Alexander
e01863cfc7 ffmpeg-headless tests failing. 2025-11-17 05:23:01 -05:00
Tom Alexander
fc343d7897 Switch odo and quark to i_only_boot_zfs. 2025-11-16 18:58:58 -05:00
Tom Alexander
09e36de78e Enable /boot partition. 2025-11-16 18:58:46 -05:00
Tom Alexander
f13689e2c1 Update packages. 2025-11-16 18:58:46 -05:00
Tom Alexander
57b83f7175 Switch to using i_only_boot_zfs. 2025-11-15 19:28:29 -05:00
Tom Alexander
f27aae960f Add an alias to ripgrep all files. 2025-11-15 19:28:28 -05:00
Tom Alexander
5b849c266e Enable python typechecking by default in vscode. 2025-11-08 14:41:28 -05:00
Tom Alexander
588e434b56 Add a host for testing i_only_boot_zfs. 2025-10-28 19:20:48 -04:00
Tom Alexander
09355dd927 Try to fix install. 2025-10-27 11:46:17 -04:00
Tom Alexander
4276f63c59 Install disko in the ISOs. 2025-10-27 11:25:09 -04:00
Tom Alexander
614ef2e5cf Add a minimal base role to record what is needed for a minimal useful system. 2025-10-26 17:28:09 -04:00
Tom Alexander
888613a229 Fix building many things in nix. 
Nix 2.30.0 (2025-07-07) changed the build directory from /tmp to /nix/var/nix/builds which broke a number of builds because my ZFS datasets were utf8only. This adds a role to mount tmpfs to /nix/var/nix/builds to restore the old behavior.
 2025-10-26 17:24:41 -04:00
Tom Alexander
24b089a313 Add a config for the disc recovery machine. 2025-10-26 17:24:41 -04:00
Tom Alexander
2f05b9e600 Add support for specifying a build arch. 2025-10-26 12:54:47 -04:00
Tom Alexander
e4225a82bb Add a role for jujutsu. 2025-10-26 12:54:47 -04:00
Tom Alexander
4a0f0bd8c8 Add cleanup_temporary_files script to base. 2025-10-25 20:38:41 -04:00
Tom Alexander
381eb1523e Disable more firefox AI stuff. 2025-10-25 12:18:19 -04:00
Tom Alexander
8888838457 Fix mounting CDs in qemurc. 2025-10-25 09:03:05 -04:00
Tom Alexander
3918775c1d Specify waybar config in nix. 
This is to facilitate having different waybar configs for each machine.
 2025-10-25 09:03:05 -04:00
Tom Alexander
3bf84445a3 Restructure flake.nix for a simpler config for building different images off the same NixOS config. 2025-10-25 09:03:05 -04:00
Tom Alexander
69b5cf9217 Update packages. 2025-10-10 22:03:53 -04:00
202 changed files with 5982 additions and 4360 deletions
Expand all files Collapse all files

192
nix/configuration/configuration.nix
View File

@@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
@@ -12,14 +11,19 @@
./roles/amd_s2idle ./roles/amd_s2idle
./roles/ansible ./roles/ansible
./roles/ares ./roles/ares
./roles/base
./roles/bluetooth ./roles/bluetooth
./roles/boot ./roles/boot
./roles/build_in_ram
./roles/chromecast ./roles/chromecast
./roles/chromium ./roles/chromium
./roles/d2 ./roles/d2
./roles/direnv ./roles/direnv
./roles/disko
./roles/distributed_build ./roles/distributed_build
./roles/doas
./roles/docker ./roles/docker
./roles/dont_use_substituters
./roles/ecc ./roles/ecc
./roles/emacs ./roles/emacs
./roles/emulate_isa ./roles/emulate_isa
@@ -30,12 +34,15 @@
./roles/gcloud ./roles/gcloud
./roles/git ./roles/git
./roles/global_options ./roles/global_options
./roles/gnome_keyring
./roles/gnuplot ./roles/gnuplot
./roles/gpg ./roles/gpg
./roles/graphics ./roles/graphics
./roles/hydra ./roles/hydra
./roles/image_based_appliance
./roles/iso ./roles/iso
./roles/iso_mount ./roles/iso_mount
./roles/jujutsu
./roles/kanshi ./roles/kanshi
./roles/kodi ./roles/kodi
./roles/kubernetes ./roles/kubernetes
@@ -44,6 +51,7 @@
./roles/lvfs ./roles/lvfs
./roles/media ./roles/media
./roles/memtest86 ./roles/memtest86
./roles/minimal_base
./roles/network ./roles/network
./roles/nix_index ./roles/nix_index
./roles/nix_worker ./roles/nix_worker
@@ -54,6 +62,7 @@
./roles/podman ./roles/podman
./roles/python ./roles/python
./roles/qemu ./roles/qemu
./roles/recovery
./roles/reset ./roles/reset
./roles/rpcs3 ./roles/rpcs3
./roles/rust ./roles/rust
@@ -66,17 +75,20 @@
./roles/sound ./roles/sound
./roles/spaghettikart ./roles/spaghettikart
./roles/ssh ./roles/ssh
./roles/sshd
./roles/steam ./roles/steam
./roles/steam_run_free ./roles/steam_run_free
./roles/sway ./roles/sway
./roles/tekton ./roles/tekton
./roles/terraform ./roles/terraform
./roles/thunderbolt ./roles/thunderbolt
./roles/user
./roles/uutils ./roles/uutils
./roles/vnc_client ./roles/vnc_client
./roles/vscode ./roles/vscode
./roles/wasm ./roles/wasm
./roles/waybar ./roles/waybar
./roles/wine
./roles/wireguard ./roles/wireguard
./roles/yubikey ./roles/yubikey
./roles/zfs ./roles/zfs
@@ -86,55 +98,23 @@
./util/unfree_polyfill ./util/unfree_polyfill
]; ];
config = {
nix.settings.experimental-features = [ nix.settings.experimental-features = [
"nix-command" "nix-command"
"flakes" "flakes"
]; ];
nix.settings.trusted-users = [ "@wheel" ]; nix.settings.trusted-users = [ "@wheel" ];
# boot.kernelPackages = pkgs.linuxPackages_6_11;
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
# Use nixos-rebuild-ng
# system.rebuild.enableNg = true;
# Keep outputs so we can build offline. # Keep outputs so we can build offline.
nix.extraOptions = '' nix.extraOptions = ''
keep-outputs = true keep-outputs = true
keep-derivations = true keep-derivations = true
substitute = false
''; '';
# Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
boot.supportedFilesystems.zfs = true;
# TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ?
services.getty = {
autologinUser = "talexander"; # I use full disk encryption so the user password is irrelevant.
autologinOnce = true;
};
users.mutableUsers = false;
users.users.talexander = {
isNormalUser = true;
createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
group = "talexander";
extraGroups = [ "wheel" ];
uid = 11235;
packages = with pkgs; [
tree
];
# Generate with `mkpasswd -m scrypt`
hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
];
};
users.groups.talexander.gid = 11235;
# Automatic garbage collection # Automatic garbage collection
nix.gc = lib.mkIf (!config.me.buildingIso) { nix.gc = lib.mkIf (!config.me.buildingPortable) {
# Runs nix-collect-garbage --delete-older-than 5d # Runs nix-collect-garbage --delete-older-than 5d
automatic = true; automatic = true;
persistent = true; persistent = true;
@@ -142,116 +122,28 @@
# randomizedDelaySec = "14m"; # randomizedDelaySec = "14m";
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
}; };
nix.settings.auto-optimise-store = !config.me.buildingIso; nix.settings.auto-optimise-store = !config.me.buildingPortable;
nix.settings.substituters = lib.mkForce [ ];
# Use doas instead of sudo environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
security.doas.enable = true;
security.doas.wheelNeedsPassword = false;
security.sudo.enable = false;
security.doas.extraRules = [
{
# Retain environment (for example NIX_PATH)
keepEnv = true;
persist = true; # Only ask for a password the first time.
}
];
environment.systemPackages = with pkgs; [
wget
mg
rsync
libinput
htop
tmux
file
usbutils # for lsusb
pciutils # for lspci
ripgrep
strace
# ltrace # Disabled because it uses more than 48GB of /tmp space during test phase.
trace-cmd # ftrace
tcpdump
git-crypt
gnumake
ncdu
nix-tree
libarchive # bsdtar
lsof
doas-sudo-shim # To support --sudo for remote builds
dmidecode # Read SMBIOS information.
ipcalc
gptfdisk # for cgdisk
nix-output-monitor # For better view into nixos-rebuild
nix-serve-ng # Serve nix store over http
];
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
hostKeys = [
{
path = "/persist/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/var/lib/iwd" # Wifi settings
"/var/lib/nixos" # Contains user information (uids/gids) "/var/lib/nixos" # Contains user information (uids/gids)
"/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
"/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
]; ];
files = [ files = [
"/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc" "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
]; ];
users.talexander = {
directories = [
{
directory = "persist";
user = "talexander";
group = "talexander";
mode = "0700";
}
];
};
}; };
# Write a list of the currently installed packages to /etc/current-system-packages # Write a list of the currently installed packages to /etc/current-system-packages
environment.etc."current-system-packages".text = # environment.etc."current-system-packages".text =
let # let
packages = builtins.map (p: "${p.name}") config.environment.systemPackages; # packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
sortedUnique = builtins.sort builtins.lessThan (lib.unique packages); # sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
formatted = builtins.concatStringsSep "\n" sortedUnique; # formatted = builtins.concatStringsSep "\n" sortedUnique;
in # in
formatted; # formatted;
# environment.etc."system-packages-with-source".text = builtins.concatStringsSep "\n\n" (
# builtins.map (
# x: x.file + "\n" + builtins.concatStringsSep "\n" (builtins.map (s: " " + s) x.value)
# ) config.environment.systemPackages.definitionsWithLocations
# );
# nixpkgs.overlays = [
# (final: prev: {
# nix = pkgs-unstable.nix;
# })
# ];
# nixpkgs.overlays = [ # nixpkgs.overlays = [
# (final: prev: { # (final: prev: {
@@ -259,10 +151,36 @@
# }) # })
# ]; # ];
# Copy the NixOS configuration file and link it from the resulting system nixpkgs.overlays =
# (/run/current-system/configuration.nix). This is useful in case you let
# accidentally delete configuration.nix. disableTests = (
# system.copySystemConfiguration = true; package_name:
(final: prev: {
"${package_name}" = prev."${package_name}".overrideAttrs (old: {
doCheck = false;
doInstallCheck = false;
});
})
);
in
[
(final: prev: {
imagemagick = prev.imagemagick.overrideAttrs (old: rec {
# 7.1.2-6 seems to no longer exist, so use 7.1.2-7
version = "7.1.2-7";
src = final.fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
tag = version;
hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
};
});
})
(final: prev: {
grub2 = (final.callPackage ./package/grub { });
})
];
# This option defines the first version of NixOS you have installed on this particular machine, # This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
@@ -282,5 +200,5 @@
# #
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
};
} }

48
nix/configuration/flake.lock generated
View File

@@ -22,11 +22,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758287904, "lastModified": 1764110879,
"narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=", "narHash": "sha256-xanUzIb0tf3kJ+PoOFmXEXV1jM3PjkDT/TQ5DYeNYRc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "67ff9807dd148e704baadbd4fd783b54282ca627", "rev": "aecba248f9a7d68c5d1ed15de2d1c8a4c994a3c5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -137,11 +137,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1759381078, "lastModified": 1763966396,
"narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -151,22 +151,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-dda3dcd3f": {
"locked": {
"lastModified": 1746663147,
"narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
"type": "github"
}
},
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1730741070, "lastModified": 1730741070,
@@ -183,22 +167,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unoptimized": {
"locked": {
"lastModified": 1759381078,
"narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks-nix": { "pre-commit-hooks-nix": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@@ -231,9 +199,7 @@
"disko": "disko", "disko": "disko",
"impermanence": "impermanence", "impermanence": "impermanence",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs"
"nixpkgs-dda3dcd3f": "nixpkgs-dda3dcd3f",
"nixpkgs-unoptimized": "nixpkgs-unoptimized"
} }
}, },
"rust-overlay": { "rust-overlay": {

