From 048aa1cfc46e048aab6cb7f648e0ebe03a0326e7 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Wed, 4 Dec 2024 22:47:40 +0100
Subject: [PATCH] feat: srvOS things

---
 config/basic/net.nix | 11 +++-
 config/basic/nix.nix | 15 ++++++
 config/basic/system.nix | 3 ++
 flake.lock | 16 +++---
 hosts/elisabeth/default.nix | 58 ++++++++++++++++++++
 nix/devshell.nix | 9 ----
 patches/PR/339370.diff | 2 +-
 pkgs/scripts/build.sh | 53 ------------------
 pkgs/scripts/default.nix | 10 ----
 pkgs/scripts/deploy.sh | 105 ------------------------------------
 users/patrick/patrick.nix | 1 -
 11 files changed, 95 insertions(+), 188 deletions(-)
 delete mode 100644 pkgs/scripts/build.sh
 delete mode 100644 pkgs/scripts/deploy.sh

diff --git a/config/basic/net.nix b/config/basic/net.nix
index ec38ca7..0588783 100644
--- a/config/basic/net.nix
+++ b/config/basic/net.nix
@@ -16,8 +16,17 @@
 };
 systemd.network = {
 enable = true;
- wait-online.anyInterface = true;
+ wait-online.enable = false;
 };
+ systemd.services.NetworkManager-wait-online.enable = false;
+
+ # Do not take down the network for too long when upgrading,
+ # This also prevents failures of services that are restarted instead of stopped.
+ # It will use `systemctl restart` rather than stopping it with `systemctl stop`
+ # followed by a delayed `systemctl start`.
+ systemd.services.systemd-networkd.stopIfChanged = false;
+ # Services that are only restarted might be not able to resolve when resolved is stopped before
+ systemd.services.systemd-resolved.stopIfChanged = false;
 system.nssDatabases.hosts = lib.mkMerge [
 (lib.mkBefore [ "mdns_minimal [NOTFOUND=return]" ])
 (lib.mkAfter [ "mdns" ])
diff --git a/config/basic/nix.nix b/config/basic/nix.nix
index 2729536..110e855 100644
--- a/config/basic/nix.nix
+++ b/config/basic/nix.nix
@@ -1,6 +1,7 @@
 { inputs, stateVersion, ... }:
 {
 nix = {
+ channel.enable = false;
 settings = {
 auto-optimise-store = true;
 allowed-users = [ "@wheel" ];
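Review bot: With `wait-online.enable = false` and `NetworkManager-wait-online` disabled, nothing holds back `network-online.target` any more, so units ordered `After=network-online.target` (anything that binds a specific address or needs DNS at start) can come up before a link has an address; the new comment only explains the `stopIfChanged` half of the change. Either keep the removed `wait-online.anyInterface = true;` on hosts that run such services, or state the trade-off next to the change: `# network-online.target no longer waits for a link; services that need the network at start must retry or order on the concrete interface.` The attribute set this hunk edits starts before it, so I cannot see whether a replacement ordering exists elsewhere.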
@@ -29,9 +30,12 @@
 max-jobs = "auto";
 # make agenix rekey find the secrets even without trusted user
 extra-sandbox-paths = [ "/var/tmp/agenix-rekey?" ];
+ log-lines = 25;
 };
 daemonCPUSchedPolicy = "batch";
+ daemonIOSchedClass = "idle";
 daemonIOSchedPriority = 5;
+ distributedBuilds = true;
 extraOptions = ''
 builders-use-substitutes = true
 
@@ -60,4 +64,15 @@
 };
 programs.nix-ld.enable = true;
 system.stateVersion = stateVersion;
+
+ systemd.services.nix-gc.serviceConfig = {
+ CPUSchedulingPolicy = "batch";
+ IOSchedulingClass = "idle";
+ IOSchedulingPriority = 7;
+ };
+
+ # Make builds to be more likely killed than important services.
+ # 100 is the default for user slices and 500 is systemd-coredumpd@
+ # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+ systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
 }
diff --git a/config/basic/system.nix b/config/basic/system.nix
index d2db6ab..cb0ded1 100644
--- a/config/basic/system.nix
+++ b/config/basic/system.nix
@@ -63,11 +63,14 @@
 kitty.terminfo
 nvd
 unzip
+ bat
 # fix pcscd
 pcscliteWithPolkit.out
 wireguard-tools
 ];
 
+ environment.ldso32 = null;
+
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 
 secrets.secretFiles =
diff --git a/flake.lock b/flake.lock
index 8ffde9c..4455fea 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1334,11 +1334,11 @@
 "spectrum": "spectrum"
 },
 "locked": {
- "lastModified": 1733259424,
- "narHash": "sha256-4TYf+5OmJr76f8PH9+G34BuDI8o2dAwcTucmgnvR4kI=",
+ "lastModified": 1733265436,
+ "narHash": "sha256-zxBh56jKE6AXhiUoktY6cOHPUTyqXWbI/Pyh5sSC5B4=",
 "owner": "patrickdag",
 "repo": "microvm.nix",
- "rev": "68c4ab8d096b3b283e1f4e4695230885eab8efa1",
+ "rev": "799370e27eb8643e860a5df5cd168da72219a684",
 "type": "github"
 },
 "original": {
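Review bot: `daemonIOSchedClass = "idle"` turns the existing `daemonIOSchedPriority = 5` into a no-op, because the idle I/O class has no priority levels (only best-effort and realtime take a 0–7 value); either drop the priority line or use `daemonIOSchedClass = "best-effort"` if a priority is actually wanted. Separately, `distributedBuilds = true;` is switched on without any `buildMachines` in this hunk; if the builder list lives elsewhere, a short pointer such as `# builders are declared in <file>; every output they return is trusted as-is by the local daemon` would make the trust relationship visible here. The enclosing `nix = { ... }` set starts before this hunk.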
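Review bot: The new `nix-gc` unit sets `IOSchedulingPriority = 7` together with `IOSchedulingClass = "idle"`, and the priority is ignored under the idle class (only best-effort and realtime use it), so the line should go or the class should be `best-effort`. The `OOMScoreAdjust` comment says 100 is the default for user slices, but as far as I can tell 100 is what `user@.service` sets on itself and slices carry no oom_score_adj of their own; `# user@.service runs with OOMScoreAdjust=100, systemd-coredump@ with 500` would be more precise. The closing `}` in this hunk belongs to the top-level attribute set that starts before it.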
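Review bot: `environment.ldso32 = null;` lands in the shared basic config without a comment, so it applies to every host built from it, including the one that installs desktop packages in users/patrick/patrick.nix; as far as I can tell it only removes the 32-bit stub loader that prints a readable hint for i686 binaries, so the effect is cosmetic rather than a hardening step, and the line should say so. A one-liner such as `# Drop the 32-bit stub at /lib/ld-linux.so.2; i686 binaries now fail with ENOENT instead of the stub's hint` would spare the next reader the lookup. The package list this hunk edits starts before it.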
@@ -1641,13 +1641,13 @@
 "treefmt-nix": "treefmt-nix_3"
 },
 "locked": {
- "lastModified": 1733088671,
- "narHash": "sha256-glAsc7l4pnnVPiC5UbxJ7SnuvFzwchg755Qe7hrM4GY=",
+ "lastModified": 1733348187,
+ "narHash": "sha256-B0PMTlkWm5o+Fi1Z4XO35zbU2k9NUMDq3g02EbPbXm4=",
 "ref": "refs/heads/main",
- "rev": "ac55ccd2f5c3715d04a3909e3b5650b23a562884",
- "revCount": 18,
+ "rev": "803f8ba1f252220a4016b04a90862369d8e242f2",
+ "revCount": 21,
 "type": "git",
- "url": "https://forge.lel.lol/patrick/nixp-meta.git"
+ "url": "file:///home/patrick/repos/nixp-meta"
 },
 "original": {
 "type": "git",
diff --git a/hosts/elisabeth/default.nix b/hosts/elisabeth/default.nix
index 1e41cf9..35e5d93 100644
--- a/hosts/elisabeth/default.nix
+++ b/hosts/elisabeth/default.nix
@@ -27,4 +27,62 @@
 };
 };
 nixpkgs.hostPlatform = "x86_64-linux";
+
+ # Given that our systems are headless, emergency mode is useless.
+ # We prefer the system to attempt to continue booting so
+ # that we can hopefully still access it remotely.
+ boot.initrd.systemd.suppressedUnits = [
+ "emergency.service"
+ "emergency.target"
+ ];
+ environment = {
+ # Print the URL instead on servers
+ variables.BROWSER = "echo";
+ # Don't install the /lib/ld-linux.so.2 and /lib64/ld-linux-x86-64.so.2
+ # stubs. Server users should know what they are doing.
+ stub-ld.enable = false;
+ };
+ # Given that our systems are headless, emergency mode is useless.
+ # We prefer the system to attempt to continue booting so
+ # that we can hopefully still access it remotely.
+ systemd.enableEmergencyMode = false;
+
+ # Restrict the number of boot entries to prevent full /boot partition.
+ # Servers don't need too many generations.
+ boot.loader.systemd-boot.configurationLimit = 5;
+
+ documentation.nixos.enable = false;
+
+ # No need for fonts on a server
+ fonts.fontconfig.enable = false;
+
+ programs.command-not-found.enable = false;
+
+ # freedesktop xdg files
+ xdg.autostart.enable = false;
+ xdg.icons.enable = false;
+ xdg.menus.enable = false;
+ xdg.mime.enable = false;
+ xdg.sounds.enable = false;
+
+ systemd = {
+
+ # For more detail, see:
+ # https://0pointer.de/blog/projects/watchdog.html
+ watchdog = {
+ # systemd will send a signal to the hardware watchdog at half
+ # the interval defined here, so every 7.5s.
+ # If the hardware watchdog does not get a signal for 15s,
+ # it will forcefully reboot the system.
+ runtimeTime = "15s";
+ # Forcefully reboot if the final stage of the reboot
+ # hangs without progress for more than 30s.
+ # For more info, see:
+ # https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+ rebootTime = "30s";
+ # Forcefully reboot when a host hangs after kexec.
+ # This may be the case when the firmware does not support kexec.
+ kexecTime = "1m";
+ };
+ };
 }
diff --git a/nix/devshell.nix b/nix/devshell.nix
index b54bf6a..f5edf7f 100644
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -31,10 +31,6 @@
 nix-update
 ];
 commands = [
- {
- package = pkgs.scripts.deploy;
- help = "deploy nix configurations";
- }
 {
 package = pkgs.symlinkJoin {
 name = "locker";
@@ -43,11 +39,6 @@
 pkgs.scripts.lock
 ];
 };
- help = "build nix configurations";
- }
- {
- package = pkgs.scripts.build;
- help = "build nix configurations";
 }
 {
 package = pkgs.scripts.update;
diff --git a/patches/PR/339370.diff b/patches/PR/339370.diff
index 9f73602..17f8de6 100644
--- a/patches/PR/339370.diff
+++ b/patches/PR/339370.diff
@@ -238,7 +238,7 @@ index 42e1f738e470f..6ebea28bb187b 100644
 
 }:
 -buildDotnetModule rec {
-+buildDotnetModule {
++buildDotnetModule rec {
 pname = "beatsabermodmanager";
 - version = "0.0.5";
 + version = "0.0.7";
diff --git a/pkgs/scripts/build.sh b/pkgs/scripts/build.sh
deleted file mode 100644
index cd1b733..0000000
--- a/pkgs/scripts/build.sh
+++ /dev/null
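Review bot: The three-line "Given that our systems are headless…" comment is pasted twice in this hunk, above `boot.initrd.systemd.suppressedUnits` and again above `systemd.enableEmergencyMode = false`; keep it once and let the second site read `# Same rationale as the initrd suppression above, for the running system.` In the same spirit, `systemd.enableEmergencyMode = false;` could move into the `systemd = { ... }` set that opens later in the hunk so the systemd settings sit together. `boot.loader.systemd-boot.configurationLimit = 5` only takes effect if this host actually boots via systemd-boot, which the hunk does not show; with another loader the /boot comment would be misleading, so a note like `# host uses systemd-boot (see hardware config)` would pin that down. The closing `}` at the end of the hunk belongs to the attribute set that starts before it.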
@@ -1,53 +0,0 @@
-function die {
- echo "error: $*" >&2
- exit 1
-}
-function show_help() {
- echo ' Usage: build [OPTIONS] '
- echo 'Build the toplevel nixos configuration for hosts'
-}
-
-USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
-die "Could not determine current directory"
-
-cd "$USER_FLAKE_DIR"
-
-[[ $# -gt 0 ]] || {
- show_help
- exit 1
-}
-
-OPTIONS=()
-POSITIONAL_ARGS=()
-while [[ $# -gt 0 ]]; do
- case "$1" in
- "help" | "--help" | "-h")
- show_help
- exit 1
- ;;
- -*)
- OPTIONS+=("$1")
- ;;
- *)
- POSITIONAL_ARGS+=("$1")
- ;;
- esac
- shift
-done
-
-[[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
-die "Missing argument: "
-[[ ! ${#POSITIONAL_ARGS[@]} -gt 1 ]] ||
-die "Too many arguments"
-
-shopt -s lastpipe
-tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
-
-NIXOS_CONFIGS=()
-for host in "${HOSTS[@]}"; do
- NIXOS_CONFIGS+=(".#nixosConfigurations.$host.config.system.build.toplevel")
-done
-
-echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
-nom build --print-out-paths --no-link "${OPTIONS[@]}" "${NIXOS_CONFIGS[@]}" ||
-die "Failed building derivations"
diff --git a/pkgs/scripts/default.nix b/pkgs/scripts/default.nix
index 65bc0a3..0f48ac1 100644
--- a/pkgs/scripts/default.nix
+++ b/pkgs/scripts/default.nix
@@ -1,16 +1,6 @@
 _final: prev: {
 scripts = {
 clone-term = prev.callPackage ./clone-term.nix { };
- deploy = prev.writeShellApplication {
- name = "deploy";
- runtimeInputs = [ prev.nvd ];
- text = builtins.readFile ./deploy.sh;
- };
- build = prev.writeShellApplication {
- name = "build";
- runtimeInputs = [ prev.nix-output-monitor ];
- text = builtins.readFile ./build.sh;
- };
 unlock = prev.writeShellApplication {
 name = "unlock-builders";
 runtimeInputs = [ ];
diff --git a/pkgs/scripts/deploy.sh b/pkgs/scripts/deploy.sh
deleted file mode 100644
index 6dedf08..0000000
--- a/pkgs/scripts/deploy.sh
+++ /dev/null
@@ -1,105 +0,0 @@
-function die {
- echo "error: $*" >&2
- exit 1
-}
-function show_help() {
- echo ' Usage: deploy [OPTIONS] [ACTION]'
- echo ' Deploy a system as defined in the current flakes nixosSystem'
- echo ' If host is not given use the system name as host'
- echo ""
- echo 'ACTION:'
- echo ' switch [default] build, push and switch to the new configuration'
- echo ' boot switch on next boot'
- echo ' test switch to config but do not make it the boot default'
- echo ' dry-activate just show what an activation would do'
- echo ""
- echo 'OPTIONS:'
- echo ' --help show this help menu'
-}
-
-USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
-die "Could not determine current directory"
-
-cd "$USER_FLAKE_DIR"
-
-[[ $# -gt 0 ]] || {
- show_help
- exit 1
-}
-
-OPTIONS=()
-POSITIONAL_ARGS=()
-while [[ $# -gt 0 ]]; do
- case "$1" in
- "help" | "--help" | "-h")
- show_help
- exit 1
- ;;
- -*)
- OPTIONS+=("$1")
- ;;
- *)
- POSITIONAL_ARGS+=("$1")
- ;;
- esac
- shift
-done
-
-[[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
-die "Missing argument: "
-[[ ! ${#POSITIONAL_ARGS[@]} -gt 2 ]] ||
-die "Too many arguments"
-
-shopt -s lastpipe
-tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
-
-ACTION="${POSITIONAL_ARGS[1]-switch}"
-
-function main() {
- local system
- local host
- if [[ $1 == *"@"* ]]; then
- arr=()
- echo -n "$1" | readarray -d "@" -t arr
- system="${arr[0]}"
- host="root@${arr[1]}"
- else
- system=$1
- host=$system
- fi
- local config
- config=".#nixosConfigurations.$system.config.system.build.toplevel"
- local top_level
- exec > >(
- trap "" INT TERM
- sed "s/^/$system: /"
- )
- exec 2> >(
- trap "" INT TERM
- sed "s/^/$system: /" >&2
- )
- top_level=$(nix build --no-link --print-out-paths "${OPTIONS[@]}" "$config" || die "Failed building derivation for $system")
-
- echo -e "Copying toplevel for \033[0;32m$system\033[0m"
- nix copy --to "ssh://$host" "$top_level" ||
- die "Failed copying closure to $system"
-
- echo -e "Applying toplevel for \033[0;32m$system\033[0m"
- (
- prev_system=$(ssh "$host" -- readlink -e /nix/var/nix/profiles/system)
- ssh "$host" -- /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$top_level" ||
- die "Error registering toplevel $system"
- ssh "$host" -- "$top_level/bin/switch-to-configuration" "$ACTION" ||
- die "Error activating toplevel for $system"
- if [[ -n "$prev_system" ]]; then
- ssh "$host" -- nvd --color always diff "$prev_system" "$top_level"
- fi
- )
-}
-
-echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
-
-for host in "${HOSTS[@]}"; do
- main "$host" &
-done
-wait
diff --git a/users/patrick/patrick.nix b/users/patrick/patrick.nix
index badba34..1876d83 100644
--- a/users/patrick/patrick.nix
+++ b/users/patrick/patrick.nix
@@ -6,7 +6,6 @@
 hm.home = {
 packages = with pkgs; [
 bashInteractive
- beatsabermodmanager
 chatterino2
 chromium
 cmatrix