diff --git a/flake.lock b/flake.lock
index 1dfaa72b..9569b403 100644
--- a/flake.lock
+++ b/flake.lock
@@ -628,23 +628,6 @@
 "type": "github"
 }
 },
- "mesa-panfork": {
- "flake": false,
- "locked": {
- "lastModified": 1670633863,
- "narHash": "sha256-4eZHMiYS+sRDHNBtLZTA8ELZnLns7yT3USU5YQswxQ0=",
- "owner": "panfork",
- "repo": "mesa",
- "rev": "120202c675749c5ef81ae4c8cdc30019b4de08f4",
- "type": "gitlab"
- },
- "original": {
- "owner": "panfork",
- "ref": "csf",
- "repo": "mesa",
- "type": "gitlab"
- }
- },
 "mysecrets": {
 "flake": false,
 "locked": {
@@ -775,16 +758,15 @@
 "nixos-rk3588": {
 "inputs": {
 "flake-utils": "flake-utils_4",
- "mesa-panfork": "mesa-panfork",
 "nixpkgs": "nixpkgs_4",
 "pre-commit-hooks": "pre-commit-hooks_2"
 },
 "locked": {
- "lastModified": 1703010942,
- "narHash": "sha256-YYNCF1cnVyQk6OPVnwyvpeg3brwS/ICRGAvFwe2RCZc=",
+ "lastModified": 1709478567,
+ "narHash": "sha256-cfY5vuB9B5KdiVIzdHelldxfOcag/wPPTcbERQpzULs=",
 "owner": "ryan4yin",
 "repo": "nixos-rk3588",
- "rev": "fce637ae61bc0fce3c68c39c117d08bcc8e2bedf",
+ "rev": "0eea4e4cf05f997833e5cd7c48847c83e0c5b193",
 "type": "github"
 },
 "original": {
@@ -975,16 +957,16 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1691486536,
- "narHash": "sha256-W2jYTn6rNiJEpjXkOiZxNltgxxwgeZE5cQ967NgsrHU=",
+ "lastModified": 1709309926,
+ "narHash": "sha256-VZFBtXGVD9LWTecGi6eXrE0hJ/mVB3zGUlHImUs2Qak=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "8fa39adf946a4470610b38fd7aff0a73ad4356c3",
+ "rev": "79baff8812a0d68e24a836df0a364c678089e2c7",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-23.05-small",
+ "ref": "nixos-23.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/modules/nixos/base/core.nix b/modules/nixos/base/core.nix
new file mode 100644
index 00000000..7f4bc4e1
--- /dev/null
+++ b/modules/nixos/base/core.nix
@@ -0,0 +1,16 @@
+{lib, ...}: {
+ boot.loader.systemd-boot = {
+ # we use Git for version control, so we don't need to keep too many generations.
+ configurationLimit = lib.mkDefault 10;
+ # pick the highest resolution for systemd-boot's console.
+ consoleMode = lib.mkDefault "max";
+ };
+
+ # for power management
+ services = {
+ power-profiles-daemon = {
+ enable = true;
+ };
+ upower.enable = true;
+ };
+}
diff --git a/modules/nixos/base/misc.nix b/modules/nixos/base/misc.nix
deleted file mode 100644
index 394b17a3..00000000
--- a/modules/nixos/base/misc.nix
+++ /dev/null
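Review bot: core.nix is a new base module, yet nothing in this diff touches the base directory's default.nix, while server.nix still imports `../base` as a directory. If that default.nix enumerates modules by name it now references the deleted misc.nix and knows nothing of core.nix, packages.nix, ssh.nix or zram.nix, so hosts built from server.nix would either fail to evaluate or silently drop the bootloader, gc and ssh settings that used to come from misc.nix; I cannot see that file here, so this is inferred. Worth confirming that the directory import picks the new files up, or updating it in this same commit.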
@@ -1,112 +0,0 @@
-{
- lib,
- pkgs,
- ...
-}: {
- ###################################################################################
- #
- # NixOS's core configuration suitable for all my machines
- #
- ###################################################################################
-
- # to install chrome, you need to enable unfree packages
- nixpkgs.config.allowUnfree = lib.mkForce true;
-
- boot.loader.systemd-boot = {
- # we use Git for version control, so we don't need to keep too many generations.
- configurationLimit = lib.mkDefault 10;
- # pick the highest resolution for systemd-boot's console.
- consoleMode = lib.mkDefault "max";
- };
-
- # do garbage collection weekly to keep disk usage low
- nix.gc = {
- automatic = lib.mkDefault true;
- dates = lib.mkDefault "weekly";
- options = lib.mkDefault "--delete-older-than 7d";
- };
-
- # Add terminfo database of all known terminals to the system profile.
- # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/config/terminfo.nix
- environment.enableAllTerminfo = true;
-
- # Manual optimise storage: nix-store --optimise
- # https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
- nix.settings.auto-optimise-store = true;
-
- # Enable in-memory compressed devices and swap space provided by the zram kernel module.
- # By enable this, we can store more data in memory instead of fallback to disk-based swap devices directly,
- # and thus improve I/O performance when we have a lot of memory.
- #
- # https://www.kernel.org/doc/Documentation/blockdev/zram.txt
- zramSwap = {
- enable = true;
- # one of "lzo", "lz4", "zstd"
- algorithm = "zstd";
- # Priority of the zram swap devices.
- # It should be a number higher than the priority of your disk-based swap devices
- # (so that the system will fill the zram swap devices before falling back to disk swap).
- priority = 5;
- # Maximum total amount of memory that can be stored in the zram swap devices (as a percentage of your total memory).
- # Defaults to 1/2 of your total RAM. Run zramctl to check how good memory is compressed.
- # This doesn’t define how much memory will be used by the zram swap devices.
- memoryPercent = 50;
- };
-
- # for power management
- services = {
- power-profiles-daemon = {
- enable = true;
- };
- upower.enable = true;
- };
-
- # List packages installed in system profile. To search, run:
- # $ nix search wget
- environment.systemPackages = with pkgs; [
- neofetch
- neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
-
- # system call monitoring
- strace # system call monitoring
- ltrace # library call monitoring
- bpftrace # powerful tracing tool
- tcpdump # network sniffer
- lsof # list open files
-
- # system monitoring
- sysstat
- iotop
- iftop
- btop
- nmon
-
- # system tools
- psmisc # killall/pstree/prtstat/fuser/...
- lm_sensors # for `sensors` command
- ethtool
- pciutils # lspci
- usbutils # lsusb
- hdparm # for disk performance, command
- dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
- parted
-
- # create a fhs environment by command `fhs`, so we can run non-nixos packages in nixos!
- (
- let
- base = pkgs.appimageTools.defaultFhsEnvArgs;
- in
- pkgs.buildFHSUserEnv (base
- // {
- name = "fhs";
- targetPkgs = pkgs: (base.targetPkgs pkgs) ++ [pkgs.pkg-config];
- profile = "export FHS=1";
- runScript = "bash";
- extraOutputsToInstall = ["dev"];
- })
- )
- ];
-
- # replace default editor with neovim
- environment.variables.EDITOR = "nvim";
-}
diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix
index 8667ca0c..21670c05 100644
--- a/modules/nixos/base/networking.nix
+++ b/modules/nixos/base/networking.nix
@@ -1,26 +1,4 @@
-{
- lib,
- vars_networking,
- ...
-}: {
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- networking.firewall.enable = lib.mkDefault false;
-
- programs.ssh = vars_networking.ssh;
-
- # Enable the OpenSSH daemon.
- services.openssh = {
- enable = true;
- settings = {
- X11Forwarding = true;
- PermitRootLogin = "no"; # disable root login
- PasswordAuthentication = false; # disable password login
- };
- openFirewall = true;
- };
-
+_: {
 # Network discovery, mDNS
 # With this enabled, you can access your machine at .local
 # it's more convenient than using the IP address.
diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix
index 41c35031..e4371edf 100644
--- a/modules/nixos/base/nix.nix
+++ b/modules/nixos/base/nix.nix
@@ -3,6 +3,20 @@
 nixpkgs,
 ...
 }: {
+ # to install chrome, you need to enable unfree packages
+ nixpkgs.config.allowUnfree = lib.mkForce true;
+
+ # do garbage collection weekly to keep disk usage low
+ nix.gc = {
+ automatic = lib.mkDefault true;
+ dates = lib.mkDefault "weekly";
+ options = lib.mkDefault "--delete-older-than 7d";
+ };
+
+ # Manual optimise storage: nix-store --optimise
+ # https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
+ nix.settings.auto-optimise-store = true;
+
 # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
 nix.registry.nixpkgs.flake = nixpkgs;
 nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
diff --git a/modules/nixos/base/packages.nix b/modules/nixos/base/packages.nix
new file mode 100644
index 00000000..5a04763b
--- /dev/null
+++ b/modules/nixos/base/packages.nix
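Review bot: `nixpkgs.config.allowUnfree = lib.mkForce true;` at the top of the nix.nix hunk uses mkForce inside a module that every profile now imports, so no host can opt back out of unfree packages even though the "to install chrome" rationale does not apply to the server profiles that pull nix.nix in via this same commit. `nixpkgs.config.allowUnfree = lib.mkDefault true;` keeps today's behaviour on every existing host while leaving the decision overridable per machine, and the comment could state that this is a global policy rather than a chrome-specific one. The module's argument list and the remainder of the file lie outside the hunk.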
@@ -0,0 +1,50 @@
+{pkgs, ...}: {
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ neofetch
+ neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+
+ # system call monitoring
+ strace # system call monitoring
+ ltrace # library call monitoring
+ bpftrace # powerful tracing tool
+ tcpdump # network sniffer
+ lsof # list open files
+
+ # system monitoring
+ sysstat
+ iotop
+ iftop
+ btop
+ nmon
+
+ # system tools
+ psmisc # killall/pstree/prtstat/fuser/...
+ lm_sensors # for `sensors` command
+ ethtool
+ pciutils # lspci
+ usbutils # lsusb
+ hdparm # for disk performance, command
+ dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
+ parted
+
+ # create a fhs environment by command `fhs`, so we can run non-nixos packages in nixos!
+ (
+ let
+ base = pkgs.appimageTools.defaultFhsEnvArgs;
+ in
+ pkgs.buildFHSUserEnv (base
+ // {
+ name = "fhs";
+ targetPkgs = pkgs: (base.targetPkgs pkgs) ++ [pkgs.pkg-config];
+ profile = "export FHS=1";
+ runScript = "bash";
+ extraOutputsToInstall = ["dev"];
+ })
+ )
+ ];
+
+ # replace default editor with neovim
+ environment.variables.EDITOR = "nvim";
+}
diff --git a/modules/nixos/base/ssh.nix b/modules/nixos/base/ssh.nix
new file mode 100644
index 00000000..d5745722
--- /dev/null
+++ b/modules/nixos/base/ssh.nix
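Review bot: `pkgs.buildFHSUserEnv (base` in the fhs entry carries over the legacy name; nixpkgs renamed this builder to `buildFHSEnv` in 23.05 and keeps `buildFHSUserEnv` only as a compatibility alias, and this commit moves at least one nixpkgs input to nixos-23.11. Since the file is being created fresh, `pkgs.buildFHSEnv (base` avoids depending on the alias; if the flake's primary nixpkgs is older than 23.05 (not visible here) the old name has to stay. The comment `# system call monitoring` above the strace group also duplicates strace's own inline comment and could be dropped.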
@@ -0,0 +1,27 @@
+{
+ lib,
+ vars_networking,
+ ...
+}: {
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = lib.mkDefault false;
+
+ programs.ssh = vars_networking.ssh;
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ settings = {
+ X11Forwarding = true;
+ PermitRootLogin = "no"; # disable root login
+ PasswordAuthentication = false; # disable password login
+ };
+ openFirewall = true;
+ };
+
+ # Add terminfo database of all known terminals to the system profile.
+ # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/config/terminfo.nix
+ environment.enableAllTerminfo = true;
+}
diff --git a/modules/nixos/base/zram.nix b/modules/nixos/base/zram.nix
new file mode 100644
index 00000000..fbb9d47f
--- /dev/null
+++ b/modules/nixos/base/zram.nix
@@ -0,0 +1,20 @@
+{
+ # Enable in-memory compressed devices and swap space provided by the zram kernel module.
+ # By enable this, we can store more data in memory instead of fallback to disk-based swap devices directly,
+ # and thus improve I/O performance when we have a lot of memory.
+ #
+ # https://www.kernel.org/doc/Documentation/blockdev/zram.txt
+ zramSwap = {
+ enable = true;
+ # one of "lzo", "lz4", "zstd"
+ algorithm = "zstd";
+ # Priority of the zram swap devices.
+ # It should be a number higher than the priority of your disk-based swap devices
+ # (so that the system will fill the zram swap devices before falling back to disk swap).
+ priority = 5;
+ # Maximum total amount of memory that can be stored in the zram swap devices (as a percentage of your total memory).
+ # Defaults to 1/2 of your total RAM. Run zramctl to check how good memory is compressed.
+ # This doesn’t define how much memory will be used by the zram swap devices.
+ memoryPercent = 50;
+ };
+}
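Review bot: `networking.firewall.enable = lib.mkDefault false;` now sits in ssh.nix, which server-aarch64.nix and server-riscv64.nix start importing in this same commit, so the servers' default moves from NixOS's enabled firewall to no packet filtering at all, and the `openFirewall = true;` a few lines below becomes a no-op there; before this change the riscv64 server only carried its own services.openssh block and never imported the firewall line. If the servers are meant to expose SSH only, drop the firewall line from ssh.nix and keep it in a workstation-only module, or change it to `networking.firewall.enable = lib.mkDefault true;` and let desktop hosts override. `X11Forwarding = true;` likewise has no use on a headless server and is better left at its default unless a host sets it. A short header comment naming which profiles import this module would make the blast radius of future edits visible.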
diff --git a/modules/nixos/server/security.nix b/modules/nixos/server/security.nix
deleted file mode 100644
index a8e942f9..00000000
--- a/modules/nixos/server/security.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{username, ...}: {
- # Public Keys that can be used to login to all my servers.
- users.users.${username}.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzYT0Fpcp681eHY5FJV2G8Mve53iX3hMOLGbVvfL+TF ryan@romantic"
- ];
-}
diff --git a/modules/nixos/server/server-aarch64.nix b/modules/nixos/server/server-aarch64.nix
new file mode 100644
index 00000000..edef7f4b
--- /dev/null
+++ b/modules/nixos/server/server-aarch64.nix
@@ -0,0 +1,19 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ../base/core.nix
+ ../base/i18n.nix
+ ../base/monitoring.nix
+ ../base/nix.nix
+ ../base/ssh.nix
+ ../base/user-group.nix
+
+ ../../base.nix
+ ];
+
+ # Fix: jasper is marked as broken, refusing to evaluate.
+ environment.enableAllTerminfo = lib.mkForce false;
+}
diff --git a/modules/nixos/server/server-riscv64.nix b/modules/nixos/server/server-riscv64.nix
index ba49b8cc..4b655b00 100644
--- a/modules/nixos/server/server-riscv64.nix
+++ b/modules/nixos/server/server-riscv64.nix
@@ -4,19 +4,16 @@
 # =========================================================================
 imports = [
+ ../base/core.nix
 ../base/i18n.nix
- ../base/misc.nix
+ ../base/monitoring.nix
+ ../base/nix.nix
+ ../base/ssh.nix
 ../base/user-group.nix
 ../../base.nix
-
- ./security.nix
 ];
- # List packages installed in system profile. To search, run:
- # $ nix search wget
- #
- # TODO feel free to add or remove packages here.
 environment.systemPackages = with pkgs; [
 neovim
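Review bot: With security.nix deleted, the import list in server-aarch64.nix no longer installs any authorized key, and the same holds for the server-riscv64.nix hunk below it and the server.nix hunk that follows; at the same time ssh.nix, which these profiles now import, sets `PasswordAuthentication = false;` and `PermitRootLogin = "no";`. Unless ../base/user-group.nix (not in this diff) now carries the key for the deploy user, a rebuilt server accepts no SSH credential at all and the colmena switch to a non-root targetUser in this commit cannot log in. Worth adding the key to user-group.nix in the same commit, or saying in the commit message where it moved. Separately, `pkgs` is bound in server-aarch64.nix's argument set but never used, so `{lib, ...}: {` is enough.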
@@ -52,14 +49,4 @@
 # This is required for containers which are created with the `--restart=always` flag to work.
 enableOnBoot = true;
 };
-
- services.openssh = {
- enable = true;
- settings = {
- X11Forwarding = true;
- PermitRootLogin = "prohibit-password"; # disable root login with password
- PasswordAuthentication = false; # disable password login
- };
- openFirewall = true;
- };
 }
diff --git a/modules/nixos/server/server.nix b/modules/nixos/server/server.nix
index 90de4bc6..f3d25d78 100644
--- a/modules/nixos/server/server.nix
+++ b/modules/nixos/server/server.nix
@@ -2,7 +2,5 @@
 imports = [
 ../base
 ../../base.nix
-
- ./security.nix
 ];
 }
diff --git a/systems/colmena.nix b/systems/colmena.nix
index 85882496..beab1bf0 100644
--- a/systems/colmena.nix
+++ b/systems/colmena.nix
@@ -38,7 +38,7 @@ with allSystemAttrs; let
 inherit home-manager;
 inherit (nixos-rk3588.inputs) nixpkgs; # or nixpkgs-unstable
 specialArgs = rk3588_specialArgs;
- targetUser = "root";
+ targetUser = "ryan";
 };
 in {
 # colmena - remote deployment via SSH
diff --git a/systems/vars.nix b/systems/vars.nix
index c6baf070..13f0155f 100644
--- a/systems/vars.nix
+++ b/systems/vars.nix
@@ -245,7 +245,7 @@ in {
 _12kingdoms_suzu_modules = {
 nixos-modules = [
 ../hosts/12kingdoms_suzu
- ../modules/nixos/server/server-riscv64.nix
+ ../modules/nixos/server/server-aarch64.nix
 # cross-compilation this flake.
 {nixpkgs.crossSystem.config = "aarch64-unknown-linux-gnu";}
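Review bot: `targetUser = "ryan";` in the colmena.nix hunk makes colmena connect as an unprivileged user and escalate with sudo on the target, which only works if that user has password-less sudo and an authorized key on the rk3588 hosts; neither is established anywhere in this diff, so the first deploy after this change is likely to stall on a sudo prompt or be refused outright. This is consistent with ssh.nix now setting `PermitRootLogin = "no"` for the servers (the riscv64 hunk above drops the old `"prohibit-password"` block), but the dependency deserves a comment next to the assignment, e.g. `# non-root deploy user: needs NOPASSWD sudo on the target, since root SSH login is disabled in ../modules/nixos/base/ssh.nix`. The `let` this sits in begins before the hunk.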