diff --git a/flake.lock b/flake.lock index dd9a5a9..dc3b1ed 100644 --- a/flake.lock +++ b/flake.lock @@ -186,11 +186,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1766524813, - "narHash": "sha256-N/sxS27+t9nGvGWqwwAceSMW/Y5ddcypS/aiTnZ7ScA=", + "lastModified": 1767028240, + "narHash": "sha256-0/fLUqwJ4Z774muguUyn5t8AQ6wyxlNbHexpje+5hRo=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "c2b36207f2c396c79dbed9d40536db221bd4e363", + "rev": "c31afa6e76da9bbc7c9295e39c7de9fca1071ea1", "type": "github" }, "original": { @@ -285,11 +285,11 @@ }, "flake-compat_4": { "locked": { - "lastModified": 1746162366, - "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=", + "lastModified": 1761640442, + "narHash": "sha256-AtrEP6Jmdvrqiv4x2xa5mrtaIp3OEe8uBYCDZDS+hu8=", "owner": "nix-community", "repo": "flake-compat", - "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b", + "rev": "4a56054d8ffc173222d09dad23adf4ba946c8884", "type": "github" }, "original": { @@ -316,15 +316,15 @@ "flake-compat_6": { "flake": false, "locked": { - "lastModified": 1761588595, - "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", - "owner": "edolstra", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { - "owner": "edolstra", + "owner": "NixOS", "repo": "flake-compat", "type": "github" } @@ -550,11 +550,11 @@ ] }, "locked": { - "lastModified": 1766682973, - "narHash": "sha256-GKO35onS711ThCxwWcfuvbIBKXwriahGqs+WZuJ3v9E=", + "lastModified": 1767437240, + "narHash": "sha256-OA0dBHhccdupFXp+/eaFfb8K1dQxk61in4aF5ITGVX8=", "owner": "nix-community", "repo": "home-manager", - "rev": "91cdb0e2d574c64fae80d221f4bf09d5592e9ec2", + "rev": "1cfa305fba94468f665de1bd1b62dddf2e0cb012", "type": "github" }, "original": { 
@@ -583,11 +583,11 @@ "homebrew-cask": { "flake": false, "locked": { - "lastModified": 1766723306, - "narHash": "sha256-L0Y6MWn30uU1q2/aeijOg6j2rPnLTlEJg2Dw0e3R84A=", + "lastModified": 1767458043, + "narHash": "sha256-9wRKvEog4Ed3gCfxiDviXUlgH4l5iljc5B9I4yQU/RQ=", "owner": "homebrew", "repo": "homebrew-cask", - "rev": "fdd2bf75092e7ddfeac67415e9fc4cedd41855d9", + "rev": "d8970b9f4b6b72992b7e4e3c6a7047c403ade76a", "type": "github" }, "original": { @@ -599,11 +599,11 @@ "homebrew-core": { "flake": false, "locked": { - "lastModified": 1766724309, - "narHash": "sha256-LfqQoAdpIuOJQRrI9n9NCjp6zKdQh9yIU4sHaQWycD0=", + "lastModified": 1767452389, + "narHash": "sha256-ZVzK1Zd00XeUHbTLNOU3KQtCEbP20xfj0HdP8yN78CQ=", "owner": "homebrew", "repo": "homebrew-core", - "rev": "ad0f4af25123c68dd03dac10f179d3d68ef288ee", + "rev": "806bf4b26f47cdc6c2e53c5fbaf344d2a744f165", "type": "github" }, "original": { @@ -633,11 +633,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1766561058, - "narHash": "sha256-VFqsBWqFFBTBqKFw0fGw2a2mJjPP9HPW8nXEW2A5zJM=", + "lastModified": 1767082077, + "narHash": "sha256-2tL1mRb9uFJThUNfuDm/ehrnPvImL/QDtCxfn71IEz4=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "9d0abe57d633a6e08d72865a761891a8c81e740f", + "rev": "efd4b22e6fdc6d7fb4e186ae333a4b74e03da440", "type": "github" }, "original": { @@ -821,11 +821,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1766714990, - "narHash": "sha256-vrS4gICB41cq+/nTsp6uGVJ8RiaRGr7ywoeAA9E16cw=", + "lastModified": 1767405959, + "narHash": "sha256-K9P7J2W/deP9d1aZOlIvmK+sWCQrk6kcX3T21y3Marc=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "90d526878f7b905448c331b143f37065ed509381", + "rev": "c84c57fb183f7b2318187927d3a82641e6796933", "type": "github" }, "original": { 
@@ -889,11 +889,11 @@ "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1766064315, - "narHash": "sha256-aMoYLYIj+yYGhDKuSromj+VZYnMyN3lRRAZ+dk1IOiE=", + "lastModified": 1767441081, + "narHash": "sha256-Y4T5OR+R4QBFvRnMsZK7Bol4yk4TLuBo8l7KhrXoGjQ=", "owner": "nix-community", "repo": "nixos-apple-silicon", - "rev": "f94f4496775f9ca6e8a9e9e83f5aa4e4210fbb5d", + "rev": "612258d7a123a727b908fb9cdbbe49182ca9a2fe", "type": "github" }, "original": { @@ -947,11 +947,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1766568855, - "narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=", + "lastModified": 1767185284, + "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80", + "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe", "type": "github" }, "original": { @@ -1059,11 +1059,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1766622938, - "narHash": "sha256-Eovt/DOCYjFFBZuYbbG9j5jhklzxdNbUGVYYxh3lG3s=", + "lastModified": 1767325753, + "narHash": "sha256-yA/CuWyqm+AQo2ivGy6PlYrjZBQm7jfbe461+4HF2fo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5900a0a8850cbba98e16d5a7a6ed389402dfcf4f", + "rev": "64049ca74d63e971b627b5f3178d95642e61cedd", "type": "github" }, "original": { @@ -1075,11 +1075,11 @@ }, "nixpkgs_10": { "locked": { - "lastModified": 1762977756, - "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", + "lastModified": 1767116409, + "narHash": "sha256-5vKw92l1GyTnjoLzEagJy5V5mDFck72LiQWZSOnSicw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", + "rev": "cad22e7d996aea55ecab064e84834289143e44a0", "type": "github" }, "original": { 
@@ -1091,11 +1091,11 @@ }, "nixpkgs_11": { "locked": { - "lastModified": 1766651565, - "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", + "lastModified": 1767116409, + "narHash": "sha256-5vKw92l1GyTnjoLzEagJy5V5mDFck72LiQWZSOnSicw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", + "rev": "cad22e7d996aea55ecab064e84834289143e44a0", "type": "github" }, "original": { @@ -1107,11 +1107,11 @@ }, "nixpkgs_12": { "locked": { - "lastModified": 1766125104, - "narHash": "sha256-l/YGrEpLromL4viUo5GmFH3K5M1j0Mb9O+LiaeCPWEM=", + "lastModified": 1766840161, + "narHash": "sha256-Ss/LHpJJsng8vz1Pe33RSGIWUOcqM1fjrehjUkdrWio=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7d853e518814cca2a657b72eeba67ae20ebf7059", + "rev": "3edc4a30ed3903fdf6f90c837f961fa6b49582d1", "type": "github" }, "original": { @@ -1309,11 +1309,11 @@ ] }, "locked": { - "lastModified": 1765911976, - "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=", + "lastModified": 1767281941, + "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27", + "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa", "type": "github" }, "original": { @@ -1473,11 +1473,11 @@ "nixpkgs": "nixpkgs_12" }, "locked": { - "lastModified": 1766289575, - "narHash": "sha256-BOKCwOQQIP4p9z8DasT5r+qjri3x7sPCOq+FTjY8Z+o=", + "lastModified": 1766894905, + "narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "9836912e37aef546029e48c8749834735a6b9dad", + "rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7", "type": "github" }, "original": { 
@@ -1530,11 +1530,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1766603026, - "narHash": "sha256-J2DDdRqSU4w9NNgkMfmMeaLIof5PXtS9RG7y6ckDvQE=", + "lastModified": 1767397606, + "narHash": "sha256-QA1d/6XzxK3lsMiJ+xiJf340cpNeJs/xIM6D0/yLqs4=", "owner": "nix-community", "repo": "stylix", - "rev": "551df12ee3ebac52c5712058bd97fd9faa4c3430", + "rev": "6850ad2e9f3f7ff6116e9e6fb73a9cca2d9b1a35", "type": "github" }, "original": { @@ -1691,11 +1691,11 @@ ] }, "locked": { - "lastModified": 1766000401, - "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=", + "lastModified": 1767122417, + "narHash": "sha256-yOt/FTB7oSEKQH9EZMFMeuldK1HGpQs2eAzdS9hNS/o=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd", + "rev": "dec15f37015ac2e774c84d0952d57fcdf169b54d", "type": "github" }, "original": { diff --git a/modules/nixos/headless/default.nix b/modules/nixos/headless/default.nix new file mode 100644 index 0000000..994351a --- /dev/null +++ b/modules/nixos/headless/default.nix 
@@ -0,0 +1,55 @@
+{
+ config,
+ pkgs,
+ system,
+ lib,
+ namespace,
+ ...
+}:
+with lib;
+let
+ inherit (lib.${namespace}) mkOpt mkBoolOpt;
+ cfg = config.${namespace}.headless;
+ isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
+in
+{
+ options.${namespace}.boot.headless = {
+ enable = mkBoolOpt true "Enable headless stuff";
+ };
+
+ config = mkIf cfg.enable {
+ boot.initrd.systemd.suppressedUnits = lib.mkIf config.systemd.enableEmergencyMode [
+ "emergency.service"
+ "emergency.target"
+ ];
+ systemd = {
+ # Given that our systems are headless, emergency mode is useless.
+ We prefer the system to attempt to continue booting so
+ that we can hopefully still access it remotely.
+ enableEmergencyMode = false;
+
+ sleep.extraConfig = ''
+ AllowSuspend=no
+ AllowHibernation=no
+ '';
+
+ # For more detail, see:
+ https://0pointer.de/blog/projects/watchdog.html
+ settings.Manager = {
+ # systemd will send a signal to the hardware watchdog at half
+ the interval defined here, so every 7.5s.
+ # If the hardware watchdog does not get a signal for 15s,
+ it will forcefully reboot the system.
+ RuntimeWatchdogSec = lib.mkDefault "15s";
+ # Forcefully reboot if the final stage of the reboot
+ hangs without progress for more than 30s.
+ # For more info, see:
+ https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+ RebootWatchdogSec = lib.mkDefault "30s";
+ # Forcefully reboot when a host hangs after kexec.
+ This may be the case when the firmware does not support kexec.
+ KExecWatchdogSec = lib.mkDefault "1m";
+ };
+ };
+ };
+}
diff --git a/modules/nixos/network/default.nix b/modules/nixos/network/default.nix
index a835069..4623fac 100644
--- a/modules/nixos/network/default.nix
+++ b/modules/nixos/network/default.nix
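Review bot: `cfg` is bound to `config.${namespace}.headless`, but the only option this module declares is `options.${namespace}.boot.headless.enable`, so `mkIf cfg.enable` reads an attribute no option defines and evaluation should fail with a missing-attribute error; either bind `cfg = config.${namespace}.boot.headless;` or declare the option under `options.${namespace}.headless` (the module directory name suggests the latter). `pkgs`, `mkOpt` and `isArm` are bound but never used, and `mkIf` is used both bare (via `with lib;`) and as `lib.mkIf`. As rendered here, the continuation lines of several comments (`We prefer the system ...`, `the interval defined here ...`, `hangs without progress ...`) have no leading `#`; if that is how the file reads and not an artifact of this page, those lines are code and the module will not parse. The option defaults to `true`, so every host importing this module loses suspend/hibernate and emergency mode unless it opts out — worth stating in the option description or defaulting to `false` for non-headless hosts.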
@@ -56,6 +56,15 @@ in
 ];
 config = {
+ systemd = {
+ services = {
+ NetworkManager-wait-online.enable = false;
+ systemd-networkd.stopIfChanged = false;
+ systemd-resolved.stopIfChanged = false;
+ };
+ network.wait-online.enable = false;
+ };
+
 networking = {
 hostName = lib.mkForce cfg.hostName;
diff --git a/modules/nixos/network/options.nix b/modules/nixos/network/options.nix
index d2715bf..bbe55c5 100644
--- a/modules/nixos/network/options.nix
+++ b/modules/nixos/network/options.nix
@@ -24,7 +24,7 @@ in
 dns = mkOpt types.str "10.0.1.1" "IPv4 DNS server.";
 };
- useNetworkd = mkBoolOpt false "Whether to use systemd-networkd for networking.";
+ useNetworkd = mkBoolOpt true "Whether to use systemd-networkd for networking.";
 nat = {
 enable = mkBoolOpt false "Whether to enable NAT.";
diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix
index 3bc0dee..1345197 100644
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -251,15 +251,35 @@
 "flakes"
 ];
 trusted-users = [ "@wheel" ];
+
+ builders-use-substitutes = true;
+ connect-timeout = lib.mkDefault 5;
+ fallback = true;
+ log-lines = lib.mkDefault 25;
+
+ max-free = lib.mkDefault (3000 * 1024 * 1024);
+ min-free = lib.mkDefault (512 * 1024 * 1024);
 };
+ daemonCPUSchedPolicy = lib.mkDefault "idle";
+ daemonIOSchedClass = lib.mkDefault "idle";
+ daemonIOSchedPriority = lib.mkDefault 7;
+
 # Garbage collect automatically every week
- gc.automatic = lib.mkDefault true;
- gc.options = lib.mkDefault "--delete-older-than 30d";
+ gc = {
+ automatic = lib.mkDefault true;
+ options = lib.mkDefault "--delete-older-than 30d";
+ };
 optimise.automatic = lib.mkDefault true;
 };
+ systemd.services.nix-gc.serviceConfig = {
+ CPUSchedulingPolicy = "batch";
+ IOSchedulingClass = "idle";
+ IOSchedulingPriority = 7;
+ };
+
 nixpkgs = {
 config = {
 cudaSupport = lib.mkDefault config.${namespace}.hardware.nvidia.enable;
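Review bot: The new `systemd` block turns off `NetworkManager-wait-online`, `network.wait-online` and `stopIfChanged` for networkd and resolved unconditionally, with no comment saying why; a one-liner such as `# Restart (not stop/start) networkd and resolved on switch, and do not block boot on network-online.target` records the intent for the next reader. With both wait-online units disabled, anything ordered `After=network-online.target` starts without waiting for connectivity, so services that bind a specific address at boot may need their own retry; worth confirming nothing in this tree depends on it. The enclosing `config = {` set continues beyond the hunk.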
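Review bot: Flipping the default of `useNetworkd` to `true` moves every host that never set the option from NetworkManager to systemd-networkd on its next rebuild; `nuc-nixos` is switched explicitly in the same commit, but any other host under `systems/` that relied on the old default changes network stack silently. Stating the default in the description, `"Whether to use systemd-networkd for networking (default: true)."`, or noting the migration in the commit message would make that visible.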
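Review bot: `max-free` and `min-free` are bare arithmetic with no explanation of the policy they encode; a comment such as `# When free store space drops below 512 MiB, collect garbage until 3000 MiB are free` next to them records the intent. With `fallback = true` and `connect-timeout = 5`, a binary cache that is slow or unreachable for five seconds makes nix build the derivation locally, and that build runs under the daemon at `idle` CPU and IO scheduling, so on a loaded host a transient cache outage can turn into a very long local build — if that trade-off is intended it deserves a comment, otherwise consider a longer timeout. The `systemd.services.nix-gc.serviceConfig` override applies whether or not `gc.automatic` is true; harmless, but it reads more clearly placed next to the `gc` block.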
diff --git a/modules/nixos/security/common/default.nix b/modules/nixos/security/common/default.nix
index 3599c5b..a53d0f4 100644
--- a/modules/nixos/security/common/default.nix
+++ b/modules/nixos/security/common/default.nix
@@ -24,6 +24,7 @@ in
 sudo.enable = lib.mkForce false;
 sudo-rs = {
 enable = lib.mkForce true;
+ execWheelOnly = true;
 extraRules = [
 {
 commands = [
diff --git a/systems/x86_64-linux/nuc-nixos/default.nix b/systems/x86_64-linux/nuc-nixos/default.nix
index 8320401..694d432 100644
--- a/systems/x86_64-linux/nuc-nixos/default.nix
+++ b/systems/x86_64-linux/nuc-nixos/default.nix
@@ -41,7 +41,6 @@
 network = {
 hostName = "nuc-nixos";
- useNetworkd = false;
 ipv4 = {
 method = "manual";
 address = "10.0.1.4/24";
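Review bot: `execWheelOnly = true;` is set at plain priority while its sibling `enable = lib.mkForce true;` is forced, so a later `execWheelOnly = false;` elsewhere would either fail evaluation with conflicting definitions or, with `mkForce`, silently override this hardening; for consistency with the rest of the block use `execWheelOnly = lib.mkForce true;`. The setting only restricts who may execute the sudo binary — the `extraRules` list that follows (cut off by the hunk) still decides what wheel members can run, and `trusted-users = [ "@wheel" ]` in the nix hunk of this same commit already gives that group root-equivalent control over the nix daemon, so wheel membership is the real privilege boundary here. The enclosing `sudo-rs = {` set continues beyond the hunk.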