302
nix/configuration/flake.nix
View File

@@ -1,39 +1,18 @@
# Build ISO image
# nix build --extra-experimental-features nix-command --extra-experimental-features flakes .#iso.odo
# output: result/iso/nixos.iso
# Run the ISO image
# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
# -accel kvm \
# -cpu host \
# -smp cores=8 \
# -m 32768 \
# -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
# -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" \
# -nic user,hostfwd=tcp::60022-:22 \
# -boot order=d \
# -cdrom "$(readlink -f ./result/iso/nixos*.iso)" \
# -display vnc=127.0.0.1:0
#
# doas cp "$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF_VARS.fd" /tmp/OVMF_VARS.fd
# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" -accel kvm -cpu host -smp cores=8 -m 32768 -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" -drive if=pflash,format=raw,file="/tmp/OVMF_VARS.fd" -nic user,hostfwd=tcp::60022-:22 -boot order=d -cdrom /persist/machine_setup/nix/configuration/result/iso/nixos*.iso -display vnc=127.0.0.1:0
# Get a repl for this flake # Get a repl for this flake
# nix repl --expr "builtins.getFlake \"$PWD\"" # nix repl --expr "builtins.getFlake \"$PWD\""
# TODO maybe use `nix eval --raw .#iso.odo.outPath` # TODO maybe use `nix eval --raw .#odo.iso.outPath`
# iso.odo.isoName == "nixos.iso"
# full path = <outPath> / iso / <isoName>
# #
# Install on a new machine: # Install on a new machine:
# #
# Set
# me.disko.enable = true;
# me.disko.offline.enable = true;
# #
# doas nix --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/odo/disk-config.nix # Run
# doas disko --mode destroy,format,mount hosts/recovery/disk-config.nix
# for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done # doas nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#recovery"
# nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#vm_ionlybootzfs"
#
{ {
description = "My system configuration"; description = "My system configuration";
@@ -41,12 +20,8 @@
inputs = { inputs = {
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-dda3dcd3f.url = "github:NixOS/nixpkgs/dda3dcd3fe03e991015e9a74b22d35950f264a54";
nixpkgs-unoptimized.url = "github:NixOS/nixpkgs/nixos-unstable";
lanzaboote = { lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2"; url = "github:nix-community/lanzaboote/v0.4.2";
# Optional but recommended to limit the size of your system closure.
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
disko = { disko = {
@@ -59,184 +34,139 @@
{ {
self, self,
nixpkgs, nixpkgs,
nixpkgs-unoptimized, disko,
nixpkgs-dda3dcd3f,
impermanence, impermanence,
lanzaboote, lanzaboote,
... ...
}@inputs: }:
let let
base_x86_64_linux = rec { forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
nodes = {
odo = {
system = "x86_64-linux"; system = "x86_64-linux";
};
odowork = {
system = "x86_64-linux";
};
quark = {
system = "x86_64-linux";
};
recovery = {
system = "x86_64-linux";
};
i_only_boot_zfs = {
system = "x86_64-linux";
};
};
nixosConfigs = builtins.mapAttrs (
hostname: nodeConfig: format:
nixpkgs.lib.nixosSystem {
specialArgs = { specialArgs = {
pkgs-dda3dcd3f = import nixpkgs-dda3dcd3f { inherit self;
inherit system;
}; this_nixos_config = self.nixosConfigurations."${hostname}";
pkgs-unoptimized = import nixpkgs-unoptimized {
inherit system; all_nixos_configs = self.nixosConfigurations;
hostPlatform.gcc.arch = "default";
hostPlatform.gcc.tune = "default";
};
}; };
modules = [ modules = [
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote lanzaboote.nixosModules.lanzaboote
inputs.disko.nixosModules.disko disko.nixosModules.disko
./configuration.nix ./configuration.nix
(./. + "/hosts/${hostname}")
(./. + "/formats/${format}.nix")
{
config = {
nixpkgs.hostPlatform.system = nodeConfig.system;
nixpkgs.overlays = [
(final: prev: {
# stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
unoptimized = import nixpkgs {
system = prev.stdenv.hostPlatform.system;
hostPlatform.gcc.arch = "default";
hostPlatform.gcc.tune = "default";
};
})
]; ];
}; };
systems = }
(
{
config,
lib,
pkgs,
...
}:
let let
additional_iso_modules = [ repl_path = toString ./.;
(nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix") nix-self-repl = pkgs.writeShellScriptBin "nix-self-repl" ''
# TODO: Figure out how to do image based appliances source /etc/set-environment
# (nixpkgs + "/nixos/modules/profiles/image-based-appliance.nix") nix repl "${repl_path}/repl.nix" "$@"
{ '';
isoImage.makeEfiBootable = true; # If we wanted the current version of a flake then we'd just launch
isoImage.makeUsbBootable = true; # nix repl
me.buildingIso = true; # and then run:
me.optimizations.enable = nixpkgs.lib.mkForce false; # :lf /path/to/flake
}
{
# These are big space hogs. The chance that I need them on an ISO is slim.
me.steam.enable = nixpkgs.lib.mkForce false;
me.pcsx2.enable = nixpkgs.lib.mkForce false;
}
];
additional_vm_modules = [
(nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
{
networking.dhcpcd.enable = true;
networking.useDHCP = true;
me.optimizations.enable = nixpkgs.lib.mkForce false;
}
{
# I don't need games on a virtual machine.
me.steam.enable = nixpkgs.lib.mkForce false;
me.pcsx2.enable = nixpkgs.lib.mkForce false;
me.sm64ex.enable = nixpkgs.lib.mkForce false;
me.shipwright.enable = nixpkgs.lib.mkForce false;
me.ship2harkinian.enable = nixpkgs.lib.mkForce false;
}
];
in in
{ {
odo = rec { config = {
main = base_x86_64_linux // { environment.systemPackages = lib.mkIf config.nix.enable [ nix-self-repl ];
modules = base_x86_64_linux.modules ++ [ };
./hosts/odo }
)
]; ];
}
) nodes;
installerConfig =
hostname: nodeConfig:
nixpkgs.lib.nixosSystem {
specialArgs = {
targetSystem = self.nixosConfigurations."${hostname}";
}; };
iso = main // { modules = [
modules = main.modules ++ additional_iso_modules; ./formats/installer.nix
}; (
vm = main // { {
modules = main.modules ++ additional_vm_modules; config,
}; lib,
vm_iso = main // { pkgs,
modules = main.modules ++ additional_vm_modules ++ additional_iso_modules; ...
}; }:
};
quark = rec {
main = base_x86_64_linux // {
modules = base_x86_64_linux.modules ++ [
./hosts/quark
];
};
iso = main // {
modules = main.modules ++ additional_iso_modules;
};
vm = main // {
modules = main.modules ++ additional_vm_modules;
};
vm_iso = main // {
modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
};
};
neelix = rec {
main = base_x86_64_linux // {
modules = base_x86_64_linux.modules ++ [
./hosts/neelix
];
};
iso = main // {
modules = main.modules ++ additional_iso_modules;
};
vm = main // {
modules = main.modules ++ additional_vm_modules;
};
vm_iso = main // {
modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
};
};
hydra =
let let
hydra_additional_iso_modules = additional_iso_modules ++ [ repl_path = toString ./.;
nix-self-repl = pkgs.writeShellScriptBin "nix-self-repl" ''
source /etc/set-environment
nix repl "${repl_path}/repl.nix" "$@"
'';
# If we wanted the current version of a flake then we'd just launch
# nix repl
# and then run:
# :lf /path/to/flake
in
{ {
me.optimizations.enable = true; config = {
environment.systemPackages = lib.mkIf config.nix.enable [ nix-self-repl ];
};
} }
)
({ nixpkgs.hostPlatform.system = nodeConfig.system; })
]; ];
in
rec {
main = base_x86_64_linux // {
modules = base_x86_64_linux.modules ++ [
./hosts/hydra
];
};
iso = main // {
modules = main.modules ++ hydra_additional_iso_modules;
};
vm = main // {
modules = main.modules ++ additional_vm_modules;
};
vm_iso = main // {
modules = main.modules ++ additional_vm_modules ++ hydra_additional_iso_modules;
};
};
ionlybootzfs = rec {
main = base_x86_64_linux // {
modules = base_x86_64_linux.modules ++ [
./hosts/ionlybootzfs
];
};
iso = main // {
modules = main.modules ++ additional_iso_modules;
};
vm = main // {
modules = main.modules ++ additional_vm_modules;
};
vm_iso = main // {
modules = main.modules ++ additional_vm_modules ++ additional_iso_modules;
};
};
}; };
in in
{ {
nixosConfigurations.odo = nixpkgs.lib.nixosSystem systems.odo.main; nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs);
iso.odo = (nixpkgs.lib.nixosSystem systems.odo.iso).config.system.build.isoImage; }
nixosConfigurations.vm_odo = nixpkgs.lib.nixosSystem systems.odo.vm; // {
vm_iso.odo = (nixpkgs.lib.nixosSystem systems.odo.vm_iso).config.system.build.isoImage; packages = (
forAllSystems (
nixosConfigurations.quark = nixpkgs.lib.nixosSystem systems.quark.main; system:
iso.quark = (nixpkgs.lib.nixosSystem systems.quark.iso).config.system.build.isoImage; (builtins.mapAttrs (hostname: nodeConfig: {
nixosConfigurations.vm_quark = nixpkgs.lib.nixosSystem systems.quark.vm; iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage;
vm_iso.quark = (nixpkgs.lib.nixosSystem systems.quark.vm_iso).config.system.build.isoImage; vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage;
sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage;
nixosConfigurations.neelix = nixpkgs.lib.nixosSystem systems.neelix.main; installer = (installerConfig hostname nodes."${hostname}").config.system.build.isoImage;
iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.iso).config.system.build.isoImage; }) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes))
nixosConfigurations.vm_neelix = nixpkgs.lib.nixosSystem systems.neelix.vm; )
vm_iso.neelix = (nixpkgs.lib.nixosSystem systems.neelix.vm_iso).config.system.build.isoImage; );
nixosConfigurations.hydra = nixpkgs.lib.nixosSystem systems.hydra.main;
iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.iso).config.system.build.isoImage;
nixosConfigurations.vm_hydra = nixpkgs.lib.nixosSystem systems.hydra.vm;
vm_iso.hydra = (nixpkgs.lib.nixosSystem systems.hydra.vm_iso).config.system.build.isoImage;
nixosConfigurations.ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.main;
iso.ionlybootzfs = (nixpkgs.lib.nixosSystem systems.ionlybootzfs.iso).config.system.build.isoImage;
nixosConfigurations.vm_ionlybootzfs = nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm;
vm_iso.ionlybootzfs =
(nixpkgs.lib.nixosSystem systems.ionlybootzfs.vm_iso).config.system.build.isoImage;
}; };
} }

73
nix/configuration/formats/installer.nix Normal file
View File

@@ -0,0 +1,73 @@
{
config,
pkgs,
lib,
modulesPath,
targetSystem,
...
}:
let
installer = pkgs.writeShellApplication {
name = "installer";
runtimeInputs = with pkgs; [
# clevis
dosfstools
e2fsprogs
gawk
nixos-install-tools
util-linux
config.nix.package
];
text = ''
set -euo pipefail
${targetSystem.config.system.build.diskoScript}
nixos-install --no-channel-copy --no-root-password --option substituters "" --system ${targetSystem.config.system.build.toplevel}
'';
};
installerFailsafe = pkgs.writeShellScript "failsafe" ''
${lib.getExe installer} || echo "ERROR: Installation failure!"
sleep 3600
'';
in
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
(modulesPath + "/profiles/all-hardware.nix")
];
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_17;
boot.zfs.package = pkgs.zfs_unstable;
boot.kernelParams = [
"quiet"
"systemd.unit=getty.target"
];
boot.supportedFilesystems.zfs = true;
boot.initrd.systemd.enable = true;
networking.hostId = "04581ecf";
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
isoImage.squashfsCompression = "zstd -Xcompression-level 15";
environment.systemPackages = [
installer
];
systemd.services."getty@tty1" = {
overrideStrategy = "asDropin";
serviceConfig = {
ExecStart = [
""
installerFailsafe
];
Restart = "no";
StandardInput = "null";
};
};
# system.stateVersion = lib.mkDefault lib.trivial.release;
system.stateVersion = "24.11";
}

36
nix/configuration/formats/iso.nix Normal file
View File

@@ -0,0 +1,36 @@
{
config,
lib,
modulesPath,
pkgs,
...
}:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
networking.dhcpcd.enable = true;
networking.useDHCP = true;
me.buildingPortable = true;
me.disko.enable = true;
me.disko.offline.enable = true;
me.mountPersistence = lib.mkForce false;
# me.optimizations.enable = lib.mkForce false;
# Not doing image_based_appliance because this might be an install ISO, in which case we'd need nix to do the install.
# me.image_based_appliance.enable = true;
# TODO: Should I use this instead of doing a mkIf for the disk config?
# disko.enableConfig = false;
# Faster image generation for testing/development.
isoImage.squashfsCompression = "zstd -Xcompression-level 15";
};
}

32
nix/configuration/formats/sd.nix Normal file
View File

@@ -0,0 +1,32 @@
{
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/sd-card/sd-image.nix")
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# TODO: image based appliance?
# TODO: Maybe this?
# fileSystems = {
# "/" = {
# device = "/dev/disk/by-label/NIXOS_SD";
# fsType = "ext4";
# options = [
# "noatime"
# "norelatime"
# ];
# };
# };
};
}

1
nix/configuration/formats/toplevel.nix Normal file
View File

@@ -0,0 +1 @@
{ }

22
nix/configuration/formats/vm_iso.nix Normal file
View File

@@ -0,0 +1,22 @@
{
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
(modulesPath + "/profiles/qemu-guest.nix") # VirtIO kernel modules
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
networking.dhcpcd.enable = true;
networking.useDHCP = true;
me.image_based_appliance.enable = true;
};
}

25
nix/configuration/hosts/hydra/default.nix
View File

@@ -14,12 +14,6 @@
# -display vnc=127.0.0.1:0 # -display vnc=127.0.0.1:0
# #
{
config,
lib,
pkgs,
...
}:
{ {
imports = [ imports = [
./disk-config.nix ./disk-config.nix
@@ -27,6 +21,7 @@
./vm_disk.nix ./vm_disk.nix
]; ];
config = {
# Generate with `head -c4 /dev/urandom | od -A none -t x4` # Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "fbd233d8"; networking.hostId = "fbd233d8";
@@ -35,7 +30,8 @@
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
me.secureBoot.enable = false; me.boot.secure = false;
me.mountPersistence = true;
me.optimizations = { me.optimizations = {
enable = true; enable = true;
@@ -43,6 +39,7 @@
system_features = [ system_features = [
"gccarch-znver4" "gccarch-znver4"
"gccarch-skylake" "gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG # "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3" "gccarch-x86-64-v3"
"gccarch-x86-64-v4" "gccarch-x86-64-v4"
@@ -56,12 +53,26 @@
# Mount tmpfs at /tmp # Mount tmpfs at /tmp
boot.tmp.useTmpfs = true; boot.tmp.useTmpfs = true;
me.base.enable = true;
me.boot.enable = true;
me.doas.enable = true;
me.emacs_flavor = "plainmacs"; me.emacs_flavor = "plainmacs";
me.firewall.enable = true;
me.font.enable = true;
me.git.enable = true;
me.graphical = false; me.graphical = false;
me.hydra.enable = false; me.hydra.enable = false;
me.memtest.enable = true;
me.network.enable = true;
me.nix_worker.enable = true; me.nix_worker.enable = true;
me.nvme.enable = true;
me.ssh.enable = true;
me.sshd.enable = true;
me.user.enable = true;
me.vm_disk.enable = true; me.vm_disk.enable = true;
me.wireguard.activated = [ ]; me.wireguard.activated = [ ];
me.wireguard.deactivated = [ ]; me.wireguard.deactivated = [ ];
me.zfs.enable = true;
me.zsh.enable = true; me.zsh.enable = true;
};
} }

1
nix/configuration/hosts/hydra/disk-config.nix
View File

@@ -4,7 +4,6 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:

8
nix/configuration/hosts/hydra/hardware-configuration.nix
View File

@@ -1,10 +1,5 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ {
config,
lib, lib,
pkgs,
modulesPath, modulesPath,
... ...
}: }:
@@ -14,6 +9,7 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
config = {
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"xhci_pci" "xhci_pci"
"nvme" "nvme"
@@ -35,5 +31,5 @@
networking.interfaces.enp0s2.useDHCP = lib.mkForce true; networking.interfaces.enp0s2.useDHCP = lib.mkForce true;
# systemd.network.enable = true; # systemd.network.enable = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; };
} }

9
nix/configuration/hosts/hydra/vm_disk.nix
View File

@@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
@@ -17,9 +16,7 @@
}; };
}; };
config = lib.mkIf config.me.vm_disk.enable ( config = lib.mkIf config.me.vm_disk.enable {
lib.mkMerge [
{
# Mount the local disk # Mount the local disk
fileSystems = { fileSystems = {
"/.disk" = lib.mkForce { "/.disk" = lib.mkForce {
@@ -71,7 +68,5 @@
]; ];
}; };
}; };
} };
]
);
} }

13
nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=i_only_boot_zfs
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=i_only_boot_zfs
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/i_only_boot_zfs/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

63
nix/configuration/hosts/i_only_boot_zfs/default.nix Normal file
View File

@@ -0,0 +1,63 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./wrapped-disk-config.nix
./distributed_build.nix
./power_management.nix
];
config = {
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "6a05d86e";
networking.hostName = "i_only_boot_zfs"; # Define your hostname.
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
# Toggle to start writing the extlinux config which will be used by zfsbootmenu
# boot.loader.generic-extlinux-compatible.enable = true;
# boot.loader.systemd-boot.enable = lib.mkForce false;
me.optimizations = {
# enable = true;
# arch = "kabylake";
# build_arch = "x86-64-v3";
system_features = [
# "gccarch-kabylake"
"gccarch-x86-64-v3"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Early KMS
# boot.initrd.kernelModules = [ "amdgpu" ];
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# Even when installed, we want to dhcp because this is for a VM.
networking.dhcpcd.enable = true;
networking.useDHCP = true;
me.build_in_ram.enable = true;
me.dont_use_substituters.enable = true;
me.minimal_base.enable = true;
};
}

