Personal-use NixOS configuration

Re-categorize some system modules that pertain to hardware

Also includes hardening for secureboot (splitting it from the systemd-boot
configuration), only enabling OOM management on certain hosts, no longer
enabling wifi on all laptops, and making NFS support optional

+44 -38
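--- a/hardware/laptop.nix
+++ b/hardware/laptop.nix
@@ -1,5 +1,3 @@
 {
-imports = [
-../modules/common/network/wifi.nix
-];
+# TODO: Power management, mostly
 }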
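--- /dev/null
+++ b/hardware/memory/oom.nix
@@ -0,0 +1,7 @@
+{
+boot.kernel.sysctl."kernel.sysrq" = 1;
+
+systemd.oomd = {
+enable = true;
+};
+}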
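Review bot: `boot.kernel.sysctl."kernel.sysrq" = 1` enables every magic-SysRq function, not only the OOM-kill key that this module's name suggests, so anyone with a local console can kill processes, dump kernel state or reboot the host, and it is broader than the NixOS default (16, sync only, I believe). The value is carried over from the old boot/common.nix rather than introduced here, but it now ships in a hardware/memory module where a reader will assume it is OOM-specific. If Alt+SysRq+F is the intent, the process-signalling bit alone is enough: `boot.kernel.sysctl."kernel.sysrq" = 64;` (or `80` to keep sync as well). A one-line comment naming the key this is meant to enable would also stop it being widened again later.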
hardware/xr1.nix hardware/peripherals/xr1.nix
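--- a/hosts/decryption/default.nix
+++ b/hosts/decryption/default.nix
@@ -12,10 +12,13 @@
 ./disks.nix
 (flakeRoot + /hardware/cpu/amd.nix)
 (flakeRoot + /hardware/gpu/nvidia.nix)
+(flakeRoot + /hardware/memory/oom.nix)
+(flakeRoot + /hardware/audio/pipewire.nix)
+(flakeRoot + /hardware/network/wifi.nix)
+(flakeRoot + /hardware/network/bluetooth.nix)
 
 (flakeRoot + /modules/common)
 (flakeRoot + /modules/common/boot/secureboot.nix)
-(flakeRoot + /modules/common/system/audio.nix)
 
 (flakeRoot + /modules/desktop/environments/gnome.nix)
 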
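--- a/hosts/encryption/default.nix
+++ b/hosts/encryption/default.nix
@@ -12,15 +12,16 @@
 ./hardware-configuration.nix
 (flakeRoot + /hardware/cpu/amd.nix)
 (flakeRoot + /hardware/gpu/amd.nix)
-(flakeRoot + /hardware/xr1.nix)
+(flakeRoot + /hardware/audio/pipewire.nix)
+(flakeRoot + /hardware/audio/noise-cancellation.nix)
+(flakeRoot + /hardware/peripherals/xr1.nix)
 
 (flakeRoot + /modules/common)
 (flakeRoot + /modules/common/boot/secureboot.nix)
-(flakeRoot + /modules/common/system/audio.nix)
 (flakeRoot + /modules/common/virtualization.nix)
 
+(flakeRoot + /modules/desktop)
 (flakeRoot + /modules/desktop/environments/gnome.nix)
-(flakeRoot + /modules/desktop/system/noise-cancellation.nix)
 
 ./users
 ];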
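--- a/hosts/index/config/nfs.nix
+++ b/hosts/index/config/nfs.nix
@@ -2,7 +2,7 @@
 
 {
 imports = [
-(flakeRoot + /modules/server/nfs.nix)
+(flakeRoot + /modules/server/filesystem/nfs.nix)
 ];
 
 services.nfs.server = {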
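--- a/hosts/index/config/zfs.nix
+++ b/hosts/index/config/zfs.nix
@@ -2,7 +2,7 @@
 
 {
 imports = [
-(flakeRoot + /modules/server/zfs.nix)
+(flakeRoot + /modules/server/filesystem/zfs.nix)
 ];
 
 networking.hostId = "c864ff4e";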
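--- a/hosts/prospect/default.nix
+++ b/hosts/prospect/default.nix
@@ -12,11 +12,12 @@
 ./disks.nix
 (flakeRoot + /hardware/cpu/amd.nix)
 (flakeRoot + /hardware/gpu/amd.nix)
+(flakeRoot + /hardware/audio/pipewire.nix)
+(flakeRoot + /hardware/network/bluetooth.nix)
+(flakeRoot + /hardware/peripherals/rgb.nix)
 
 (flakeRoot + /modules/common)
 (flakeRoot + /modules/common/boot/systemd-boot.nix)
-(flakeRoot + /modules/common/system/audio.nix)
-(flakeRoot + /modules/common/system/rgb.nix)
 
 (flakeRoot + /modules/desktop/environments/gnome.nix)
 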
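--- a/modules/common/boot/common.nix
+++ b/modules/common/boot/common.nix
@@ -1,7 +1,7 @@
 {
-boot = {
-kernelParams = [ "boot.shell_on_fail" ];
+boot.loader.systemd-boot = {
+editor = false;
 
-kernel.sysctl."kernel.sysrq" = 1;
+configurationLimit = 6;
 };
 }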
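Review bot: `editor = false` is the one setting in this file that matters for console security, and it is undocumented: with the editor on, anyone at the boot menu can append `init=/bin/sh` to the kernel command line. Since common.nix is now the module shared by both the systemd-boot and the secureboot hosts, a comment here is the right place for that rationale, e.g. `# editor = false: refuse kernel command-line edits at the boot menu (init=/bin/sh etc.) from anyone at the console`. A similar one-liner on `configurationLimit = 6` (bounds how many older generations, with their older kernels, stay bootable) would make the intent clear.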
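--- a/modules/common/boot/secureboot.nix
+++ b/modules/common/boot/secureboot.nix
@@ -10,16 +10,19 @@
 
 {
 imports = [
-./systemd-boot.nix
 lanzaboote.nixosModules.lanzaboote
+
+./common.nix
 ];
 
-boot.loader.systemd-boot.enable = lib.mkForce false;
+boot = {
+loader.systemd-boot.enable = lib.mkForce false;
 
-boot.lanzaboote = {
-enable = true;
+lanzaboote = {
+enable = true;
 
-pkiBundle = "/var/lib/sbctl";
+pkiBundle = "/var/lib/sbctl";
+};
 };
 
 environment.systemPackages = with pkgs; [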
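Review bot: Swapping the `./systemd-boot.nix` import for `./common.nix` is the actual "hardening for secureboot" this commit advertises, but nothing in the file says so, and a future cleanup could easily put systemd-boot.nix back. The reason is that systemd-boot.nix now carries `boot.shell_on_fail`, which drops to a root shell in the initrd when stage 1 fails; a comment above the imports such as `# Import common.nix directly, not systemd-boot.nix: that module adds boot.shell_on_fail (root initrd shell on failure), which would undercut Secure Boot.` would preserve that. Separately, the `editor = false` that common.nix now contributes is a `boot.loader.systemd-boot` option while this module force-disables the systemd-boot module; I believe lanzaboote reads those options for its own loader config, but it is worth confirming on a secureboot host that the menu editor really is off. The attrset continues past the hunk.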
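--- a/modules/common/boot/systemd-boot.nix
+++ b/modules/common/boot/systemd-boot.nix
@@ -3,12 +3,9 @@
 ./common.nix
 ];
 
-boot.loader.systemd-boot = {
-enable = true;
+boot = {
+kernelParams = [ "boot.shell_on_fail" ];
 
-editor = false;
-configurationLimit = 6;
+loader.systemd-boot.enable = true;
 };
-
-boot.loader.timeout = 0;
 }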
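Review bot: `boot.loader.timeout = 0` is removed here and not moved to common.nix or anywhere else in the commit, so non-Secure-Boot hosts such as prospect fall back to the NixOS default timeout and will show the boot menu on every boot; the description does not mention this. If it is intentional, a note in the message or a comment like `# timeout left at the default so older generations stay selectable from the menu` would keep the next reader from re-adding it. `boot.shell_on_fail` also deserves a comment now that this file is what distinguishes the hosts that accept it: `# boot.shell_on_fail: drop to a root shell in the initrd if stage 1 fails; only acceptable on hosts without Secure Boot`.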
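--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -1,7 +1,5 @@
 {
 imports = [
-./nfs.nix
-
 ./locale/en_US.nix
 
 ./network/firewall.nix
@@ -9,7 +7,6 @@
 
 ./system/coreutils.nix
 ./system/firmware.nix
-./system/memory.nix
 ./system/sudo.nix
 
 ./home-manager.nix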
modules/common/network/bluetooth.nix hardware/network/bluetooth.nix
modules/common/network/wifi.nix hardware/network/wifi.nix
modules/common/nfs.nix modules/common/filesystem/nfs.nix
modules/common/system/audio.nix hardware/audio/pipewire.nix
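--- a/modules/common/system/memory.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-systemd.oomd = {
-enable = true;
-};
-}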
modules/common/system/rgb.nix hardware/peripherals/rgb.nix
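--- /dev/null
+++ b/modules/desktop/default.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+../common/filesystem/nfs.nix
+];
+}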
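Review bot: The only import here is `../common/filesystem/nfs.nix`, while the new `modules/desktop/filesystem/nfs.nix` this same commit creates (setting `boot.supportedFilesystems = [ "nfs" ]`) is imported by nothing in the diff, so it looks like either a stray file or a path slip; `./filesystem/nfs.nix` may be what was meant, unless a file outside this diff imports it. The contents of the renamed common module are not visible here, so I cannot tell whether the two overlap or are both needed. Also note that only hosts/encryption imports modules/desktop, so decryption and prospect (both GNOME desktops) lose the NFS support modules/common used to give every host — consistent with "making NFS support optional", but worth a line in the message.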
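--- /dev/null
+++ b/modules/desktop/filesystem/nfs.nix
@@ -0,0 +1,3 @@
+{
+boot.supportedFilesystems = [ "nfs" ];
+}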
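--- a/modules/desktop/system/noise-cancellation.nix
+++ b/hardware/audio/noise-cancellation.nix
@@ -2,7 +2,7 @@
 
 {
 imports = [
-../../common/system/audio.nix
+./pipewire.nix
 ];
 
 services.pipewire.extraConfig.pipewire."99-deepfilter-mono-source" = {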
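--- a/modules/server/nfs.nix
+++ b/modules/server/filesystem/nfs.nix
@@ -9,10 +9,6 @@
 ];
 in
 {
-imports = [
-../common/nfs.nix
-];
-
 services.rpcbind.enable = true;
 
 services.nfs.server = {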
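Review bot: Dropping the `imports = [ ../common/nfs.nix ];` block means the server module no longer inherits whatever the renamed common NFS module provides, and that module's contents are not in this diff. If it was supplying `boot.supportedFilesystems = [ "nfs" ]` or client tooling that the hosts/index setup relied on, check that `services.nfs.server` alone still brings in the nfsd kernel module and utilities there; if the removal is deliberate because the server no longer needs the client side, a short comment saying so would help. The `let`/attrset that encloses this hunk starts outside it.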
modules/server/zfs.nix modules/server/filesystem/zfs.nix