From ff3d1e9bba5ee0f7b3c6ac5a5971b59e59fc0af5 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm+julm-nix@sourcephile.fr>
Date: Fri, 4 Nov 2022 15:53:06 +0100
Subject: [PATCH] nix: revamp nixos defaults
---
flake.nix | 34 ++++---------
home-manager/profiles/bash.nix | 76 +++++++++++++++++++---------
home-manager/profiles/essential.nix | 1 +
hosts/aubergine.nix | 2 -
hosts/aubergine/networking.nix | 3 +-
hosts/oignon.nix | 2 -
hosts/oignon/networking.nix | 1 -
hosts/patate.nix | 3 --
nixos/default.nix | 12 +++++
nixos/profiles/bash.nix | 33 ------------
nixos/profiles/graphical.nix | 20 ++++----
nixos/profiles/networking.nix | 44 +++++++++-------
nixos/profiles/networking/remote.nix | 19 +++++++
nixos/profiles/system.nix | 50 ++++++++++++------
14 files changed, 168 insertions(+), 132 deletions(-)
create mode 100644 nixos/default.nix
delete mode 100644 nixos/profiles/bash.nix
create mode 100644 nixos/profiles/networking/remote.nix
diff --git a/flake.nix b/flake.nix
index 23a86bb..d8fc84d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,10 @@
});
in
{
+ # nix -L build .#nixosConfigurations.oignon.config.system.build.toplevel
+ # nix -L build .#nixosConfigurations.oignon.config.boot.kernelPackages.kernel.configfile
+ # nix -L build .#nixosConfigurations.oignon.pkgs.hello
+ # nix eval --raw .#nixosConfigurations.oignon.config.networking.nftables.rulese
nixosConfigurations = lib.genAttrs
(builtins.attrNames (lib.filterAttrs (_n: v: v == "directory") (builtins.readDir (inputs.self + "/hosts"))))
(hostName: nixosSystem {
@@ -52,6 +56,7 @@
inherit inputs;
};
modules = [
+ nixos/default.nix
(import (./hosts + "/${hostName}.nix"))
{
_module.args = {
@@ -62,29 +67,6 @@
nixpkgs.overlays = import nixpkgs/overlays.nix;
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "hplip" "geogebra" ];
}
- (import nixos/modules.nix)
- (import nixos/options.nix)
- inputs.nixpkgs.nixosModules.notDetected
- ({ pkgs, ... }: {
- nix.registry.nixpkgs = lib.mkDefault { flake = inputs.nixpkgs; };
- nix.package = pkgs.nixFlakes;
- nix.extraOptions = "experimental-features = nix-command flakes";
- #nixpkgs.overlays = import nixpkgs/overlays.nix;
- /*
- system.nixos.versionSuffix = ".${
- lib.substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
- inputs.self.shortRev or "dirty"}";
- system.nixos.revision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
- */
- # Let 'nixos-version --json' know about the Git revision of this flake.
