feat: srvOS things

config/basic/net.nix

@@ -16,8 +16,17 @@
   };
   systemd.network = {
     enable = true;
-    wait-online.anyInterface = true;
+    wait-online.enable = false;
   };
+  systemd.services.NetworkManager-wait-online.enable = false;
+
+  # Do not take down the network for too long when upgrading,
+  # This also prevents failures of services that are restarted instead of stopped.
+  # It will use `systemctl restart` rather than stopping it with `systemctl stop`
+  # followed by a delayed `systemctl start`.
+  systemd.services.systemd-networkd.stopIfChanged = false;
+  # Services that are only restarted might be not able to resolve when resolved is stopped before
+  systemd.services.systemd-resolved.stopIfChanged = false;
   system.nssDatabases.hosts = lib.mkMerge [
     (lib.mkBefore [ "mdns_minimal [NOTFOUND=return]" ])
     (lib.mkAfter [ "mdns" ])

config/basic/nix.nix

@@ -1,6 +1,7 @@
 { inputs, stateVersion, ... }:
 {
   nix = {
+    channel.enable = false;
     settings = {
       auto-optimise-store = true;
       allowed-users = [ "@wheel" ];
@@ -29,9 +30,12 @@
       max-jobs = "auto";
       # make agenix rekey find the secrets even without trusted user
       extra-sandbox-paths = [ "/var/tmp/agenix-rekey?" ];
+      log-lines = 25;
     };
     daemonCPUSchedPolicy = "batch";
+    daemonIOSchedClass = "idle";
     daemonIOSchedPriority = 5;
+
     distributedBuilds = true;
     extraOptions = ''
       builders-use-substitutes = true
@@ -60,4 +64,15 @@
   };
   programs.nix-ld.enable = true;
   system.stateVersion = stateVersion;
+
+  systemd.services.nix-gc.serviceConfig = {
+    CPUSchedulingPolicy = "batch";
+    IOSchedulingClass = "idle";
+    IOSchedulingPriority = 7;
+  };
+
+  # Make builds to be more likely killed than important services.
+  # 100 is the default for user slices and 500 is systemd-coredumpd@
+  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
 }

config/basic/system.nix

@@ -63,11 +63,14 @@
     kitty.terminfo
     nvd
     unzip
+    bat
     # fix pcscd
     pcscliteWithPolkit.out
     wireguard-tools
   ];
 
+  environment.ldso32 = null;
+
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 
   secrets.secretFiles =

flake.lock

@@ -1334,11 +1334,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1733259424,
-        "narHash": "sha256-4TYf+5OmJr76f8PH9+G34BuDI8o2dAwcTucmgnvR4kI=",
+        "lastModified": 1733265436,
+        "narHash": "sha256-zxBh56jKE6AXhiUoktY6cOHPUTyqXWbI/Pyh5sSC5B4=",
         "owner": "patrickdag",
         "repo": "microvm.nix",
-        "rev": "68c4ab8d096b3b283e1f4e4695230885eab8efa1",
+        "rev": "799370e27eb8643e860a5df5cd168da72219a684",
         "type": "github"
       },
       "original": {
@@ -1641,13 +1641,13 @@
         "treefmt-nix": "treefmt-nix_3"
       },
       "locked": {
-        "lastModified": 1733088671,
-        "narHash": "sha256-glAsc7l4pnnVPiC5UbxJ7SnuvFzwchg755Qe7hrM4GY=",
+        "lastModified": 1733348187,
+        "narHash": "sha256-B0PMTlkWm5o+Fi1Z4XO35zbU2k9NUMDq3g02EbPbXm4=",
         "ref": "refs/heads/main",
-        "rev": "ac55ccd2f5c3715d04a3909e3b5650b23a562884",
-        "revCount": 18,
+        "rev": "803f8ba1f252220a4016b04a90862369d8e242f2",
+        "revCount": 21,
         "type": "git",
-        "url": "https://forge.lel.lol/patrick/nixp-meta.git"
+        "url": "file:///home/patrick/repos/nixp-meta"
       },
       "original": {
         "type": "git",

