chore(gengetsu): common nixos.hw.c4130

2026-02-09 04:19:19 -08:00 · 2024-11-24 13:51:35 -08:00 · 2024-11-24 13:51:35 -08:00 · 3c5e7179bb
commit 3c5e7179bb
parent 64efbaf503
18 changed files with 217 additions and 132 deletions
--- a/modules/extern/nixos/kyuuto.nix
+++ b/modules/extern/nixos/kyuuto.nix
@ -104,7 +104,8 @@
      ];
      nfs.fstabOptions = [
        "noauto"
-        "lazytime" "noatime"
+        "lazytime"
+        "noatime"
        #"nfsvers=4"
        "soft"
        "nocto"
@ -116,7 +117,8 @@
      ];
      smb.fstabOptions = [
        "noauto"
-        "lazytime" "noatime"
+        "lazytime"
+        "noatime"
        (mkIf (config.smb.user != null) "user=${config.smb.user}")
      ];
      automount.fstabOptions = [
@ -129,28 +131,30 @@
          cfg,
          nfsSubpath,
          smbSubpath,
-        }: mkIf cfg.enable {
-          device = mkMerge [
-            (mkIf config.nfs.enable "nfs.${config.domain}:/srv/fs/${nfsSubpath}")
-            (mkIf config.smb.enable ''\\smb.${config.domain}\${smbSubpath}'')
-          ];
-          fsType = mkMerge [
-            (mkIf config.nfs.enable "nfs4")
-            (mkIf config.smb.enable "smb3")
-          ];
-          options = mkMerge (setFilesystemOptions
-            ++ [
-              (mkIf cfg.krb5.enable [
-                "sec=krb5"
-                (mkIf config.nfs.enable "nfsvers=4")
-              ])
-            ]);
-        };
+        }:
+          mkIf cfg.enable {
+            device = mkMerge [
+              (mkIf config.nfs.enable "nfs.${config.domain}:/srv/fs/${nfsSubpath}")
+              (mkIf config.smb.enable ''\\smb.${config.domain}\${smbSubpath}'')
+            ];
+            fsType = mkMerge [
+              (mkIf config.nfs.enable "nfs4")
+              (mkIf config.smb.enable "smb3")
+            ];
+            options = mkMerge (setFilesystemOptions
+              ++ [
+                (mkIf cfg.krb5.enable [
+                  "sec=krb5"
+                  (mkIf config.nfs.enable "nfsvers=4")
+                ])
+              ]);
+          };
      in {
        "/mnt/kyuuto-media" = mkKyuutoFs {
          cfg = config.media;
          nfsSubpath = "kyuuto/media";
-          smbSubpath = if config.smb.user != null && access.local.enable
+          smbSubpath =
+            if config.smb.user != null && access.local.enable
            then "kyuuto-media"
            else if config.smb.user != null
            then "kyuuto-library-net"
--- a/nixos/base/access.nix
+++ b/nixos/base/access.nix
@ -2,11 +2,20 @@
  config,
  pkgs,
  meta,
+  lib,
  ...
-}: {
-  security.sudo.wheelNeedsPassword = false;
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.users
+  ];

-  security.polkit.extraConfig = ''
+  security.sudo.wheelNeedsPassword = mkDefault false;
+
+  security.polkit.extraConfig = mkIf (!config.security.sudo.wheelNeedsPassword) ''
    polkit.addRule(function(action, subject) {
      if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
@ -14,12 +23,6 @@
    });
  '';

-  imports = let
-    inherit (meta) nixos;
-  in [
-    nixos.users
-  ];
-
  users.motd = ''
    [0m[1;35m${config.networking.hostName}.${config.networking.domain}[0m

