diff --git a/nixos/common/default.nix b/nixos/common/default.nix
index 261a48d2..505c64fb 100644
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@@ -1,8 +1,7 @@
 # A default configuration that applies to all servers. # Common configuration accross *all* the machines -{ config, lib, ... }: +{ config, options, lib, ... }: { - imports = [ ./flake.nix ./mdmonitor-fix.nix 
@@ -16,26 +15,33 @@ ./zfs.nix ]; - # Use systemd during boot as well on systems except: - # - systems that require networking in early-boot - # - systems with raids as this currently require manual configuration (https://github.com/NixOS/nixpkgs/issues/210210) - # - for containers we currently rely on the `stage-2` init script that sets up our /etc - boot.initrd.systemd.enable = lib.mkDefault ( - !(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then - config.boot.swraid.enable - else - config.boot.initrd.services.swraid.enable) && - !config.boot.isContainer && - !config.boot.growPartition - ); + config = { + # Use systemd during boot as well on systems except: + # - systems that require networking in early-boot + # - systems with raids as this currently require manual configuration (https://github.com/NixOS/nixpkgs/issues/210210) + # - for containers we currently rely on the `stage-2` init script that sets up our /etc + boot.initrd.systemd.enable = lib.mkDefault ( + !(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then + config.boot.swraid.enable + else + config.boot.initrd.services.swraid.enable) && + !config.boot.isContainer && + !config.boot.growPartition + ); + + # Work around for https://github.com/NixOS/nixpkgs/issues/124215 + documentation.info.enable = false; - # Work around for https://github.com/NixOS/nixpkgs/issues/124215 - documentation.info.enable = false; + # This is pulled in by the container profile, but it seems broken and causes + # unecessary rebuilds. + environment.noXlibs = false; - # This is pulled in by the container profile, but it seems broken and causes - # unecessary rebuilds. - environment.noXlibs = false; + # Ensure a clean & sparkling /tmp on fresh boots. + boot.tmp.cleanOnBoot = lib.mkDefault true; + } // lib.optionalAttrs (options.environment ? ldso32) { + # Don't install the /lib/ld-linux.so.2 stub. This saves one instance of + # nixpkgs. 
+ environment.ldso32 = null; + }; - # Ensure a clean & sparkling /tmp on fresh boots. - boot.tmp.cleanOnBoot = lib.mkDefault true; } diff --git a/nixos/server/default.nix b/nixos/server/default.nix index 155c42ca..75bca60f 100644 --- a/nixos/server/default.nix +++ b/nixos/server/default.nix 
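Review bot: The `//` that appends the `lib.optionalAttrs (options.environment ? ldso32)` block is a shallow attrset update, so on a release where `environment.ldso32` exists the right-hand side `environment = { ldso32 = null; }` replaces the whole `environment` attribute built on the left and `environment.noXlibs = false;` silently disappears. Let the module system merge the two pieces instead: `config = lib.mkMerge [ {`, `} (lib.optionalAttrs (options.environment ? ldso32) {` and `}) ];` in place of the three framing lines. The same shallow merge in the nixos/server/default.nix hunk drops `environment.systemPackages` and `environment.variables.BROWSER` whenever `environment.stub-ld` is defined. Separately, `environment.ldso32 = null;` is a hard assignment while the server file uses `lib.mkDefault` for its stub-loader setting; `environment.ldso32 = lib.mkDefault null;` keeps the two consistent and lets a host opt back in without `mkForce`.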
@@ -1,89 +1,95 @@ # A default configuration that applies to all servers. # Common configuration accross *all* the machines -{ pkgs, lib, ... }: +{ options, pkgs, lib, ... }: { imports = [ ../common ]; - # List packages installed in system profile. - environment.systemPackages = map lib.lowPrio [ - pkgs.curl - pkgs.dnsutils - pkgs.gitMinimal - pkgs.htop - pkgs.jq - pkgs.tmux - ]; - - # Notice this also disables --help for some commands such es nixos-rebuild - documentation.enable = lib.mkDefault false; - documentation.info.enable = lib.mkDefault false; - documentation.man.enable = lib.mkDefault false; - documentation.nixos.enable = lib.mkDefault false; - - # No need for fonts on a server - fonts.fontconfig.enable = lib.mkDefault false; - - programs.vim.defaultEditor = lib.mkDefault true; - - # Print the URL instead on servers - environment.variables.BROWSER = "echo"; - - # Make sure firewall is enabled - networking.firewall.enable = true; - - # Delegate the hostname setting to dhcp/cloud-init by default - networking.hostName = lib.mkDefault ""; - - # If the user is in @wheel they are trusted by default. - nix.settings.trusted-users = [ "root" "@wheel" ]; - - security.sudo.wheelNeedsPassword = false; - - # Enable SSH everywhere - services.openssh.enable = true; - - # No need for sound on a server - sound.enable = false; - - # UTC everywhere! - time.timeZone = lib.mkDefault "UTC"; - - # No mutable users by default - users.mutableUsers = false; - - systemd = { - # Given that our systems are headless, emergency mode is useless. - # We prefer the system to attempt to continue booting so - # that we can hopefully still access it remotely. - enableEmergencyMode = false; - - # For more detail, see: - # https://0pointer.de/blog/projects/watchdog.html - watchdog = { - # systemd will send a signal to the hardware watchdog at half - # the interval defined here, so every 10s. - # If the hardware watchdog does not get a signal for 20s, - # it will forcefully reboot the system. 
- runtimeTime = "20s"; - # Forcefully reboot if the final stage of the reboot - # hangs without progress for more than 30s. - # For more info, see: - # https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog - rebootTime = "30s"; + config = { + # List packages installed in system profile. + environment.systemPackages = map lib.lowPrio [ + pkgs.curl + pkgs.dnsutils + pkgs.gitMinimal + pkgs.htop + pkgs.jq + pkgs.tmux + ]; + + # Notice this also disables --help for some commands such es nixos-rebuild + documentation.enable = lib.mkDefault false; + documentation.info.enable = lib.mkDefault false; + documentation.man.enable = lib.mkDefault false; + documentation.nixos.enable = lib.mkDefault false; + + # No need for fonts on a server + fonts.fontconfig.enable = lib.mkDefault false; + + programs.vim.defaultEditor = lib.mkDefault true; + + # Print the URL instead on servers + environment.variables.BROWSER = "echo"; + + # Make sure firewall is enabled + networking.firewall.enable = true; + + # Delegate the hostname setting to dhcp/cloud-init by default + networking.hostName = lib.mkDefault ""; + + # If the user is in @wheel they are trusted by default. + nix.settings.trusted-users = [ "root" "@wheel" ]; + + security.sudo.wheelNeedsPassword = false; + + # Enable SSH everywhere + services.openssh.enable = true; + + # No need for sound on a server + sound.enable = false; + + # UTC everywhere! + time.timeZone = lib.mkDefault "UTC"; + + # No mutable users by default + users.mutableUsers = false; + + systemd = { + # Given that our systems are headless, emergency mode is useless. + # We prefer the system to attempt to continue booting so + # that we can hopefully still access it remotely. + enableEmergencyMode = false; + + # For more detail, see: + # https://0pointer.de/blog/projects/watchdog.html + watchdog = { + # systemd will send a signal to the hardware watchdog at half + # the interval defined here, so every 10s. 
+ # If the hardware watchdog does not get a signal for 20s, + # it will forcefully reboot the system. + runtimeTime = "20s"; + # Forcefully reboot if the final stage of the reboot + # hangs without progress for more than 30s. + # For more info, see: + # https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog + rebootTime = "30s"; + }; + + sleep.extraConfig = '' + AllowSuspend=no + AllowHibernation=no + ''; }; - sleep.extraConfig = '' - AllowSuspend=no - AllowHibernation=no - ''; - }; - - # use TCP BBR has significantly increased throughput and reduced latency for connections - boot.kernel.sysctl = { - "net.core.default_qdisc" = "fq"; - "net.ipv4.tcp_congestion_control" = "bbr"; + # use TCP BBR has significantly increased throughput and reduced latency for connections + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; + } // lib.optionalAttrs (options.environment ? stub-ld) { + # Don't install the /lib/ld-linux.so.2 and /lib64/ld-linux-x86-64.so.2 + # stubs. Server users should know what they are doing. + environment.stub-ld.enable = lib.mkDefault false; }; }
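Review bot: `security.sudo.wheelNeedsPassword = false;` and `nix.settings.trusted-users = [ "root" "@wheel" ];` are carried into the new `config` block as unconditional assignments, whereas most of their neighbours (documentation, fonts, hostName, timeZone) use `lib.mkDefault`, so a host that wants a stricter policy must `mkForce` these two. Since the block is being restructured anyway, `security.sudo.wheelNeedsPassword = lib.mkDefault false;` and `nix.settings.trusted-users = lib.mkDefault [ "root" "@wheel" ];` preserve today's behaviour while making per-host hardening a plain override. This matters most for trusted-users: it is a list option, so without the lower priority a host's own assignment merges with this one and `@wheel` stays trusted rather than being replaced.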