hosts/elisabeth/default.nix

@@ -27,4 +27,62 @@
     };
   };
   nixpkgs.hostPlatform = "x86_64-linux";
+
+  # Given that our systems are headless, emergency mode is useless.
+  # We prefer the system to attempt to continue booting so
+  # that we can hopefully still access it remotely.
+  boot.initrd.systemd.suppressedUnits = [
+    "emergency.service"
+    "emergency.target"
+  ];
+  environment = {
+    # Print the URL instead on servers
+    variables.BROWSER = "echo";
+    # Don't install the /lib/ld-linux.so.2 and /lib64/ld-linux-x86-64.so.2
+    # stubs. Server users should know what they are doing.
+    stub-ld.enable = false;
+  };
+  # Given that our systems are headless, emergency mode is useless.
+  # We prefer the system to attempt to continue booting so
+  # that we can hopefully still access it remotely.
+  systemd.enableEmergencyMode = false;
+
+  # Restrict the number of boot entries to prevent full /boot partition.
+  # Servers don't need too many generations.
+  boot.loader.systemd-boot.configurationLimit = 5;
+
+  documentation.nixos.enable = false;
+
+  # No need for fonts on a server
+  fonts.fontconfig.enable = false;
+
+  programs.command-not-found.enable = false;
+
+  # freedesktop xdg files
+  xdg.autostart.enable = false;
+  xdg.icons.enable = false;
+  xdg.menus.enable = false;
+  xdg.mime.enable = false;
+  xdg.sounds.enable = false;
+
+  systemd = {
+
+    # For more detail, see:
+    #   https://0pointer.de/blog/projects/watchdog.html
+    watchdog = {
+      # systemd will send a signal to the hardware watchdog at half
+      # the interval defined here, so every 7.5s.
+      # If the hardware watchdog does not get a signal for 15s,
+      # it will forcefully reboot the system.
+      runtimeTime = "15s";
+      # Forcefully reboot if the final stage of the reboot
+      # hangs without progress for more than 30s.
+      # For more info, see:
+      #   https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+      rebootTime = "30s";
+      # Forcefully reboot when a host hangs after kexec.
+      # This may be the case when the firmware does not support kexec.
+      kexecTime = "1m";
+    };
+  };
 }

nix/devshell.nix

@@ -31,10 +31,6 @@
           nix-update
         ];
         commands = [
-          {
-            package = pkgs.scripts.deploy;
-            help = "deploy nix configurations";
-          }
           {
             package = pkgs.symlinkJoin {
               name = "locker";
@@ -43,11 +39,6 @@
                 pkgs.scripts.lock
               ];
             };
-            help = "build nix configurations";
-          }
-          {
-            package = pkgs.scripts.build;
-            help = "build nix configurations";
           }
           {
             package = pkgs.scripts.update;

patches/PR/339370.diff

@@ -238,7 +238,7 @@ index 42e1f738e470f..6ebea28bb187b 100644
  }:
  
 -buildDotnetModule rec {
-+buildDotnetModule {
++buildDotnetModule rec  {
    pname = "beatsabermodmanager";
 -  version = "0.0.5";
 +  version = "0.0.7";

pkgs/scripts/build.sh

@@ -1,53 +0,0 @@
-function die {
-  echo "error: $*" >&2
-  exit 1
-}
-function show_help() {
-  echo ' Usage: build [OPTIONS] <host,...>'
-  echo 'Build the toplevel nixos configuration for hosts'
-}
-
-USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
-die "Could not determine current directory"
-
-cd "$USER_FLAKE_DIR"
-
-[[ $# -gt 0 ]] || {
-  show_help
-  exit 1
-}
-
-OPTIONS=()
-POSITIONAL_ARGS=()
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    "help" | "--help" | "-h")
-      show_help
-      exit 1
-      ;;
-    -*)
-      OPTIONS+=("$1")
-      ;;
-    *)
-      POSITIONAL_ARGS+=("$1")
-      ;;
-  esac
-  shift
-done
-
-[[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
-die "Missing argument: <hosts,...>"
-[[ ! ${#POSITIONAL_ARGS[@]} -gt 1 ]] ||
-die "Too many arguments"
-
-shopt -s lastpipe
-tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
-
-NIXOS_CONFIGS=()
-for host in "${HOSTS[@]}"; do
-  NIXOS_CONFIGS+=(".#nixosConfigurations.$host.config.system.build.toplevel")
-done
-
-echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
-nom build --print-out-paths --no-link "${OPTIONS[@]}" "${NIXOS_CONFIGS[@]}" ||
-die "Failed building derivations"