@ -27,7 +30,7 @@
  users.defaultUserShell = pkgs.zsh;

  users.users.root = {
-    hashedPassword = "$6$SLue7utn4qXtW1TE$yQOliCPKgkiFST5H6iqCCwT2dn3o4e/h39MaCbhOXVreFQrkWe7ZzJUOzC0u28/0.Hzs6xKSiJnGjbLXvGstr1";
+    hashedPassword = mkDefault "$6$SLue7utn4qXtW1TE$yQOliCPKgkiFST5H6iqCCwT2dn3o4e/h39MaCbhOXVreFQrkWe7ZzJUOzC0u28/0.Hzs6xKSiJnGjbLXvGstr1";
    openssh.authorizedKeys.keys = with pkgs.lib; (concatLists (mapAttrsToList
      (name: user:
        if elem "wheel" user.extraGroups
--- a/nixos/base/ssh.nix
+++ b/nixos/base/ssh.nix
@ -1,10 +1,11 @@
 {
  config,
  lib,
-  pkgs,
  ...
 }: let
-  inherit (lib.modules) mkDefault;
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (lib.lists) head;
+  cfg = config.services.openssh;
  publicPort = 62954;
 in {
  /*
@ -33,4 +34,8 @@ in {
  };

  programs.mosh.enable = true;
+
+  boot.initrd.network.ssh = mkIf cfg.enable {
+    port = mkDefault (head cfg.ports);
+  };
 }
--- a/nixos/base/system.nix
+++ b/nixos/base/system.nix
@ -1,9 +1,11 @@
 {
  config,
+  gensokyo-zone,
  lib,
  pkgs,
  ...
 }: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
  inherit (lib.modules) mkDefault;
 in {
  hardware.enableRedistributableFirmware = mkDefault true;
@ -23,7 +25,8 @@ in {
  services.journald.extraConfig = "SystemMaxUse=512M";
  users.mutableUsers = mkDefault false;
  boot.tmp = {
-    useTmpfs = mkDefault true;
-    tmpfsSize = mkDefault "80%";
+    cleanOnBoot = mkAlmostOptionDefault true;
+    useTmpfs = mkAlmostOptionDefault true;
+    tmpfsSize = mkAlmostOptionDefault "80%";
  };
 }
--- a/nixos/hw/c4130.nix
+++ b/nixos/hw/c4130.nix
@ -4,16 +4,14 @@
  lib,
  ...
 }: let
-  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (lib.modules) mkIf mkMerge;
 in {
  imports = [
+    ./headless.nix
    ./metal.nix
  ];

