chore(gengetsu): common nixos.hw.c4130

nixos/base/access.nix

@@ -2,11 +2,20 @@
   config,
   pkgs,
   meta,
+  lib,
   ...
-}: {
-  security.sudo.wheelNeedsPassword = false;
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.users
+  ];
 
-  security.polkit.extraConfig = ''
+  security.sudo.wheelNeedsPassword = mkDefault false;
+
+  security.polkit.extraConfig = mkIf (!config.security.sudo.wheelNeedsPassword) ''
     polkit.addRule(function(action, subject) {
       if (subject.isInGroup("wheel")) {
         return polkit.Result.YES;
@@ -14,12 +23,6 @@
     });
   '';
 
-  imports = let
-    inherit (meta) nixos;
-  in [
-    nixos.users
-  ];
-
   users.motd = ''
     ${config.networking.hostName}.${config.networking.domain}
 
@@ -27,7 +30,7 @@
   users.defaultUserShell = pkgs.zsh;
 
   users.users.root = {
-    hashedPassword = "$6$SLue7utn4qXtW1TE$yQOliCPKgkiFST5H6iqCCwT2dn3o4e/h39MaCbhOXVreFQrkWe7ZzJUOzC0u28/0.Hzs6xKSiJnGjbLXvGstr1";
+    hashedPassword = mkDefault "$6$SLue7utn4qXtW1TE$yQOliCPKgkiFST5H6iqCCwT2dn3o4e/h39MaCbhOXVreFQrkWe7ZzJUOzC0u28/0.Hzs6xKSiJnGjbLXvGstr1";
     openssh.authorizedKeys.keys = with pkgs.lib; (concatLists (mapAttrsToList
       (name: user:
         if elem "wheel" user.extraGroups

nixos/base/ssh.nix

@@ -1,10 +1,11 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }: let
-  inherit (lib.modules) mkDefault;
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (lib.lists) head;
+  cfg = config.services.openssh;
   publicPort = 62954;
 in {
   /*
@@ -33,4 +34,8 @@ in {
   };
 
   programs.mosh.enable = true;
+
+  boot.initrd.network.ssh = mkIf cfg.enable {
+    port = mkDefault (head cfg.ports);
+  };
 }

nixos/base/system.nix

@@ -1,9 +1,11 @@
 {
   config,
+  gensokyo-zone,
   lib,
   pkgs,
   ...
 }: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
   inherit (lib.modules) mkDefault;
 in {
   hardware.enableRedistributableFirmware = mkDefault true;
@@ -23,7 +25,8 @@ in {
   services.journald.extraConfig = "SystemMaxUse=512M";
   users.mutableUsers = mkDefault false;
   boot.tmp = {
-    useTmpfs = mkDefault true;
-    tmpfsSize = mkDefault "80%";
+    cleanOnBoot = mkAlmostOptionDefault true;
+    useTmpfs = mkAlmostOptionDefault true;
+    tmpfsSize = mkAlmostOptionDefault "80%";
   };
 }

nixos/hw/c4130.nix

@@ -4,16 +4,14 @@
   lib,
   ...
 }: let
-  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (lib.modules) mkIf mkMerge;
 in {
   imports = [
+    ./headless.nix
     ./metal.nix
   ];
 
   boot = {
-    loader = {
-      systemd-boot.enable = mkDefault true;
-    };
     initrd = {
       systemd.network = mkIf config.networking.useNetworkd {
         networks."40-eno1" = {

nixos/hw/headless.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+in {
+  boot = {
+    initrd.systemd.emergencyAccess = mkDefault true;
+    consoleLogLevel = mkDefault 5;
+  };
+  services.getty.autologinUser = mkDefault "root";
+  documentation.enable = mkDefault false;
+}