- system.configurationRevision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
- /*
- system.configurationRevision =
- if inputs.self ? rev
- then inputs.self.rev
- else throw "Refusing to build from a dirty Git tree!";
- */
- })
inputs.home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
@@ -97,12 +79,14 @@
}
];
});
+
# nix -L develop or direnv allow
devShell = forAllSystems ({ pkgs, system, ... }: pkgs.callPackage ./shell.nix
{
inherit pkgs inputs system nixpkgsPath;
inherit (inputs.self.checks.${system}.pre-commit-check) shellHook;
});
+
# nix -L run .#oignon.switch
apps = forAllSystems ({ pkgs, system, ... }:
with builtins;
@@ -120,7 +104,7 @@
'').outPath;
};
in
- rec {
+ {
# Example: nix run .#aubergine.switch
"switch" = scriptApp "switch" [ ] ''
shopt -s globstar
@@ -152,6 +136,7 @@
'';
})
inputs.self.nixosConfigurations);
+
# nix flake check
checks = forAllSystems (args: with args; {
pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
@@ -161,6 +146,7 @@
};
};
});
+
# nix fmt
formatter = forAllSystems ({ pkgs, ... }:
inputs.nix-formatter-pack.lib.mkFormatter {
diff --git a/home-manager/profiles/bash.nix b/home-manager/profiles/bash.nix
index 02d4f92..85cb858 100644
--- a/home-manager/profiles/bash.nix
+++ b/home-manager/profiles/bash.nix
@@ -1,7 +1,8 @@
{ pkgs, lib, ... }:
+with lib;
{
programs.bash = {
- enable = lib.mkDefault true;
+ enable = mkDefault true;
shellAliases = {
black-on-white = "echo -e '\\033]11;black\\007\\033]10;white\\007'";
c = "bat";
@@ -42,12 +43,18 @@
yt = "yt-dlp";
zfs-umount = "zfs-unmount";
};
+ sessionVariables = {
+ HISTCONTROL = "erasedups:ignorespace";
+ HISTSIZE = "42000";
+ PS1 = ''\[\033[1;32m\]\[\e]0;\u@\h: \w\a\]\W\[\033[0m\] \$(e=\$?; if [ \$e != 0 ]; then echo '\[\e[0;91m\]'\$e'\[\e[0m\]'; fi)\$ '';
+ };
initExtra = ''
# Alias completion
. ${pkgs.complete-alias}/bin/complete_alias
complete -F _complete_alias "''${!BASH_ALIASES[@]}"
shopt -s globstar
+ shopt -s histappend
shopt -s histreedit
shopt -s histverify
# Disable ctrl-s/ctrl-q flow control
@@ -85,6 +92,9 @@
sed -e "s\$^\$$device @ \$" |
column -ts@
}
+ stress-mem() { fac="$1"; stress-ng --vm 1 --vm-keep --vm-bytes $(awk "/MemAvailable/{ printf \"%d\n\", \$2 * $fac; }" </proc/meminfo)k; }
+ sysenter() { srv="$1"; shift; nsenter -a -t "$(systemctl show --property MainPID --value "$srv")" "$@"; }
+ systrace() { srv="$1"; shift; strace -f -p "$(systemctl show --property MainPID --value "$srv")" "$@"; }
swaplist () {
lastpid=
swap=0
@@ -117,43 +127,61 @@
zfs-unmount () { sudo zfs unmount -u "$@"; }
'';
profileExtra = ''
- '';
+ '';
};
programs.direnv.enableBashIntegration = true;
#programs.broot.enableBashIntegration = true;
- home.sessionVariables = {
- PS1 = ''\[\033[1;32m\]\[\e]0;\u@\h: \w\a\]\W\[\033[0m\] \$(e=\$?; if [ \$e != 0 ]; then echo '\[\e[0;91m\]'\$e'\[\e[0m\]'; fi)\$ '';
- };
programs.readline = {
- enable = lib.mkDefault true;
+ enable = mkDefault true;
includeSystemConfig = true;
bindings = {
- "\\eOF" = "end-of-line";
- "\\eOH" = "beginning-of-line";
+ # Up/Down
+ "\\e[A" = "history-search-backward";
+ "\\e[B" = "history-search-forward";
+
+ # Ctrl-Left/Ctrl-Right
"\\e[1;5C" = "forward-word";
"\\e[1;5D" = "backward-word";
- "\\e[1~" = "beginning-of-line";
- "\\e[4~" = "end-of-line";
"\\e[5C" = "forward-word";
"\\e[5D" = "backward-word";
- "\\e[7~" = "beginning-of-line";
- "\\e[8~" = "end-of-line";
- "\\e[A" = "history-search-backward";
- "\\e[B" = "history-search-forward";
- "\\e[F" = "end-of-line";
- "\\e[H" = "beginning-of-line";
"\\e\\e[C" = "forward-word";
"\\e\\e[D" = "backward-word";
+
+ # Home/End
+ "\\e[1~" = "beginning-of-line";
+ "\\e[4~" = "end-of-line";
+
+ # Delete/Insert
+ "\\e[3~" = "delete-char";
+ "\\e[2~" = "quoted-insert";
+
+ # For non RH/Debian xterm, can't hurt for RH/Debian xterm
+ "\\eOF" = "end-of-line";
+ "\\eOH" = "beginning-of-line";
+
+ # For freebsd console
+ "\\e[F" = "end-of-line";
+ "\\e[H" = "beginning-of-line";
+
+ # $if term=rxvt
+ "\\e[7~" = "beginning-of-line";
+ "\\e[8~" = "end-of-line";
+ "\\eOc" = "forward-word";
+ "\\eOd" = "backward-word";
+ # $endif
};
variables = {
- colored-completion-prefix = lib.mkDefault true;
- colored-stats = lib.mkDefault true; # Note that this may cause completion text blink in some terminals (e.g. xterm).