155
nix/configuration/hosts/i_only_boot_zfs/disk-config.nix Normal file
View File

@@ -0,0 +1,155 @@
# Manual Step:
# Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
# Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
ESP = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/efi";
mountOptions = [
"umask=0077"
"noatime"
"discard"
];
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
# mode = "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
options = {
ashift = "12";
compatibility = "openzfs-2.2-freebsd";
autotrim = "on";
};
rootFsOptions = {
acltype = "posixacl";
atime = "off";
relatime = "off";
xattr = "sa";
mountpoint = "none";
compression = "lz4";
canmount = "off";
utf8only = "on";
dnodesize = "auto";
normalization = "formD";
};
datasets = {
"linux/nix" = {
type = "zfs_fs";
options.mountpoint = "none";
options = {
# encryption = "aes-256-gcm";
# keyformat = "passphrase";
# keylocation = "file:///tmp/secret.key";
};
};
"linux/nix/root" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
};
"linux/nix/boot" = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"org.zfsbootmenu:active" = "on";
};
mountpoint = "/boot";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
};
"linux/nix/nix" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/nix";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
options = {
recordsize = "16MiB";
compression = "zstd-19";
};
};
"linux/nix/home" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/home";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
};
"linux/nix/persist" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/persist";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
};
"linux/nix/state" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/state";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
};
};
};
};
};
# Make sure all persistent volumes are marked as neededForBoot
#
# Also mounts /home so it is mounted before the user home directories are created.
fileSystems."/persist".neededForBoot = true;
fileSystems."/state".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/".options = [
"noatime"
"norelatime"
];
fileSystems."/boot".options = [
"noatime"
"norelatime"
];
fileSystems."/nix".options = [
"noatime"
"norelatime"
];
fileSystems."/persist".options = [
"noatime"
"norelatime"
];
fileSystems."/state".options = [
"noatime"
"norelatime"
];
fileSystems."/home".options = [
"noatime"
"norelatime"
];
# Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
# boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
}

13
nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix Normal file
View File

@@ -0,0 +1,13 @@
{
imports = [ ];
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.quark = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
};
}

33
nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,33 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

63
nix/configuration/hosts/i_only_boot_zfs/power_management.nix Normal file
View File

@@ -0,0 +1,63 @@
{
pkgs,
...
}:
{
imports = [ ];
config = {
environment.systemPackages = with pkgs; [
powertop
];
# pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
# nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
boot.kernelParams = [
"pcie_aspm=force"
# "pcie_aspm.policy=powersupersave"
"nowatchdog"
];
systemd.tmpfiles.rules = [
"w- /sys/firmware/acpi/platform_profile - - - - low-power"
"w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
];
boot.extraModprobeConfig = ''
# Sound power-saving was causing chat notifications to be inaudible.
# options snd_hda_intel power_save=1
'';
};
}

7
nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix Normal file
View File

@@ -0,0 +1,7 @@
{
config,
lib,
...
}:
lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

17
nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT
View File

@@ -1,17 +0,0 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
#TARGET=10.216.1.14
# TARGET=192.168.211.250
TARGET="ionlybootzfs"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs'

17
nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH
View File

@@ -1,17 +0,0 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
#TARGET=10.216.1.14
# TARGET=192.168.211.250
TARGET=ionlybootzfs
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs'

63
nix/configuration/hosts/ionlybootzfs/default.nix
View File

@@ -1,63 +0,0 @@
#
# Testing:
# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
# -accel kvm \
# -cpu host \
# -smp cores=8 \
# -m 32768 \
# -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
# -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
# -device nvme,serial=deadbeef,drive=nvm \
# -nic user,hostfwd=tcp::60022-:22 \
# -boot order=d \
# -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
# -display vnc=127.0.0.1:0
#
{
config,
lib,
pkgs,
...
}:
{
imports = [
./wrapped-disk-config.nix
./hardware-configuration.nix
];
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "fbd233d8";
networking.hostName = "ionlybootzfs"; # Define your hostname.
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.secureBoot.enable = true;
me.optimizations = {
enable = false;
arch = "znver4";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
me.emacs_flavor = "plainmacs";
me.graphical = false;
me.wireguard.activated = [ ];
me.wireguard.deactivated = [ ];
me.zsh.enable = true;
}

38
nix/configuration/hosts/ionlybootzfs/hardware-configuration.nix
View File

@@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.dhcpcd.enable = lib.mkForce true;
networking.useDHCP = lib.mkForce true;
# systemd.network.enable = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

131
nix/configuration/hosts/ionlybootzfs/optimized_build.nix
View File

@@ -1,131 +0,0 @@
{
config,
lib,
pkgs,
pkgs-unoptimized,
...
}:
{
imports = [ ];
config = lib.mkMerge [
{ }
(lib.mkIf (!config.me.optimizations.enable) {
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_14;
})
(lib.mkIf (config.me.optimizations.enable) {
nixpkgs.hostPlatform = {
gcc.arch = "znver4";
gcc.tune = "znver4";
system = "x86_64-linux";
};
nixpkgs.overlays = [
(
final: prev:
let
addConfig =
additionalConfig: pkg:
pkg.override (oldconfig: {
structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
});
in
{
linux_me = addConfig {
# Full preemption
PREEMPT = lib.mkOverride 60 lib.kernel.yes;
PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
# Google's BBRv3 TCP congestion Control
TCP_CONG_BBR = lib.kernel.yes;
DEFAULT_BBR = lib.kernel.yes;
# Preemptive Full Tickless Kernel at 300Hz
HZ = lib.kernel.freeform "300";
HZ_300 = lib.kernel.yes;
HZ_1000 = lib.kernel.no;
} prev.linux_6_14;
# gsl = prev.gsl.overrideAttrs (old: {
# # gsl tests fails when optimizations are enabled.
# # > FAIL: cholesky_invert unscaled hilbert ( 4, 4)[0,2]: 2.55795384873636067e-13 0
# # > (2.55795384873636067e-13 observed vs 0 expected) [28259614]
# doCheck = false;
# });
}
)
(final: prev: {
haskellPackages = prev.haskellPackages.extend (
final': prev': {
inherit (pkgs-unoptimized.haskellPackages)
crypton
crypton-connection
crypton-x509
crypton-x509-store
crypton-x509-system
crypton-x509-validation
hspec-wai
http-client-tls
http2
pandoc
pandoc-cli
pandoc-lua-engine
pandoc-server
servant-server
tls
wai-app-static
wai-extra
warp
;
}
);
})
(final: prev: {
inherit (pkgs-unoptimized)
gsl
redis
valkey
;
})
];
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
})
(lib.mkIf (!config.me.buildingIso) {
nix.settings.system-features = lib.mkForce [
"gccarch-znver4"
"gccarch-skylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
# Keep ALL dependencies so we can rebuild offline. This DRASTICALLY increase disk usage, but disk space is cheap.
# system.includeBuildDependencies = true;
# This also should enable building offline? TODO: test.
nix.extraOptions = ''
keep-outputs = true
keep-derivations = true
'';
# # building ON
# nixpkgs.localSystem = { system = "aarch64-linux"; };
# # building FOR
# nixpkgs.crossSystem = { system = "aarch64-linux"; };
# nixpkgs.config = {
# replaceStdenv = ({ pkgs }: pkgs.clangStdenv);
# };
# or maybe an overlay
# stdenv = prev.clangStdenv;
})
(lib.mkIf (config.me.buildingIso) {
boot.supportedFilesystems.zfs = true;
})
];
}

8
nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix
View File

@@ -1,8 +0,0 @@
{
config,
lib,
pkgs,
...
}:
lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)

19
nix/configuration/hosts/neelix/default.nix
View File

@@ -6,6 +6,7 @@
./power_management.nix ./power_management.nix
]; ];
config = {
# Generate with `head -c4 /dev/urandom | od -A none -t x4` # Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "bca9d0a5"; networking.hostId = "bca9d0a5";
@@ -14,7 +15,8 @@
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
me.secureBoot.enable = false; me.boot.secure = false;
me.mountPersistence = true;
me.optimizations = { me.optimizations = {
enable = false; enable = false;
@@ -36,16 +38,29 @@
# Mount tmpfs at /tmp # Mount tmpfs at /tmp
# boot.tmp.useTmpfs = true; # boot.tmp.useTmpfs = true;
me.base.enable = true;
me.bluetooth.enable = true; me.bluetooth.enable = true;
me.boot.enable = true;
me.doas.enable = true;
me.emacs_flavor = "plainmacs"; me.emacs_flavor = "plainmacs";
me.firewall.enable = true;
me.font.enable = true;
me.git.enable = true;
me.graphical = true; me.graphical = true;
me.graphics_card_type = "intel"; me.graphics_card_type = "intel";
me.kodi.enable = true; me.kodi.enable = true;
me.lvfs.enable = true; me.lvfs.enable = true;
me.memtest.enable = true;
me.network.enable = true;
me.nvme.enable = true;
me.sound.enable = true; me.sound.enable = true;
me.ssh.enable = true;
me.sshd.enable = true;
me.user.enable = true;
me.wireguard.activated = [ "wgh" ]; me.wireguard.activated = [ "wgh" ];
me.wireguard.deactivated = [ "wgf" ]; me.wireguard.deactivated = [ "wgf" ];
me.zfs.enable = true;
me.zrepl.enable = true; me.zrepl.enable = true;
me.zsh.enable = true; me.zsh.enable = true;
};
} }

7
nix/configuration/hosts/neelix/hardware-configuration.nix
View File

@@ -1,10 +1,6 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ {
config, config,
lib, lib,
pkgs,
modulesPath, modulesPath,
... ...
}: }:
@@ -14,6 +10,7 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
config = {
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"xhci_pci" "xhci_pci"
"nvme" "nvme"
@@ -34,6 +31,6 @@
# networking.interfaces.eno1.useDHCP = lib.mkDefault true; # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
} }

4
nix/configuration/hosts/neelix/power_management.nix
View File

@@ -1,6 +1,4 @@
{ {
config,
lib,
pkgs, pkgs,
... ...
}: }:
@@ -8,6 +6,7 @@
{ {
imports = [ ]; imports = [ ];
config = {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
powertop powertop
]; ];
@@ -32,4 +31,5 @@
boot.extraModprobeConfig = '' boot.extraModprobeConfig = ''
options snd_hda_intel power_save=1 options snd_hda_intel power_save=1
''; '';
};
} }

4
nix/configuration/hosts/odo/DEPLOY_BOOT
View File

@@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}" : "${JOBS:="1"}"
# TARGET=10.216.1.15
# TARGET=192.168.211.250
TARGET=odo TARGET=odo
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#odo'

4
nix/configuration/hosts/odo/DEPLOY_SWITCH
View File

@@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}" : "${JOBS:="1"}"
#TARGET=10.216.1.14
# TARGET=192.168.211.250
TARGET=odo TARGET=odo
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#odo'

2
nix/configuration/hosts/odo/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}" : "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.odo" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

37
nix/configuration/hosts/odo/default.nix
View File

@@ -24,14 +24,27 @@
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
me.secureBoot.enable = true; me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
# Toggle to start writing the extlinux config which will be used by zfsbootmenu
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
me.rollback.dataset = [
"zroot/linux/nix/root@blank"
"zroot/linux/nix/home@blank"
];
me.optimizations = { me.optimizations = {
enable = true; enable = true;
arch = "znver4"; arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [ system_features = [
"gccarch-znver4" "gccarch-znver4"
"gccarch-skylake" "gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG # "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3" "gccarch-x86-64-v3"
"gccarch-x86-64-v4" "gccarch-x86-64-v4"
@@ -59,59 +72,78 @@
# Enable TRIM # Enable TRIM
# services.fstrim.enable = lib.mkDefault true; # services.fstrim.enable = lib.mkDefault true;
# Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
nix.daemonCPUSchedPolicy = "idle";
me.alacritty.enable = true; me.alacritty.enable = true;
me.amd_s2idle.enable = true; me.amd_s2idle.enable = true;
me.ansible.enable = true; me.ansible.enable = true;
me.ares.enable = true; me.ares.enable = true;
me.base.enable = true;
me.bluetooth.enable = true; me.bluetooth.enable = true;
me.build_in_ram.enable = true;
me.chromecast.enable = true; me.chromecast.enable = true;
me.chromium.enable = true; me.chromium.enable = true;
me.d2.enable = true; me.d2.enable = true;
me.direnv.enable = true; me.direnv.enable = true;
me.doas.enable = true;
me.docker.enable = false; me.docker.enable = false;
me.dont_use_substituters.enable = true;
me.ecc.enable = false; me.ecc.enable = false;
me.emacs_flavor = "full"; me.emacs_flavor = "full";
me.emulate_isa.enable = true; me.emulate_isa.enable = true;
me.firefox.enable = true; me.firefox.enable = true;
me.firewall.enable = true;
me.flux.enable = true; me.flux.enable = true;
me.font.enable = true;
me.gcloud.enable = true; me.gcloud.enable = true;
me.git.config = ../../roles/git/files/gitconfig_home; me.git.config = ../../roles/git/files/gitconfig_home;
me.git.enable = true;
me.gnuplot.enable = true; me.gnuplot.enable = true;
me.gpg.enable = true; me.gpg.enable = true;
me.graphical = true; me.graphical = true;
me.graphics_card_type = "amd"; me.graphics_card_type = "amd";
me.iso_mount.enable = true; me.iso_mount.enable = true;
me.jujutsu.enable = true;
me.kanshi.enable = false; me.kanshi.enable = false;
me.kubernetes.enable = true; me.kubernetes.enable = true;
me.latex.enable = true; me.latex.enable = true;
me.launch_keyboard.enable = true; me.launch_keyboard.enable = true;
me.lvfs.enable = true; me.lvfs.enable = true;
me.media.enable = true; me.media.enable = true;
me.memtest.enable = true;
me.network.enable = true;
me.nix_index.enable = true; me.nix_index.enable = true;
me.nvme.enable = true;
me.openpgp_card_tools.enable = true; me.openpgp_card_tools.enable = true;
me.pcsx2.enable = true; me.pcsx2.enable = true;
me.podman.enable = true; me.podman.enable = true;
me.python.enable = true; me.python.enable = true;
me.qemu.enable = true; me.qemu.enable = true;
me.recovery.enable = true;
me.rpcs3.enable = true; me.rpcs3.enable = true;
me.rust.enable = true; me.rust.enable = true;
me.sequoia.enable = true; me.sequoia.enable = true;
me.shadps4.enable = true; me.shadps4.enable = false;
me.shikane.enable = true; me.shikane.enable = true;
me.sops.enable = true; me.sops.enable = true;
me.sound.enable = true; me.sound.enable = true;
me.spaghettikart.enable = true; me.spaghettikart.enable = true;
me.ssh.enable = true;
me.sshd.enable = true;
me.steam.enable = true; me.steam.enable = true;
me.steam_run_free.enable = true; me.steam_run_free.enable = true;
me.sway.enable = true; me.sway.enable = true;
me.tekton.enable = true; me.tekton.enable = true;
me.terraform.enable = true; me.terraform.enable = true;
me.thunderbolt.enable = true; me.thunderbolt.enable = true;
me.user.enable = true;
me.uutils.enable = false; me.uutils.enable = false;
me.vnc_client.enable = true; me.vnc_client.enable = true;
me.vscode.enable = true; me.vscode.enable = true;
me.wasm.enable = true; me.wasm.enable = true;
me.waybar.enable = true; me.waybar.enable = true;
me.wine.enable = false;
me.wireguard.activated = [ me.wireguard.activated = [
"drmario" "drmario"
"wgh" "wgh"
@@ -119,6 +151,7 @@
]; ];
me.wireguard.deactivated = [ "wgf" ]; me.wireguard.deactivated = [ "wgf" ];
me.yubikey.enable = true; me.yubikey.enable = true;
me.zfs.enable = true;
me.zrepl.enable = true; me.zrepl.enable = true;
me.zsh.enable = true; me.zsh.enable = true;

