no stub: <insert TLC song> #383

Merged
merged 1 commit into from
Feb 15, 2024
48 changes: 27 additions & 21 deletions nixos/common/default.nix
@@ -1,8 +1,7 @@
# A default configuration that applies to all servers.
# Common configuration accross *all* the machines
{ config, lib, ... }:
{ config, options, lib, ... }:
{

imports = [
./flake.nix
./mdmonitor-fix.nix
Expand All @@ -16,26 +15,33 @@
./zfs.nix
];

# Use systemd during boot as well on systems except:
# - systems that require networking in early-boot
# - systems with raids as this currently require manual configuration (https://github.com/NixOS/nixpkgs/issues/210210)
# - for containers we currently rely on the `stage-2` init script that sets up our /etc
boot.initrd.systemd.enable = lib.mkDefault (
!(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then
config.boot.swraid.enable
else
config.boot.initrd.services.swraid.enable) &&
!config.boot.isContainer &&
!config.boot.growPartition
);
config = {
# Use systemd during boot as well on systems except:
# - systems that require networking in early-boot
# - systems with raids as this currently require manual configuration (https://github.com/NixOS/nixpkgs/issues/210210)
# - for containers we currently rely on the `stage-2` init script that sets up our /etc
boot.initrd.systemd.enable = lib.mkDefault (
!(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then
config.boot.swraid.enable
else
config.boot.initrd.services.swraid.enable) &&
!config.boot.isContainer &&
!config.boot.growPartition
);

# Work around for https://github.com/NixOS/nixpkgs/issues/124215
documentation.info.enable = false;

# Work around for https://github.com/NixOS/nixpkgs/issues/124215
documentation.info.enable = false;
# This is pulled in by the container profile, but it seems broken and causes
# unecessary rebuilds.
environment.noXlibs = false;

# This is pulled in by the container profile, but it seems broken and causes
# unecessary rebuilds.
environment.noXlibs = false;
# Ensure a clean & sparkling /tmp on fresh boots.
boot.tmp.cleanOnBoot = lib.mkDefault true;
} // lib.optionalAttrs (options.environment ? ldso32) {
# Don't install the /lib/ld-linux.so.2 stub. This saves one instance of
# nixpkgs.
environment.ldso32 = null;
};

# Ensure a clean & sparkling /tmp on fresh boots.
boot.tmp.cleanOnBoot = lib.mkDefault true;
}
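Review bot: The `//` on the new `} // lib.optionalAttrs (options.environment ? ldso32) {` line does a shallow attrset update, so when the option exists the right-hand `environment = { ldso32 = null; }` replaces the whole `environment` attribute of the left-hand set and the `environment.noXlibs = false;` definition above it is silently dropped. The same construction in nixos/server/default.nix (`// lib.optionalAttrs (options.environment ? stub-ld)`) would likewise discard `environment.systemPackages` and `environment.variables.BROWSER` whenever `environment.stub-ld` is declared. Use the module system's merge instead: `config = lib.mkMerge [ {` … `} (lib.optionalAttrs (options.environment ? ldso32) {` … `}) ];`, which keeps every `environment.*` definition (or `lib.recursiveUpdate` if a plain attrset is preferred).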
160 changes: 83 additions & 77 deletions nixos/server/default.nix
@@ -1,89 +1,95 @@
# A default configuration that applies to all servers.
# Common configuration accross *all* the machines
{ pkgs, lib, ... }:
{ options, pkgs, lib, ... }:
{

imports = [
../common
];

# List packages installed in system profile.
environment.systemPackages = map lib.lowPrio [
pkgs.curl
pkgs.dnsutils
pkgs.gitMinimal
pkgs.htop
pkgs.jq
pkgs.tmux
];

# Notice this also disables --help for some commands such es nixos-rebuild
documentation.enable = lib.mkDefault false;
documentation.info.enable = lib.mkDefault false;
documentation.man.enable = lib.mkDefault false;
documentation.nixos.enable = lib.mkDefault false;

# No need for fonts on a server
fonts.fontconfig.enable = lib.mkDefault false;

programs.vim.defaultEditor = lib.mkDefault true;

# Print the URL instead on servers
environment.variables.BROWSER = "echo";

# Make sure firewall is enabled
networking.firewall.enable = true;

# Delegate the hostname setting to dhcp/cloud-init by default
networking.hostName = lib.mkDefault "";

# If the user is in @wheel they are trusted by default.
nix.settings.trusted-users = [ "root" "@wheel" ];

security.sudo.wheelNeedsPassword = false;

# Enable SSH everywhere
services.openssh.enable = true;

# No need for sound on a server
sound.enable = false;

# UTC everywhere!
time.timeZone = lib.mkDefault "UTC";

# No mutable users by default
users.mutableUsers = false;

systemd = {
# Given that our systems are headless, emergency mode is useless.
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
enableEmergencyMode = false;

# For more detail, see:
# https://0pointer.de/blog/projects/watchdog.html
watchdog = {
# systemd will send a signal to the hardware watchdog at half
# the interval defined here, so every 10s.
# If the hardware watchdog does not get a signal for 20s,
# it will forcefully reboot the system.
runtimeTime = "20s";
# Forcefully reboot if the final stage of the reboot
# hangs without progress for more than 30s.
# For more info, see:
# https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
rebootTime = "30s";
config = {
# List packages installed in system profile.
environment.systemPackages = map lib.lowPrio [
Contributor


Since this change these packages aren't installed?

Member Author


I just checked and it looks like it's the case, but I'm unsure why.

pkgs.curl
pkgs.dnsutils
pkgs.gitMinimal
pkgs.htop
pkgs.jq
pkgs.tmux
];

# Notice this also disables --help for some commands such es nixos-rebuild
documentation.enable = lib.mkDefault false;
documentation.info.enable = lib.mkDefault false;
documentation.man.enable = lib.mkDefault false;
documentation.nixos.enable = lib.mkDefault false;

# No need for fonts on a server
fonts.fontconfig.enable = lib.mkDefault false;

programs.vim.defaultEditor = lib.mkDefault true;

# Print the URL instead on servers
environment.variables.BROWSER = "echo";

# Make sure firewall is enabled
networking.firewall.enable = true;

# Delegate the hostname setting to dhcp/cloud-init by default
networking.hostName = lib.mkDefault "";

# If the user is in @wheel they are trusted by default.
nix.settings.trusted-users = [ "root" "@wheel" ];

security.sudo.wheelNeedsPassword = false;

# Enable SSH everywhere
services.openssh.enable = true;

# No need for sound on a server
sound.enable = false;

# UTC everywhere!
time.timeZone = lib.mkDefault "UTC";

# No mutable users by default
users.mutableUsers = false;

systemd = {
# Given that our systems are headless, emergency mode is useless.
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
enableEmergencyMode = false;

# For more detail, see:
# https://0pointer.de/blog/projects/watchdog.html
watchdog = {
# systemd will send a signal to the hardware watchdog at half
# the interval defined here, so every 10s.
# If the hardware watchdog does not get a signal for 20s,
# it will forcefully reboot the system.
runtimeTime = "20s";
# Forcefully reboot if the final stage of the reboot
# hangs without progress for more than 30s.
# For more info, see:
# https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
rebootTime = "30s";
};

sleep.extraConfig = ''
AllowSuspend=no
AllowHibernation=no
'';
};

sleep.extraConfig = ''
AllowSuspend=no
AllowHibernation=no
'';
};

# use TCP BBR has significantly increased throughput and reduced latency for connections
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
# use TCP BBR has significantly increased throughput and reduced latency for connections
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
} // lib.optionalAttrs (options.environment ? stub-ld) {
# Don't install the /lib/ld-linux.so.2 and /lib64/ld-linux-x86-64.so.2
# stubs. Server users should know what they are doing.
environment.stub-ld.enable = lib.mkDefault false;
};
}