  boot = {
-    loader = {
-      systemd-boot.enable = mkDefault true;
-    };
    initrd = {
      systemd.network = mkIf config.networking.useNetworkd {
        networks."40-eno1" = {
--- a/nixos/hw/headless.nix
+++ b/nixos/hw/headless.nix
@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+in {
+  boot = {
+    initrd.systemd.emergencyAccess = mkDefault true;
+    consoleLogLevel = mkDefault 5;
+  };
+  services.getty.autologinUser = mkDefault "root";
+  documentation.enable = mkDefault false;
+}
--- a/nixos/hw/metal.nix
+++ b/nixos/hw/metal.nix
@ -1,9 +1,19 @@
 {
  pkgs,
  config,
+  gensokyo-zone,
  lib,
  ...
-}: {
+}: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+in {
+  boot = {
+    loader = {
+      systemd-boot.enable = mkAlmostOptionDefault true;
+      efi.canTouchEfiVariables = mkAlmostOptionDefault true;
+    };
+  };
+
  environment.systemPackages = [
    pkgs.pciutils
    pkgs.usbutils
--- a/nixos/kyuuto/nfs.nix
+++ b/nixos/kyuuto/nfs.nix
@ -15,7 +15,13 @@
    data = "${nfsRoot}/kyuuto/data";
    systems = "${nfsRoot}/kyuuto/systems";
  };
-  mkSystemExport = { name, fsid, machine, flags ? ["async"], machineFlags ? flagSets.metal }: {
+  mkSystemExport = {
+    name,
+    fsid,
+    machine,
+    flags ? ["async"],
+    machineFlags ? flagSets.metal,
+  }: {
    flags = flagSets.common ++ ["fsid=${toString fsid}"] ++ flags;
    clients = {
      ${name} = {
@ -28,12 +34,18 @@
      };
    };
  };
-  mkSystemExports = name: { machine, fileSystems }: let
+  mkSystemExports = name: {
+    machine,
+    fileSystems,
+  }: let
    systemRoot = "${nfsRoot.systems}/${name}";
-    mapSystemExport = fsName: fs: nameValuePair "${systemRoot}/${fsName}" (mkSystemExport ({
-      inherit name machine;
-    } // fs));
-  in mapAttrs' mapSystemExport fileSystems;
+    mapSystemExport = fsName: fs:
+      nameValuePair "${systemRoot}/${fsName}" (mkSystemExport ({
+          inherit name machine;
+        }
+        // fs));
+  in
+    mapAttrs' mapSystemExport fileSystems;
  exportedSystems = {
    gengetsu = {
      machine = flagSets.gengetsuClients;
@ -105,21 +117,33 @@ in {
      "nfs-mountd.service"
    ];
    before = wantedBy;
-    mkMount = { what, where, ... }@args: {
-      inherit type options wantedBy before;
-    } // args;
-    mkSystemMount = { name, fsName }: let
+    mkMount = {
+      what,
+      where,
+      ...
+    } @ args:
+      {
+        inherit type options wantedBy before;
+      }
+      // args;
+    mkSystemMount = {
+      name,
+      fsName,
+    }: let
      systemRoot = "${nfsRoot.systems}/${name}";
-    in mkMount {
-      what = "${kyuuto.dataDir}/systems/${name}/fs/${fsName}";
-      where = "${systemRoot}/${fsName}";
-    };
-    mapSystemMounts = name: { fileSystems, ... }: let
-      mapFileSystem = fsName: fs: mkSystemMount { inherit name fsName; };
-    in mapAttrsToList mapFileSystem fileSystems;
+    in
+      mkMount {
+        what = "${kyuuto.dataDir}/systems/${name}/fs/${fsName}";
+        where = "${systemRoot}/${fsName}";
+      };
+    mapSystemMounts = name: {fileSystems, ...}: let
+      mapFileSystem = fsName: fs: mkSystemMount {inherit name fsName;};
+    in
+      mapAttrsToList mapFileSystem fileSystems;
    systemMounts = let
      systemMounts = mapAttrsToList mapSystemMounts exportedSystems;
-    in concatLists systemMounts;
+    in
+      concatLists systemMounts;
    exportMounts = map mkMount [
      {
        what = kyuuto.mountDir;
--- a/nixos/netboot/kyuuto.nix