15
nix/configuration/hosts/odo/disk-config.nix
View File

@@ -17,7 +17,7 @@
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
mountpoint = "/boot"; mountpoint = "/efi";
mountOptions = [ mountOptions = [
"umask=0077" "umask=0077"
"noatime" "noatime"
@@ -76,6 +76,15 @@
mountpoint = "/"; mountpoint = "/";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank"; postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
}; };
"linux/nix/boot" = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"org.zfsbootmenu:active" = "on";
};
mountpoint = "/boot";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/boot@blank$' || zfs snapshot zroot/linux/nix/boot@blank";
};
"linux/nix/nix" = { "linux/nix/nix" = {
type = "zfs_fs"; type = "zfs_fs";
options.mountpoint = "legacy"; options.mountpoint = "legacy";
@@ -120,6 +129,10 @@
"noatime" "noatime"
"norelatime" "norelatime"
]; ];
fileSystems."/boot".options = [
"noatime"
"norelatime"
];
fileSystems."/nix".options = [ fileSystems."/nix".options = [
"noatime" "noatime"
"norelatime" "norelatime"

18
nix/configuration/hosts/odo/distributed_build.nix
View File

@@ -1,27 +1,13 @@
{
config,
lib,
pkgs,
...
}:
{ {
imports = [ ]; imports = [ ];
config = lib.mkMerge [ config = {
{
me.distributed_build.enable = true; me.distributed_build.enable = true;
me.distributed_build.machines.hydra = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
me.distributed_build.machines.quark = { me.distributed_build.machines.quark = {
enable = true; enable = true;
additional_config = { additional_config = {
speedFactor = 2; speedFactor = 2;
}; };
}; };
} };
];
} }

8
nix/configuration/hosts/odo/framework_module.nix
View File

@@ -1,15 +1,12 @@
{ {
config, config,
lib,
pkgs,
... ...
}: }:
{ {
imports = [ ]; imports = [ ];
config = lib.mkMerge [ config = {
{
boot.extraModulePackages = with config.boot.kernelPackages; [ boot.extraModulePackages = with config.boot.kernelPackages; [
framework-laptop-kmod framework-laptop-kmod
]; ];
@@ -18,6 +15,5 @@
"cros_ec" "cros_ec"
"cros_ec_lpcs" "cros_ec_lpcs"
]; ];
} };
];
} }

7
nix/configuration/hosts/odo/hardware-configuration.nix
View File

@@ -1,10 +1,6 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ {
config, config,
lib, lib,
pkgs,
modulesPath, modulesPath,
... ...
}: }:
@@ -14,6 +10,7 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
config = {
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"nvme" "nvme"
"xhci_pci" "xhci_pci"
@@ -31,6 +28,6 @@
# networking.interfaces.eno1.useDHCP = lib.mkDefault true; # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
} }

4
nix/configuration/hosts/odo/power_management.nix
View File

@@ -1,6 +1,4 @@
{ {
config,
lib,
pkgs, pkgs,
... ...
}: }:
@@ -8,6 +6,7 @@
{ {
imports = [ ]; imports = [ ];
config = {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
powertop powertop
]; ];
@@ -72,4 +71,5 @@
# Sound power-saving was causing chat notifications to be inaudible. # Sound power-saving was causing chat notifications to be inaudible.
# options snd_hda_intel power_save=1 # options snd_hda_intel power_save=1
''; '';
};
} }

11
nix/configuration/hosts/odo/screen_brightness.nix
View File

@@ -1,14 +1,9 @@
{
config,
lib,
pkgs,
...
}:
{ {
imports = [ ]; imports = [ ];
config = {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 21845" "w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 32767"
]; ];
};
} }

12
nix/configuration/hosts/odo/wifi.nix
View File

@@ -1,19 +1,7 @@
{
config,
lib,
pkgs,
...
}:
{ {
imports = [ ]; imports = [ ];
config = { config = {
# Doesn't seem necessary starting with 6.13
# environment.loginShellInit = lib.mkIf (!config.me.buildingIso) ''
# doas iw dev wlan0 set power_save off
# '';
# Enable debug logging for ath12k wifi card. # Enable debug logging for ath12k wifi card.
boot.kernelParams = [ boot.kernelParams = [
"ath12k.debug_mask=0xffffffff" "ath12k.debug_mask=0xffffffff"

3
nix/configuration/hosts/odo/wrapped-disk-config.nix
View File

@@ -1,8 +1,7 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix) lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

11
nix/configuration/hosts/odowork/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,11 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=odowork
nixos-rebuild boot --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

11
nix/configuration/hosts/odowork/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,11 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=odowork
nixos-rebuild switch --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

9
nix/configuration/hosts/odowork/INSTALLER Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.installer" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

2
nix/yubipi/hosts/yubipi/ISO → nix/configuration/hosts/odowork/ISO
View File

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}" : "${JOBS:="1"}"
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#nixosConfigurations.yubipi.config.system.build.sdImage" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

9
nix/configuration/hosts/odowork/SELF_BOOT Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json

9
nix/configuration/hosts/odowork/SELF_BUILD Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json

9
nix/configuration/hosts/odowork/SELF_SWITCH Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json

149
nix/configuration/hosts/odowork/default.nix Normal file
View File

@@ -0,0 +1,149 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./wrapped-disk-config.nix
./distributed_build.nix
./power_management.nix
./screen_brightness.nix
./wifi.nix
./framework_module.nix
./ssh_config.nix
];
config = {
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "133cb66e";
networking.hostName = "odowork"; # Define your hostname.
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
# Toggle to start writing the extlinux config which will be used by zfsbootmenu
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
me.rollback.dataset = [
"zroot/linux/nixwork/root@blank"
"zroot/linux/nixwork/home@blank"
];
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Early KMS
boot.initrd.kernelModules = [ "amdgpu" ];
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
environment.systemPackages = with pkgs; [
fw-ectool
framework-tool
];
# Enable light sensor
# hardware.sensor.iio.enable = lib.mkDefault true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
nix.daemonCPUSchedPolicy = "idle";
fonts.enableDefaultPackages = lib.mkForce true;
fonts.packages = with pkgs; [
corefonts
];
allowedUnfree = [ "corefonts" ];
me.alacritty.enable = true;
me.amd_s2idle.enable = true;
me.ansible.enable = true;
me.base.enable = true;
me.bluetooth.enable = true;
me.build_in_ram.enable = true;
me.chromium.enable = true;
me.d2.enable = true;
me.direnv.enable = true;
me.doas.enable = true;
me.docker.enable = false;
me.dont_use_substituters.enable = true;
me.emacs_flavor = "full";
me.firefox.enable = true;
me.firewall.enable = true;
me.font.enable = true;
me.gcloud.enable = true;
me.git.config = ../../roles/git/files/gitconfig_work;
me.git.enable = true;
me.gnome_keyring.enable = true;
me.gnuplot.enable = true;
me.gpg.enable = true;
me.graphical = true;
me.graphics_card_type = "amd";
me.iso_mount.enable = true;
me.jujutsu.enable = true;
me.latex.enable = true;
me.launch_keyboard.enable = true;
me.lvfs.enable = true;
me.media.enable = true;
me.memtest.enable = true;
me.network.enable = true;
me.nix_index.enable = true;
me.nvme.enable = true;
me.openpgp_card_tools.enable = true;
me.podman.enable = true;
me.python.enable = true;
me.rust.enable = true;
me.sequoia.enable = true;
me.shikane.enable = true;
me.sops.enable = true;
me.sound.enable = true;
me.ssh.enable = true;
me.sshd.enable = true;
me.steam_run_free.enable = true;
me.sway.enable = true;
me.terraform.enable = true;
me.thunderbolt.enable = true;
me.user.enable = true;
me.vscode.enable = true;
me.vscode.enable_work_profile = true;
me.waybar.enable = true;
me.wireguard.activated = [
"wgh"
];
me.wireguard.deactivated = [
"wgf"
"colo"
];
me.yubikey.enable = true;
me.zfs.enable = true;
me.zrepl.enable = true;
me.zsh.enable = true;
};
}

155
nix/configuration/hosts/odowork/disk-config.nix Normal file
View File

@@ -0,0 +1,155 @@
# Manual Step:
# Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
# Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
ESP = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/efi";
mountOptions = [
"umask=0077"
"noatime"
"discard"
];
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
# mode = "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
options = {
ashift = "12";
compatibility = "openzfs-2.2-freebsd";
autotrim = "on";
};
rootFsOptions = {
acltype = "posixacl";
atime = "off";
relatime = "off";
xattr = "sa";
mountpoint = "none";
compression = "lz4";
canmount = "off";
utf8only = "on";
dnodesize = "auto";
normalization = "formD";
};
datasets = {
"linux/nixwork" = {
type = "zfs_fs";
options.mountpoint = "none";
options = {
encryption = "aes-256-gcm";
keyformat = "passphrase";
# keylocation = "file:///tmp/secret.key";
};
};
"linux/nixwork/root" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/root@blank$' || zfs snapshot zroot/linux/nixwork/root@blank";
};
"linux/nixwork/boot" = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"org.zfsbootmenu:active" = "on";
};
mountpoint = "/boot";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/boot@blank$' || zfs snapshot zroot/linux/nixwork/boot@blank";
};
"linux/nixwork/nix" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/nix";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/nix@blank$' || zfs snapshot zroot/linux/nixwork/nix@blank";
options = {
recordsize = "16MiB";
compression = "zstd-19";
};
};
"linux/nixwork/home" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/home";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/home@blank$' || zfs snapshot zroot/linux/nixwork/home@blank";
};
"linux/nixwork/persist" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/persist";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/persist@blank$' || zfs snapshot zroot/linux/nixwork/persist@blank";
};
"linux/nixwork/state" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/state";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nixwork/state@blank$' || zfs snapshot zroot/linux/nixwork/state@blank";
};
};
};
};
};
# Make sure all persistent volumes are marked as neededForBoot
#
# Also mounts /home so it is mounted before the user home directories are created.
fileSystems."/persist".neededForBoot = true;
fileSystems."/state".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/".options = [
"noatime"
"norelatime"
];
fileSystems."/boot".options = [
"noatime"
"norelatime"
];
fileSystems."/nix".options = [
"noatime"
"norelatime"
];
fileSystems."/persist".options = [
"noatime"
"norelatime"
];
fileSystems."/state".options = [
"noatime"
"norelatime"
];
fileSystems."/home".options = [
"noatime"
"norelatime"
];
# Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nixwork" ];
}

13
nix/configuration/hosts/odowork/distributed_build.nix Normal file
View File

@@ -0,0 +1,13 @@
{
imports = [ ];
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.quark = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
};
}

19
nix/configuration/hosts/odowork/framework_module.nix Normal file
View File

@@ -0,0 +1,19 @@
{
config,
...
}:
{
imports = [ ];
config = {
boot.extraModulePackages = with config.boot.kernelPackages; [
framework-laptop-kmod
];
# https://github.com/DHowett/framework-laptop-kmod?tab=readme-ov-file#usage
boot.kernelModules = [
"cros_ec"
"cros_ec_lpcs"
];
};
}

33
nix/configuration/hosts/odowork/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,33 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

75
nix/configuration/hosts/odowork/power_management.nix Normal file
View File

@@ -0,0 +1,75 @@
{
pkgs,
...
}:
{
imports = [ ];
config = {
environment.systemPackages = with pkgs; [
powertop
];
# amdgpu.abmlevel=3 :: Automatically reduce screen brightness but tweak colors to compensate for power reduction.
# pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
# nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
# amd_pstate=passive :: Fully automated hardware pstate control.
# amd_pstate=active :: Same as passive except we can set the energy performance preference (EPP) to suggest how much we prefer performance or energy efficiency.
# amd_pstate=guided :: Same as passive except we can set upper and lower frequency bounds.
# amdgpu.dcdebugmask=0x10 :: Allegedly disables Panel Replay from https://community.frame.work/t/tracking-freezing-arch-linux-amd/39495/32
boot.kernelParams = [
"amdgpu.abmlevel=2"
"pcie_aspm=force"
# "pcie_aspm.policy=powersupersave"
"nowatchdog"
# I don't see a measurable benefit from these two:
# "cpufreq.default_governor=powersave"
# "initcall_blacklist=cpufreq_gov_userspace_init"
];
systemd.tmpfiles.rules = [
"w- /sys/firmware/acpi/platform_profile - - - - low-power"
"w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
];
boot.extraModprobeConfig = ''
# Disable the hardware watchdog inside AMD 700 chipset series for power savings.
blacklist sp5100_tco
# Sound power-saving was causing chat notifications to be inaudible.
# options snd_hda_intel power_save=1
'';
};
}

9
nix/configuration/hosts/odowork/screen_brightness.nix Normal file
View File

@@ -0,0 +1,9 @@
{
imports = [ ];
config = {
systemd.tmpfiles.rules = [
"w- /sys/class/backlight/amdgpu_bl1/brightness - - - - 32767"
];
};
}

15
nix/configuration/hosts/odowork/ssh_config.nix Normal file
View File

@@ -0,0 +1,15 @@
{
lib,
...
}:
{
imports = [ ];
config = {
me.install.user.talexander.file = {
".ssh/config" = {
source = lib.mkForce "/persist/manual/ssh/talexander/config";
};
};
};
}

10
nix/configuration/hosts/odowork/wifi.nix Normal file
View File

@@ -0,0 +1,10 @@
{
imports = [ ];
config = {
# Enable debug logging for ath12k wifi card.
boot.kernelParams = [
"ath12k.debug_mask=0xffffffff"
];
};
}

7
nix/configuration/hosts/odowork/wrapped-disk-config.nix Normal file
View File

@@ -0,0 +1,7 @@
{
config,
lib,
...
}:
lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

4
nix/configuration/hosts/quark/DEPLOY_BOOT
View File

@@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}" : "${JOBS:="1"}"
#TARGET=10.216.1.15
# TARGET=192.168.211.250
TARGET=quark TARGET=quark
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#quark'

4
nix/configuration/hosts/quark/DEPLOY_SWITCH
View File

@@ -6,12 +6,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}" : "${JOBS:="1"}"
#TARGET=10.216.1.14
# TARGET=192.168.211.250
TARGET=quark TARGET=quark
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#quark'

2
nix/configuration/hosts/quark/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}" : "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.quark" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

