lock update

modules/nixos/headless/default.nix

@@ -0,0 +1,55 @@
+{
+  config,
+  pkgs,
+  system,
+  lib,
+  namespace,
+  ...
+}:
+with lib;
+let
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+  cfg = config.${namespace}.headless;
+  isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
+in
+{
+  options.${namespace}.boot.headless = {
+    enable = mkBoolOpt true "Enable headless stuff";
+  };
+
+  config = mkIf cfg.enable {
+    boot.initrd.systemd.suppressedUnits = lib.mkIf config.systemd.enableEmergencyMode [
+      "emergency.service"
+      "emergency.target"
+    ];
+    systemd = {
+      # Given that our systems are headless, emergency mode is useless.
+      # We prefer the system to attempt to continue booting so
+      # that we can hopefully still access it remotely.
+      enableEmergencyMode = false;
+
+      sleep.extraConfig = ''
+        AllowSuspend=no
+        AllowHibernation=no
+      '';
+
+      # For more detail, see:
+      #   https://0pointer.de/blog/projects/watchdog.html
+      settings.Manager = {
+        # systemd will send a signal to the hardware watchdog at half
+        # the interval defined here, so every 7.5s.
+        # If the hardware watchdog does not get a signal for 15s,
+        # it will forcefully reboot the system.
+        RuntimeWatchdogSec = lib.mkDefault "15s";
+        # Forcefully reboot if the final stage of the reboot
+        # hangs without progress for more than 30s.
+        # For more info, see:
+        #   https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+        RebootWatchdogSec = lib.mkDefault "30s";
+        # Forcefully reboot when a host hangs after kexec.
+        # This may be the case when the firmware does not support kexec.
+        KExecWatchdogSec = lib.mkDefault "1m";
+      };
+    };
+  };
+}

modules/nixos/network/default.nix

@@ -56,6 +56,15 @@ in
   ];
 
   config = {
+    systemd = {
+      services = {
+        NetworkManager-wait-online.enable = false;
+        systemd-networkd.stopIfChanged = false;
+        systemd-resolved.stopIfChanged = false;
+      };
+      network.wait-online.enable = false;
+    };
+
     networking = {
       hostName = lib.mkForce cfg.hostName;
 

modules/nixos/network/options.nix

@@ -24,7 +24,7 @@ in
       dns = mkOpt types.str "10.0.1.1" "IPv4 DNS server.";
     };
 
-    useNetworkd = mkBoolOpt false "Whether to use systemd-networkd for networking.";
+    useNetworkd = mkBoolOpt true "Whether to use systemd-networkd for networking.";
 
     nat = {
       enable = mkBoolOpt false "Whether to enable NAT.";

modules/nixos/nix/default.nix

@@ -251,15 +251,35 @@
         "flakes"
       ];
       trusted-users = [ "@wheel" ];
+
+      builders-use-substitutes = true;
+      connect-timeout = lib.mkDefault 5;
+      fallback = true;
+      log-lines = lib.mkDefault 25;
+    
+      max-free = lib.mkDefault (3000 * 1024 * 1024);
+      min-free = lib.mkDefault (512 * 1024 * 1024);
     };
 
+    daemonCPUSchedPolicy = lib.mkDefault "idle";
+    daemonIOSchedClass = lib.mkDefault "idle";
+    daemonIOSchedPriority = lib.mkDefault 7;
+
     # Garbage collect automatically every week
-    gc.automatic = lib.mkDefault true;
-    gc.options = lib.mkDefault "--delete-older-than 30d";
+    gc = {
+      automatic = lib.mkDefault true;
+      options = lib.mkDefault "--delete-older-than 30d";
+    };
 
     optimise.automatic = lib.mkDefault true;
   };
 
+  systemd.services.nix-gc.serviceConfig = {
+    CPUSchedulingPolicy = "batch";
+    IOSchedulingClass = "idle";
+    IOSchedulingPriority = 7;
+  };
+
   nixpkgs = {
     config = {
       cudaSupport = lib.mkDefault config.${namespace}.hardware.nvidia.enable;

modules/nixos/security/common/default.nix

@@ -24,6 +24,7 @@ in
     sudo.enable = lib.mkForce false;
     sudo-rs = {
       enable = lib.mkForce true;
+      execWheelOnly = true;
       extraRules = [
         {
           commands = [