

no stub: <insert TLC song>
This feature was introduced in
NixOS/nixpkgs#269551 and is mostly useful for
servers.

Saves around 80MiB of evaluation on x86_64 by avoiding the extra i686 nixpkgs
instance.
zimbatm committed Feb 14, 2024
1 parent e6f41df commit cfe8494
Showing 2 changed files with 110 additions and 98 deletions.
48 changes: 27 additions & 21 deletions nixos/common/default.nix
@@ -1,8 +1,7 @@
# A default configuration that applies to all servers.
# Common configuration accross *all* the machines
{ config, lib, ... }:
{ config, options, lib, ... }:
{

imports = [
./flake.nix
./mdmonitor-fix.nix
Expand All @@ -16,26 +15,33 @@
./zfs.nix
];

# Use systemd during boot as well on systems except:
# - systems that require networking in early-boot
# - systems with raids as this currently require manual configuration (https://github.com/NixOS/nixpkgs/issues/210210)
# - for containers we currently rely on the `stage-2` init script that sets up our /etc
boot.initrd.systemd.enable = lib.mkDefault (
!(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then
config.boot.swraid.enable
else
config.boot.initrd.services.swraid.enable) &&
!config.boot.isContainer &&
!config.boot.growPartition
);
config = {
# Use systemd during boot as well on systems except:
# - systems that require networking in early-boot
# - systems with raids as this currently require manual configuration (https://github.com/NixOS/nixpkgs/issues/210210)
# - for containers we currently rely on the `stage-2` init script that sets up our /etc
boot.initrd.systemd.enable = lib.mkDefault (
!(if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then
config.boot.swraid.enable
else
config.boot.initrd.services.swraid.enable) &&
!config.boot.isContainer &&
!config.boot.growPartition
);

# Work around for https://github.com/NixOS/nixpkgs/issues/124215
documentation.info.enable = false;

# Work around for https://github.com/NixOS/nixpkgs/issues/124215
documentation.info.enable = false;
# This is pulled in by the container profile, but it seems broken and causes
# unecessary rebuilds.
environment.noXlibs = false;

# This is pulled in by the container profile, but it seems broken and causes
# unecessary rebuilds.
environment.noXlibs = false;
# Ensure a clean & sparkling /tmp on fresh boots.
boot.tmp.cleanOnBoot = lib.mkDefault true;
} // lib.optionalAttrs (options.environment ? ldso32) {
# Don't install the /lib/ld-linux.so.2 stub. This saves one instance of
# nixpkgs.
environment.ldso32 = null;
};

# Ensure a clean & sparkling /tmp on fresh boots.
boot.tmp.cleanOnBoot = lib.mkDefault true;
}
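Review bot: The `//` on the `} // lib.optionalAttrs (options.environment ? ldso32) {` line is a shallow attrset update, so on a nixpkgs where the option exists the right-hand `environment = { ldso32 = null; }` replaces the whole `environment` attribute of the left-hand set and `environment.noXlibs = false` is silently dropped. Merging through the module system avoids that: `config = lib.mkMerge [ {` on the first line of the block, then `} (lib.optionalAttrs (options.environment ? ldso32) {` and `}) ];` in place of the current `} // lib.optionalAttrs ... {` and `};` lines. nixos/server/default.nix uses the same construct and there loses `environment.systemPackages` and `environment.variables.BROWSER`, which is the more visible effect of the two.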
160 changes: 83 additions & 77 deletions nixos/server/default.nix
@@ -1,89 +1,95 @@
# A default configuration that applies to all servers.
# Common configuration accross *all* the machines
{ pkgs, lib, ... }:
{ options, pkgs, lib, ... }:
{

imports = [
../common
];

# List packages installed in system profile.
environment.systemPackages = map lib.lowPrio [
pkgs.curl
pkgs.dnsutils
pkgs.gitMinimal
pkgs.htop
pkgs.jq
pkgs.tmux
];

# Notice this also disables --help for some commands such es nixos-rebuild
documentation.enable = lib.mkDefault false;
documentation.info.enable = lib.mkDefault false;
documentation.man.enable = lib.mkDefault false;
documentation.nixos.enable = lib.mkDefault false;

# No need for fonts on a server
fonts.fontconfig.enable = lib.mkDefault false;

programs.vim.defaultEditor = lib.mkDefault true;

# Print the URL instead on servers
environment.variables.BROWSER = "echo";

# Make sure firewall is enabled
networking.firewall.enable = true;

# Delegate the hostname setting to dhcp/cloud-init by default
networking.hostName = lib.mkDefault "";

# If the user is in @wheel they are trusted by default.
nix.settings.trusted-users = [ "root" "@wheel" ];

security.sudo.wheelNeedsPassword = false;

# Enable SSH everywhere
services.openssh.enable = true;

# No need for sound on a server
sound.enable = false;

# UTC everywhere!
time.timeZone = lib.mkDefault "UTC";

# No mutable users by default
users.mutableUsers = false;

systemd = {
# Given that our systems are headless, emergency mode is useless.
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
enableEmergencyMode = false;

# For more detail, see:
# https://0pointer.de/blog/projects/watchdog.html
watchdog = {
# systemd will send a signal to the hardware watchdog at half
# the interval defined here, so every 10s.
# If the hardware watchdog does not get a signal for 20s,
# it will forcefully reboot the system.
runtimeTime = "20s";
# Forcefully reboot if the final stage of the reboot
# hangs without progress for more than 30s.
# For more info, see:
# https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
rebootTime = "30s";
config = {
# List packages installed in system profile.
environment.systemPackages = map lib.lowPrio [
pkgs.curl
pkgs.dnsutils
pkgs.gitMinimal
pkgs.htop
pkgs.jq
pkgs.tmux
];

# Notice this also disables --help for some commands such es nixos-rebuild
documentation.enable = lib.mkDefault false;
documentation.info.enable = lib.mkDefault false;
documentation.man.enable = lib.mkDefault false;
documentation.nixos.enable = lib.mkDefault false;

# No need for fonts on a server
fonts.fontconfig.enable = lib.mkDefault false;

programs.vim.defaultEditor = lib.mkDefault true;

# Print the URL instead on servers
environment.variables.BROWSER = "echo";

# Make sure firewall is enabled
networking.firewall.enable = true;

# Delegate the hostname setting to dhcp/cloud-init by default
networking.hostName = lib.mkDefault "";

# If the user is in @wheel they are trusted by default.
nix.settings.trusted-users = [ "root" "@wheel" ];

security.sudo.wheelNeedsPassword = false;

# Enable SSH everywhere
services.openssh.enable = true;

# No need for sound on a server
sound.enable = false;

# UTC everywhere!
time.timeZone = lib.mkDefault "UTC";

# No mutable users by default
users.mutableUsers = false;

systemd = {
# Given that our systems are headless, emergency mode is useless.
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
enableEmergencyMode = false;

# For more detail, see:
# https://0pointer.de/blog/projects/watchdog.html
watchdog = {
# systemd will send a signal to the hardware watchdog at half
# the interval defined here, so every 10s.
# If the hardware watchdog does not get a signal for 20s,
# it will forcefully reboot the system.
runtimeTime = "20s";
# Forcefully reboot if the final stage of the reboot
# hangs without progress for more than 30s.
# For more info, see:
# https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
rebootTime = "30s";
};

sleep.extraConfig = ''
AllowSuspend=no
AllowHibernation=no
'';
};

sleep.extraConfig = ''
AllowSuspend=no
AllowHibernation=no
'';
};

# use TCP BBR has significantly increased throughput and reduced latency for connections
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
# use TCP BBR has significantly increased throughput and reduced latency for connections
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
} // lib.optionalAttrs (options.environment ? stub-ld) {
# Don't install the /lib/ld-linux.so.2 and /lib64/ld-linux-x86-64.so.2
# stubs. Server users should know what they are doing.
environment.stub-ld.enable = lib.mkDefault false;
};
}
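Review bot: The `options.environment ? stub-ld` guard on the `} // lib.optionalAttrs` line silently does nothing on a nixpkgs that predates the option, and nothing in the file records when that guard stops being needed; the commit message names NixOS/nixpkgs#269551 as the origin of the feature. A comment above that line such as `# environment.stub-ld exists since NixOS/nixpkgs#269551; older nixpkgs skip this block` would tell a reader why the option is tested rather than set unconditionally, and when the guard can be dropped.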