+++ b/nixos/netboot/kyuuto.nix
@ -29,7 +29,8 @@ in {
        default = [
          "nolock" # required in order to mount in initrd when statd daemon isn't running
          "nocto"
-          "lazytime" "noatime"
+          "lazytime"
+          "noatime"
          "actimeo=${toString defaultCacheTimeoutMax}"
          "acregmin=${toString defaultCacheTimeoutMin}"
          "acdirmin=${toString defaultCacheTimeoutMin}"
@ -47,7 +48,8 @@ in {
          };
        };
        availableKernelModules = mkIf nfsEnabled [
-          "nfsv4" "nfsv3"
+          "nfsv4"
+          "nfsv3"
        ];
        extraUtilsCommands = mkIf (nfsEnabled && !config.boot.initrd.systemd.enable) ''
          copy_bin_and_libs ${cfg.nfs.package}/sbin/mount.nfs
@ -60,7 +62,7 @@ in {
            (mkIf config.boot.initrd.network.enable [
              pkgs.iproute2
            ])
-            [ pkgs.util-linux pkgs.gnugrep ]
+            [pkgs.util-linux pkgs.gnugrep]
          ];
          network = mkIf config.networking.useNetworkd {
            enable = mkDefault true;
@ -69,20 +71,24 @@ in {
      };
      loader = {
        systemd-boot.enable = true;
-        efi.canTouchEfiVariables = false;
+        efi.canTouchEfiVariables = mkIf cfg.boot.enable false;
      };
    };
    fileSystems = let
-      nfsUrl = access.proxyUrlFor {
-        serviceName = "nfs";
-        scheme = "";
-        defaultPort = 2049;
-        # XXX: consider using dns hostname here instead? (does this require the dns_resolver kernel module?)
-        getAddressFor = "getAddress4For";
-      } + ":/srv/fs/kyuuto/systems/${systemConfig.name}";
-      nfsOpts = [
-        "sec=${cfg.nfs.security}"
-      ] ++ cfg.nfs.flags;
+      nfsUrl =
+        access.proxyUrlFor {
+          serviceName = "nfs";
+          scheme = "";
+          defaultPort = 2049;
+          # XXX: consider using dns hostname here instead? (does this require the dns_resolver kernel module?)
+          getAddressFor = "getAddress4For";
+        }
+        + ":/srv/fs/kyuuto/systems/${systemConfig.name}";
+      nfsOpts =
+        [
+          "sec=${cfg.nfs.security}"
+        ]
+        ++ cfg.nfs.flags;
    in {
      "/" = {
        device = "${nfsUrl}/root";
--- a/nixos/nfs.nix
+++ b/nixos/nfs.nix
@ -63,9 +63,11 @@ in {
            optional (local.enable or false && local.address4 != null) "${local.address4}/32"
            ++ optional (local.enable or false && local.address6 != null) "${local.address6}/128";
          allowed =
-            if addrs != [] then addrs
+            if addrs != []
+            then addrs
            else lib.warn "${name} NFS: falling back to all LAN" cidrForNetwork.allLan.all;
-        in allowed;
+        in
+          allowed;
        mkC4130Client = name: mkMetalClient name ++ mkMetalClient "idrac-${name}";
      in {
        common = [
@ -91,7 +93,9 @@ in {
          "ro"
        ];
        metal = [
-          "sec=sys" "no_root_squash" "rw"
+          "sec=sys"
+          "no_root_squash"
+          "rw"
        ];
        # client machines
        clientGroups = [
--- a/nixos/reisen-ct/proxmox.nix
+++ b/nixos/reisen-ct/proxmox.nix
@ -3,6 +3,7 @@
  gensokyo-zone,
  lib,
  modulesPath,
+  meta,
  ...
 }: let
  inherit (gensokyo-zone.lib) unmerged;
@ -10,17 +11,20 @@
  inherit (lib.attrsets) mapAttrsToList;
  inherit (systemConfig) proxmox;
 in {
-  imports = [
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.hw.headless
    (modulesPath + "/virtualisation/proxmox-lxc.nix")
  ];

