feat: srvOS things

2024-12-04 22:47:40 +01:00 · 2024-12-04 22:47:40 +01:00 · 048aa1cfc4
parent d3a3c21412
commit 048aa1cfc4
11 changed files with 95 additions and 188 deletions
--- a/config/basic/net.nix
+++ b/config/basic/net.nix
@ -16,8 +16,17 @@
  };
  systemd.network = {
    enable = true;
-    wait-online.anyInterface = true;
+    wait-online.enable = false;
  };
  systemd.services.NetworkManager-wait-online.enable = false;
  # Do not take down the network for too long when upgrading,
  # This also prevents failures of services that are restarted instead of stopped.
  # It will use `systemctl restart` rather than stopping it with `systemctl stop`
  # followed by a delayed `systemctl start`.
  systemd.services.systemd-networkd.stopIfChanged = false;
  # Services that are only restarted might be not able to resolve when resolved is stopped before
  systemd.services.systemd-resolved.stopIfChanged = false;
  system.nssDatabases.hosts = lib.mkMerge [
    (lib.mkBefore [ "mdns_minimal [NOTFOUND=return]" ])
    (lib.mkAfter [ "mdns" ])
--- a/config/basic/nix.nix
+++ b/config/basic/nix.nix
@ -1,6 +1,7 @@
 { inputs, stateVersion, ... }:
 {
  nix = {
    channel.enable = false;
    settings = {
      auto-optimise-store = true;
      allowed-users = [ "@wheel" ];
@ -29,9 +30,12 @@
      max-jobs = "auto";
      # make agenix rekey find the secrets even without trusted user
      extra-sandbox-paths = [ "/var/tmp/agenix-rekey?" ];
      log-lines = 25;
    };
    daemonCPUSchedPolicy = "batch";
    daemonIOSchedClass = "idle";
    daemonIOSchedPriority = 5;
    distributedBuilds = true;
    extraOptions = ''
      builders-use-substitutes = true
@ -60,4 +64,15 @@
  };
  programs.nix-ld.enable = true;
  system.stateVersion = stateVersion;
  systemd.services.nix-gc.serviceConfig = {
    CPUSchedulingPolicy = "batch";
    IOSchedulingClass = "idle";
    IOSchedulingPriority = 7;
  };
  # Make builds to be more likely killed than important services.
  # 100 is the default for user slices and 500 is systemd-coredumpd@
  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
 }
--- a/config/basic/system.nix
+++ b/config/basic/system.nix
@ -63,11 +63,14 @@
    kitty.terminfo
    nvd
    unzip
    bat
    # fix pcscd
    pcscliteWithPolkit.out
    wireguard-tools
  ];
  environment.ldso32 = null;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  secrets.secretFiles =
--- a/flake.lock
+++ b/flake.lock
@ -1334,11 +1334,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1733259424,
+        "lastModified": 1733265436,
-        "narHash": "sha256-4TYf+5OmJr76f8PH9+G34BuDI8o2dAwcTucmgnvR4kI=",
+        "narHash": "sha256-zxBh56jKE6AXhiUoktY6cOHPUTyqXWbI/Pyh5sSC5B4=",
        "owner": "patrickdag",
        "repo": "microvm.nix",
-        "rev": "68c4ab8d096b3b283e1f4e4695230885eab8efa1",
+        "rev": "799370e27eb8643e860a5df5cd168da72219a684",
        "type": "github"
      },
      "original": {
@ -1641,13 +1641,13 @@
        "treefmt-nix": "treefmt-nix_3"
      },
      "locked": {
-        "lastModified": 1733088671,
+        "lastModified": 1733348187,
-        "narHash": "sha256-glAsc7l4pnnVPiC5UbxJ7SnuvFzwchg755Qe7hrM4GY=",
+        "narHash": "sha256-B0PMTlkWm5o+Fi1Z4XO35zbU2k9NUMDq3g02EbPbXm4=",
        "ref": "refs/heads/main",
-        "rev": "ac55ccd2f5c3715d04a3909e3b5650b23a562884",
+        "rev": "803f8ba1f252220a4016b04a90862369d8e242f2",
-        "revCount": 18,
+        "revCount": 21,
        "type": "git",
-        "url": "https://forge.lel.lol/patrick/nixp-meta.git"
+        "url": "file:///home/patrick/repos/nixp-meta"
      },
      "original": {
        "type": "git",
--- a/hosts/elisabeth/default.nix
+++ b/hosts/elisabeth/default.nix
@ -27,4 +27,62 @@
    };
  };
  nixpkgs.hostPlatform = "x86_64-linux";