40
nix/configuration/hosts/quark/default.nix
View File

@@ -6,10 +6,11 @@
}: }:
{ {
imports = [ imports = [
./disk-config.nix ./wrapped-disk-config.nix
./distributed_build.nix ./distributed_build.nix
./hardware-configuration.nix ./hardware-configuration.nix
./power_management.nix ./power_management.nix
./waybar.nix
]; ];
config = { config = {
@@ -21,15 +22,28 @@
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
me.secureBoot.enable = true; me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
# Toggle to start writing the extlinux config which will be used by zfsbootmenu
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
me.rollback.dataset = [
"zroot/linux/nix/root@blank"
"zroot/linux/nix/home@blank"
];
me.optimizations = { me.optimizations = {
enable = true; enable = true;
arch = "znver4"; arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [ system_features = [
"gccarch-znver4" "gccarch-znver4"
"gccarch-znver5" "gccarch-znver5"
"gccarch-skylake" "gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG # "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3" "gccarch-x86-64-v3"
"gccarch-x86-64-v4" "gccarch-x86-64-v4"
@@ -49,6 +63,9 @@
# Enable TRIM # Enable TRIM
# services.fstrim.enable = lib.mkDefault true; # services.fstrim.enable = lib.mkDefault true;
# Only run nix builders at idle priority for a more responsive system. Do not set on servers, just end-user devices.
nix.daemonCPUSchedPolicy = "idle";
# RPCS3 has difficulty with znver5 # RPCS3 has difficulty with znver5
me.rpcs3.config.Core."Use LLVM CPU" = "znver4"; me.rpcs3.config.Core."Use LLVM CPU" = "znver4";
@@ -56,56 +73,72 @@
me.amd_s2idle.enable = true; me.amd_s2idle.enable = true;
me.ansible.enable = true; me.ansible.enable = true;
me.ares.enable = true; me.ares.enable = true;
me.base.enable = true;
me.bluetooth.enable = true; me.bluetooth.enable = true;
me.build_in_ram.enable = true;
me.chromecast.enable = true; me.chromecast.enable = true;
me.chromium.enable = true; me.chromium.enable = true;
me.d2.enable = true; me.d2.enable = true;
me.direnv.enable = true; me.direnv.enable = true;
me.doas.enable = true;
me.docker.enable = false; me.docker.enable = false;
me.dont_use_substituters.enable = true;
me.ecc.enable = true; me.ecc.enable = true;
me.emacs_flavor = "full"; me.emacs_flavor = "full";
me.emulate_isa.enable = true; me.emulate_isa.enable = true;
me.firefox.enable = true; me.firefox.enable = true;
me.firewall.enable = true;
me.flux.enable = true; me.flux.enable = true;
me.font.enable = true;
me.gcloud.enable = true; me.gcloud.enable = true;
me.git.config = ../../roles/git/files/gitconfig_home; me.git.config = ../../roles/git/files/gitconfig_home;
me.git.enable = true;
me.gnuplot.enable = true; me.gnuplot.enable = true;
me.gpg.enable = true; me.gpg.enable = true;
me.graphical = true; me.graphical = true;
me.graphics_card_type = "amd"; me.graphics_card_type = "amd";
me.iso_mount.enable = true; me.iso_mount.enable = true;
me.jujutsu.enable = true;
me.kanshi.enable = false; me.kanshi.enable = false;
me.kubernetes.enable = true; me.kubernetes.enable = true;
me.latex.enable = true; me.latex.enable = true;
me.launch_keyboard.enable = true; me.launch_keyboard.enable = true;
me.lvfs.enable = true; me.lvfs.enable = true;
me.media.enable = true; me.media.enable = true;
me.memtest.enable = true;
me.network.enable = true;
me.nix_index.enable = true; me.nix_index.enable = true;
me.nix_worker.enable = true; me.nix_worker.enable = true;
me.nvme.enable = true;
me.openpgp_card_tools.enable = true; me.openpgp_card_tools.enable = true;
me.pcsx2.enable = true; me.pcsx2.enable = true;
me.podman.enable = true; me.podman.enable = true;
me.python.enable = true; me.python.enable = true;
me.qemu.enable = true; me.qemu.enable = true;
me.recovery.enable = true;
me.rpcs3.enable = true; me.rpcs3.enable = true;
me.rust.enable = true; me.rust.enable = true;
me.sequoia.enable = true; me.sequoia.enable = true;
me.shadps4.enable = true; me.shadps4.enable = false;
me.shikane.enable = true; me.shikane.enable = true;
me.sops.enable = true; me.sops.enable = true;
me.sound.enable = true; me.sound.enable = true;
me.spaghettikart.enable = true; me.spaghettikart.enable = true;
me.ssh.enable = true;
me.sshd.enable = true;
me.steam.enable = true; me.steam.enable = true;
me.steam_run_free.enable = true; me.steam_run_free.enable = true;
me.sway.enable = true; me.sway.enable = true;
me.tekton.enable = true; me.tekton.enable = true;
me.terraform.enable = true; me.terraform.enable = true;
me.thunderbolt.enable = true; me.thunderbolt.enable = true;
me.user.enable = true;
me.uutils.enable = false; me.uutils.enable = false;
me.vnc_client.enable = true; me.vnc_client.enable = true;
me.vscode.enable = true; me.vscode.enable = true;
me.wasm.enable = true; me.wasm.enable = true;
me.waybar.enable = true; me.waybar.enable = true;
me.wine.enable = false;
me.wireguard.activated = [ me.wireguard.activated = [
"drmario" "drmario"
"wgh" "wgh"
@@ -113,6 +146,7 @@
]; ];
me.wireguard.deactivated = [ "wgf" ]; me.wireguard.deactivated = [ "wgf" ];
me.yubikey.enable = true; me.yubikey.enable = true;
me.zfs.enable = true;
me.zrepl.enable = true; me.zrepl.enable = true;
me.zsh.enable = true; me.zsh.enable = true;

9
nix/configuration/hosts/quark/disk-config.nix
View File

@@ -2,13 +2,6 @@
# Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1 # Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
# Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1 # Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
{ {
config,
lib,
pkgs,
...
}:
lib.mkIf (!config.me.buildingIso) {
disko.devices = { disko.devices = {
disk = { disk = {
main = { main = {
@@ -23,7 +16,7 @@ lib.mkIf (!config.me.buildingIso) {
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
mountpoint = "/boot"; mountpoint = "/efi";
mountOptions = [ mountOptions = [
"umask=0077" "umask=0077"
"noatime" "noatime"

16
nix/configuration/hosts/quark/distributed_build.nix
View File

@@ -1,21 +1,7 @@
{
config,
lib,
pkgs,
...
}:
{ {
imports = [ ]; imports = [ ];
config = lib.mkMerge [ config = {
{
me.distributed_build.enable = true; me.distributed_build.enable = true;
me.distributed_build.machines.hydra = {
enable = true;
additional_config = {
speedFactor = 2;
}; };
};
}
];
} }

6
nix/configuration/hosts/quark/hardware-configuration.nix
View File

@@ -1,10 +1,6 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ {
config, config,
lib, lib,
pkgs,
modulesPath, modulesPath,
... ...
}: }:
@@ -14,6 +10,7 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
config = {
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"nvme" "nvme"
"xhci_pci" "xhci_pci"
@@ -32,4 +29,5 @@
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
} }

2
nix/configuration/hosts/quark/power_management.nix
View File

@@ -8,6 +8,7 @@
{ {
imports = [ ]; imports = [ ];
config = {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
powertop powertop
]; ];
@@ -45,4 +46,5 @@
# destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules"; # destination = "/etc/udev/rules.d/30-amdgpu-low-power.rules";
# }) # })
# ]; # ];
};
} }

75
nix/configuration/hosts/quark/waybar.nix Normal file
View File

@@ -0,0 +1,75 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
me.waybar.config = lib.mkForce {
# "height": 10, # Waybar height (to be removed for auto height)
"modules-left" = [
"sway/workspaces"
"sway/mode"
];
"modules-center" = [ "sway/window" ];
"modules-right" = [
"custom/night_mode"
# "custom/temperature" # /sys/class/thermal/thermal_zone* does not currently exist on quark
"custom/sound"
"custom/available_memory"
"idle_inhibitor"
"custom/clock"
"tray"
];
"sway/workspaces" = {
"disable-scroll" = true;
};
"sway/mode" = {
"format" = "<span style=\"italic\">{}</span>";
};
"sway/window" = {
"format" = "{title}";
};
"idle_inhibitor" = {
"format" = "{icon}";
"format-icons" = {
"activated" = ""; # ☕
"deactivated" = "💤"; # ☾☁⛾⛔⏾⌛⏳💤
};
};
"tray" = {
# "icon-size" = 21;
"spacing" = 10;
};
"custom/clock" = {
"exec" = "waybar_custom_clock";
"return-type" = "json";
"restart-interval" = 30;
};
"custom/available_memory" = {
"exec" = "waybar_custom_available_memory";
"return-type" = "json";
"restart-interval" = 30;
};
"custom/sound" = {
"exec" = "waybar_custom_sound";
"return-type" = "json";
"restart-interval" = 30;
};
# "custom/temperature" = {
# "exec" = "waybar_custom_temperature";
# "return-type" = "json";
# "restart-interval" = 30;
# };
"custom/night_mode" = {
"exec" = "waybar_night_mode";
"return-type" = "json";
"restart-interval" = 30;
"on-click" = "pkill -USR1 -f waybar_night_mode";
};
};
};
}

7
nix/configuration/hosts/quark/wrapped-disk-config.nix Normal file
View File

@@ -0,0 +1,7 @@
{
config,
lib,
...
}:
lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

13
nix/configuration/hosts/recovery/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=recovery
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/configuration/hosts/recovery/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=recovery
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/ionlybootzfs/ISO → nix/configuration/hosts/recovery/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}" : "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/recovery/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/recovery/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/recovery/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json

56
nix/configuration/hosts/recovery/default.nix Normal file
View File

@@ -0,0 +1,56 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./wrapped-disk-config.nix
./distributed_build.nix
./power_management.nix
];
config = {
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "46b62d92";
networking.hostName = "recovery"; # Define your hostname.
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = true;
me.mountPersistence = true;
me.optimizations = {
# enable = true;
arch = "kabylake";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-kabylake"
"gccarch-x86-64-v3"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Early KMS
# boot.initrd.kernelModules = [ "amdgpu" ];
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
me.build_in_ram.enable = true;
me.dont_use_substituters.enable = true;
me.minimal_base.enable = true;
me.recovery.enable = true;
};
}

6
nix/configuration/hosts/ionlybootzfs/disk-config.nix → nix/configuration/hosts/recovery/disk-config.nix
View File

@@ -65,8 +65,8 @@
type = "zfs_fs"; type = "zfs_fs";
options.mountpoint = "none"; options.mountpoint = "none";
options = { options = {
encryption = "aes-256-gcm"; # encryption = "aes-256-gcm";
keyformat = "passphrase"; # keyformat = "passphrase";
# keylocation = "file:///tmp/secret.key"; # keylocation = "file:///tmp/secret.key";
}; };
}; };
@@ -138,5 +138,5 @@
]; ];
# Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used. # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ]; # boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
} }

13
nix/configuration/hosts/recovery/distributed_build.nix Normal file
View File

@@ -0,0 +1,13 @@
{
imports = [ ];
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.quark = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
};
}

33
nix/configuration/hosts/recovery/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,33 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

63
nix/configuration/hosts/recovery/power_management.nix Normal file
View File

@@ -0,0 +1,63 @@
{
pkgs,
...
}:
{
imports = [ ];
config = {
environment.systemPackages = with pkgs; [
powertop
];
# pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
# nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
boot.kernelParams = [
"pcie_aspm=force"
# "pcie_aspm.policy=powersupersave"
"nowatchdog"
];
systemd.tmpfiles.rules = [
"w- /sys/firmware/acpi/platform_profile - - - - low-power"
"w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
];
boot.extraModprobeConfig = ''
# Sound power-saving was causing chat notifications to be inaudible.
# options snd_hda_intel power_save=1
'';
};
}

7
nix/configuration/hosts/recovery/wrapped-disk-config.nix Normal file
View File

@@ -0,0 +1,7 @@
{
config,
lib,
...
}:
lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

204
nix/configuration/package/grub/add-hidden-menu-entries.patch Normal file
View File

