From 8baa3cf42d12f076bd3aaa35c5f8185c974dca73 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 5 Nov 2018 12:04:06 +0100 Subject: [PATCH] nix/os: tidy up hw/boot handling --- nix/os/devices/steveej-laptop/boot.nix | 6 ---- nix/os/devices/steveej-laptop/hw.nix | 19 +++++-------- .../steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix | 6 +++- nix/os/devices/steveej-t480s-work/hw.nix | 12 ++++---- nix/os/devices/steveej-t480s-work/system.nix | 11 ++++---- nix/os/profiles/common/boot.nix | 7 +++++ nix/os/profiles/common/configuration.nix | 1 + nix/os/profiles/common/hw.nix | 14 ++++++++++ nix/os/profiles/graphical/boot.nix | 7 +++++ nix/os/profiles/graphical/configuration.nix | 6 ++-- nix/os/profiles/graphical/hw.nix | 7 +++++ nix/os/profiles/removable-medium/boot.nix | 28 ------------------- nix/os/profiles/removable-medium/hw.nix | 1 - 13 files changed, 63 insertions(+), 62 deletions(-) create mode 100644 nix/os/profiles/common/hw.nix create mode 100644 nix/os/profiles/graphical/boot.nix create mode 100644 nix/os/profiles/graphical/hw.nix diff --git a/nix/os/devices/steveej-laptop/boot.nix b/nix/os/devices/steveej-laptop/boot.nix index 975fc6e..7c689ce 100644 --- a/nix/os/devices/steveej-laptop/boot.nix +++ b/nix/os/devices/steveej-laptop/boot.nix @@ -4,10 +4,4 @@ # workaround to disable CPU wining # current CPU has 9 idle cstates. boot.kernelParams = [ "intel_idle.max_cstate=9" ]; - - # Workaround for nm-pptp to enforce module load - boot.kernelModules = [ - "nf_conntrack_proto_gre" - "nf_conntrack_pptp" - ]; } diff --git a/nix/os/devices/steveej-laptop/hw.nix b/nix/os/devices/steveej-laptop/hw.nix index 8af9706..9e66240 100644 --- a/nix/os/devices/steveej-laptop/hw.nix +++ b/nix/os/devices/steveej-laptop/hw.nix 
@@ -4,26 +4,21 @@ { config, lib, pkgs, ... }: { - nix.maxJobs = 3; - nix.buildCores = 3; + boot.initrd.availableKernelModules = [ + "aesni_intel" + "kvm-intel" + "aes_x86_64" + ]; - hardware.enableAllFirmware = true; - hardware.trackpoint.emulateWheel = true; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; boot.extraModprobeConfig = '' options kvm-intel nested=1 options kvm-intel enable_shadow_vmcs=1 options kvm-intel enable_apicv=1 options kvm-intel ept=1 ''; - boot.extraModulePackages = [ ]; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - fileSystems."/boot" = { + # TODO: migrate this to the encryptedDisk module + fileSystems."/boot" = { device = "/dev/disk/by-uuid/445D-DBAA"; fsType = "vfat"; }; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 6aa9818..1c7f7a3 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,5 +1,9 @@ { ... }: { - hardware.encryptedDisk.diskId = "mmc-SL32G_0x259093f6"; + # TASK: new device + hardware.encryptedDisk = { + enable = true; + diskId = "mmc-SL32G_0x259093f6"; + }; } diff --git a/nix/os/devices/steveej-t480s-work/hw.nix b/nix/os/devices/steveej-t480s-work/hw.nix index 074a132..b2b8293 100644 --- a/nix/os/devices/steveej-t480s-work/hw.nix +++ b/nix/os/devices/steveej-t480s-work/hw.nix 
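Review bot: `"kvm-intel"` moves from `boot.kernelModules` into `boot.initrd.availableKernelModules` in this hunk, and the two options do different things: the initrd list only makes a module available in the initial ramdisk, while `boot.kernelModules` requests loading on the booted system. KVM is usually loaded on demand, so virtualisation probably still works, but the hypervisor module has no visible reason to be in the initrd. The `boot.extraModprobeConfig` options kept as context (including `nested=1`) still apply whenever it loads. I would keep `boot.kernelModules = [ "kvm-intel" ];` and list only `"aesni_intel"` and `"aes_x86_64"` in the initrd set. The same applies to the matching hunk in `steveej-t480s-work/hw.nix`; the module body continues outside both hunks.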
@@ -7,14 +7,12 @@ diskId = "nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K827498"; }; - nix.maxJobs = 3; - nix.buildCores = 3; + boot.initrd.availableKernelModules = [ + "aesni_intel" + "kvm-intel" + "aes_x86_64" + ]; - hardware.enableAllFirmware = true; - hardware.trackpoint.emulateWheel = true; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; boot.extraModprobeConfig = '' options kvm-intel nested=1 options kvm-intel enable_shadow_vmcs=1 diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix index 3c819b8..a44044f 100644 --- a/nix/os/devices/steveej-t480s-work/system.nix +++ b/nix/os/devices/steveej-t480s-work/system.nix @@ -30,11 +30,12 @@ ]; }; - services.fprintd.enable = true; - security.pam.services = { - login.fprintAuth = true; - sudo.fprintAuth = true; - }; +# TODO: get external fingerprint reader +# services.fprintd.enable = true; +# security.pam.services = { +# login.fprintAuth = true; +# sudo.fprintAuth = true; +# }; # Kubernetes # services.kubernetes.roles = ["master" "node"]; diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix index 8e1a03c..3d035cc 100644 --- a/nix/os/profiles/common/boot.nix +++ b/nix/os/profiles/common/boot.nix @@ -11,7 +11,14 @@ version = 2; }; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; boot.tmpOnTmpfs = true; + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = [ + "nf_conntrack_proto_gre" + "nf_conntrack_pptp" + ]; } diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index a2519ca..0540f85 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -6,5 +6,6 @@ ./pkg.nix ./user.nix ./system.nix + ./hw.nix ]; } 
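Review bot: The fingerprint block in `steveej-t480s-work/system.nix` is disabled by commenting it out at column 0, which leaves dead configuration behind and puts an authentication change into a commit titled as hw/boot tidy-up. Removing the lines and keeping only `# TODO: get external fingerprint reader` would leave the file easier to audit, and the change would be easier to find later as its own commit. When the block returns, it is worth deciding separately whether `sudo.fprintAuth = true;` belongs next to `login.fprintAuth = true;`, since that setting presumably lets a fingerprint stand in for the password on privilege elevation.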
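Review bot: The nm-pptp workaround added to `profiles/common/boot.nix` makes every host that imports the common profile load `nf_conntrack_proto_gre` and `nf_conntrack_pptp` at boot, whether or not it uses a PPTP VPN. Before this commit the list was visible only in the steveej-laptop device file and the removable-medium profile. Connection-tracking helpers parse network traffic in the kernel, so loading them only where they are needed is the safer default; I would keep `boot.kernelModules = [ "nf_conntrack_proto_gre" "nf_conntrack_pptp" ];` in the device or profile that actually runs nm-pptp. Separately, `boot.loader.systemd-boot.enable = true;` now sits in the same file as what looks like a grub block (`version = 2;` in the context), so please confirm which loader is intended for hosts that import it.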
diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix new file mode 100644 index 0000000..885663e --- /dev/null +++ b/nix/os/profiles/common/hw.nix @@ -0,0 +1,14 @@ +{ ... }: + +{ + hardware.trackpoint.emulateWheel = true; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + "cryptd" + ]; +} diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix new file mode 100644 index 0000000..e4d35b0 --- /dev/null +++ b/nix/os/profiles/graphical/boot.nix @@ -0,0 +1,7 @@ + +{ lib +, ... +}: + +{ +} diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index ee53530..1ab66e9 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,9 +1,11 @@ { pkgs -, ... +, ... }: { - imports = [ + imports = [ + ./boot.nix ./system.nix + ./hw.nix ]; } diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix new file mode 100644 index 0000000..7cc04be --- /dev/null +++ b/nix/os/profiles/graphical/hw.nix @@ -0,0 +1,7 @@ +{ +... +}: + +{ + hardware.enableAllFirmware = true; +} diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index 7c3d25b..b3939cb 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix 
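Review bot: The initrd crypto modules end up split by this new `profiles/common/hw.nix`: `"cryptd"` is listed here, while `"aesni_intel"` and `"aes_x86_64"` now appear only in the steveej-laptop and steveej-t480s-work device files. The removable-medium profile drops its own list in this commit and the `steveej-rmvbl-mmc-SL32G_0x259093f6` device file does not list the AES modules. That encrypted device therefore relies on whatever the `hardware.encryptedDisk` module (not visible here) or the NixOS defaults provide. If the split is intended, a comment above the list would record it, e.g. `# cryptd stays common; CPU-specific AES modules are listed per device in devices/*/hw.nix`; otherwise keep the three modules together in one place.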
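Review bot: `hardware.enableAllFirmware = true;` is added in `profiles/graphical/hw.nix` but is still set in `profiles/removable-medium/hw.nix` (it remains as context in the last hunk of this patch), so the relocation is only half done and the setting now has two owners. Pick one profile to own it and drop the other definition. This option installs every firmware package, unfree ones included; if these hosts only need redistributable firmware, `hardware.enableRedistributableFirmware = true;` is the narrower choice.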
@@ -5,33 +5,5 @@ { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - "aes_x86_64" - "aesni_intel" - "cryptd" - ]; - - boot.kernelModules = [ - "kvm-intel" - - # Workaround for nm-pptp to enforce module load - "nf_conntrack_proto_gre" - "nf_conntrack_pptp" - ]; - - boot.extraModprobeConfig = '' - options kvm-intel nested=1 - options kvm-intel enable_shadow_vmcs=1 - options kvm-intel enable_apicv=1 - options kvm-intel ept=1 - ''; boot.extraModulePackages = [ ]; - - boot.loader.systemd-boot.enable = true; } diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index dc39ae9..99f014f 100644 --- a/nix/os/profiles/removable-medium/hw.nix +++ b/nix/os/profiles/removable-medium/hw.nix @@ -3,5 +3,4 @@ { hardware.encryptedDisk.enable = true; hardware.enableAllFirmware = true; - hardware.trackpoint.emulateWheel = true; }