- echo-control-characters = lib.mkDefault true;
- mark-symlinked-directories = lib.mkDefault true;
- menu-complete-display-prefix = lib.mkDefault true;
- show-all-if-ambiguous = lib.mkDefault true;
- show-all-if-unmodified = lib.mkDefault true;
- visible-stats = lib.mkDefault false; # Append char to indicate type
+ # Be 8 bit clean.
+ input-meta = mkDefault true;
+ output-meta = mkDefault true;
+ colored-completion-prefix = mkDefault true;
+ colored-stats = mkDefault true; # Note that this may cause completion text blink in some terminals (e.g. xterm).
+ echo-control-characters = mkDefault true;
+ mark-symlinked-directories = mkDefault true;
+ menu-complete-display-prefix = mkDefault true;
+ show-all-if-ambiguous = mkDefault true;
+ show-all-if-unmodified = mkDefault true;
+ visible-stats = mkDefault false; # Append char to indicate type
};
};
}
diff --git a/home-manager/profiles/essential.nix b/home-manager/profiles/essential.nix
index 26b858c..2dc6520 100644
--- a/home-manager/profiles/essential.nix
+++ b/home-manager/profiles/essential.nix
@@ -25,6 +25,7 @@
pkgs.hdparm
pkgs.hwinfo
pkgs.iotop
+ pkgs.iperf
pkgs.lm_sensors
pkgs.lsof
pkgs.lsscsi
diff --git a/hosts/aubergine.nix b/hosts/aubergine.nix
index 328139f..02a525c 100644
--- a/hosts/aubergine.nix
+++ b/hosts/aubergine.nix
@@ -3,8 +3,6 @@
imports = [
#../nixos/profiles/debug.nix
../nixos/profiles/lang-fr.nix
- ../nixos/profiles/security.nix
- ../nixos/profiles/system.nix
#../nixos/profiles/tor.nix
aubergine/hardware.nix
aubergine/networking.nix
diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix
index 47df732..5042349 100644
--- a/hosts/aubergine/networking.nix
+++ b/hosts/aubergine/networking.nix
@@ -7,7 +7,6 @@ with (import networking/names-and-numbers.nix);
networking/wifi.nix
networking/lte.nix
networking/nftables.nix
- ../../nixos/profiles/networking.nix
../../nixos/profiles/dnscrypt-proxy2.nix
../../nixos/profiles/wireguard/wg-intra.nix
];
@@ -32,7 +31,9 @@ with (import networking/names-and-numbers.nix);
}
'';
+ services.avahi.enable = true;
services.avahi.openFirewall = true;
+ services.avahi.publish.enable = true;
services.dnscrypt-proxy2.settings.listen_addresses = [
"127.0.0.1:53"
"[::1]:53"
diff --git a/hosts/oignon.nix b/hosts/oignon.nix
index 762d01e..7a1dcf7 100644
--- a/hosts/oignon.nix
+++ b/hosts/oignon.nix
@@ -6,8 +6,6 @@
../nixos/profiles/graphical.nix
../nixos/profiles/lang-fr.nix
../nixos/profiles/printing.nix
- ../nixos/profiles/security.nix
- ../nixos/profiles/system.nix
../nixos/profiles/tor.nix
../nixos/profiles/irssi.nix
oignon/backup.nix
diff --git a/hosts/oignon/networking.nix b/hosts/oignon/networking.nix