pkgs/scripts/default.nix

@@ -1,16 +1,6 @@
 _final: prev: {
   scripts = {
     clone-term = prev.callPackage ./clone-term.nix { };
-    deploy = prev.writeShellApplication {
-      name = "deploy";
-      runtimeInputs = [ prev.nvd ];
-      text = builtins.readFile ./deploy.sh;
-    };
-    build = prev.writeShellApplication {
-      name = "build";
-      runtimeInputs = [ prev.nix-output-monitor ];
-      text = builtins.readFile ./build.sh;
-    };
     unlock = prev.writeShellApplication {
       name = "unlock-builders";
       runtimeInputs = [ ];

pkgs/scripts/deploy.sh

@@ -1,105 +0,0 @@
-function die {
-  echo "error: $*" >&2
-  exit 1
-}
-function show_help() {
-  echo ' Usage: deploy [OPTIONS] <system[@host],...> [ACTION]'
-  echo ' Deploy a system as defined in the current flakes nixosSystem'
-  echo ' If host is not given use the system name as host'
-  echo ""
-  echo 'ACTION:'
-  echo '  switch			[default] build, push and switch to the new configuration'
-  echo '  boot			switch on next boot'
-  echo '  test			switch to config but do not make it the boot default'
-  echo '  dry-activate	just show what an activation would do'
-  echo ""
-  echo 'OPTIONS:'
-  echo '  --help		show this help menu'
-}
-
-USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
-die "Could not determine current directory"
-
-cd "$USER_FLAKE_DIR"
-
-[[ $# -gt 0 ]] || {
-  show_help
-  exit 1
-}
-
-OPTIONS=()
-POSITIONAL_ARGS=()
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    "help" | "--help" | "-h")
-      show_help
-      exit 1
-      ;;
-    -*)
-      OPTIONS+=("$1")
-      ;;
-    *)
-      POSITIONAL_ARGS+=("$1")
-      ;;
-  esac
-  shift
-done
-
-[[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
-die "Missing argument: <hosts,...>"
-[[ ! ${#POSITIONAL_ARGS[@]} -gt 2 ]] ||
-die "Too many arguments"
-
-shopt -s lastpipe
-tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
-
-ACTION="${POSITIONAL_ARGS[1]-switch}"
-
-function main() {
-  local system
-  local host
-  if [[ $1 == *"@"* ]]; then
-    arr=()
-    echo -n "$1" | readarray -d "@" -t arr
-    system="${arr[0]}"
-    host="root@${arr[1]}"
-  else
-    system=$1
-    host=$system
-  fi
-  local config
-  config=".#nixosConfigurations.$system.config.system.build.toplevel"
-  local top_level
-  exec > >(
-    trap "" INT TERM
-    sed "s/^/$system: /"
-  )
-  exec 2> >(
-    trap "" INT TERM
-    sed "s/^/$system: /" >&2
-  )
-  top_level=$(nix build --no-link --print-out-paths "${OPTIONS[@]}" "$config" || die "Failed building derivation for $system")
-
-  echo -e "Copying toplevel for \033[0;32m$system\033[0m"
-  nix copy --to "ssh://$host" "$top_level" ||
-  die "Failed copying closure to $system"
-
-  echo -e "Applying toplevel for \033[0;32m$system\033[0m"
-  (
-    prev_system=$(ssh "$host" -- readlink -e /nix/var/nix/profiles/system)
-    ssh "$host" -- /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$top_level" ||
-    die "Error registering toplevel $system"
-    ssh "$host" -- "$top_level/bin/switch-to-configuration" "$ACTION" ||
-    die "Error activating toplevel for $system"
-    if [[ -n "$prev_system" ]]; then
-      ssh "$host" -- nvd --color always diff "$prev_system" "$top_level"
-    fi
-  )
-}
-
-echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
-
-for host in "${HOSTS[@]}"; do
-  main "$host" &
-done
-wait

users/patrick/patrick.nix

@@ -6,7 +6,6 @@
   hm.home = {
     packages = with pkgs; [
       bashInteractive
-      beatsabermodmanager
       chatterino2
       chromium
       cmatrix