From 2fea36c19eb904125e2db5ba230b28d72dc881db Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Fri, 12 Sep 2025 13:11:20 -0700
Subject: start to refactor nixos modules
---
 flake/hosts.nix | 1 +
 machines/nixos/x86_64-linux/do-rproxy/default.nix | 1 -
 .../nixos/x86_64-linux/synology-vm/default.nix | 1 -
 modules/nixos/base.nix | 65 +++++++++++++++++++
 modules/nixos/cgroups.nix | 75 ++++++++++++++++++++++
 modules/nixos/default.nix | 8 +++
 modules/nixos/ssh.nix | 21 ++++++
 profiles/core/base-server.nix | 14 ----
 profiles/core/boot.nix | 11 ----
 profiles/core/cgroups.nix | 75 ----------------------
 profiles/core/docs.nix | 5 --
 profiles/core/locale.nix | 11 ----
 profiles/core/motd.nix | 9 ---
 profiles/core/security.nix | 4 --
 profiles/core/ssh.nix | 21 ------
 profiles/core/tools.nix | 20 ------
 profiles/core/users.nix | 8 ---
 17 files changed, 170 insertions(+), 180 deletions(-)
 create mode 100644 modules/nixos/base.nix
 create mode 100644 modules/nixos/cgroups.nix
 create mode 100644 modules/nixos/default.nix
 create mode 100644 modules/nixos/ssh.nix
 delete mode 100644 profiles/core/base-server.nix
 delete mode 100644 profiles/core/boot.nix
 delete mode 100644 profiles/core/cgroups.nix
 delete mode 100644 profiles/core/docs.nix
 delete mode 100644 profiles/core/locale.nix
 delete mode 100644 profiles/core/motd.nix
 delete mode 100644 profiles/core/security.nix
 delete mode 100644 profiles/core/ssh.nix
 delete mode 100644 profiles/core/tools.nix
 delete mode 100644 profiles/core/users.nix
diff --git a/flake/hosts.nix b/flake/hosts.nix
index c194440..fe23cdd 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -59,6 +59,7 @@ let
 inputs.disko.nixosModules.disko
 inputs.home-manager.nixosModules.home-manager
 "${self}/modules/common"
+ "${self}/modules/nixos"
 "${self}/modules/nas-client.nix"
 "${self}/modules/backups.nix"
 ];
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index e187bd2..fe8e367 100644
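Review bot: Every host that consumes this shared module list now receives modules/nixos/base.nix, whereas the diffstat shows only do-rproxy and synology-vm imported profiles/core/base-server.nix before. base.nix carries the root `authorizedKeys` entry, `security.sudo.wheelNeedsPassword = false` and `users.mutableUsers = false`, so any other host built from this list picks up root key login and passwordless wheel sudo it did not previously have. If that widening is intended, a one-line comment on the new entry such as `# baseline for all hosts: root admin key, key-only sshd, cgroup priorities` would record the decision; if not, importing the module from the two machine files keeps the previous scope. The `let` binding this list belongs to starts and ends outside the hunk, so which hosts actually consume it is not visible here.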
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -25,7 +25,6 @@
 "${self}/profiles/programs/home-manager.nix"
 "${self}/profiles/admin-user/user.nix"
 "${self}/profiles/admin-user/home-manager.nix"
- "${self}/profiles/core/base-server.nix"
 "${self}/profiles/nix/nix.nix"
 "${self}/profiles/nix/gc.nix"
 "${self}/profiles/network/networkd.nix"
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index 9316432..dbf7bf9 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -21,7 +21,6 @@
 "${self}/profiles/programs/home-manager.nix"
 "${self}/profiles/admin-user/user.nix"
 "${self}/profiles/admin-user/home-manager.nix"
- "${self}/profiles/core/base-server.nix"
 "${self}/profiles/nix/nix.nix"
 "${self}/profiles/nix/gc.nix"
 "${self}/profiles/network/networkd.nix"
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
new file mode 100644
index 0000000..f3dece1
--- /dev/null
+++ b/modules/nixos/base.nix
@@ -0,0 +1,65 @@
+{
+ self,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernel.sysctl = {
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.ipv4.tcp_ecn" = 1;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ };
+ };
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ users.motdFile = "/etc/motd";
+
+ environment.etc.motd.text = ''
+ Machine ${config.networking.hostName}
+ NixOS ${config.system.nixos.release}
+ @ ${self.shortRev or self.dirtyShortRev}
+ '';
+
+ ## disable that slow "building man-cache" step
+ documentation.man.generateCaches = lib.mkForce false;
+
+ users = {
+ mutableUsers = false;
+ users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ curl
+ dysk
+ fd
+ fish
+ git
+ htop
+ jq
+ mtr
+ pciutils
+ powertop
+ ripgrep
+ tcpdump
+ traceroute
+ vim
+ wireguard-tools
+ ];
+}
diff --git a/modules/nixos/cgroups.nix b/modules/nixos/cgroups.nix
new file mode 100644
index 0000000..07dc964
--- /dev/null
+++ b/modules/nixos/cgroups.nix
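Review bot: The root `authorizedKeys` entry under `users` and the `security.sudo.wheelNeedsPassword = false` line carry no comment saying whose key this is or why root key login and passwordless wheel sudo are the baseline, and the file has no header saying what "base" is meant to cover now that seven profile files were folded into it. A header such as `# Baseline for every NixOS host: kernel/sysctl, locale, motd, admin root key, passwordless wheel sudo, core tools.` and `# <owner> admin key; root login is key-only via ssh.nix (PermitRootLogin prohibit-password)` on the key line would close that gap. Unlike ssh.nix in this same commit, which marks overridable values with `lib.mkDefault`, these are plain assignments, so a host that wants stricter sudo gets a definition conflict rather than a quiet override; stating which behaviour is intended would help whoever adds the next host.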
@@ -0,0 +1,75 @@
+# Stolen from https://git.lix.systems/the-distro/infra/src/branch/main/common/cgroups.nix
+# Relatively inspired by fbtax2:
+# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
+{ ... }:
+let
+ systemCriticalSliceConfig = {
+ ManagedOOMMemoryPressure = "kill";
+
+ # guarantee availability of memory
+ MemoryMin = "192M";
+ # default 100
+ IOWeight = 1000;
+ # default 100
+ CPUWeight = 1000;
+ };
+in
+{
+ systemd.oomd = {
+ enable = true;
+ enableRootSlice = true;
+ enableSystemSlice = true;
+ enableUserSlices = true;
+ };
+
+ systemd.services.nix-daemon = {
+ serviceConfig = {
+ CPUWeight = 10;
+ IOWeight = 10;
+ };
+ };
+
+ systemd.slices.hostcritical = {
+ description = "Ensures that services to keep the system alive remain alive";
+
+ unitConfig = {
+ # required to avoid a dependency cycle on systemd-oomd. systemd will
+ # actually guess this right but we should fix it anyway.
+ DefaultDependencies = false;
+ };
+
+ sliceConfig = systemCriticalSliceConfig;
+ };
+
+ # make root logins higher priority for resources
+ systemd.slices."user-0" = {
+ sliceConfig = systemCriticalSliceConfig;
+ };
+
+ systemd.slices.system = {
+ sliceConfig = {
+ ManagedOOMMemoryPressure = "kill";
+ ManagedOOMMemoryPressureLimit = "50%";
+
+ IOWeight = 100;
+ };
+ };
+
+ systemd.services.sshd = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+
+ systemd.services.systemd-oomd = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+
+ systemd.services.systemd-journald = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
new file mode 100644
index 0000000..669cd75
--- /dev/null
+++ b/modules/nixos/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./base.nix
+ ./cgroups.nix
+ ./ssh.nix
+ ];
+}
diff --git a/modules/nixos/ssh.nix b/modules/nixos/ssh.nix
new file mode 100644
index 0000000..b4c8772
--- /dev/null
+++ b/modules/nixos/ssh.nix
@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ services.openssh = {
+ enable = lib.mkDefault true;
+ settings = {
+ PasswordAuthentication = lib.mkForce false;
+ KbdInteractiveAuthentication = lib.mkForce false;
+
+ PermitRootLogin = lib.mkForce "prohibit-password";
+ };
+ openFirewall = lib.mkDefault true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+}
diff --git a/profiles/core/base-server.nix b/profiles/core/base-server.nix
deleted file mode 100644
index 2a13f96..0000000
--- a/profiles/core/base-server.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ ... }:
-{
- imports = [
- ./boot.nix
- ./cgroups.nix
- ./docs.nix
- ./locale.nix
- ./motd.nix
- ./security.nix
- ./ssh.nix
- ./tools.nix
- ./users.nix
- ];
-}
diff --git a/profiles/core/boot.nix b/profiles/core/boot.nix
deleted file mode 100644
index 8aacfbf..0000000
--- a/profiles/core/boot.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-{
- boot.kernelPackages = pkgs.linuxPackages_latest;
-
- boot.kernel.sysctl = {
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.ipv4.tcp_ecn" = 1;
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_tw_reuse" = 1;
- };
-}
diff --git a/profiles/core/cgroups.nix b/profiles/core/cgroups.nix
deleted file mode 100644
index 07dc964..0000000
--- a/profiles/core/cgroups.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-# Stolen from https://git.lix.systems/the-distro/infra/src/branch/main/common/cgroups.nix
-# Relatively inspired by fbtax2:
-# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
-{ ... }:
-let
- systemCriticalSliceConfig = {
- ManagedOOMMemoryPressure = "kill";
-
- # guarantee availability of memory
- MemoryMin = "192M";
- # default 100
- IOWeight = 1000;
- # default 100
- CPUWeight = 1000;
- };
-in
-{
- systemd.oomd = {
- enable = true;
- enableRootSlice = true;
- enableSystemSlice = true;
- enableUserSlices = true;
- };
-
- systemd.services.nix-daemon = {
- serviceConfig = {
- CPUWeight = 10;
- IOWeight = 10;
- };
- };
-
- systemd.slices.hostcritical = {
- description = "Ensures that services to keep the system alive remain alive";
-
- unitConfig = {
- # required to avoid a dependency cycle on systemd-oomd. systemd will
- # actually guess this right but we should fix it anyway.
- DefaultDependencies = false;
- };
-
- sliceConfig = systemCriticalSliceConfig;
- };
-
- # make root logins higher priority for resources
- systemd.slices."user-0" = {
- sliceConfig = systemCriticalSliceConfig;
- };
-
- systemd.slices.system = {
- sliceConfig = {
- ManagedOOMMemoryPressure = "kill";
- ManagedOOMMemoryPressureLimit = "50%";
-
- IOWeight = 100;
- };
- };
-
- systemd.services.sshd = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-
- systemd.services.systemd-oomd = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-
- systemd.services.systemd-journald = {
- serviceConfig = {
- Slice = "hostcritical.slice";
- };
- };
-}
diff --git a/profiles/core/docs.nix b/profiles/core/docs.nix
deleted file mode 100644
index dcf38e6..0000000
--- a/profiles/core/docs.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ lib, ... }:
-{
- ## disable that slow "building man-cache" step
- documentation.man.generateCaches = lib.mkForce false;
-}
diff --git a/profiles/core/locale.nix b/profiles/core/locale.nix
deleted file mode 100644
index 73eece0..0000000
--- a/profiles/core/locale.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-{
- i18n = {
- defaultLocale = "en_US.UTF-8";
- supportedLocales = [
- "en_US.UTF-8/UTF-8"
- ];
- };
-
- time.timeZone = "America/Los_Angeles";
-}
diff --git a/profiles/core/motd.nix b/profiles/core/motd.nix
deleted file mode 100644
index 01575e1..0000000
--- a/profiles/core/motd.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ self, config, ... }:
-{
- users.motdFile = "/etc/motd";
- environment.etc.motd.text = ''
- Machine ${config.networking.hostName}
- NixOS ${config.system.nixos.release}
- @ ${self.shortRev or self.dirtyShortRev}
- '';
-}
diff --git a/profiles/core/security.nix b/profiles/core/security.nix
deleted file mode 100644
index 146012f..0000000
--- a/profiles/core/security.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ ... }:
-{
- security.sudo.wheelNeedsPassword = false;
-}
diff --git a/profiles/core/ssh.nix b/profiles/core/ssh.nix
deleted file mode 100644
index b4c8772..0000000
--- a/profiles/core/ssh.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, ... }:
-{
- networking.firewall.allowedTCPPorts = [ 22 ];
-
- services.openssh = {
- enable = lib.mkDefault true;
- settings = {
- PasswordAuthentication = lib.mkForce false;
- KbdInteractiveAuthentication = lib.mkForce false;
-
- PermitRootLogin = lib.mkForce "prohibit-password";
- };
- openFirewall = lib.mkDefault true;
- hostKeys = [
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- ];
- };
-}
diff --git a/profiles/core/tools.nix b/profiles/core/tools.nix
deleted file mode 100644
index 74f90cc..0000000
--- a/profiles/core/tools.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = with pkgs; [
- curl
- dysk
- fd
- fish
- git
- htop
- jq
- mtr
- pciutils
- powertop
- ripgrep
- tcpdump
- traceroute
- vim
- wireguard-tools
- ];
-}
diff --git a/profiles/core/users.nix b/profiles/core/users.nix
deleted file mode 100644
index da2c8ff..0000000
--- a/profiles/core/users.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-{
- users.mutableUsers = false;
-
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- ];
-}
-- 
cgit v1.2.3