@@ -0,0 +1,204 @@
diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
index e9e9d94ef..54e08a1b4 100644
--- a/grub-core/commands/legacycfg.c
+++ b/grub-core/commands/legacycfg.c
@@ -143,7 +143,7 @@ legacy_file (const char *filename)
args[0] = oldname;
grub_normal_add_menu_entry (1, args, NULL, NULL, "legacy",
NULL, NULL,
- entrysrc, 0);
+ entrysrc, 0, 0);
grub_free (args);
entrysrc[0] = 0;
grub_free (oldname);
@@ -205,7 +205,7 @@ legacy_file (const char *filename)
}
args[0] = entryname;
grub_normal_add_menu_entry (1, args, NULL, NULL, NULL,
- NULL, NULL, entrysrc, 0);
+ NULL, NULL, entrysrc, 0, 0);
grub_free (args);
}
diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
index 720e6d8ea..50632ccce 100644
--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
@@ -78,7 +78,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
char **classes, const char *id,
const char *users, const char *hotkey,
const char *prefix, const char *sourcecode,
- int submenu)
+ int submenu, int hidden)
{
int menu_hotkey = 0;
char **menu_args = NULL;
@@ -188,8 +188,11 @@ grub_normal_add_menu_entry (int argc, const char **args,
(*last)->args = menu_args;
(*last)->sourcecode = menu_sourcecode;
(*last)->submenu = submenu;
+ (*last)->hidden = hidden;
+
+ if (!hidden)
+ menu->size++;
- menu->size++;
return GRUB_ERR_NONE;
fail:
@@ -286,7 +289,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
users,
ctxt->state[2].arg, 0,
ctxt->state[3].arg,
- ctxt->extcmd->cmd->name[0] == 's');
+ ctxt->extcmd->cmd->name[0] == 's',
+ ctxt->extcmd->cmd->name[0] == 'h');
src = args[argc - 1];
args[argc - 1] = NULL;
@@ -303,7 +307,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
ctxt->state[0].args, ctxt->state[4].arg,
users,
ctxt->state[2].arg, prefix, src + 1,
- ctxt->extcmd->cmd->name[0] == 's');
+ ctxt->extcmd->cmd->name[0] == 's',
+ ctxt->extcmd->cmd->name[0] == 'h');
src[len - 1] = ch;
args[argc - 1] = src;
@@ -311,7 +316,7 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
return r;
}
-static grub_extcmd_t cmd, cmd_sub;
+static grub_extcmd_t cmd, cmd_sub, cmd_hidden;
void
grub_menu_init (void)
@@ -327,6 +332,12 @@ grub_menu_init (void)
| GRUB_COMMAND_FLAG_EXTRACTOR,
N_("BLOCK"), N_("Define a submenu."),
options);
+ cmd_hidden = grub_register_extcmd ("hiddenentry", grub_cmd_menuentry,
+ GRUB_COMMAND_FLAG_BLOCKS
+ | GRUB_COMMAND_ACCEPT_DASH
+ | GRUB_COMMAND_FLAG_EXTRACTOR,
+ N_("BLOCK"), N_("Define a hidden menu entry."),
+ options);
}
void
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 6a90e091f..4236f55bc 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -37,6 +37,8 @@
entry failing to boot. */
#define DEFAULT_ENTRY_ERROR_DELAY_MS 2500
+#define MENU_INCLUDE_HIDDEN 0x10000
+
grub_err_t (*grub_gfxmenu_try_hook) (int entry, grub_menu_t menu,
int nested) = NULL;
@@ -80,8 +82,20 @@ grub_menu_get_entry (grub_menu_t menu, int no)
{
grub_menu_entry_t e;
- for (e = menu->entry_list; e && no > 0; e = e->next, no--)
- ;
+ if (no & MENU_INCLUDE_HIDDEN) {
+ no &= ~MENU_INCLUDE_HIDDEN;
+
+ for (e = menu->entry_list; e && no > 0; e = e->next, no--)
+ ;
+ } else {
+ for (e = menu->entry_list; e && no > 0; e = e->next, no--) {
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
+ }
+ while (e && e->hidden)
+ e = e->next;
+ }
return e;
}
@@ -93,10 +107,10 @@ get_entry_index_by_hotkey (grub_menu_t menu, int hotkey)
grub_menu_entry_t entry;
int i;
- for (i = 0, entry = menu->entry_list; i < menu->size;
+ for (i = 0, entry = menu->entry_list; entry;
i++, entry = entry->next)
if (entry->hotkey == hotkey)
- return i;
+ return i | MENU_INCLUDE_HIDDEN;
return -1;
}
@@ -509,6 +523,10 @@ get_entry_number (grub_menu_t menu, const char *name)
grub_menu_entry_t e = menu->entry_list;
int i;
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
+
grub_errno = GRUB_ERR_NONE;
for (i = 0; e; i++)
@@ -520,6 +538,10 @@ get_entry_number (grub_menu_t menu, const char *name)
break;
}
e = e->next;
+
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
}
if (! e)
diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
index b1321eb26..d2e46cac8 100644
--- a/grub-core/normal/menu_text.c
+++ b/grub-core/normal/menu_text.c
@@ -289,7 +289,11 @@ print_entries (grub_menu_t menu, const struct menu_viewer_data *data)
print_entry (data->geo.first_entry_y + i, data->offset == i,
e, data);
if (e)
- e = e->next;
+ e = e->next;
+
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
}
grub_term_gotoxy (data->term,
diff --git a/include/grub/menu.h b/include/grub/menu.h
index ee2b5e910..eb8a86ba9 100644
--- a/include/grub/menu.h
+++ b/include/grub/menu.h
@@ -58,6 +58,8 @@ struct grub_menu_entry
int submenu;
+ int hidden;
+
/* The next element. */
struct grub_menu_entry *next;
};
diff --git a/include/grub/normal.h b/include/grub/normal.h
index 218cbabcc..bcb412466 100644
--- a/include/grub/normal.h
+++ b/include/grub/normal.h
@@ -145,7 +145,7 @@ grub_normal_add_menu_entry (int argc, const char **args, char **classes,
const char *id,
const char *users, const char *hotkey,
const char *prefix, const char *sourcecode,
- int submenu);
+ int submenu, int hidden);
grub_err_t
grub_normal_set_password (const char *user, const char *password);