index 9949057..7df4154 100644
--- a/hosts/oignon/networking.nix
+++ b/hosts/oignon/networking.nix
@@ -1,7 +1,6 @@
{ pkgs, lib, ... }:
{
imports = [
- ../../nixos/profiles/networking.nix
../../nixos/profiles/dnscrypt-proxy2.nix
../../nixos/profiles/wireguard/wg-intra.nix
networking/nftables.nix
diff --git a/hosts/patate.nix b/hosts/patate.nix
index 8d42a4b..ea448a4 100644
--- a/hosts/patate.nix
+++ b/hosts/patate.nix
@@ -4,10 +4,7 @@
../nixos/profiles/dnscrypt-proxy2.nix
../nixos/profiles/graphical.nix
../nixos/profiles/lang-fr.nix
- ../nixos/profiles/networking.nix
../nixos/profiles/printing.nix
- ../nixos/profiles/security.nix
- ../nixos/profiles/system.nix
../nixos/profiles/wireguard/wg-intra.nix
patate/backup.nix
patate/hardware.nix
diff --git a/nixos/default.nix b/nixos/default.nix
new file mode 100644
index 0000000..166ba7e
--- /dev/null
+++ b/nixos/default.nix
@@ -0,0 +1,12 @@
+{ pkgs, lib, inputs, ... }:
+with lib;
+{
+ imports = [
+ inputs.nixpkgs.nixosModules.notDetected
+ ./options.nix
+ ./modules.nix
+ ./profiles/networking.nix
+ ./profiles/security.nix
+ ./profiles/system.nix
+ ];
+}
diff --git a/nixos/profiles/bash.nix b/nixos/profiles/bash.nix
deleted file mode 100644
index ae9d215..0000000
--- a/nixos/profiles/bash.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- programs.bash = {
- interactiveShellInit = ''
- bind '"\e[A":history-search-backward'
- bind '"\e[B":history-search-forward'
-
- # Ignore duplicate commands, ignore commands starting with a space
- export HISTCONTROL=erasedups:ignorespace
- export HISTSIZE=42000
- # Append to the history instead of overwriting (good for multiple connections)
- shopt -s histappend
-
- # Utilities
- mkcd () { mkdir -p "$1"; cd "$1"; }
- '';
- shellAliases = {
- cl = "clear";
- grep = "grep --color";
- l = "ls -alh";
- ll = "ls -al";
- ls = "ls --color=tty";
- mem = "ps -e -orss=,user=,args= | sort -b -k1,1n";
-
- s = "sudo systemctl";
- st = "sudo systemctl status";
- j = "sudo journalctl -u";
- jb = "sudo journalctl -b";
-
- nix-history = "sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
- mv = "mv -i";
- };
- };
-}
diff --git a/nixos/profiles/graphical.nix b/nixos/profiles/graphical.nix
index 429b75e..356f8d8 100644
--- a/nixos/profiles/graphical.nix
+++ b/nixos/profiles/graphical.nix
@@ -1,21 +1,23 @@
{ pkgs, lib, ... }:
+with lib;
{
- console.useXkbConfig = lib.mkDefault true;
+ console.useXkbConfig = mkDefault true;
environment.systemPackages = [
pkgs.paprefs
];
- hardware.pulseaudio.enable = lib.mkDefault true;
+ hardware.pulseaudio.enable = mkDefault true;
