Merge pull request #519 from NixOS/build-cleanup

build: prune common configuration
NixOS · Dec 11, 2024 · 28532c2 · 28532c2
2 parents 0d476c9 + 211023c
commit 28532c2
Show file tree

Hide file tree

Showing 24 changed files with 140 additions and 820 deletions.
diff --git a/build/common.nix b/build/common.nix
@@ -1,12 +1,9 @@
 {
-  config,
   pkgs,
   lib,
   ...
 }:
 
-with lib;
-
 {
   imports = [
     ./diffoscope.nix
@@ -17,61 +14,71 @@ with lib;
 
   nixpkgs.config.allowUnfree = true;
 
-  services.openssh.authorizedKeysFiles = mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
-
-  boot.kernelModules = [ "coretemp" ];
-
-  # Prevent "out of sync" errors on the KVM switch.
-  boot.vesa = false;
-  boot.blacklistedKernelModules = [
-    "radeonfb"
-    "radeon"
-    "i915"
-  ];
-  boot.kernelParams = [ "nomodeset" ];
-
   hardware.enableAllFirmware = true;
   hardware.cpu.amd.updateMicrocode = true;
   hardware.cpu.intel.updateMicrocode = true;
 
-  environment.systemPackages = [
-    pkgs.emacs
-    pkgs.sysstat
-    pkgs.hdparm
-    pkgs.sdparm # pkgs.lsiutil
-    pkgs.htop
-    pkgs.sqlite
-    pkgs.iotop
-    pkgs.lm_sensors
-    pkgs.hwloc
-    pkgs.lsof
-    pkgs.numactl
-    pkgs.gcc
-    pkgs.smartmontools
-    pkgs.tcpdump
-    pkgs.gdb
-    pkgs.elfutils
-  ];
+  boot.kernel.sysctl = {
+    # reboot on kernel panic
+    "kernel.panic" = 60;
+    "kernel.panic_on_oops" = 1;
+  };
 
-  services.openssh.enable = true;
+  documentation.nixos.enable = false;
 
-  boot.kernel.sysctl."kernel.panic" = 60;
-  boot.kernel.sysctl."kernel.panic_on_oops" = 1;
+  environment = {
+    enableDebugInfo = true;
+    systemPackages = with pkgs; [
+      # debugging
+      gdb
+      lsof
+      sqlite-interactive
+
+      # editors
+      emacs
+      helix
+      neovim
+
+      # utilities
+      ripgrep
+      fd
+
+      # system introspection
+      hdparm
+      htop
+      iotop
+      lm_sensors
+      nvme-cli
+      smartmontools
+      sysstat
+      tcpdump
+      tmux
+    ];
+  };
 
-  nix.nrBuildUsers = 100;
+  services.openssh = {
+    enable = true;
+    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
+  };
 
   nix.extraOptions = ''
     allowed-impure-host-deps = /etc/protocols /etc/services /etc/nsswitch.conf
     allowed-uris = https://github.com/ https://git.savannah.gnu.org/ github:
   '';
 
+  # we use networkd
   networking.useDHCP = false;
 
-  networking.firewall.enable = true;
-  networking.firewall.rejectPackets = true;
-  networking.firewall.allowPing = true;
-  networking.firewall.allowedTCPPorts = [ 10050 ];
-  networking.firewall.logRefusedConnections = false;
+  networking.firewall = {
+    enable = true;
+
+    # be a good network citizen and allow some debugging interactions
+    rejectPackets = true;
+    allowPing = true;
+
+    # prevent firewall log spam from rotating the kernel rinbuffer
+    logRefusedConnections = false;
+  };
 
   services.resolved = {
     enable = true;
@@ -84,37 +91,10 @@ with lib;
     ];
   };
 
-  # Bump the open files limit so that non-root users can run NixOS VM
-  # tests (Samba opens lot of files).
-  security.pam.loginLimits = [
-    {
-      domain = "*";
-      item = "nofile";
-      type = "-";
-      value = "16384";
-    }
-  ];
-
-  # Enable Kernel Samepage Merging (reduces memory footprint of VMs).
-  hardware.ksm.enable = true;
-
-  # Disable the systemd-journald watchdog. The default timeout (1min)
-  # can easily be triggered on our slow, heavily-loaded disks. And
-  # that may cause services writing to the journal to fail until
-  # they're restarted.
-  systemd.services.systemd-journald.serviceConfig.WatchdogSec = 0;
-
-  environment.enableDebugInfo = true;
-
-  systemd.tmpfiles.rules = [ "d /tmp 1777 root root 7d" ];
-
-  # Disable sending email from cron.
-  services.cron.mailto = "";
-
-  documentation.nixos.enable = false;
-
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "[email protected]";
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "[email protected]";
+  };
 
   services.zfs.autoScrub.enable = true;
 }
diff --git a/build/diffoscope.nix b/build/diffoscope.nix
@@ -1,17 +1,18 @@
-{ pkgs, ... }:
-
-with pkgs.lib;
+{
+  pkgs,
+  ...
+}:
 
 let
 
   diffoscopeWrapper = pkgs.writeScript "diffoscope-wrapper" ''
-            #! ${pkgs.stdenv.shell}
-    	exec >&2
-    	echo ""
-            echo "non-determinism detected in $2; diff with previous round follows:"
-            echo ""
-            time ${pkgs.utillinux}/bin/runuser -u diffoscope -- ${pkgs.diffoscope}/bin/diffoscope "$1" "$2"
-            exit 0
+    #! ${pkgs.stdenv.shell}
+    exec >&2
+    echo ""
+    echo "non-determinism detected in $2; diff with previous round follows:"
+    echo ""
+    time ${pkgs.utillinux}/bin/runuser -u diffoscope -- ${pkgs.diffoscope}/bin/diffoscope "$1" "$2"
+    exit 0
   '';
 
 in

diff --git a/build/flake.nix b/build/flake.nix
@@ -79,15 +79,6 @@
         ];
       };
 
-      nixosConfigurations.rhea = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-
-        modules = [
-          flakesModule
-          ./rhea/configuration.nix
-        ];
-      };
-
       nixosConfigurations.mimas = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";