-  services.getty.autologinUser = mkDefault "root";
-  documentation.enable = mkDefault false;
-
  environment.variables = {
    # nix default is way too big
    GC_INITIAL_HEAP_SIZE = mkDefault "8M";
  };
+  # XXX: this might be okay if the nix daemon's tmp is overridden
+  # (but still avoid since containers are usually low on provisioned memory)
+  boot.tmp.useTmpfs = mkDefault false;

  proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true;

--- a/systems/gengetsu/default.nix
+++ b/systems/gengetsu/default.nix
@ -6,12 +6,10 @@ _: {
  modules = [
    ./nixos.nix
  ];
-  deploy.hostname = "10.1.1.204";
-  deploy.sshOpts = [];
-  #exports = {
-  #services = {
-  #};
-  #};
+  exports = {
+    services = {
+    };
+  };
  network.networks = {
    local = {
      macAddress = "54:48:10:f3:fe:aa";
--- a/systems/gengetsu/hardware-configuration.nix
+++ b/systems/gengetsu/hardware-configuration.nix
@ -0,0 +1,47 @@
+{
+  meta,
+  config,
+  ...
+}: {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.hw.c4130
+    #nixos.netboot.kyuuto
+  ];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/bf317f5d-ffc2-45fd-9621-b645ff7223fc";
+      fsType = "xfs";
+      options = ["lazytime" "noatime"];
+    };
+    "/boot" = {
+      device = "/dev/disk/by-label/boot";
+      fsType = "vfat";
+      options = ["fmask=0077" "dmask=0077"];
+    };
+  };
+
+  networking.useNetworkd = true;
+  systemd.network = {
+    networks."40-eno1" = {
+      inherit (config.systemd.network.links.eno1) matchConfig;
+      address = ["10.1.1.61/24"];
+      gateway = ["10.1.1.1"];
+      DHCP = "no";
+      networkConfig = {
+        IPv6AcceptRA = true;
+      };
+      linkConfig = {
+        Multicast = true;
+      };
+    };
+    links.eno1 = {
+      matchConfig = {
+        Type = "ether";
+        MACAddress = "54:48:10:f3:fe:aa";
+      };
+    };
+  };
+}
--- a/systems/gengetsu/nixos.nix
+++ b/systems/gengetsu/nixos.nix
@ -1,47 +1,11 @@
-{
-  meta,
-  config,
-  lib,
-  modulesPath,
-  pkgs,
-  ...
-}: {
+{meta, ...}: {
  imports = let
    inherit (meta) nixos;
  in [
+    ./hardware-configuration.nix
    #nixos.sops
    nixos.base
  ];

-  boot = {
-    initrd = {
-      availableKernelModules = ["ahci" "xhci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
-      kernelModules = [];
-      systemd.emergencyAccess = true;
-    };
-    kernelModules = [];
-    extraModulePackages = [];
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/bf317f5d-ffc2-45fd-9621-b645ff7223fc";
-      fsType = "xfs";
-    };
-    "/boot" = {
-      device = "/dev/disk/by-label/boot";
-      fsType = "vfat";
-      options = ["fmask=0077" "dmask=0077"];
-    };
-  };
-
-  environment.systemPackages = [
-    pkgs.ipmitool
-  ];
-
  system.stateVersion = "24.05";
 }
--- a/systems/logistics/hardware-configuration.nix
+++ b/systems/logistics/hardware-configuration.nix
@ -2,12 +2,19 @@
  config,
  pkgs,
  lib,
+  meta,
  ...
 }: let
  inherit (lib.modules) mkIf;
  opengl32 = false;
  opencl = false;
 in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.hw.metal
+  ];
+
  boot = {
    initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
    kernelModules = ["kvm-intel"];
@ -41,4 +48,6 @@ in {
      ];
    };
  };
+
+  networking.networkmanager.enable = true;
 }
--- a/systems/logistics/nixos.nix
+++ b/systems/logistics/nixos.nix
@ -21,11 +21,6 @@ in {
    ./hardware-configuration.nix
  ];

-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.networkmanager.enable = true;
-
  services.xserver = {
    enable = true;
    displayManager.lightdm.enable = true;
--- a/systems/mugetsu/hardware-configuration.nix
+++ b/systems/mugetsu/hardware-configuration.nix
@ -7,6 +7,7 @@
    inherit (meta) nixos;
  in [
    nixos.hw.c4130
+    nixos.netboot.kyuuto
  ];

  fileSystems = {
--- a/systems/mugetsu/nixos.nix
+++ b/systems/mugetsu/nixos.nix
@ -1,14 +1,10 @@
-{
-  meta,
-  ...
-}: {
+{meta, ...}: {
  imports = let
    inherit (meta) nixos;
  in [
    ./hardware-configuration.nix
    #nixos.sops
    nixos.base
-    nixos.netboot.kyuuto
  ];

  system.stateVersion = "24.11";