From 593c1fd617d785fc3ce4cc1ba227ac15e88f83fb Mon Sep 17 00:00:00 2001
From: cynicsketch <101476009+cynicsketch@users.noreply.github.com>
Date: Sun, 4 Aug 2024 19:33:31 -0400
Subject: [PATCH] Merge performance overrides in nix-mineral
---
 nix-mineral.nix | 73 +++++++++++++++++--
 nm-overrides/desktop/allow-multilib.nix | 16 ----
 .../desktop/allow-unprivileged-userns.nix | 16 ----
 nm-overrides/desktop/doas-sudo-wrapper.nix | 22 ------
 nm-overrides/performance/allow-smt.nix | 16 ----
 .../performance/iommu-passthrough.nix | 16 ----
 nm-overrides/performance/no-mitigations.nix | 16 ----
 nm-overrides/performance/no-pti.nix | 16 ----
 8 files changed, 66 insertions(+), 125 deletions(-)
 delete mode 100644 nm-overrides/desktop/allow-multilib.nix
 delete mode 100644 nm-overrides/desktop/allow-unprivileged-userns.nix
 delete mode 100644 nm-overrides/desktop/doas-sudo-wrapper.nix
 delete mode 100644 nm-overrides/performance/allow-smt.nix
 delete mode 100644 nm-overrides/performance/iommu-passthrough.nix
 delete mode 100644 nm-overrides/performance/no-mitigations.nix
 delete mode 100644 nm-overrides/performance/no-pti.nix
diff --git a/nix-mineral.nix b/nix-mineral.nix
index 9d6ff75..f4435d4 100755
--- a/nix-mineral.nix
+++ b/nix-mineral.nix
@@ -222,9 +222,51 @@ options.nix-mineral = {
 Reenable support for 32 bit applications.
 '';
 };
+ allow-unprivileged-userns = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Allow unprivileged userns.
+ '';
+ };
+ doas-sudo-wrapper = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable doas-sudo wrapper, with nano to utilize rnano as a "safe"
+ editor for editing as root.
+ '';
+ };
 };
 performance = {
-
+ allow-smt = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Reenable symmetric multithreading.
+ '';
+ };
+ iommu-passthrough = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable bypassing the IOMMU for direct memory access.
+ '';
+ };
+ no-mitigations = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable all CPU vulnerability mitigations.
+ '';
+ };
+ no-pti = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable page table isolation.
+ '';
+ };
 };
 security = {
@@ -273,9 +315,18 @@ config = l.mkMerge [
 boot.kernelParams = mkOverride 100 [ ("ia32_emulation=1") ];
 })
- ()
+ (mkIf config.nix-mineral.overrides.desktop.allow-unprivileged-userns.enable {
+ boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkForce "1";
+ })
- ()
+ (mkIf config.nix-mineral.overrides.desktop.doas-sudo-wrapper {
+ environment.systemPackages = (with pkgs; [
+ ((pkgs.writeScriptBin "sudo" ''exec doas "$@"''))
+ ((pkgs.writeScriptBin "sudoedit" ''exec doas rnano "$@"''))
+ ((pkgs.writeScriptBin "doasedit" ''exec doas rnano "$@"''))
+ nano
+ ]);
+ })
 ()
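Review bot: The four new performance option descriptions do not name the kernel parameter each toggle sets or the hardening it reverses, so someone reading the option docs cannot judge the tradeoff before enabling one; for `allow-smt` I would write `description = '' Reenable symmetric multithreading by booting with mitigations=auto in place of the hardened default; re-exposes the system to SMT-based side-channel leakage. '';` and likewise mention `iommu.passthrough=1`, `mitigations=off` and `pti=off` in the other three. Since `mitigations=off` already disables PTI and re-enables SMT, the `no-mitigations` text should also state that it subsumes `no-pti` and `allow-smt`. As a style point, the bool-with-`default = false` declarations could use `mkEnableOption`, matching nixpkgs convention. The enclosing `options.nix-mineral` attrset starts before this hunk, so I cannot confirm from here that these options live under the `overrides` level that the `config.nix-mineral.overrides.*` paths in the next hunk expect.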
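Review bot: The `mkIf` condition for the userns override reads `config.nix-mineral.overrides.desktop.allow-unprivileged-userns.enable`, but the option added in the first hunk is a plain `types.bool` with no `enable` field, and every other condition in this commit uses the option value directly; unless it is declared elsewhere as a submodule, this is an evaluation error as soon as the mkMerge is forced, whether or not the user set the option. Change it to `(mkIf config.nix-mineral.overrides.desktop.allow-unprivileged-userns {`. Separately, `pkgs.writeScriptBin` writes the body verbatim with no interpreter line, so the `sudo`, `sudoedit` and `doasedit` wrappers only run when the caller is a shell that falls back to interpreting shebang-less files; `pkgs.writeShellScriptBin` would give them a proper `#!` line. The `l.mkMerge` list this sits in begins before the hunk.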
@@ -297,13 +348,21 @@ config = l.mkMerge [
 # Performance
- ()
+ (mkIf config.nix-mineral.overrides.performance.allow-smt {
+ boot.kernelParams = mkOverride 100 [ ("mitigations=auto") ];
+ })
- ()
+ (mkIf config.nix-mineral.overrides.performance.iommu-passthrough {
+ boot.kernelParams = mkOverride 100 [ ("iommu.passthrough=1") ];
+ })
- ()
+ (mkIf config.nix-mineral.overrides.performance.no-mitigations {
+ boot.kernelParams = mkOverride 100 [ ("mitigations=off") ];
+ })
- ()
+ (mkIf config.nix-mineral.overrides.performance.no-pti {
+ boot.kernelParams = mkOverride 100 [ ("pti=off") ];
+ })
 # Security
diff --git a/nm-overrides/desktop/allow-multilib.nix b/nm-overrides/desktop/allow-multilib.nix
deleted file mode 100644
index 99919d0..0000000
--- a/nm-overrides/desktop/allow-multilib.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-({ config, lib, pkgs, ... }:
-
-with lib;
-{
- options.nm-overrides.desktop.allow-multilib.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Reenable support for 32 bit applications.
- '';
- };
-
- config = mkIf config.nm-overrides.desktop.allow-multilib.enable {
- boot.kernelParams = mkOverride 100 [ ("ia32_emulation=1") ];
- };
-})
\ No newline at end of file
diff --git a/nm-overrides/desktop/allow-unprivileged-userns.nix b/nm-overrides/desktop/allow-unprivileged-userns.nix
deleted file mode 100644
index de7fe4c..0000000
--- a/nm-overrides/desktop/allow-unprivileged-userns.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-({ config, lib, pkgs, ... }:
-
-with lib;
-{
- options.nm-overrides.desktop.allow-unprivileged-userns.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Allow unprivileged userns.
- '';
- };
-
- config = mkIf config.nm-overrides.desktop.allow-unprivileged-userns.enable {
- boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkForce "1";
- };
-})
\ No newline at end of file
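Review bot: `allow-smt` and `no-mitigations` both contribute a `mitigations=` entry to `boot.kernelParams` at the same `mkOverride 100` priority, so when both are enabled the command line carries `mitigations=auto` and `mitigations=off` and the kernel honours whichever the list merge places last; the effective mitigation state then depends on definition order rather than on what the user asked for. I would add next to these entries `assertions = [ { assertion = !(config.nix-mineral.overrides.performance.allow-smt && config.nix-mineral.overrides.performance.no-mitigations); message = "nix-mineral: allow-smt and no-mitigations both set mitigations=; enable only one"; } ];`. `mitigations=off` already implies `pti=off`, so `no-pti` is redundant whenever `no-mitigations` is set and a comment saying so would help. The hardened defaults these entries are meant to beat are defined outside the hunk (the `l.mkMerge` list starts before it), so I cannot see their priority; if they also sit at 100 the values are merged into one list and order again decides.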
diff --git a/nm-overrides/desktop/doas-sudo-wrapper.nix b/nm-overrides/desktop/doas-sudo-wrapper.nix
deleted file mode 100644
index 6016a84..0000000
--- a/nm-overrides/desktop/doas-sudo-wrapper.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-({ config, lib, pkgs, ... }:
-
-with lib;
-{
- options.nm-overrides.desktop.doas-sudo-wrapper.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enable doas-sudo wrapper, with nano to utilize rnano as a "safe"
- editor for editing as root.
- '';
- };
-
- config = mkIf config.nm-overrides.desktop.doas-sudo-wrapper.enable {
- environment.systemPackages = (with pkgs; [
- ((pkgs.writeScriptBin "sudo" ''exec doas "$@"''))
- ((pkgs.writeScriptBin "sudoedit" ''exec doas rnano "$@"''))
- ((pkgs.writeScriptBin "doasedit" ''exec doas rnano "$@"''))
- nano
- ]);
- };
-})
\ No newline at end of file
diff --git a/nm-overrides/performance/allow-smt.nix b/nm-overrides/performance/allow-smt.nix
deleted file mode 100644
index 3b836bd..0000000
--- a/nm-overrides/performance/allow-smt.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-({ config, lib, pkgs, ... }:
-
-with lib;
-{
- options.nm-overrides.performance.allow-smt.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Reenable symmetric multithreading.
- '';
- };
-
- config = mkIf config.nm-overrides.performance.allow-smt.enable {
- boot.kernelParams = mkOverride 100 [ ("mitigations=auto") ];
- };
-})
\ No newline at end of file
diff --git a/nm-overrides/performance/iommu-passthrough.nix b/nm-overrides/performance/iommu-passthrough.nix
deleted file mode 100644
index 9692b3a..0000000
--- a/nm-overrides/performance/iommu-passthrough.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-({ config, lib, pkgs, ... }:
-
-with lib;
-{
- options.nm-overrides.performance.iommu-passthrough.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enable bypassing the IOMMU for direct memory access.
- '';
- };
-
- config = mkIf config.nm-overrides.performance.iommu-passthrough.enable {
- boot.kernelParams = mkOverride 100 [ ("iommu.passthrough=1") ];
- };
-})
\ No newline at end of file
diff --git a/nm-overrides/performance/no-mitigations.nix b/nm-overrides/performance/no-mitigations.nix
deleted file mode 100644
index 0a8de67..0000000
--- a/nm-overrides/performance/no-mitigations.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-({ config, lib, pkgs, ... }:
-
-with lib;
-{
- options.nm-overrides.performance.no-mitigations.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Disable all CPU vulnerability mitigations.
- '';
- };
-
- config = mkIf config.nm-overrides.performance.no-mitigations.enable {
- boot.kernelParams = mkOverride 100 [ ("mitigations=off") ];
- };
-})
\ No newline at end of file
diff --git a/nm-overrides/performance/no-pti.nix b/nm-overrides/performance/no-pti.nix
deleted file mode 100644
index 3a5f124..0000000
--- a/nm-overrides/performance/no-pti.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-({ config, lib, pkgs, ... }:
-
-with lib;
-{
- options.nm-overrides.performance.no-pti.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Disable page table isolation.
- '';
- };
-
- config = mkIf config.nm-overrides.performance.no-pti.enable {
- boot.kernelParams = mkOverride 100 [ ("pti=off") ];
- };
-})
\ No newline at end of file