# Allow members of the "adbusers" group to mount Android devices via MTP.
programs.adb.enable = true;
programs.dconf.enable = true;
services.dbus.packages = [ pkgs.dconf ];
- services.gvfs.enable = lib.mkDefault true;
- sound.enable = lib.mkDefault true;
+ services.gvfs.enable = mkDefault true;
+ services.avahi.enable = mkDefault true;
+ sound.enable = mkDefault true;
services.xserver = {
- enable = lib.mkDefault true;
- libinput.enable = lib.mkDefault true;
- exportConfiguration = lib.mkDefault true; # link /usr/share/X11/ properly
+ enable = mkDefault true;
+ libinput.enable = mkDefault true;
+ exportConfiguration = mkDefault true; # link /usr/share/X11/ properly
desktopManager = {
session = [
# Let the session be generated by home-manager
@@ -27,8 +29,8 @@
'';
}
];
- xterm.enable = lib.mkDefault false;
+ xterm.enable = mkDefault false;
};
- displayManager.autoLogin.enable = lib.mkDefault true;
+ displayManager.autoLogin.enable = mkDefault true;
};
}
diff --git a/nixos/profiles/networking.nix b/nixos/profiles/networking.nix
index 20a6335..c69b29e 100644
--- a/nixos/profiles/networking.nix
+++ b/nixos/profiles/networking.nix
@@ -1,48 +1,56 @@
{ config, pkgs, lib, hostName, ... }:
+with lib;
{
imports = [
networking/nftables.nix
];
+
+ boot.kernel.sysctl = {
+ # Improve MTU detection
+ # This can thaw TCP connections stalled by a host
+ # requiring a lower MTU along the path,
+ # though it would do so after a little delay
+ # so it's better to set a low MTU when possible.
+ "net/ipv4/tcp_mtu_probing" = 1;
+ };
+
networking = {
inherit hostName;
- domain = lib.mkDefault "wg";
+ domain = mkDefault "wg";
#search = [ "sourcephile.fr" ];
firewall = {
- enable = lib.mkDefault true;
- allowPing = lib.mkDefault true;
+ enable = mkDefault true;
+ allowPing = mkDefault true;
};
networkmanager = {
- enable = lib.mkDefault config.services.xserver.enable;
+ enable = mkDefault config.services.xserver.enable;
#dhcp = "dhcpcd";
- logLevel = lib.mkDefault "INFO";
+ logLevel = mkDefault "INFO";
wifi = {
#backend = "iwd";
#backend = "wpa_supplicant";
- powersave = lib.mkDefault false;
+ powersave = mkDefault false;
};
};
usePredictableInterfaceNames = true;
};
programs.mtr.enable = true;
+ programs.traceroute.enable = mkDefault true;
programs.usbtop.enable = true;
- environment.systemPackages = [
- pkgs.iperf
- ];
services.avahi = {
- enable = lib.mkDefault true;
- nssmdns = lib.mkDefault true;
- openFirewall = lib.mkDefault false;
- publish.enable = lib.mkDefault false;
+ nssmdns = mkDefault true;
+ openFirewall = mkDefault false;
+ publish.enable = mkDefault false;
};
- networking.nftables.ruleset = lib.mkIf config.services.avahi.enable (''
+ networking.nftables.ruleset = mkIf config.services.avahi.enable (''
table inet filter {
chain output-lan {
skuid root udp sport mdns udp dport mdns comment "avahi: multicast DNS"
}
}
- '' + lib.optionalString config.services.avahi.openFirewall ''
+ '' + optionalString config.services.avahi.openFirewall ''
table inet filter {
chain input-lan {
udp dport mdns comment "avahi: multicast DNS"
@@ -51,9 +59,9 @@
'');
services.openssh = {
- enable = lib.mkDefault true;
- forwardX11 = lib.mkDefault true;
- openFirewall = lib.mkDefault false;
+ enable = mkDefault true;
+ forwardX11 = mkDefault true;
+ openFirewall = mkDefault false;
# Enable to switch-to-configuration
# with the same ssh call remotely and locally
listenAddresses = [
diff --git a/nixos/profiles/networking/remote.nix b/nixos/profiles/networking/remote.nix
new file mode 100644
index 0000000..0430669
--- /dev/null
+++ b/nixos/profiles/networking/remote.nix
@@ -0,0 +1,19 @@
+{
+ # On a remote headless server: always reboot on a kernel panic,
+ # to not have to physically go power cycle the server.
