chore: refactor system modules
This commit is contained in:
99
system/boot/boot.nix
Normal file
99
system/boot/boot.nix
Normal file
@@ -0,0 +1,99 @@
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.system.boot;
|
||||
in {
|
||||
options.system.boot = {
|
||||
extraModprobeConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
example = ''
|
||||
options snd_usb_audio vid=0x1235 pid=0x8212 device_setup=1
|
||||
'';
|
||||
};
|
||||
kernel = {
|
||||
package = mkOption {
|
||||
type = types.raw;
|
||||
default = pkgs.linuxPackages_zen;
|
||||
};
|
||||
modules = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
};
|
||||
cpuVendor = mkOption {
|
||||
description = "Intel or AMD?";
|
||||
type = types.enum ["intel" "amd"];
|
||||
default = "amd";
|
||||
};
|
||||
v4l2loopback = mkOption {
|
||||
description = "Enables v4l2loopback";
|
||||
type = types.bool;
|
||||
default = true;
|
||||
};
|
||||
hardened = mkEnableOption "Enables hardened Linux kernel";
|
||||
};
|
||||
systemd-boot = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Does the system use systemd-boot?";
|
||||
};
|
||||
zfs = {
|
||||
enable = mkEnableOption "Enables ZFS";
|
||||
pools = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config.boot = {
|
||||
initrd.kernelModules = lists.optional config.system.hardware.amdgpu.enable "amdgpu";
|
||||
loader = {
|
||||
systemd-boot.enable = cfg.systemd-boot;
|
||||
efi.canTouchEfiVariables = cfg.systemd-boot;
|
||||
};
|
||||
supportedFilesystems = mkIf cfg.zfs.enable ["zfs"];
|
||||
zfs.extraPools = mkIf cfg.zfs.enable cfg.zfs.pools;
|
||||
kernelPackages =
|
||||
if cfg.kernel.hardened
|
||||
then pkgs.linuxPackages_hardened
|
||||
else cfg.kernel.package;
|
||||
kernelModules =
|
||||
cfg.kernel.modules
|
||||
++ ["kvm-${cfg.kernel.cpuVendor}"]
|
||||
++ lists.optional cfg.kernel.v4l2loopback "v4l2loopback"
|
||||
++ lists.optional cfg.kernel.hardened "tcp_bbr";
|
||||
kernel.sysctl = mkIf cfg.kernel.hardened {
|
||||
"kernel.sysrq" = 0; # Disable magic SysRq key
|
||||
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
|
||||
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
|
||||
# Ignore bad ICMP errors
|
||||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||||
# SYN flood protection
|
||||
"net.ipv4.tcp_syncookies" = 1;
|
||||
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default_accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
# Do not accept IP source route packets (we are not a router)
|
||||
"net.ipv4.conf.all.accept_source_route" = 0;
|
||||
"net.ipv6.conf.all.accept_source_route" = 0;
|
||||
# Protect against tcp time-wait assassination hazards
|
||||
"net.ipv4.tcp_rfc1337" = 1;
|
||||
# Latency reduction
|
||||
"net.ipv4.tcp_fastopen" = 3;
|
||||
# Bufferfloat mitigations
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
"net.core.default_qdisc" = "cake";
|
||||
};
|
||||
};
|
||||
}
|
||||
7
system/boot/default.nix
Normal file
7
system/boot/default.nix
Normal file
@@ -0,0 +1,7 @@
|
||||
{
|
||||
imports = [
|
||||
./boot.nix
|
||||
./plymouth.nix
|
||||
./zram.nix
|
||||
];
|
||||
}
|
||||
33
system/boot/plymouth.nix
Normal file
33
system/boot/plymouth.nix
Normal file
@@ -0,0 +1,33 @@
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.system.boot.plymouth;
|
||||
in {
|
||||
options.system.boot.plymouth.enable = mkEnableOption "Enables Plymouth at system boot";
|
||||
config.boot = mkIf cfg.enable {
|
||||
plymouth = {
|
||||
inherit (cfg) enable;
|
||||
theme = "circle_hud";
|
||||
themePackages = with pkgs; [
|
||||
(adi1090x-plymouth-themes.override {
|
||||
selected_themes = ["circle_hud"];
|
||||
})
|
||||
];
|
||||
};
|
||||
consoleLogLevel = 3;
|
||||
initrd.verbose = false;
|
||||
kernelParams = [
|
||||
"quiet"
|
||||
"splash"
|
||||
"boot.shell_on_fail"
|
||||
"udev.log_priority=3"
|
||||
"rd.systemd.show_status=auto"
|
||||
];
|
||||
# Loader appears only if a key is pressed
|
||||
loader.timeout = 0;
|
||||
};
|
||||
}
|
||||
21
system/boot/zram.nix
Normal file
21
system/boot/zram.nix
Normal file
@@ -0,0 +1,21 @@
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.system.boot.zram;
|
||||
in {
|
||||
options.system.boot.zram = {
|
||||
enable = mkEnableOption "Enable ZRAM";
|
||||
memoryMax = mkOption {
|
||||
type = types.int;
|
||||
example = "512";
|
||||
description = "Maximum size allocated to ZRAM in MiB";
|
||||
};
|
||||
};
|
||||
config.zramSwap = mkIf cfg.enable {
|
||||
inherit (cfg) enable;
|
||||
memoryMax = cfg.memoryMax * 1024 * 1024;
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user