wip

chore: run formatter
temp: workaround for nixpkgs#514705
2026-05-20 22:55:27 +02:00 · 2026-05-12 10:36:25 +02:00 · 2026-05-12 10:35:53 +02:00 · 2026-05-10 00:08:17 +02:00
10 changed files with 148 additions and 156 deletions
--- a/features/bootloader.nix
+++ b/features/bootloader.nix
@@ -3,11 +3,23 @@
    {
      config,
      lib,
      pkgs,
      inputs,
      ...
    }:
    let
      cfg = config.features.bootloader;
      keyDir = "/etc/secrets/initrd";
      mkIpString =
        {
          address,
          gateway,
          netmask,
          interface,
          ...
        }:
        "${address}::${gateway}:${netmask}::${interface}:none";
    in
    {
      imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
@@ -23,15 +35,88 @@
          default = "systemd-boot";
        };
-        plymouth.enable = lib.mkEnableOption "plymouth boot splash";
+        configurationLimit = lib.mkOption {
          type = lib.types.int;
          default = 10;
        };
        consoleFont = lib.mkOption {
          type = lib.types.str;
          default = "ter-v32n";
        };
        resumeDevice = lib.mkOption {
          type = lib.types.nullOr lib.types.str;
          default = null;
        };
        initrdSsh = {
          enable = lib.mkEnableOption "remote LUKS unlock via ssh in initrd";
          networkModule = lib.mkOption {
            type = lib.types.str;
          };
          ip = {
            enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
            address = lib.mkOption {
              type = lib.types.str;
            };
            gateway = lib.mkOption {
              type = lib.types.str;
            };
            netmask = lib.mkOption {
              type = lib.types.str;
              default = "255.255.255.0";
            };
            interface = lib.mkOption {
              type = lib.types.str;
            };
          };
          authorizedKeys = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            default = [ ];
          };
        };
      };
      config = lib.mkIf cfg.enable (
        lib.mkMerge [
          {
            boot.loader.efi.canTouchEfiVariables = true;
-            # request the largest framebuffer uefi offers; plymouth inherits it
+
-            boot.loader.systemd-boot.consoleMode = "max";
+            # lanzaboote inherits editor + configurationLimit from systemd-boot.*
            boot.loader.systemd-boot = {
              editor = false;
              inherit (cfg) configurationLimit;
            };
            boot.initrd.systemd.enable = true;
            # block simpledrm so fbcon defers until the gpu driver binds; avoids
            # the simpledrm -> real-driver fbcon transition that mangles console
            # text and leaves the luks prompt typing offset from the visible
            # surface. hosts must put the gpu driver in initrd (nixos-hardware
            # does this for amd; manual hardware.amdgpu.initrd.enable on others)
            boot.kernelParams = [ "initcall_blacklist=simpledrm_platform_driver_init" ];
            # verbose boot: kernel messages and systemd unit lines visible end
            # to end. trade-off: the luks prompt will be interleaved with the
            # last few "Starting/Started ..." lines (no upstream fix exists
            # without plymouth). boot.initrd.verbose is a no-op under
            # systemd-initrd, so not set here.
            # readable luks prompt at panel-native dpi
            console = {
              earlySetup = true;
              font = cfg.consoleFont;
              packages = [ pkgs.terminus_font ];
            };
          }
          (lib.mkIf (cfg.mode == "systemd-boot") {
@@ -46,26 +131,41 @@
            };
          })
-          (lib.mkIf cfg.plymouth.enable {
+          (lib.mkIf (cfg.resumeDevice != null) {
-            # plymouth needs systemd-initrd to render the luks prompt cleanly
+            boot.resumeDevice = cfg.resumeDevice;
-            boot.initrd.systemd.enable = true;
+          })
-            # host is responsible for early-KMS so plymouth lands on the gpu driver,
+          (lib.mkIf cfg.initrdSsh.enable {
-            # not simpledrm (e.g. hardware.amdgpu.initrd.enable on amd hosts)
+            boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
            boot.plymouth.enable = true;
            stylix.targets.plymouth.logoAnimated = false;
-            boot.kernelParams = [
+            boot.initrd.availableKernelModules = [ cfg.initrdSsh.networkModule ];
-              "quiet"
+
-              "splash"
+            boot.kernelParams = lib.mkIf cfg.initrdSsh.ip.enable [