+ # Which may happen for instance if the wrong ZFS password is used
+ # but the boot is manually forced to continue.
+ # Using kernelParams instead of kernel.sysctl
+ # sets this up as soon as the initrd.
+ boot.kernelParams = [ "panic=10" ];
+
+ programs.gnupg.agent.pinentryFlavor = "curses";
+ programs.mosh.enable = mkDefault true;
+
+ # Always try to start all the units (default.target)
+ # because systemd's emergency shell does not try to start sshd.
+ # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
+ systemd.enableEmergencyMode = false;
+
+ services.openssh.enable = true;
+}
diff --git a/nixos/profiles/system.nix b/nixos/profiles/system.nix
index 2af4c86..a5f3206 100644
--- a/nixos/profiles/system.nix
+++ b/nixos/profiles/system.nix
@@ -1,20 +1,23 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, inputs, ... }:
+with lib;
{
- imports = [
- ./bash.nix
- ];
+ boot.cleanTmpDir = mkDefault true;
+ boot.tmpOnTmpfs = mkDefault true;
+ services.logrotate.enable = true;
+ # NOTE: mostly useless on a server, and CPU intensive.
documentation = {
- enable = lib.mkDefault true;
- dev.enable = lib.mkDefault false;
- doc.enable = lib.mkDefault true;
- info.enable = lib.mkDefault false;
- man.enable = lib.mkDefault true;
- nixos.enable = lib.mkDefault false;
+ enable = mkDefault true;
+ dev.enable = mkDefault false;
+ doc.enable = mkDefault true;
+ info.enable = mkDefault false;
+ man.enable = mkDefault true;
+ nixos.enable = mkDefault false;
};
environment.variables = {
EDITOR = "vim";
PAGER = "less -R";
SYSTEMD_LESS = "FKMRX";
+ NIXPKGS_CONFIG = mkForce "";
};
home-manager.users.root = {
imports = [
@@ -26,11 +29,14 @@
${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/root/home-manager
'';
nix = {
- settings.auto-optimise-store = lib.mkDefault true;
- gc.automatic = lib.mkDefault true;
- gc.dates = lib.mkDefault "weekly";
- gc.options = lib.mkDefault "--delete-older-than 7d";
- nixPath = lib.mkForce [ ];
+ settings.auto-optimise-store = mkDefault true;
+ gc.automatic = mkDefault true;
+ gc.dates = mkDefault "weekly";
+ gc.options = mkDefault "--delete-older-than 7d";
+ nixPath = mkForce [ ];
+ registry.nixpkgs = mkDefault { flake = inputs.nixpkgs; };
+ package = pkgs.nixFlakes;
+ extraOptions = "experimental-features = nix-command flakes";
};
security.lockKernelModules = false;
services.journald = {
@@ -41,5 +47,19 @@
SystemMaxUse=100M
'';
};
+ /*
+ system.nixos.versionSuffix = ".${
+ substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
+ inputs.self.shortRev or "dirty"}";
+ system.nixos.revision = mkIf (inputs.self ? rev) inputs.self.rev;
+ */
+ # Let 'nixos-version --json' know about the Git revision of this flake.
+ system.configurationRevision = mkIf (inputs.self ? rev) inputs.self.rev;
+ /*
+ system.configurationRevision =
+ if inputs.self ? rev
+ then inputs.self.rev
+ else throw "Refusing to build from a dirty Git tree!";
+ */
users.mutableUsers = false;
}
--
2.47.2