  # Given that our systems are headless, emergency mode is useless.
  # We prefer the system to attempt to continue booting so
  # that we can hopefully still access it remotely.
  boot.initrd.systemd.suppressedUnits = [
    "emergency.service"
    "emergency.target"
  ];
  environment = {
    # Print the URL instead on servers
    variables.BROWSER = "echo";
    # Don't install the /lib/ld-linux.so.2 and /lib64/ld-linux-x86-64.so.2
    # stubs. Server users should know what they are doing.
    stub-ld.enable = false;
  };
  # Given that our systems are headless, emergency mode is useless.
  # We prefer the system to attempt to continue booting so
  # that we can hopefully still access it remotely.
  systemd.enableEmergencyMode = false;
  # Restrict the number of boot entries to prevent full /boot partition.
  # Servers don't need too many generations.
  boot.loader.systemd-boot.configurationLimit = 5;
  documentation.nixos.enable = false;
  # No need for fonts on a server
  fonts.fontconfig.enable = false;
  programs.command-not-found.enable = false;
  # freedesktop xdg files
  xdg.autostart.enable = false;
  xdg.icons.enable = false;
  xdg.menus.enable = false;
  xdg.mime.enable = false;
  xdg.sounds.enable = false;
  systemd = {
    # For more detail, see:
    #   https://0pointer.de/blog/projects/watchdog.html
    watchdog = {
      # systemd will send a signal to the hardware watchdog at half
      # the interval defined here, so every 7.5s.
      # If the hardware watchdog does not get a signal for 15s,
      # it will forcefully reboot the system.
      runtimeTime = "15s";
      # Forcefully reboot if the final stage of the reboot
      # hangs without progress for more than 30s.
      # For more info, see:
      #   https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
      rebootTime = "30s";
      # Forcefully reboot when a host hangs after kexec.
      # This may be the case when the firmware does not support kexec.
      kexecTime = "1m";
    };
  };
 }
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@ -31,10 +31,6 @@
          nix-update
        ];
        commands = [
          {
            package = pkgs.scripts.deploy;
            help = "deploy nix configurations";
          }
          {
            package = pkgs.symlinkJoin {
              name = "locker";
@ -43,11 +39,6 @@
                pkgs.scripts.lock
              ];
            };
            help = "build nix configurations";
          }
          {
            package = pkgs.scripts.build;
            help = "build nix configurations";
          }
          {
            package = pkgs.scripts.update;
--- a/patches/PR/339370.diff
+++ b/patches/PR/339370.diff
@ -238,7 +238,7 @@ index 42e1f738e470f..6ebea28bb187b 100644
 }:
 -buildDotnetModule rec {
-+buildDotnetModule {
+buildDotnetModule rec  {
   pname = "beatsabermodmanager";
 -  version = "0.0.5";
 +  version = "0.0.7";
--- a/pkgs/scripts/build.sh
+++ b/pkgs/scripts/build.sh
@ -1,53 +0,0 @@
 function die {
  echo "error: $*" >&2
  exit 1
 }
 function show_help() {
  echo ' Usage: build [OPTIONS] <host,...>'
  echo 'Build the toplevel nixos configuration for hosts'
 }
 USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
 die "Could not determine current directory"
 cd "$USER_FLAKE_DIR"
 [[ $# -gt 0 ]] || {
  show_help
  exit 1
 }
 OPTIONS=()
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
  case "$1" in
    "help" | "--help" | "-h")
      show_help
      exit 1
      ;;
    -*)
      OPTIONS+=("$1")
      ;;
    *)
      POSITIONAL_ARGS+=("$1")
      ;;
  esac
  shift
 done
 [[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
 die "Missing argument: <hosts,...>"
 [[ ! ${#POSITIONAL_ARGS[@]} -gt 1 ]] ||
 die "Too many arguments"
 shopt -s lastpipe
 tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
 NIXOS_CONFIGS=()