-              "loglevel=3"
+              "ip=${mkIpString cfg.initrdSsh.ip}"
              "rd.systemd.show_status=false"
              "rd.udev.log_level=3"
              "udev.log_priority=3"
              "plymouth.force-scale=1"
            ];
-            boot.consoleLogLevel = 0;
+
-            boot.initrd.verbose = false;
+            boot.initrd.network = {
              enable = true;
              ssh = {
                enable = true;
                port = 22;
                hostKeys = [
                  "${keyDir}/ssh_host_rsa_key"
                  "${keyDir}/ssh_host_ed25519_key"
                ];
                inherit (cfg.initrdSsh) authorizedKeys;
              };
            };
            # forward LUKS password prompt to the ssh session (systemd-initrd idiom)
            boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
            boot.initrd.systemd.network.networks = lib.mkIf (!cfg.initrdSsh.ip.enable) {
              "10-initrd" = {
                matchConfig.Driver = cfg.initrdSsh.networkModule;
                networkConfig.DHCP = "yes";
              };
            };
          })
        ]
      );
--- a/features/desktop.nix
+++ b/features/desktop.nix
@@ -105,7 +105,11 @@
          # bluetooth
          (lib.mkIf cfg.bluetooth.enable {
            hardware.bluetooth.enable = true;
-            services.blueman.enable = true;
+            services.blueman = {
              enable = true;
              # TEMP:(@janezicmatej) workaround for nixpkgs#514705, fix in nixpkgs#517250
              withApplet = false;
            };
          })
          # apps
--- a/features/initrd-ssh.nix
+++ b/features/initrd-ssh.nix
@@ -1,90 +0,0 @@
 {
  nixos =
    { lib, config, ... }:
    let
      cfg = config.features.initrd-ssh;
      keyDir = "/etc/secrets/initrd";
      mkIpString =
        {
          address,
          gateway,
          netmask,
          interface,
          ...
        }:
        "${address}::${gateway}:${netmask}::${interface}:none";
    in
    {
      options.features.initrd-ssh = {
        enable = lib.mkEnableOption "initrd ssh";
        ip = {
          enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
          address = lib.mkOption {
            type = lib.types.str;
          };
          gateway = lib.mkOption {
            type = lib.types.str;
          };
          netmask = lib.mkOption {
            type = lib.types.str;
            default = "255.255.255.0";
          };
          interface = lib.mkOption {
            type = lib.types.str;
          };
        };
        authorizedKeys = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          default = [ ];
        };
        networkModule = lib.mkOption {
          type = lib.types.str;
        };
      };
      config = lib.mkIf cfg.enable {
        boot.initrd.availableKernelModules = [ cfg.networkModule ];
        boot.initrd.kernelModules = [ cfg.networkModule ];
        boot.kernelParams = lib.mkIf cfg.ip.enable [
          "ip=${mkIpString cfg.ip}"
        ];
        boot.initrd.systemd.enable = true;
        # remote unlock may take a while; don't let device units give up
        boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
        boot.initrd.network = {
          enable = true;
          ssh = {
            enable = true;
            port = 22;
            hostKeys = [
              "${keyDir}/ssh_host_rsa_key"
              "${keyDir}/ssh_host_ed25519_key"
            ];
            inherit (cfg) authorizedKeys;
          };
        };
        # systemd-networkd retries DHCP indefinitely, unlike udhcpc
        boot.initrd.systemd.network.networks = lib.mkIf (!cfg.ip.enable) {
          "10-initrd" = {
            matchConfig.Driver = cfg.networkModule;
            networkConfig.DHCP = "yes";
          };
        };
        # forward LUKS password prompt to the SSH session
        boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
      };
    };
 }
--- a/features/power.nix
+++ b/features/power.nix
@@ -8,11 +8,6 @@
      options.features.power = {
        enable = lib.mkEnableOption "laptop power management";
        resumeDevice = lib.mkOption {
          type = lib.types.nullOr lib.types.str;
          default = null;
        };
        lidSwitch = lib.mkOption {
          type = lib.types.str;
          default = "suspend-then-hibernate";
@@ -40,8 +35,6 @@
      };
      config = lib.mkIf cfg.enable {
        boot.resumeDevice = lib.mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
        services.logind.settings.Login = {
          HandleLidSwitch = cfg.lidSwitch;