681
nix/configuration/package/grub/default.nix Normal file
View File

@@ -0,0 +1,681 @@
{
lib,
stdenv,
fetchgit,
flex,
bison,
python3,
autoconf,
automake,
libtool,
bash,
gettext,
ncurses,
libusb-compat-0_1,
freetype,
qemu,
lvm2,
unifont,
pkg-config,
help2man,
fetchzip,
fetchpatch,
buildPackages,
nixosTests,
fuse, # only needed for grub-mount
runtimeShell,
zfs ? null,
efiSupport ? false,
zfsSupport ? false,
xenSupport ? false,
xenPvhSupport ? false,
kbdcompSupport ? false,
ckbcomp,
}:
let
pcSystems = {
i686-linux.target = "i386";
x86_64-linux.target = "i386";
};
efiSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
armv7l-linux.target = "arm";
aarch64-linux.target = "aarch64";
loongarch64-linux.target = "loongarch64";
riscv32-linux.target = "riscv32";
riscv64-linux.target = "riscv64";
};
# For aarch64, we need to use '--target=aarch64-efi' when building,
# but '--target=arm64-efi' when installing. Insanity!
efiSystemsInstall = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
armv7l-linux.target = "arm";
aarch64-linux.target = "arm64";
loongarch64-linux.target = "loongarch64";
riscv32-linux.target = "riscv32";
riscv64-linux.target = "riscv64";
};
xenSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
};
xenPvhSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "i386"; # Xen PVH is only i386 on x86.
};
inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.attrNames pcSystems);
gnulib = fetchgit {
url = "https://git.savannah.gnu.org/git/gnulib.git";
# NOTE: keep in sync with bootstrap.conf!
rev = "9f48fb992a3d7e96610c4ce8be969cff2d61a01b";
hash = "sha256-mzbF66SNqcSlI+xmjpKpNMwzi13yEWoc1Fl7p4snTto=";
};
# The locales are fetched from translationproject.org at build time,
# but those translations are not versioned/stable. For that reason
# we take them from the nearest release tarball instead:
locales = fetchzip {
url = "https://ftp.gnu.org/gnu/grub/grub-2.12.tar.gz";
hash = "sha256-IoRiJHNQ58y0UhCAD0CrpFiI8Mz1upzAtyh5K4Njh/w=";
};
in
assert zfsSupport -> zfs != null;
assert !(efiSupport && (xenSupport || xenPvhSupport));
assert !(xenSupport && xenPvhSupport);
stdenv.mkDerivation rec {
pname = "grub";
version = "2.12";
src = fetchgit {
url = "https://git.savannah.gnu.org/git/grub.git";
tag = "grub-${version}";
hash = "sha256-lathsBb2f7urh8R86ihpTdwo3h1hAHnRiHd5gCLVpBc=";
};
patches = [
./fix-bash-completion.patch
./add-hidden-menu-entries.patch
# https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
(fetchpatch {
name = "01_implement_grub_strlcpy.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f";
hash = "sha256-MSMgu1vMG83HRImUUsTyA1YQaIhgEreGGPd+ZDWSI2I=";
})
(fetchpatch {
name = "02_CVE-2024-45781.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba";
hash = "sha256-q8ErK+cQzaqwSuhLRFL3AfYBkpgJq1IQmadnlmlz2yw=";
})
(fetchpatch {
name = "03_CVE-2024-45782_CVE-2024-56737.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=417547c10410b714e43f08f74137c24015f8f4c3";
hash = "sha256-mRinw27WZ2d1grzyzFGO18yXx72UVBM6Lf5cR8XJfs8=";
})
(fetchpatch {
name = "04_fs_tar_initialize_name_in_grub_cpio_find_file.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2c8ac08c99466c0697f704242363fc687f492a0d";
hash = "sha256-EMGF0B+Fw6tSmllWUJAp1ynzWk+w2C/XM1LmXSReHWg=";
})
(fetchpatch {
name = "05_CVE-2024-45780.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3";
hash = "sha256-IlW5i4EJVoUYPu9/lb0LeytTpzltQuu5fpkFPQNIhls=";
})
(fetchpatch {
name = "06_fs_f2fs_grub_errno_mount_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=563436258cde64da6b974880abff1bf0959f4da3";
hash = "sha256-Iu0RPyB+pAnqMT+MTX+TrJbYJsvYPn7jbMgE1jcLh/Q=";
})
(fetchpatch {
name = "07_CVE-2024-45783.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898";
hash = "sha256-V1wh2dPeTazmad61jFtOjhq2MdoD+txPWY/AfwwyTZM=";
})
(fetchpatch {
name = "08_fs_iso9660_grub_errno_mount_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=965db5970811d18069b34f28f5f31ddadde90a97";
hash = "sha256-6eN1AvZwXkJOQVcjgymy/E7QiAxzL/d0W3KlAZRqUzI=";
})
(fetchpatch {
name = "09_fs_iso9660_fix_invalid_free.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1443833a9535a5873f7de3798cf4d8389f366611";
hash = "sha256-Gt5yMy5Vg9zrDggj3o/TLNt2vT9/6IuHg4Se2p8e8pI=";
})
(fetchpatch {
name = "10_fs_jfs_fix_oob_read_jfs_getent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=66175696f3a385b14bdf1ebcda7755834bd2d5fb";
hash = "sha256-ETbzbc5gvf55sTLjmJOXXC9VH3qcP1Gv5seR/U9NRiY=";
})
(fetchpatch {
name = "11_fs_jfs_fix_oob_read_caused_by_invalid_dir_slot_index.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ab09fd0531f3523ac0ef833404526c98c08248f7";
hash = "sha256-wE6niiIx4BdN800/Eegb6IbBRoMFpXq9kPvatwhWNXY=";
})
(fetchpatch {
name = "12_fs_jfs_use_full_40_bits_offset_and_address_for_data_extent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=bd999310fe67f35a66de3bfa2836da91589d04ef";
hash = "sha256-fbC4oTEIoGWJASzJI5RXfoanrMLTfjFOI51LCUU7Ctg=";
})
(fetchpatch {
name = "13_fs_jfs_inconsistent_signed_unsigned_types_usage.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=edd995a26ec98654d907a9436a296c2d82bc4b28";
hash = "sha256-aa1G1vi4bPZejfKEqZokAZTzY9Ea2lyxTrP4drDV9tk=";
})
(fetchpatch {
name = "14_fs_ext2_fix_out-of-bounds_read_for_inline_extent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7e2f750f0a795c4d64ec7dc7591edac8da2e978c";
hash = "sha256-PtPqZHMU2fy7btRRaaswLyHizplxnygCzDfcg5ievOQ=";
})
(fetchpatch {
name = "15_fs_ntfs_fix_out-of-bounds_read.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=aff26318783a135562b904ff09e2359893885732";
hash = "sha256-znN6lkAB9aAhTGKR1038DzOz5nzuTp+7ylHVqRM7HeI=";
})
(fetchpatch {
name = "16_fs_ntfs_track_the_end_of_the_MFT_attribute_buffer.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=237a71184a32d1ef7732f5f49ed6a89c5fe1c99a";
hash = "sha256-0I/g0qHkWY6PArPn1UaYRhCrrh9bHknADh34v5eSjjM=";
})
(fetchpatch {
name = "17_fs_ntfs_use_a_helper_function_to_access_attributes.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=048777bc29043403d077d41a81d0183767b8bc71";
hash = "sha256-Mm49MSLqCq143r8ruLJm1QoyCoLtOlCBfqoAPwPlv8E=";
})
# Patch 18 (067b6d225d482280abad03944f04e30abcbdafa1) has been removed because it causes regressions
# https://lists.gnu.org/archive/html/grub-devel/2025-03/msg00067.html
(fetchpatch {
name = "19_fs_xfs_fix_out-of-bounds_read.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6ccc77b59d16578b10eaf8a4fe85c20b229f0d8a";
hash = "sha256-FvTzFvfEi3oyxPC/dUHreyzzeVCskaUlYUjpKY/l0DE=";
})
(fetchpatch {
name = "20_fs_xfs_ensuring_failing_to_mount_sets_a_grub_errno.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d1d6b7ea58aa5a80a4c4d0666b49460056c8ef0a";
hash = "sha256-SLdXMmYHq/gRmWrjRrOu5ZYFod84EllUL6hk+gnr3kg=";
})
(fetchpatch {
name = "21_kern_file_ensure_file_data_is_set.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a7910687294b29288ac649e71b47493c93294f17";
hash = "sha256-DabZK9eSToEmSA9dEwtEN+URiVyS9qf6e2Y2UiMuy8Q=";
})
(fetchpatch {
name = "22_kern_file_implement_filesystem_reference_counting.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=16f196874fbe360a1b3c66064ec15adadf94c57b";
excludes = [ "grub-core/fs/erofs.c" ]; # Does not exist on 2.12
hash = "sha256-yGU//1tPaxi+xFKZrsbUAnvgFpwtrIMG+8cPbSud4+U=";
})
(fetchpatch {
name = "23_prerequisite_1_key_protector_add_key_protectors_framework.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5d260302da672258444b01239803c8f4d753e3f3";
hash = "sha256-5aFHzc5qXBNLEc6yzI17AH6J7EYogcXdLxk//1QgumY=";
})
(fetchpatch {
name = "23_prerequisite_2_disk_cryptodisk_allow_user_to_retry_failed_passphrase.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=386b59ddb42fa3f86ddfe557113b25c8fa16f88c";
hash = "sha256-e1kGQB7wGWvEb2bY3xIpZxE1uzTt9JOKi05jXyUm+bI=";
})
(fetchpatch {
name = "23_prerequisite_3_cryptodisk_support_key_protectors.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ad0c52784a375cecaa8715d7deadcf5d65baf173";
hash = "sha256-+YIvUYA3fLiOFFsXDrQjqjWFluzLa7N1tv0lwq8BqCs=";
})
(fetchpatch {
name = "23_prerequisite_4_cryptodisk_fallback_to_passphrase.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6abf8af3c54abc04c4ec71c75d10fcfbc190e181";
hash = "sha256-eMu9rW4iJucDAsTQMJD1XE6dDIcUmn02cGqIaqBbO3o=";
})
(fetchpatch {
name = "23_prerequisite_5_cryptodisk_wipe_out_the_cached_keys_from_protectors.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b35480b48e6f9506d8b7ad8a3b5206d29c24ea95";
hash = "sha256-5L6Rr+X5Z+Ip91z8cpLcatDW1vyEoZa1icL2oMXPXuI=";
})
(fetchpatch {
name = "23_prerequisite_6_cli_lock_add_build_option_to_block_command_line_interface.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=bb65d81fe320e4b20d0a9b32232a7546eb275ecc";
hash = "sha256-HxXgtvEhtaIjXbOcxJHNpD9/NVOv3uXPnue7cagEMu8=";
})
# (fetchpatch {
# name = "23_CVE-2024-49504.patch";
# url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13febd78db3cd85dcba67d8ad03ad4d42815f11e";
# hash = "sha256-U7lNUb4iVAyQ1yEg5ECHCQGE51tKvY13T9Ji09Q1W9Y=";
# })
(fetchpatch {
name = "24_disk_loopback_reference_tracking_for_the_loopback.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=67f70f70a36b6e87a65f928fe1e840a12eafb7ae";
hash = "sha256-sWBnSF3rAuY1A/IIK1Pc+BqTvyK3j7+lLEhvImtBQMA=";
})
(fetchpatch {
name = "25_kern_disk_limit_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=18212f0648b6de7d71d4c8f41eb4d8b78b3a299b";
hash = "sha256-HiVzXUNs45Fxh4DSqO8wAxSBM7CaYU/bix0PVBcIHGw=";
})
(fetchpatch {
name = "26_kern_partition_limit_recursion_in_part_iterate.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8a7103fddfd6664f41081f3bb88eebbf2871da2a";
hash = "sha256-Nw1VFRVww1VSDSBkRrnTGeaA2PKCitugM12XH6X/2YI=";
})
(fetchpatch {
name = "27_script_execute_limit_the_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d8a937ccae5c6d86dc4375698afca5cefdcd01e1";
hash = "sha256-YOAdPMZ2iBNMzIwAXFkkyTMKh4ptZUQ0J3v9EjnRlbo=";
})
(fetchpatch {
name = "28_net_unregister_net_default_ip_and_net_default_mac_variables_hooks_on_unload.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a1dd8e59da26f1a9608381d3a1a6c0f465282b1d";
hash = "sha256-7fqdkhFqLECzhz1OLavkHrE9ktDAEmx9ZxZayNr/Eo4=";
})
(fetchpatch {
name = "29_net_remove_variables_hooks_when_interface_is_unregisted.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=aa8b4d7facef7b75a2703274b1b9d4e0e734c401";
hash = "sha256-m3VLDbJlwchV5meEpU4LJrDxBtA80qvYcVMJinHLnac=";
})
(fetchpatch {
name = "30_CVE-2025-0624.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5eef88152833062a3f7e017535372d64ac8ef7e1";
hash = "sha256-DvhzHnenAmO9SZpi4kU+0GhyKZB4q4xQYuNJgEhJmn0=";
})
(fetchpatch {
name = "31_net_tftp_fix_stack_buffer_overflow_in_tftp_open.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0707accab1b9be5d3645d4700dde3f99209f9367";
hash = "sha256-16NrpWFSE4jFT2uxmJg16jChw8HiGRTol25XQXNQ5l4=";
})
(fetchpatch {
name = "32_CVE-2024-45774.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2c34af908ebf4856051ed29e46d88abd2b20387f";
hash = "sha256-OWmF+fp2TmetQjV4EWMcESW8u52Okkb5C5IPLfczyv4=";
})
(fetchpatch {
name = "33_kern_dl_fix_for_an_integer_overflow_in_grub_dl_ref.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=500e5fdd82ca40412b0b73f5e5dda38e4a3af96d";
hash = "sha256-FNqOWo+oZ4/1sCbTi2uaeKchUxwAKXtbzhScezm0yxk=";
})
# Patch 34 (https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d72208423dcabf9eb4a3bcb17b6b31888396bd49)
# is skipped, grub_dl_set_mem_attrs() does not exist on 2.12
(fetchpatch {
name = "35_kern_dl_check_for_the_SHF_INFO_LINK_flag_in_grub_dl_relocate_symbols.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=98ad84328dcabfa603dcf5bd217570aa6b4bdd99";
hash = "sha256-Zi4Pj2NbodL0VhhO5MWhvErb8xmA7Li0ur0MxpgQjzg=";
})
(fetchpatch {
name = "36_CVE-2024-45775.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872";
hash = "sha256-T6DO8iuImQTP7hPaCAHMtFnheQoCkZ6w+kfNolLPmrY=";
})
(fetchpatch {
name = "37_commands_ls_fix_NULL_dereference.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0bf56bce47489c059e50e61a3db7f682d8c44b56";
hash = "sha256-h5okwqv4ZFahP3ANUbsk1fiSV4pwEnxUExeBgQ4tiTI=";
})
(fetchpatch {
name = "38_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2123c5bca7e21fbeb0263df4597ddd7054700726";
hash = "sha256-tFE7VgImGZWDICyvHbrI1hqW6/XohgdTmk21MzljMGw=";
})
(fetchpatch {
name = "39_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9c16197734ada8d0838407eebe081117799bfe67";
hash = "sha256-tTeuEvadKbXVuY0m0dKtTr11Lpb3yQi4zk0bpwrMOeA=";
})
(fetchpatch {
name = "40_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637";
hash = "sha256-khRLpWqE7hzzoqssVkGFMjAv09T+uHn13Q9pCpogMms=";
})
(fetchpatch {
name = "41_CVE-2024-45776.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91";
hash = "sha256-yrl/6XUdKQg/MLe8KFuFoRRbQSyOhDmyvnWBV+sr3EY=";
})
(fetchpatch {
name = "42_CVE-2024-45777.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b970a5ed967816bbca8225994cd0ee2557bad515";
hash = "sha256-Vl5Emw3O3Ba2hD1GCWune4PGduDDPO0gM5u+zx/OwKo=";
})
(fetchpatch {
name = "43_CVE-2025-0690.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc";
hash = "sha256-DeWOncndX2VM8w1lb5fd5wHAZrI+ChB5Pj9XbUIfDWY=";
})
(fetchpatch {
name = "44_commands_test_stack_overflow_due_to_unlimited_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c68b7d23628a19da67ebe2e06f84165ee04961af";
hash = "sha256-aputM9KqkB/cK8hBiU9VXbu0LpLNlNCMVIeE9h2pMgY=";
})
(fetchpatch {
name = "45_CVE-2025-1118.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=34824806ac6302f91e8cabaa41308eaced25725f";
hash = "sha256-PKQs+fCwj4a9p4hbMqAT3tFNoAOw4xnbKmCwjPUgEOc=";
})
(fetchpatch {
name = "46_commands_memrw_disable_memory_reading_in_lockdown_mode.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=340e4d058f584534f4b90b7dbea2b64a9f8c418c";
hash = "sha256-NiMIUnfRreDBw+k4yxUzoRNMFL8pkJhVtkINVgmv5XA=";
})
(fetchpatch {
name = "47_commands_hexdump_disable_memory_reading_in_lockdown_mode.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5f31164aed51f498957cdd6ed733ec71a8592c99";
hash = "sha256-NA7QjxZ9FP+WwiOveqLkbZqsF7hULIyaVS3gNaSUXJE=";
})
(fetchpatch {
name = "48_CVE-2024-45778_CVE-2024-45779.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=26db6605036bd9e5b16d9068a8cc75be63b8b630";
hash = "sha256-1+ImwkF/qsejWs2lpyO6xbcqVo2NJGv32gjrP8mEPnI=";
})
(fetchpatch {
name = "49_CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c4bc55da28543d2522a939ba4ee0acde45f2fa74";
hash = "sha256-qrlErSImMX8eXJHkXjOe5GZ6lWOya5SVpNoiqyEM1lE=";
})
(fetchpatch {
name = "50_disk_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c407724dad6c3e2fc1571e57adbda71cc03f82aa";
hash = "sha256-kkAjxXvCdzwqh+oWtEF3qSPiUX9cGWO6eSFVeo7WJzQ=";
})
(fetchpatch {
name = "51_disk_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d8151f98331ee4d15fcca59edffa59246d8fc15f";
hash = "sha256-2U+gMLigOCCg3P1GB615xQ0B9PDA6j92tt1ba3Tqg+E=";
})
(fetchpatch {
name = "52_disk_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=33bd6b5ac5c77b346769ab5284262f94e695e464";
hash = "sha256-+BaJRskWP/YVEdvIxMvEydjQx2LpLlGphRtZjiOUxJ0=";
})
(fetchpatch {
name = "53_disk_ieee1275_ofdisk_call_grub_ieee1275_close_when_grub_malloc_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=fbaddcca541805c333f0fc792b82772594e73753";
hash = "sha256-9sGA41HlB/8rtT/fMfkDo4ZJMXBSr+EyN92l/0gDfl4=";
})
(fetchpatch {
name = "54_fs_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6608163b08a7a8be4b0ab2a5cd4593bba07fe2b7";
excludes = [ "grub-core/fs/erofs.c" ]; # Does not exist on 2.12
hash = "sha256-mW4MH5VH5pDxCaFhNh/4mEcYloga56p8vCi7X4kSaek=";
})
(fetchpatch {
name = "55_CVE-2025-0678_CVE-2025-1125.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=84bc0a9a68835952ae69165c11709811dae7634e";
hash = "sha256-rCliqM2+k7rTGNpdHFkg3pHvuISjoG0MQr6/8lIvwK4=";
})
(fetchpatch {
name = "56_fs_prevent_overflows_when_assigning_returned_values_from_read_number.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=cde9f7f338f8f5771777f0e7dfc423ddf952ad31";
hash = "sha256-dN3HJXNIYtaUZL0LhLabC4VKK6CVC8km9UTw/ln/6ys=";
})
(fetchpatch {
name = "57_fs_zfs_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=88e491a0f744c6b19b6d4caa300a576ba56db7c9";
hash = "sha256-taSuKyCf9+TiQZcF26yMWpDDQqCfTdRuZTqB9aEz3aA=";
})
(fetchpatch {
name = "58_fs_zfs_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7f38e32c7ebeaebb79e2c71e3c7d5ea367d3a39c";
hash = "sha256-E5VmP7I4TAEXxTz3j7mi/uIr9kOSzMoPHAYAbyu56Xk=";
})
(fetchpatch {
name = "59_fs_zfs_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13065f69dae0eeb60813809026de5bd021051892";
hash = "sha256-1W//rHUspDS+utdNc069J8lX1ONfoBKiJYnUt46C/D0=";
})
(fetchpatch {
name = "60_fs_zfs_add_missing_NULL_check_after_grub_strdup_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dd6a4c8d10e02ca5056681e75795041a343636e4";
hash = "sha256-iFLEkz5G6aQ8FXGuY7/wgN4d4o0+sUxWMKYIFcQ/H+o=";
})
(fetchpatch {
name = "61_net_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4beeff8a31c4fb4071d2225533cfa316b5a58391";
hash = "sha256-/gs5ZhplQ1h7PWw0p+b5+0OxmRcvDRKWHj39ezhivcg=";
})
(fetchpatch {
name = "62_net_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dee2c14fd66bc497cdc74c69fde8c9b84637c8eb";
hash = "sha256-cO02tCGEeQhQF0TmgtNOgUwRLnNgmxhEefo1gtSlFOk=";
})
(fetchpatch {
name = "63_net_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1c06ec900591d1fab6fbacf80dc010541d0a5ec8";
hash = "sha256-oSRhWWVraitoVDqGlFOVzdCkaNqFGOHLjJu75CSc388=";
})
(fetchpatch {
name = "64_fs_sfs_check_if_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e3c578a56f9294e286b6028ca7c1def997a17b15";
hash = "sha256-7tvFbmjWmWmmRykQjMvZV6IYlhSS8oNR7YfaO5XXAfU=";
})
(fetchpatch {
name = "65_script_execute_fix_potential_underflow_and_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d13b6e8ebd10b4eb16698a002aa40258cf6e6f0e";
hash = "sha256-paMWaAIImzxtufUrVF5v4T4KnlDAJIPhdaHznu5CyZ8=";
})
(fetchpatch {
name = "66_osdep_unix_getroot_fix_potential_underflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=66733f7c7dae889861ea3ef3ec0710811486019e";
hash = "sha256-/14HC1kcW7Sy9WfJQFfC+YnvS/GNTMP+Uy6Dxd3zkwc=";
})
(fetchpatch {
name = "67_misc_ensure_consistent_overflow_error_messages.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f8795cde217e21539c2f236bcbb1a4bf521086b3";
hash = "sha256-4X7wr1Tg16xDE9FO6NTlgkfLV5zFKmajeaOspIqcCuI=";
})
(fetchpatch {
name = "68_bus_usb_ehci_define_GRUB_EHCI_TOGGLE_as_grub_uint32_t.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9907d9c2723304b42cf6da74f1cc6c4601391956";
hash = "sha256-D8xaI8g7ffGGmZqqeS8wxWIFLUWUBfmHwMVOHkYTc2I=";
})
(fetchpatch {
name = "69_normal_menu_use_safe_math_to_avoid_an_integer_overflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5b36a5210e21bee2624f8acc36aefd8f10266adb";
hash = "sha256-UourmM0Zlaj4o+SnYi5AtjfNujDOt+2ez2XH/uWyiaM=";
})
(fetchpatch {
name = "70_kern_partition_add_sanity_check_after_grub_strtoul_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8e6e87e7923ca2ae880021cb42a35cc9bb4c8fe2";
hash = "sha256-4keMUu6ZDKmuSQlFnldV15dDGUibsnSvoEWhLsqWieI=";
})
(fetchpatch {
name = "71_kern_misc_add_sanity_check_after_grub_strtoul_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a8d6b06331a75d75b46f3dd6cc6fcd40dcf604b7";
hash = "sha256-2Mpe1sqyuoUPyMAKGZTNzG/ig3G3K8w0gia7lc508Rg=";
})
(fetchpatch {
name = "72_loader_i386_linux_cast_left_shift_to_grub_uint32_t.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=490a6ab71cebd96fae7a1ceb9067484f5ccbec2a";
hash = "sha256-e49OC1EBaX0/nWTTXT5xE5apTJPQV0myP5Ohxn9Wwa8=";
})
(fetchpatch {
name = "73_loader_i386_bsd_use_safe_math_to_avoid_underflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4dc6166571645780c459dde2cdc1b001a5ec844c";
hash = "sha256-e8X+oBvejcFNOY1Tp/f6QqCDwrgK7f9u1F8SdO/dhy4=";
})
(fetchpatch {
# Fixes 7e2f750f0a (security patch 14/73)
name = "fs_ext2_rework_out-of-bounds_read_for_inline_and_external_extents.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=348cd416a3574348f4255bf2b04ec95938990997";
hash = "sha256-WBLYQxv8si2tvdPAvbm0/4NNqYWBMJpFV4GC0HhN/kE=";
})
];
postPatch =
if kbdcompSupport then
''
sed -i util/grub-kbdcomp.in -e 's@\bckbcomp\b@${ckbcomp}/bin/ckbcomp@'
''
else
''
echo '#! ${runtimeShell}' > util/grub-kbdcomp.in
echo 'echo "Compile grub2 with { kbdcompSupport = true; } to enable support for this command."' >> util/grub-kbdcomp.in
'';
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [
bison
flex
python3
pkg-config
gettext
freetype
autoconf
automake
help2man
];
buildInputs = [
ncurses
libusb-compat-0_1
freetype
lvm2
fuse
libtool
bash
]
++ lib.optional doCheck qemu
++ lib.optional zfsSupport zfs;
strictDeps = true;
hardeningDisable = [ "all" ];
separateDebugInfo = !xenSupport;
preConfigure = ''
for i in "tests/util/"*.in
do
sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
done
# Apparently, the QEMU executable is no longer called
# `qemu-system-i386', even on i386.
#
# In addition, use `-nodefaults' to avoid errors like:
#
# chardev: opening backend "stdio" failed
# qemu: could not open serial device 'stdio': Invalid argument
#
# See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
sed -i "tests/util/grub-shell.in" \
-e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
unset CPP # setting CPP intereferes with dependency calculation
patchShebangs .
GNULIB_REVISION=$(. bootstrap.conf; echo $GNULIB_REVISION)
if [ "$GNULIB_REVISION" != ${gnulib.rev} ]; then
echo "This version of GRUB requires a different gnulib revision!"
echo "We have: ${gnulib.rev}"
echo "GRUB needs: $GNULIB_REVISION"
exit 1
fi
cp -f --no-preserve=mode ${locales}/po/LINGUAS ${locales}/po/*.po po
./bootstrap --no-git --gnulib-srcdir=${gnulib}
substituteInPlace ./configure --replace '/usr/share/fonts/unifont' '${unifont}/share/fonts'
'';
postConfigure = ''
# make sure .po files are up to date to workaround
# parallel `msgmerge --update` on autogenerated .po files:
# https://github.com/NixOS/nixpkgs/pull/248747#issuecomment-1676301670
make dist
'';
configureFlags = [
"--enable-grub-mount" # dep of os-prober
]
++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
# grub doesn't do cross-compilation as usual and tries to use unprefixed
# tools to target the host. Provide toolchain information explicitly for
# cross builds.
#
# Ref: # https://github.com/buildroot/buildroot/blob/master/boot/grub2/grub2.mk#L108
"TARGET_CC=${stdenv.cc.targetPrefix}cc"
"TARGET_NM=${stdenv.cc.targetPrefix}nm"
"TARGET_OBJCOPY=${stdenv.cc.targetPrefix}objcopy"
"TARGET_RANLIB=${stdenv.cc.targetPrefix}ranlib"
"TARGET_STRIP=${stdenv.cc.targetPrefix}strip"
]
++ lib.optional zfsSupport "--enable-libzfs"
++ lib.optionals efiSupport [
"--with-platform=efi"
"--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}"
"--program-prefix="
]
++ lib.optionals xenSupport [
"--with-platform=xen"
"--target=${xenSystemsBuild.${stdenv.hostPlatform.system}.target}"
]
++ lib.optionals xenPvhSupport [
"--with-platform=xen_pvh"
"--target=${xenPvhSystemsBuild.${stdenv.hostPlatform.system}.target}"
];
# save target that grub is compiled for
grubTarget =
if efiSupport then
"${efiSystemsInstall.${stdenv.hostPlatform.system}.target}-efi"
else
lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc";
doCheck = false;
enableParallelBuilding = true;
postInstall = ''
# Avoid a runtime reference to gcc
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
# just adding bash to buildInputs wasn't enough to fix the shebang
substituteInPlace $out/lib/grub/*/modinfo.sh \
--replace ${buildPackages.bash} "/usr/bin/bash"
'';
passthru.tests = {
nixos-grub = nixosTests.grub;
nixos-install-simple = nixosTests.installer.simple;
nixos-install-grub-uefi = nixosTests.installer.simpleUefiGrub;
nixos-install-grub-uefi-spec = nixosTests.installer.simpleUefiGrubSpecialisation;
};
meta = with lib; {
description = "GNU GRUB, the Grand Unified Boot Loader";
longDescription = ''
GNU GRUB is a Multiboot boot loader. It was derived from GRUB, GRand
Unified Bootloader, which was originally designed and implemented by
Erich Stefan Boleyn.
Briefly, the boot loader is the first software program that runs when a
computer starts. It is responsible for loading and transferring
control to the operating system kernel software (such as the Hurd or
the Linux). The kernel, in turn, initializes the rest of the
operating system (e.g., GNU).
'';
homepage = "https://www.gnu.org/software/grub/";
license = licenses.gpl3Plus;
platforms =
if efiSupport then
lib.attrNames efiSystemsBuild
else if xenSupport then
lib.attrNames xenSystemsBuild
else if xenPvhSupport then
lib.attrNames xenPvhSystemsBuild
else
platforms.gnu ++ platforms.linux;
maintainers = [ ];
};
}