 for host in "${HOSTS[@]}"; do
  NIXOS_CONFIGS+=(".#nixosConfigurations.$host.config.system.build.toplevel")
 done
 echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
 nom build --print-out-paths --no-link "${OPTIONS[@]}" "${NIXOS_CONFIGS[@]}" ||
 die "Failed building derivations"
--- a/pkgs/scripts/default.nix
+++ b/pkgs/scripts/default.nix
@ -1,16 +1,6 @@
 _final: prev: {
  scripts = {
    clone-term = prev.callPackage ./clone-term.nix { };
    deploy = prev.writeShellApplication {
      name = "deploy";
      runtimeInputs = [ prev.nvd ];
      text = builtins.readFile ./deploy.sh;
    };
    build = prev.writeShellApplication {
      name = "build";
      runtimeInputs = [ prev.nix-output-monitor ];
      text = builtins.readFile ./build.sh;
    };
    unlock = prev.writeShellApplication {
      name = "unlock-builders";
      runtimeInputs = [ ];
--- a/pkgs/scripts/deploy.sh
+++ b/pkgs/scripts/deploy.sh
@ -1,105 +0,0 @@
 function die {
  echo "error: $*" >&2
  exit 1
 }
 function show_help() {
  echo ' Usage: deploy [OPTIONS] <system[@host],...> [ACTION]'
  echo ' Deploy a system as defined in the current flakes nixosSystem'
  echo ' If host is not given use the system name as host'
  echo ""
  echo 'ACTION:'
  echo '  switch			[default] build, push and switch to the new configuration'
  echo '  boot			switch on next boot'
  echo '  test			switch to config but do not make it the boot default'
  echo '  dry-activate	just show what an activation would do'
  echo ""
  echo 'OPTIONS:'
  echo '  --help		show this help menu'
 }
 USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
 die "Could not determine current directory"
 cd "$USER_FLAKE_DIR"
 [[ $# -gt 0 ]] || {
  show_help
  exit 1
 }
 OPTIONS=()
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
  case "$1" in
    "help" | "--help" | "-h")
      show_help
      exit 1
      ;;
    -*)
      OPTIONS+=("$1")
      ;;
    *)
      POSITIONAL_ARGS+=("$1")
      ;;
  esac
  shift
 done
 [[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
 die "Missing argument: <hosts,...>"
 [[ ! ${#POSITIONAL_ARGS[@]} -gt 2 ]] ||
 die "Too many arguments"
 shopt -s lastpipe
 tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
 ACTION="${POSITIONAL_ARGS[1]-switch}"
 function main() {
  local system
  local host
  if [[ $1 == *"@"* ]]; then
    arr=()
    echo -n "$1" | readarray -d "@" -t arr
    system="${arr[0]}"
    host="root@${arr[1]}"
  else
    system=$1
    host=$system
  fi
  local config
  config=".#nixosConfigurations.$system.config.system.build.toplevel"
  local top_level
  exec > >(
    trap "" INT TERM
    sed "s/^/[0;32m$system:[0m /"
  )
  exec 2> >(
    trap "" INT TERM
    sed "s/^/[0;32m$system:[0m /" >&2
  )
  top_level=$(nix build --no-link --print-out-paths "${OPTIONS[@]}" "$config" || die "Failed building derivation for $system")
  echo -e "Copying toplevel for \033[0;32m$system\033[0m"
  nix copy --to "ssh://$host" "$top_level" ||
  die "Failed copying closure to $system"
  echo -e "Applying toplevel for \033[0;32m$system\033[0m"
  (
    prev_system=$(ssh "$host" -- readlink -e /nix/var/nix/profiles/system)
    ssh "$host" -- /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$top_level" ||
    die "Error registering toplevel $system"
    ssh "$host" -- "$top_level/bin/switch-to-configuration" "$ACTION" ||
    die "Error activating toplevel for $system"
    if [[ -n "$prev_system" ]]; then
      ssh "$host" -- nvd --color always diff "$prev_system" "$top_level"
    fi
  )
 }
 echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
 for host in "${HOSTS[@]}"; do
  main "$host" &
 done
 wait
--- a/users/patrick/patrick.nix
+++ b/users/patrick/patrick.nix
@ -6,7 +6,6 @@
  hm.home = {
    packages = with pkgs; [
      bashInteractive
      beatsabermodmanager
      chatterino2
      chromium
      cmatrix