nixos/hw/metal.nix

@@ -1,9 +1,19 @@
 {
   pkgs,
   config,
+  gensokyo-zone,
   lib,
   ...
-}: {
+}: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+in {
+  boot = {
+    loader = {
+      systemd-boot.enable = mkAlmostOptionDefault true;
+      efi.canTouchEfiVariables = mkAlmostOptionDefault true;
+    };
+  };
+
   environment.systemPackages = [
     pkgs.pciutils
     pkgs.usbutils

nixos/kyuuto/nfs.nix

@@ -15,7 +15,13 @@
     data = "${nfsRoot}/kyuuto/data";
     systems = "${nfsRoot}/kyuuto/systems";
   };
-  mkSystemExport = { name, fsid, machine, flags ? ["async"], machineFlags ? flagSets.metal }: {
+  mkSystemExport = {
+    name,
+    fsid,
+    machine,
+    flags ? ["async"],
+    machineFlags ? flagSets.metal,
+  }: {
     flags = flagSets.common ++ ["fsid=${toString fsid}"] ++ flags;
     clients = {
       ${name} = {
@@ -28,12 +34,18 @@
       };
     };
   };
-  mkSystemExports = name: { machine, fileSystems }: let
+  mkSystemExports = name: {
+    machine,
+    fileSystems,
+  }: let
     systemRoot = "${nfsRoot.systems}/${name}";
-    mapSystemExport = fsName: fs: nameValuePair "${systemRoot}/${fsName}" (mkSystemExport ({
-      inherit name machine;
-    } // fs));
-  in mapAttrs' mapSystemExport fileSystems;
+    mapSystemExport = fsName: fs:
+      nameValuePair "${systemRoot}/${fsName}" (mkSystemExport ({
+          inherit name machine;
+        }
+        // fs));
+  in
+    mapAttrs' mapSystemExport fileSystems;
   exportedSystems = {
     gengetsu = {
       machine = flagSets.gengetsuClients;
@@ -105,21 +117,33 @@ in {
       "nfs-mountd.service"
     ];
     before = wantedBy;
-    mkMount = { what, where, ... }@args: {
-      inherit type options wantedBy before;
-    } // args;
-    mkSystemMount = { name, fsName }: let
+    mkMount = {
+      what,
+      where,
+      ...
+    } @ args:
+      {
+        inherit type options wantedBy before;
+      }
+      // args;
+    mkSystemMount = {
+      name,
+      fsName,
+    }: let
       systemRoot = "${nfsRoot.systems}/${name}";
-    in mkMount {
-      what = "${kyuuto.dataDir}/systems/${name}/fs/${fsName}";
-      where = "${systemRoot}/${fsName}";
-    };
-    mapSystemMounts = name: { fileSystems, ... }: let
-      mapFileSystem = fsName: fs: mkSystemMount { inherit name fsName; };
-    in mapAttrsToList mapFileSystem fileSystems;
+    in
+      mkMount {
+        what = "${kyuuto.dataDir}/systems/${name}/fs/${fsName}";
+        where = "${systemRoot}/${fsName}";
+      };
+    mapSystemMounts = name: {fileSystems, ...}: let
+      mapFileSystem = fsName: fs: mkSystemMount {inherit name fsName;};
+    in
+      mapAttrsToList mapFileSystem fileSystems;
     systemMounts = let
       systemMounts = mapAttrsToList mapSystemMounts exportedSystems;
-    in concatLists systemMounts;
+    in
+      concatLists systemMounts;
     exportMounts = map mkMount [
       {
         what = kyuuto.mountDir;