          HandlePowerKey = cfg.powerKey;
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -55,7 +55,6 @@ in
        "git"
        "gnupg"
        "harmonia"
        "initrd-ssh"
        "localisation"
        "neovim"
        "networkmanager"
--- a/hosts/fw16/configuration.nix
+++ b/hosts/fw16/configuration.nix
@@ -10,16 +10,13 @@
    inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
  ];
-  features.bootloader.plymouth.enable = true;
+  features.bootloader.resumeDevice = "/dev/mapper/vg0-swap";
  features.desktop.bluetooth.enable = true;
  features.gnupg.yubikey.enable = true;
  features.udev = {
    ledger.enable = true;
    keyboard-zsa.enable = true;
  };
  features.power.resumeDevice = "/dev/disk/by-uuid/ff4750e7-3a9f-42c2-bb68-c458a6560540";
  boot.kernelParams = [ "pcie_aspm.policy=powersupersave" ];
  programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;
--- a/hosts/fw16/hardware-configuration.nix
+++ b/hosts/fw16/hardware-configuration.nix
@@ -37,10 +37,7 @@
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/42D9-FAFD";
    fsType = "vfat";
-    options = [
+    options = [ "umask=0077" ];
      "fmask=0022"
      "dmask=0022"
    ];
  };
  swapDevices = [
--- a/hosts/tower/configuration.nix
+++ b/hosts/tower/configuration.nix
@@ -8,7 +8,11 @@
  features.nix-settings.towerCache.enable = false;
  features.bootloader = {
    mode = "lanzaboote";
-    plymouth.enable = true;
+    initrdSsh = {
      enable = true;
      networkModule = "r8169";
      authorizedKeys = userKeys.sshAuthorizedKeys;
    };
  };
  features.desktop.bluetooth.enable = true;
  features.gnupg.yubikey.enable = true;
@@ -16,17 +20,14 @@
    ledger.enable = true;
    keyboard-zsa.enable = true;
  };
  features.initrd-ssh = {
    networkModule = "r8169";
    authorizedKeys = userKeys.sshAuthorizedKeys;
  };
  # nix store signing
  sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
  nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
  boot.kernelParams = [ "btusb.reset=1" ];
-  # early kms so plymouth lands on amdgpu, not simpledrm
+  # pairs with bootloader's simpledrm initcall blacklist: amdgpu owns fbcon
  # from the start, no driver-swap mode-set
  hardware.amdgpu.initrd.enable = true;
  services.udisks2.enable = true;
--- a/29
+++ b/29
@@ -2,31 +2,20 @@
 default:
    @just --list
-# rebuild and switch
+# rebuild the system
-switch config="":
+rebuild op="switch" host=`hostname`:
-    nixos-rebuild switch --flake .{{ if config != "" { "#" + config } else { "" } }} --sudo
+    nixos-rebuild {{op}} --flake .#{{host}} --sudo
 # fetch flake inputs
 sync:
    nix flake prefetch-inputs
 # update flake inputs
 update:
    nix flake update
 # update flake inputs, rebuild and switch
 bump: update switch
 # update a package to latest version
 update-package pkg:
    bash packages/{{pkg}}/update.sh
 # update all packages with update scripts
-update-package-all:
+update-package:
    @for script in packages/*/update.sh; do bash "$script"; done
 # build all packages and hosts
-build:
+check:
    nix flake check
 # build installation iso
@@ -37,10 +26,6 @@ iso:
 ephvm *ARGS:
    bash scripts/ephvm-run.sh {{ARGS}}
 # ssh into running ephemeral VM
 ephvm-ssh port="2222":
    ssh -p {{port}} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null matej@localhost
 # provision a host with nixos-anywhere
 provision host ip:
    #!/usr/bin/env bash
@@ -59,8 +44,8 @@ provision host ip:
    ssh root@{{ip}} reboot
 # deploy config to a remote host
-deploy host remote=host:
+deploy op="switch" host=`hostname` remote=host:
-    nixos-rebuild switch --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
+    nixos-rebuild {{op}} --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
 # garbage collect old generations
 clean host=`hostname`:
--- a/lib/mkHost.nix
+++ b/lib/mkHost.nix
@@ -90,7 +90,13 @@ nixpkgs.lib.nixosSystem {
    # TEMP:(@janezicmatej) temporary mitigation for dirty frag
    # blocks esp4/esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500)
    # remove once nixpkgs ships a kernel with f4c50a4034e6 and the rxrpc fix
-    { boot.blacklistedKernelModules = [ "esp4" "esp6" "rxrpc" ]; }
+    {
      boot.blacklistedKernelModules = [
        "esp4"
        "esp6"
        "rxrpc"
      ];
    }
    featureEnableModule
    hostConfig
Author	SHA1	Message	Date
Matej Janežič	524dafd513	wip	2026-05-20 22:55:27 +02:00
Matej Janežič	db1e9c15ac	chore: run formatter	2026-05-12 10:36:25 +02:00
Matej Janežič	f4b9eff715	temp: workaround for nixpkgs#514705	2026-05-12 10:35:53 +02:00
Matej Janežič	325b863238	feat: justfile recipe improvements	2026-05-10 00:08:17 +02:00