From 7ac42248a5fe999b2b14b1d22f8d24d0b83acbc0 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Mon, 18 Nov 2024 03:15:33 +0300
Subject: [PATCH] some fixes for home-hypervisor
---
 profiles/hardware.nix | 59 ++++++++++++++++++----------------
 profiles/security/user.nix | 2 --
 profiles/servers/tinyproxy.nix | 18 ----------
 profiles/virtualisation.nix | 2 --
 profiles/vpn.nix | 4 +--
 profiles/workspace/misc.nix | 6 ++--
 6 files changed, 37 insertions(+), 54 deletions(-)
diff --git a/profiles/hardware.nix b/profiles/hardware.nix
index 2293540..7248fe9 100644
--- a/profiles/hardware.nix
+++ b/profiles/hardware.nix
@@ -1,31 +1,36 @@
-{ pkgs, config, ... }:
+{ config, lib, pkgs, ... }:
 with config.deviceSpecific; {
- hardware.cpu.${devInfo.cpu.vendor}.updateMicrocode = true;
- hardware.enableRedistributableFirmware = true;
+ config = lib.mkMerge [
+ ({
+ hardware.cpu.${devInfo.cpu.vendor}.updateMicrocode = true;
+ hardware.enableRedistributableFirmware = true;
 
- hardware.graphics = {
- enable = true;
- enable32Bit = true;
- extraPackages = if devInfo.gpu.vendor == "intel" then [
- pkgs.intel-media-driver
- pkgs.intel-vaapi-driver
- pkgs.libvdpau-va-gl
- ] else if devInfo.gpu.vendor == "amd" then [
- pkgs.rocmPackages.clr.icd
- ] else [ ];
- };
+ boot.initrd.kernelModules = if devInfo.gpu.vendor == "amd" then [
+ "amdgpu"
+ ] else if devInfo.gpu.vendor == "intel" then [
+ "i915"
+ ] else [ ];
+ })
+ (lib.mkIf (!isServer) {
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = if devInfo.gpu.vendor == "intel" then [
+ pkgs.intel-media-driver
+ pkgs.intel-vaapi-driver
+ pkgs.libvdpau-va-gl
+ ] else if devInfo.gpu.vendor == "amd" then [
+ pkgs.rocmPackages.clr.icd
+ ] else [ ];
+ };
 
- environment.sessionVariables = if (devInfo.gpu.vendor == "intel") then {
- GST_VAAPI_ALL_DRIVERS = "1";
- LIBVA_DRIVER_NAME = "iHD";
- VDPAU_DRIVER = "va_gl";
- } else if (devInfo.gpu.vendor == "amd") then {
- AMD_VULKAN_ICD = "RADV";
- } else {};
-
- boot.initrd.kernelModules = if devInfo.gpu.vendor == "amd" then [
- "amdgpu"
- ] else if devInfo.gpu.vendor == "intel" then [
- "i915"
- ] else [ ];
+ environment.sessionVariables = if (devInfo.gpu.vendor == "intel") then {
+ GST_VAAPI_ALL_DRIVERS = "1";
+ LIBVA_DRIVER_NAME = "iHD";
+ VDPAU_DRIVER = "va_gl";
+ } else if (devInfo.gpu.vendor == "amd") then {
+ AMD_VULKAN_ICD = "RADV";
+ } else {};
+ })
+ ];
 }
diff --git a/profiles/security/user.nix b/profiles/security/user.nix
index f17c681..8f0b0b6 100644
--- a/profiles/security/user.nix
+++ b/profiles/security/user.nix
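Review bot: The module now uses the explicit `config = lib.mkMerge [ … ]` form, which means any option added later at the top level of this attribute set would be rejected by the module system, so a comment above it such as `# explicit config form: new options belong inside the mkMerge list` would spare the next editor a confusing evaluation error. The parentheses around the first list element, `({ … })`, are redundant for a bare attribute set — `{ … }` alone is valid there — and only the `(lib.mkIf …)` element needs them. Whether a headless server should still load `amdgpu`/`i915` in the initrd (that list now sits in the unconditional element) looks like a deliberate choice and is worth stating in a one-line comment on that element.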
@@ -1,7 +1,5 @@
 { config, pkgs, ... }: {
 security.apparmor.enable = true;
- programs.firejail.enable = true;
- users.mutableUsers = false;
 
 users.users.${config.mainuser} = {
 isNormalUser = true;
diff --git a/profiles/servers/tinyproxy.nix b/profiles/servers/tinyproxy.nix
index 8c2f1a1..60425cc 100644
--- a/profiles/servers/tinyproxy.nix
+++ b/profiles/servers/tinyproxy.nix
@@ -38,24 +38,6 @@
 rejectPackets = false;
 };
 };
-
- nixpkgs.overlays = [(final: prev: {
- sing-box =
- if (lib.versionOlder prev.sing-box.version "1.10.1") then
- prev.sing-box.overrideAttrs (_: {
- version = "1.10.1";
- src = prev.fetchFromGitHub {
- owner = "SagerNet";
- repo = "sing-box";
- rev = "v1.10.1";
- hash = "sha256-WGlYaD4u9M1hfT+L6Adc5gClIYOkFsn4c9FAympmscQ=";
- };
- vendorHash = "sha256-lyZ2Up1SSaRGvai0gGtq43MSdHfXc2PuxflSbASYZ4A=";
- })
- else
- prev.sing-box;
- })];
-
 system.stateVersion = "24.11";
 };
 };
diff --git a/profiles/virtualisation.nix b/profiles/virtualisation.nix
index 5bc99f1..1f54ae1 100644
--- a/profiles/virtualisation.nix
+++ b/profiles/virtualisation.nix
@@ -78,8 +78,6 @@ with config.deviceSpecific; {
 "/var/lib/containers"
 ];
 
- networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ];
-
 # cross compilation of aarch64 uefi currently broken
 # link existing extracted from fedora package
 system.activationScripts.aarch64-ovmf = lib.mkIf (!isServer) {
diff --git a/profiles/vpn.nix b/profiles/vpn.nix
index 0011d07..1a451ea 100644
--- a/profiles/vpn.nix
+++ b/profiles/vpn.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, secretsDir, ... }:
 let
- isTailscale = config.deviceSpecific.vpn.tailscale.enable;
+ tailscale = config.deviceSpecific.vpn.tailscale;
 wg = config.deviceSpecific.vpn.wireguard;
 sing-box = config.deviceSpecific.vpn.sing-box;
 wgIFName = "wg0";
@@ -23,7 +23,7 @@ in {
 wantedBy = [ "multi-user.target" ];
 };
 })
- (lib.mkIf isTailscale {
+ (lib.mkIf tailscale.enable {
 services.tailscale.enable = true;
 services.tailscale.useRoutingFeatures = "client";
 persist.state.directories = [ "/var/lib/tailscale" ];
diff --git a/profiles/workspace/misc.nix b/profiles/workspace/misc.nix
index 8302a24..f6f8409 100644
--- a/profiles/workspace/misc.nix
+++ b/profiles/workspace/misc.nix
@@ -14,7 +14,7 @@ with config.deviceSpecific; {
 services.journald.extraConfig = "Compress=false";
 services.gvfs.enable = !isServer;
 services.upower.enable = lib.mkDefault isLaptop;
- xdg.portal.enable = true;
+ xdg.portal.enable = !isServer;
 xdg.portal.config.common.default = "*";
 
 # xdg.portal.xdgOpenUsePortal = true;
@@ -43,10 +43,10 @@ with config.deviceSpecific; {
 persist.state.directories = [
 "/var/lib/nixos"
 "/var/lib/systemd"
- ] ++ lib.optionals config.services.postgresql.enable [
- "/var/lib/postgresql"
 ] ++ lib.optionals config.services.mysql.enable [
 config.services.mysql.dataDir
+ ] ++ lib.optionals ((devInfo.fileSystem != "zfs") && config.services.postgresql.enable) [
+ "/var/lib/postgresql"
 ];
 persist.state.homeDirectories = [
 "projects"
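Review bot: `xdg.portal.enable` is now `!isServer`, but `xdg.portal.config.common.default = "*"` on the following line stays unconditional, so the two settings can drift apart; grouping them under one condition keeps them in step: `xdg.portal = lib.mkIf (!isServer) { enable = true; config.common.default = "*"; };`. The `"*"` default itself is pre-existing and not changed by this commit. The enclosing attribute set continues outside the hunk.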
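Review bot: The new condition drops `/var/lib/postgresql` from `persist.state.directories` whenever `devInfo.fileSystem` is `"zfs"`, and nothing in the hunk says where PostgreSQL data is expected to live on those hosts; if this relies on a dedicated dataset being mounted there (presumably the reason), a host without that mount would keep its database outside the persisted set with no evaluation-time signal. The assumption should sit next to the condition, e.g. `# on zfs, /var/lib/postgresql is expected to be its own dataset, not a persisted bind mount`, and an assertion that `config.fileSystems` has an entry for that path when `devInfo.fileSystem == "zfs"` and postgresql is enabled would turn the silent case into a build failure. The mysql entry two lines above uses `config.services.mysql.dataDir` while the PostgreSQL path is hard-coded; that is fine if the whole version-directory tree is meant to be covered, but deserves a word in the same comment. The enclosing attribute set continues outside the hunk.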