nixos/netboot/kyuuto.nix

@@ -29,7 +29,8 @@ in {
         default = [
           "nolock" # required in order to mount in initrd when statd daemon isn't running
           "nocto"
-          "lazytime" "noatime"
+          "lazytime"
+          "noatime"
           "actimeo=${toString defaultCacheTimeoutMax}"
           "acregmin=${toString defaultCacheTimeoutMin}"
           "acdirmin=${toString defaultCacheTimeoutMin}"
@@ -47,7 +48,8 @@ in {
           };
         };
         availableKernelModules = mkIf nfsEnabled [
-          "nfsv4" "nfsv3"
+          "nfsv4"
+          "nfsv3"
         ];
         extraUtilsCommands = mkIf (nfsEnabled && !config.boot.initrd.systemd.enable) ''
           copy_bin_and_libs ${cfg.nfs.package}/sbin/mount.nfs
@@ -60,7 +62,7 @@ in {
             (mkIf config.boot.initrd.network.enable [
               pkgs.iproute2
             ])
-            [ pkgs.util-linux pkgs.gnugrep ]
+            [pkgs.util-linux pkgs.gnugrep]
           ];
           network = mkIf config.networking.useNetworkd {
             enable = mkDefault true;
@@ -69,20 +71,24 @@ in {
       };
       loader = {
         systemd-boot.enable = true;
-        efi.canTouchEfiVariables = false;
+        efi.canTouchEfiVariables = mkIf cfg.boot.enable false;
       };
     };
     fileSystems = let
-      nfsUrl = access.proxyUrlFor {
-        serviceName = "nfs";
-        scheme = "";
-        defaultPort = 2049;
-        # XXX: consider using dns hostname here instead? (does this require the dns_resolver kernel module?)
-        getAddressFor = "getAddress4For";
-      } + ":/srv/fs/kyuuto/systems/${systemConfig.name}";
-      nfsOpts = [
-        "sec=${cfg.nfs.security}"
-      ] ++ cfg.nfs.flags;
+      nfsUrl =
+        access.proxyUrlFor {
+          serviceName = "nfs";
+          scheme = "";
+          defaultPort = 2049;
+          # XXX: consider using dns hostname here instead? (does this require the dns_resolver kernel module?)
+          getAddressFor = "getAddress4For";
+        }
+        + ":/srv/fs/kyuuto/systems/${systemConfig.name}";
+      nfsOpts =
+        [
+          "sec=${cfg.nfs.security}"
+        ]
+        ++ cfg.nfs.flags;
     in {
       "/" = {
         device = "${nfsUrl}/root";

nixos/nfs.nix

@@ -63,9 +63,11 @@ in {
             optional (local.enable or false && local.address4 != null) "${local.address4}/32"
             ++ optional (local.enable or false && local.address6 != null) "${local.address6}/128";
           allowed =
-            if addrs != [] then addrs
+            if addrs != []
+            then addrs
             else lib.warn "${name} NFS: falling back to all LAN" cidrForNetwork.allLan.all;
-        in allowed;
+        in
+          allowed;
         mkC4130Client = name: mkMetalClient name ++ mkMetalClient "idrac-${name}";
       in {
         common = [
@@ -91,7 +93,9 @@ in {
           "ro"
         ];
         metal = [
-          "sec=sys" "no_root_squash" "rw"
+          "sec=sys"
+          "no_root_squash"
+          "rw"
         ];
         # client machines
         clientGroups = [

nixos/reisen-ct/proxmox.nix

@@ -3,6 +3,7 @@
   gensokyo-zone,
   lib,
   modulesPath,
+  meta,
   ...
 }: let
   inherit (gensokyo-zone.lib) unmerged;
@@ -10,17 +11,20 @@
   inherit (lib.attrsets) mapAttrsToList;
   inherit (systemConfig) proxmox;
 in {
-  imports = [
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.hw.headless
     (modulesPath + "/virtualisation/proxmox-lxc.nix")
   ];
 
-  services.getty.autologinUser = mkDefault "root";
-  documentation.enable = mkDefault false;
-
   environment.variables = {
     # nix default is way too big
     GC_INITIAL_HEAP_SIZE = mkDefault "8M";
   };
+  # XXX: this might be okay if the nix daemon's tmp is overridden
+  # (but still avoid since containers are usually low on provisioned memory)
+  boot.tmp.useTmpfs = mkDefault false;
 
   proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true;