24
nix/configuration/package/grub/fix-bash-completion.patch Normal file
View File

@@ -0,0 +1,24 @@
diff -ubr grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in grub-2.00/util/bash-completion.d/grub-completion.bash.in
--- grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:02:36.342733957 +0200
+++ grub-2.00/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:04:48.262733941 +0200
@@ -17,6 +17,12 @@
# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
# bash completion for grub
+have()
+{
+ unset -v have
+ _have $1 && have=yes
+}
+
__grub_dir() {
local i c=1 boot_dir
@@ -479,6 +485,7 @@
have ${__grub_script_check_program} && \
complete -F _grub_script_check -o filenames ${__grub_script_check_program}
+unset -f have
# Local variables:
# mode: shell-script

5
nix/configuration/repl.nix Normal file
View File

@@ -0,0 +1,5 @@
let
flake = builtins.getFlake (toString ./.);
nixpkgs = import <nixpkgs> { };
in
{ inherit flake; } // flake // builtins // nixpkgs // nixpkgs.lib // flake.nixosConfigurations

13
nix/configuration/roles/2ship2harkinian/default.nix
View File

@@ -17,19 +17,16 @@
}; };
}; };
config = lib.mkIf config.me.ship2harkinian.enable ( config = lib.mkIf (config.me.ship2harkinian.enable && config.me.graphical) {
lib.mkMerge [
{
allowedUnfree = [ "2ship2harkinian" ]; allowedUnfree = [ "2ship2harkinian" ];
}
(lib.mkIf config.me.graphical {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
_2ship2harkinian _2ship2harkinian
]; ];
# TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json # TODO perhaps install ~/.local/share/2ship/2ship2harkinian.json
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true; hideMounts = true;
users.talexander = { users.talexander = {
directories = [ directories = [
@@ -42,7 +39,5 @@
]; ];
}; };
}; };
}) };
]
);
} }

9
nix/configuration/roles/alacritty/default.nix
View File

@@ -7,6 +7,7 @@
{ {
imports = [ ]; imports = [ ];
options.me = { options.me = {
alacritty.enable = lib.mkOption { alacritty.enable = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
@@ -16,9 +17,7 @@
}; };
}; };
config = lib.mkIf config.me.alacritty.enable ( config = lib.mkIf (config.me.alacritty.enable && config.me.graphical) {
lib.mkMerge [
(lib.mkIf config.me.graphical {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
alacritty alacritty
xdg-utils # for xdg-open xdg-utils # for xdg-open
@@ -29,8 +28,6 @@
source = ./files/alacritty.toml; source = ./files/alacritty.toml;
}; };
}; };
}) };
]
);
} }

8
nix/configuration/roles/amd_s2idle/default.nix
View File

@@ -17,9 +17,7 @@
}; };
}; };
config = lib.mkIf config.me.amd_s2idle.enable ( config = lib.mkIf config.me.amd_s2idle.enable {
lib.mkMerge [
{
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
amd-debug-tools amd-debug-tools
]; ];
@@ -41,7 +39,5 @@
]; ];
}) })
]; ];
} };
]
);
} }

8
nix/configuration/roles/ansible/default.nix
View File

@@ -17,9 +17,7 @@
}; };
}; };
config = lib.mkIf config.me.ansible.enable ( config = lib.mkIf config.me.ansible.enable {
lib.mkMerge [
{
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
ansible ansible
]; ];
@@ -83,7 +81,5 @@
}; };
}) })
]; ];
} };
]
);
} }

11
nix/configuration/roles/ares/default.nix
View File

@@ -17,15 +17,12 @@
}; };
}; };
config = lib.mkIf config.me.ares.enable ( config = lib.mkIf (config.me.ares.enable && config.me.graphical) {
lib.mkMerge [
{ }
(lib.mkIf config.me.graphical {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
ares ares
]; ];
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true; hideMounts = true;
users.talexander = { users.talexander = {
directories = [ directories = [
@@ -38,7 +35,5 @@
]; ];
}; };
}; };
}) };
]
);
} }

65
nix/configuration/roles/base/default.nix Normal file
View File

@@ -0,0 +1,65 @@
{
config,
lib,
pkgs,
...
}:
let
patchScriptBin =
filename: contents:
((pkgs.writeScriptBin filename contents).overrideAttrs (old: {
buildCommand = "${old.buildCommand}\n patchShebangs $out";
}));
cleanup_temporary_files = (
patchScriptBin "cleanup_temporary_files" (builtins.readFile ./files/cleanup_temporary_files.bash)
);
alias_rga = pkgs.writeShellScriptBin "ks" ''
exec ${pkgs.ripgrep}/bin/rg -uuu "''${@}"
'';
in
{
imports = [ ];
options.me = {
base.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to install base.";
};
};
config = lib.mkIf config.me.base.enable {
environment.systemPackages = with pkgs; [
wget
mg
rsync
libinput
htop
tmux
file
usbutils # for lsusb
pciutils # for lspci
ripgrep
alias_rga
strace
# ltrace # Disabled because it uses more than 48GB of /tmp space during test phase.
trace-cmd # ftrace
tcpdump
git-crypt
gnumake
ncdu
nix-tree
libarchive # bsdtar
lsof
dmidecode # Read SMBIOS information.
ipcalc
gptfdisk # for cgdisk
nix-output-monitor # For better view into nixos-rebuild
nix-serve-ng # Serve nix store over http
cleanup_temporary_files
jq
];
};
}

4
nix/configuration/roles/base/files/cleanup_temporary_files.bash Normal file
View File

@@ -0,0 +1,4 @@
#!/usr/bin/env bash
#
# Delete temporary files on entire disk
find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null

14
nix/configuration/roles/bluetooth/default.nix
View File

@@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
@@ -17,12 +16,7 @@
}; };
}; };
config = lib.mkIf config.me.bluetooth.enable ( config = lib.mkIf config.me.bluetooth.enable {
lib.mkMerge [
{
environment.systemPackages = with pkgs; [
];
hardware.bluetooth = { hardware.bluetooth = {
enable = true; enable = true;
powerOnBoot = true; powerOnBoot = true;
@@ -34,13 +28,11 @@
}; };
}; };
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/var/lib/bluetooth" # Bluetooth pairing information. "/var/lib/bluetooth" # Bluetooth pairing information.
]; ];
}; };
} };
]
);
} }

68
nix/configuration/roles/boot/default.nix
View File

@@ -9,28 +9,55 @@
{ {
imports = [ ]; imports = [ ];
options = { options.me = {
me.secureBoot = { boot.enable = lib.mkOption {
enable = lib.mkOption {
default = false;
type = lib.types.bool; type = lib.types.bool;
description = '' default = false;
Enable to use secure boot. example = true;
''; description = "Whether we want to install boot.";
}; };
boot.secure = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Enable to use secure boot.";
};
rollback.enable = lib.mkOption {
type = lib.types.bool;
default = true;
example = true;
description = "Whether we want to enable rolling back during boot.";
};
rollback.dataset = lib.mkOption {
default = { };
example = lib.literalExpression ''
{
"zroot/linux/nix/root@blank" = true;
"zroot/linux/nix/home@blank" = lib.mkForce false;
}
'';
type = lib.types.coercedTo (lib.types.listOf lib.types.str) (
enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)
) (lib.types.attrsOf lib.types.bool);
description = "List of ZFS datasets to rollback to during boot.";
}; };
}; };
config = lib.mkMerge [ config = lib.mkIf config.me.boot.enable (
lib.mkMerge [
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
tpm2-tools # For tpm2_eventlog to check for OptionRoms tpm2-tools # For tpm2_eventlog to check for OptionRoms
# cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
# tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER" # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
sbctl # For debugging and troubleshooting Secure Boot. sbctl # For debugging and troubleshooting Secure Boot.
efibootmgr # To set EFI boot order.
]; ];
} }
(lib.mkIf (!config.me.buildingIso) { (lib.mkIf (!config.me.buildingPortable) {
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
@@ -45,7 +72,7 @@
# Check what will be lost with `zfs diff zroot/linux/root@blank` # Check what will be lost with `zfs diff zroot/linux/root@blank`
boot.initrd.systemd.enable = lib.mkDefault true; boot.initrd.systemd.enable = lib.mkDefault true;
boot.initrd.systemd.services.zfs-rollback = { boot.initrd.systemd.services.zfs-rollback = lib.mkIf config.me.rollback.enable {
description = "Rollback ZFS root dataset to blank snapshot"; description = "Rollback ZFS root dataset to blank snapshot";
wantedBy = [ wantedBy = [
"initrd.target" "initrd.target"
@@ -56,16 +83,14 @@
before = [ before = [
"sysroot.mount" "sysroot.mount"
]; ];
path = with pkgs; [
zfs
];
unitConfig.DefaultDependencies = "no"; unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = '' script = lib.concatStringsSep "\n" (
zfs rollback -r zroot/linux/nix/root@blank (builtins.map (ds: "${config.boot.zfs.package}/sbin/zfs rollback -r '${ds}'") (
zfs rollback -r zroot/linux/nix/home@blank builtins.attrNames config.me.rollback.dataset
echo "rollback complete" ))
''; ++ [ ''echo "rollback complete"'' ]
);
}; };
# boot.loader.systemd-boot.extraEntries = { # boot.loader.systemd-boot.extraEntries = {
@@ -75,14 +100,14 @@
# options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa # options root=PARTUUID=17e325bf-a378-4d1d-be6a-f6df5476f0fa
# ''; # '';
# }; # };
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/var/lib/sbctl" # Secure Boot Keys "/var/lib/sbctl" # Secure Boot Keys
]; ];
}; };
}) })
(lib.mkIf (config.me.secureBoot.enable) { (lib.mkIf (config.me.boot.secure) {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
sbctl sbctl
]; ];
@@ -92,7 +117,8 @@
pkiBundle = "/var/lib/sbctl"; pkiBundle = "/var/lib/sbctl";
}; };
}) })
]; ]
);
} }
# efibootmgr -c -d /dev/sda -p 1 -L NixOS-boot -l '\EFI\NixOS-boot\grubx64.efi' # efibootmgr -c -d /dev/sda -p 1 -L NixOS-boot -l '\EFI\NixOS-boot\grubx64.efi'

35
nix/configuration/roles/build_in_ram/default.nix Normal file
View File

@@ -0,0 +1,35 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
options.me = {
build_in_ram.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to install build_in_ram.";
};
};
config = lib.mkIf config.me.build_in_ram.enable (
lib.mkMerge [
{
# Nix 2.30.0 (2025-07-07) changed the build directory from /tmp to /nix/var/nix/builds which broke a number of builds because my ZFS datasets were utf8only.
fileSystems."/nix/var/nix/builds" = {
device = "tmpfs";
fsType = "tmpfs";
options = [
"size=40G" # adjust for your situation and needs
"mode=700"
];
};
}
]
);
}

10
nix/configuration/roles/chromecast/default.nix
View File

@@ -17,15 +17,9 @@
}; };
}; };
config = lib.mkIf config.me.chromecast.enable ( config = lib.mkIf config.me.chromecast.enable {
lib.mkMerge [
{
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
catt catt
]; ];
} };
(lib.mkIf config.me.graphical {
})
]
);
} }

13
nix/configuration/roles/chromium/default.nix
View File

@@ -17,10 +17,7 @@
}; };
}; };
config = lib.mkIf config.me.chromium.enable ( config = lib.mkIf (config.me.chromium.enable && config.me.graphical) {
lib.mkMerge [
{ }
(lib.mkIf config.me.graphical {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
chromium chromium
]; ];
@@ -30,7 +27,7 @@
"widevine-cdm" "widevine-cdm"
]; ];
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true; hideMounts = true;
users.talexander = { users.talexander = {
directories = [ directories = [
@@ -43,7 +40,7 @@
]; ];
}; };
}; };
environment.persistence."/state" = lib.mkIf (!config.me.buildingIso) { environment.persistence."/state" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true; hideMounts = true;
users.talexander = { users.talexander = {
directories = [ directories = [
@@ -69,7 +66,5 @@
}; };
}) })
]; ];
}) };
]
);
} }

Some files were not shown because too many files have changed in this diff Show More