From 1f2aed3e29b83dc2dc9f9a97ea740e9a1039e170 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 15 Aug 2024 12:25:49 +0200 Subject: [PATCH] reformat with nixfmt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Jörg Thalheim --- default.nix | 14 +- docs/default.nix | 34 +- flake.nix | 15 +- hydrajobs/flake-module.nix | 47 +- lib.nix | 117 ++-- lib/ghaf-modules.nix | 5 +- lib/icons.nix | 133 ++-- lib/launcher.nix | 25 +- lib/mk-flash-script/default.nix | 64 +- modules/common/boot/systemd-boot-dtb.nix | 6 +- modules/common/common.nix | 3 +- modules/common/development/debug-tools.nix | 61 +- modules/common/development/nix.nix | 24 +- .../development/scripts/nvpmodel_check.nix | 6 +- .../scripts/perf_test_icicle_kit.nix | 6 +- .../scripts/rm_linux_bootmgr_entries.nix | 6 +- .../scripts/sysbench_fileio_test.nix | 6 +- .../development/scripts/sysbench_test.nix | 6 +- modules/common/development/ssh.nix | 10 +- modules/common/development/usb-serial.nix | 12 +- modules/common/development/yubikey.nix | 17 +- modules/common/firewall/default.nix | 6 +- modules/common/firewall/kernel-modules.nix | 10 +- modules/common/logging/client.nix | 10 +- modules/common/logging/default.nix | 6 +- modules/common/logging/hw-mac-retrieve.nix | 10 +- modules/common/logging/logs-aggregator.nix | 16 +- modules/common/networking/default.nix | 6 +- modules/common/networking/hosts.nix | 55 +- modules/common/profiles/debug.nix | 10 +- modules/common/profiles/host-hardening.nix | 12 +- modules/common/profiles/kernel-hardening.nix | 10 +- modules/common/profiles/release.nix | 10 +- modules/common/security/default.nix | 6 +- modules/common/security/sshkeys.nix | 6 +- modules/common/services/audio.nix | 40 +- modules/common/services/desktop.nix | 59 +- modules/common/services/firmware.nix | 10 +- modules/common/services/fprint.nix | 8 +- modules/common/services/namespaces.nix | 16 +- modules/common/services/pdfopen.nix | 17 +- modules/common/services/wifi.nix | 10 +- modules/common/services/yubikey.nix | 18 +- modules/common/systemd/base.nix | 42 +- modules/common/systemd/boot.nix | 21 +- modules/common/systemd/harden.nix | 37 +- .../common/NetworkManager-dispatcher.nix | 20 +- 
.../systemd/hardened-configs/common/dbus.nix | 22 +- .../hardened-configs/common/dnsmasq.nix | 18 +- .../hardened-configs/common/enable-ksm.nix | 18 +- .../hardened-configs/common/firewall.nix | 20 +- .../common/generate-shutdown-ramfs.nix | 20 +- .../hardened-configs/common/ghaf-session.nix | 20 +- .../common/install-microvm-netvm.nix | 20 +- .../common/kmod-static-nodes.nix | 20 +- .../common/logrotate-checkconf.nix | 20 +- .../hardened-configs/common/logrotate.nix | 20 +- .../common/microvm-tap-interfaces@.nix | 20 +- .../common/microvm-virtiofsd@.nix | 2 +- .../hardened-configs/common/microvm@.nix | 20 +- .../common/network-local-commands.nix | 20 +- .../systemd/hardened-configs/common/nscd.nix | 20 +- .../hardened-configs/common/pulseaudio.nix | 18 +- .../hardened-configs/common/rtkit-daemon.nix | 18 +- .../systemd/hardened-configs/common/seatd.nix | 20 +- .../common/systemd-fsck-root.nix | 20 +- .../common/systemd-journal-catalog-update.nix | 20 +- .../common/systemd-journal-flush.nix | 20 +- .../common/systemd-networkd-wait-online.nix | 20 +- .../common/systemd-random-seed.nix | 22 +- .../common/systemd-remount-fs.nix | 20 +- .../common/systemd-rfkill.nix | 22 +- .../common/systemd-tmpfiles-clean.nix | 20 +- .../common/systemd-tmpfiles-setup-dev.nix | 20 +- .../common/systemd-tmpfiles-setup.nix | 20 +- .../common/systemd-udev-trigger.nix | 22 +- .../hardened-configs/common/systemd-udevd.nix | 20 +- .../common/systemd-user-sessions.nix | 20 +- .../hardened-configs/common/tpm2-abrmd.nix | 18 +- .../common/user-runtime-dir@.nix | 18 +- .../hardened-configs/common/vsockproxy.nix | 18 +- .../common/wpa_supplicant.nix | 18 +- .../release/NetworkManager.nix | 18 +- .../hardened-configs/release/audit.nix | 20 +- .../systemd/hardened-configs/release/sshd.nix | 25 +- .../hardened-configs/release/user@.nix | 20 +- .../systemd/hardened-configs/template.nix | 18 +- modules/common/users/accounts.nix | 30 +- modules/common/version/default.nix | 10 +- 
modules/common/virtualization/docker.nix | 10 +- modules/desktop/graphics/boot.nix | 15 +- modules/desktop/graphics/demo-apps.nix | 14 +- modules/desktop/graphics/fonts.nix | 10 +- modules/desktop/graphics/ghaf-launcher.nix | 35 +- modules/desktop/graphics/labwc.config.nix | 37 +- modules/desktop/graphics/labwc.nix | 54 +- modules/desktop/graphics/launchers.nix | 36 +- modules/desktop/graphics/waybar.config.nix | 19 +- modules/desktop/graphics/window-manager.nix | 32 +- modules/desktop/profiles/applications.nix | 10 +- modules/desktop/profiles/graphics.nix | 29 +- modules/disko/disko-ab-partitions.nix | 11 +- modules/disko/disko-basic-partition-v1.nix | 9 +- modules/disko/disko-basic-postboot.nix | 6 +- modules/disko/disko-zfs-postboot.nix | 6 +- modules/disko/flake-module.nix | 3 +- modules/flake-module.nix | 27 +- modules/hardware/common/devices.nix | 46 +- modules/hardware/common/kernel.nix | 46 +- modules/hardware/common/qemu.nix | 25 +- modules/hardware/common/usb/external.nix | 61 +- modules/hardware/common/usb/internal.nix | 88 ++- modules/hardware/definition.nix | 608 +++++++++--------- .../dell-latitude/dell-latitude-7230.nix | 53 +- .../dell-latitude/dell-latitude-7330.nix | 34 +- modules/hardware/laptop.nix | 43 +- .../lenovo-x1/definitions/x1-gen10.nix | 20 +- .../lenovo-x1/definitions/x1-gen11.nix | 20 +- .../lenovo-x1/kernel/guest/test/default.nix | 7 +- .../kernel/guest/test/test-configuration.nix | 3 +- .../x86_64-generic/kernel/guest/default.nix | 3 +- .../x86_64-generic/kernel/hardening.nix | 3 +- .../x86_64-generic/kernel/host/default.nix | 13 +- .../kernel/host/pkvm/default.nix | 6 +- .../kernel/host/pkvm/test/default.nix | 7 +- .../host/pkvm/test/test-configuration.nix | 7 +- .../kernel/host/test/default.nix | 7 +- .../kernel/host/test/test-configuration.nix | 3 +- .../hardware/x86_64-generic/modules/tpm2.nix | 6 +- .../hardware/x86_64-generic/x86_64-linux.nix | 12 +- modules/host/default.nix | 7 +- modules/imx8/default.nix | 6 +- 
modules/imx8/imx8mp-sdimage.nix | 9 +- .../agx-netvm-wlan-pci-passthrough.nix | 14 +- .../nx-netvm-ethernet-pci-passthrough.nix | 14 +- .../nvidia-jetson-orin/format-module.nix | 4 +- .../nvidia-jetson-orin/jetson-orin.nix | 27 +- modules/jetpack/nvidia-jetson-orin/optee.nix | 3 +- .../nvidia-jetson-orin/ota-utils-fix.nix | 19 +- .../nvidia-jetson-orin/partition-template.nix | 35 +- .../pci-passthrough-common.nix | 14 +- .../jetpack/nvidia-jetson-orin/sdimage.nix | 109 ++-- .../common/bpmp-virt-common/default.nix | 12 +- .../host/bpmp-virt-host/default.nix | 8 +- .../bpmp-virt-host/overlays/qemu/default.nix | 10 +- .../host/uarta-host/default.nix | 12 +- .../passthrough/uarti-net-vm/default.nix | 14 +- modules/jetpack/profiles/debug.nix | 10 +- modules/jetpack/profiles/default.nix | 6 +- modules/lanzaboote/default.nix | 6 +- modules/microvm/flake-module.nix | 3 +- modules/microvm/networking.nix | 15 +- modules/microvm/power-control.nix | 14 +- .../virtualization/microvm/adminvm.nix | 172 ++--- .../microvm/virtualization/microvm/appvm.nix | 471 +++++++------- .../virtualization/microvm/audiovm.nix | 200 +++--- .../microvm/common/vm-networking.nix | 46 +- .../microvm/virtualization/microvm/guivm.nix | 330 +++++----- .../virtualization/microvm/idsvm/idsvm.nix | 98 +-- .../microvm/idsvm/mitmproxy/default.nix | 49 +- .../virtualization/microvm/microvm-host.nix | 34 +- .../virtualization/microvm/modules.nix | 41 +- .../microvm/virtualization/microvm/netvm.nix | 180 +++--- modules/polarfire/default.nix | 6 +- modules/polarfire/mpfs-nixos-sdimage.nix | 7 +- modules/profiles/laptop-x86.nix | 14 +- modules/profiles/mvp-user-trial.nix | 14 +- modules/reference/appvms/appflowy.nix | 7 +- modules/reference/appvms/business.nix | 72 ++- modules/reference/appvms/chromium.nix | 66 +- modules/reference/appvms/default.nix | 23 +- modules/reference/appvms/element.nix | 55 +- modules/reference/appvms/gala.nix | 11 +- modules/reference/appvms/zathura.nix | 9 +- 
modules/reference/programs/chromium.nix | 10 +- .../reference/programs/windows-launcher.nix | 14 +- modules/reference/programs/zathura.nix | 10 +- modules/reference/services/default.nix | 10 +- .../dendrite-pinecone/dendrite-config.nix | 55 +- .../dendrite-pinecone/dendrite-pinecone.nix | 23 +- nix/checks.nix | 50 +- nix/devshell.nix | 77 ++- nix/devshell/kernel.nix | 107 +-- nix/nixpkgs.nix | 25 +- nix/treefmt.nix | 119 ++-- overlays/cross-compilation/default.nix | 4 +- .../papirus-icon-theme/default.nix | 6 +- overlays/custom-packages/default.nix | 30 +- .../element-desktop/default.nix | 4 +- .../custom-packages/element-gps/default.nix | 4 +- .../custom-packages/element-web/default.nix | 4 +- overlays/custom-packages/gtklock/default.nix | 2 +- overlays/custom-packages/labwc/default.nix | 5 +- .../custom-packages/mitmweb-ui/default.nix | 4 +- overlays/custom-packages/qemu/default.nix | 24 +- .../custom-packages/tpm2-pkcs11/default.nix | 4 +- overlays/custom-packages/waybar/default.nix | 17 +- overlays/custom-packages/waypipe/default.nix | 4 +- packages/audio-ctrl/default.nix | 10 +- packages/dendrite-pinecone/default.nix | 7 +- packages/element-gps/default.nix | 14 +- packages/element-web/default.nix | 122 ++-- packages/flake-module.nix | 77 +-- packages/gala/default.nix | 92 +-- packages/ghaf-open/default.nix | 8 +- packages/ghaf-openbox-theme/default.nix | 4 +- packages/hardware-scan/default.nix | 4 +- packages/hart-software-services/default.nix | 89 ++- packages/icon-pack/default.nix | 16 +- packages/kernel-hardening-checker/default.nix | 5 +- packages/kernel/default.nix | 110 ++-- packages/mitmweb-ui/default.nix | 74 ++- packages/openPdf/default.nix | 5 +- packages/powercontrol/default.nix | 121 ++-- packages/ssh-keys-helper/default.nix | 18 +- packages/vsockproxy/default.nix | 5 +- packages/windows-launcher/default.nix | 292 ++++----- shell.nix | 14 +- targets/generic-x86_64/flake-module.nix | 83 +-- targets/imx8mp-evk/flake-module.nix | 55 +- 
targets/laptop-hw-scan/flake-module.nix | 78 +-- targets/laptop/flake-module.nix | 16 +- .../laptop/laptop-configuration-builder.nix | 30 +- targets/lenovo-x1-installer/flake-module.nix | 115 ++-- targets/microchip-icicle-kit/flake-module.nix | 54 +- .../nvidia-jetson-orin/cross-compilation.nix | 4 +- targets/nvidia-jetson-orin/flake-module.nix | 138 ++-- targets/nvidia-jetson-orin/optee.nix | 139 ++-- targets/vm/flake-module.nix | 89 +-- templates/boilerplate/default.nix | 14 +- templates/boilerplate/flake.nix | 8 +- .../boilerplate/hydrajobs/flake-module.nix | 5 +- .../boilerplate/modules/flake-module.nix | 6 +- .../boilerplate/modules/hardware/default.nix | 16 +- templates/boilerplate/nix/checks.nix | 15 +- templates/boilerplate/nix/devshell.nix | 60 +- templates/boilerplate/nix/nixpkgs.nix | 25 +- templates/boilerplate/nix/treefmt.nix | 54 +- templates/boilerplate/shell.nix | 14 +- .../boilerplate/targets/flake-module.nix | 3 +- templates/modules/default.nix | 15 +- 241 files changed, 4307 insertions(+), 4091 deletions(-) diff --git a/default.nix b/default.nix index 59dcb3cd4..4f8ffb1a0 100644 --- a/default.nix +++ b/default.nix @@ -5,10 +5,18 @@ # This file originates from: # https://github.com/nix-community/flake-compat # This file provides backward compatibility to nix < 2.4 clients -{system ? builtins.currentSystem}: let +{ + system ? builtins.currentSystem, +}: +let lock = builtins.fromJSON (builtins.readFile ./flake.lock); - inherit (lock.nodes.flake-compat.locked) owner repo rev narHash; + inherit (lock.nodes.flake-compat.locked) + owner + repo + rev + narHash + ; flake-compat = fetchTarball { url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; @@ -20,4 +28,4 @@ src = ./.; }; in - flake.defaultNix +flake.defaultNix diff --git a/docs/default.nix b/docs/default.nix index e1a3b026a..a7d2d9fbc 100644 --- a/docs/default.nix +++ b/docs/default.nix 
@@ -9,21 +9,20 @@ mdbook-alerts, mdbook-footnote, revision ? "", - options ? {}, -}: let + options ? { }, +}: +let optionsDocMd = (nixosOptionsDoc { inherit revision options; - transformOptions = x: - # TODO this hides the other modules (e.g. microvm.nix) - # But they are stilled passed as options modules ??? - if lib.strings.hasPrefix "ghaf" x.name - then x - else x // {visible = false;}; + transformOptions = + x: + # TODO this hides the other modules (e.g. microvm.nix) + # But they are stilled passed as options modules ??? + if lib.strings.hasPrefix "ghaf" x.name then x else x // { visible = false; }; markdownByDefault = true; - }) - .optionsCommonMark; - combinedSrc = runCommandLocal "ghaf-doc-src" {} '' + }).optionsCommonMark; + combinedSrc = runCommandLocal "ghaf-doc-src" { } '' mkdir $out cp -r ${./.}/* $out chmod +w $out/src/ref_impl/modules_options.md @@ -32,10 +31,14 @@ sed 's/\(file:\/\/\)\?\/nix\/store\/[^/]*-source/https:\/\/github.com\/tiiuae\/ghaf\/blob\/main/g' ${optionsDocMd} >> $out/src/ref_impl/modules_options.md ''; in - # TODO Change this, runCommandLocal is not intended for longer running processes - runCommandLocal "ghaf-doc" +# TODO Change this, runCommandLocal is not intended for longer running processes +runCommandLocal "ghaf-doc" { - nativeBuildInputs = [mdbook mdbook-footnote mdbook-alerts]; + nativeBuildInputs = [ + mdbook + mdbook-footnote + mdbook-alerts + ]; src = combinedSrc; # set the package Meta info @@ -47,6 +50,7 @@ in "aarch64-linux" ]; }; - } '' + } + '' ${mdbook}/bin/mdbook build -d $out $src '' diff --git a/flake.nix b/flake.nix index 53b67e192..852b5c7e8 100644 --- a/flake.nix +++ b/flake.nix @@ -29,7 +29,7 @@ inputs = { #TODO: clean this up before merging to main - nixpkgs.url = "github:tiiuae/nixpkgs/nixos-unstable-texinfo"; #"flake:mylocalnixpkgs"; # + nixpkgs.url = "github:tiiuae/nixpkgs/nixos-unstable-texinfo"; # "flake:mylocalnixpkgs"; # #nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; # 
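Review bot: The reformatted `nixpkgs.url` line in the `@@ -29,7 +29,7 @@` hunk still carries the `#TODO: clean this up before merging to main` and the dangling `# "flake:mylocalnixpkgs"; #` remnant, so the flake keeps resolving nixpkgs from the `tiiuae/nixpkgs` branch `nixos-unstable-texinfo` instead of upstream. The revision is presumably pinned by `flake.lock` (default.nix reads it), so builds stay reproducible, but a fork branch is a mutable reference that the next `nix flake update` will follow, and the reason for the fork is not recorded anywhere in the hunk. Either resolve the TODO or replace the leftover with a comment naming why the fork is required, e.g. `# tiiuae fork: carries the texinfo fix not yet in nixos-unstable — drop once upstream`. The `inputs` attrset starts and ends outside the hunk.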
@@ -130,13 +130,12 @@ }; }; - outputs = inputs @ {flake-parts, ...}: let - lib = import ./lib.nix {inherit inputs;}; - in - flake-parts.lib.mkFlake - { - inherit inputs; - } { + outputs = + inputs@{ flake-parts, ... }: + let + lib = import ./lib.nix { inherit inputs; }; + in + flake-parts.lib.mkFlake { inherit inputs; } { # Toggle this to allow debugging in the repl # see:https://flake.parts/debug debug = false; diff --git a/hydrajobs/flake-module.nix b/hydrajobs/flake-module.nix index f1b87d5bd..d1393738f 100644 --- a/hydrajobs/flake-module.nix +++ b/hydrajobs/flake-module.nix 
@@ -1,23 +1,30 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{self, ...}: let - mkBpmpEnabled = cfg: let - bpmpEnableModule = {lib, ...}: { - ghaf.hardware.nvidia = { - virtualization.enable = lib.mkForce true; - virtualization.host.bpmp.enable = lib.mkForce true; - passthroughs.host.uarta.enable = lib.mkForce true; - }; - }; - newCfg = cfg.extendModules {modules = [bpmpEnableModule];}; - package = newCfg.config.system.build.${newCfg.config.formatAttr}; - in +{ self, ... }: +let + mkBpmpEnabled = + cfg: + let + bpmpEnableModule = + { lib, ... }: + { + ghaf.hardware.nvidia = { + virtualization.enable = lib.mkForce true; + virtualization.host.bpmp.enable = lib.mkForce true; + passthroughs.host.uarta.enable = lib.mkForce true; + }; + }; + newCfg = cfg.extendModules { modules = [ bpmpEnableModule ]; }; + package = newCfg.config.system.build.${newCfg.config.formatAttr}; + in package; -in { +in +{ flake.hydraJobs = { generic-x86_64-debug.x86_64-linux = self.packages.x86_64-linux.generic-x86_64-debug; lenovo-x1-carbon-gen11-debug.x86_64-linux = self.packages.x86_64-linux.lenovo-x1-carbon-gen11-debug; - nvidia-jetson-orin-agx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-agx-debug; + nvidia-jetson-orin-agx-debug.aarch64-linux = + self.packages.aarch64-linux.nvidia-jetson-orin-agx-debug; nvidia-jetson-orin-nx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-nx-debug; intel-vm-debug.x86_64-linux = self.packages.x86_64-linux.vm-debug; nxp-imx8mp-evk-debug.x86_64-linux = self.packages.aarch64-linux.nxp-imx8mp-evk-debug; 
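Review bot: `nxp-imx8mp-evk-debug.x86_64-linux = self.packages.aarch64-linux.nxp-imx8mp-evk-debug;` in this hunk pairs an `x86_64-linux` job suffix with a package taken from `self.packages.aarch64-linux`, and the next hunk does the same for `microchip-icicle-kit-debug.x86_64-linux`, which reads from `self.packages.riscv64-linux`. If these are meant to be cross-built on x86_64 Hydra builders that differs from the explicit `-from-x86_64` jobs right below and deserves a comment such as `# evaluated for x86_64-linux builders; the image itself is cross-built for aarch64-linux`; if not, either the suffix or the attribute path looks wrong. The reformat carries the mismatch through unchanged, and the enclosing `flake.hydraJobs` attrset continues past the end of the hunk.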
@@ -25,12 +32,16 @@ in { docs.aarch64-linux = self.packages.aarch64-linux.doc; microchip-icicle-kit-debug.x86_64-linux = self.packages.riscv64-linux.microchip-icicle-kit-debug; # Build cross-copmiled images - nvidia-jetson-orin-agx-debug-from-x86_64.x86_64-linux = self.packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64; - nvidia-jetson-orin-nx-debug-from-x86_64.x86_64-linux = self.packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64; + nvidia-jetson-orin-agx-debug-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64; + nvidia-jetson-orin-nx-debug-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64; # Build also cross-compiled images without demo apps - nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64.x86_64-linux = self.packages.x86_64-linux.nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64; - nvidia-jetson-orin-nx-debug-nodemoapps-from-x86_64.x86_64-linux = self.packages.x86_64-linux.nvidia-jetson-orin-nx-debug-nodemoapps-from-x86_64; + nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64; + nvidia-jetson-orin-nx-debug-nodemoapps-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.nvidia-jetson-orin-nx-debug-nodemoapps-from-x86_64; # BPMP virt enabled versions nvidia-jetson-orin-agx-debug-bpmp.aarch64-linux = mkBpmpEnabled self.nixosConfigurations.nvidia-jetson-orin-agx-debug; diff --git a/lib.nix b/lib.nix index 744f05ba7..174337f0d 100644 --- a/lib.nix +++ b/lib.nix 
@@ -4,13 +4,15 @@ # SPDX-License-Identifier: MIT # FlattenTree and rakeLeaves originate from # https://github.com/divnix/digga -{inputs, ...}: let +{ inputs, ... }: +let inherit (inputs) nixpkgs; in - nixpkgs.lib.extend (lib: _: - # some utils for importing trees - rec { - /* +nixpkgs.lib.extend ( + lib: _: + # some utils for importing trees + rec { + /* * Filters Nix packages based on the target system platform. Returns a filtered attribute set of Nix packages compatible with the target system. @@ -35,15 +37,21 @@ in - [system] Target system platform (e.g., "x86_64-linux"). - [pkgsSet] a set of Nix packages. - */ - platformPkgs = system: - lib.filterAttrs - (_: value: let - platforms = lib.attrByPath ["meta" "platforms"] [] value; + */ + platformPkgs = + system: + lib.filterAttrs ( + _: value: + let + platforms = lib.attrByPath [ + "meta" + "platforms" + ] [ ] value; in - lib.elem system platforms); + lib.elem system platforms + ); - /* + /* * Flattens a _tree_ of the shape that is produced by rakeLeaves. An attrset with names in the spirit of the Reverse DNS Notation form @@ -61,20 +69,19 @@ in } => { "a.b.c" = ; } ``` - */ - flattenTree = tree: let - op = sum: path: val: let - pathStr = builtins.concatStringsSep "." path; # dot-based reverse DNS notation - in - if builtins.isPath val - then + */ + flattenTree = + tree: + let + op = + sum: path: val: + let + pathStr = builtins.concatStringsSep "." path; # dot-based reverse DNS notation + in + if builtins.isPath val then # builtins.trace "${toString val} is a path" - (sum - // { - "${pathStr}" = val; - }) - else if builtins.isAttrs val - then + (sum // { "${pathStr}" = val; }) + else if builtins.isAttrs val then # builtins.trace "${builtins.toJSON val} is an attrset" # recurse into that attribute set (recurse sum path val) 
@@ -83,15 +90,13 @@ in # builtins.trace "${toString path} is something else" sum; - recurse = sum: path: val: - builtins.foldl' - (sum: key: op sum (path ++ [key]) val.${key}) - sum - (builtins.attrNames val); + recurse = + sum: path: val: + builtins.foldl' (sum: key: op sum (path ++ [ key ]) val.${key}) sum (builtins.attrNames val); in - recurse {} [] tree; + recurse { } [ ] tree; - /* + /* * Recursively collect the nix files of _path_ into attrs. Return an attribute set where all `.nix` files and directories with `default.nix` in them 
@@ -120,34 +125,38 @@ in }; } ``` - */ - - rakeLeaves = dirPath: let - seive = file: type: - # Only rake `.nix` files or directories + */ + + rakeLeaves = + dirPath: + let + seive = + file: type: + # Only rake `.nix` files or directories (type == "regular" && lib.hasSuffix ".nix" file) || (type == "directory"); collect = file: type: { name = lib.removeSuffix ".nix" file; - value = let - path = dirPath + "/${file}"; - in - if - (type == "regular") - || (type == "directory" && builtins.pathExists (path + "/default.nix")) - then path + value = + let + path = dirPath + "/${file}"; + in + if (type == "regular") || (type == "directory" && builtins.pathExists (path + "/default.nix")) then + path # recurse on directories that don't contain a `default.nix` - else rakeLeaves path; + else + rakeLeaves path; }; files = lib.filterAttrs seive (builtins.readDir dirPath); in - lib.filterAttrs (_n: v: v != {}) (lib.mapAttrs' collect files); - - importLeaves = - # - # Create an import stanza by recursing a directory to find all default.nix and - # files beneath withough manually having to list all the subsequent files. - # - path: builtins.attrValues (lib.mapAttrs (_: import) (rakeLeaves path)); - }) + lib.filterAttrs (_n: v: v != { }) (lib.mapAttrs' collect files); + + importLeaves = + # + # Create an import stanza by recursing a directory to find all default.nix and + # files beneath withough manually having to list all the subsequent files. + # + path: builtins.attrValues (lib.mapAttrs (_: import) (rakeLeaves path)); + } +) diff --git a/lib/ghaf-modules.nix b/lib/ghaf-modules.nix index 992a7da8a..c594e6098 100644 --- a/lib/ghaf-modules.nix +++ b/lib/ghaf-modules.nix 
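Review bot: The `seive` predicate in this hunk admits only entries whose `builtins.readDir` type is `"regular"` (with a `.nix` suffix) or `"directory"`, so a module file or module directory reached through a symlink is dropped silently, and the `rakeLeaves` docstring above does not say so. A note on the predicate would make that visible to callers: `# NOTE: symlinks (type == "symlink") are not raked — confirm this is intended`. While touching these comments, `seive` should read `sieve` and `withough` in the `importLeaves` header should read `without`.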
@@ -2,11 +2,12 @@ # SPDX-FileCopyrightText: 2023 TII (SSRC) and the Ghaf contributors # # SPDX-License-Identifier: Apache-2.0 -{lib}: let +{ lib }: +let inherit (builtins) readFile filter; inherit (lib) filesystem hasInfix hasSuffix; isDesiredFile = path: hasSuffix ".nix" path && hasInfix "options" (readFile path); modulesDirectoryFiles = filesystem.listFilesRecursive ../modules; in - filter isDesiredFile modulesDirectoryFiles +filter isDesiredFile modulesDirectoryFiles diff --git a/lib/icons.nix b/lib/icons.nix index cf5fcb4df..96aeb6a7a 100644 --- a/lib/icons.nix +++ b/lib/icons.nix 
@@ -1,104 +1,101 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: { +{ pkgs, ... }: +{ /* - * - Resizes a PNG to fit the given size. + * + Resizes a PNG to fit the given size. - # Inputs + # Inputs - `name` + `name` - : Name of the file, this will be included in the output filename. + : Name of the file, this will be included in the output filename. - `path` + `path` - : Path of the original PNG file to be resized. + : Path of the original PNG file to be resized. - `size` + `size` - : The new size for the image (x). + : The new size for the image (x). - # Type + # Type - ``` - resizePNG :: [String] -> [String] -> [String] -> [String] - ``` + ``` + resizePNG :: [String] -> [String] -> [String] -> [String] + ``` - # Example - :::{.example} - ## Simple example + # Example + :::{.example} + ## Simple example - ```nix - resizePNG "my-icon" ./my-icon-hi-res.png "24x24"; - ``` - - ::: + ```nix + resizePNG "my-icon" ./my-icon-hi-res.png "24x24"; + ``` + ::: */ - resizePNG = name: path: size: let - out = - pkgs.runCommand "${name}-${size}" { - nativeBuildInputs = with pkgs; [ - buildPackages.imagemagick - ]; - } '' - mkdir -p $out - convert \ - ${path} \ - -resize ${size} \ - $out/${name}.png - ''; - in "${out}/${name}.png"; + resizePNG = + name: path: size: + let + out = + pkgs.runCommand "${name}-${size}" { nativeBuildInputs = with pkgs; [ buildPackages.imagemagick ]; } + '' + mkdir -p $out + convert \ + ${path} \ + -resize ${size} \ + $out/${name}.png + ''; + in + "${out}/${name}.png"; /* - * - Converts an SVG file to a PNG of a specific size. - - # Inputs + * + Converts an SVG file to a PNG of a specific size. - `name` + # Inputs - : Name of the file, this will be included in the output filename. + `name` - `path` + : Name of the file, this will be included in the output filename. - : Path of the original SVG file to be converted. + `path` - `size` + : Path of the original SVG file to be converted. 
- : The size of the PNG image to be rendered. + `size` - # Type + : The size of the PNG image to be rendered. - ``` - svgToPNG :: [String] -> [String] -> [String] -> [String] - ``` + # Type - # Example - :::{.example} - ## Simple example + ``` + svgToPNG :: [String] -> [String] -> [String] -> [String] + ``` - ```nix - svgToPNG "my-icon" ./my-icon.svg "24x24"; - ``` + # Example + :::{.example} + ## Simple example - ::: + ```nix + svgToPNG "my-icon" ./my-icon.svg "24x24"; + ``` + ::: */ - svgToPNG = name: path: size: let - sizes = builtins.split "x" size; - width = builtins.head sizes; - height = builtins.elemAt sizes 2; - out = - pkgs.runCommand "${name}-${size}" { - nativeBuildInputs = with pkgs; [ - librsvg - ]; - } '' + svgToPNG = + name: path: size: + let + sizes = builtins.split "x" size; + width = builtins.head sizes; + height = builtins.elemAt sizes 2; + out = pkgs.runCommand "${name}-${size}" { nativeBuildInputs = with pkgs; [ librsvg ]; } '' mkdir -p $out rsvg-convert ${path} -o $out/${name}.png \ --width=${width} --height=${height} --keep-aspect-ratio ''; - in "${out}/${name}.png"; + in + "${out}/${name}.png"; } diff --git a/lib/launcher.nix b/lib/launcher.nix index c4721e6e9..a4f1742a2 100644 --- a/lib/launcher.nix +++ b/lib/launcher.nix @@ -1,15 +1,18 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 _: { - rmDesktopEntries = pkgs: - map (pkg: - pkg.overrideAttrs (old: let - pInst = - if (old ? postInstall) - then old.postInstall - else ""; - in { - postInstall = pInst + "rm -rf \"$out/share/applications\""; - })) - pkgs; + rmDesktopEntries = + pkgs: + map ( + pkg: + pkg.overrideAttrs ( + old: + let + pInst = if (old ? postInstall) then old.postInstall else ""; + in + { + postInstall = pInst + "rm -rf \"$out/share/applications\""; + } + ) + ) pkgs; } diff --git a/lib/mk-flash-script/default.nix b/lib/mk-flash-script/default.nix index d93586991..fba8966ae 100644 --- a/lib/mk-flash-script/default.nix 
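Review bot: The type lines in both docstrings of this hunk, `resizePNG :: [String] -> [String] -> [String] -> [String]` and the identical one for `svgToPNG`, do not describe the code: each function takes a name string, a file path and a size string and returns one store-path string (`"${out}/${name}.png"`), so they should read `resizePNG :: String -> Path -> String -> String` and `svgToPNG :: String -> Path -> String -> String`. In `svgToPNG`, `builtins.elemAt sizes 2` is right only because `builtins.split "x" "24x24"` yields `[ "24" [ ] "24" ]` with the match list in between; a comment such as `# split interleaves match lists: [ width [ ] height ]` would stop a later reader from "correcting" the index to 1. Note also that `size` is spliced unquoted into both shell scripts (`-resize ${size}`, and via `width`/`height`), which is fine for the literal sizes in the examples but means a malformed value is passed straight through to `convert`/`rsvg-convert` as extra arguments.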
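Review bot: `postInstall = pInst + "rm -rf \"$out/share/applications\"";` in this hunk appends the removal to the package's existing `postInstall` hook with no separator, so when that hook's text does not end in a newline the `rm` lands on the same shell line as the previous command and can be swallowed by a trailing comment or glued onto its argument list. Prepending a newline fixes it and the `old ? postInstall` conditional can go at the same time: `postInstall = (old.postInstall or "") + "\nrm -rf \"$out/share/applications\"";`. The reformat preserves the original concatenation exactly, so this is pre-existing rather than introduced here.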
+++ b/lib/mk-flash-script/default.nix @@ -7,7 +7,8 @@ hostConfiguration, jetpack-nixos, flash-tools-system, -}: let +}: +let cfg = hostConfiguration.config.hardware.nvidia-jetpack; inherit (jetpack-nixos.legacyPackages.${flash-tools-system}) flash-tools; @@ -19,18 +20,23 @@ isCross = hostConfiguration.config.nixpkgs.buildPlatform.system != hostConfiguration.config.nixpkgs.hostPlatform.system; - devicePkgsSystem = - if isCross - then "x86_64-linux" - else "aarch64-linux"; - devicePkgs = jetpack-nixos.legacyPackages.${devicePkgsSystem}.devicePkgsFromNixosConfig hostConfiguration.config; + devicePkgsSystem = if isCross then "x86_64-linux" else "aarch64-linux"; + devicePkgs = + jetpack-nixos.legacyPackages.${devicePkgsSystem}.devicePkgsFromNixosConfig + hostConfiguration.config; inherit (jetpack-nixos.legacyPackages.${devicePkgsSystem}) l4tVersion; flashScript = devicePkgs.mkFlashScript { - flash-tools = flash-tools.overrideAttrs ({postPatch ? "", ...}: { - postPatch = postPatch + cfg.flashScriptOverrides.postPatch; - }); + flash-tools = flash-tools.overrideAttrs ( + { + postPatch ? "", + ... + }: + { + postPatch = postPatch + cfg.flashScriptOverrides.postPatch; + } + ); preFlashCommands = nixpkgs.lib.optionalString (flash-tools-system == "aarch64-linux") '' echo "WARNING! WARNING! WARNING!" 
@@ -45,26 +51,22 @@ patchFlashScript = builtins.replaceStrings - [ - "@pzstd@" - "@sed@" - "@patch@" - "@l4tVersion@" - "@isCross@" - ] - [ - "${nixpkgs.legacyPackages.${flash-tools-system}.zstd}/bin/pzstd" - "${nixpkgs.legacyPackages.${flash-tools-system}.gnused}/bin/sed" - "${nixpkgs.legacyPackages.${flash-tools-system}.patch}/bin/patch" - "${l4tVersion}" - "${ - if isCross - then "true" - else "false" - }" - ]; + [ + "@pzstd@" + "@sed@" + "@patch@" + "@l4tVersion@" + "@isCross@" + ] + [ + "${nixpkgs.legacyPackages.${flash-tools-system}.zstd}/bin/pzstd" + "${nixpkgs.legacyPackages.${flash-tools-system}.gnused}/bin/sed" + "${nixpkgs.legacyPackages.${flash-tools-system}.patch}/bin/patch" + "${l4tVersion}" + "${if isCross then "true" else "false"}" + ]; in - nixpkgs.legacyPackages.${flash-tools-system}.writeShellApplication { - name = "flash-ghaf"; - text = patchFlashScript flashScript; - } +nixpkgs.legacyPackages.${flash-tools-system}.writeShellApplication { + name = "flash-ghaf"; + text = patchFlashScript flashScript; +} diff --git a/modules/common/boot/systemd-boot-dtb.nix b/modules/common/boot/systemd-boot-dtb.nix index 4f2e19759..a7e32ec55 100644 --- a/modules/common/boot/systemd-boot-dtb.nix +++ b/modules/common/boot/systemd-boot-dtb.nix @@ -11,10 +11,12 @@ lib, pkgs, ... -}: let +}: +let cfg = config.ghaf.boot.loader.systemd-boot-dtb; inherit (lib) mkEnableOption mkIf; -in { +in +{ options.ghaf.boot.loader.systemd-boot-dtb = { enable = mkEnableOption "systemd-boot-dtb"; }; diff --git a/modules/common/common.nix b/modules/common/common.nix index b86989e7d..d9b62d875 100644 --- a/modules/common/common.nix +++ b/modules/common/common.nix @@ -3,7 +3,8 @@ # # TODO: Refactor even more. # This is the old "host/default.nix" file. -{lib, ...}: { +{ lib, ... }: +{ imports = [ # TODO remove this when the minimal config is defined # Replace with the baseModules definition 
diff --git a/modules/common/development/debug-tools.nix b/modules/common/development/debug-tools.nix index 93ce3d333..7c7613384 100644 --- a/modules/common/development/debug-tools.nix +++ b/modules/common/development/debug-tools.nix @@ -5,18 +5,20 @@ lib, pkgs, ... -}: let +}: +let cfg = config.ghaf.development.debug.tools; - rm-linux-bootmgrs = pkgs.callPackage ./scripts/rm_linux_bootmgr_entries.nix {}; - perf-test-script-icicle = pkgs.callPackage ./scripts/perf_test_icicle_kit.nix {}; - sysbench-test-script = pkgs.callPackage ./scripts/sysbench_test.nix {}; - sysbench-fileio-test-script = pkgs.callPackage ./scripts/sysbench_fileio_test.nix {}; - nvpmodel-check = pkgs.callPackage ./scripts/nvpmodel_check.nix {}; + rm-linux-bootmgrs = pkgs.callPackage ./scripts/rm_linux_bootmgr_entries.nix { }; + perf-test-script-icicle = pkgs.callPackage ./scripts/perf_test_icicle_kit.nix { }; + sysbench-test-script = pkgs.callPackage ./scripts/sysbench_test.nix { }; + sysbench-fileio-test-script = pkgs.callPackage ./scripts/sysbench_fileio_test.nix { }; + nvpmodel-check = pkgs.callPackage ./scripts/nvpmodel_check.nix { }; inherit (lib) mkEnableOption mkIf; - inherit (import ../../../lib/launcher.nix {inherit pkgs lib;}) rmDesktopEntries; -in { + inherit (import ../../../lib/launcher.nix { inherit pkgs lib; }) rmDesktopEntries; +in +{ options.ghaf.development.debug.tools = { enable = mkEnableOption "Debug Tools"; }; 
@@ -27,50 +29,51 @@ in {
 };
 environment.systemPackages = builtins.attrValues {
- inherit
- (pkgs)
+ inherit (pkgs)
 # For lspci:
-
+
 pciutils
 # For lsusb:
-
+
 usbutils
 # Useful in NetVM
-
+
 ethtool
 # Basic monitors
-
+
 iftop
 iotop
 traceroute
 dig
 evtest
 # For deleting Linux Boot Manager entries in automated testing
-
+
 efibootmgr
 # Performance testing
-
+
 speedtest-cli
 iperf
 tree
 file
 # to build ghaf on target
-
+
 git
 ;
 }
 ++
- # Match perf version with kernel.
- [
- #(config.boot.kernelPackages.perf.override {python3 = pkgs.python311;})
- sysbench-test-script
- sysbench-fileio-test-script
- nvpmodel-check
- rm-linux-bootmgrs
- ]
- ++ rmDesktopEntries [pkgs.htop]
+ # Match perf version with kernel.
+ [
+ #(config.boot.kernelPackages.perf.override {python3 = pkgs.python311;})
+ sysbench-test-script
+ sysbench-fileio-test-script
+ nvpmodel-check
+ rm-linux-bootmgrs
+ ]
+ ++ rmDesktopEntries [ pkgs.htop ]
 #TODO tmp disable perf as it is broken in cross-compiled Orin AGX/NX
- ++ lib.optional (config.nixpkgs.hostPlatform.system != "aarch64-linux") config.boot.kernelPackages.perf
+ ++ lib.optional (
+ config.nixpkgs.hostPlatform.system != "aarch64-linux"
+ ) config.boot.kernelPackages.perf
 # LuaJIT (which is sysbench dependency) not available on RISC-V
 ++ lib.optional (config.nixpkgs.hostPlatform.system != "riscv64-linux") pkgs.sysbench
 # Icicle Kit performance test script available on RISC-V
@@ -78,6 +81,8 @@ in {
 # runtimeShell (unixbench dependency) not available on RISC-V nor on cross-compiled Orin AGX/NX
 ++ lib.optional (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) pkgs.unixbench
 # Build VLC only on x86
- ++ lib.optionals (config.nixpkgs.hostPlatform.system == "x86_64-linux") (rmDesktopEntries [pkgs.vlc]);
+ ++ lib.optionals (config.nixpkgs.hostPlatform.system == "x86_64-linux") (rmDesktopEntries [
+ pkgs.vlc
+ ]);
 };
 }
diff --git a/modules/common/development/nix.nix b/modules/common/development/nix.nix
index abbeb9ded..95376741c 100644
--- a/modules/common/development/nix.nix
+++ b/modules/common/development/nix.nix
@@ -1,13 +1,16 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.development.nix-setup;
- inherit (lib) mkEnableOption mkOption mkIf types;
-in {
+ inherit (lib)
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ ;
+in
+{
 options.ghaf.development.nix-setup = {
 enable = mkEnableOption "Target Nix config options";
 nixpkgs = mkOption {
@@ -20,13 +23,16 @@ in {
 config = mkIf cfg.enable {
 nix = {
 settings = {
- experimental-features = ["nix-command" "flakes"];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
 keep-outputs = true;
 keep-derivations = true;
 };
 # Set the path and registry so that e.g. nix-shell and repl work
- nixPath = lib.mkIf (cfg.nixpkgs != null) ["nixpkgs=${cfg.nixpkgs}"];
+ nixPath = lib.mkIf (cfg.nixpkgs != null) [ "nixpkgs=${cfg.nixpkgs}" ];
 registry = lib.mkIf (cfg.nixpkgs != null) {
 nixpkgs.to = {
diff --git a/modules/common/development/scripts/nvpmodel_check.nix b/modules/common/development/scripts/nvpmodel_check.nix
index 1d272df53..8dbe82552 100644
--- a/modules/common/development/scripts/nvpmodel_check.nix
+++ b/modules/common/development/scripts/nvpmodel_check.nix
@@ -1,10 +1,6 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- writeShellApplication,
- lib,
- ...
-}:
+{ writeShellApplication, lib, ... }:
 writeShellApplication {
 name = "nvpmodel-check";
 text = ''
diff --git a/modules/common/development/scripts/perf_test_icicle_kit.nix b/modules/common/development/scripts/perf_test_icicle_kit.nix
index ac3a0042a..595206dd8 100644
--- a/modules/common/development/scripts/perf_test_icicle_kit.nix
+++ b/modules/common/development/scripts/perf_test_icicle_kit.nix
@@ -1,10 +1,6 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- writeShellApplication,
- lib,
- ...
-}:
+{ writeShellApplication, lib, ... }:
 writeShellApplication {
 name = "perf-test-icicle-kit";
 text = ''
diff --git a/modules/common/development/scripts/rm_linux_bootmgr_entries.nix b/modules/common/development/scripts/rm_linux_bootmgr_entries.nix
index 6b90c0d16..8aab934fb 100644
--- a/modules/common/development/scripts/rm_linux_bootmgr_entries.nix
+++ b/modules/common/development/scripts/rm_linux_bootmgr_entries.nix
@@ -1,10 +1,6 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- writeShellApplication,
- lib,
- ...
-}:
+{ writeShellApplication, lib, ... }:
 writeShellApplication {
 name = "rm-linux-bootmgrs";
 text = ''
diff --git a/modules/common/development/scripts/sysbench_fileio_test.nix b/modules/common/development/scripts/sysbench_fileio_test.nix
index 2326e60e0..805b3ee54 100755
--- a/modules/common/development/scripts/sysbench_fileio_test.nix
+++ b/modules/common/development/scripts/sysbench_fileio_test.nix
@@ -1,10 +1,6 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- writeShellApplication,
- lib,
- ...
-}:
+{ writeShellApplication, lib, ... }:
 writeShellApplication {
 name = "sysbench-fileio-test";
 text = ''
diff --git a/modules/common/development/scripts/sysbench_test.nix b/modules/common/development/scripts/sysbench_test.nix
index 3b80c822a..e28401d34 100755
--- a/modules/common/development/scripts/sysbench_test.nix
+++ b/modules/common/development/scripts/sysbench_test.nix
@@ -1,10 +1,6 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- writeShellApplication,
- lib,
- ...
-}:
+{ writeShellApplication, lib, ... }:
 writeShellApplication {
 name = "sysbench-test";
 text = ''
diff --git a/modules/common/development/ssh.nix b/modules/common/development/ssh.nix
index 0daa60658..092fab509 100644
--- a/modules/common/development/ssh.nix
+++ b/modules/common/development/ssh.nix
@@ -1,14 +1,12 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.development.ssh.daemon;
 inherit ((import ./authorized_ssh_keys.nix)) authorizedKeys;
 inherit (lib) mkEnableOption mkIf;
-in {
+in
+{
 options.ghaf.development.ssh.daemon = {
 enable = mkEnableOption "ssh daemon";
 };
diff --git a/modules/common/development/usb-serial.nix b/modules/common/development/usb-serial.nix
index 69379cb75..c19db3a70 100644
--- a/modules/common/development/usb-serial.nix
+++ b/modules/common/development/usb-serial.nix
@@ -1,20 +1,18 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.development.usb-serial;
 inherit (lib) mkEnableOption mkIf;
-in {
+in
+{
 options.ghaf.development.usb-serial = {
 enable = mkEnableOption "Usb-Serial";
 };
 #TODO Should this be alos bound to only x86?
 config = mkIf cfg.enable {
- services.getty.extraArgs = ["115200"];
+ services.getty.extraArgs = [ "115200" ];
 systemd.services."autovt@ttyUSB0".enable = true;
 # ttyUSB0 service is active as soon as corresponding device appears
diff --git a/modules/common/development/yubikey.nix b/modules/common/development/yubikey.nix
index 816b76a02..3549baa77 100644
--- a/modules/common/development/yubikey.nix
+++ b/modules/common/development/yubikey.nix
@@ -1,14 +1,17 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.development.yubikey;
 inherit ((import ./authorized_yubikeys.nix)) authorizedYubikeys;
- inherit (lib) mkEnableOption mkIf concatStrings mkForce;
-in {
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ concatStrings
+ mkForce
+ ;
+in
+{
 options.ghaf.development.yubikey = {
 enable = mkEnableOption "Yubikey test";
 };
diff --git a/modules/common/firewall/default.nix b/modules/common/firewall/default.nix
index d13e33b8f..9d28c039a 100644
--- a/modules/common/firewall/default.nix
+++ b/modules/common/firewall/default.nix
@@ -3,8 +3,4 @@
 #
 # Firewall related modules
 #
-{
- imports = [
- ./kernel-modules.nix
- ];
-}
+{ imports = [ ./kernel-modules.nix ]; }
diff --git a/modules/common/firewall/kernel-modules.nix b/modules/common/firewall/kernel-modules.nix
index 2a72d8078..79aafe0b7 100644
--- a/modules/common/firewall/kernel-modules.nix
+++ b/modules/common/firewall/kernel-modules.nix
@@ -6,13 +6,11 @@
 # Adds bunch of modules to the kernel, so firewall can start, as our custom
 # kernels don't seem to always have all necessary modules enabled.
 #
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.firewall.kernel-modules;
-in {
+in
+{
 options.ghaf.firewall.kernel-modules = {
 enable = lib.mkEnableOption "kernel modules required for firewall";
 };
diff --git a/modules/common/logging/client.nix b/modules/common/logging/client.nix
index 6004c922c..184d2ebed 100644
--- a/modules/common/logging/client.nix
+++ b/modules/common/logging/client.nix
@@ -1,13 +1,11 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.logging.client;
 endpointUrl = config.ghaf.logging.client.endpoint;
-in {
+in
+{
 options.ghaf.logging.client.endpoint = lib.mkOption {
 description = ''
 Assign endpoint url value to the alloy.service running in
diff --git a/modules/common/logging/default.nix b/modules/common/logging/default.nix
index 34dbade89..4cab0fca7 100644
--- a/modules/common/logging/default.nix
+++ b/modules/common/logging/default.nix
@@ -1,8 +1,10 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{lib, ...}: let
+{ lib, ... }:
+let
 inherit (lib) mkOption types;
-in {
+in
+{
 # Creating logging configuration options needed across the host and vms
 options.ghaf.logging = {
 client.enable = mkOption {
diff --git a/modules/common/logging/hw-mac-retrieve.nix b/modules/common/logging/hw-mac-retrieve.nix
index f011f9a67..82cc8863c 100644
--- a/modules/common/logging/hw-mac-retrieve.nix
+++ b/modules/common/logging/hw-mac-retrieve.nix
@@ -5,12 +5,14 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 # TODO: replace sshCommand and MacCommand with givc rpc to retrieve Mac Address
 sshCommand = "${pkgs.sshpass}/bin/sshpass -p ghaf ${pkgs.openssh}/bin/ssh -o StrictHostKeyChecking=no ghaf@net-vm";
 macCommand = "${pkgs.hwinfo}/bin/hwinfo --network --only /class/net/wlp0s5f0 | ${pkgs.gawk}/bin/awk '/Permanent HW Address/ {print $4}'";
 macAddressPath = config.ghaf.logging.identifierFilePath;
-in {
+in
+{
 options.ghaf.logging.identifierFilePath = lib.mkOption {
 description = ''
 This configuration option used to specify the identifier file path.
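Review bot: The `sshCommand` context line in the hw-mac-retrieve.nix hunk still embeds a fixed password (`sshpass -p ghaf`) and passes `-o StrictHostKeyChecking=no`, so the host's MAC lookup authenticates to net-vm with a well-known credential and without host-key verification; the same `StrictHostKeyChecking=no` appears in the desktop.nix launcher hunks further down. This is pre-existing and out of scope for a nixfmt reformat, but the TODO above it only covers the givc migration, not the interim exposure. Until the givc replacement lands, key-based authentication with a pinned `UserKnownHostsFile` (or at minimum `StrictHostKeyChecking=accept-new`) would let both the hard-coded password and the disabled host-key check go.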
@@ -26,8 +28,8 @@ in {
 # TODO: Remove hw-mac.service and replace with givc rpc later
 systemd.services."hw-mac" = {
 description = "Retrieve MAC address from net-vm";
- wantedBy = ["alloy.service"];
- requires = ["network-online.target"];
+ wantedBy = [ "alloy.service" ];
+ requires = [ "network-online.target" ];
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = "yes";
diff --git a/modules/common/logging/logs-aggregator.nix b/modules/common/logging/logs-aggregator.nix
index cb5a4e5d8..37874cb23 100644
--- a/modules/common/logging/logs-aggregator.nix
+++ b/modules/common/logging/logs-aggregator.nix
@@ -1,15 +1,13 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 endpointUrl = config.ghaf.logging.server.endpoint;
 listenerAddress = config.ghaf.logging.listener.address;
 listenerPort = toString config.ghaf.logging.listener.port;
 macAddressPath = config.ghaf.logging.identifierFilePath;
-in {
+in
+{
 options.ghaf.logging.server.endpoint = lib.mkOption {
 description = ''
 Assign endpoint url value to the alloy.service running in
@@ -20,7 +18,9 @@ in {
 };
 config = lib.mkIf config.ghaf.logging.client.enable {
- environment.etc."loki/pass" = {text = "ghaf";};
+ environment.etc."loki/pass" = {
+ text = "ghaf";
+ };
 environment.etc."alloy/logs-aggregator.alloy" = {
 text = ''
 local.file "macAddress" {
@@ -76,7 +76,7 @@ in {
 };
 services.alloy.enable = true;
- systemd.services.alloy.serviceConfig.after = ["hw-mac.service"];
+ systemd.services.alloy.serviceConfig.after = [ "hw-mac.service" ];
 # If there is no internet connection , shutdown/reboot will take around 100sec
 # So, to fix that problem we need to add stop timeout
 # https://github.com/grafana/loki/issues/6533
diff --git a/modules/common/networking/default.nix b/modules/common/networking/default.nix
index 1aecb04ce..d488e28fb 100644
--- a/modules/common/networking/default.nix
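Review bot: In the logs-aggregator.nix hunk, `environment.etc."loki/pass"` is populated through `text = "ghaf";`, which writes the credential into the Nix store and symlinks it into /etc; store paths are world-readable, so every local user and anyone holding a built image can read it. This is pre-existing and a formatting commit is not the place to change it, but it should be tracked as a follow-up rather than left behind the reformat. A file provisioned out of band (an `environment.etc` entry using `source` from outside the store with a restrictive `mode`, or the project's secrets mechanism) would keep the value out of the store, and the literal `"ghaf"` should be treated as a placeholder rather than a real credential.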
+++ b/modules/common/networking/default.nix
@@ -1,7 +1,3 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- imports = [
- ./hosts.nix
- ];
-}
+{ imports = [ ./hosts.nix ]; }
diff --git a/modules/common/networking/hosts.nix b/modules/common/networking/hosts.nix
index 227df528c..12b6efe3f 100644
--- a/modules/common/networking/hosts.nix
+++ b/modules/common/networking/hosts.nix
@@ -1,12 +1,14 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.networking.hosts;
- inherit (lib) mkIf types mkOption optionals;
+ inherit (lib)
+ mkIf
+ types
+ mkOption
+ optionals
+ ;
 hostsEntrySubmodule = types.submodule {
 options = {
@@ -83,34 +85,29 @@
 }
 ];
- mkHostEntryTxt = {
- ip,
- name,
- }:
+ mkHostEntryTxt =
+ { ip, name }:
 "${ipBase}.${toString ip}\t${name}\n"
- + lib.optionalString config.ghaf.profiles.debug.enable
- "${debugBase}.${toString ip}\t${name}-debug\n";
+ + lib.optionalString config.ghaf.profiles.debug.enable "${debugBase}.${toString ip}\t${name}-debug\n";
 entriesTxt = map mkHostEntryTxt hostsEntries;
- mkHostEntry = {
- ip,
- name,
- }: {
- name = "${name}";
- ip = "${ipBase}.${toString ip}";
- };
- mkHostEntryDebug = {
- ip,
- name,
- }: {
- name = "${name}-debug";
- ip = "${debugBase}.${toString ip}";
- };
+ mkHostEntry =
+ { ip, name }:
+ {
+ name = "${name}";
+ ip = "${ipBase}.${toString ip}";
+ };
+ mkHostEntryDebug =
+ { ip, name }:
+ {
+ name = "${name}-debug";
+ ip = "${debugBase}.${toString ip}";
+ };
 entries = (map mkHostEntry hostsEntries)
- ++ optionals config.ghaf.profiles.debug.enable
- (map mkHostEntryDebug hostsEntries);
-in {
+ ++ optionals config.ghaf.profiles.debug.enable (map mkHostEntryDebug hostsEntries);
+in
+{
 options.ghaf.networking.hosts = {
 enable = mkOption {
 type = types.bool;
diff --git a/modules/common/profiles/debug.nix b/modules/common/profiles/debug.nix
index 9eb5e133f..69191008c 100644
--- a/modules/common/profiles/debug.nix
+++ b/modules/common/profiles/debug.nix
@@ -1,13 +1,11 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 #
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.profiles.debug;
-in {
+in
+{
 options.ghaf.profiles.debug = {
 enable = lib.mkEnableOption "debug profile";
 };
diff --git a/modules/common/profiles/host-hardening.nix b/modules/common/profiles/host-hardening.nix
index 4be8c75ab..b02308b2f 100644
--- a/modules/common/profiles/host-hardening.nix
+++ b/modules/common/profiles/host-hardening.nix
@@ -1,22 +1,20 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 #
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.profiles.host-hardening;
 has_host = builtins.hasAttr "host" config.ghaf;
 has_secureBoot = builtins.hasAttr "secureboot" config.ghaf.host;
-in {
+in
+{
 options.ghaf.profiles.host-hardening = {
 enable = lib.mkEnableOption "Host hardening profile";
 };
 config = lib.mkIf cfg.enable {
 ghaf =
- {}
+ { }
 // lib.optionalAttrs (has_host && has_secureBoot) {
 host = {
 # Enable secure boot in the host configuration
diff --git a/modules/common/profiles/kernel-hardening.nix b/modules/common/profiles/kernel-hardening.nix
index bb1320f7d..f4c4bac06 100644
--- a/modules/common/profiles/kernel-hardening.nix
+++ b/modules/common/profiles/kernel-hardening.nix
@@ -1,13 +1,11 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 #
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.profiles.hardening;
-in {
+in
+{
 options.ghaf.profiles.kernel-hardening = {
 enable = lib.mkEnableOption "hardened profile";
 };
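Review bot: In the kernel-hardening.nix hunk the context line `cfg = config.ghaf.profiles.hardening;` does not match the option the same hunk declares, `options.ghaf.profiles.kernel-hardening`. If `cfg.enable` is what gates this module's config (the rest of the file is outside the hunk), evaluation would either fail on the missing `hardening` attribute or read a different profile's switch, unless `ghaf.profiles.hardening` is declared elsewhere in the tree. Worth confirming; if it is a typo, the fix is `cfg = config.ghaf.profiles.kernel-hardening;` in a separate, non-formatting commit.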
diff --git a/modules/common/profiles/release.nix b/modules/common/profiles/release.nix
index b89ab915b..4b1af79a1 100644
--- a/modules/common/profiles/release.nix
+++ b/modules/common/profiles/release.nix
@@ -1,14 +1,12 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 #
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.profiles.release;
 inherit (lib) mkEnableOption mkIf;
-in {
+in
+{
 options.ghaf.profiles.release = {
 enable = mkEnableOption "release profile";
 };
diff --git a/modules/common/security/default.nix b/modules/common/security/default.nix
index f91f3ff50..e3c4b07a0 100644
--- a/modules/common/security/default.nix
+++ b/modules/common/security/default.nix
@@ -1,7 +1,3 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- imports = [
- ./sshkeys.nix
- ];
-}
+{ imports = [ ./sshkeys.nix ]; }
diff --git a/modules/common/security/sshkeys.nix b/modules/common/security/sshkeys.nix
index 2d3553f4b..12abe80e0 100644
--- a/modules/common/security/sshkeys.nix
+++ b/modules/common/security/sshkeys.nix
@@ -1,8 +1,10 @@
 # Copyright 2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{lib, ...}: let
+{ lib, ... }:
+let
 inherit (lib) mkOption types;
-in {
+in
+{
 options.ghaf.security.sshKeys = {
 getAuthKeysFileName = mkOption {
 type = types.str;
diff --git a/modules/common/services/audio.nix b/modules/common/services/audio.nix
index 5449445fe..4434ea63d 100644
--- a/modules/common/services/audio.nix
+++ b/modules/common/services/audio.nix
@@ -6,10 +6,17 @@
 pkgs,
 lib,
 ...
-}: let
+}:
+let
 cfg = config.ghaf.services.audio;
- inherit (lib) mkIf mkEnableOption mkOption types;
-in {
+ inherit (lib)
+ mkIf
+ mkEnableOption
+ mkOption
+ types
+ ;
+in
+{
 options.ghaf.services.audio = {
 enable = mkEnableOption "Enable audio service for audio VM";
 pulseaudioTcpPort = mkOption {
@@ -22,7 +29,7 @@ in {
 config = mkIf cfg.enable {
 # Enable pipewire service for audioVM with pulseaudio support
 security.rtkit.enable = true;
- hardware.firmware = [pkgs.sof-firmware];
+ hardware.firmware = [ pkgs.sof-firmware ];
 services.pipewire = {
 enable = true;
 pulse.enable = true;
@@ -34,7 +41,7 @@ in {
 name = "libpipewire-module-protocol-pulse";
 args = {
 # Enable TCP socket for VMs pulseaudio clients
- "server.address" = ["tcp:4713"];
+ "server.address" = [ "tcp:4713" ];
 "pulse.min.req" = "128/48000"; # 2.7ms
 "pulse.default.req" = "960/48000"; # 20 milliseconds
 "pulse.min.frag" = "128/48000"; # 2.7ms
@@ -55,7 +62,12 @@ in {
 '';
 # Allow ghaf user to access pulseaudio and pipewire
- users.extraUsers.ghaf.extraGroups = ["audio" "video" "pulse-access" "pipewire"];
+ users.extraUsers.ghaf.extraGroups = [
+ "audio"
+ "video"
+ "pulse-access"
+ "pipewire"
+ ];
 # Dummy service to get pipewire and pulseaudio services started at boot
 # Normally Pipewire and pulseaudio are started when they are needed by user,
@@ -63,10 +75,16 @@ in {
 # This calls pulseaudios pa-info binary to get information about pulseaudio current
 # state which starts pipewire-pulseaudio service in the process.
 systemd.services.pulseaudio-starter = {
- after = ["pipewire.service" "network-online.target"];
- requires = ["pipewire.service" "network-online.target"];
- wantedBy = ["default.target"];
- path = [pkgs.coreutils];
+ after = [
+ "pipewire.service"
+ "network-online.target"
+ ];
+ requires = [
+ "pipewire.service"
+ "network-online.target"
+ ];
+ wantedBy = [ "default.target" ];
+ path = [ pkgs.coreutils ];
 enable = true;
 serviceConfig = {
 User = "ghaf";
@@ -76,6 +94,6 @@ in {
 };
 # Open TCP port for the PDF XDG socket
- networking.firewall.allowedTCPPorts = [cfg.pulseaudioTcpPort];
+ networking.firewall.allowedTCPPorts = [ cfg.pulseaudioTcpPort ];
 };
 }
diff --git a/modules/common/services/desktop.nix b/modules/common/services/desktop.nix
index bf4cb5cc8..c6f485537 100644
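Review bot: The comment above `networking.firewall.allowedTCPPorts = [ cfg.pulseaudioTcpPort 
];` in the last audio.nix hunk reads `# Open TCP port for the PDF XDG socket`, which is the pdfopen.nix comment and describes the wrong service; suggest `# Open the TCP port the PulseAudio protocol module listens on for VM clients`. Separately, the protocol module in the second hunk is configured with the literal `"server.address" = [ "tcp:4713" ];` while the firewall rule uses `cfg.pulseaudioTcpPort`; unless that option defaults to 4713 (its definition is outside these hunks), the listening port and the opened port can drift apart, so deriving the `server.address` entry from the same option would keep them in step.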
--- a/modules/common/services/desktop.nix
+++ b/modules/common/services/desktop.nix
@@ -5,22 +5,32 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 inherit (builtins) filter map hasAttr;
- inherit (lib) mkIf mkEnableOption head any optionals optionalAttrs;
+ inherit (lib)
+ mkIf
+ mkEnableOption
+ head
+ any
+ optionals
+ optionalAttrs
+ ;
 cfg = config.ghaf.services.desktop;
 winConfig =
- if (hasAttr "reference" config.ghaf)
- then
- if (hasAttr "programs" config.ghaf.reference)
- then config.ghaf.reference.programs.windows-launcher
- else {}
- else {};
+ if (hasAttr "reference" config.ghaf) then
+ if (hasAttr "programs" config.ghaf.reference) then
+ config.ghaf.reference.programs.windows-launcher
+ else
+ { }
+ else
+ { };
 isIdsvmEnabled = any (vm: vm == "ids-vm") config.ghaf.namespaces.vms;
- # TODO: The desktop configuration needs to be re-worked.
- # TODO it needs to be moved out of common and the launchers have to be set bu the reference programs NOT here
-in {
+in
+# TODO: The desktop configuration needs to be re-worked.
+# TODO it needs to be moved out of common and the launchers have to be set bu the reference programs NOT here
+{
 options.ghaf.services.desktop = {
 enable = mkEnableOption "Enable the desktop configuration";
 };
@@ -29,12 +39,13 @@ in {
 ghaf = optionalAttrs (hasAttr "graphics" config.ghaf) {
 profiles.graphics.compositor = "labwc";
 graphics = {
- launchers = let
- hostEntry = filter (x: x.name == "ghaf-host-debug") config.ghaf.networking.hosts.entries;
- hostAddress = head (map (x: x.ip) hostEntry);
- powerControl = pkgs.callPackage ../../../packages/powercontrol {};
- privateSshKeyPath = config.ghaf.security.sshKeys.sshKeyPath;
- in
+ launchers =
+ let
+ hostEntry = filter (x: x.name == "ghaf-host-debug") config.ghaf.networking.hosts.entries;
+ hostAddress = head (map (x: x.ip) hostEntry);
+ powerControl = pkgs.callPackage ../../../packages/powercontrol { };
+ privateSshKeyPath = config.ghaf.security.sshKeys.sshKeyPath;
+ in
 [
 {
 # The SPKI fingerprint is calculated like this:
@@ -42,18 +53,20 @@ in {
 # $ openssl dgst -sha256 -binary public.key | openssl enc -base64
 name = "Chromium";
 path =
- if isIdsvmEnabled
- then "${pkgs.openssh}/bin/ssh -i ${privateSshKeyPath} -o StrictHostKeyChecking=no chromium-vm run-waypipe chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --user-data-dir=/home/${config.ghaf.users.accounts.user}/.config/chromium/Default --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="
- else "${pkgs.openssh}/bin/ssh -i ${privateSshKeyPath} -o StrictHostKeyChecking=no chromium-vm run-waypipe chromium --enable-features=UseOzonePlatform --ozone-platform=wayland";
+ if isIdsvmEnabled then
+ "${pkgs.openssh}/bin/ssh -i ${privateSshKeyPath} -o StrictHostKeyChecking=no chromium-vm run-waypipe chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --user-data-dir=/home/${config.ghaf.users.accounts.user}/.config/chromium/Default --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="
+ else
+ "${pkgs.openssh}/bin/ssh -i ${privateSshKeyPath} -o StrictHostKeyChecking=no chromium-vm run-waypipe chromium --enable-features=UseOzonePlatform --ozone-platform=wayland";
 icon = "${pkgs.icon-pack}/chromium.svg";
 }
 {
 name = "Trusted Browser";
 path =
- if isIdsvmEnabled
- then "${pkgs.openssh}/bin/ssh -i ${privateSshKeyPath} -o StrictHostKeyChecking=no business-vm run-waypipe chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --user-data-dir=/home/${config.ghaf.users.accounts.user}/.config/chromium/Default --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="
- else "${pkgs.openssh}/bin/ssh -i ${privateSshKeyPath} -o StrictHostKeyChecking=no business-vm run-waypipe chromium --enable-features=UseOzonePlatform --ozone-platform=wayland";
+ if isIdsvmEnabled then
+ "${pkgs.openssh}/bin/ssh -i ${privateSshKeyPath} -o StrictHostKeyChecking=no business-vm run-waypipe chromium --enable-features=UseOzonePlatform 
--ozone-platform=wayland --user-data-dir=/home/${config.ghaf.users.accounts.user}/.config/chromium/Default --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="
+ else
+ "${pkgs.openssh}/bin/ssh -i ${privateSshKeyPath} -o StrictHostKeyChecking=no business-vm run-waypipe chromium --enable-features=UseOzonePlatform --ozone-platform=wayland";
 icon = "${pkgs.icon-pack}/thorium-browser.svg";
 }
 # TODO must enable the waypipe to support more than one app in a VM
diff --git a/modules/common/services/firmware.nix b/modules/common/services/firmware.nix
index 384a583b8..1bfa9d8f5 100644
--- a/modules/common/services/firmware.nix
+++ b/modules/common/services/firmware.nix
@@ -1,13 +1,11 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.services.firmware;
 inherit (lib) mkIf mkEnableOption;
-in {
+in
+{
 options.ghaf.services.firmware = {
 enable = mkEnableOption "PLaceholder for firmware handling";
 };
diff --git a/modules/common/services/fprint.nix b/modules/common/services/fprint.nix
index 958b5aeeb..8c136b548 100644
--- a/modules/common/services/fprint.nix
+++ b/modules/common/services/fprint.nix
@@ -5,10 +5,12 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 inherit (lib) mkEnableOption mkIf;
 cfg = config.ghaf.services.fprint;
-in {
+in
+{
 options.ghaf.services.fprint = {
 enable = mkEnableOption "Enable fingerprint reader support";
 };
@@ -16,7 +18,7 @@ in {
 config = mkIf cfg.enable {
 # Enable service and package for fingerprint reader
 services.fprintd.enable = true;
- environment.systemPackages = [pkgs.fprintd];
+ environment.systemPackages = [ pkgs.fprintd ];
 # Enable polkit and add rules
 ghaf.systemd.withPolkit = true;
diff --git a/modules/common/services/namespaces.nix b/modules/common/services/namespaces.nix
index 6597c6209..c654fdf9f 100644
--- a/modules/common/services/namespaces.nix
+++ b/modules/common/services/namespaces.nix
@@ -1,25 +1,21 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 inherit (builtins) attrNames hasAttr;
 inherit (lib) mkOption types optionalAttrs;
-in {
+in
+{
 options.ghaf.namespaces = {
 vms = mkOption {
 type = types.listOf types.str;
- default = [];
+ default = [ ];
 description = "List of VMs currently enabled.";
 };
 };
 config = {
 ghaf = optionalAttrs (hasAttr "microvm" config) {
- namespaces = optionalAttrs (hasAttr "vms" config.microvm) {
- vms = attrNames config.microvm.vms;
- };
+ namespaces = optionalAttrs (hasAttr "vms" config.microvm) { vms = attrNames config.microvm.vms; };
 };
 };
 }
diff --git a/modules/common/services/pdfopen.nix b/modules/common/services/pdfopen.nix
index f8ecadaa1..6012db915 100644
--- a/modules/common/services/pdfopen.nix
+++ b/modules/common/services/pdfopen.nix
@@ -5,9 +5,15 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 inherit (builtins) toString;
- inherit (lib) mkEnableOption mkOption mkIf types;
+ inherit (lib)
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ ;
 cfg = config.ghaf.services.pdfopener;
 # TODO: Fix the path to get the sshKeyPath so that
@@ -17,7 +23,8 @@
 openPdf = pkgs.callPackage ../../../packages/openPdf {
 inherit (config.ghaf.security.sshKeys) sshKeyPath;
 };
-in {
+in
+{
 options.ghaf.services.pdfopener = {
 enable = mkEnableOption "Enable the pdf opening service";
 xdgPdfPort = mkOption {
@@ -38,7 +45,7 @@ in {
 ListenStream = "${toString cfg.xdgPdfPort}";
 Accept = "yes";
 };
- wantedBy = ["sockets.target"];
+ wantedBy = [ "sockets.target" ];
 };
 services."pdf@" = {
@@ -53,6 +60,6 @@ in {
 };
 # Open TCP port for the PDF XDG socket.
- networking.firewall.allowedTCPPorts = [cfg.xdgPdfPort];
+ networking.firewall.allowedTCPPorts = [ cfg.xdgPdfPort ];
 };
 }
diff --git a/modules/common/services/wifi.nix b/modules/common/services/wifi.nix
index 0765e7b44..5685b929b 100644
--- a/modules/common/services/wifi.nix
+++ b/modules/common/services/wifi.nix
@@ -5,10 +5,12 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 cfg = config.ghaf.services.wifi;
 inherit (lib) mkIf mkForce mkEnableOption;
-in {
+in
+{
 options.ghaf.services.wifi = {
 enable = mkEnableOption "Wifi configuration for the net-vm";
 };
@@ -18,7 +20,7 @@ in {
 wireless.enable = mkForce false;
 networkmanager = {
 enable = true;
- unmanaged = ["ethint0"];
+ unmanaged = [ "ethint0" ];
 };
 };
@@ -46,7 +48,7 @@ in {
 '';
 mode = "0600";
 };
- systemPackages = mkIf config.ghaf.profiles.debug.enable [pkgs.tcpdump];
+ systemPackages = mkIf config.ghaf.profiles.debug.enable [ pkgs.tcpdump ];
 };
 };
 }
diff --git a/modules/common/services/yubikey.nix b/modules/common/services/yubikey.nix
index 2db0c6b24..e8313fd63 100644
--- a/modules/common/services/yubikey.nix
+++ b/modules/common/services/yubikey.nix
@@ -5,17 +5,25 @@
 lib,
 pkgs,
 ...
-}: let
- inherit (lib) mkEnableOption mkIf mkOption types concatStrings;
+}:
+let
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkOption
+ types
+ concatStrings
+ ;
 cfg = config.ghaf.services.yubikey;
 u2f_file = pkgs.writeText "u2f_mapping" config.ghaf.services.yubikey.u2fKeys;
-in {
+in
+{
 options.ghaf.services.yubikey = {
 enable = mkEnableOption "Enable yubikey support which provide 2FA";
 u2fKeys = mkOption {
 type = types.str;
- default = [];
+ default = [ ];
 example = concatStrings [
 ## Key should in following format :,,,:,,,:...
 "ghaf:SZ2CwN7EAE4Ujfxhm+CediUaT9ngoaMOqsKRDrOC+wUkTriKlc1cVtsxkOSav2r9ztaNKn/OwoHiN3BmsBYdZA==,oIdGgoGmkVrVis1kdzpvX3kXrOmBe2noFrpHqh4VKlq/WxrFk+Du670BL7DzLas+GxIPNjgdDCHo9daVzthIwQ==,es256,+presence"
@@ -28,7 +36,7 @@ in {
 config = mkIf cfg.enable {
 # Enable service and package for Yubikey
 services.pcscd.enable = true;
- environment.systemPackages = [pkgs.pam_u2f];
+ environment.systemPackages = [ pkgs.pam_u2f ];
 security.pam.services = {
 sudo.u2fAuth = true;
diff --git a/modules/common/systemd/base.nix b/modules/common/systemd/base.nix
index ffc43d170..219134909 100644
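Review bot: In the first services/yubikey.nix hunk, `u2fKeys` is declared with `type = types.str;` but its reformatted default is the list `[ ]`, so a configuration that enables the service without setting the option fails the module system's type check (a list is not a string), and `pkgs.writeText "u2f_mapping"` on the line above would not accept a list either. The fix is a one-liner, `default = "";`, best kept out of this formatting commit. As a point of style, the `u2f_file` binding reads `config.ghaf.services.yubikey.u2fKeys` directly where `cfg.u2fKeys` is already available.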
--- a/modules/common/systemd/base.nix
+++ b/modules/common/systemd/base.nix
@@ -5,15 +5,23 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 # Ghaf systemd config
 cfg = config.ghaf.systemd;
- inherit (lib) mkEnableOption mkOption mkIf mkForce types;
+ inherit (lib)
+ mkEnableOption
+ mkOption
+ mkIf
+ mkForce
+ types
+ ;
 # Override minimal systemd package configuration
 package =
- (pkgs.systemdMinimal.override ({
+ (pkgs.systemdMinimal.override (
+ {
 pname = cfg.withName;
 withAcl = true;
 withAnalyze = cfg.withDebug;
@@ -50,14 +58,11 @@
 // lib.optionalAttrs (lib.strings.versionAtLeast pkgs.systemdMinimal.version "255.0") {
 withVmspawn = cfg.withMachines;
 withQrencode = true; # Required for systemd-bsod (currently hardcoded in nixos)
- }))
- .overrideAttrs (prevAttrs: {
- patches =
- prevAttrs.patches
- ++ [
- ./systemd-boot-double-dtb-buffer-size.patch
- ];
- });
+ }
+ )).overrideAttrs
+ (prevAttrs: {
+ patches = prevAttrs.patches ++ [ ./systemd-boot-double-dtb-buffer-size.patch ];
+ });
 # Definition of suppressed system units in systemd configuration. This removes the units and has priority.
 # Required to avoid build failures compared to only disabling units for some options. Note that errors will be silently ignored.
@@ -112,9 +117,7 @@
 "auditd.service"
 "systemd-journald-audit.socket"
 ])
- ++ (lib.optionals ((!cfg.withDebug) && (!cfg.withMachines)) [
- "systemd-coredump.socket"
- ])
+ ++ (lib.optionals ((!cfg.withDebug) && (!cfg.withMachines)) [ "systemd-coredump.socket" ])
 ++ (lib.optionals (!cfg.withLogind) [
 "systemd-logind.service"
 "dbus-org.freedesktop.login1.service"
@@ -128,12 +131,8 @@ "nss-lookup.target.requires" "nss-user-lookup.target.requires" ]) - ++ (lib.optionals (!cfg.withTimesyncd) [ - "systemd-timesyncd.service" - ]) - ++ (lib.optionals (!cfg.withResolved) [ - "systemd-resolved.service" - ]) + ++ (lib.optionals (!cfg.withTimesyncd) [ "systemd-timesyncd.service" ]) + ++ (lib.optionals (!cfg.withResolved) [ "systemd-resolved.service" ]) ++ (lib.optionals (!cfg.withNetworkd) [ "network.target" "network-pre.target" @@ -172,7 +171,8 @@ "prepare-kexec.service" "prepare-kexec.target" ]); -in { +in +{ options.ghaf.systemd = { enable = mkEnableOption "Enable minimal systemd configuration."; diff --git a/modules/common/systemd/boot.nix b/modules/common/systemd/boot.nix index 26beea516..a73ca3b13 100644 --- a/modules/common/systemd/boot.nix +++ b/modules/common/systemd/boot.nix @@ -5,7 +5,8 @@ lib, pkgs, ... -}: let +}: +let # Ghaf configuration flags cfg = config.ghaf.systemd.boot; cfgBase = config.ghaf.systemd; @@ -13,7 +14,8 @@ inherit (lib) mkEnableOption mkIf optionals; # Package configuration - package = pkgs.systemdMinimal.override ({ + package = pkgs.systemdMinimal.override ( + { pname = "stage1-systemd"; inherit (cfgBase) withAudit; inherit (cfgBase) withCryptsetup; @@ -24,13 +26,12 @@ } // lib.optionalAttrs (lib.strings.versionAtLeast pkgs.systemdMinimal.version "255.0") { withQrencode = true; # Required for systemd-bsod, which is currently hardcoded in nixos - }); + } + ); # Suppressed initrd systemd units suppressedUnits = - [ - "multi-user.target" - ] + [ "multi-user.target" ] ++ (lib.optionals ((!cfgBase.withDebug) && (!cfgBase.withJournal)) [ "systemd-journald.service" "systemd-journald.socket" @@ -48,7 +49,8 @@ "rescue.target" "rpcbind.target" ]); -in { +in +{ options.ghaf.systemd.boot = { enable = mkEnableOption "Enable systemd in stage 1 of the boot (initrd)."; }; 
@@ -63,7 +65,10 @@ in { inherit suppressedUnits; emergencyAccess = config.ghaf.profiles.debug.enable; enableTpm2 = cfgBase.withTpm2Tss; - initrdBin = optionals config.ghaf.profiles.debug.enable [pkgs.lvm2 pkgs.util-linux]; + initrdBin = optionals config.ghaf.profiles.debug.enable [ + pkgs.lvm2 + pkgs.util-linux + ]; }; }; }; diff --git a/modules/common/systemd/harden.nix b/modules/common/systemd/harden.nix index b5cc57374..083864b8a 100644 --- a/modules/common/systemd/harden.nix +++ b/modules/common/systemd/harden.nix @@ -1,23 +1,23 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let # Ghaf systemd config cfg = config.ghaf.systemd; apply-service-configs = configs-dir: { services = lib.foldl' ( - services: s: let - svc = builtins.replaceStrings [".nix"] [""] s; + services: s: + let + svc = builtins.replaceStrings [ ".nix" ] [ "" ] s; in - services - // lib.optionalAttrs (!builtins.elem "${svc}.service" cfg.excludedHardenedConfigs) - {${svc}.serviceConfig = import "${configs-dir}/${svc}.nix";} - ) {} (builtins.attrNames (builtins.readDir configs-dir)); + services + // lib.optionalAttrs (!builtins.elem "${svc}.service" cfg.excludedHardenedConfigs) { + ${svc}.serviceConfig = import "${configs-dir}/${svc}.nix"; + } + ) { } (builtins.attrNames (builtins.readDir configs-dir)); }; -in { +in +{ options.ghaf.systemd = { withHardenedConfigs = lib.mkOption { description = "Enable common hardened configs."; @@ -26,9 +26,9 @@ in { }; excludedHardenedConfigs = lib.mkOption { - default = []; + default = [ ]; type = lib.types.listOf lib.types.str; - example = ["sshd.service"]; + example = [ "sshd.service" ]; description = '' A list of units to skip when applying hardened systemd service configurations. The main purpose of this is to provide a mechanism to exclude specific hardened 
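Review bot: `apply-service-configs` in the harden.nix hunk feeds every entry of `builtins.readDir configs-dir` into `import "${configs-dir}/${svc}.nix"`, so a non-`.nix` file or a subdirectory placed in `hardened-configs/common` or `hardened-configs/release` would break evaluation, and `builtins.replaceStrings [ ".nix" ] [ "" ] s` strips that substring anywhere in the name rather than only as a suffix. Restricting the listing to regular `.nix` files keeps the hardened profiles applied to exactly the intended service files: `svc = lib.removeSuffix ".nix" s;` and `(builtins.attrNames (lib.filterAttrs (n: t: t == "regular" && lib.hasSuffix ".nix" n) (builtins.readDir configs-dir)))` in place of the bare `builtins.attrNames (builtins.readDir configs-dir)`. The exclusion check against `cfg.excludedHardenedConfigs` is unaffected by this.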
@@ -37,7 +37,8 @@ in { }; logLevel = lib.mkOption { - description = '' Log Level for systemd services. + description = '' + Log Level for systemd services. Available options: "emerg", "alert", "crit", "err", "warning", "info", "debug" ''; type = lib.types.str; @@ -51,10 +52,12 @@ in { (lib.mkIf cfg.withHardenedConfigs (apply-service-configs ./hardened-configs/common)) # Apply release only service configurations - (lib.mkIf (!cfg.withDebug && cfg.withHardenedConfigs) (apply-service-configs ./hardened-configs/release)) + (lib.mkIf ( + !cfg.withDebug && cfg.withHardenedConfigs + ) (apply-service-configs ./hardened-configs/release)) # Set systemd log level - {services."_global_".environment.SYSTEMD_LOG_LEVEL = cfg.logLevel;} + { services."_global_".environment.SYSTEMD_LOG_LEVEL = cfg.logLevel; } ]; }; } diff --git a/modules/common/systemd/hardened-configs/common/NetworkManager-dispatcher.nix b/modules/common/systemd/hardened-configs/common/NetworkManager-dispatcher.nix index 76aeb732e..69c9b835a 100644 --- a/modules/common/systemd/hardened-configs/common/NetworkManager-dispatcher.nix +++ b/modules/common/systemd/hardened-configs/common/NetworkManager-dispatcher.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; # NoNewPrivileges=true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/dbus.nix b/modules/common/systemd/hardened-configs/common/dbus.nix index 14e09ded0..a0de4971a 100644 --- a/modules/common/systemd/hardened-configs/common/dbus.nix +++ b/modules/common/systemd/hardened-configs/common/dbus.nix 
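Review bot: `UMask = 077;` becoming `UMask = 77;` in the NetworkManager-dispatcher.nix hunk is the one edit in this commit that is not whitespace, and the description should say so. Nix has no octal literals, so `077` and `77` are the same integer, and systemd parses `UMask=` as octal, so the effective mask should be unchanged; what is lost is the readability cue, since a bare `77` now reads as a decimal mask and invites a wrong "correction" later. Writing it as a string, `UMask = "0077";`, keeps the octal intent visible and is stable under reformatting. The same applies to every other hardened-configs file in this commit whose hunk turns `077` into `77`, including the release audit.nix, sshd.nix and user@.nix configs.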
@@ -25,7 +25,7 @@ ProtectSystem = "full"; # ProtectProc="noaccess"; # ReadWritePaths=[ "/etc"]; - ReadOnlyPaths = ["/"]; + ReadOnlyPaths = [ "/" ]; PrivateTmp = true; # Not applicable for the service runs as root @@ -65,21 +65,21 @@ # Delegate=false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/dnsmasq.nix b/modules/common/systemd/hardened-configs/common/dnsmasq.nix index 4d007c639..ec96f2718 100644 --- a/modules/common/systemd/hardened-configs/common/dnsmasq.nix +++ b/modules/common/systemd/hardened-configs/common/dnsmasq.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; # RestrictNamespaces=true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/enable-ksm.nix b/modules/common/systemd/hardened-configs/common/enable-ksm.nix index fbd21c24f..2f097646e 100644 --- a/modules/common/systemd/hardened-configs/common/enable-ksm.nix +++ b/modules/common/systemd/hardened-configs/common/enable-ksm.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; 
diff --git a/modules/common/systemd/hardened-configs/common/firewall.nix b/modules/common/systemd/hardened-configs/common/firewall.nix index 43e9f0e89..56bffddbe 100644 --- a/modules/common/systemd/hardened-configs/common/firewall.nix +++ b/modules/common/systemd/hardened-configs/common/firewall.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/generate-shutdown-ramfs.nix b/modules/common/systemd/hardened-configs/common/generate-shutdown-ramfs.nix index d71ee4113..e29e9fece 100644 --- a/modules/common/systemd/hardened-configs/common/generate-shutdown-ramfs.nix +++ b/modules/common/systemd/hardened-configs/common/generate-shutdown-ramfs.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/ghaf-session.nix b/modules/common/systemd/hardened-configs/common/ghaf-session.nix index 37a45fc98..e8246a625 100644 --- a/modules/common/systemd/hardened-configs/common/ghaf-session.nix +++ b/modules/common/systemd/hardened-configs/common/ghaf-session.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/install-microvm-netvm.nix b/modules/common/systemd/hardened-configs/common/install-microvm-netvm.nix index c47576b1c..d6880a9c9 100644 --- a/modules/common/systemd/hardened-configs/common/install-microvm-netvm.nix +++ b/modules/common/systemd/hardened-configs/common/install-microvm-netvm.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix b/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix index 98467b99f..dc5bf3997 100644 --- a/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix +++ b/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/logrotate-checkconf.nix b/modules/common/systemd/hardened-configs/common/logrotate-checkconf.nix index 147304456..b7d1399a4 100644 --- a/modules/common/systemd/hardened-configs/common/logrotate-checkconf.nix +++ b/modules/common/systemd/hardened-configs/common/logrotate-checkconf.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/logrotate.nix b/modules/common/systemd/hardened-configs/common/logrotate.nix index 147304456..b7d1399a4 100644 --- a/modules/common/systemd/hardened-configs/common/logrotate.nix +++ b/modules/common/systemd/hardened-configs/common/logrotate.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/microvm-tap-interfaces@.nix b/modules/common/systemd/hardened-configs/common/microvm-tap-interfaces@.nix index 76ac5751c..36420e297 100644 --- a/modules/common/systemd/hardened-configs/common/microvm-tap-interfaces@.nix +++ b/modules/common/systemd/hardened-configs/common/microvm-tap-interfaces@.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/microvm-virtiofsd@.nix b/modules/common/systemd/hardened-configs/common/microvm-virtiofsd@.nix index 0c82af658..38f638906 100644 --- a/modules/common/systemd/hardened-configs/common/microvm-virtiofsd@.nix +++ b/modules/common/systemd/hardened-configs/common/microvm-virtiofsd@.nix @@ -63,7 +63,7 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; 
diff --git a/modules/common/systemd/hardened-configs/common/microvm@.nix b/modules/common/systemd/hardened-configs/common/microvm@.nix index 4f1fe59f0..47715ae7f 100644 --- a/modules/common/systemd/hardened-configs/common/microvm@.nix +++ b/modules/common/systemd/hardened-configs/common/microvm@.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/network-local-commands.nix b/modules/common/systemd/hardened-configs/common/network-local-commands.nix index ff7c13737..69e19684e 100644 --- a/modules/common/systemd/hardened-configs/common/network-local-commands.nix +++ b/modules/common/systemd/hardened-configs/common/network-local-commands.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/nscd.nix b/modules/common/systemd/hardened-configs/common/nscd.nix index ccf1a4378..bd5c5b61d 100644 --- a/modules/common/systemd/hardened-configs/common/nscd.nix +++ b/modules/common/systemd/hardened-configs/common/nscd.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/pulseaudio.nix b/modules/common/systemd/hardened-configs/common/pulseaudio.nix index b8c5e09a4..3a3b5c97a 100644 --- a/modules/common/systemd/hardened-configs/common/pulseaudio.nix +++ b/modules/common/systemd/hardened-configs/common/pulseaudio.nix @@ -70,15 +70,15 @@ # ProtectControlGroups=true; # RestrictNamespaces=true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/rtkit-daemon.nix b/modules/common/systemd/hardened-configs/common/rtkit-daemon.nix index 92fe1a1ec..7f152cd20 100644 --- a/modules/common/systemd/hardened-configs/common/rtkit-daemon.nix +++ b/modules/common/systemd/hardened-configs/common/rtkit-daemon.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; # RestrictNamespaces=true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/seatd.nix b/modules/common/systemd/hardened-configs/common/seatd.nix index 538c86ec6..8134aef04 100644 
--- a/modules/common/systemd/hardened-configs/common/seatd.nix +++ b/modules/common/systemd/hardened-configs/common/seatd.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-fsck-root.nix b/modules/common/systemd/hardened-configs/common/systemd-fsck-root.nix index 050b942da..efda36ea6 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-fsck-root.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-fsck-root.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-journal-catalog-update.nix b/modules/common/systemd/hardened-configs/common/systemd-journal-catalog-update.nix index 43eff182a..700f57cda 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-journal-catalog-update.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-journal-catalog-update.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-journal-flush.nix b/modules/common/systemd/hardened-configs/common/systemd-journal-flush.nix index 10de39359..4174778d4 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-journal-flush.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-journal-flush.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-networkd-wait-online.nix b/modules/common/systemd/hardened-configs/common/systemd-networkd-wait-online.nix index 39d9b764f..c4450d066 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-networkd-wait-online.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-networkd-wait-online.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-random-seed.nix b/modules/common/systemd/hardened-configs/common/systemd-random-seed.nix index 0956f9226..4bfd967a3 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-random-seed.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-random-seed.nix @@ -44,7 +44,7 @@ ########### PrivateDevices = true; - DeviceAllow = ["/dev/null rw"]; + DeviceAllow = [ "/dev/null rw" ]; ########## # Kernel # @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix b/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix index 6c9b43936..d6b241892 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-rfkill.nix b/modules/common/systemd/hardened-configs/common/systemd-rfkill.nix index ceb9ab497..471c0af31 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-rfkill.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-rfkill.nix @@ -44,7 +44,7 @@ ########### PrivateDevices = true; - DeviceAllow = ["/dev/null rw"]; + DeviceAllow = [ "/dev/null rw" ]; ########## # Kernel # @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-clean.nix b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-clean.nix index dab1ef032..0aec328d1 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-clean.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-clean.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup-dev.nix b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup-dev.nix index c47576b1c..d6880a9c9 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup-dev.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup-dev.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup.nix b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup.nix index 4a785ef49..cf6d109f4 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-udev-trigger.nix b/modules/common/systemd/hardened-configs/common/systemd-udev-trigger.nix index 818b2c760..33b1c52b1 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-udev-trigger.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-udev-trigger.nix @@ -44,7 +44,7 @@ ########### PrivateDevices = true; - DeviceAllow = ["/dev/null rw"]; + DeviceAllow = [ "/dev/null rw" ]; ########## # Kernel # @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-udevd.nix b/modules/common/systemd/hardened-configs/common/systemd-udevd.nix index c444af198..35a5837f4 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-udevd.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-udevd.nix 
@@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; # ProtectHostname=true; ProtectClock = true; # ProtectControlGroups=true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ # LockPersonality=true; # MemoryDenyWriteExecute=true; diff --git a/modules/common/systemd/hardened-configs/common/systemd-user-sessions.nix b/modules/common/systemd/hardened-configs/common/systemd-user-sessions.nix index d71ee4113..e29e9fece 100644 --- a/modules/common/systemd/hardened-configs/common/systemd-user-sessions.nix +++ b/modules/common/systemd/hardened-configs/common/systemd-user-sessions.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/tpm2-abrmd.nix b/modules/common/systemd/hardened-configs/common/tpm2-abrmd.nix index 92fe1a1ec..7f152cd20 100644 --- a/modules/common/systemd/hardened-configs/common/tpm2-abrmd.nix +++ b/modules/common/systemd/hardened-configs/common/tpm2-abrmd.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; # RestrictNamespaces=true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; 
diff --git a/modules/common/systemd/hardened-configs/common/user-runtime-dir@.nix b/modules/common/systemd/hardened-configs/common/user-runtime-dir@.nix index c04a28e8a..d14ee7e79 100644 --- a/modules/common/systemd/hardened-configs/common/user-runtime-dir@.nix +++ b/modules/common/systemd/hardened-configs/common/user-runtime-dir@.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/vsockproxy.nix b/modules/common/systemd/hardened-configs/common/vsockproxy.nix index 92fe1a1ec..7f152cd20 100644 --- a/modules/common/systemd/hardened-configs/common/vsockproxy.nix +++ b/modules/common/systemd/hardened-configs/common/vsockproxy.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; # RestrictNamespaces=true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/common/wpa_supplicant.nix b/modules/common/systemd/hardened-configs/common/wpa_supplicant.nix index 5d1015aef..7938b9d20 100644 --- a/modules/common/systemd/hardened-configs/common/wpa_supplicant.nix +++ b/modules/common/systemd/hardened-configs/common/wpa_supplicant.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; # RestrictNamespaces=true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; 
diff --git a/modules/common/systemd/hardened-configs/release/NetworkManager.nix b/modules/common/systemd/hardened-configs/release/NetworkManager.nix index 1874aca63..8512d9a51 100644 --- a/modules/common/systemd/hardened-configs/release/NetworkManager.nix +++ b/modules/common/systemd/hardened-configs/release/NetworkManager.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; # RestrictNamespaces=true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/release/audit.nix b/modules/common/systemd/hardened-configs/release/audit.nix index b456ca878..5d7051b13 100644 --- a/modules/common/systemd/hardened-configs/release/audit.nix +++ b/modules/common/systemd/hardened-configs/release/audit.nix @@ -61,21 +61,21 @@ Delegate = false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; MemoryDenyWriteExecute = true; diff --git a/modules/common/systemd/hardened-configs/release/sshd.nix b/modules/common/systemd/hardened-configs/release/sshd.nix index 588c7c212..58b850821 100644 --- a/modules/common/systemd/hardened-configs/release/sshd.nix +++ b/modules/common/systemd/hardened-configs/release/sshd.nix 
@@ -68,21 +68,24 @@ # Delegate=false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; ProtectControlGroups = true; - RestrictNamespaces = ["~cgroup" "~uts"]; - /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" + RestrictNamespaces = [ + "~cgroup" + "~uts" ]; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ LockPersonality = true; # MemoryDenyWriteExecute=true; diff --git a/modules/common/systemd/hardened-configs/release/user@.nix b/modules/common/systemd/hardened-configs/release/user@.nix index 9e652b79d..47d72c29c 100644 --- a/modules/common/systemd/hardened-configs/release/user@.nix +++ b/modules/common/systemd/hardened-configs/release/user@.nix @@ -61,21 +61,21 @@ # Delegate=false; # KeyringMode="private"; NoNewPrivileges = true; - UMask = 077; + UMask = 77; ProtectHostname = true; ProtectClock = true; # ProtectControlGroups=true; RestrictNamespaces = true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ # LockPersonality=true; # MemoryDenyWriteExecute=true; diff --git a/modules/common/systemd/hardened-configs/template.nix b/modules/common/systemd/hardened-configs/template.nix index 6803329ea..88e304ae5 100644 --- a/modules/common/systemd/hardened-configs/template.nix +++ b/modules/common/systemd/hardened-configs/template.nix @@ -67,15 +67,15 @@ # ProtectControlGroups=true; # RestrictNamespaces=true; /* - RestrictNamespaces=[ - #"~user" - #"~pid" - #"~net" - #"~uts" - #"~mnt" - #"~cgroup" - #"~ipc" - ]; + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; */ # LockPersonality=true; # MemoryDenyWriteExecute=true; 
diff --git a/modules/common/users/accounts.nix b/modules/common/users/accounts.nix index 97c63b74d..e3822f8d7 100644 --- a/modules/common/users/accounts.nix +++ b/modules/common/users/accounts.nix @@ -1,15 +1,18 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: +{ config, lib, ... }: # account for the development time login with sudo rights let cfg = config.ghaf.users.accounts; - inherit (lib) mkEnableOption mkOption optionals mkIf types; -in { + inherit (lib) + mkEnableOption + mkOption + optionals + mkIf + types + ; +in +{ #TODO Extend this to allow definition of multiple users options.ghaf.users.accounts = { enable = mkEnableOption "Default account Setup"; @@ -36,17 +39,18 @@ in { isNormalUser = true; inherit (cfg) password; #TODO add "docker" use "lib.optionals" - extraGroups = - ["wheel" "video" "networkmanager"] - ++ optionals - config.security.tpm2.enable ["tss"]; + extraGroups = [ + "wheel" + "video" + "networkmanager" + ] ++ optionals config.security.tpm2.enable [ "tss" ]; }; groups."${cfg.user}" = { name = cfg.user; - members = [cfg.user]; + members = [ cfg.user ]; }; }; # to build ghaf as ghaf-user with caches - nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [cfg.user]; + nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [ cfg.user ]; }; } diff --git a/modules/common/version/default.nix b/modules/common/version/default.nix index 531bd8292..04b6e254e 100644 --- a/modules/common/version/default.nix +++ b/modules/common/version/default.nix @@ -8,11 +8,13 @@ lib, config, ... -}: let +}: +let ghafVersion = pkgs.writeShellScriptBin "ghaf-version" '' echo "${config.ghaf.version}" ''; -in { +in +{ options = { ghaf.version = lib.mkOption { type = lib.types.str; @@ -23,8 +25,6 @@ in { }; }; config = { - environment.systemPackages = [ - ghafVersion - ]; + environment.systemPackages = [ ghafVersion ]; }; } 
diff --git a/modules/common/virtualization/docker.nix b/modules/common/virtualization/docker.nix index b9cb1f86d..6b9fa77e2 100644 --- a/modules/common/virtualization/docker.nix +++ b/modules/common/virtualization/docker.nix @@ -1,13 +1,11 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.virtualization.docker.daemon; inherit (lib) mkEnableOption mkIf; -in { +in +{ options.ghaf.virtualization.docker.daemon = { enable = mkEnableOption "Docker Daemon"; }; diff --git a/modules/desktop/graphics/boot.nix b/modules/desktop/graphics/boot.nix index a32a82fd7..e50be87da 100644 --- a/modules/desktop/graphics/boot.nix +++ b/modules/desktop/graphics/boot.nix @@ -1,12 +1,10 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.graphics.boot; -in { +in +{ options.ghaf.graphics.boot = { enable = lib.mkOption { type = lib.types.bool; @@ -24,7 +22,10 @@ in { logo = ../../../assets/ghaf-logo.png; }; # Hide boot log from user completely - kernelParams = ["quiet" "udev.log_priority=3"]; + kernelParams = [ + "quiet" + "udev.log_priority=3" + ]; consoleLogLevel = 0; initrd.verbose = false; }; diff --git a/modules/desktop/graphics/demo-apps.nix b/modules/desktop/graphics/demo-apps.nix index 017b986fb..963259bcc 100644 --- a/modules/desktop/graphics/demo-apps.nix +++ b/modules/desktop/graphics/demo-apps.nix 
@@ -5,22 +5,24 @@ lib, config, ... -}: let +}: +let cfg = config.ghaf.graphics.demo-apps; /* - Generate launchers to be used in the application drawer - - Type: mkProgramOption :: string -> bool -> option + Generate launchers to be used in the application drawer + Type: mkProgramOption :: string -> bool -> option */ - mkProgramOption = name: default: + mkProgramOption = + name: default: lib.mkOption { inherit default; type = lib.types.bool; description = "Include package ${name} to menu and system environment"; }; -in { +in +{ options.ghaf.graphics.demo-apps = { chromium = mkProgramOption "Chromium browser" false; firefox = mkProgramOption "Firefox browser" config.ghaf.graphics.enableDemoApplications; diff --git a/modules/desktop/graphics/fonts.nix b/modules/desktop/graphics/fonts.nix index 70187a24c..fda3967d2 100644 --- a/modules/desktop/graphics/fonts.nix +++ b/modules/desktop/graphics/fonts.nix @@ -5,12 +5,12 @@ lib, config, ... -}: let +}: +let inherit (config.ghaf.graphics) labwc; -in { +in +{ config = lib.mkIf labwc.enable { - fonts.packages = builtins.attrValues { - inherit (pkgs) inter fira-code-nerdfont hack-font; - }; + fonts.packages = builtins.attrValues { inherit (pkgs) inter fira-code-nerdfont hack-font; }; }; } diff --git a/modules/desktop/graphics/ghaf-launcher.nix b/modules/desktop/graphics/ghaf-launcher.nix index 42f9bb38b..808e67848 100644 --- a/modules/desktop/graphics/ghaf-launcher.nix +++ b/modules/desktop/graphics/ghaf-launcher.nix @@ -1,6 +1,7 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let +{ pkgs, ... }: +let drawerCSS = pkgs.writeTextDir "nwg-drawer/drawer.css" '' /* Example configuration from: https://github.com/nwg-piotr/nwg-drawer/blob/main/drawer.css */ window { 
@@ -48,21 +49,21 @@ } ''; in - pkgs.writeShellApplication { - name = "ghaf-launcher"; - runtimeInputs = [ - pkgs.coreutils - pkgs.nwg-drawer - ]; - text = '' - export XDG_CONFIG_HOME="$HOME/.config" - export XDG_CACHE_HOME="$HOME/.cache" +pkgs.writeShellApplication { + name = "ghaf-launcher"; + runtimeInputs = [ + pkgs.coreutils + pkgs.nwg-drawer + ]; + text = '' + export XDG_CONFIG_HOME="$HOME/.config" + export XDG_CACHE_HOME="$HOME/.cache" - # Temporary workaround - mkdir -p "$XDG_CACHE_HOME" "$XDG_CONFIG_HOME" - rm -rf "$HOME/.config/nwg-drawer" - ln -s "${drawerCSS}/nwg-drawer" "$HOME/.config/" + # Temporary workaround + mkdir -p "$XDG_CACHE_HOME" "$XDG_CONFIG_HOME" + rm -rf "$HOME/.config/nwg-drawer" + ln -s "${drawerCSS}/nwg-drawer" "$HOME/.config/" - nwg-drawer -c 5 -mb 60 -ml 440 -mr 440 -mt 420 -nofs -nocats -ovl - ''; - } + nwg-drawer -c 5 -mb 60 -ml 440 -mr 440 -mt 420 -nofs -nocats -ovl + ''; +} diff --git a/modules/desktop/graphics/labwc.config.nix b/modules/desktop/graphics/labwc.config.nix index 075e16573..9e6938ab1 100644 --- a/modules/desktop/graphics/labwc.config.nix +++ b/modules/desktop/graphics/labwc.config.nix @@ -5,10 +5,11 @@ lib, config, ... -}: let +}: +let cfg = config.ghaf.graphics.labwc; - audio-ctrl = pkgs.callPackage ../../../packages/audio-ctrl {}; + audio-ctrl = pkgs.callPackage ../../../packages/audio-ctrl { }; gtklockStyle = pkgs.writeText "gtklock.css" '' window { background: rgba(29, 29, 29, 1); @@ -42,7 +43,7 @@ pkgs.waybar pkgs.mako - (pkgs.callPackage ./ghaf-launcher.nix {inherit config pkgs;}) + (pkgs.callPackage ./ghaf-launcher.nix { inherit config pkgs; }) ] ++ lib.optionals cfg.autolock.enable [ pkgs.swayidle @@ -101,10 +102,10 @@ ${lib.optionalString config.ghaf.profiles.debug.enable '' - - - - ''} + + + + ''} @@ -123,10 +124,13 @@ - ${lib.concatStringsSep "\n" (map (rule: '' - - '') - cfg.frameColouring)} + ${ + lib.concatStringsSep "\n" ( + map (rule: '' + + '') cfg.frameColouring + ) + } yes 
@@ -156,10 +160,10 @@ 'Reconfigure' and 'Exit' items --> ${lib.optionalString config.ghaf.profiles.debug.enable '' - - - - ''} + + + + ''} ''; @@ -173,7 +177,8 @@ padding=10 default-timeout=10000 ''; -in { +in +{ config = lib.mkIf cfg.enable { systemd.user.services."labwc".serviceConfig = { ExecStart = "${pkgs.labwc}/bin/labwc -C /etc/labwc -s ${autostart}/bin/labwc-autostart"; diff --git a/modules/desktop/graphics/labwc.nix b/modules/desktop/graphics/labwc.nix index 37ce79179..64d54e756 100644 --- a/modules/desktop/graphics/labwc.nix +++ b/modules/desktop/graphics/labwc.nix @@ -5,10 +5,16 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.graphics.labwc; - renderers = ["vulkan" "pixman" "egl2"]; -in { + renderers = [ + "vulkan" + "pixman" + "egl2" + ]; +in +{ options.ghaf.graphics.labwc = { enable = lib.mkEnableOption "labwc"; autolock = { @@ -37,20 +43,22 @@ in { description = "Path to the wallpaper image"; }; frameColouring = lib.mkOption { - type = lib.types.listOf (lib.types.submodule { - options = { - identifier = lib.mkOption { - type = lib.types.str; - example = "foot"; - description = "Identifier of the application"; - }; - colour = lib.mkOption { - type = lib.types.str; - example = "#006305"; - description = "Colour of the window frame"; + type = lib.types.listOf ( + lib.types.submodule { + options = { + identifier = lib.mkOption { + type = lib.types.str; + example = "foot"; + description = "Identifier of the application"; + }; + colour = lib.mkOption { + type = lib.types.str; + example = "#006305"; + description = "Colour of the window frame"; + }; }; - }; - }); + } + ); default = [ { identifier = "foot"; 
@@ -98,16 +106,16 @@ in { pkgs.ghaf-openbox-theme pkgs.adwaita-icon-theme - (import ./launchers.nix {inherit pkgs config;}) + (import ./launchers.nix { inherit pkgs config; }) ] # Grim screenshot tool is used for labwc debug-builds - ++ lib.optionals config.ghaf.profiles.debug.enable [pkgs.grim]; + ++ lib.optionals config.ghaf.profiles.debug.enable [ pkgs.grim ]; # It will create a /etc/pam.d/ file for authentication - security.pam.services.gtklock = {}; + security.pam.services.gtklock = { }; services.upower.enable = true; - fonts.fontconfig.defaultFonts.sansSerif = ["Inter"]; + fonts.fontconfig.defaultFonts.sansSerif = [ "Inter" ]; ghaf.graphics.launchers = lib.mkIf config.ghaf.profiles.debug.enable [ { @@ -123,8 +131,8 @@ in { systemd.user.services."labwc" = { enable = true; description = "labwc, a Wayland compositor, as a user service TEST"; - documentation = ["man:labwc(1)"]; - after = ["ghaf-session.service"]; + documentation = [ "man:labwc(1)" ]; + after = [ "ghaf-session.service" ]; serviceConfig = { # Previously there was "notify" type, but for some reason # systemd kills labwc.service because of timeout (even if it is disabled). @@ -155,7 +163,7 @@ in { WLR_NO_HARDWARE_CURSORS = "1"; _JAVA_AWT_WM_NONREPARENTING = "1"; }; - wantedBy = ["default.target"]; + wantedBy = [ "default.target" ]; }; #Allow video group to change brightness diff --git a/modules/desktop/graphics/launchers.nix b/modules/desktop/graphics/launchers.nix index 895a22f60..dd61d8423 100644 --- a/modules/desktop/graphics/launchers.nix +++ b/modules/desktop/graphics/launchers.nix 
@@ -1,29 +1,27 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - pkgs, - config, - ... -}: let - toDesktop = elem: +{ pkgs, config, ... }: +let + toDesktop = + elem: (pkgs.makeDesktopItem { inherit (elem) name icon; genericName = elem.name; desktopName = elem.name; comment = "Secured Ghaf Application"; exec = elem.path; - }) - .overrideAttrs (prevAttrs: { - checkPhase = - prevAttrs.checkPhase - + '' + }).overrideAttrs + (prevAttrs: { + checkPhase = + prevAttrs.checkPhase + + '' - # Check that the icon's path exists - [[ -f "${elem.icon}" ]] || (echo "The icon's path ${elem.icon} doesn't exist" && exit 1) - ''; - }); + # Check that the icon's path exists + [[ -f "${elem.icon}" ]] || (echo "The icon's path ${elem.icon} doesn't exist" && exit 1) + ''; + }); in - pkgs.symlinkJoin { - name = "ghaf-desktop-entries"; - paths = map toDesktop config.ghaf.graphics.launchers; - } +pkgs.symlinkJoin { + name = "ghaf-desktop-entries"; + paths = map toDesktop config.ghaf.graphics.launchers; +} diff --git a/modules/desktop/graphics/waybar.config.nix b/modules/desktop/graphics/waybar.config.nix index cd4801396..eebffe84a 100644 --- a/modules/desktop/graphics/waybar.config.nix +++ b/modules/desktop/graphics/waybar.config.nix 
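Review bot: In the appended `checkPhase` of `toDesktop`, the failure branch `(echo "The icon's path ${elem.icon} doesn't exist" && exit 1)` runs `exit 1` in a subshell, so it only aborts the build by way of the stdenv builder's errexit rather than explicitly, and the message goes to stdout. A brace group writing to stderr states the intent directly: `[[ -f "${elem.icon}" ]] || { echo "The icon's path ${elem.icon} doesn't exist" >&2; exit 1; }`. This is pre-existing behaviour that the reformat keeps; the `toDesktop` binding is fully inside the hunk.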
@@ -5,23 +5,24 @@ lib, config, ... -}: let +}: +let cfg = config.ghaf.graphics.labwc; inherit (config.ghaf.hardware.definition.network) pciDevices; - inherit (import ../../../lib/icons.nix {inherit pkgs lib;}) svgToPNG; + inherit (import ../../../lib/icons.nix { inherit pkgs lib; }) svgToPNG; launchpad-icon = svgToPNG "launchpad" ../../../assets/icons/svg/launchpad.svg "38x38"; admin-icon = svgToPNG "admin" ../../../assets/icons/svg/admin-cog.svg "24x24"; ghaf-icon = svgToPNG "ghaf-white" ../../../assets/icons/svg/ghaf-white.svg "24x24"; wifiDevice = lib.lists.findFirst (d: d.name != null) null pciDevices; - wifi-signal-strength = pkgs.callPackage ../../../packages/wifi-signal-strength {wifiDevice = wifiDevice.name;}; - ghaf-launcher = pkgs.callPackage ./ghaf-launcher.nix {inherit config pkgs;}; - timeZone = - if config.time.timeZone != null - then config.time.timeZone - else "UTC"; -in { + wifi-signal-strength = pkgs.callPackage ../../../packages/wifi-signal-strength { + wifiDevice = wifiDevice.name; + }; + ghaf-launcher = pkgs.callPackage ./ghaf-launcher.nix { inherit config pkgs; }; + timeZone = if config.time.timeZone != null then config.time.timeZone else "UTC"; +in +{ config = lib.mkIf cfg.enable { ghaf.graphics.launchers = [ { diff --git a/modules/desktop/graphics/window-manager.nix b/modules/desktop/graphics/window-manager.nix index 62ac66af9..1961d6dd5 100644 --- a/modules/desktop/graphics/window-manager.nix +++ b/modules/desktop/graphics/window-manager.nix @@ -5,10 +5,12 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.graphics.window-manager-common; - ghaf-open = pkgs.callPackage ../../../packages/ghaf-open {}; -in { + ghaf-open = pkgs.callPackage ../../../packages/ghaf-open { }; +in +{ options.ghaf.graphics.window-manager-common = { enable = lib.mkOption { type = lib.types.bool; 
@@ -26,14 +28,10 @@ in { environment.noXlibs = false; - environment.systemPackages = - [ - # Seatd is needed to manage log-in process for wayland sessions - pkgs.seatd - ] - ++ lib.optionals config.ghaf.profiles.debug.enable [ - ghaf-open - ]; + environment.systemPackages = [ + # Seatd is needed to manage log-in process for wayland sessions + pkgs.seatd + ] ++ lib.optionals config.ghaf.profiles.debug.enable [ ghaf-open ]; # Next services/targets are taken from official weston documentation: # https://wayland.pages.freedesktop.org/weston/toc/running-weston.html @@ -41,8 +39,8 @@ in { systemd = { user.targets."ghaf-session" = { description = "Ghaf graphical session"; - bindsTo = ["ghaf-session.target"]; - before = ["ghaf-session.target"]; + bindsTo = [ "ghaf-session.target" ]; + before = [ "ghaf-session.target" ]; }; services = { @@ -50,7 +48,7 @@ in { description = "Ghaf graphical session"; # Make sure we are started after logins are permitted. - after = ["systemd-user-sessions.service"]; + after = [ "systemd-user-sessions.service" ]; # if you want you can make it part of the graphical session #Before=graphical.target @@ -87,20 +85,20 @@ in { UtmpIdentifier = "tty7"; UtmpMode = "user"; }; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; }; # systemd service for seatd "seatd" = { description = "Seat management daemon"; - documentation = ["man:seatd(1)"]; + documentation = [ "man:seatd(1)" ]; serviceConfig = { Type = "simple"; ExecStart = "${pkgs.seatd}/bin/seatd -g video"; Restart = "always"; RestartSec = "1"; }; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; }; }; }; diff --git a/modules/desktop/profiles/applications.nix b/modules/desktop/profiles/applications.nix index fe32f0199..4bd6628c0 100644 --- a/modules/desktop/profiles/applications.nix +++ b/modules/desktop/profiles/applications.nix 
@@ -1,13 +1,11 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.profiles.applications; -in { +in +{ options.ghaf.profiles.applications = { enable = lib.mkEnableOption "Some sample applications"; #TODO Create options to allow enabling individual apps diff --git a/modules/desktop/profiles/graphics.nix b/modules/desktop/profiles/graphics.nix index a584ae87c..c50ec33b4 100644 --- a/modules/desktop/profiles/graphics.nix +++ b/modules/desktop/profiles/graphics.nix @@ -1,15 +1,18 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.profiles.graphics; - compositors = ["labwc"]; - inherit (lib) mkEnableOption mkOption types mkIf; -in { + compositors = [ "labwc" ]; + inherit (lib) + mkEnableOption + mkOption + types + mkIf + ; +in +{ options.ghaf.profiles.graphics = { enable = mkEnableOption "Graphics profile"; compositor = mkOption { @@ -26,10 +29,9 @@ in { options.ghaf.graphics = { launchers = mkOption { description = "Labwc application launchers to show in launch bar"; - default = []; - type = - types.listOf - (types.submodule { + default = [ ]; + type = types.listOf ( + types.submodule { options = { name = mkOption { description = "Name of the application"; @@ -44,7 +46,8 @@ in { type = types.path; }; }; - }); + } + ); }; enableDemoApplications = mkEnableOption "some applications for demoing"; }; diff --git a/modules/disko/disko-ab-partitions.nix b/modules/disko/disko-ab-partitions.nix index cac81a631..34bfc12a9 100644 --- a/modules/disko/disko-ab-partitions.nix +++ b/modules/disko/disko-ab-partitions.nix 
@@ -22,16 +22,15 @@ # - gp-storage : (50G) General purpose storage for some common insecure cases # - recovery : (no quota) Recovery factory image is stored here # - storagevm: (no quota) Dataset is meant to be used for StorageVM -{pkgs, ...}: { +{ pkgs, ... }: +{ # TODO Keep ZFS-related parts of the configuration here for now. # This allows to have all config dependencies in one place and cleans # other targets' configs from unnecessary components. networking.hostId = "8425e349"; boot = { - initrd.availableKernelModules = [ - "zfs" - ]; - supportedFilesystems = ["zfs"]; + initrd.availableKernelModules = [ "zfs" ]; + supportedFilesystems = [ "zfs" ]; }; disko = { # 8GB is the recommeneded minimum for ZFS, so we are using this for VMs to avoid `cp` oom errors. @@ -40,7 +39,7 @@ ${pkgs.zstd}/bin/zstd --compress $out/*raw rm $out/*raw ''; - extraRootModules = ["zfs"]; + extraRootModules = [ "zfs" ]; devices = { disk.disk1 = { type = "disk"; diff --git a/modules/disko/disko-basic-partition-v1.nix b/modules/disko/disko-basic-partition-v1.nix index 7d3abd752..527e44929 100644 --- a/modules/disko/disko-basic-partition-v1.nix +++ b/modules/disko/disko-basic-partition-v1.nix @@ -3,7 +3,8 @@ # Example to create a bios compatible gpt partition # To use this example, you will need to specify a device i.e. # { disko.devices.disk1.device = "/dev/sda"; } -{pkgs, ...}: { +{ pkgs, ... }: +{ disko.devices = { disk.disk1 = { type = "disk"; @@ -26,7 +27,7 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; - mountOptions = ["umask=0077"]; + mountOptions = [ "umask=0077" ]; }; }; root = { @@ -50,9 +51,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; }; diff --git a/modules/disko/disko-basic-postboot.nix b/modules/disko/disko-basic-postboot.nix index c0b48f731..cb601b9d3 100644 --- a/modules/disko/disko-basic-postboot.nix +++ b/modules/disko/disko-basic-postboot.nix 
@@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let +{ pkgs, ... }: +let postBootCmds = '' set -xeuo pipefail @@ -57,6 +58,7 @@ # Finally resize the filesystem inside the logical volume ${pkgs.e2fsprogs}/bin/resize2fs "$DEVPATH" ''; -in { +in +{ boot.postBootCommands = postBootCmds; } diff --git a/modules/disko/disko-zfs-postboot.nix b/modules/disko/disko-zfs-postboot.nix index 5f830b096..3c28cdac8 100644 --- a/modules/disko/disko-zfs-postboot.nix +++ b/modules/disko/disko-zfs-postboot.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let +{ pkgs, ... }: +let postBootCmds = '' set -xeuo pipefail @@ -31,6 +32,7 @@ # Extend ZFS pool to use newly allocated space ${pkgs.zfs}/bin/zpool online -e "$ZFS_POOLNAME" "$ZFS_LOCATION" ''; -in { +in +{ boot.postBootCommands = postBootCmds; } diff --git a/modules/disko/flake-module.nix b/modules/disko/flake-module.nix index 0b875e6c5..1b94ecdf5 100644 --- a/modules/disko/flake-module.nix +++ b/modules/disko/flake-module.nix @@ -1,6 +1,7 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{inputs, ...}: { +{ inputs, ... }: +{ flake.nixosModules = { disko-basic-partition-v1.imports = [ inputs.disko.nixosModules.disko diff --git a/modules/flake-module.nix b/modules/flake-module.nix index 970c938bf..87a7b8e58 100644 --- a/modules/flake-module.nix +++ b/modules/flake-module.nix @@ -3,7 +3,8 @@ # # Modules to be exported from Flake # -{inputs, ...}: { +{ inputs, ... }: +{ imports = [ ./disko/flake-module.nix ./hardware/flake-module.nix 
@@ -13,18 +14,18 @@ flake.nixosModules = { common.imports = [ ./common - {ghaf.development.nix-setup.nixpkgs = inputs.nixpkgs;} + { ghaf.development.nix-setup.nixpkgs = inputs.nixpkgs; } ]; - desktop.imports = [./desktop]; - host.imports = [./host]; - imx8.imports = [./imx8]; - jetpack.imports = [./jetpack]; - jetpack-microvm.imports = [./jetpack-microvm]; - lanzaboote.imports = [./lanzaboote]; - polarfire.imports = [./polarfire]; - profiles.imports = [./profiles]; - reference-appvms.imports = [./reference/appvms]; - reference-programs.imports = [./reference/programs]; - reference-services.imports = [./reference/services]; + desktop.imports = [ ./desktop ]; + host.imports = [ ./host ]; + imx8.imports = [ ./imx8 ]; + jetpack.imports = [ ./jetpack ]; + jetpack-microvm.imports = [ ./jetpack-microvm ]; + lanzaboote.imports = [ ./lanzaboote ]; + polarfire.imports = [ ./polarfire ]; + profiles.imports = [ ./profiles ]; + reference-appvms.imports = [ ./reference/appvms ]; + reference-programs.imports = [ ./reference/programs ]; + reference-services.imports = [ ./reference/services ]; }; } diff --git a/modules/hardware/common/devices.nix b/modules/hardware/common/devices.nix index 8605abc3f..6e47345f8 100644 --- a/modules/hardware/common/devices.nix +++ b/modules/hardware/common/devices.nix 
@@ -1,37 +1,35 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let inherit (lib) mkOption types mkForce; -in { +in +{ options.ghaf.hardware.devices = { netvmPCIPassthroughModule = mkOption { type = types.attrsOf types.anything; - default = {}; + default = { }; description = '' PCI devices to passthrough to the netvm. ''; }; guivmPCIPassthroughModule = mkOption { type = types.attrsOf types.anything; - default = {}; + default = { }; description = '' PCI devices to passthrough to the guivm. ''; }; audiovmPCIPassthroughModule = mkOption { type = types.attrsOf types.anything; - default = {}; + default = { }; description = '' PCI devices to passthrough to the audiovm. ''; }; guivmVirtioInputHostEvdevModule = mkOption { type = types.attrsOf types.anything; - default = {}; + default = { }; description = '' Virtio evdev paths' to passthrough to the guivm. ''; @@ -45,8 +43,7 @@ in { builtins.map (d: { bus = "pci"; inherit (d) path; - }) - config.ghaf.hardware.definition.network.pciDevices + }) config.ghaf.hardware.definition.network.pciDevices ); ghaf.hardware.definition.network.pciDevices = config.ghaf.hardware.definition.network.pciDevices; }; @@ -56,8 +53,7 @@ in { builtins.map (d: { bus = "pci"; inherit (d) path; - }) - config.ghaf.hardware.definition.gpu.pciDevices + }) config.ghaf.hardware.definition.gpu.pciDevices ); ghaf.hardware.definition.gpu.pciDevices = config.ghaf.hardware.definition.gpu.pciDevices; }; 
@@ -67,22 +63,24 @@ in { builtins.map (d: { bus = "pci"; inherit (d) path; - }) - config.ghaf.hardware.definition.audio.pciDevices + }) config.ghaf.hardware.definition.audio.pciDevices ); ghaf.hardware.definition.audio.pciDevices = config.ghaf.hardware.definition.audio.pciDevices; }; guivmVirtioInputHostEvdevModule = { microvm.qemu.extraArgs = - builtins.concatMap (d: [ - "-device" - "virtio-input-host-pci,evdev=${d}" - ]) - (config.ghaf.hardware.definition.input.keyboard.evdev - ++ config.ghaf.hardware.definition.input.mouse.evdev - ++ config.ghaf.hardware.definition.input.touchpad.evdev - ++ config.ghaf.hardware.definition.input.misc.evdev); + builtins.concatMap + (d: [ + "-device" + "virtio-input-host-pci,evdev=${d}" + ]) + ( + config.ghaf.hardware.definition.input.keyboard.evdev + ++ config.ghaf.hardware.definition.input.mouse.evdev + ++ config.ghaf.hardware.definition.input.touchpad.evdev + ++ config.ghaf.hardware.definition.input.misc.evdev + ); # TODO: Remove this once wifi-signal-strength is changed ghaf.hardware.definition.network.pciDevices = config.ghaf.hardware.definition.network.pciDevices; diff --git a/modules/hardware/common/kernel.nix b/modules/hardware/common/kernel.nix index 28e1c1831..e13202295 100644 --- a/modules/hardware/common/kernel.nix +++ b/modules/hardware/common/kernel.nix 
@@ -8,28 +8,35 @@ lib, pkgs, ... -}: let +}: +let inherit (lib) mkOption types optionalAttrs; - inherit (builtins) concatStringsSep filter map hasAttr; + inherit (builtins) + concatStringsSep + filter + map + hasAttr + ; # Only x86 targets with hw definition supported at the moment inherit (pkgs.stdenv.hostPlatform) isx86; fullVirtualization = isx86 && (hasAttr "hardware" config.ghaf); -in { +in +{ options.ghaf.kernel = { host = mkOption { type = types.attrs; - default = {}; + default = { }; description = "Host kernel configuration"; }; guivm = mkOption { type = types.attrs; - default = {}; + default = { }; description = "GuiVM kernel configuration"; }; audiovm = mkOption { type = types.attrs; - default = {}; + default = { }; description = "AudioVM kernel configuration"; }; }; 
@@ -41,20 +48,21 @@ in { inherit (config.ghaf.hardware.definition.host.kernelConfig.stage1) kernelModules; }; inherit (config.ghaf.hardware.definition.host.kernelConfig.stage2) kernelModules; - kernelParams = let - # PCI device passthroughs for vfio - filterDevices = filter (d: d.vendorId != null && d.productId != null); - mapPciIdsToString = map (d: "${d.vendorId}:${d.productId}"); - vfioPciIds = mapPciIdsToString (filterDevices ( - config.ghaf.hardware.definition.network.pciDevices - ++ config.ghaf.hardware.definition.gpu.pciDevices - ++ config.ghaf.hardware.definition.audio.pciDevices - )); - in + kernelParams = + let + # PCI device passthroughs for vfio + filterDevices = filter (d: d.vendorId != null && d.productId != null); + mapPciIdsToString = map (d: "${d.vendorId}:${d.productId}"); + vfioPciIds = mapPciIdsToString ( + filterDevices ( + config.ghaf.hardware.definition.network.pciDevices + ++ config.ghaf.hardware.definition.gpu.pciDevices + ++ config.ghaf.hardware.definition.audio.pciDevices + ) + ); + in config.ghaf.hardware.definition.host.kernelConfig.kernelParams - ++ [ - "vfio-pci.ids=${concatStringsSep "," vfioPciIds}" - ]; + ++ [ "vfio-pci.ids=${concatStringsSep "," vfioPciIds}" ]; }; # Guest kernel configurations diff --git a/modules/hardware/common/qemu.nix b/modules/hardware/common/qemu.nix index 62cd4b302..e7ebbfc16 100644 --- a/modules/hardware/common/qemu.nix +++ b/modules/hardware/common/qemu.nix @@ -1,18 +1,21 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let inherit (builtins) hasAttr; - inherit (lib) mkOption types optionals optionalAttrs; -in { + inherit (lib) + mkOption + types + optionals + optionalAttrs + ; +in +{ options.ghaf.qemu = { guivm = mkOption { type = types.attrs; - default = {}; + default = { }; description = "Extra qemu arguments for GuiVM"; }; }; 
@@ -31,10 +34,8 @@ in { "-device" "acad" ] - ++ optionals (hasAttr "yubikey" config.ghaf.hardware.usb.external.qemuExtraArgs) - config.ghaf.hardware.usb.external.qemuExtraArgs.yubikey - ++ optionals (hasAttr "fpr0" config.ghaf.hardware.usb.internal.qemuExtraArgs) - config.ghaf.hardware.usb.internal.qemuExtraArgs.fpr0; + ++ optionals (hasAttr "yubikey" config.ghaf.hardware.usb.external.qemuExtraArgs) config.ghaf.hardware.usb.external.qemuExtraArgs.yubikey + ++ optionals (hasAttr "fpr0" config.ghaf.hardware.usb.internal.qemuExtraArgs) config.ghaf.hardware.usb.internal.qemuExtraArgs.fpr0; }; }; } diff --git a/modules/hardware/common/usb/external.nix b/modules/hardware/common/usb/external.nix index 3adeebf87..167c1aca4 100644 --- a/modules/hardware/common/usb/external.nix +++ b/modules/hardware/common/usb/external.nix 
@@ -1,39 +1,54 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.hardware.usb.external;
- inherit (lib) mkEnableOption mkOption types mkIf literalExpression;
+ inherit (lib)
+ mkEnableOption
+ mkOption
+ types
+ mkIf
+ literalExpression
+ ;
 # Create USB argument strings for Qemu
- qemuExtraArgs = let
- generateArg = dev:
- if ((dev.name != null) && (dev.vendorId != null) && (dev.productId != null))
- then {
- name = "${dev.name}";
- value = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x${dev.vendorId},productid=0x${dev.productId}"];
- }
- else builtins.throw "The external USB device is configured incorrectly. Please provide name, vendorId and productId.";
- in
+ qemuExtraArgs =
+ let
+ generateArg =
+ dev:
+ if ((dev.name != null) && (dev.vendorId != null) && (dev.productId != null)) then
+ {
+ name = "${dev.name}";
+ value = [
+ "-device"
+ "qemu-xhci"
+ "-device"
+ "usb-host,vendorid=0x${dev.vendorId},productid=0x${dev.productId}"
+ ];
+ }
+ else
+ builtins.throw "The external USB device is configured incorrectly. Please provide name, vendorId and productId.";
+ in
 builtins.listToAttrs (builtins.map generateArg config.ghaf.hardware.definition.usb.external);
 # Create udev argument strings
- extraRules = let
- generateRule = dev:
- if ((dev.vendorId != null) && (dev.productId != null))
- then ''SUBSYSTEM=="usb", ATTR{idVendor}=="${dev.vendorId}", ATTR{idProduct}=="${dev.productId}", GROUP="kvm"''
- else builtins.throw "The external USB device is configured incorrectly. Please provide name, vendorId and productId.";
- in
+ extraRules =
+ let
+ generateRule =
+ dev:
+ if ((dev.vendorId != null) && (dev.productId != null)) then
+ ''SUBSYSTEM=="usb", ATTR{idVendor}=="${dev.vendorId}", ATTR{idProduct}=="${dev.productId}", GROUP="kvm"''
+ else
+ builtins.throw "The external USB device is configured incorrectly. Please provide name, vendorId and productId.";
+ in
 lib.strings.concatMapStringsSep "\n" generateRule config.ghaf.hardware.definition.usb.external;
-in {
+in
+{
 options.ghaf.hardware.usb.external = {
 enable = mkEnableOption "Enable external USB device(s) passthrough support";
 qemuExtraArgs = mkOption {
 type = types.attrsOf types.anything;
- default = {};
+ default = { };
 description = ''
 Extra arguments to pass to qemu when enabling the external USB device(s).
 Since there can be several devices that may need to be passed to different
diff --git a/modules/hardware/common/usb/internal.nix b/modules/hardware/common/usb/internal.nix
index b4dec93bc..280fc814f 100644
--- a/modules/hardware/common/usb/internal.nix
+++ b/modules/hardware/common/usb/internal.nix
@@ -1,50 +1,70 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.ghaf.hardware.usb.internal;
- inherit (lib) mkOption mkEnableOption types mkIf literalExpression;
+ inherit (lib)
+ mkOption
+ mkEnableOption
+ types
+ mkIf
+ literalExpression
+ ;
 # Create USB argument strings for Qemu
- qemuExtraArgs = let
- generateArg = dev:
- if ((dev.name != null) && (dev.vendorId != null) && (dev.productId != null))
- then {
- name = "${dev.name}";
- value = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x${dev.vendorId},productid=0x${dev.productId}"];
- }
- else if ((dev.name != null) && (dev.hostbus != null) && (dev.hostport != null))
- then {
- name = "${dev.name}";
- value = ["-device" "qemu-xhci" "-device" "usb-host,hostbus=${dev.hostbus},hostport=${dev.hostport}"];
- }
- else
- builtins.throw '' The internal USB device is configured incorrectly.
- Please provide name, and either vendorId and productId or hostbus and hostport.'';
- in
+ qemuExtraArgs =
+ let
+ generateArg =
+ dev:
+ if ((dev.name != null) && (dev.vendorId != null) && (dev.productId != null)) then
+ {
+ name = "${dev.name}";
+ value = [
+ "-device"
+ "qemu-xhci"
+ "-device"
+ "usb-host,vendorid=0x${dev.vendorId},productid=0x${dev.productId}"
+ ];
+ }
+ else if ((dev.name != null) && (dev.hostbus != null) && (dev.hostport != null)) then
+ {
+ name = "${dev.name}";
+ value = [
+ "-device"
+ "qemu-xhci"
+ "-device"
+ "usb-host,hostbus=${dev.hostbus},hostport=${dev.hostport}"
+ ];
+ }
+ else
+ builtins.throw ''
+ The internal USB device is configured incorrectly.
+ Please provide name, and either vendorId and productId or hostbus and hostport.'';
+ in
 builtins.listToAttrs (builtins.map generateArg config.ghaf.hardware.definition.usb.internal);
 # Create udev argument strings
- extraRules = let
- generateRule = dev:
- if ((dev.vendorId != null) && (dev.productId != null))
- then ''SUBSYSTEM=="usb", ATTR{idVendor}=="${dev.vendorId}", ATTR{idProduct}=="${dev.productId}", GROUP="kvm"''
- else if ((dev.hostbus != null) && (dev.hostport != null))
- then ''KERNEL=="${dev.hostbus}-${dev.hostport}", SUBSYSTEM=="usb", ATTR{busnum}=="${dev.hostbus}", GROUP="kvm"''
- else
- builtins.throw '' The internal USB device is configured incorrectly.
- Please provide name, and either vendorId and productId or hostbus and hostport.'';
- in
+ extraRules =
+ let
+ generateRule =
+ dev:
+ if ((dev.vendorId != null) && (dev.productId != null)) then
+ ''SUBSYSTEM=="usb", ATTR{idVendor}=="${dev.vendorId}", ATTR{idProduct}=="${dev.productId}", GROUP="kvm"''
+ else if ((dev.hostbus != null) && (dev.hostport != null)) then
+ ''KERNEL=="${dev.hostbus}-${dev.hostport}", SUBSYSTEM=="usb", ATTR{busnum}=="${dev.hostbus}", GROUP="kvm"''
+ else
+ builtins.throw ''
+ The internal USB device is configured incorrectly.
+ Please provide name, and either vendorId and productId or hostbus and hostport.'';
+ in
 lib.strings.concatMapStringsSep "\n" generateRule config.ghaf.hardware.definition.usb.internal;
-in {
+in
+{
 options.ghaf.hardware.usb.internal = {
 enable = mkEnableOption "Enable internal USB device(s) passthrough support";
 qemuExtraArgs = mkOption {
 type = types.attrsOf types.anything;
- default = {};
+ default = { };
 description = ''
 Extra arguments to pass to qemu when enabling the internal USB device(s).
 Since there could be several devices that may need to be passed to different
diff --git a/modules/hardware/definition.nix b/modules/hardware/definition.nix
index 4d3018f0b..642f912ba 100644
--- a/modules/hardware/definition.nix
+++ b/modules/hardware/definition.nix 
@@ -5,350 +5,356 @@
 #
 # The point of this module is to only store information about the hardware
 # configuration, and the logic that uses this information should be elsewhere.
-{lib, ...}: let
+{ lib, ... }:
+let
 inherit (lib) mkOption types literalExpression;
-in {
- options.ghaf.hardware.definition = let
- pciDevSubmodule = types.submodule {
- options = {
- path = mkOption {
- type = types.str;
- description = ''
- PCI device path
- '';
- };
- vendorId = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- PCI Vendor ID (optional)
- '';
- };
- productId = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- PCI Product ID (optional)
- '';
- };
- name = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- PCI device name (optional)
- '';
- };
- };
- };
-
- # USB device submodule, defined either by product ID and vendor ID, or by bus and port number
- usbDevSubmodule = types.submodule {
- options = {
- name = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- USB device name. NOT optional for external devices, in which case it must not contain spaces
- or extravagant characters.
- '';
- };
- vendorId = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- USB Vendor ID (optional). If this is set, the productId must also be set.
- '';
- };
- productId = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- USB Product ID (optional). If this is set, the vendorId must also be set.
- '';
- };
- hostbus = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- USB device bus number (optional). If this is set, the hostport must also be set.
- '';
- };
- hostport = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- USB device device number (optional). If this is set, the hostbus must also be set.
- '';
+in
+{
+ options.ghaf.hardware.definition =
+ let
+ pciDevSubmodule = types.submodule {
+ options = {
+ path = mkOption {
+ type = types.str;
+ description = ''
+ PCI device path
+ '';
+ };
+ vendorId = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ PCI Vendor ID (optional)
+ '';
+ };
+ productId = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ PCI Product ID (optional)
+ '';
+ };
+ name = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ PCI device name (optional)
+ '';
+ };
 };
 };
- };
- # Input devices submodule
- inputDevSubmodule = types.submodule {
- options = {
- name = mkOption {
- type = types.listOf types.any;
- default = [];
- description = ''
- List of input device names. Can either be a string, or a list of strings.
- The list option allows to bind several input device names to the same evdev.
- This allows to create one generic hardware definition for multiple SKUs.
- '';
- };
- evdev = mkOption {
- type = types.listOf types.str;
- default = [];
- description = ''
- List of event devices.
- '';
+ # USB device submodule, defined either by product ID and vendor ID, or by bus and port number
+ usbDevSubmodule = types.submodule {
+ options = {
+ name = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ USB device name. NOT optional for external devices, in which case it must not contain spaces
+ or extravagant characters.
+ '';
+ };
+ vendorId = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ USB Vendor ID (optional). If this is set, the productId must also be set.
+ '';
+ };
+ productId = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ USB Product ID (optional). If this is set, the vendorId must also be set.
+ '';
+ };
+ hostbus = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ USB device bus number (optional). If this is set, the hostport must also be set.
+ '';
+ };
+ hostport = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ USB device device number (optional). If this is set, the hostbus must also be set.
+ '';
+ };
 };
 };
- };
- # Kernel configuration submodule
- kernelConfig = types.submodule {
- options = {
- stage1 = {
- kernelModules = mkOption {
- description = "Hardware specific kernel modules";
+ # Input devices submodule
+ inputDevSubmodule = types.submodule {
+ options = {
+ name = mkOption {
+ type = types.listOf types.any;
+ default = [ ];
+ description = ''
+ List of input device names. Can either be a string, or a list of strings.
+ The list option allows to bind several input device names to the same evdev.
+ This allows to create one generic hardware definition for multiple SKUs.
+ '';
+ };
+ evdev = mkOption {
 type = types.listOf types.str;
- default = [];
- example = literalExpression ''
- [
- "i915"
- ]
+ default = [ ];
+ description = ''
+ List of event devices.
 '';
 };
 };
- stage2 = {
- kernelModules = mkOption {
- description = "Hardware specific kernel modules";
+ };
+
+ # Kernel configuration submodule
+ kernelConfig = types.submodule {
+ options = {
+ stage1 = {
+ kernelModules = mkOption {
+ description = "Hardware specific kernel modules";
+ type = types.listOf types.str;
+ default = [ ];
+ example = literalExpression ''
+ [
+ "i915"
+ ]
+ '';
+ };
+ };
+ stage2 = {
+ kernelModules = mkOption {
+ description = "Hardware specific kernel modules";
+ type = types.listOf types.str;
+ default = [ ];
+ example = literalExpression ''
+ [
+ "i915"
+ ]
+ '';
+ };
+ };
+ kernelParams = mkOption {
+ description = "Hardware specific kernel parameters";
 type = types.listOf types.str;
- default = [];
+ default = [ ];
 example = literalExpression ''
 [
- "i915"
+ "intel_iommu=on,sm_on"
+ "iommu=pt"
+ "module_blacklist=i915"
+ "acpi_backlight=vendor"
+ "acpi_osi=linux"
 ]
 '';
 };
 };
- kernelParams = mkOption {
- description = "Hardware specific kernel parameters";
- type = types.listOf types.str;
- default = [];
- example = literalExpression ''
- [
- "intel_iommu=on,sm_on"
- "iommu=pt"
- "module_blacklist=i915"
- "acpi_backlight=vendor"
- "acpi_osi=linux"
- ]
- '';
- };
 };
- };
- in {
- name = mkOption {
- description = "Name of the hardware";
- type = types.str;
- default = "";
- };
-
- skus = mkOption {
- description = "List of hardware SKUs (Stock Keeping Unit) covered with this definition";
- type = types.listOf types.str;
- default = [];
- };
-
- host = {
- kernelConfig = mkOption {
- description = "Host kernel configuration";
- type = kernelConfig;
- default = {};
+ in
+ {
+ name = mkOption {
+ description = "Name of the hardware";
+ type = types.str;
+ default = "";
 };
- };
- input = {
- keyboard = mkOption {
- description = "Name of the keyboard device(s)";
- type = inputDevSubmodule;
- default = {};
+ skus = mkOption {
+ description = "List of hardware SKUs (Stock Keeping Unit) covered with this definition";
+ type = types.listOf types.str;
+ default = [ ];
 };
- mouse = mkOption {
- description = "Name of the mouse device(s)";
- type = inputDevSubmodule;
- default = {};
+ host = {
+ kernelConfig = mkOption {
+ description = "Host kernel configuration";
+ type = kernelConfig;
+ default = { };
+ };
 };
- touchpad = mkOption {
- description = "Name of the touchpad device(s)";
- type = inputDevSubmodule;
- default = {};
- };
+ input = {
+ keyboard = mkOption {
+ description = "Name of the keyboard device(s)";
+ type = inputDevSubmodule;
+ default = { };
+ };
- misc = mkOption {
- description = "Name of the misc device(s)";
- type = inputDevSubmodule;
- default = {};
- };
- };
+ mouse = mkOption {
+ description = "Name of the mouse device(s)";
+ type = inputDevSubmodule;
+ default = { };
+ };
- disks = mkOption {
- description = "Disks to format and mount";
- type = types.attrsOf (types.submodule {
- options.device = mkOption {
- type = types.str;
- description = ''
- Path to the disk
- '';
+ touchpad = mkOption {
+ description = "Name of the touchpad device(s)";
+ type = inputDevSubmodule;
+ default = { };
 };
- });
- default = {};
- example = literalExpression ''
- {
- disk1.device = "/dev/nvme0n1";
- }
- '';
- };
- network = {
- # TODO? Should add NetVM enabler here?
- # netvm.enable = mkEnableOption = "NetVM";
+ misc = mkOption {
+ description = "Name of the misc device(s)";
+ type = inputDevSubmodule;
+ default = { };
+ };
+ };
- pciDevices = mkOption {
- description = "PCI Devices to passthrough to NetVM";
- type = types.listOf pciDevSubmodule;
- default = [];
+ disks = mkOption {
+ description = "Disks to format and mount";
+ type = types.attrsOf (
+ types.submodule {
+ options.device = mkOption {
+ type = types.str;
+ description = ''
+ Path to the disk
+ '';
+ };
+ }
+ );
+ default = { };
 example = literalExpression ''
- [{
- path = "0000:00:14.3";
- vendorId = "8086";
- productId = "51f1";
- }]
+ {
+ disk1.device = "/dev/nvme0n1";
+ }
 '';
 };
- kernelConfig = mkOption {
- description = "Hardware specific kernel configuration for network devices";
- type = kernelConfig;
- default = {};
- };
- };
- gpu = {
- # TODO? Should add GuiVM enabler here?
- # guivm.enable = mkEnableOption = "NetVM";
+ network = {
+ # TODO? Should add NetVM enabler here?
+ # netvm.enable = mkEnableOption = "NetVM";
- pciDevices = mkOption {
- description = "PCI Devices to passthrough to GuiVM";
- type = types.listOf pciDevSubmodule;
- default = [];
- example = literalExpression ''
- [{
- path = "0000:00:02.0";
- vendorId = "8086";
- productId = "a7a1";
- }]
- '';
- };
- kernelConfig = mkOption {
- description = "Hardware specific kernel configuration for gpu devices";
- type = kernelConfig;
- default = {};
+ pciDevices = mkOption {
+ description = "PCI Devices to passthrough to NetVM";
+ type = types.listOf pciDevSubmodule;
+ default = [ ];
+ example = literalExpression ''
+ [{
+ path = "0000:00:14.3";
+ vendorId = "8086";
+ productId = "51f1";
+ }]
+ '';
+ };
+ kernelConfig = mkOption {
+ description = "Hardware specific kernel configuration for network devices";
+ type = kernelConfig;
+ default = { };
+ };
 };
- };
- audio = {
- # With the current implementation, the whole PCI IOMMU group 14:
- # 00:1f.x in the example from Lenovo X1 Carbon
- # must be defined for passthrough to AudioVM
- pciDevices = mkOption {
- description = "PCI Devices to passthrough to AudioVM";
- type = types.listOf pciDevSubmodule;
- default = [];
- example = literalExpression ''
- [
- {
- path = "0000:00:1f.0";
- vendorId = "8086";
- productId = "519d";
- }
- {
- path = "0000:00:1f.3";
- vendorId = "8086";
- productId = "51ca";
- }
- {
- path = "0000:00:1f.4";
- vendorId = "8086";
- productId = "51a3";
- }
- {
- path = "0000:00:1f.5";
+ gpu = {
+ # TODO? Should add GuiVM enabler here?
+ # guivm.enable = mkEnableOption = "NetVM";
+
+ pciDevices = mkOption {
+ description = "PCI Devices to passthrough to GuiVM";
+ type = types.listOf pciDevSubmodule;
+ default = [ ];
+ example = literalExpression ''
+ [{
+ path = "0000:00:02.0";
 vendorId = "8086";
- productId = "51a4";
- }
- ]
- '';
+ productId = "a7a1";
+ }]
+ '';
+ };
+ kernelConfig = mkOption {
+ description = "Hardware specific kernel configuration for gpu devices";
+ type = kernelConfig;
+ default = { };
+ };
 };
- kernelConfig = mkOption {
- description = "Hardware specific kernel configuration for audio devices";
- type = kernelConfig;
- default = {};
+
+ audio = {
+ # With the current implementation, the whole PCI IOMMU group 14:
+ # 00:1f.x in the example from Lenovo X1 Carbon
+ # must be defined for passthrough to AudioVM
+ pciDevices = mkOption {
+ description = "PCI Devices to passthrough to AudioVM";
+ type = types.listOf pciDevSubmodule;
+ default = [ ];
+ example = literalExpression ''
+ [
+ {
+ path = "0000:00:1f.0";
+ vendorId = "8086";
+ productId = "519d";
+ }
+ {
+ path = "0000:00:1f.3";
+ vendorId = "8086";
+ productId = "51ca";
+ }
+ {
+ path = "0000:00:1f.4";
+ vendorId = "8086";
+ productId = "51a3";
+ }
+ {
+ path = "0000:00:1f.5";
+ vendorId = "8086";
+ productId = "51a4";
+ }
+ ]
+ '';
+ };
+ kernelConfig = mkOption {
+ description = "Hardware specific kernel configuration for audio devices";
+ type = kernelConfig;
+ default = { };
+ };
 };
- };
- usb = {
internal = mkOption {
- description = ''
- Internal USB device(s) to passthrough.
+ usb = {
+ internal = mkOption {
+ description = ''
+ Internal USB device(s) to passthrough.
- Each device definition requires a name, and either vendorId and productId, or hostbus and hostport.
- The latter is useful for addressing devices that may have different vendor and product IDs in the
- same hardware generation.
+ Each device definition requires a name, and either vendorId and productId, or hostbus and hostport.
+ The latter is useful for addressing devices that may have different vendor and product IDs in the
+ same hardware generation.
- Note that internal devices must follow the naming convention to be correctly identified
- and subsequently used. Current special names are:
- - 'cam0' for the internal cam0 device
- - 'fpr0' for the internal fingerprint reader device
- '';
- type = types.listOf usbDevSubmodule;
- default = [];
- example = literalExpression ''
- [
- {
- name = "cam0";
- vendorId = "0123";
- productId = "0123";
- }
- {
- name = "fpr0";
- hostbus = "3";
- hostport = "3";
- }
- ]
- '';
- };
- external = mkOption {
- description = "External USB device(s) to passthrough. Requires name, vendorId, and productId.";
- type = types.listOf usbDevSubmodule;
- default = [];
- example = literalExpression ''
- [
- {
- name = "external-device-1";
- vendorId = "0123";
- productId = "0123";
- }
- {
- name = "external-device-2";
- vendorId = "0123";
- productId = "0123";
- }
- ]
- '';
+ Note that internal devices must follow the naming convention to be correctly identified
+ and subsequently used. Current special names are:
+ - 'cam0' for the internal cam0 device
+ - 'fpr0' for the internal fingerprint reader device
+ '';
+ type = types.listOf usbDevSubmodule;
+ default = [ ];
+ example = literalExpression ''
+ [
+ {
+ name = "cam0";
+ vendorId = "0123";
+ productId = "0123";
+ }
+ {
+ name = "fpr0";
+ hostbus = "3";
+ hostport = "3";
+ }
+ ]
+ '';
+ };
+ external = mkOption {
+ description = "External USB device(s) to passthrough. Requires name, vendorId, and productId.";
+ type = types.listOf usbDevSubmodule;
+ default = [ ];
+ example = literalExpression ''
+ [
+ {
+ name = "external-device-1";
+ vendorId = "0123";
+ productId = "0123";
+ }
+ {
+ name = "external-device-2";
+ vendorId = "0123";
+ productId = "0123";
+ }
+ ]
+ '';
+ };
 };
 };
- };
 }
diff --git a/modules/hardware/definitions/dell-latitude/dell-latitude-7230.nix b/modules/hardware/definitions/dell-latitude/dell-latitude-7230.nix
index 8352ba9aa..e4ec45561 100644
--- a/modules/hardware/definitions/dell-latitude/dell-latitude-7230.nix
+++ b/modules/hardware/definitions/dell-latitude/dell-latitude-7230.nix
@@ -5,9 +5,7 @@
 name = "Dell Latitude 7230 Rugged";
 # List of system SKUs covered by this configuration
- skus = [
- "0BB7 Latitude 7230 Rugged Extreme Tablet"
- ];
+ skus = [ "0BB7 Latitude 7230 Rugged Extreme Tablet" ];
 # Host configuration
 host = {
@@ -23,18 +21,32 @@
 # Input devices
 input = {
 keyboard = {
- name = ["AT Translated Set 2 keyboard"];
- evdev = ["/dev/keyboard0"];
+ name = [ "AT Translated Set 2 keyboard" ];
+ evdev = [ "/dev/keyboard0" ];
 };
 mouse = {
- name = ["PS/2 Generic Mouse" "SYNAPTICS Synaptics HIDUSB TouchPad V1.05 Mouse"];
- evdev = ["/dev/mouse0" "/dev/mouse1"];
+ name = [
+ "PS/2 Generic Mouse"
+ "SYNAPTICS Synaptics HIDUSB TouchPad V1.05 Mouse"
+ ];
+ evdev = [
+ "/dev/mouse0"
+ "/dev/mouse1"
+ ];
 };
 touchpad = {
- name = ["SYNAPTICS Synaptics HIDUSB TouchPad V1.05 Touchpad" "EETI8082:00 0EEF:C004" "EETI8082:00 0EEF:C004 Stylus"];
- evdev = ["/dev/touchpad0" "/dev/touchpad1" "/dev/touchpad2"];
+ name = [
+ "SYNAPTICS Synaptics HIDUSB TouchPad V1.05 Touchpad"
+ "EETI8082:00 0EEF:C004"
+ "EETI8082:00 0EEF:C004 Stylus"
+ ];
+ evdev = [
+ "/dev/touchpad0"
+ "/dev/touchpad1"
+ "/dev/touchpad2"
+ ];
 };
 misc = {
@@ -66,9 +78,9 @@
 }
 ];
 kernelConfig = {
- stage1.kernelModules = [];
- stage2.kernelModules = ["iwlwifi"];
- kernelParams = [];
+ stage1.kernelModules = [ ];
+ stage2.kernelModules = [ "iwlwifi" ];
+ kernelParams = [ ];
 };
 };
@@ -86,9 +98,9 @@
 }
 ];
 kernelConfig = {
- stage1.kernelModules = ["i915"];
- stage2.kernelModules = [];
- kernelParams = ["earlykms"];
+ stage1.kernelModules = [ "i915" ];
+ stage2.kernelModules = [ ];
+ kernelParams = [ "earlykms" ];
 };
 };
@@ -133,9 +145,14 @@
 }
 ];
 kernelConfig = {
- stage1.kernelModules = [];
- stage2.kernelModules = ["i2c_i801" "snd_hda_intel" "snd_sof_pci_intel_tgl" "spi_intel_pci"];
- kernelParams = [];
+ stage1.kernelModules = [ ];
+ stage2.kernelModules = [
+ "i2c_i801"
+ "snd_hda_intel"
+ "snd_sof_pci_intel_tgl"
+ "spi_intel_pci"
+ ];
+ kernelParams = [ ];
 };
 };
diff --git a/modules/hardware/definitions/dell-latitude/dell-latitude-7330.nix b/modules/hardware/definitions/dell-latitude/dell-latitude-7330.nix
index 435299ad3..fe294a679 100644
--- a/modules/hardware/definitions/dell-latitude/dell-latitude-7330.nix
+++ b/modules/hardware/definitions/dell-latitude/dell-latitude-7330.nix
@@ -5,9 +5,7 @@
 name = "Dell Inc. Not Specified";
 # List of system SKUs covered by this configuration
- skus = [
- "0A9E Latitude 7330 Rugged Extreme"
- ];
+ skus = [ "0A9E Latitude 7330 Rugged Extreme" ];
 # Host configuration
 host = {
@@ -45,12 +43,8 @@
 };
 touchpad = {
- name = [
- "CUST0000:00 0EEF:C003"
- ];
- evdev = [
- "/dev/touchpad0"
- ];
+ name = [ "CUST0000:00 0EEF:C003" ];
+ evdev = [ "/dev/touchpad0" ];
 };
 misc = {
@@ -84,11 +78,9 @@
 ];
 kernelConfig = {
 # Kernel modules are indicative only, please investigate with lsmod/modinfo
- stage1.kernelModules = [];
- stage2.kernelModules = [
- "iwlwifi"
- ];
- kernelParams = [];
+ stage1.kernelModules = [ ];
+ stage2.kernelModules = [ "iwlwifi" ];
+ kernelParams = [ ];
 };
 };
@@ -107,13 +99,9 @@
 ];
 kernelConfig = {
 # Kernel modules are indicative only, please investigate with lsmod/modinfo
- stage1.kernelModules = [
- "i915"
- ];
- stage2.kernelModules = [];
- kernelParams = [
- "earlykms"
- ];
+ stage1.kernelModules = [ "i915" ];
+ stage2.kernelModules = [ ];
+ kernelParams = [ "earlykms" ];
 };
 };
@@ -169,7 +157,7 @@
 ];
 kernelConfig = {
 # Kernel modules are indicative only, please investigate with lsmod/modinfo
- stage1.kernelModules = [];
+ stage1.kernelModules = [ ];
 stage2.kernelModules = [
 "e1000e"
 "i2c_i801"
@@ -177,7 +165,7 @@
 "snd_sof_pci_intel_tgl"
 "spi_intel_pci"
 ];
- kernelParams = [];
+ kernelParams = [ ];
 };
 };
diff --git a/modules/hardware/laptop.nix b/modules/hardware/laptop.nix
index d09a9487f..bf538fe9a 100644
--- a/modules/hardware/laptop.nix
+++ b/modules/hardware/laptop.nix
@@ -1,30 +1,37 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 #
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 inherit (builtins) toString typeOf;
- inherit (lib) mkOption types concatImapStrings concatMapStringsSep;
+ inherit (lib)
+ mkOption
+ types
+ concatImapStrings
+ concatMapStringsSep
+ ;
 cfg = config.ghaf.hardware.definition;
 hwDefinition = import (./. + cfg.configFile);
 # Helper function to create udev rules for input devices
- generateUdevRules = devlink: deviceList:
+ generateUdevRules =
+ devlink: deviceList:
 concatImapStrings (
 i: d:
- if (typeOf d) == "list"
- then ''${concatMapStringsSep "\n" (sd: ''SUBSYSTEM=="input", ATTRS{name}=="${sd}", KERNEL=="event*", GROUP="kvm", SYMLINK+="${devlink}${toString (i - 1)}"'') d}''\n''
- else ''SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="${devlink}${toString (i - 1)}"''\n''
- )
- deviceList;
-in {
- imports = [
- ./definition.nix
- ];
+ if (typeOf d) == "list" then
+ ''${
+ concatMapStringsSep "\n" (
+ sd:
+ ''SUBSYSTEM=="input", ATTRS{name}=="${sd}", KERNEL=="event*", GROUP="kvm", SYMLINK+="${devlink}${toString (i - 1)}"''
+ ) d
+ }''\n''
+ else
+ ''SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="${devlink}${toString (i - 1)}"''\n''
+ ) deviceList;
+in
+{
+ imports = [ ./definition.nix ];
 options.ghaf.hardware.definition.configFile = mkOption {
 description = "Path to the hardware configuration file.";
@@ -56,7 +63,9 @@ in {
 # Touchpad
 ${generateUdevRules "touchpad" hwDefinition.input.touchpad.name}
 # Misc
- ${lib.strings.concatMapStringsSep "\n" (d: ''SUBSYSTEM=="input", ATTRS{name}=="${d}", GROUP="kvm"'') hwDefinition.input.misc.name}
+ ${lib.strings.concatMapStringsSep "\n" (
+ d: ''SUBSYSTEM=="input", ATTRS{name}=="${d}", GROUP="kvm"''
+ ) hwDefinition.input.misc.name}
 '';
 };
 }
diff --git a/modules/hardware/lenovo-x1/definitions/x1-gen10.nix b/modules/hardware/lenovo-x1/definitions/x1-gen10.nix
index 99615dc29..82f3139c7 100644
--- a/modules/hardware/lenovo-x1/definitions/x1-gen10.nix
+++ b/modules/hardware/lenovo-x1/definitions/x1-gen10.nix
@@ -22,8 +22,8 @@
 input = {
 keyboard = {
- name = ["AT Translated Set 2 keyboard"];
- evdev = ["/dev/input/by-path/platform-i8042-serio-0-event-kbd"];
+ name = [ "AT Translated Set 2 keyboard" ];
+ evdev = [ "/dev/input/by-path/platform-i8042-serio-0-event-kbd" ];
 };
 mouse = {
@@ -47,18 +47,12 @@
 "SYNA8016:00 06CB:CEB3 Touchpad"
 ]
 ];
- evdev = [
- "/dev/touchpad0"
- ];
+ evdev = [ "/dev/touchpad0" ];
 };
 misc = {
- name = [
- "ThinkPad Extra Buttons"
- ];
- evdev = [
- "/dev/input/by-path/platform-thinkpad_acpi-event"
- ];
+ name = [ "ThinkPad Extra Buttons" ];
+ evdev = [ "/dev/input/by-path/platform-thinkpad_acpi-event" ];
 };
 };
@@ -86,8 +80,8 @@
 }
 ];
 kernelConfig = {
- stage1.kernelModules = ["i915"];
- kernelParams = ["earlykms"];
+ stage1.kernelModules = [ "i915" ];
+ kernelParams = [ "earlykms" ];
 };
 };
diff --git a/modules/hardware/lenovo-x1/definitions/x1-gen11.nix b/modules/hardware/lenovo-x1/definitions/x1-gen11.nix
index d72745e5c..ea9e01323 100644
--- a/modules/hardware/lenovo-x1/definitions/x1-gen11.nix
+++ b/modules/hardware/lenovo-x1/definitions/x1-gen11.nix
@@ -23,8 +23,8 @@
 input = {
 keyboard = {
- name = ["AT Translated Set 2 keyboard"];
- evdev = ["/dev/input/by-path/platform-i8042-serio-0-event-kbd"];
+ name = [ "AT Translated Set 2 keyboard" ];
+ evdev = [ "/dev/input/by-path/platform-i8042-serio-0-event-kbd" ];
 };
 mouse = {
@@ -50,18 +50,12 @@
 "ELAN067B:00 04F3:31F8 Touchpad"
 ]
 ];
- evdev = [
- "/dev/touchpad0"
- ];
+ evdev = [ "/dev/touchpad0" ];
 };
 misc = {
- name = [
- "ThinkPad Extra Buttons"
- ];
- evdev = [
- "/dev/input/by-path/platform-thinkpad_acpi-event"
- ];
+ name = [ "ThinkPad Extra Buttons" ];
+ evdev = [ "/dev/input/by-path/platform-thinkpad_acpi-event" ];
 };
 };
@@ -89,8 +83,8 @@ } ]; kernelConfig = { - stage1.kernelModules = ["i915"]; - kernelParams = ["earlykms"]; + stage1.kernelModules = [ "i915" ]; + kernelParams = [ "earlykms" ]; }; }; diff --git a/modules/hardware/lenovo-x1/kernel/guest/test/default.nix b/modules/hardware/lenovo-x1/kernel/guest/test/default.nix index 288fd2e55..5e747d15b 100644 --- a/modules/hardware/lenovo-x1/kernel/guest/test/default.nix +++ b/modules/hardware/lenovo-x1/kernel/guest/test/default.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let - config = pkgs.nixos [./test-configuration.nix]; +{ pkgs, ... }: +let + config = pkgs.nixos [ ./test-configuration.nix ]; in - config.config.system.build.toplevel +config.config.system.build.toplevel diff --git a/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix b/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix index 5e8422224..b91f68595 100644 --- a/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix +++ b/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{lib, ...}: { +{ lib, ... }: +{ imports = [ ../../../../x86_64-generic/kernel/host/default.nix ../../../../x86_64-generic/kernel/guest/default.nix diff --git a/modules/hardware/x86_64-generic/kernel/guest/default.nix b/modules/hardware/x86_64-generic/kernel/guest/default.nix index a1628b3b3..9d46dfde3 100644 --- a/modules/hardware/x86_64-generic/kernel/guest/default.nix +++ b/modules/hardware/x86_64-generic/kernel/guest/default.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{lib, ...}: { +{ lib, ... }: +{ options.ghaf.guest.kernel.hardening = { enable = lib.mkOption { description = "Enable Ghaf Guest hardening feature"; 
diff --git a/modules/hardware/x86_64-generic/kernel/hardening.nix b/modules/hardware/x86_64-generic/kernel/hardening.nix index 67826e6b6..f15623a00 100644 --- a/modules/hardware/x86_64-generic/kernel/hardening.nix +++ b/modules/hardware/x86_64-generic/kernel/hardening.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{...}: { +{ ... }: +{ imports = [ ./host ./guest diff --git a/modules/hardware/x86_64-generic/kernel/host/default.nix b/modules/hardware/x86_64-generic/kernel/host/default.nix index 5ff0e4301..ba3fd004c 100644 --- a/modules/hardware/x86_64-generic/kernel/host/default.nix +++ b/modules/hardware/x86_64-generic/kernel/host/default.nix @@ -5,11 +5,12 @@ lib, pkgs, ... -}: let +}: +let inherit (lib) types mkOption mkIf; # Importing kernel builder function from packages and checking hardening options - buildKernel = import ../../../../../packages/kernel {inherit config pkgs lib;}; + buildKernel = import ../../../../../packages/kernel { inherit config pkgs lib; }; config_baseline = ../configs/ghaf_host_hardened_baseline-x86; host_hardened_kernel = buildKernel { inherit config_baseline; @@ -17,7 +18,8 @@ }; cfg = config.ghaf.host.kernel.hardening; -in { +in +{ options.ghaf.host.kernel.hardening = { enable = mkOption { description = "Enable Ghaf Host hardening feature"; @@ -60,10 +62,7 @@ in { boot.kernelPackages = pkgs.linuxPackagesFor host_hardened_kernel; # https://github.com/NixOS/nixpkgs/issues/109280#issuecomment-973636212 nixpkgs.overlays = [ - (_final: prev: { - makeModulesClosure = x: - prev.makeModulesClosure (x // {allowMissing = true;}); - }) + (_final: prev: { makeModulesClosure = x: prev.makeModulesClosure (x // { allowMissing = true; }); }) ]; }; } diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix index 9373c033a..9ccf91bc5 100644 
--- a/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix +++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix @@ -5,7 +5,8 @@ lib, pkgs, ... -}: let +}: +let pkvmKernel = pkgs.linux_6_1.override { argsOverride = rec { src = pkgs.fetchurl { @@ -34,7 +35,8 @@ ]; hyp_cfg = config.ghaf.host.kernel.hardening.hypervisor; -in { +in +{ options.ghaf.host.kernel.hardening.hypervisor.enable = lib.mkOption { description = "Enable Hypervisor hardening feature"; type = lib.types.bool; diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix index 288fd2e55..5e747d15b 100644 --- a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix +++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let - config = pkgs.nixos [./test-configuration.nix]; +{ pkgs, ... }: +let + config = pkgs.nixos [ ./test-configuration.nix ]; in - config.config.system.build.toplevel +config.config.system.build.toplevel diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix index 1f8401faf..fbc6d75f4 100644 --- a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix +++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix @@ -1,9 +1,8 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{lib, ...}: { - imports = [ - ../default.nix - ]; +{ lib, ... }: +{ + imports = [ ../default.nix ]; # pkvm hardening is generic to all x86_64 devices config = { diff --git a/modules/hardware/x86_64-generic/kernel/host/test/default.nix b/modules/hardware/x86_64-generic/kernel/host/test/default.nix index 288fd2e55..5e747d15b 100644 
--- a/modules/hardware/x86_64-generic/kernel/host/test/default.nix
+++ b/modules/hardware/x86_64-generic/kernel/host/test/default.nix
@@ -1,6 +1,7 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{pkgs, ...}: let
- config = pkgs.nixos [./test-configuration.nix];
+{ pkgs, ... }:
+let
+ config = pkgs.nixos [ ./test-configuration.nix ];
 in
- config.config.system.build.toplevel
+config.config.system.build.toplevel
diff --git a/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix b/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
index 98139d0a9..ff8005f0e 100644
--- a/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
+++ b/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
@@ -1,6 +1,7 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{lib, ...}: {
+{ lib, ... }:
+{
 imports = [
 ../default.nix
 # import guest also to bring the defaults (false) to scope
diff --git a/modules/hardware/x86_64-generic/modules/tpm2.nix b/modules/hardware/x86_64-generic/modules/tpm2.nix
index bbb1c9f39..4b6368a62 100644
--- a/modules/hardware/x86_64-generic/modules/tpm2.nix
+++ b/modules/hardware/x86_64-generic/modules/tpm2.nix
@@ -5,9 +5,11 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 cfg = config.ghaf.hardware.tpm2;
-in {
+in
+{
 options.ghaf.hardware.tpm2 = {
 enable = lib.mkEnableOption "TPM2 PKCS#11 interface";
 };
diff --git a/modules/hardware/x86_64-generic/x86_64-linux.nix b/modules/hardware/x86_64-generic/x86_64-linux.nix
index 047fcbfc9..8b80b3739 100644
--- a/modules/hardware/x86_64-generic/x86_64-linux.nix
+++ b/modules/hardware/x86_64-generic/x86_64-linux.nix
@@ -1,12 +1,10 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.hardware.x86_64.common; -in { +in +{ options.ghaf.hardware.x86_64.common = { enable = lib.mkEnableOption "Common x86 configs"; }; @@ -26,7 +24,7 @@ in { boot = { # Enable normal Linux console on the display - kernelParams = ["console=tty0"]; + kernelParams = [ "console=tty0" ]; # To enable installation of ghaf into NVMe drives initrd.availableKernelModules = [ diff --git a/modules/host/default.nix b/modules/host/default.nix index 0da6080f7..5d2413b27 100644 --- a/modules/host/default.nix +++ b/modules/host/default.nix @@ -3,15 +3,14 @@ # # Modules that should be only imported to host # -{lib, ...}: { +{ lib, ... }: +{ networking.hostName = lib.mkDefault "ghaf-host"; # Overlays should be only defined for host, because microvm.nix uses the # pkgs that already has overlays in place. Otherwise the overlay will be # applied twice. - nixpkgs.overlays = [ - (import ../../overlays/custom-packages) - ]; + nixpkgs.overlays = [ (import ../../overlays/custom-packages) ]; imports = [ # To push logs to central location ../common/logging/client.nix diff --git a/modules/imx8/default.nix b/modules/imx8/default.nix index 9c0061398..bfa01f956 100644 --- a/modules/imx8/default.nix +++ b/modules/imx8/default.nix @@ -3,8 +3,4 @@ # # Support for Microchip Polarfire Icicle-Kit # -{ - imports = [ - ./imx8mp-sdimage.nix - ]; -} +{ imports = [ ./imx8mp-sdimage.nix ]; } diff --git a/modules/imx8/imx8mp-sdimage.nix b/modules/imx8/imx8mp-sdimage.nix index f3cf0b40b..c1977c446 100644 --- a/modules/imx8/imx8mp-sdimage.nix +++ b/modules/imx8/imx8mp-sdimage.nix 
@@ -6,12 +6,11 @@ pkgs, modulesPath, ... -}: { - imports = [ - (modulesPath + "/installer/sd-card/sd-image.nix") - ]; +}: +{ + imports = [ (modulesPath + "/installer/sd-card/sd-image.nix") ]; - disabledModules = [(modulesPath + "/profiles/all-hardware.nix")]; + disabledModules = [ (modulesPath + "/profiles/all-hardware.nix") ]; sdImage = { compressImage = false; diff --git a/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix b/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix index d6b0eba87..5bc10e176 100644 --- a/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix +++ b/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix @@ -1,15 +1,11 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.hardware.nvidia.orin.agx; -in { - options.ghaf.hardware.nvidia.orin.agx.enableNetvmWlanPCIPassthrough = - lib.mkEnableOption - "WLAN card PCI passthrough to NetVM"; +in +{ + options.ghaf.hardware.nvidia.orin.agx.enableNetvmWlanPCIPassthrough = lib.mkEnableOption "WLAN card PCI passthrough to NetVM"; config = lib.mkIf cfg.enableNetvmWlanPCIPassthrough { # Orin AGX WLAN card PCI passthrough ghaf.hardware.nvidia.orin.enablePCIPassthroughCommon = true; diff --git a/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix b/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix index 6c22899b7..77cbb66f6 100644 --- a/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix +++ b/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix 
@@ -1,15 +1,11 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.hardware.nvidia.orin.nx; -in { - options.ghaf.hardware.nvidia.orin.nx.enableNetvmEthernetPCIPassthrough = - lib.mkEnableOption - "Ethernet card PCI passthrough to NetVM"; +in +{ + options.ghaf.hardware.nvidia.orin.nx.enableNetvmEthernetPCIPassthrough = lib.mkEnableOption "Ethernet card PCI passthrough to NetVM"; config = lib.mkIf cfg.enableNetvmEthernetPCIPassthrough { # Orin NX Ethernet card PCI Passthrough ghaf.hardware.nvidia.orin.enablePCIPassthroughCommon = true; diff --git a/modules/jetpack/nvidia-jetson-orin/format-module.nix b/modules/jetpack/nvidia-jetson-orin/format-module.nix index 182dd68fd..ca707decb 100644 --- a/modules/jetpack/nvidia-jetson-orin/format-module.nix +++ b/modules/jetpack/nvidia-jetson-orin/format-module.nix @@ -5,9 +5,7 @@ # nixos-generators flake input as an argument. # { - imports = [ - ./sdimage.nix - ]; + imports = [ ./sdimage.nix ]; formatAttr = "sdImage"; } diff --git a/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix b/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix index ef63f6518..b378a15af 100644 --- a/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix +++ b/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix 
@@ -2,21 +2,22 @@ # SPDX-License-Identifier: Apache-2.0 # # Configuration for NVIDIA Jetson Orin AGX/NX reference boards -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.hardware.nvidia.orin; - inherit (lib) mkEnableOption mkOption mkIf types; -in { + inherit (lib) + mkEnableOption + mkOption + mkIf + types + ; +in +{ options.ghaf.hardware.nvidia.orin = { # Enable the Orin boards enable = mkEnableOption "Orin hardware"; - flashScriptOverrides.onlyQSPI = - mkEnableOption - "to only flash QSPI partitions, i.e. disable flashing of boot and root partitions to eMMC"; + flashScriptOverrides.onlyQSPI = mkEnableOption "to only flash QSPI partitions, i.e. disable flashing of boot and root partitions to eMMC"; flashScriptOverrides.preFlashCommands = mkOption { description = "Commands to run before the actual flashing"; @@ -45,7 +46,11 @@ in { modesetting.enable = true; flashScriptOverrides = lib.optionalAttrs (cfg.somType == "agx") { - flashArgs = lib.mkForce ["-r" config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard "mmcblk0p1"]; + flashArgs = lib.mkForce [ + "-r" + config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard + "mmcblk0p1" + ]; }; firmware.uefi = { diff --git a/modules/jetpack/nvidia-jetson-orin/optee.nix b/modules/jetpack/nvidia-jetson-orin/optee.nix index b967a7fc7..1b9f6b8ac 100644 --- a/modules/jetpack/nvidia-jetson-orin/optee.nix +++ b/modules/jetpack/nvidia-jetson-orin/optee.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{lib, ...}: { +{ lib, ... }: +{ options.ghaf.hardware.nvidia.orin.optee = { xtest = lib.mkOption { type = lib.types.bool; diff --git a/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix b/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix index 847e910be..5c2667eb3 100644 --- a/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix +++ b/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix 
@@ -6,28 +6,25 @@ # There is upstream PR waiting for review: # https://github.com/anduril/jetpack-nixos/pull/162 # +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { # mkAfter needed here so that we can be sure the overlay is after the overlay # included from jetpack-nixos. Otherwise it will just override the whole # nvidia-jetpack set. nixpkgs.overlays = lib.mkAfter [ (_final: prev: { - nvidia-jetpack = - prev.nvidia-jetpack - // { - otaUtils = prev.nvidia-jetpack.otaUtils.overrideAttrs (_finalAttrs: prevAttrs: { - depsBuildHost = [pkgs.bash]; + nvidia-jetpack = prev.nvidia-jetpack // { + otaUtils = prev.nvidia-jetpack.otaUtils.overrideAttrs ( + _finalAttrs: prevAttrs: { + depsBuildHost = [ pkgs.bash ]; installPhase = prevAttrs.installPhase + '' substituteInPlace $out/bin/* --replace '#!/usr/bin/env bash' '#!${pkgs.bash}/bin/bash' ''; - }); - }; + } + ); + }; }) ]; } diff --git a/modules/jetpack/nvidia-jetson-orin/partition-template.nix b/modules/jetpack/nvidia-jetson-orin/partition-template.nix index 33403345b..fda796b80 100644 --- a/modules/jetpack/nvidia-jetson-orin/partition-template.nix +++ b/modules/jetpack/nvidia-jetson-orin/partition-template.nix @@ -8,7 +8,8 @@ config, lib, ... -}: let +}: +let # Using the same config for all orin boards (for now) # TODO should this be changed when NX added cfg = config.ghaf.hardware.nvidia.orin; 
@@ -75,18 +76,20 @@ # NVIDIA-supplied flash_t234_qspi_sdmmc.xml, with the partitions specified in # the above partitionsEmmc variable. partitionTemplateReplaceRange = - if !cfg.flashScriptOverrides.onlyQSPI - then { - firstLineCount = 588; - lastLineCount = 2; - } - else { - # If we don't flash anything to eMMC, then we don't need to have the - # XML-tag at all. - firstLineCount = 587; - lastLineCount = 1; - }; - partitionTemplate = pkgs.runCommand "flash.xml" {} ('' + if !cfg.flashScriptOverrides.onlyQSPI then + { + firstLineCount = 588; + lastLineCount = 2; + } + else + { + # If we don't flash anything to eMMC, then we don't need to have the + # XML-tag at all. + firstLineCount = 587; + lastLineCount = 1; + }; + partitionTemplate = pkgs.runCommand "flash.xml" { } ( + '' head -n ${builtins.toString partitionTemplateReplaceRange.firstLineCount} ${pkgs.nvidia-jetpack.bspSrc}/bootloader/t186ref/cfg/flash_t234_qspi_sdmmc.xml >"$out" '' @@ -99,8 +102,10 @@ + '' tail -n ${builtins.toString partitionTemplateReplaceRange.lastLineCount} ${pkgs.nvidia-jetpack.bspSrc}/bootloader/t186ref/cfg/flash_t234_qspi_sdmmc.xml >>"$out" - ''); -in { + '' + ); +in +{ config = lib.mkIf cfg.enable { hardware.nvidia-jetpack.flashScriptOverrides.partitionTemplate = partitionTemplate; diff --git a/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix b/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix index 49791462a..56d447427 100644 --- a/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix +++ b/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix 
@@ -1,15 +1,11 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- lib,
- config,
- ...
-}: let
+{ lib, config, ... }:
+let
 cfg = config.ghaf.hardware.nvidia.orin;
-in {
- options.ghaf.hardware.nvidia.orin.enablePCIPassthroughCommon =
- lib.mkEnableOption
- "Enable common options related to PCI passthrough on Orin AGX and NX";
+in
+{
+ options.ghaf.hardware.nvidia.orin.enablePCIPassthroughCommon = lib.mkEnableOption "Enable common options related to PCI passthrough on Orin AGX and NX";
 config = lib.mkIf cfg.enablePCIPassthroughCommon {
 boot.kernelModules = [
 "vfio_pci"
diff --git a/modules/jetpack/nvidia-jetson-orin/sdimage.nix b/modules/jetpack/nvidia-jetson-orin/sdimage.nix
index 6bb8ba69d..870d834fa 100644
--- a/modules/jetpack/nvidia-jetson-orin/sdimage.nix
+++ b/modules/jetpack/nvidia-jetson-orin/sdimage.nix
@@ -16,66 +16,71 @@ pkgs, modulesPath, ... -}: { - imports = [ - (modulesPath + "/installer/sd-card/sd-image.nix") - ]; +}: +{ + imports = [ (modulesPath + "/installer/sd-card/sd-image.nix") ]; boot.loader.grub.enable = false; - disabledModules = [(modulesPath + "/profiles/all-hardware.nix")]; + disabledModules = [ (modulesPath + "/profiles/all-hardware.nix") ]; - sdImage = let - mkESPContentSource = pkgs.substituteAll { - src = ./mk-esp-contents.py; - isExecutable = true; - inherit (pkgs.buildPackages) python3; - }; - mkESPContent = - pkgs.runCommand "mk-esp-contents" { - nativeBuildInputs = with pkgs; [mypy python3]; - } '' - install -m755 ${mkESPContentSource} $out - mypy \ - --no-implicit-optional \ - --disallow-untyped-calls \ - --disallow-untyped-defs \ - $out + sdImage = + let + mkESPContentSource = pkgs.substituteAll { + src = ./mk-esp-contents.py; + isExecutable = true; + inherit (pkgs.buildPackages) python3; + }; + mkESPContent = + pkgs.runCommand "mk-esp-contents" + { + nativeBuildInputs = with pkgs; [ + mypy + python3 + ]; + } + '' + install -m755 ${mkESPContentSource} $out + mypy \ + --no-implicit-optional \ + --disallow-untyped-calls \ + --disallow-untyped-defs \ + $out + ''; + fdtPath = "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}"; + in + { + firmwareSize = 256; + populateFirmwareCommands = '' + mkdir -pv firmware + ${mkESPContent} \ + --toplevel ${config.system.build.toplevel} \ + --output firmware/ \ + --device-tree ${fdtPath} ''; - fdtPath = "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}"; - in { - firmwareSize = 256; - populateFirmwareCommands = '' - mkdir -pv firmware - ${mkESPContent} \ - --toplevel ${config.system.build.toplevel} \ - --output firmware/ \ - --device-tree ${fdtPath} - ''; - populateRootCommands = '' - ''; - postBuildCommands = '' - img=$out/sd-image/${config.sdImage.imageName} - fdisk_output=$(fdisk -l "$img") + populateRootCommands = ''''; + postBuildCommands = '' + 
img=$out/sd-image/${config.sdImage.imageName} + fdisk_output=$(fdisk -l "$img") - # Offsets and sizes are in 512 byte sectors - blocksize=512 + # Offsets and sizes are in 512 byte sectors + blocksize=512 - # ESP partition offset and sector count - part_esp=$(echo -n "$fdisk_output" | tail -n 2 | head -n 1 | tr -s ' ') - part_esp_begin=$(echo -n "$part_esp" | cut -d ' ' -f2) - part_esp_count=$(echo -n "$part_esp" | cut -d ' ' -f4) + # ESP partition offset and sector count + part_esp=$(echo -n "$fdisk_output" | tail -n 2 | head -n 1 | tr -s ' ') + part_esp_begin=$(echo -n "$part_esp" | cut -d ' ' -f2) + part_esp_count=$(echo -n "$part_esp" | cut -d ' ' -f4) - # root-partition offset and sector count - part_root=$(echo -n "$fdisk_output" | tail -n 1 | head -n 1 | tr -s ' ') - part_root_begin=$(echo -n "$part_root" | cut -d ' ' -f3) - part_root_count=$(echo -n "$part_root" | cut -d ' ' -f4) + # root-partition offset and sector count + part_root=$(echo -n "$fdisk_output" | tail -n 1 | head -n 1 | tr -s ' ') + part_root_begin=$(echo -n "$part_root" | cut -d ' ' -f3) + part_root_count=$(echo -n "$part_root" | cut -d ' ' -f4) - echo -n $part_esp_begin > $out/esp.offset - echo -n $part_esp_count > $out/esp.size - echo -n $part_root_begin > $out/root.offset - echo -n $part_root_count > $out/root.size - ''; - }; + echo -n $part_esp_begin > $out/esp.offset + echo -n $part_esp_count > $out/esp.size + echo -n $part_root_begin > $out/root.offset + echo -n $part_root_count > $out/root.size + ''; + }; fileSystems."/boot" = { device = "/dev/disk/by-label/${config.sdImage.firmwarePartitionName}"; diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix index c2b5968a2..a92ad9d8f 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix 
+++ b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix @@ -1,12 +1,10 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.hardware.nvidia.virtualization; -in { +in +{ options.ghaf.hardware.nvidia.virtualization.enable = lib.mkOption { type = lib.types.bool; default = false; @@ -58,6 +56,6 @@ in { } ]; - boot.kernelParams = ["vfio_iommu_type1.allow_unsafe_interrupts=1"]; + boot.kernelParams = [ "vfio_iommu_type1.allow_unsafe_interrupts=1" ]; }; } diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix index abb96497d..1ed0197f5 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix @@ -5,9 +5,11 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.hardware.nvidia.virtualization.host.bpmp; -in { +in +{ options.ghaf.hardware.nvidia.virtualization.host.bpmp.enable = lib.mkOption { type = lib.types.bool; default = false; @@ -21,7 +23,7 @@ in { }; config = lib.mkIf cfg.enable { - nixpkgs.overlays = [(import ./overlays/qemu)]; + nixpkgs.overlays = [ (import ./overlays/qemu) ]; boot.kernelPatches = [ { diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix index 74be8ba34..8517238f6 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix 
@@ -1,11 +1,7 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 (_final: prev: { - qemu_kvm = prev.qemu_kvm.overrideAttrs (_final: prev: { - patches = - prev.patches - ++ [ - ./patches/0001-qemu-v8.1.3_bpmp-virt.patch - ]; - }); + qemu_kvm = prev.qemu_kvm.overrideAttrs ( + _final: prev: { patches = prev.patches ++ [ ./patches/0001-qemu-v8.1.3_bpmp-virt.patch ]; } + ); }) diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix index 8a79ee17b..2b0474b54 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix @@ -5,9 +5,11 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.hardware.nvidia.passthroughs.host.uarta; -in { +in +{ options.ghaf.hardware.nvidia.passthroughs.host.uarta.enable = lib.mkOption { type = lib.types.bool; default = false; @@ -23,7 +25,7 @@ in { systemd.services = { enableVfioPlatform = { description = "Enable the vfio-platform driver for UARTA"; - wantedBy = ["bindSerial3100000.service"]; + wantedBy = [ "bindSerial3100000.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; @@ -35,8 +37,8 @@ in { bindSerial3100000 = { description = "Bind UARTA to the vfio-platform driver"; - wantedBy = ["multi-user.target"]; - after = ["enableVfioPlatform.service"]; + wantedBy = [ "multi-user.target" ]; + after = [ "enableVfioPlatform.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/default.nix index 6ce2d31a5..1e0e3cc6c 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/default.nix 
+++ b/modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/default.nix @@ -5,9 +5,11 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.hardware.nvidia.passthroughs.uarti_net_vm; -in { +in +{ options.ghaf.hardware.nvidia.passthroughs.uarti_net_vm.enable = lib.mkOption { type = lib.types.bool; default = false; @@ -26,9 +28,7 @@ in { # Use serial passthrough (ttyAMA0) and virtual PCI serial (ttyS0) # as Linux console microvm = { - kernelParams = [ - "console=ttyAMA0 console=ttyS0" - ]; + kernelParams = [ "console=ttyAMA0 console=ttyS0" ]; qemu = { serialConsole = false; extraArgs = [ @@ -48,7 +48,7 @@ in { ]; # Make sure that Net-VM runs after the binding services are enabled - systemd.services."microvm@net-vm".after = ["bindSerial31d0000.service"]; + systemd.services."microvm@net-vm".after = [ "bindSerial31d0000.service" ]; boot.kernelPatches = [ { @@ -59,7 +59,7 @@ in { systemd.services.bindSerial31d0000 = { description = "Bind UARTI to the vfio-platform driver"; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; diff --git a/modules/jetpack/profiles/debug.nix b/modules/jetpack/profiles/debug.nix index 63009e03e..ec85ad421 100644 --- a/modules/jetpack/profiles/debug.nix +++ b/modules/jetpack/profiles/debug.nix @@ -1,13 +1,11 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.profiles.debug; -in { +in +{ config = lib.mkIf cfg.enable { # Enable default accounts and passwords ghaf.hardware.nvidia.orin.optee = { diff --git a/modules/jetpack/profiles/default.nix b/modules/jetpack/profiles/default.nix index 23deb7be2..1fe227f67 100644 --- a/modules/jetpack/profiles/default.nix +++ b/modules/jetpack/profiles/default.nix 
@@ -1,7 +1,3 @@
 # Copyright 2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- imports = [
- ./debug.nix
- ];
-}
+{ imports = [ ./debug.nix ]; }
diff --git a/modules/lanzaboote/default.nix b/modules/lanzaboote/default.nix
index bffedf479..ca65483b9 100644
--- a/modules/lanzaboote/default.nix
+++ b/modules/lanzaboote/default.nix
@@ -7,9 +7,11 @@
 pkgs,
 config,
 ...
-}: let
+}:
+let
 cfg = config.ghaf.host.secureboot;
-in {
+in
+{
 options.ghaf.host.secureboot = {
 enable = lib.mkEnableOption "Host secureboot";
 };
diff --git a/modules/microvm/flake-module.nix b/modules/microvm/flake-module.nix
index fc2a048a3..1874b0309 100644
--- a/modules/microvm/flake-module.nix
+++ b/modules/microvm/flake-module.nix
@@ -1,6 +1,7 @@
 # Copyright 2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{inputs, ...}: {
+{ inputs, ... }:
+{
 flake.nixosModules = {
 microvm.imports = [
 inputs.microvm.nixosModules.host
diff --git a/modules/microvm/networking.nix b/modules/microvm/networking.nix
index 7ec18deb0..01d075856 100644
--- a/modules/microvm/networking.nix
+++ b/modules/microvm/networking.nix
@@ -5,13 +5,15 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 cfg = config.ghaf.host.networking;
 sshKeysHelper = pkgs.callPackage ../../packages/ssh-keys-helper {
 inherit pkgs;
 inherit config;
 };
-in {
+in
+{
 options.ghaf.host.networking = {
 enable = lib.mkEnableOption "Host networking";
 # TODO add options to configure the network, e.g. ip addr etc
@@ -33,11 +35,7 @@ in {
 networks."10-virbr0" = {
 matchConfig.Name = "virbr0";
 networkConfig.DHCPServer = false;
- addresses = [
- {
- Address = "192.168.101.2/24";
- }
- ];
+ addresses = [ { Address = "192.168.101.2/24"; } ];
 };
 # Connect VM tun/tap device to the bridge
 # TODO configure this based on IF the netvm is enabled
@@ -48,8 +46,7 @@ in { }; environment.etc = { - ${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = - sshKeysHelper.getAuthKeysSource; + ${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource; }; services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; diff --git a/modules/microvm/power-control.nix b/modules/microvm/power-control.nix index a0adaf9e0..323d01087 100644 --- a/modules/microvm/power-control.nix +++ b/modules/microvm/power-control.nix @@ -1,19 +1,15 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.host.powercontrol; -in { +in +{ options.ghaf.host.powercontrol.enable = lib.mkOption { type = lib.types.bool; default = false; description = "Enable host power control"; }; - config = - lib.mkIf cfg.enable { - }; + config = lib.mkIf cfg.enable { }; } diff --git a/modules/microvm/virtualization/microvm/adminvm.nix b/modules/microvm/virtualization/microvm/adminvm.nix index 51f69dfc0..dd6147825 100644 --- a/modules/microvm/virtualization/microvm/adminvm.nix +++ b/modules/microvm/virtualization/microvm/adminvm.nix @@ -1,10 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let configHost = config; vmName = "admin-vm"; macAddress = "02:00:00:AD:01:01"; 
@@ -13,94 +10,103 @@ adminvmBaseConfiguration = { imports = [ (import ./common/vm-networking.nix { - inherit config lib vmName macAddress; + inherit + config + lib + vmName + macAddress + ; internalIP = 10; }) # We need to retrieve mac address and start log aggregator ../../../common/logging/hw-mac-retrieve.nix ../../../common/logging/logs-aggregator.nix - ({lib, ...}: { - ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; - profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - development = { - # NOTE: SSH port also becomes accessible on the network interface - # that has been passed through to VM - ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; - debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; - }; - systemd = { - enable = true; - withName = "adminvm-systemd"; - withAudit = configHost.ghaf.profiles.debug.enable; - withNss = true; - withResolved = true; - withPolkit = true; - withTimesyncd = true; - withDebug = configHost.ghaf.profiles.debug.enable; - withHardenedConfigs = true; - }; + ( + { lib, ... 
}: + { + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to VM + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "adminvm-systemd"; + withAudit = configHost.ghaf.profiles.debug.enable; + withNss = true; + withResolved = true; + withPolkit = true; + withTimesyncd = true; + withDebug = configHost.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; - # Log aggregation configuration - logging.client.enable = isLoggingEnabled; - logging.listener.address = configHost.ghaf.logging.listener.address; - logging.listener.port = configHost.ghaf.logging.listener.port; - logging.identifierFilePath = "/var/lib/private/alloy/MACAddress"; - logging.server.endpoint = "https://loki.ghaflogs.vedenemo.dev/loki/api/v1/push"; - }; + # Log aggregation configuration + logging.client.enable = isLoggingEnabled; + logging.listener.address = configHost.ghaf.logging.listener.address; + logging.listener.port = configHost.ghaf.logging.listener.port; + logging.identifierFilePath = "/var/lib/private/alloy/MACAddress"; + logging.server.endpoint = "https://loki.ghaflogs.vedenemo.dev/loki/api/v1/push"; + }; - system.stateVersion = lib.trivial.release; + system.stateVersion = lib.trivial.release; - nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; - nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; - networking = { - 
firewall.allowedTCPPorts = lib.mkIf isLoggingEnabled [config.ghaf.logging.listener.port]; - firewall.allowedUDPPorts = []; - }; + networking = { + firewall.allowedTCPPorts = lib.mkIf isLoggingEnabled [ config.ghaf.logging.listener.port ]; + firewall.allowedUDPPorts = [ ]; + }; - systemd.network = { - enable = true; - networks."10-ethint0" = { - matchConfig.MACAddress = macAddress; - linkConfig.ActivationPolicy = "always-up"; + systemd.network = { + enable = true; + networks."10-ethint0" = { + matchConfig.MACAddress = macAddress; + linkConfig.ActivationPolicy = "always-up"; + }; }; - }; - microvm = { - optimize.enable = true; - #TODO: Add back support cloud-hypervisor - #the system fails to switch root to the stage2 with cloud-hypervisor - hypervisor = "qemu"; - shares = - [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - } - ] - ++ lib.optionals isLoggingEnabled [ - { - # Creating a persistent log-store which is mapped on ghaf-host - # This is only to preserve logs state across adminvm reboots - tag = "log-store"; - source = "/var/lib/private/alloy"; - mountPoint = "/var/lib/private/alloy"; - proto = "virtiofs"; - } - ]; + microvm = { + optimize.enable = true; + #TODO: Add back support cloud-hypervisor + #the system fails to switch root to the stage2 with cloud-hypervisor + hypervisor = "qemu"; + shares = + [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + } + ] + ++ lib.optionals isLoggingEnabled [ + { + # Creating a persistent log-store which is mapped on ghaf-host + # This is only to preserve logs state across adminvm reboots + tag = "log-store"; + source = "/var/lib/private/alloy"; + mountPoint = "/var/lib/private/alloy"; + proto = "virtiofs"; + } + ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - }; - imports = [../../../common]; - }) + writableStoreOverlay = lib.mkIf 
config.ghaf.development.debug.tools.enable "/nix/.rw-store";
+ };
+ imports = [ ../../../common ];
+ }
+ )
 ];
 };
 cfg = config.ghaf.virtualization.microvm.adminvm;
-in {
+in
+{
 options.ghaf.virtualization.microvm.adminvm = {
 enable = lib.mkEnableOption "AdminVM";
@@ -109,20 +115,16 @@ in {
 List of additional modules to be imported and evaluated as part of
 AdminVM's NixOS configuration.
 '';
- default = [];
+ default = [ ];
 };
 };
 config = lib.mkIf cfg.enable {
 microvm.vms."${vmName}" = {
 autostart = true;
- config =
- adminvmBaseConfiguration
- // {
- imports =
- adminvmBaseConfiguration.imports
- ++ cfg.extraModules;
- };
+ config = adminvmBaseConfiguration // {
+ imports = adminvmBaseConfiguration.imports ++ cfg.extraModules;
+ };
 };
 };
 }
diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix
index 5b4952717..eab16ddae 100644
--- a/modules/microvm/virtualization/microvm/appvm.nix
+++ b/modules/microvm/virtualization/microvm/appvm.nix
@@ -5,7 +5,8 @@
 lib,
 pkgs,
 ...
-}: let
+}:
+let
 inherit (lib) mkOption types optional;
 configHost = config;
@@ -16,215 +17,223 @@ config = configHost; }; - makeVm = { - vm, - index, - }: let - vmName = "${vm.name}-vm"; - cid = - if vm.cid > 0 - then vm.cid - else cfg.vsockBaseCID + index; - appvmConfiguration = { - imports = [ - (import ./common/vm-networking.nix { - inherit config lib vmName; - inherit (vm) macAddress; - internalIP = index + 100; - }) - # To push logs to central location - ../../../common/logging/client.nix - ({ - lib, - config, - pkgs, - ... - }: let - waypipeBorder = - if vm.borderColor != null - then "--border \"${vm.borderColor}\"" - else ""; - runWaypipe = pkgs.writeScriptBin "run-waypipe" '' - #!${pkgs.runtimeShell} -e - ${pkgs.waypipe}/bin/waypipe --vsock -s ${toString configHost.ghaf.virtualization.microvm.guivm.waypipePort} ${waypipeBorder} server "$@" - ''; - in { - ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; - profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - - development = { - ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; - debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; - }; - systemd = { - enable = true; - withName = "appvm-systemd"; - withAudit = configHost.ghaf.profiles.debug.enable; - withNss = true; - withResolved = true; - withTimesyncd = true; - withPolkit = true; - withDebug = configHost.ghaf.profiles.debug.enable; - withHardenedConfigs = true; - }; - # Logging client configuration - logging.client.enable = configHost.ghaf.logging.client.enable; - logging.client.endpoint = configHost.ghaf.logging.client.endpoint; - }; + makeVm = + { vm, index }: + let + vmName = "${vm.name}-vm"; + cid = if vm.cid > 0 then vm.cid else cfg.vsockBaseCID + index; + appvmConfiguration = { + imports = [ + (import ./common/vm-networking.nix { + inherit config lib vmName; + inherit (vm) macAddress; + internalIP = index + 100; + }) + # 
To push logs to central location + ../../../common/logging/client.nix + ( + { + lib, + config, + pkgs, + ... + }: + let + waypipeBorder = if vm.borderColor != null then "--border \"${vm.borderColor}\"" else ""; + runWaypipe = pkgs.writeScriptBin "run-waypipe" '' + #!${pkgs.runtimeShell} -e + ${pkgs.waypipe}/bin/waypipe --vsock -s ${toString configHost.ghaf.virtualization.microvm.guivm.waypipePort} ${waypipeBorder} server "$@" + ''; + in + { + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - # SSH is very picky about the file permissions and ownership and will - # accept neither direct path inside /nix/store or symlink that points - # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by - # setting mode), instead of symlinking it. - environment.etc.${configHost.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource; - services.openssh = configHost.ghaf.security.sshKeys.sshAuthorizedKeysCommand; + development = { + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "appvm-systemd"; + withAudit = configHost.ghaf.profiles.debug.enable; + withNss = true; + withResolved = true; + withTimesyncd = true; + withPolkit = true; + withDebug = configHost.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + # Logging client configuration + logging.client.enable = configHost.ghaf.logging.client.enable; + logging.client.endpoint = configHost.ghaf.logging.client.endpoint; + }; - system.stateVersion = lib.trivial.release; + # SSH is very picky about the file permissions and ownership and will + # accept neither direct path inside /nix/store or symlink that points + # there. 
Therefore we copy the file to /etc/ssh/get-auth-keys (by + # setting mode), instead of symlinking it. + environment.etc.${configHost.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = + sshKeysHelper.getAuthKeysSource; + services.openssh = configHost.ghaf.security.sshKeys.sshAuthorizedKeysCommand; - nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; - nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + system.stateVersion = lib.trivial.release; - environment.systemPackages = [ - pkgs.waypipe - runWaypipe - pkgs.tpm2-tools - pkgs.opensc - ]; + nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; - security.tpm2 = { - enable = true; - abrmd.enable = true; - }; + environment.systemPackages = [ + pkgs.waypipe + runWaypipe + pkgs.tpm2-tools + pkgs.opensc + ]; - microvm = { - optimize.enable = false; - mem = vm.ramMb; - vcpu = vm.cores; - hypervisor = "qemu"; - shares = [ - { - tag = "waypipe-ssh-public-key"; - source = configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - mountPoint = configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - } - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + security.tpm2 = { + enable = true; + abrmd.enable = true; + }; - qemu = { - extraArgs = - [ - "-M" - "accel=kvm:tcg,mem-merge=on,sata=off" - "-device" - "vhost-vsock-pci,guest-cid=${toString cid}" - ] - ++ lib.optionals vm.vtpm.enable [ - "-chardev" - "socket,id=chrtpm,path=/var/lib/swtpm/${vm.name}-sock" - "-tpmdev" - "emulator,id=tpm0,chardev=chrtpm" - "-device" - "tpm-tis,tpmdev=tpm0" + microvm = { + optimize.enable = false; + mem = vm.ramMb; + vcpu = vm.cores; + hypervisor = "qemu"; + shares = [ + { + tag = "waypipe-ssh-public-key"; + source = configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + 
mountPoint = configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } ]; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - machine = - { - # Use the same machine type as the host - x86_64-linux = "q35"; - aarch64-linux = "virt"; - } - .${configHost.nixpkgs.hostPlatform.system}; - }; - }; - fileSystems."${configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir}".options = ["ro"]; + qemu = { + extraArgs = + [ + "-M" + "accel=kvm:tcg,mem-merge=on,sata=off" + "-device" + "vhost-vsock-pci,guest-cid=${toString cid}" + ] + ++ lib.optionals vm.vtpm.enable [ + "-chardev" + "socket,id=chrtpm,path=/var/lib/swtpm/${vm.name}-sock" + "-tpmdev" + "emulator,id=tpm0,chardev=chrtpm" + "-device" + "tpm-tis,tpmdev=tpm0" + ]; - imports = [../../../common]; - }) - ]; + machine = + { + # Use the same machine type as the host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${configHost.nixpkgs.hostPlatform.system}; + }; + }; + fileSystems."${configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir}".options = [ "ro" ]; + + imports = [ ../../../common ]; + } + ) + ]; + }; + in + { + autostart = true; + config = appvmConfiguration // { + imports = + appvmConfiguration.imports + ++ cfg.extraModules + ++ vm.extraModules + ++ [ { environment.systemPackages = vm.packages; } ]; + }; }; - in { - autostart = true; - config = appvmConfiguration // {imports = appvmConfiguration.imports ++ cfg.extraModules ++ vm.extraModules ++ [{environment.systemPackages = vm.packages;}];}; - }; # Host service dependencies after = optional config.ghaf.services.audio.enable "pulseaudio.service"; requires = after; # Sleep appvms to give gui-vm time to start serviceConfig.ExecStartPre = "/bin/sh -c 'sleep 8'"; -in { +in +{ options.ghaf.virtualization.microvm.appvm = { enable = lib.mkEnableOption "appvm"; vms = mkOption { description = '' List of AppVMs to be created ''; - 
type = lib.types.listOf (types.submodule { - options = { - name = mkOption { - description = '' - Name of the AppVM - ''; - type = types.str; - }; - packages = mkOption { - description = '' - Packages that are included into the AppVM - ''; - type = types.listOf types.package; - default = []; - }; - macAddress = mkOption { - description = '' - AppVM's network interface MAC address - ''; - type = types.str; - }; - ramMb = mkOption { - description = '' - Amount of RAM for this AppVM - ''; - type = types.int; - }; - cores = mkOption { - description = '' - Amount of processor cores for this AppVM - ''; - type = types.int; - }; - extraModules = mkOption { - description = '' - List of additional modules to be imported and evaluated as part of - appvm's NixOS configuration. - ''; - default = []; - }; - cid = mkOption { - description = '' - VSOCK context identifier (CID) for the AppVM - Default value 0 means auto-assign using vsockBaseCID and AppVM index - ''; - type = types.int; - default = 0; - }; - borderColor = mkOption { - description = '' - Border color of the AppVM window - ''; - type = types.nullOr types.str; - default = null; + type = lib.types.listOf ( + types.submodule { + options = { + name = mkOption { + description = '' + Name of the AppVM + ''; + type = types.str; + }; + packages = mkOption { + description = '' + Packages that are included into the AppVM + ''; + type = types.listOf types.package; + default = [ ]; + }; + macAddress = mkOption { + description = '' + AppVM's network interface MAC address + ''; + type = types.str; + }; + ramMb = mkOption { + description = '' + Amount of RAM for this AppVM + ''; + type = types.int; + }; + cores = mkOption { + description = '' + Amount of processor cores for this AppVM + ''; + type = types.int; + }; + extraModules = mkOption { + description = '' + List of additional modules to be imported and evaluated as part of + appvm's NixOS configuration. 
+ ''; + default = [ ]; + }; + cid = mkOption { + description = '' + VSOCK context identifier (CID) for the AppVM + Default value 0 means auto-assign using vsockBaseCID and AppVM index + ''; + type = types.int; + default = 0; + }; + borderColor = mkOption { + description = '' + Border color of the AppVM window + ''; + type = types.nullOr types.str; + default = null; + }; + vtpm.enable = lib.mkEnableOption "vTPM support in the virtual machine"; }; - vtpm.enable = lib.mkEnableOption "vTPM support in the virtual machine"; - }; - }); - default = []; + } + ); + default = [ ]; }; extraModules = mkOption { @@ -232,7 +241,7 @@ in { List of additional modules to be imported and evaluated as part of appvm's NixOS configuration. ''; - default = []; + default = [ ]; }; # Base VSOCK CID which is used for auto assigning CIDs for all AppVMs 
@@ -247,53 +256,59 @@ in { }; }; - config = let - makeSwtpmService = {vm}: let - swtpmScript = pkgs.writeShellApplication { - name = "${vm.name}-swtpm"; - runtimeInputs = with pkgs; [coreutils swtpm]; - text = '' - mkdir -p /var/lib/swtpm/${vm.name}-state - swtpm socket --tpmstate dir=/var/lib/swtpm/${vm.name}-state \ - --ctrl type=unixio,path=/var/lib/swtpm/${vm.name}-sock \ - --tpm2 \ - --log level=20 - ''; - }; - in - lib.mkIf vm.vtpm.enable { - enable = true; - description = "swtpm service for ${vm.name}"; - path = [swtpmScript]; - wantedBy = ["microvms.target"]; - serviceConfig = { - Type = "simple"; - User = "microvm"; - Restart = "always"; - StateDirectory = "swtpm"; - StandardOutput = "journal"; - StandardError = "journal"; - ExecStart = "${swtpmScript}/bin/${vm.name}-swtpm"; + config = + let + makeSwtpmService = + { vm }: + let + swtpmScript = pkgs.writeShellApplication { + name = "${vm.name}-swtpm"; + runtimeInputs = with pkgs; [ + coreutils + swtpm + ]; + text = '' + mkdir -p /var/lib/swtpm/${vm.name}-state + swtpm socket --tpmstate dir=/var/lib/swtpm/${vm.name}-state \ + --ctrl type=unixio,path=/var/lib/swtpm/${vm.name}-sock \ + --tpm2 \ + --log level=20 + ''; + }; + in + lib.mkIf vm.vtpm.enable { + enable = true; + description = "swtpm service for ${vm.name}"; + path = [ swtpmScript ]; + wantedBy = [ "microvms.target" ]; + serviceConfig = { + Type = "simple"; + User = "microvm"; + Restart = "always"; + StateDirectory = "swtpm"; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = "${swtpmScript}/bin/${vm.name}-swtpm"; + }; }; - }; - in + in lib.mkIf cfg.enable { - microvm.vms = let - vms = lib.imap0 (index: vm: {"${vm.name}-vm" = makeVm {inherit index vm;};}) cfg.vms; - in - lib.foldr lib.recursiveUpdate {} vms; + microvm.vms = + let + vms = lib.imap0 (index: vm: { "${vm.name}-vm" = makeVm { inherit index vm; }; }) cfg.vms; + in + lib.foldr lib.recursiveUpdate { } vms; # Apply host service dependencies, add swtpm - systemd.services 
= let - serviceDependencies = - map (vm: { + systemd.services = + let + serviceDependencies = map (vm: { "microvm@${vm.name}-vm" = { inherit after requires serviceConfig; }; - "${vm.name}-swtpm" = makeSwtpmService {inherit vm;}; - }) - cfg.vms; - in - lib.foldr lib.recursiveUpdate {} serviceDependencies; + "${vm.name}-swtpm" = makeSwtpmService { inherit vm; }; + }) cfg.vms; + in + lib.foldr lib.recursiveUpdate { } serviceDependencies; }; } diff --git a/modules/microvm/virtualization/microvm/audiovm.nix b/modules/microvm/virtualization/microvm/audiovm.nix index 5a94b4747..1fdd05dbe 100644 --- a/modules/microvm/virtualization/microvm/audiovm.nix +++ b/modules/microvm/virtualization/microvm/audiovm.nix @@ -5,7 +5,8 @@ lib, pkgs, ... -}: let +}: +let configHost = config; vmName = "audio-vm"; macAddress = "02:00:00:03:03:03"; 
@@ -19,112 +20,119 @@ audiovmBaseConfiguration = { imports = [ (import ./common/vm-networking.nix { - inherit config lib vmName macAddress; + inherit + config + lib + vmName + macAddress + ; internalIP = 5; }) - ({ - lib, - pkgs, - ... - }: { - imports = [ - ../../../common - ]; + ( + { lib, pkgs, ... }: + { + imports = [ ../../../common ]; - ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; - profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - development = { - ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; - debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + development = { + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "audiovm-systemd"; + withAudit = configHost.ghaf.profiles.debug.enable; + withNss = true; + withResolved = true; + withTimesyncd = true; + withDebug = configHost.ghaf.profiles.debug.enable; + }; + services.audio.enable = true; }; - systemd = { - enable = true; - withName = "audiovm-systemd"; - withAudit = configHost.ghaf.profiles.debug.enable; - withNss = true; - withResolved = true; - withTimesyncd = true; - withDebug = configHost.ghaf.profiles.debug.enable; - }; - services.audio.enable = true; - }; - environment = { - systemPackages = [ - pkgs.pulseaudio - pkgs.pamixer - pkgs.pipewire - ]; - }; + environment = { + systemPackages = [ + pkgs.pulseaudio + pkgs.pamixer + pkgs.pipewire + ]; + }; - time.timeZone = 
config.time.timeZone; - system.stateVersion = lib.trivial.release; + time.timeZone = config.time.timeZone; + system.stateVersion = lib.trivial.release; - nixpkgs = { - buildPlatform.system = configHost.nixpkgs.buildPlatform.system; - hostPlatform.system = configHost.nixpkgs.hostPlatform.system; - }; + nixpkgs = { + buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + }; - services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; + services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; - microvm = { - optimize.enable = true; - vcpu = 1; - mem = 256; - hypervisor = "qemu"; - shares = - [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ] - ++ lib.optionals isGuiVmEnabled [ - { - # Add the waypipe-ssh public key to the microvm - tag = config.ghaf.security.sshKeys.waypipeSshPublicKeyName; - source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - } - ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - qemu = { - machine = - { - # Use the same machine type as the host - x86_64-linux = "q35"; - aarch64-linux = "virt"; - } - .${configHost.nixpkgs.hostPlatform.system}; + microvm = { + optimize.enable = true; + vcpu = 1; + mem = 256; + hypervisor = "qemu"; + shares = + [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] + ++ lib.optionals isGuiVmEnabled [ + { + # Add the waypipe-ssh public key to the microvm + tag = config.ghaf.security.sshKeys.waypipeSshPublicKeyName; + source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } + ]; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + qemu = { + machine = + { + # Use the same machine type as the 
host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${configHost.nixpkgs.hostPlatform.system}; + }; }; - }; - fileSystems = lib.mkIf isGuiVmEnabled {${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = ["ro"];}; + fileSystems = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = [ "ro" ]; + }; - # Fixed IP-address for debugging subnet - # SSH is very picky about to file permissions and ownership and will - # accept neither direct path inside /nix/store or symlink that points - # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by - # setting mode), instead of symlinking it. - environment.etc = lib.mkIf isGuiVmEnabled {${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource;}; + # Fixed IP-address for debugging subnet + # SSH is very picky about to file permissions and ownership and will + # accept neither direct path inside /nix/store or symlink that points + # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by + # setting mode), instead of symlinking it. + environment.etc = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource; + }; - systemd.network.networks."10-ethint0".addresses = let - getAudioVmEntry = builtins.filter (x: x.name == "audio-vm-debug") config.ghaf.networking.hosts.entries; - ip = lib.head (builtins.map (x: x.ip) getAudioVmEntry); - in [ - { - Address = "${ip}/24"; - } - ]; - }) + systemd.network.networks."10-ethint0".addresses = + let + getAudioVmEntry = builtins.filter ( + x: x.name == "audio-vm-debug" + ) config.ghaf.networking.hosts.entries; + ip = lib.head (builtins.map (x: x.ip) getAudioVmEntry); + in + [ { Address = "${ip}/24"; } ]; + } + ) ]; }; cfg = config.ghaf.virtualization.microvm.audiovm; -in { +in +{ options.ghaf.virtualization.microvm.audiovm = { enable = lib.mkEnableOption "AudioVM"; 
@@ -133,20 +141,16 @@ in {
 List of additional modules to be imported and evaluated as part of
 AudioVM's NixOS configuration.
 '';
- default = [];
+ default = [ ];
 };
 };
 config = lib.mkIf cfg.enable {
 microvm.vms."${vmName}" = {
 autostart = true;
- config =
- audiovmBaseConfiguration
- // {
- imports =
- audiovmBaseConfiguration.imports
- ++ cfg.extraModules;
- };
+ config = audiovmBaseConfiguration // {
+ imports = audiovmBaseConfiguration.imports ++ cfg.extraModules;
+ };
 };
 };
 }
diff --git a/modules/microvm/virtualization/microvm/common/vm-networking.nix b/modules/microvm/virtualization/microvm/common/vm-networking.nix
index dcd43287c..40ca41415 100644
--- a/modules/microvm/virtualization/microvm/common/vm-networking.nix
+++ b/modules/microvm/virtualization/microvm/common/vm-networking.nix
@@ -6,20 +6,22 @@
 vmName,
 macAddress,
 internalIP,
- gateway ? ["192.168.100.1"],
+ gateway ? [ "192.168.100.1" ],
 ...
-}: let
+}:
+let
 networkName = "ethint0";
-in {
+in
+{
 networking = {
 hostName = vmName;
 enableIPv6 = false;
- firewall.allowedTCPPorts = [22];
- firewall.allowedUDPPorts = [67];
+ firewall.allowedTCPPorts = [ 22 ];
+ firewall.allowedUDPPorts = [ 67 ];
 useNetworkd = true;
 nat = {
 enable = true;
- internalInterfaces = [networkName];
+ internalInterfaces = [ networkName ];
 };
 };
@@ -39,25 +41,19 @@ in {
 matchConfig.PermanentMACAddress = macAddress;
 linkConfig.Name = networkName;
 };
- networks."10-${networkName}" =
- {
- matchConfig.MACAddress = macAddress;
- addresses =
- [
- {
- Address = "192.168.100.${toString internalIP}/24";
- }
- ]
- ++ lib.optionals config.ghaf.profiles.debug.enable [
- {
- # IP-address for debugging subnet
- Address = "192.168.101.${toString internalIP}/24";
- }
- ];
- linkConfig.RequiredForOnline = "routable";
- linkConfig.ActivationPolicy = "always-up";
- }
- // lib.optionalAttrs (gateway != []) {inherit gateway;};
+ networks."10-${networkName}" = {
+ matchConfig.MACAddress = macAddress;
+ addresses =
+ [ { Address = "192.168.100.${toString internalIP}/24"; } ]
+ ++ lib.optionals config.ghaf.profiles.debug.enable [
+ {
+ # IP-address for debugging subnet
+ Address = "192.168.101.${toString internalIP}/24";
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ linkConfig.ActivationPolicy = "always-up";
+ } // lib.optionalAttrs (gateway != [ ]) { inherit gateway; };
 };
 # systemd-resolved does not support local names resolution
diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix
index cb84d5acd..a4b983f1f 100644
--- a/modules/microvm/virtualization/microvm/guivm.nix
+++ b/modules/microvm/virtualization/microvm/guivm.nix
@@ -5,164 +5,174 @@ lib, pkgs, ... -}: let +}: +let vmName = "gui-vm"; macAddress = "02:00:00:02:02:02"; - inherit (import ../../../../lib/launcher.nix {inherit pkgs lib;}) rmDesktopEntries; + inherit (import ../../../../lib/launcher.nix { inherit pkgs lib; }) rmDesktopEntries; guivmBaseConfiguration = { imports = [ (import ./common/vm-networking.nix { - inherit config lib vmName macAddress; + inherit + config + lib + vmName + macAddress + ; internalIP = 3; }) # To push logs to central location ../../../common/logging/client.nix - ({ - lib, - pkgs, - ... - }: { - ghaf = { - users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; - profiles = { - debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; - applications.enable = false; - graphics.enable = true; + ( + { lib, pkgs, ... }: + { + ghaf = { + users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; + profiles = { + debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; + applications.enable = false; + graphics.enable = true; + }; + # To enable screen locking set to true + graphics.labwc.autolock.enable = false; + development = { + ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "guivm-systemd"; + withAudit = config.ghaf.profiles.debug.enable; + withNss = true; + withResolved = true; + withTimesyncd = true; + withDebug = config.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + # Logging client configuration + logging.client.enable = config.ghaf.logging.client.enable; + logging.client.endpoint = config.ghaf.logging.client.endpoint; }; - # To enable screen locking set to true - graphics.labwc.autolock.enable = false; - development = { - ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; - 
debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; - }; - systemd = { - enable = true; - withName = "guivm-systemd"; - withAudit = config.ghaf.profiles.debug.enable; - withNss = true; - withResolved = true; - withTimesyncd = true; - withDebug = config.ghaf.profiles.debug.enable; - withHardenedConfigs = true; - }; - # Logging client configuration - logging.client.enable = config.ghaf.logging.client.enable; - logging.client.endpoint = config.ghaf.logging.client.endpoint; - }; - - systemd.services."waypipe-ssh-keygen" = let - keygenScript = pkgs.writeShellScriptBin "waypipe-ssh-keygen" '' - set -xeuo pipefail - mkdir -p /run/waypipe-ssh - echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/waypipe-ssh/id_ed25519 -C "" - chown ghaf:ghaf /run/waypipe-ssh/* - cp /run/waypipe-ssh/id_ed25519.pub /run/waypipe-ssh-public-key/id_ed25519.pub - ''; - in { - enable = true; - description = "Generate SSH keys for Waypipe"; - path = [keygenScript]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - StandardOutput = "journal"; - StandardError = "journal"; - ExecStart = "${keygenScript}/bin/waypipe-ssh-keygen"; - }; - }; - environment = { - systemPackages = - (rmDesktopEntries [ - pkgs.waypipe - pkgs.networkmanagerapplet - ]) - ++ [ - pkgs.nm-launcher - pkgs.pamixer - ] - ++ (lib.optional (config.ghaf.profiles.debug.enable && config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable) pkgs.mitmweb-ui); - }; - - time.timeZone = config.time.timeZone; - system.stateVersion = lib.trivial.release; + systemd.services."waypipe-ssh-keygen" = + let + keygenScript = pkgs.writeShellScriptBin "waypipe-ssh-keygen" '' + set -xeuo pipefail + mkdir -p /run/waypipe-ssh + echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/waypipe-ssh/id_ed25519 -C "" + chown ghaf:ghaf /run/waypipe-ssh/* + cp 
/run/waypipe-ssh/id_ed25519.pub /run/waypipe-ssh-public-key/id_ed25519.pub + ''; + in + { + enable = true; + description = "Generate SSH keys for Waypipe"; + path = [ keygenScript ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = "${keygenScript}/bin/waypipe-ssh-keygen"; + }; + }; - nixpkgs = { - buildPlatform.system = config.nixpkgs.buildPlatform.system; - hostPlatform.system = config.nixpkgs.hostPlatform.system; - }; + environment = { + systemPackages = + (rmDesktopEntries [ + pkgs.waypipe + pkgs.networkmanagerapplet + ]) + ++ [ + pkgs.nm-launcher + pkgs.pamixer + ] + ++ (lib.optional ( + config.ghaf.profiles.debug.enable && config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable + ) pkgs.mitmweb-ui); + }; - # Suspend inside Qemu causes segfault - # See: https://gitlab.com/qemu-project/qemu/-/issues/2321 - services.logind.lidSwitch = "ignore"; + time.timeZone = config.time.timeZone; + system.stateVersion = lib.trivial.release; - microvm = { - optimize.enable = false; - vcpu = 2; - mem = 2048; - hypervisor = "qemu"; - shares = [ - { - tag = "rw-waypipe-ssh-public-key"; - source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - } - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + nixpkgs = { + buildPlatform.system = config.nixpkgs.buildPlatform.system; + hostPlatform.system = config.nixpkgs.hostPlatform.system; + }; - qemu = { - extraArgs = [ - "-device" - "vhost-vsock-pci,guest-cid=${toString cfg.vsockCID}" - ]; + # Suspend inside Qemu causes segfault + # See: https://gitlab.com/qemu-project/qemu/-/issues/2321 + services.logind.lidSwitch = "ignore"; - machine = + microvm = { + optimize.enable = false; + vcpu = 2; + mem = 2048; 
+ hypervisor = "qemu"; + shares = [ + { + tag = "rw-waypipe-ssh-public-key"; + source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } { - # Use the same machine type as the host - x86_64-linux = "q35"; - aarch64-linux = "virt"; + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; } - .${config.nixpkgs.hostPlatform.system}; + ]; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + + qemu = { + extraArgs = [ + "-device" + "vhost-vsock-pci,guest-cid=${toString cfg.vsockCID}" + ]; + + machine = + { + # Use the same machine type as the host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${config.nixpkgs.hostPlatform.system}; + }; }; - }; - imports = [ - ../../../common - ../../../desktop - ]; - - # Waypipe service runs in the GUIVM and listens for incoming connections from AppVMs - systemd.user.services.waypipe = { - enable = true; - description = "waypipe"; - after = ["labwc.service"]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.waypipe}/bin/waypipe --vsock -s ${toString cfg.waypipePort} client"; - Restart = "always"; - RestartSec = "1"; + imports = [ + ../../../common + ../../../desktop + ]; + + # Waypipe service runs in the GUIVM and listens for incoming connections from AppVMs + systemd.user.services.waypipe = { + enable = true; + description = "waypipe"; + after = [ "labwc.service" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.waypipe}/bin/waypipe --vsock -s ${toString cfg.waypipePort} client"; + Restart = "always"; + RestartSec = "1"; + }; + startLimitIntervalSec = 0; + wantedBy = [ "ghaf-session.target" ]; }; - startLimitIntervalSec = 0; - wantedBy = ["ghaf-session.target"]; - }; - }) + } + ) ]; }; cfg = config.ghaf.virtualization.microvm.guivm; - vsockproxy = pkgs.callPackage ../../../../packages/vsockproxy {}; + vsockproxy = pkgs.callPackage 
../../../../packages/vsockproxy { }; # Importing kernel builder function and building guest_graphics_hardened_kernel - buildKernel = import ../../../../packages/kernel {inherit config pkgs lib;}; + buildKernel = import ../../../../packages/kernel { inherit config pkgs lib; }; config_baseline = ../../../hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86; - guest_graphics_hardened_kernel = buildKernel {inherit config_baseline;}; -in { + guest_graphics_hardened_kernel = buildKernel { inherit config_baseline; }; +in +{ options.ghaf.virtualization.microvm.guivm = { enable = lib.mkEnableOption "GUIVM"; @@ -171,7 +181,7 @@ in { List of additional modules to be imported and evaluated as part of GUIVM's NixOS configuration. ''; - default = []; + default = [ ]; }; # GUIVM uses a VSOCK which requires a CID 
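Review bot: The `waypipe-ssh-keygen` script pipes `echo -en "\n\n\n"` into ssh-keygen to obtain an empty passphrase and answer any prompt, and then copies the public key to a hard-coded `/run/waypipe-ssh-public-key/` although the share backing that directory is declared a few lines later via `config.ghaf.security.sshKeys.waypipeSshPublicKeyDir` (presumably the same path, but nothing ties them together). Pass the passphrase explicitly and reuse the option so the two cannot drift: `${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -f /run/waypipe-ssh/id_ed25519 -C ""` and `cp /run/waypipe-ssh/id_ed25519.pub ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}/id_ed25519.pub`. Because of `set -e`, the `cp` fails the unit if the shared directory is not mounted yet, and the service declares no `after =` or `requires =` on that mount; ordering on the mount unit is the usual fix, but its name is not visible here. `set -x` also echoes every command to the journal — harmless for the key bytes as written, so a comment like `# -x logs commands only; never cat the private key here` would keep it that way. The `let … in` block containing this service is complete within the hunk, but the module's `options`/`config` attrset continues past it.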
@@ -200,38 +210,36 @@ in { config = lib.mkIf cfg.enable { microvm.vms."${vmName}" = { autostart = true; - config = - guivmBaseConfiguration - // { - boot.kernelPackages = - lib.mkIf config.ghaf.guest.kernel.hardening.graphics.enable - (pkgs.linuxPackagesFor guest_graphics_hardened_kernel); - - imports = - guivmBaseConfiguration.imports - ++ cfg.extraModules; - }; + config = guivmBaseConfiguration // { + boot.kernelPackages = lib.mkIf config.ghaf.guest.kernel.hardening.graphics.enable ( + pkgs.linuxPackagesFor guest_graphics_hardened_kernel + ); + + imports = guivmBaseConfiguration.imports ++ cfg.extraModules; + }; }; # This directory needs to be created before any of the microvms start. - systemd.services."create-waypipe-ssh-public-key-directory" = let - script = pkgs.writeShellScriptBin "create-waypipe-ssh-public-key-directory" '' - mkdir -pv ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir} - chown -v microvm ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir} - ''; - in { - enable = true; - description = "Create shared directory on host"; - path = []; - wantedBy = ["microvms.target"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - StandardOutput = "journal"; - StandardError = "journal"; - ExecStart = "${script}/bin/create-waypipe-ssh-public-key-directory"; + systemd.services."create-waypipe-ssh-public-key-directory" = + let + script = pkgs.writeShellScriptBin "create-waypipe-ssh-public-key-directory" '' + mkdir -pv ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir} + chown -v microvm ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir} + ''; + in + { + enable = true; + description = "Create shared directory on host"; + path = [ ]; + wantedBy = [ "microvms.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = "${script}/bin/create-waypipe-ssh-public-key-directory"; + }; }; - }; # Waypipe in GUIVM needs to communicate with AppVMs over 
VSOCK # However, VSOCK does not support direct guest to guest communication @@ -246,7 +254,7 @@ in { RestartSec = "1"; ExecStart = "${vsockproxy}/bin/vsockproxy ${toString cfg.waypipePort} ${toString cfg.vsockCID} ${toString cfg.waypipePort}"; }; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; }; }; } diff --git a/modules/microvm/virtualization/microvm/idsvm/idsvm.nix b/modules/microvm/virtualization/microvm/idsvm/idsvm.nix index 3947d2129..fe3bf39db 100644 --- a/modules/microvm/virtualization/microvm/idsvm/idsvm.nix +++ b/modules/microvm/virtualization/microvm/idsvm/idsvm.nix 
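Review bot: The comment above `create-waypipe-ssh-public-key-directory` says the directory must exist before any microvm starts, but the unit only has `wantedBy = [ "microvms.target" ]`, and a WantedBy pull-in imposes no ordering, so the `microvm@*.service` units can start before or alongside it. Add an explicit ordering such as `before = [ "microvm@${vmName}.service" ]` (plus the other guests that mount this directory, e.g. net-vm), or order it before `microvms.target` if the microvm module orders its services after that target — that is not visible here. The script also leaves the directory mode to root's umask after `chown -v microvm`; since the host later exports it read-write into the GUI VM, an explicit `install -d -o microvm -m 0755 ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}` states the intended permissions instead of relying on a default.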
@@ -5,64 +5,76 @@ lib, pkgs, ... -}: let +}: +let configHost = config; vmName = "ids-vm"; macAddress = "02:00:00:01:01:02"; idsvmBaseConfiguration = { imports = [ (import ../common/vm-networking.nix { - inherit config lib vmName macAddress; + inherit + config + lib + vmName + macAddress + ; internalIP = 4; }) - ({lib, ...}: { - ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; - profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; + ( + { lib, ... }: + { + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - virtualization.microvm.idsvm.mitmproxy.enable = configHost.ghaf.virtualization.microvm.idsvm.mitmproxy.enable; + virtualization.microvm.idsvm.mitmproxy.enable = + configHost.ghaf.virtualization.microvm.idsvm.mitmproxy.enable; - development = { - # NOTE: SSH port also becomes accessible on the network interface - # that has been passed through to NetVM - ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; - debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to NetVM + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + }; }; - }; - system.stateVersion = lib.trivial.release; + system.stateVersion = lib.trivial.release; - nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; - nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + 
nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; - microvm.hypervisor = "cloud-hypervisor"; + microvm.hypervisor = "cloud-hypervisor"; - environment.systemPackages = - [ + environment.systemPackages = [ pkgs.snort # TODO: put into separate module - ] - ++ (lib.optional configHost.ghaf.profiles.debug.enable pkgs.tcpdump); + ] ++ (lib.optional configHost.ghaf.profiles.debug.enable pkgs.tcpdump); - microvm = { - optimize.enable = true; - shares = [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - } - ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - }; + microvm = { + optimize.enable = true; + shares = [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + } + ]; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + }; - imports = [../../../../common ./mitmproxy]; - }) + imports = [ + ../../../../common + ./mitmproxy + ]; + } + ) ]; }; cfg = config.ghaf.virtualization.microvm.idsvm; -in { +in +{ options.ghaf.virtualization.microvm.idsvm = { enable = lib.mkEnableOption "Whether to enable IDS-VM on the system"; @@ -71,20 +83,16 @@ in { List of additional modules to be imported and evaluated as part of IDSVM's NixOS configuration. ''; - default = []; + default = [ ]; }; }; config = lib.mkIf cfg.enable { microvm.vms."${vmName}" = { autostart = true; - config = - idsvmBaseConfiguration - // { - imports = - idsvmBaseConfiguration.imports - ++ cfg.extraModules; - }; + config = idsvmBaseConfiguration // { + imports = idsvmBaseConfiguration.imports ++ cfg.extraModules; + }; }; }; } diff --git a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/default.nix b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/default.nix index 17f15e80e..3eb43094f 100644 --- a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/default.nix 
+++ b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/default.nix @@ -5,11 +5,13 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.virtualization.microvm.idsvm.mitmproxy; mitmproxyport = 8080; mitmwebUIport = 8081; -in { +in +{ options.ghaf.virtualization.microvm.idsvm.mitmproxy = { enable = lib.mkEnableOption "Whether to enable mitmproxy on ids-vm"; }; @@ -28,27 +30,32 @@ in { "mitmproxy/mitmproxy-dhparam.pem".source = ./mitmproxy-ca/mitmproxy-dhparam.pem; }; - systemd.services."mitmweb-server" = let - mitmwebScript = pkgs.writeShellScriptBin "mitmweb-server" '' - ${pkgs.mitmproxy}/bin/mitmweb --web-host localhost --web-port ${toString mitmwebUIport} --set confdir=/etc/mitmproxy - ''; - in { - enable = true; - description = "Run mitmweb to establish web interface for mitmproxy"; - path = [mitmwebScript]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "simple"; - StandardOutput = "journal"; - StandardError = "journal"; - ExecStart = "${mitmwebScript}/bin/mitmweb-server"; - Restart = "on-failure"; - RestartSec = "1"; + systemd.services."mitmweb-server" = + let + mitmwebScript = pkgs.writeShellScriptBin "mitmweb-server" '' + ${pkgs.mitmproxy}/bin/mitmweb --web-host localhost --web-port ${toString mitmwebUIport} --set confdir=/etc/mitmproxy + ''; + in + { + enable = true; + description = "Run mitmweb to establish web interface for mitmproxy"; + path = [ mitmwebScript ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = "${mitmwebScript}/bin/mitmweb-server"; + Restart = "on-failure"; + RestartSec = "1"; + }; }; - }; networking = { - firewall.allowedTCPPorts = [mitmproxyport mitmwebUIport]; + firewall.allowedTCPPorts = [ + mitmproxyport + mitmwebUIport + ]; nat.extraCommands = # Redirect http(s) traffic to mitmproxy. '' 
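Review bot: `mitmweb` is started as root here — the `serviceConfig` carries no `User=`/`DynamicUser=` and no sandboxing — while its inputs are traffic redirected from `ethint0` and the files under `/etc/mitmproxy`, so a parser bug in the proxy yields root on the IDS VM. Run it unprivileged, e.g. `DynamicUser = true; ProtectSystem = "strict"; PrivateTmp = true;`, with the confdir permissions adjusted so the CA material stays readable only by that user. The firewall also opens `mitmwebUIport` even though `--web-host localhost` binds the UI to loopback; either drop that port from `allowedTCPPorts` or, if another VM is meant to reach the UI, change the bind deliberately and document who is expected to connect. The confdir appears to be populated from in-repo files (`./mitmproxy-ca/…` in the context above); if that directory includes the CA private key, every image shares one CA able to intercept TLS for all of them — confirm it is generated per device at first boot rather than shipped.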
@@ -56,6 +63,6 @@ in { iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 443 -j REDIRECT --to-port ${toString mitmproxyport} ''; }; - environment.systemPackages = [pkgs.mitmproxy]; + environment.systemPackages = [ pkgs.mitmproxy ]; }; } diff --git a/modules/microvm/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix index aa28b106c..a65e3d4d2 100644 --- a/modules/microvm/virtualization/microvm/microvm-host.nix +++ b/modules/microvm/virtualization/microvm/microvm-host.nix @@ -5,9 +5,11 @@ lib, pkgs, ... -}: let +}: +let cfg = config.ghaf.virtualization.microvm-host; -in { +in +{ options.ghaf.virtualization.microvm-host = { enable = lib.mkEnableOption "MicroVM Host"; networkSupport = lib.mkEnableOption "Network support services to run host applications."; 
@@ -34,18 +36,20 @@ in { }; # TODO: remove hardcoded paths - systemd.services."microvm@audio-vm".serviceConfig = lib.optionalAttrs config.ghaf.virtualization.microvm.audiovm.enable { - # The + here is a systemd feature to make the script run as root. - ExecStopPost = [ - "+${pkgs.writeShellScript "reload-audio" '' - # The script makes audio device internal state to reset - # This fixes issue of audio device getting into some unexpected - # state when the VM is being shutdown during audio mic recording - echo "1" > /sys/bus/pci/devices/0000:00:1f.3/remove - sleep 0.1 - echo "1" > /sys/bus/pci/devices/0000:00:1f.0/rescan - ''}" - ]; - }; + systemd.services."microvm@audio-vm".serviceConfig = + lib.optionalAttrs config.ghaf.virtualization.microvm.audiovm.enable + { + # The + here is a systemd feature to make the script run as root. + ExecStopPost = [ + "+${pkgs.writeShellScript "reload-audio" '' + # The script makes audio device internal state to reset + # This fixes issue of audio device getting into some unexpected + # state when the VM is being shutdown during audio mic recording + echo "1" > /sys/bus/pci/devices/0000:00:1f.3/remove + sleep 0.1 + echo "1" > /sys/bus/pci/devices/0000:00:1f.0/rescan + ''}" + ]; + }; }; } diff --git a/modules/microvm/virtualization/microvm/modules.nix b/modules/microvm/virtualization/microvm/modules.nix index a978b0f18..fae96457e 100644 --- a/modules/microvm/virtualization/microvm/modules.nix +++ b/modules/microvm/virtualization/microvm/modules.nix 
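Review bot: The `reload-audio` ExecStopPost hook runs as root (the `+` prefix) and writes to hard-coded PCI paths `0000:00:1f.3` and `0000:00:1f.0`, with the `TODO: remove hardcoded paths` still open; on hardware where the audio controller sits elsewhere the write either fails or removes whatever device happens to occupy that slot. Derive the address from the audio VM's passthrough definition (modules.nix references an `audiovmPCIPassthroughModule` under `config.ghaf.hardware.devices`, which presumably carries it) and guard the writes: `dev=/sys/bus/pci/devices/0000:00:1f.3; [ -e "$dev" ] || exit 0`. The `sleep 0.1` between remove and rescan is a timing guess; a comment explaining why 100 ms suffices, or a short retry loop on the rescan, would make the intent reviewable.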
@@ -5,23 +5,27 @@ lib, pkgs, ... -}: let +}: +let inherit (builtins) hasAttr; - inherit (lib) mkOption types optionals optionalAttrs concatStrings; + inherit (lib) + mkOption + types + optionals + optionalAttrs + concatStrings + ; cfg = config.ghaf.virtualization.microvm; # Currently only x86 with hw definition supported inherit (pkgs.stdenv.hostPlatform) isx86; fullVirtualization = - isx86 - && (hasAttr "hardware" config.ghaf) - && (hasAttr "devices" config.ghaf.hardware); + isx86 && (hasAttr "hardware" config.ghaf) && (hasAttr "devices" config.ghaf.hardware); # Hardware devices passthrough modules deviceModules = optionalAttrs fullVirtualization { - inherit - (config.ghaf.hardware.devices) + inherit (config.ghaf.hardware.devices) netvmPCIPassthroughModule audiovmPCIPassthroughModule guivmPCIPassthroughModule @@ -30,13 +34,7 @@ }; # Kernel configurations - kernelConfigs = optionalAttrs fullVirtualization { - inherit - (config.ghaf.kernel) - guivm - audiovm - ; - }; + kernelConfigs = optionalAttrs fullVirtualization { inherit (config.ghaf.kernel) guivm audiovm; }; # Firmware module firmwareModule = { @@ -51,19 +49,13 @@ # Service modules serviceModules = { # Audio module - audio = optionalAttrs cfg.audiovm.audio { - config.ghaf.services.audio.enable = true; - }; + audio = optionalAttrs cfg.audiovm.audio { config.ghaf.services.audio.enable = true; }; # Wifi module - wifi = optionalAttrs cfg.netvm.wifi { - config.ghaf.services.wifi.enable = true; - }; + wifi = optionalAttrs cfg.netvm.wifi { config.ghaf.services.wifi.enable = true; }; # Fprint module - fprint = optionalAttrs cfg.guivm.fprint { - config.ghaf.services.fprint.enable = true; - }; + fprint = optionalAttrs cfg.guivm.fprint { config.ghaf.services.fprint.enable = true; }; # Desktop module desktop = { @@ -107,7 +99,8 @@ }; }; }; -in { +in +{ options.ghaf.virtualization.microvm = { netvm.wifi = mkOption { type = types.bool; 
diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix index 2bf338702..522387811 100644 --- a/modules/microvm/virtualization/microvm/netvm.nix +++ b/modules/microvm/virtualization/microvm/netvm.nix @@ -5,7 +5,8 @@ lib, pkgs, ... -}: let +}: +let vmName = "net-vm"; macAddress = "02:00:00:01:01:01"; 
@@ -19,101 +20,112 @@ netvmBaseConfiguration = { imports = [ (import ./common/vm-networking.nix { - inherit config lib vmName macAddress; + inherit + config + lib + vmName + macAddress + ; internalIP = 1; - gateway = []; + gateway = [ ]; }) # To push logs to central location ../../../common/logging/client.nix - ({lib, ...}: { - imports = [ - ../../../common - ]; + ( + { lib, ... }: + { + imports = [ ../../../common ]; - ghaf = { - users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; - profiles.debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; - development = { - # NOTE: SSH port also becomes accessible on the network interface - # that has been passed through to NetVM - ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; - debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; + ghaf = { + users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to NetVM + ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "netvm-systemd"; + withAudit = config.ghaf.profiles.debug.enable; + withPolkit = true; + withResolved = true; + withTimesyncd = true; + withDebug = config.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + # Logging client configuration + logging.client.enable = config.ghaf.logging.client.enable; + logging.client.endpoint = config.ghaf.logging.client.endpoint; }; - systemd = { - enable = true; - withName = "netvm-systemd"; - withAudit = 
config.ghaf.profiles.debug.enable; - withPolkit = true; - withResolved = true; - withTimesyncd = true; - withDebug = config.ghaf.profiles.debug.enable; - withHardenedConfigs = true; - }; - # Logging client configuration - logging.client.enable = config.ghaf.logging.client.enable; - logging.client.endpoint = config.ghaf.logging.client.endpoint; - }; - time.timeZone = config.time.timeZone; - system.stateVersion = lib.trivial.release; + time.timeZone = config.time.timeZone; + system.stateVersion = lib.trivial.release; - nixpkgs = { - buildPlatform.system = config.nixpkgs.buildPlatform.system; - hostPlatform.system = config.nixpkgs.hostPlatform.system; - }; + nixpkgs = { + buildPlatform.system = config.nixpkgs.buildPlatform.system; + hostPlatform.system = config.nixpkgs.hostPlatform.system; + }; - networking = { - firewall.allowedTCPPorts = [53]; - firewall.allowedUDPPorts = [53]; - }; + networking = { + firewall.allowedTCPPorts = [ 53 ]; + firewall.allowedUDPPorts = [ 53 ]; + }; - services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; + services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; - microvm = { - optimize.enable = true; - hypervisor = "qemu"; - shares = - [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ] - ++ lib.optionals isGuiVmEnabled [ - { - # Add the waypipe-ssh public key to the microvm - tag = config.ghaf.security.sshKeys.waypipeSshPublicKeyName; - source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - } - ]; + microvm = { + optimize.enable = true; + hypervisor = "qemu"; + shares = + [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] + ++ lib.optionals isGuiVmEnabled [ + { + # Add the waypipe-ssh public key to the microvm + tag = config.ghaf.security.sshKeys.waypipeSshPublicKeyName; + source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + 
mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } + ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - qemu = { - machine = - { - # Use the same machine type as the host - x86_64-linux = "q35"; - aarch64-linux = "virt"; - } - .${config.nixpkgs.hostPlatform.system}; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + qemu = { + machine = + { + # Use the same machine type as the host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${config.nixpkgs.hostPlatform.system}; + }; }; - }; - fileSystems = lib.mkIf isGuiVmEnabled {${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = ["ro"];}; + fileSystems = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = [ "ro" ]; + }; - # SSH is very picky about to file permissions and ownership and will - # accept neither direct path inside /nix/store or symlink that points - # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by - # setting mode), instead of symlinking it. - environment.etc = lib.mkIf isGuiVmEnabled {${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource;}; - }) + # SSH is very picky about to file permissions and ownership and will + # accept neither direct path inside /nix/store or symlink that points + # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by + # setting mode), instead of symlinking it. + environment.etc = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource; + }; + } + ) ]; }; cfg = config.ghaf.virtualization.microvm.netvm; -in { +in +{ options.ghaf.virtualization.microvm.netvm = { enable = lib.mkEnableOption "NetVM"; @@ -122,7 +134,7 @@ in { List of additional modules to be imported and evaluated as part of NetVM's NixOS configuration. ''; - default = []; + default = [ ]; }; }; 
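Review bot: `services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand;` is applied unconditionally, yet the file it presumably points at (`getAuthKeysFilePathInEtc`) is only installed under `lib.mkIf isGuiVmEnabled` in the `environment.etc` entry below it, so with the GUI VM disabled sshd is configured with an `AuthorizedKeysCommand` that does not exist. Guard both with the same condition: `services.openssh = lib.mkIf isGuiVmEnabled config.ghaf.security.sshKeys.sshAuthorizedKeysCommand;`. Note also that the `vm-networking` module imported at the top of this hunk opens TCP 22 in the firewall regardless of `ssh.daemon.enable`, and on this VM that includes the interface holding the passed-through NIC, exactly what the NOTE comment in the hunk warns about; the firewall rule should follow the same flag as the daemon. `isGuiVmEnabled` and `sshKeysHelper` are bound outside the hunk, so the shape of `sshAuthorizedKeysCommand` is not visible here.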
@@ -130,13 +142,9 @@ in { microvm.vms."${vmName}" = { autostart = true; restartIfChanged = false; - config = - netvmBaseConfiguration - // { - imports = - netvmBaseConfiguration.imports - ++ cfg.extraModules; - }; + config = netvmBaseConfiguration // { + imports = netvmBaseConfiguration.imports ++ cfg.extraModules; + }; }; }; } diff --git a/modules/polarfire/default.nix b/modules/polarfire/default.nix index 3f64e4f29..dc1dfc364 100644 --- a/modules/polarfire/default.nix +++ b/modules/polarfire/default.nix @@ -3,8 +3,4 @@ # # Support for Microchip Polarfire Icicle-Kit # -{ - imports = [ - ./mpfs-nixos-sdimage.nix - ]; -} +{ imports = [ ./mpfs-nixos-sdimage.nix ]; } diff --git a/modules/polarfire/mpfs-nixos-sdimage.nix b/modules/polarfire/mpfs-nixos-sdimage.nix index 8b2676e32..59ad28e9c 100644 --- a/modules/polarfire/mpfs-nixos-sdimage.nix +++ b/modules/polarfire/mpfs-nixos-sdimage.nix @@ -6,10 +6,9 @@ pkgs, modulesPath, ... -}: { - imports = [ - (modulesPath + "/installer/sd-card/sd-image.nix") - ]; +}: +{ + imports = [ (modulesPath + "/installer/sd-card/sd-image.nix") ]; sdImage = { compressImage = false; diff --git a/modules/profiles/laptop-x86.nix b/modules/profiles/laptop-x86.nix index 58f8547e5..2209fecfb 100644 --- a/modules/profiles/laptop-x86.nix +++ b/modules/profiles/laptop-x86.nix @@ -5,12 +5,14 @@ lib, pkgs, ... -}: let - powerControl = pkgs.callPackage ../../packages/powercontrol {}; +}: +let + powerControl = pkgs.callPackage ../../packages/powercontrol { }; cfg = config.ghaf.profiles.laptop-x86; listenerAddress = config.ghaf.logging.listener.address; listenerPort = toString config.ghaf.logging.listener.port; -in { +in +{ imports = [ ../desktop/graphics ../common 
@@ -31,19 +33,19 @@ in { description = '' List of additional modules to be passed to the netvm. ''; - default = []; + default = [ ]; }; guivmExtraModules = lib.mkOption { description = '' List of additional modules to be passed to the guivm. ''; - default = []; + default = [ ]; }; enabled-app-vms = lib.mkOption { type = lib.types.listOf lib.types.attrs; - default = []; + default = [ ]; description = '' List of appvms to include in the Ghaf reference appvms module ''; diff --git a/modules/profiles/mvp-user-trial.nix b/modules/profiles/mvp-user-trial.nix index 9979d20b0..e03e0af29 100644 --- a/modules/profiles/mvp-user-trial.nix +++ b/modules/profiles/mvp-user-trial.nix @@ -1,12 +1,10 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.profiles.mvp-user-trial; -in { +in +{ imports = [ ../reference/appvms ../reference/programs @@ -46,8 +44,8 @@ in { profiles = { laptop-x86 = { enable = true; - netvmExtraModules = [../reference/services]; - guivmExtraModules = [../reference/programs]; + netvmExtraModules = [ ../reference/services ]; + guivmExtraModules = [ ../reference/programs ]; inherit (config.ghaf.reference.appvms) enabled-app-vms; }; }; diff --git a/modules/reference/appvms/appflowy.nix b/modules/reference/appvms/appflowy.nix index c7071d0b3..48260c18e 100644 --- a/modules/reference/appvms/appflowy.nix +++ b/modules/reference/appvms/appflowy.nix @@ -1,13 +1,10 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: { name = "appflowy"; - packages = [pkgs.appflowy]; + packages = [ pkgs.appflowy ]; macAddress = "02:00:00:03:08:01"; ramMb = 512; cores = 1; diff --git a/modules/reference/appvms/business.nix b/modules/reference/appvms/business.nix index bb1aa352e..5e363799d 100644 --- a/modules/reference/appvms/business.nix 
+++ b/modules/reference/appvms/business.nix 
@@ -6,45 +6,52 @@ config, lib, ... -}: let +}: +let #TODO: Move this to a common place xdgPdfPort = 1200; -in { +in +{ name = "business"; - packages = let - # PDF XDG handler is executed when the user opens a PDF file in the browser - # The xdgopenpdf script sends a command to the guivm with the file path over TCP connection - xdgPdfItem = pkgs.makeDesktopItem { - name = "ghaf-pdf"; - desktopName = "Ghaf PDF handler"; - exec = "${xdgOpenPdf}/bin/xdgopenpdf %u"; - mimeTypes = ["application/pdf"]; - }; - xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" '' - filepath=$(realpath "$1") - echo "Opening $filepath" | systemd-cat -p info - echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort} - ''; - in [ - pkgs.chromium - pkgs.pulseaudio - pkgs.xdg-utils - xdgPdfItem - xdgOpenPdf - pkgs.globalprotect-openconnect - pkgs.openconnect - pkgs.nftables - ]; + packages = + let + # PDF XDG handler is executed when the user opens a PDF file in the browser + # The xdgopenpdf script sends a command to the guivm with the file path over TCP connection + xdgPdfItem = pkgs.makeDesktopItem { + name = "ghaf-pdf"; + desktopName = "Ghaf PDF handler"; + exec = "${xdgOpenPdf}/bin/xdgopenpdf %u"; + mimeTypes = [ "application/pdf" ]; + }; + xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" '' + filepath=$(realpath "$1") + echo "Opening $filepath" | systemd-cat -p info + echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort} + ''; + in + [ + pkgs.chromium + pkgs.pulseaudio + pkgs.xdg-utils + xdgPdfItem + xdgOpenPdf + pkgs.globalprotect-openconnect + pkgs.openconnect + pkgs.nftables + ]; # TODO create a repository of mac addresses to avoid conflicts macAddress = "02:00:00:03:10:01"; ramMb = 3072; cores = 4; extraModules = [ { - imports = [../programs/chromium.nix]; + imports = [ ../programs/chromium.nix ]; # Enable pulseaudio for Chromium VM security.rtkit.enable = true; - users.extraUsers.ghaf.extraGroups = ["audio" "video"]; + 
users.extraUsers.ghaf.extraGroups = [ + "audio" + "video" + ]; hardware.pulseaudio = { enable = true; @@ -61,10 +68,11 @@ in { time.timeZone = config.time.timeZone; microvm = { - qemu.extraArgs = lib.optionals (config.ghaf.hardware.usb.internal.enable - && (lib.hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs)) - config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0; - devices = []; + qemu.extraArgs = lib.optionals ( + config.ghaf.hardware.usb.internal.enable + && (lib.hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs) + ) config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0; + devices = [ ]; }; ghaf.reference.programs.chromium.enable = true; diff --git a/modules/reference/appvms/chromium.nix b/modules/reference/appvms/chromium.nix index aca2a06a7..6f9a6b5b5 100644 --- a/modules/reference/appvms/chromium.nix +++ b/modules/reference/appvms/chromium.nix 
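Review bot: In the xdgopenpdf script, `echo $filepath | ${pkgs.netcat}/bin/nc …` expands `$filepath` unquoted, so a PDF path containing spaces or glob characters reaches gui-vm word-split or glob-expanded, and a failed `realpath` (writeShellScriptBin does not enable errexit as far as I can tell) still sends an empty line. Suggest `filepath=$(realpath -e -- "$1") || exit 1` and `printf '%s\n' "$filepath" | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort}`. The same script is duplicated verbatim in the chromium.nix hunk below, which the existing `#TODO: Move this to a common place` comment already hints at; fixing it once in a shared helper would cover both. Since the path travels over a plain TCP connection with no authentication, the gui-vm listener should keep treating it as untrusted input regardless.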
@@ -6,42 +6,49 @@ lib, config, ... -}: let +}: +let inherit (lib) hasAttr optionals; xdgPdfPort = 1200; -in { +in +{ name = "chromium"; - packages = let - # PDF XDG handler is executed when the user opens a PDF file in the browser - # The xdgopenpdf script sends a command to the guivm with the file path over TCP connection - xdgPdfItem = pkgs.makeDesktopItem { - name = "ghaf-pdf"; - desktopName = "Ghaf PDF handler"; - exec = "${xdgOpenPdf}/bin/xdgopenpdf %u"; - mimeTypes = ["application/pdf"]; - }; - xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" '' - filepath=$(realpath "$1") - echo "Opening $filepath" | systemd-cat -p info - echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort} - ''; - in [ - pkgs.chromium - pkgs.pulseaudio - pkgs.xdg-utils - xdgPdfItem - xdgOpenPdf - ]; + packages = + let + # PDF XDG handler is executed when the user opens a PDF file in the browser + # The xdgopenpdf script sends a command to the guivm with the file path over TCP connection + xdgPdfItem = pkgs.makeDesktopItem { + name = "ghaf-pdf"; + desktopName = "Ghaf PDF handler"; + exec = "${xdgOpenPdf}/bin/xdgopenpdf %u"; + mimeTypes = [ "application/pdf" ]; + }; + xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" '' + filepath=$(realpath "$1") + echo "Opening $filepath" | systemd-cat -p info + echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort} + ''; + in + [ + pkgs.chromium + pkgs.pulseaudio + pkgs.xdg-utils + xdgPdfItem + xdgOpenPdf + ]; # TODO create a repository of mac addresses to avoid conflicts macAddress = "02:00:00:03:05:01"; ramMb = 3072; cores = 4; extraModules = [ { - imports = [../programs/chromium.nix]; + imports = [ ../programs/chromium.nix ]; # Enable pulseaudio for Chromium VM security.rtkit.enable = true; - users.extraUsers.ghaf.extraGroups = ["audio" "video"]; + users.extraUsers.ghaf.extraGroups = [ + "audio" + "video" + ]; hardware.pulseaudio = { enable = true; 
@@ -57,10 +64,11 @@ in { time.timeZone = config.time.timeZone; - microvm.qemu.extraArgs = optionals (config.ghaf.hardware.usb.internal.enable - && (hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs)) - config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0; - microvm.devices = []; + microvm.qemu.extraArgs = optionals ( + config.ghaf.hardware.usb.internal.enable + && (hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs) + ) config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0; + microvm.devices = [ ]; ghaf.reference.programs.chromium.enable = true; diff --git a/modules/reference/appvms/default.nix b/modules/reference/appvms/default.nix index f760790f6..47c14b8f3 100644 --- a/modules/reference/appvms/default.nix +++ b/modules/reference/appvms/default.nix @@ -5,11 +5,12 @@ lib, pkgs, ... -}: let +}: +let cfg = config.ghaf.reference.appvms; -in { - imports = [ - ]; +in +{ + imports = [ ]; options.ghaf.reference.appvms = { enable = lib.mkEnableOption "Enable the Ghaf reference appvms module"; @@ -21,7 +22,7 @@ in { business-vm = lib.mkEnableOption "Enable the Business appvm"; enabled-app-vms = lib.mkOption { type = lib.types.listOf lib.types.attrs; - default = []; + default = [ ]; description = '' List of appvms to include in the Ghaf reference appvms module ''; 
@@ -31,12 +32,12 @@ in { config = lib.mkIf cfg.enable { ghaf.reference.appvms = { enabled-app-vms = - (lib.optionals cfg.chromium-vm [(import ./chromium.nix {inherit pkgs lib config;})]) - ++ (lib.optionals cfg.gala-vm [(import ./gala.nix {inherit pkgs lib config;})]) - ++ (lib.optionals cfg.zathura-vm [(import ./zathura.nix {inherit pkgs config;})]) - ++ (lib.optionals cfg.element-vm [(import ./element.nix {inherit pkgs lib config;})]) - ++ (lib.optionals cfg.appflowy-vm [(import ./appflowy.nix {inherit pkgs config;})]) - ++ (lib.optionals cfg.business-vm [(import ./business.nix {inherit pkgs lib config;})]); + (lib.optionals cfg.chromium-vm [ (import ./chromium.nix { inherit pkgs lib config; }) ]) + ++ (lib.optionals cfg.gala-vm [ (import ./gala.nix { inherit pkgs lib config; }) ]) + ++ (lib.optionals cfg.zathura-vm [ (import ./zathura.nix { inherit pkgs config; }) ]) + ++ (lib.optionals cfg.element-vm [ (import ./element.nix { inherit pkgs lib config; }) ]) + ++ (lib.optionals cfg.appflowy-vm [ (import ./appflowy.nix { inherit pkgs config; }) ]) + ++ (lib.optionals cfg.business-vm [ (import ./business.nix { inherit pkgs lib config; }) ]); }; }; } diff --git a/modules/reference/appvms/element.nix b/modules/reference/appvms/element.nix index 2db6b857d..db6a8f6ee 100644 --- a/modules/reference/appvms/element.nix +++ b/modules/reference/appvms/element.nix 
@@ -6,25 +6,26 @@ lib, config, ... -}: let +}: +let inherit (lib) hasAttr optionals; - dendrite-pinecone = pkgs.callPackage ../../../packages/dendrite-pinecone {}; + dendrite-pinecone = pkgs.callPackage ../../../packages/dendrite-pinecone { }; isDendritePineconeEnabled = - if (hasAttr "services" config.ghaf.reference) - then config.ghaf.reference.services.dendrite - else false; -in { + if (hasAttr "services" config.ghaf.reference) then + config.ghaf.reference.services.dendrite + else + false; +in +{ name = "element"; - packages = - [ - pkgs.element-desktop - pkgs.element-gps - pkgs.gpsd - pkgs.tcpdump - pkgs.pulseaudio - ] - ++ pkgs.lib.optionals isDendritePineconeEnabled [dendrite-pinecone]; + packages = [ + pkgs.element-desktop + pkgs.element-gps + pkgs.gpsd + pkgs.tcpdump + pkgs.pulseaudio + ] ++ pkgs.lib.optionals isDendritePineconeEnabled [ dendrite-pinecone ]; macAddress = "02:00:00:03:09:01"; ramMb = 4096; cores = 4; @@ -32,7 +33,10 @@ in { { # Enable pulseaudio for user ghaf to access mic security.rtkit.enable = true; - users.extraUsers.ghaf.extraGroups = ["audio" "video"]; + users.extraUsers.ghaf.extraGroups = [ + "audio" + "video" + ]; hardware.pulseaudio = { enable = true; @@ -57,7 +61,7 @@ in { Restart = "on-failure"; RestartSec = "2"; }; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; }; "dendrite-pinecone" = pkgs.lib.mkIf isDendritePineconeEnabled { 
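Review bot: `pkgs.tcpdump` sits in the element VM's package list next to the application packages, but nothing explains why a packet-capture tool is needed in an app VM; if it is a debugging aid it would better live behind a debug-only option, and if element-gps or gpsd needs it a comment saying so would settle the question. The `dendrite-pinecone` package is already appended conditionally with `pkgs.lib.optionals`, so a similar guard follows the pattern used here.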
@@ -69,30 +73,31 @@ in { Restart = "on-failure"; RestartSec = "2"; }; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; }; }; }; networking = pkgs.lib.mkIf isDendritePineconeEnabled { - firewall.allowedTCPPorts = [dendrite-pinecone.TcpPortInt]; - firewall.allowedUDPPorts = [dendrite-pinecone.McastUdpPortInt]; + firewall.allowedTCPPorts = [ dendrite-pinecone.TcpPortInt ]; + firewall.allowedUDPPorts = [ dendrite-pinecone.McastUdpPortInt ]; }; time.timeZone = config.time.timeZone; services.gpsd = { enable = true; - devices = ["/dev/ttyUSB0"]; + devices = [ "/dev/ttyUSB0" ]; readonly = true; debugLevel = 2; listenany = true; - extraArgs = ["-n"]; # Do not wait for a client to connect before polling + extraArgs = [ "-n" ]; # Do not wait for a client to connect before polling }; - microvm.qemu.extraArgs = optionals (config.ghaf.hardware.usb.external.enable - && (hasAttr "gps0" config.ghaf.hardware.usb.external.qemuExtraArgs)) - config.ghaf.hardware.usb.external.qemuExtraArgs.gps0; + microvm.qemu.extraArgs = optionals ( + config.ghaf.hardware.usb.external.enable + && (hasAttr "gps0" config.ghaf.hardware.usb.external.qemuExtraArgs) + ) config.ghaf.hardware.usb.external.qemuExtraArgs.gps0; } ]; borderColor = "#337aff"; diff --git a/modules/reference/appvms/gala.nix b/modules/reference/appvms/gala.nix index a4ff7c80e..2caa7b98c 100644 --- a/modules/reference/appvms/gala.nix +++ b/modules/reference/appvms/gala.nix 
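Review bot: `listenany = true;` makes gpsd accept clients on every interface of the VM rather than loopback only, and the line carries no comment; `readonly = true` limits what a client can do but not who can connect. If another VM is meant to consume the GPS feed, a comment such as `listenany = true; # gpsd is consumed from outside this VM; access is limited by the VM firewall` would document the exposure, and if not, dropping the line restores loopback-only listening. Whether the VM firewall blocks the gpsd port is not visible in this hunk, since `firewall.allowedTCPPorts` here only covers the dendrite-pinecone port.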
@@ -6,18 +6,19 @@ lib, config, ... -}: { +}: +{ name = "gala"; - packages = [pkgs.gala-app]; + packages = [ pkgs.gala-app ]; macAddress = "02:00:00:03:06:01"; ramMb = 1536; cores = 2; extraModules = [ { time.timeZone = config.time.timeZone; - security.pki.certificateFiles = - lib.mkIf config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable - [../../../modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.pem]; + security.pki.certificateFiles = lib.mkIf config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable [ + ../../../modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.pem + ]; } ]; borderColor = "#027d7b"; diff --git a/modules/reference/appvms/zathura.nix b/modules/reference/appvms/zathura.nix index 26eacb95c..635caebb7 100644 --- a/modules/reference/appvms/zathura.nix +++ b/modules/reference/appvms/zathura.nix @@ -1,19 +1,16 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: { name = "zathura"; - packages = [pkgs.zathura]; + packages = [ pkgs.zathura ]; macAddress = "02:00:00:03:07:01"; ramMb = 512; cores = 1; extraModules = [ { - imports = [../programs/zathura.nix]; + imports = [ ../programs/zathura.nix ]; time.timeZone = config.time.timeZone; ghaf.reference.programs.zathura.enable = true; } diff --git a/modules/reference/programs/chromium.nix b/modules/reference/programs/chromium.nix index 17ec85793..74c375d1c 100644 --- a/modules/reference/programs/chromium.nix +++ b/modules/reference/programs/chromium.nix 
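Review bot: `security.pki.certificateFiles = lib.mkIf config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable [ … ]` installs the mitmproxy CA into the gala VM's system trust store, which allows the IDS VM to transparently intercept TLS from this VM, and nothing on the line says so. A comment such as `# Trust the idsvm mitmproxy CA so TLS from this VM can be inspected; only active when idsvm.mitmproxy is enabled` would make the trade-off visible to the next reader. Whether the same CA is installed in the other app VMs is not visible in this hunk.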
@@ -1,12 +1,10 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.reference.programs.chromium; -in { +in +{ options.ghaf.reference.programs.chromium = { enable = lib.mkEnableOption "Enable Chromium program settings"; useZathuraVM = lib.mkEnableOption "Open PDFs in Zathura VM"; diff --git a/modules/reference/programs/windows-launcher.nix b/modules/reference/programs/windows-launcher.nix index b75df7eb0..d95f2b12f 100644 --- a/modules/reference/programs/windows-launcher.nix +++ b/modules/reference/programs/windows-launcher.nix @@ -5,12 +5,14 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.reference.programs.windows-launcher; - windows-launcher = pkgs.callPackage ../../../packages/windows-launcher {enableSpice = cfg.spice;}; -in { + windows-launcher = pkgs.callPackage ../../../packages/windows-launcher { enableSpice = cfg.spice; }; +in +{ #TODO fix all these imports to correct scoping - imports = [../../desktop]; + imports = [ ../../desktop ]; options.ghaf.reference.programs.windows-launcher = { enable = lib.mkEnableOption "Windows launcher"; @@ -39,7 +41,7 @@ in { } ]; - networking.firewall.allowedTCPPorts = lib.mkIf cfg.spice [cfg.spice-port]; - environment.systemPackages = [windows-launcher]; + networking.firewall.allowedTCPPorts = lib.mkIf cfg.spice [ cfg.spice-port ]; + environment.systemPackages = [ windows-launcher ]; }; } diff --git a/modules/reference/programs/zathura.nix b/modules/reference/programs/zathura.nix index 57ebcaa4a..85b6b559f 100644 --- a/modules/reference/programs/zathura.nix +++ b/modules/reference/programs/zathura.nix 
@@ -1,12 +1,10 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.reference.programs.zathura; -in { +in +{ options.ghaf.reference.programs.zathura = { enable = lib.mkEnableOption "Enable Zathura program settings"; }; diff --git a/modules/reference/services/default.nix b/modules/reference/services/default.nix index facceca05..2dbb1f824 100644 --- a/modules/reference/services/default.nix +++ b/modules/reference/services/default.nix @@ -1,14 +1,12 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let inherit (lib) mkEnableOption mkIf mkForce; cfg = config.ghaf.reference.services; isNetVM = "net-vm" == config.system.name; -in { +in +{ imports = [ ./dendrite-pinecone/dendrite-pinecone.nix ./dendrite-pinecone/dendrite-config.nix diff --git a/modules/reference/services/dendrite-pinecone/dendrite-config.nix b/modules/reference/services/dendrite-pinecone/dendrite-config.nix index 36a107c80..4bde55e3d 100644 --- a/modules/reference/services/dendrite-pinecone/dendrite-config.nix +++ b/modules/reference/services/dendrite-pinecone/dendrite-config.nix 
@@ -1,31 +1,36 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: { - config, - lib, - ... -}: { - config.ghaf.reference.services.dendrite-pinecone = let - externalNic = let - firstPciWifiDevice = lib.head config.ghaf.hardware.definition.network.pciDevices; - in "${firstPciWifiDevice.name}"; + config.ghaf.reference.services.dendrite-pinecone = + let + externalNic = + let + firstPciWifiDevice = lib.head config.ghaf.hardware.definition.network.pciDevices; + in + "${firstPciWifiDevice.name}"; - internalNic = let - vmNetworking = import ../../../microvm/virtualization/microvm/common/vm-networking.nix { - inherit config; - inherit lib; - vmName = "net-vm"; - inherit (config.microvm.net-vm) macAddress; - internalIP = 1; - }; - in "${lib.head vmNetworking.networking.nat.internalInterfaces}"; + internalNic = + let + vmNetworking = import ../../../microvm/virtualization/microvm/common/vm-networking.nix { + inherit config; + inherit lib; + vmName = "net-vm"; + inherit (config.microvm.net-vm) macAddress; + internalIP = 1; + }; + in + "${lib.head vmNetworking.networking.nat.internalInterfaces}"; - getElementVmEntry = builtins.filter (x: x.name == "element-vm") config.ghaf.networking.hosts.entries; - serverIpAddr = lib.head (builtins.map (x: x.ip) getElementVmEntry); - in { - enable = lib.mkDefault false; - inherit externalNic; - inherit internalNic; - inherit serverIpAddr; - }; + getElementVmEntry = builtins.filter ( + x: x.name == "element-vm" + ) config.ghaf.networking.hosts.entries; + serverIpAddr = lib.head (builtins.map (x: x.ip) getElementVmEntry); + in + { + enable = lib.mkDefault false; + inherit externalNic; + inherit internalNic; + inherit serverIpAddr; + }; } diff --git a/modules/reference/services/dendrite-pinecone/dendrite-pinecone.nix b/modules/reference/services/dendrite-pinecone/dendrite-pinecone.nix index a4ab7802e..d20f38e0e 100644 
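Review bot: `serverIpAddr = lib.head (builtins.map (x: x.ip) getElementVmEntry)` fails with a generic empty-list error whenever no `element-vm` entry exists in `config.ghaf.networking.hosts.entries`, which gives no hint what to fix. `serverIpAddr = (lib.findFirst (x: x.name == "element-vm") (throw "dendrite-pinecone: no element-vm entry in ghaf.networking.hosts.entries") config.ghaf.networking.hosts.entries).ip;` replaces both lines with a descriptive failure. Similarly `externalNic` takes `lib.head … pciDevices` and names it `firstPciWifiDevice`; a short comment stating the assumption that the first PCI network device is the external Wi-Fi NIC would help. Because Nix evaluates lazily these values are only forced when something reads them, so this is about error quality rather than a new failure.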
--- a/modules/reference/services/dendrite-pinecone/dendrite-pinecone.nix +++ b/modules/reference/services/dendrite-pinecone/dendrite-pinecone.nix @@ -5,11 +5,18 @@ lib, pkgs, ... -}: let +}: +let cfg = config.ghaf.reference.services.dendrite-pinecone; - dendrite-pineconePkg = pkgs.callPackage ../../../../packages/dendrite-pinecone/default.nix {}; - inherit (lib) mkEnableOption mkOption mkIf types; -in { + dendrite-pineconePkg = pkgs.callPackage ../../../../packages/dendrite-pinecone/default.nix { }; + inherit (lib) + mkEnableOption + mkOption + mkIf + types + ; +in +{ options.ghaf.reference.services.dendrite-pinecone = { enable = mkEnableOption "Enable dendrite pinecone module"; 
@@ -70,11 +77,11 @@ in { }; } ]; - environment.systemPackages = [pkgs.smcroute]; + environment.systemPackages = [ pkgs.smcroute ]; systemd.services."smcroute" = { description = "Static Multicast Routing daemon"; - bindsTo = ["sys-subsystem-net-devices-${cfg.externalNic}.device"]; - after = ["sys-subsystem-net-devices-${cfg.externalNic}.device"]; + bindsTo = [ "sys-subsystem-net-devices-${cfg.externalNic}.device" ]; + after = [ "sys-subsystem-net-devices-${cfg.externalNic}.device" ]; preStart = '' configContent=$(cat < "$out/version" - jq -s '.[0] * $conf' "config.sample.json" --argjson "conf" '${builtins.toJSON noPhoningHome}' > "$out/config.json" + cp -R webapp $out + cp ${jitsi-meet}/libs/external_api.min.js $out/jitsi_external_api.min.js + echo "${finalAttrs.version}" > "$out/version" + jq -s '.[0] * $conf' "config.sample.json" --argjson "conf" '${builtins.toJSON noPhoningHome}' > "$out/config.json" - runHook postInstall - ''; + runHook postInstall + ''; - meta = { - description = "A glossy Matrix collaboration client for the web"; - homepage = "https://element.io/"; - changelog = "https://github.com/vector-im/element-web/blob/v${finalAttrs.version}/CHANGELOG.md"; - maintainers = lib.teams.matrix.members; - license = lib.licenses.asl20; - platforms = lib.platforms.all; - }; - }) + meta = { + description = "A glossy Matrix collaboration client for the web"; + homepage = "https://element.io/"; + changelog = "https://github.com/vector-im/element-web/blob/v${finalAttrs.version}/CHANGELOG.md"; + maintainers = lib.teams.matrix.members; + license = lib.licenses.asl20; + platforms = lib.platforms.all; + }; + } +) diff --git a/packages/flake-module.nix b/packages/flake-module.nix index 2b3e349c4..b5cc08fc0 100644 --- a/packages/flake-module.nix +++ b/packages/flake-module.nix 
@@ -1,42 +1,47 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{self, ...}: { +{ self, ... }: +{ flake.packages.riscv64-linux.hart-software-services = - self.nixosConfigurations.microchip-icicle-kit-debug.pkgs.callPackage ./hart-software-services {}; - perSystem = { - pkgs, - lib, - system, - ... - }: let - inherit (pkgs) callPackage; - in { - packages = self.lib.platformPkgs system { - gala-app = callPackage ./gala {}; - kernel-hardening-checker = callPackage ./kernel-hardening-checker {}; - windows-launcher = callPackage ./windows-launcher {enableSpice = false;}; - windows-launcher-spice = callPackage ./windows-launcher {enableSpice = true;}; - hardware-scan = callPackage ./hardware-scan {}; - doc = callPackage ../docs { - revision = lib.strings.fileContents ../.version; - # options = ; - # TODO Add the options in from the self.nixosModules - # The below is not needed anymore to setoptions - # - # options = let - # cfg = nixpkgs.lib.nixosSystem { - # inherit system; - # modules = - # lib.ghaf.modules - # ++ [ - # jetpack-nixos.nixosModules.default - # microvm.nixosModules.host - # lanzaboote.nixosModules.lanzaboote - # ]; - # }; - # in - # cfg.options; + self.nixosConfigurations.microchip-icicle-kit-debug.pkgs.callPackage ./hart-software-services + { }; + perSystem = + { + pkgs, + lib, + system, + ... 
+ }: + let + inherit (pkgs) callPackage; + in + { + packages = self.lib.platformPkgs system { + gala-app = callPackage ./gala { }; + kernel-hardening-checker = callPackage ./kernel-hardening-checker { }; + windows-launcher = callPackage ./windows-launcher { enableSpice = false; }; + windows-launcher-spice = callPackage ./windows-launcher { enableSpice = true; }; + hardware-scan = callPackage ./hardware-scan { }; + doc = callPackage ../docs { + revision = lib.strings.fileContents ../.version; + # options = ; + # TODO Add the options in from the self.nixosModules + # The below is not needed anymore to setoptions + # + # options = let + # cfg = nixpkgs.lib.nixosSystem { + # inherit system; + # modules = + # lib.ghaf.modules + # ++ [ + # jetpack-nixos.nixosModules.default + # microvm.nixosModules.host + # lanzaboote.nixosModules.lanzaboote + # ]; + # }; + # in + # cfg.options; + }; }; }; - }; } diff --git a/packages/gala/default.nix b/packages/gala/default.nix index 13bf710e3..10c2bdc25 100644 --- a/packages/gala/default.nix +++ b/packages/gala/default.nix @@ -40,7 +40,8 @@ mesa, unzip, wayland, -}: let +}: +let dynamic-linker = stdenv.cc.bintools.dynamicLinker; libPath = lib.makeLibraryPath [ 
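Review bot: The commented-out `# options = let … cfg.options;` block under `doc = callPackage ../docs {` is carried over verbatim as dead code, and it already contradicts itself (`# TODO Add the options` is followed by `# The below is not needed anymore`). Keeping only the `# TODO Add the options in from the self.nixosModules` line and dropping the stale snippet makes the intent clearer; the old code stays available in git history if it is needed again.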
@@ -82,57 +83,56 @@ wayland ]; in - stdenv.mkDerivation rec { - name = "gala"; +stdenv.mkDerivation rec { + name = "gala"; - nativeBuildInputs = [unzip]; + nativeBuildInputs = [ unzip ]; - buildInputs = [unzip]; + buildInputs = [ unzip ]; - # See meta.platforms section for supported platforms - src = - if stdenv.isAarch64 - then - fetchurl { - url = "https://vedenemo.dev/files/gala/eb56901d-410c-4c09-bbac-9e954a3f16b0-gala-electron-test-0.1.26-arm64.zip"; - sha256 = "16d8g6h22zsnw4kq8nkama5yxp5swn7fj8m197kgm58w3dai3mn7"; - } - else - fetchurl { - url = "https://vedenemo.dev/files/gala/eb56901d-410c-4c09-bbac-9e954a3f16b0-gala-electron-test-0.1.26.zip"; - sha256 = "0chn1rbdvs71mxfdwpld4v2zdg2crrqln9ckscivas48rmg6sj6f"; - }; + # See meta.platforms section for supported platforms + src = + if stdenv.isAarch64 then + fetchurl { + url = "https://vedenemo.dev/files/gala/eb56901d-410c-4c09-bbac-9e954a3f16b0-gala-electron-test-0.1.26-arm64.zip"; + sha256 = "16d8g6h22zsnw4kq8nkama5yxp5swn7fj8m197kgm58w3dai3mn7"; + } + else + fetchurl { + url = "https://vedenemo.dev/files/gala/eb56901d-410c-4c09-bbac-9e954a3f16b0-gala-electron-test-0.1.26.zip"; + sha256 = "0chn1rbdvs71mxfdwpld4v2zdg2crrqln9ckscivas48rmg6sj6f"; + }; - phases = "unpackPhase fixupPhase"; - targetPath = "$out/gala"; - intLibPath = "$out/gala/swiftshader"; + phases = "unpackPhase fixupPhase"; + targetPath = "$out/gala"; + intLibPath = "$out/gala/swiftshader"; - unpackPhase = '' - mkdir -p ${targetPath} - unzip $src -d ${targetPath} - ''; + unpackPhase = '' + mkdir -p ${targetPath} + unzip $src -d ${targetPath} + ''; - rpath = lib.concatStringsSep ":" [ - libPath - targetPath - intLibPath - ]; + rpath = lib.concatStringsSep ":" [ + libPath + targetPath + intLibPath + ]; - fixupPhase = '' - patchelf \ - --set-interpreter "${dynamic-linker}" \ - --set-rpath "${rpath}" \ - ${targetPath}/dev.scpp.saca.gala + fixupPhase = '' + patchelf \ + --set-interpreter "${dynamic-linker}" \ + --set-rpath "${rpath}" \ + 
${targetPath}/dev.scpp.saca.gala - mkdir -p $out/bin - ln -s $out/gala/dev.scpp.saca.gala $out/bin/gala - ''; + mkdir -p $out/bin + ln -s $out/gala/dev.scpp.saca.gala $out/bin/gala + ''; - meta = with lib; { - description = "Google Android look-alike"; - platforms = [ - "aarch64-linux" - "x86_64-linux" - ]; - }; - } + meta = with lib; { + description = "Google Android look-alike"; + platforms = [ + "aarch64-linux" + "x86_64-linux" + ]; + }; +} diff --git a/packages/ghaf-open/default.nix b/packages/ghaf-open/default.nix index 811f62780..362d16e41 100644 --- a/packages/ghaf-open/default.nix +++ b/packages/ghaf-open/default.nix @@ -2,14 +2,10 @@ # SPDX-License-Identifier: Apache-2.0 # # A debug script that allows executing applications from the command line. -{ - writeShellApplication, - gawk, - ... -}: +{ writeShellApplication, gawk, ... }: writeShellApplication { name = "ghaf-open"; - runtimeInputs = [gawk]; + runtimeInputs = [ gawk ]; text = '' APPS=/run/current-system/sw/share/applications diff --git a/packages/ghaf-openbox-theme/default.nix b/packages/ghaf-openbox-theme/default.nix index b1ab6e04a..9d1c724a5 100644 --- a/packages/ghaf-openbox-theme/default.nix +++ b/packages/ghaf-openbox-theme/default.nix @@ -1,7 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{runCommand, ...}: -runCommand "ghaf-openbox-theme" {} '' +{ runCommand, ... }: +runCommand "ghaf-openbox-theme" { } '' mkdir -p $out/share/themes/Ghaf/openbox-3 cp ${../../assets/icons/svg/close.svg} $out/share/themes/Ghaf/openbox-3/close.svg ln -s $out/share/themes/Ghaf/openbox-3/close{,-active}.svg diff --git a/packages/hardware-scan/default.nix b/packages/hardware-scan/default.nix index 12bbba020..9864c0f0b 100644 --- a/packages/hardware-scan/default.nix +++ b/packages/hardware-scan/default.nix 
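Review bot: `meta` carries no `license` and no `sourceProvenance`, although `src` is a prebuilt Electron bundle downloaded from vedenemo.dev and only patched with patchelf. The pinned `sha256` covers integrity, but adding `sourceProvenance = [ sourceTypes.binaryNativeCode ];` inside the existing `meta = with lib; { … }` lets evaluation and audit tooling see that this package ships third-party binaries, and a `license` entry documents under what terms they are redistributed. A one-line comment on `phases = "unpackPhase fixupPhase";` noting that the install phase is deliberately skipped because the zip is unpacked straight into `$out/gala` would also help the next reader.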
@@ -23,8 +23,6 @@ writeShellApplication { text = builtins.readFile ./hardware-scan.sh; meta = { description = "Helper script for hardware discovery and configuration file generation"; - platforms = [ - "x86_64-linux" - ]; + platforms = [ "x86_64-linux" ]; }; } diff --git a/packages/hart-software-services/default.nix b/packages/hart-software-services/default.nix index 785ebf322..bf71644c5 100644 --- a/packages/hart-software-services/default.nix +++ b/packages/hart-software-services/default.nix 
@@ -5,50 +5,49 @@ lib, python3, stdenv, -}: let +}: +let version = "v2022.09"; in - stdenv.mkDerivation ( - { - pname = "hart-software-services"; - inherit version; - - src = fetchFromGitHub { - owner = "polarfire-soc"; - repo = "hart-software-services"; - rev = version; - sha256 = "sha256-j/nda7//CjJW09zt/YrBy6h+q+VKE5t/ueXxDzwVWQ0="; - }; - - depsBuildBuild = [ - python3 - ]; - - configurePhase = '' - runHook preConfigure - - cp boards/mpfs-icicle-kit-es/def_config .config - - runHook postConfigure - ''; - - makeFlags = [ - "V=1" - "BOARD=mpfs-icicle-kit-es" - "PLATFORM_RISCV_ABI=lp64d" - "PLATFORM_RISCV_ISA=rv64imadc_zicsr_zifencei" - ]; - - installPhase = '' - runHook preInstall - - mkdir -p $out - cp Default/*.elf Default/*.bin $out/ - - runHook postInstall - ''; - } - // lib.optionalAttrs (stdenv.buildPlatform.system != stdenv.hostPlatform.system) { - CROSS_COMPILE = stdenv.cc.targetPrefix; - } - ) +stdenv.mkDerivation ( + { + pname = "hart-software-services"; + inherit version; + + src = fetchFromGitHub { + owner = "polarfire-soc"; + repo = "hart-software-services"; + rev = version; + sha256 = "sha256-j/nda7//CjJW09zt/YrBy6h+q+VKE5t/ueXxDzwVWQ0="; + }; + + depsBuildBuild = [ python3 ]; + + configurePhase = '' + runHook preConfigure + + cp boards/mpfs-icicle-kit-es/def_config .config + + runHook postConfigure + ''; + + makeFlags = [ + "V=1" + "BOARD=mpfs-icicle-kit-es" + "PLATFORM_RISCV_ABI=lp64d" + "PLATFORM_RISCV_ISA=rv64imadc_zicsr_zifencei" + ]; + + installPhase = '' + runHook preInstall + + mkdir -p $out + cp Default/*.elf Default/*.bin $out/ + + runHook postInstall + ''; + } + // lib.optionalAttrs (stdenv.buildPlatform.system != stdenv.hostPlatform.system) { + CROSS_COMPILE = stdenv.cc.targetPrefix; + } +) diff --git a/packages/icon-pack/default.nix b/packages/icon-pack/default.nix index 0c9228939..710e6ecb5 100644 --- a/packages/icon-pack/default.nix +++ b/packages/icon-pack/default.nix 
@@ -7,7 +7,8 @@ lib, runCommand, papirus-icon-theme, -}: let +}: +let icons = [ "chromium.svg" "distributor-logo-android.svg" @@ -29,15 +30,18 @@ "yast-vpn.svg" ]; in - runCommand "icon-pack" { +runCommand "icon-pack" + { # Preserve Papirus license meta.license = papirus-icon-theme.meta.license; - } '' + } + '' mkdir -p $out # All SVGs are located inside 64x64, all other sizes are symlinks. - ${lib.concatStringsSep "\n" (map (icon: '' + ${lib.concatStringsSep "\n" ( + map (icon: '' cp ${papirus-icon-theme}/share/icons/Papirus/64x64/apps/${icon} $out/ - '') - icons)} + '') icons + )} '' diff --git a/packages/kernel-hardening-checker/default.nix b/packages/kernel-hardening-checker/default.nix index dedd96cff..c47fb0ba1 100644 --- a/packages/kernel-hardening-checker/default.nix +++ b/packages/kernel-hardening-checker/default.nix @@ -1,9 +1,6 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - python3Packages, - fetchFromGitHub, -}: +{ python3Packages, fetchFromGitHub }: python3Packages.buildPythonApplication rec { pname = "kernel-hardening-checker"; version = "0.6.1-git${src.rev}"; diff --git a/packages/kernel/default.nix b/packages/kernel/default.nix index ff180fe32..d958ad330 100644 --- a/packages/kernel/default.nix +++ b/packages/kernel/default.nix 
@@ -6,54 +6,54 @@ config, pkgs, lib, -}: { - kernelPatches ? [], +}: +{ + kernelPatches ? [ ], config_baseline, host_build ? false, -}: let +}: +let kernel_package = pkgs.linux_latest; version = "${kernel_package.version}-ghaf-hardened"; modDirVersion = version; - base_kernel = - pkgs.linuxManualConfig rec - { - inherit (kernel_package) src; - inherit version modDirVersion kernelPatches; - /* + base_kernel = pkgs.linuxManualConfig rec { + inherit (kernel_package) src; + inherit version modDirVersion kernelPatches; + /* NixOS required (asserted) kernel features to comply with no import from derivation. For the actual kernel build these config options must come via the kernel config_baseline argument - */ - config = { - CONFIG_DEVTMPFS = "y"; - CONFIG_CGROUPS = "y"; - CONFIG_INOTIFY_USER = "y"; - CONFIG_SIGNALFD = "y"; - CONFIG_TIMERFD = "y"; - CONFIG_EPOLL = "y"; - CONFIG_NET = "y"; - CONFIG_SYSFS = "y"; - CONFIG_PROC_FS = "y"; - CONFIG_FHANDLE = "y"; - CONFIG_CRYPTO_USER_API_HASH = "y"; - CONFIG_CRYPTO_HMAC = "y"; - CONFIG_CRYPTO_SHA256 = "y"; - CONFIG_DMIID = "y"; - CONFIG_AUTOFS_FS = "y"; - CONFIG_TMPFS_POSIX_ACL = "y"; - CONFIG_TMPFS_XATTR = "y"; - CONFIG_SECCOMP = "y"; - CONFIG_TMPFS = "y"; - CONFIG_BLK_DEV_INITRD = "y"; - CONFIG_EFI_STUB = "y"; - CONFIG_MODULES = "y"; - CONFIG_BINFMT_ELF = "y"; - CONFIG_UNIX = "y"; - }; - configfile = config_baseline; + */ + config = { + CONFIG_DEVTMPFS = "y"; + CONFIG_CGROUPS = "y"; + CONFIG_INOTIFY_USER = "y"; + CONFIG_SIGNALFD = "y"; + CONFIG_TIMERFD = "y"; + CONFIG_EPOLL = "y"; + CONFIG_NET = "y"; + CONFIG_SYSFS = "y"; + CONFIG_PROC_FS = "y"; + CONFIG_FHANDLE = "y"; + CONFIG_CRYPTO_USER_API_HASH = "y"; + CONFIG_CRYPTO_HMAC = "y"; + CONFIG_CRYPTO_SHA256 = "y"; + CONFIG_DMIID = "y"; + CONFIG_AUTOFS_FS = "y"; + CONFIG_TMPFS_POSIX_ACL = "y"; + CONFIG_TMPFS_XATTR = "y"; + CONFIG_SECCOMP = "y"; + CONFIG_TMPFS = "y"; + CONFIG_BLK_DEV_INITRD = "y"; + CONFIG_EFI_STUB = "y"; + CONFIG_MODULES = "y"; + CONFIG_BINFMT_ELF = "y"; + 
CONFIG_UNIX = "y"; }; + configfile = config_baseline; + }; generic_host_configs = ../../modules/hardware/x86_64-generic/kernel/host/configs; generic_guest_configs = ../../modules/hardware/x86_64-generic/kernel/guest/configs; 
@@ -61,23 +61,37 @@
 # - we could add a configuration fragment for host debug via usb-ethernet-adapter(s)
 kernel_features =
- lib.optionals config.ghaf.host.kernel.hardening.virtualization.enable ["${generic_host_configs}/virtualization.config"]
- ++ lib.optionals config.ghaf.host.kernel.hardening.networking.enable ["${generic_host_configs}/networking.config"]
- ++ lib.optionals config.ghaf.host.kernel.hardening.usb.enable ["${generic_host_configs}/usb.config"]
- ++ lib.optionals config.ghaf.host.kernel.hardening.inputdevices.enable ["${generic_host_configs}/user-input-devices.config"]
- ++ lib.optionals config.ghaf.host.kernel.hardening.debug.enable ["${generic_host_configs}/debug.config"]
- ++ lib.optionals (config.ghaf.guest.kernel.hardening.enable && !host_build) ["${generic_guest_configs}/guest.config"]
- ++ lib.optionals (config.ghaf.guest.kernel.hardening.graphics.enable && !host_build) ["${generic_guest_configs}/display-gpu.config"];
+ lib.optionals config.ghaf.host.kernel.hardening.virtualization.enable [
+ "${generic_host_configs}/virtualization.config"
+ ]
+ ++ lib.optionals config.ghaf.host.kernel.hardening.networking.enable [
+ "${generic_host_configs}/networking.config"
+ ]
+ ++ lib.optionals config.ghaf.host.kernel.hardening.usb.enable [
+ "${generic_host_configs}/usb.config"
+ ]
+ ++ lib.optionals config.ghaf.host.kernel.hardening.inputdevices.enable [
+ "${generic_host_configs}/user-input-devices.config"
+ ]
+ ++ lib.optionals config.ghaf.host.kernel.hardening.debug.enable [
+ "${generic_host_configs}/debug.config"
+ ]
+ ++ lib.optionals (config.ghaf.guest.kernel.hardening.enable && !host_build) [
+ "${generic_guest_configs}/guest.config"
+ ]
+ ++ lib.optionals (config.ghaf.guest.kernel.hardening.graphics.enable && !host_build) [
+ "${generic_guest_configs}/display-gpu.config"
+ ];
 kernel =
- if lib.length kernel_features > 0
- then
+ if lib.length kernel_features > 0 then
 base_kernel.overrideAttrs (_old: {
 inherit kernel_features;
 postConfigure = ''
 ./scripts/kconfig/merge_config.sh -O $buildRoot $buildRoot/.config $kernel_features;
 '';
 })
- else base_kernel;
+ else
+ base_kernel;
 in
- kernel
+kernel
diff --git a/packages/mitmweb-ui/default.nix b/packages/mitmweb-ui/default.nix
index c469f41a8..66c902303 100644
--- a/packages/mitmweb-ui/default.nix
+++ b/packages/mitmweb-ui/default.nix
@@ -5,49 +5,47 @@
 pkgs,
 lib,
 ...
-}: let
+}:
+let
 waypipePort = 1100; # TODO: remove hardcoded port number
 idsvmIP = "ids-vm";
- mitmwebUI =
- pkgs.writeShellScript
- "mitmweb-ui"
- ''
- # Create ssh-tunnel between chromium-vm and ids-vm
- ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \
- -o StrictHostKeyChecking=no \
- -t ghaf@chromium-vm \
- ${pkgs.openssh}/bin/ssh -M -S /tmp/control_socket \
- -f -N -L 8081:localhost:8081 ghaf@${idsvmIP}
- # TODO: check pipe creation failures
+ mitmwebUI = pkgs.writeShellScript "mitmweb-ui" ''
+ # Create ssh-tunnel between chromium-vm and ids-vm
+ ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \
+ -o StrictHostKeyChecking=no \
+ -t ghaf@chromium-vm \
+ ${pkgs.openssh}/bin/ssh -M -S /tmp/control_socket \
+ -f -N -L 8081:localhost:8081 ghaf@${idsvmIP}
+ # TODO: check pipe creation failures
- # Launch chromium application and open mitmweb page
- ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 -o StrictHostKeyChecking=no chromium-vm \
- ${pkgs.waypipe}/bin/waypipe --border=#ff5733,5 --vsock -s ${toString waypipePort} server \
- chromium --enable-features=UseOzonePlatform --ozone-platform=wayland \
- http://localhost:8081
+ # Launch chromium application and open mitmweb page
+ ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 -o StrictHostKeyChecking=no chromium-vm \
+ ${pkgs.waypipe}/bin/waypipe --border=#ff5733,5 --vsock -s ${toString waypipePort} server \
+ chromium --enable-features=UseOzonePlatform --ozone-platform=wayland \
+ http://localhost:8081
- # Use the control socket to close the ssh tunnel between chromium-vm and ids-vm
- ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \
- -o StrictHostKeyChecking=no \
- -t ghaf@chromium-vm \
- ${pkgs.openssh}/bin/ssh -q -S /tmp/control_socket -O exit ghaf@${idsvmIP}
- '';
+ # Use the control socket to close the ssh tunnel between chromium-vm and ids-vm
+ ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \
+ -o StrictHostKeyChecking=no \
+ -t ghaf@chromium-vm \
+ ${pkgs.openssh}/bin/ssh -q -S /tmp/control_socket -O exit ghaf@${idsvmIP}
+ '';
 in
- stdenvNoCC.mkDerivation {
- name = "mitmweb-ui";
+stdenvNoCC.mkDerivation {
+ name = "mitmweb-ui";
- phases = ["installPhase"];
+ phases = [ "installPhase" ];
- installPhase = ''
- mkdir -p $out/bin
- cp ${mitmwebUI} $out/bin/mitmweb-ui
- '';
+ installPhase = ''
+ mkdir -p $out/bin
+ cp ${mitmwebUI} $out/bin/mitmweb-ui
+ '';
- meta = with lib; {
- description = "Script to launch Chromium to open mitmweb interface using ssh-tunneling and authentication.";
- platforms = [
- "x86_64-linux"
- "aarch64-linux"
- ];
- };
- }
+ meta = with lib; {
+ description = "Script to launch Chromium to open mitmweb interface using ssh-tunneling and authentication.";
+ platforms = [
+ "x86_64-linux"
+ "aarch64-linux"
+ ];
+ };
+}
diff --git a/packages/openPdf/default.nix b/packages/openPdf/default.nix
index 6f581ab87..37b123bc1 100644
--- a/packages/openPdf/default.nix
+++ b/packages/openPdf/default.nix
@@ -12,7 +12,10 @@
 # It reads the file path, copies it from chromium-vm to zathura-vm and opens it there
 writeShellApplication {
 name = "openPdf";
- runtimeInputs = [dnsutils openssh];
+ runtimeInputs = [
+ dnsutils
+ openssh
+ ];
 text = ''
 read -r sourcepath
 filename=$(basename "$sourcepath")
diff --git a/packages/powercontrol/default.nix b/packages/powercontrol/default.nix
index b9a6835a8..664867dde 100644
--- a/packages/powercontrol/default.nix
+++ b/packages/powercontrol/default.nix
@@ -5,81 +5,74 @@
 openssh,
 stdenv,
 writeShellScript,
-}: let
+}:
+let
 systemctl = "/run/current-system/systemd/bin/systemctl";
 busName = "org.freedesktop.login1";
- makeSystemCtlPowerActionViaSsh = {
- hostAddress,
- privateSshKeyPath,
- method,
- }:
- writeShellScript
- "${method}-host"
- '' ${openssh}/bin/ssh \
+ makeSystemCtlPowerActionViaSsh =
+ {
+ hostAddress,
+ privateSshKeyPath,
+ method,
+ }:
+ writeShellScript "${method}-host" ''
+ ${openssh}/bin/ssh \
 -i ${privateSshKeyPath} \
 -o StrictHostKeyChecking=no \
 ghaf@${hostAddress} \
 ${systemctl} ${method}'';
 in
- stdenv.mkDerivation {
- name = "powercontrol";
+stdenv.mkDerivation {
+ name = "powercontrol";
- makePowerOffCommand = {
- hostAddress,
- privateSshKeyPath,
- }:
- makeSystemCtlPowerActionViaSsh {
- inherit hostAddress privateSshKeyPath;
- method = "poweroff";
- };
+ makePowerOffCommand =
+ { hostAddress, privateSshKeyPath }:
+ makeSystemCtlPowerActionViaSsh {
+ inherit hostAddress privateSshKeyPath;
+ method = "poweroff";
+ };
- makeRebootCommand = {
- hostAddress,
- privateSshKeyPath,
- }:
- makeSystemCtlPowerActionViaSsh {
- inherit hostAddress privateSshKeyPath;
- method = "reboot";
- };
+ makeRebootCommand =
+ { hostAddress, privateSshKeyPath }:
+ makeSystemCtlPowerActionViaSsh {
+ inherit hostAddress privateSshKeyPath;
+ method = "reboot";
+ };
- makeSuspendCommand = {
- hostAddress,
- privateSshKeyPath,
- }:
- makeSystemCtlPowerActionViaSsh {
- inherit hostAddress privateSshKeyPath;
- method = "suspend";
- };
+ makeSuspendCommand =
+ { hostAddress, privateSshKeyPath }:
+ makeSystemCtlPowerActionViaSsh {
+ inherit hostAddress privateSshKeyPath;
+ method = "suspend";
+ };
- makeHibernateCommand = {
- hostAddress,
- privateSshKeyPath,
- }:
- makeSystemCtlPowerActionViaSsh {
- inherit hostAddress privateSshKeyPath;
- method = "hibernate";
- };
+ makeHibernateCommand =
+ { hostAddress, privateSshKeyPath }:
+ makeSystemCtlPowerActionViaSsh {
+ inherit hostAddress privateSshKeyPath;
+ method = "hibernate";
+ };
- polkitExtraConfig = ''
- polkit.addRule(function(action, subject) {
- if ((subject.user == "ghaf") &&
- (action.id == "${busName}.power-off" ||
- action.id == "${busName}.power-off-multiple-sessions" ||
- action.id == "${busName}.reboot" ||
- action.id == "${busName}.reboot-multiple-sessions" ||
- action.id == "${busName}.suspend" ||
- action.id == "${busName}.suspend-multiple-sessions" ||
- action.id == "${busName}.hibernate" ||
- action.id == "${busName}.hibernate-multiple-sessions")
- ) {
- return polkit.Result.YES;
- }
- });
- '';
+ polkitExtraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if ((subject.user == "ghaf") &&
+ (action.id == "${busName}.power-off" ||
+ action.id == "${busName}.power-off-multiple-sessions" ||
+ action.id == "${busName}.reboot" ||
+ action.id == "${busName}.reboot-multiple-sessions" ||
+ action.id == "${busName}.suspend" ||
+ action.id == "${busName}.suspend-multiple-sessions" ||
+ action.id == "${busName}.hibernate" ||
+ action.id == "${busName}.hibernate-multiple-sessions")
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
- meta = {
- description = "Scripts for host power control";
- platforms = lib.platforms.linux;
- };
- }
+ meta = {
+ description = "Scripts for host power control";
+ platforms = lib.platforms.linux;
+ };
+}
diff --git a/packages/ssh-keys-helper/default.nix b/packages/ssh-keys-helper/default.nix
index a166ad608..e0dabb719 100644
--- a/packages/ssh-keys-helper/default.nix
+++ b/packages/ssh-keys-helper/default.nix
@@ -1,16 +1,16 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
+{ pkgs, config }:
 {
- pkgs,
- config,
-}: {
 getAuthKeysSource = {
- source = let
- script = pkgs.writeShellScriptBin config.ghaf.security.sshKeys.getAuthKeysFileName ''
- [[ "$1" != "ghaf" ]] && exit 0
- ${pkgs.coreutils}/bin/cat ${config.ghaf.security.sshKeys.waypipeSshPublicKeyFile}
- '';
- in "${script}/bin/${config.ghaf.security.sshKeys.getAuthKeysFileName}";
+ source =
+ let
+ script = pkgs.writeShellScriptBin config.ghaf.security.sshKeys.getAuthKeysFileName ''
+ [[ "$1" != "ghaf" ]] && exit 0
+ ${pkgs.coreutils}/bin/cat ${config.ghaf.security.sshKeys.waypipeSshPublicKeyFile}
+ '';
+ in
+ "${script}/bin/${config.ghaf.security.sshKeys.getAuthKeysFileName}";
 mode = "0555";
 };
 }
diff --git a/packages/vsockproxy/default.nix b/packages/vsockproxy/default.nix
index 829879daf..c078456ac 100644
--- a/packages/vsockproxy/default.nix
+++ b/packages/vsockproxy/default.nix
@@ -9,7 +9,10 @@
 stdenv.mkDerivation {
 name = "vsockproxy";
- depsBuildBuild = [meson ninja];
+ depsBuildBuild = [
+ meson
+ ninja
+ ];
 src = fetchFromGitHub {
 owner = "tiiuae";
diff --git a/packages/windows-launcher/default.nix b/packages/windows-launcher/default.nix
index 891c3e1af..049cc1016 100644
--- a/packages/windows-launcher/default.nix
+++ b/packages/windows-launcher/default.nix
@@ -10,161 +10,165 @@
 writeShellScript,
 enableSpice ? false,
 ...
-}: let
+}:
+let
 ovmfPrefix =
- if stdenv.isx86_64
- then "OVMF"
- else if stdenv.isAarch64
- then "AAVMF"
- else throw "Unsupported architecture";
- windowsLauncher =
- writeShellScript
- "windows-launcher"
- (''
- IMG_FILE=$1
- ISO_FILE=""
- if [ $# -eq 0 ]; then
- ''
- + lib.optionalString stdenv.isAarch64 ''
- echo "Usage: windows-launcher ./Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX"
- ''
- + lib.optionalString stdenv.isx86_64 ''
- echo "Usage: windows-launcher ./Win11_22H2_English_x64v2.iso or ./win11.qcow2"
- ''
- + ''
- exit
- fi
- ''
- + lib.optionalString (!enableSpice) ''
- if [[ -z "''${WAYLAND_DISPLAY}" ]]; then
- echo "Wayland display not found"
- exit
- fi
- ''
- + ''
- IMG_DIR="$(dirname "$IMG_FILE")"
- OVMF_VARS="$IMG_DIR/${ovmfPrefix}_VARS.fd"
- OVMF_CODE="$IMG_DIR/${ovmfPrefix}_CODE.fd"
+ if stdenv.isx86_64 then
+ "OVMF"
+ else if stdenv.isAarch64 then
+ "AAVMF"
+ else
+ throw "Unsupported architecture";
+ windowsLauncher = writeShellScript "windows-launcher" (
+ ''
+ IMG_FILE=$1
+ ISO_FILE=""
+ if [ $# -eq 0 ]; then
+ ''
+ + lib.optionalString stdenv.isAarch64 ''
+ echo "Usage: windows-launcher ./Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX"
+ ''
+ + lib.optionalString stdenv.isx86_64 ''
+ echo "Usage: windows-launcher ./Win11_22H2_English_x64v2.iso or ./win11.qcow2"
+ ''
+ + ''
+ exit
+ fi
+ ''
+ + lib.optionalString (!enableSpice) ''
+ if [[ -z "''${WAYLAND_DISPLAY}" ]]; then
+ echo "Wayland display not found"
+ exit
+ fi
+ ''
+ + ''
+ IMG_DIR="$(dirname "$IMG_FILE")"
+ OVMF_VARS="$IMG_DIR/${ovmfPrefix}_VARS.fd"
+ OVMF_CODE="$IMG_DIR/${ovmfPrefix}_CODE.fd"
- if [ ! -f $OVMF_VARS ] || [ ! -f $OVMF_CODE ]; then
- cp ${OVMF.fd}/FV/${ovmfPrefix}_VARS.fd $OVMF_VARS
- cp ${OVMF.fd}/FV/${ovmfPrefix}_CODE.fd $OVMF_CODE
- chmod 644 $OVMF_VARS
+ if [ ! -f $OVMF_VARS ] || [ ! -f $OVMF_CODE ]; then
+ cp ${OVMF.fd}/FV/${ovmfPrefix}_VARS.fd $OVMF_VARS
+ cp ${OVMF.fd}/FV/${ovmfPrefix}_CODE.fd $OVMF_CODE
+ chmod 644 $OVMF_VARS
+ fi
+ ''
+ + lib.optionalString stdenv.isx86_64 ''
+ if [[ $1 == *.iso || $1 == *.ISO ]]; then
+ ISO_FILE=$1
+ IMG_FILE="$IMG_DIR/win11.qcow2"
+ if [ ! -f $IMG_FILE ]; then
+ ${qemu_kvm}/bin/qemu-img create -f qcow2 $IMG_FILE 64G
 fi
- ''
- + lib.optionalString stdenv.isx86_64 ''
- if [[ $1 == *.iso || $1 == *.ISO ]]; then
- ISO_FILE=$1
- IMG_FILE="$IMG_DIR/win11.qcow2"
- if [ ! -f $IMG_FILE ]; then
- ${qemu_kvm}/bin/qemu-img create -f qcow2 $IMG_FILE 64G
- fi
- fi
- ''
- + ''
- QEMU_PARAMS=(
- "-name \"Windows VM\""
- "-cpu host"
- "-enable-kvm"
- "-smp 6"
- "-m 8G"
- "-drive file=$OVMF_CODE,format=raw,if=pflash,readonly=on"
- "-drive file=$OVMF_VARS,format=raw,if=pflash"
- ''
- + lib.optionalString (!enableSpice) ''
- "-vga none"
- "-device ramfb"
- "-device virtio-gpu-pci"
- "-nic user,model=virtio"
- ''
- + lib.optionalString enableSpice ''
- "-vga qxl"
- "-device virtio-serial-pci"
- "-spice port=5900,addr=0.0.0.0,disable-ticketing=on"
- "-netdev tap,id=tap-windows,ifname=tap-windows,script=no,downscript=no"
- "-device e1000,netdev=tap-windows,mac=02:00:00:03:55:01"
- ''
- + ''
- "-device qemu-xhci"
- "-device usb-kbd"
- "-device usb-tablet"
- ''
- + lib.optionalString stdenv.isAarch64 ''
- "-M virt,highmem=on,gic-version=max"
- "-drive file=$IMG_FILE,format=vhdx,if=none,id=boot"
- "-device usb-storage,drive=boot,serial=boot,bootindex=1"
- )
- ''
- + lib.optionalString stdenv.isx86_64 ''
- "-drive file=$IMG_FILE,format=qcow2,if=none,id=boot"
- "-device nvme,drive=boot,serial=boot,bootindex=1"
- )
+ fi
+ ''
+ + ''
+ QEMU_PARAMS=(
+ "-name \"Windows VM\""
+ "-cpu host"
+ "-enable-kvm"
+ "-smp 6"
+ "-m 8G"
+ "-drive file=$OVMF_CODE,format=raw,if=pflash,readonly=on"
+ "-drive file=$OVMF_VARS,format=raw,if=pflash"
+ ''
+ + lib.optionalString (!enableSpice) ''
+ "-vga none"
+ "-device ramfb"
+ "-device virtio-gpu-pci"
+ "-nic user,model=virtio"
+ ''
+ + lib.optionalString enableSpice ''
+ "-vga qxl"
+ "-device virtio-serial-pci"
+ "-spice port=5900,addr=0.0.0.0,disable-ticketing=on"
+ "-netdev tap,id=tap-windows,ifname=tap-windows,script=no,downscript=no"
+ "-device e1000,netdev=tap-windows,mac=02:00:00:03:55:01"
+ ''
+ + ''
+ "-device qemu-xhci"
+ "-device usb-kbd"
+ "-device usb-tablet"
+ ''
+ + lib.optionalString stdenv.isAarch64 ''
+ "-M virt,highmem=on,gic-version=max"
+ "-drive file=$IMG_FILE,format=vhdx,if=none,id=boot"
+ "-device usb-storage,drive=boot,serial=boot,bootindex=1"
+ )
+ ''
+ + lib.optionalString stdenv.isx86_64 ''
+ "-drive file=$IMG_FILE,format=qcow2,if=none,id=boot"
+ "-device nvme,drive=boot,serial=boot,bootindex=1"
+ )
- if [ ! -z "$ISO_FILE" ]; then
- QEMU_PARAMS+=(
- "-drive file=$ISO_FILE,media=cdrom,if=none,id=installcd"
- "-device usb-storage,drive=installcd,bootindex=0"
- )
- fi
- ''
- + ''
- eval "${qemu_kvm}/bin/qemu-kvm ''${QEMU_PARAMS[@]} ''${@:2}"
- '');
- windowsLauncherUI =
- writeShellScript
- "windows-launcher-ui"
- (''
- if [[ -z "''${WAYLAND_DISPLAY}" ]]; then
- echo "Wayland display not found"
- exit
- fi
+ if [ ! -z "$ISO_FILE" ]; then
+ QEMU_PARAMS+=(
+ "-drive file=$ISO_FILE,media=cdrom,if=none,id=installcd"
+ "-device usb-storage,drive=installcd,bootindex=0"
+ )
+ fi
+ ''
+ + ''
+ eval "${qemu_kvm}/bin/qemu-kvm ''${QEMU_PARAMS[@]} ''${@:2}"
+ ''
+ );
+ windowsLauncherUI = writeShellScript "windows-launcher-ui" (
+ ''
+ if [[ -z "''${WAYLAND_DISPLAY}" ]]; then
+ echo "Wayland display not found"
+ exit
+ fi
- CONFIG=~/.config/windows-launcher-ui.conf
- if [ -f "$CONFIG" ]; then
- source $CONFIG
- fi
+ CONFIG=~/.config/windows-launcher-ui.conf
+ if [ -f "$CONFIG" ]; then
+ source $CONFIG
+ fi
- if [ ! -f "$FILE" ]; then
- ''
- + lib.optionalString stdenv.isAarch64 ''
- FILE=`${yad}/bin/yad --file --title="Select Windows VM image (VHDX)"`
- ''
- + lib.optionalString stdenv.isx86_64 ''
- FILE=`${yad}/bin/yad --file --title="Select Windows VM image (QCOW2 or ISO)"`
- ''
- + ''
- if [ ''$? -ne 0 ]; then
- exit
- else
- if [[ $FILE != *.iso && $FILE != *.ISO ]]; then
- echo FILE="$FILE" > "$CONFIG"
- fi
+ if [ ! -f "$FILE" ]; then
+ ''
+ + lib.optionalString stdenv.isAarch64 ''
+ FILE=`${yad}/bin/yad --file --title="Select Windows VM image (VHDX)"`
+ ''
+ + lib.optionalString stdenv.isx86_64 ''
+ FILE=`${yad}/bin/yad --file --title="Select Windows VM image (QCOW2 or ISO)"`
+ ''
+ + ''
+ if [ ''$? -ne 0 ]; then
+ exit
+ else
+ if [[ $FILE != *.iso && $FILE != *.ISO ]]; then
+ echo FILE="$FILE" > "$CONFIG"
 fi
 fi
+ fi
- if ! ${windowsLauncher} $FILE; then
- ${yad}/bin/yad --image=gtk-dialog-error --text="Failed to run Windows VM: $?"
- fi
- '');
+ if ! ${windowsLauncher} $FILE; then
+ ${yad}/bin/yad --image=gtk-dialog-error --text="Failed to run Windows VM: $?"
+ fi
+ ''
+ );
 in
- stdenvNoCC.mkDerivation {
- name = "windows-launcher";
+stdenvNoCC.mkDerivation {
+ name = "windows-launcher";
- buildInputs = [yad qemu_kvm OVMF];
+ buildInputs = [
+ yad
+ qemu_kvm
+ OVMF
+ ];
- phases = ["installPhase"];
+ phases = [ "installPhase" ];
- installPhase = ''
- mkdir -p $out/bin
- cp ${windowsLauncher} $out/bin/windows-launcher
- cp ${windowsLauncherUI} $out/bin/windows-launcher-ui
- '';
+ installPhase = ''
+ mkdir -p $out/bin
+ cp ${windowsLauncher} $out/bin/windows-launcher
+ cp ${windowsLauncherUI} $out/bin/windows-launcher-ui
+ '';
- meta = {
- description = "Helper scripts for launching Windows virtual machines using QEMU";
- platforms = [
- "x86_64-linux"
- "aarch64-linux"
- ];
- };
- }
+ meta = {
+ description = "Helper scripts for launching Windows virtual machines using QEMU";
+ platforms = [
+ "x86_64-linux"
+ "aarch64-linux"
+ ];
+ };
+}
diff --git a/shell.nix b/shell.nix
index 867a3e382..e5368b16b 100644
--- a/shell.nix
+++ b/shell.nix
@@ -5,10 +5,18 @@
 # This file originates from:
 # https://github.com/nix-community/flake-compat
 # This file provides backward compatibility to nix < 2.4 clients
-{system ? builtins.currentSystem}: let
+{
+ system ? builtins.currentSystem,
+}:
+let
 lock = builtins.fromJSON (builtins.readFile ./flake.lock);
- inherit (lock.nodes.flake-compat.locked) owner repo rev narHash;
+ inherit (lock.nodes.flake-compat.locked)
+ owner
+ repo
+ rev
+ narHash
+ ;
 flake-compat = fetchTarball {
 url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
@@ -20,4 +28,4 @@
 src = ./.;
 };
 in
- flake.shellNix
+flake.shellNix
diff --git a/targets/generic-x86_64/flake-module.nix b/targets/generic-x86_64/flake-module.nix
index 16f80cbc2..e358890b1 100644
--- a/targets/generic-x86_64/flake-module.nix
+++ b/targets/generic-x86_64/flake-module.nix
@@ -7,38 +7,40 @@
 lib,
 self,
 ...
-}: let
+}:
+let
 inherit (inputs) nixos-generators;
 name = "generic-x86_64";
 system = "x86_64-linux";
- generic-x86 = variant: extraModules: let
- netvmExtraModules = [
- {
- microvm.devices = [
- {
- bus = "pci";
- path = "0000:00:14.3";
- }
- ];
+ generic-x86 =
+ variant: extraModules:
+ let
+ netvmExtraModules = [
+ {
+ microvm.devices = [
+ {
+ bus = "pci";
+ path = "0000:00:14.3";
+ }
+ ];
- # For WLAN firmwares
- hardware.enableRedistributableFirmware = true;
+ # For WLAN firmwares
+ hardware.enableRedistributableFirmware = true;
- networking.wireless = {
- enable = true;
+ networking.wireless = {
+ enable = true;
- # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD";
- };
- services.dnsmasq.settings.dhcp-option = [
- "option:router,192.168.100.1" # set net-vm as a default gw
- "option:dns-server,192.168.100.1"
- ];
- }
- ];
- hostConfiguration = lib.nixosSystem {
- inherit system;
- modules =
- [
+ # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD";
+ };
+ services.dnsmasq.settings.dhcp-option = [
+ "option:router,192.168.100.1" # set net-vm as a default gw
+ "option:dns-server,192.168.100.1"
+ ];
+ }
+ ];
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ modules = [
 nixos-generators.nixosModules.raw-efi
 self.nixosModules.common
 self.nixosModules.desktop
@@ -90,26 +92,27 @@
 "vfio-pci.ids=8086:a0f0"
 ];
 }
- ]
- ++ extraModules;
+ ] ++ extraModules;
+ };
+ in
+ {
+ inherit hostConfiguration;
+ name = "${name}-${variant}";
+ package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr};
 };
- in {
- inherit hostConfiguration;
- name = "${name}-${variant}";
- package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr};
- };
- debugModules = [{ghaf.development.usb-serial.enable = true;}];
+ debugModules = [ { ghaf.development.usb-serial.enable = true; } ];
 targets = [
 (generic-x86 "debug" debugModules)
- (generic-x86 "release" [])
+ (generic-x86 "release" [ ])
 ];
-in {
+in
+{
 flake = {
- nixosConfigurations =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets);
+ nixosConfigurations = builtins.listToAttrs (
+ map (t: lib.nameValuePair t.name t.hostConfiguration) targets
+ );
 packages = {
- x86_64-linux =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
+ x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
 };
 };
 }
diff --git a/targets/imx8mp-evk/flake-module.nix b/targets/imx8mp-evk/flake-module.nix
index 54f6cfccf..3c949a6f7 100644
--- a/targets/imx8mp-evk/flake-module.nix
+++ b/targets/imx8mp-evk/flake-module.nix
@@ -7,23 +7,27 @@
 lib,
 inputs,
 ...
-}: let
+}:
+let
 inherit (inputs) nixos-hardware;
 name = "nxp-imx8mp-evk";
 system = "aarch64-linux";
- nxp-imx8mp-evk = variant: extraModules: let
- hostConfiguration = lib.nixosSystem {
- inherit system;
- specialArgs = {inherit lib;};
- modules =
- [
+ nxp-imx8mp-evk =
+ variant: extraModules:
+ let
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit lib;
+ };
+ modules = [
 nixos-hardware.nixosModules.nxp-imx8mp-evk
 self.nixosModules.common
 self.nixosModules.host
 self.nixosModules.imx8
 {
 boot = {
- kernelParams = lib.mkForce ["root=/dev/mmcblk0p2"];
+ kernelParams = lib.mkForce [ "root=/dev/mmcblk0p2" ];
 loader = {
 grub.enable = false;
 generic-extlinux-compatible.enable = true;
@@ -44,34 +48,33 @@
 };
 nixpkgs = {
 buildPlatform.system = "x86_64-linux";
- overlays = [
- self.overlays.cross-compilation
- ];
+ overlays = [ self.overlays.cross-compilation ];
 };
 hardware.deviceTree.name = lib.mkForce "freescale/imx8mp-evk.dtb";
- disabledModules = ["profiles/all-hardware.nix"];
+ disabledModules = [ "profiles/all-hardware.nix" ];
 }
- ]
- ++ extraModules;
+ ] ++ extraModules;
+ };
+ in
+ {
+ inherit hostConfiguration;
+ name = "${name}-${variant}";
+ package = hostConfiguration.config.system.build.sdImage;
 };
- in {
- inherit hostConfiguration;
- name = "${name}-${variant}";
- package = hostConfiguration.config.system.build.sdImage;
- };
- debugModules = [];
- releaseModules = [];
+ debugModules = [ ];
+ releaseModules = [ ];
 targets = [
 (nxp-imx8mp-evk "debug" debugModules)
 (nxp-imx8mp-evk "release" releaseModules)
 ];
-in {
+in
+{
 flake = {
- nixosConfigurations =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets);
+ nixosConfigurations = builtins.listToAttrs (
+ map (t: lib.nameValuePair t.name t.hostConfiguration) targets
+ );
 packages = {
- aarch64-linux =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
+ aarch64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
 };
 };
 }
diff --git a/targets/laptop-hw-scan/flake-module.nix b/targets/laptop-hw-scan/flake-module.nix
index 377ad2991..4460a0015 100644
--- a/targets/laptop-hw-scan/flake-module.nix
+++ b/targets/laptop-hw-scan/flake-module.nix
@@ -2,48 +2,48 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 # Laptop image to run hardware scan and generate config files
-{
- lib,
- self,
- ...
-}: let
+{ lib, self, ... }:
+let
 name = "laptop-hw-scan";
 system = "x86_64-linux";
- hw-scan = let
- hostConfiguration = lib.nixosSystem {
- inherit system;
- modules = [
- ({modulesPath, ...}: {
- imports = [
- "${toString modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
- ];
- users.users.nixos.openssh.authorizedKeys.keys = (import ../../modules/common/development/authorized_ssh_keys.nix).authorizedKeys;
- systemd.services.wpa_supplicant.wantedBy = lib.mkForce ["multi-user.target"];
- systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"];
- isoImage.isoBaseName = "ghaf";
- isoImage.squashfsCompression = "zstd -Xcompression-level 3";
- environment.systemPackages = [
- self.packages.x86_64-linux.hardware-scan
- ];
- boot.kernelParams = [
- # TODO AMD support
- "intel_iommu=on,sm_on"
- "iommu=pt"
- ];
- })
- ];
+ hw-scan =
+ let
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ modules = [
+ (
+ { modulesPath, ... }:
+ {
+ imports = [ "${toString modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ];
+ users.users.nixos.openssh.authorizedKeys.keys =
+ (import ../../modules/common/development/authorized_ssh_keys.nix).authorizedKeys;
+ systemd.services.wpa_supplicant.wantedBy = lib.mkForce [ "multi-user.target" ];
+ systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
+ isoImage.isoBaseName = "ghaf";
+ isoImage.squashfsCompression = "zstd -Xcompression-level 3";
+ environment.systemPackages = [ self.packages.x86_64-linux.hardware-scan ];
+ boot.kernelParams = [
+ # TODO AMD support
+ "intel_iommu=on,sm_on"
+ "iommu=pt"
+ ];
+ }
+ )
+ ];
+ };
+ in
+ {
+ inherit hostConfiguration;
+ inherit name;
+ package = hostConfiguration.config.system.build.isoImage;
 };
- in {
- inherit hostConfiguration;
- inherit name;
- package = hostConfiguration.config.system.build.isoImage;
- };
- targets = [hw-scan];
-in {
+ targets = [ hw-scan ];
+in
+{
 flake = {
- nixosConfigurations =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets);
- packages.${system} =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
+ nixosConfigurations = builtins.listToAttrs (
+ map (t: lib.nameValuePair t.name t.hostConfiguration) targets
+ );
+ packages.${system} = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
 };
 }
diff --git a/targets/laptop/flake-module.nix b/targets/laptop/flake-module.nix
index 6063ce9ec..fd838530e 100644
--- a/targets/laptop/flake-module.nix
+++ b/targets/laptop/flake-module.nix
@@ -7,10 +7,11 @@
 self,
 inputs,
 ...
-}: let
+}:
+let
 system = "x86_64-linux";
- laptop-configuration = import ./laptop-configuration-builder.nix {inherit lib self inputs;};
+ laptop-configuration = import ./laptop-configuration-builder.nix { inherit lib self inputs; };
 targets = [
 # Laptop Debug configurations
@@ -89,11 +90,12 @@
 }
 ])
 ];
-in {
+in
+{
 flake = {
- nixosConfigurations =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets);
- packages.${system} =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
+ nixosConfigurations = builtins.listToAttrs (
+ map (t: lib.nameValuePair t.name t.hostConfiguration) targets
+ );
+ packages.${system} = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
 };
 }
diff --git a/targets/laptop/laptop-configuration-builder.nix b/targets/laptop/laptop-configuration-builder.nix
index 55ee334b8..85417ec2e 100644
--- a/targets/laptop/laptop-configuration-builder.nix
+++ b/targets/laptop/laptop-configuration-builder.nix
@@ -5,16 +5,18 @@
 self,
 inputs,
 ...
-}: let
+}:
+let
 system = "x86_64-linux";
 #TODO move this to a standalone function
 #should it live in the library or just as a function file
- mkLaptopConfiguration = machineType: variant: extraModules: let
- hostConfiguration = lib.nixosSystem {
- inherit system;
- modules =
- [
+ mkLaptopConfiguration =
+ machineType: variant: extraModules:
+ let
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ modules = [
 self.nixosModules.profiles
 self.nixosModules.laptop
 inputs.lanzaboote.nixosModules.lanzaboote
@@ -36,13 +38,13 @@
 };
 };
 })
- ]
- ++ extraModules;
+ ] ++ extraModules;
+ };
+ in
+ {
+ inherit hostConfiguration;
+ name = "${machineType}-${variant}";
+ package = hostConfiguration.config.system.build.diskoImages;
 };
- in {
- inherit hostConfiguration;
- name = "${machineType}-${variant}";
- package = hostConfiguration.config.system.build.diskoImages;
- };
 in
- mkLaptopConfiguration
+mkLaptopConfiguration
diff --git a/targets/lenovo-x1-installer/flake-module.nix b/targets/lenovo-x1-installer/flake-module.nix
index 954be7db0..96c91e5a0 100644
--- a/targets/lenovo-x1-installer/flake-module.nix
+++ b/targets/lenovo-x1-installer/flake-module.nix
@@ -2,81 +2,82 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 # Lenovo X1 Carbon Installer
-{
- lib,
- self,
- ...
-}: let
+{ lib, self, ... }:
+let
 name = "lenovo-x1-carbon";
 system = "x86_64-linux";
- installer = generation: variant: let
- imagePath = self.packages.x86_64-linux."${name}-${generation}-${variant}" + "/disk1.raw.zst";
- hostConfiguration = lib.nixosSystem {
- inherit system;
- modules = [
- ({
- pkgs,
- modulesPath,
- ...
- }: let
- installScript = pkgs.callPackage ../../packages/installer {};
- in {
- imports = [
- "${toString modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
- ];
+ installer =
+ generation: variant:
+ let
+ imagePath = self.packages.x86_64-linux."${name}-${generation}-${variant}" + "/disk1.raw.zst";
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ modules = [
+ (
+ { pkgs, modulesPath, ... }:
+ let
+ installScript = pkgs.callPackage ../../packages/installer { };
+ in
+ {
+ imports = [ "${toString modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ];
- environment.sessionVariables = {
- IMG_PATH = imagePath;
- };
+ environment.sessionVariables = {
+ IMG_PATH = imagePath;
+ };
- # SSH key to installer for test automation.
- users.users.nixos.openssh.authorizedKeys.keys = lib.mkIf (variant == "debug") (import ../../modules/common/development/authorized_ssh_keys.nix).authorizedKeys;
+ # SSH key to installer for test automation.
+ users.users.nixos.openssh.authorizedKeys.keys = lib.mkIf (
+ variant == "debug"
+ ) (import ../../modules/common/development/authorized_ssh_keys.nix).authorizedKeys;
- systemd.services.wpa_supplicant.wantedBy = lib.mkForce ["multi-user.target"];
- systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"];
+ systemd.services.wpa_supplicant.wantedBy = lib.mkForce [ "multi-user.target" ];
+ systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
- isoImage.isoBaseName = "ghaf";
- networking.hostName = "ghaf-installer";
+ isoImage.isoBaseName = "ghaf";
+ networking.hostName = "ghaf-installer";
- environment.systemPackages = [
- installScript
- self.packages.x86_64-linux.hardware-scan
- ];
+ environment.systemPackages = [
+ installScript
+ self.packages.x86_64-linux.hardware-scan
+ ];
- services.getty = {
- greetingLine = ''<<< Welcome to the Ghaf installer >>>'';
- helpLine = lib.mkAfter ''
+ services.getty = {
+ greetingLine = ''<<< Welcome to the Ghaf installer >>>'';
+ helpLine = lib.mkAfter ''
- To run the installer, type
- `sudo ghaf-installer` and select the installation target.
- '';
- };
+ To run the installer, type
+ `sudo ghaf-installer` and select the installation target.
+ '';
+ };
- isoImage.squashfsCompression = "zstd -Xcompression-level 3";
+ isoImage.squashfsCompression = "zstd -Xcompression-level 3";
- # NOTE: Stop nixos complains about "warning:
- # mdadm: Neither MAILADDR nor PROGRAM has been set. This will cause the `mdmon` service to crash."
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L112
- boot.swraid.mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true";
- })
- ];
+ # NOTE: Stop nixos complains about "warning:
+ # mdadm: Neither MAILADDR nor PROGRAM has been set. This will cause the `mdmon` service to crash."
+ # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L112
+ boot.swraid.mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true";
+ }
+ )
+ ];
+ };
+ in
+ {
+ inherit hostConfiguration;
+ name = "${name}-${generation}-${variant}-installer";
+ package = hostConfiguration.config.system.build.isoImage;
 };
- in {
- inherit hostConfiguration;
- name = "${name}-${generation}-${variant}-installer";
- package = hostConfiguration.config.system.build.isoImage;
- };
 targets = [
 (installer "gen10" "debug")
 (installer "gen11" "debug")
 (installer "gen10" "release")
 (installer "gen11" "release")
 ];
-in {
+in
+{
 flake = {
- nixosConfigurations =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets);
- packages.${system} =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
+ nixosConfigurations = builtins.listToAttrs (
+ map (t: lib.nameValuePair t.name t.hostConfiguration) targets
+ );
+ packages.${system} = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
 };
 }
diff --git a/targets/microchip-icicle-kit/flake-module.nix b/targets/microchip-icicle-kit/flake-module.nix
index daae48bdd..935fcf5dd 100644
--- a/targets/microchip-icicle-kit/flake-module.nix
+++ b/targets/microchip-icicle-kit/flake-module.nix
@@ -7,15 +7,17 @@
 lib,
 self,
 ...
-}: let
+}:
+let
 inherit (inputs) nixos-hardware;
 name = "microchip-icicle-kit";
 system = "riscv64-linux";
- microchip-icicle-kit = variant: extraModules: let
- hostConfiguration = lib.nixosSystem {
- inherit system;
- modules =
- [
+ microchip-icicle-kit =
+ variant: extraModules:
+ let
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ modules = [
 nixos-hardware.nixosModules.microchip-icicle-kit
 self.nixosModules.common
 self.nixosModules.host
@@ -44,33 +46,35 @@ nixpkgs = { buildPlatform.system = "x86_64-linux"; hostPlatform.system = "riscv64-linux"; - overlays = [ - self.overlays.cross-compilation - ]; + overlays = [ self.overlays.cross-compilation ]; }; - boot.kernelParams = ["root=/dev/mmcblk0p2" "rootdelay=5"]; - disabledModules = ["profiles/all-hardware.nix"]; + boot.kernelParams = [ + "root=/dev/mmcblk0p2" + "rootdelay=5" + ]; + disabledModules = [ "profiles/all-hardware.nix" ]; } - ] - ++ extraModules; + ] ++ extraModules; + }; + in + { + inherit hostConfiguration; + name = "${name}-${variant}"; + package = hostConfiguration.config.system.build.sdImage; }; - in { - inherit hostConfiguration; - name = "${name}-${variant}"; - package = hostConfiguration.config.system.build.sdImage; - }; targets = [ - (microchip-icicle-kit "debug" []) - (microchip-icicle-kit "release" []) + (microchip-icicle-kit "debug" [ ]) + (microchip-icicle-kit "release" [ ]) ]; -in { +in +{ flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) targets + ); packages = { - riscv64-linux = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + riscv64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); }; }; } diff --git a/targets/nvidia-jetson-orin/cross-compilation.nix b/targets/nvidia-jetson-orin/cross-compilation.nix index 8f16d935b..181bcfb3d 100644 --- a/targets/nvidia-jetson-orin/cross-compilation.nix +++ b/targets/nvidia-jetson-orin/cross-compilation.nix @@ -6,8 +6,6 @@ { nixpkgs = { buildPlatform.system = "x86_64-linux"; - overlays = [ - (import ../../overlays/cross-compilation) - ]; + overlays = [ (import ../../overlays/cross-compilation) ]; }; } diff --git a/targets/nvidia-jetson-orin/flake-module.nix b/targets/nvidia-jetson-orin/flake-module.nix index dd658bd3d..e9b72c7f8 100644 
--- a/targets/nvidia-jetson-orin/flake-module.nix +++ b/targets/nvidia-jetson-orin/flake-module.nix @@ -8,40 +8,42 @@ lib, self, ... -}: let +}: +let inherit (inputs) nixpkgs nixos-generators jetpack-nixos; name = "nvidia-jetson-orin"; system = "aarch64-linux"; - nvidia-jetson-orin = som: variant: extraModules: let - netvmExtraModules = [ - { - # The Nvidia Orin hardware dependent configuration is in - # modules/jetpack and modules/jetpack-microvm. Please refer to that - # section for hardware dependent netvm configuration. + nvidia-jetson-orin = + som: variant: extraModules: + let + netvmExtraModules = [ + { + # The Nvidia Orin hardware dependent configuration is in + # modules/jetpack and modules/jetpack-microvm. Please refer to that + # section for hardware dependent netvm configuration. - # Wireless Configuration. Orin AGX has WiFi enabled where Orin NX does - # not. + # Wireless Configuration. Orin AGX has WiFi enabled where Orin NX does + # not. - # To enable or disable wireless - networking.wireless.enable = som == "agx"; + # To enable or disable wireless + networking.wireless.enable = som == "agx"; - # For WLAN firmwares - hardware = { - enableRedistributableFirmware = som == "agx"; - wirelessRegulatoryDatabase = true; - }; + # For WLAN firmwares + hardware = { + enableRedistributableFirmware = som == "agx"; + wirelessRegulatoryDatabase = true; + }; - services.dnsmasq.settings.dhcp-option = [ - "option:router,192.168.100.1" # set net-vm as a default gw - "option:dns-server,192.168.100.1" - ]; - } - ]; - hostConfiguration = lib.nixosSystem { - inherit system; + services.dnsmasq.settings.dhcp-option = [ + "option:router,192.168.100.1" # set net-vm as a default gw + "option:dns-server,192.168.100.1" + ]; + } + ]; + hostConfiguration = lib.nixosSystem { + inherit system; - modules = - [ + modules = [ (nixos-generators + "/format-module.nix") ../../modules/jetpack/nvidia-jetson-orin/format-module.nix jetpack-nixos.nixosModules.default 
@@ -98,41 +100,35 @@ }; } - (import ./optee.nix {}) - ] - ++ extraModules; + (import ./optee.nix { }) + ] ++ extraModules; + }; + in + { + inherit hostConfiguration; + name = "${name}-${som}-${variant}"; + package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; - in { - inherit hostConfiguration; - name = "${name}-${som}-${variant}"; - package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; - }; - nvidia-jetson-orin-agx-debug = nvidia-jetson-orin "agx" "debug" []; - nvidia-jetson-orin-agx-release = nvidia-jetson-orin "agx" "release" []; - nvidia-jetson-orin-nx-debug = nvidia-jetson-orin "nx" "debug" []; - nvidia-jetson-orin-nx-release = nvidia-jetson-orin "nx" "release" []; - generate-nodemoapps = tgt: + nvidia-jetson-orin-agx-debug = nvidia-jetson-orin "agx" "debug" [ ]; + nvidia-jetson-orin-agx-release = nvidia-jetson-orin "agx" "release" [ ]; + nvidia-jetson-orin-nx-debug = nvidia-jetson-orin "nx" "debug" [ ]; + nvidia-jetson-orin-nx-release = nvidia-jetson-orin "nx" "release" [ ]; + generate-nodemoapps = + tgt: tgt // rec { name = tgt.name + "-nodemoapps"; hostConfiguration = tgt.hostConfiguration.extendModules { - modules = [ - { - ghaf.graphics.enableDemoApplications = lib.mkForce false; - } - ]; + modules = [ { ghaf.graphics.enableDemoApplications = lib.mkForce false; } ]; }; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; - generate-cross-from-x86_64 = tgt: + generate-cross-from-x86_64 = + tgt: tgt // rec { name = tgt.name + "-from-x86_64"; - hostConfiguration = tgt.hostConfiguration.extendModules { - modules = [ - ./cross-compilation.nix - ]; - }; + hostConfiguration = tgt.hostConfiguration.extendModules { modules = [ ./cross-compilation.nix ]; }; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; # Base targets to use for generating demoapps and cross-compilation targets 
@@ -147,7 +143,8 @@ crossTargets = map generate-cross-from-x86_64 targets; mkFlashScript = import ../../lib/mk-flash-script; # Generate flash script variant which flashes both QSPI and eMMC - generate-flash-script = tgt: flash-tools-system: + generate-flash-script = + tgt: flash-tools-system: mkFlashScript { inherit nixpkgs; inherit (tgt) hostConfiguration; 
@@ -156,35 +153,48 @@ }; # Generate flash script variant which flashes QSPI only. Useful for Orin NX # and non-eMMC based development. - generate-flash-qspi = tgt: flash-tools-system: + generate-flash-qspi = + tgt: flash-tools-system: mkFlashScript { inherit nixpkgs; hostConfiguration = tgt.hostConfiguration.extendModules { - modules = [ - { - ghaf.hardware.nvidia.orin.flashScriptOverrides.onlyQSPI = true; - } - ]; + modules = [ { ghaf.hardware.nvidia.orin.flashScriptOverrides.onlyQSPI = true; } ]; }; inherit jetpack-nixos; inherit flash-tools-system; }; -in { +in +{ flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) (targets ++ crossTargets)); + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) (targets ++ crossTargets) + ); packages = { aarch64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets) # EXPERIMENTAL: The aarch64-linux hosted flashing support is experimental # and it simply might not work. 
Providing the script anyway - // builtins.listToAttrs (map (t: lib.nameValuePair "${t.name}-flash-script" (generate-flash-script t "aarch64-linux")) targets) - // builtins.listToAttrs (map (t: lib.nameValuePair "${t.name}-flash-qspi" (generate-flash-qspi t "aarch64-linux")) targets); + // builtins.listToAttrs ( + map ( + t: lib.nameValuePair "${t.name}-flash-script" (generate-flash-script t "aarch64-linux") + ) targets + ) + // builtins.listToAttrs ( + map (t: lib.nameValuePair "${t.name}-flash-qspi" (generate-flash-qspi t "aarch64-linux")) targets + ); x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) crossTargets) - // builtins.listToAttrs (map (t: lib.nameValuePair "${t.name}-flash-script" (generate-flash-script t "x86_64-linux")) (targets ++ crossTargets)) - // builtins.listToAttrs (map (t: lib.nameValuePair "${t.name}-flash-qspi" (generate-flash-qspi t "x86_64-linux")) (targets ++ crossTargets)); + // builtins.listToAttrs ( + map (t: lib.nameValuePair "${t.name}-flash-script" (generate-flash-script t "x86_64-linux")) ( + targets ++ crossTargets + ) + ) + // builtins.listToAttrs ( + map (t: lib.nameValuePair "${t.name}-flash-qspi" (generate-flash-qspi t "x86_64-linux")) ( + targets ++ crossTargets + ) + ); }; }; } diff --git a/targets/nvidia-jetson-orin/optee.nix b/targets/nvidia-jetson-orin/optee.nix index 8e077f8a6..27ea82be9 100644 --- a/targets/nvidia-jetson-orin/optee.nix +++ b/targets/nvidia-jetson-orin/optee.nix @@ -1,13 +1,15 @@ # SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors # # SPDX-License-Identifier: Apache-2.0 -_: ( +_: +( { pkgs, config, lib, ... - }: let + }: + let # TODO: Refactor this later, if this gets proper implementation on the # jetpack-nixos stdenv = pkgs.gcc9Stdenv; 
@@ -24,7 +26,7 @@ _: ( pname = "optee_xtest"; version = l4tVersion; src = opteeSource; - nativeBuildInputs = [(pkgs.buildPackages.python3.withPackages (p: [p.cryptography]))]; + nativeBuildInputs = [ (pkgs.buildPackages.python3.withPackages (p: [ p.cryptography ])) ]; postPatch = '' patchShebangs --build $(find optee/optee_test -type d -name scripts -printf '%p ') ''; @@ -47,7 +49,7 @@ _: ( pname = "pkcs11"; version = l4tVersion; src = opteeSource; - nativeBuildInputs = [(pkgs.buildPackages.python3.withPackages (p: [p.cryptography]))]; + nativeBuildInputs = [ (pkgs.buildPackages.python3.withPackages (p: [ p.cryptography ])) ]; makeFlags = [ "-C optee/optee_os/ta/pkcs11" "CROSS_COMPILE=${stdenv.cc.targetPrefix}" 
@@ -68,69 +70,74 @@ _: ( pkcs11-tool-optee = pkgs.writeShellScriptBin "pkcs11-tool-optee" '' exec "${pkgs.opensc}/bin/pkcs11-tool" --module "${opteeClient}/lib/libckteec.so" $@ ''; - in { - hardware.nvidia-jetpack.firmware.optee.supplicant.trustedApplications = let - xTestTaDir = "${opteeXtest}/ta"; - xTestTaPaths = - builtins.map (ta: { - name = ta; - path = xTestTaDir + "/" + ta; - }) [ - # List of OP-TEE's xtest required TA's - # - # A short guide about a ways of constructing xtest TA list - # - # A) Run xtest and based on errors add TAs to the list - # - Run xtest and you might see following error - # E/LD: init_elf:453 sys_open_ta_bin(cb3e5ba0-adf1-11e0-998b-0002a5d5c51b) - # E/TC:?? 0 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff0008 - # --> Add cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta into list and repeat - # - # B) From OP-TEE's xtest sources https://github.com/OP-TEE/optee_test - # - Navigate into optee_test repo and run - # $ find ta -path ta/supp_plugin -prune -o -name Makefile -exec grep -oP 'BINARY = \K.*' {} \; - # --> Above comaand produces a list of TAs UUID - # --> It does not produce all UUID due some of them are hardcode into source files - # --> It produce more TA than needed - # - # C) At "find ./out -name "*.ta"" into opteeXtest derivation installPhase - # and uild package with "-L"-flag - # --> Scroll output until find TAs - # ./out/ta/crypt/cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta - # ./out/ta/concurrent_large/5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta - # - # Below list used option C + in + { + hardware.nvidia-jetpack.firmware.optee.supplicant.trustedApplications = + let + xTestTaDir = "${opteeXtest}/ta"; + xTestTaPaths = + builtins.map + (ta: { + name = ta; + path = xTestTaDir + "/" + ta; + }) + [ + # List of OP-TEE's xtest required TA's + # + # A short guide about a ways of constructing xtest TA list + # + # A) Run xtest and based on errors add TAs to the list + # - Run xtest and you might see following error + # E/LD: init_elf:453 
sys_open_ta_bin(cb3e5ba0-adf1-11e0-998b-0002a5d5c51b) + # E/TC:?? 0 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff0008 + # --> Add cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta into list and repeat + # + # B) From OP-TEE's xtest sources https://github.com/OP-TEE/optee_test + # - Navigate into optee_test repo and run + # $ find ta -path ta/supp_plugin -prune -o -name Makefile -exec grep -oP 'BINARY = \K.*' {} \; + # --> Above comaand produces a list of TAs UUID + # --> It does not produce all UUID due some of them are hardcode into source files + # --> It produce more TA than needed + # + # C) At "find ./out -name "*.ta"" into opteeXtest derivation installPhase + # and uild package with "-L"-flag + # --> Scroll output until find TAs + # ./out/ta/crypt/cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta + # ./out/ta/concurrent_large/5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta + # + # Below list used option C - "cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta" - "5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta" - "e626662e-c0e2-485c-b8c8-09fbce6edf3d.ta" - "c3f6e2c0-3548-11e1-b86c-0800200c9a66.ta" - "873bcd08-c2c3-11e6-a937-d0bf9c45c61c.ta" - "b689f2a7-8adf-477a-9f99-32e90c0ad0a2.ta" - "a4c04d50-f180-11e8-8eb2-f2801f1b9fd1.ta" - "25497083-a58a-4fc5-8a72-1ad7b69b8562.ta" - "731e279e-aafb-4575-a771-38caa6f0cca6.ta" - "5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.ta" - "380231ac-fb99-47ad-a689-9e017eb6e78a.ta" - "d17f73a0-36ef-11e1-984a-0002a5d5c51b.ta" - "614789f2-39c0-4ebf-b235-92b32ac107ed.ta" - "e6a33ed4-562b-463a-bb7e-ff5e15a493c8.ta" - "e13010e0-2ae1-11e5-896a-0002a5d5c51b.ta" - "528938ce-fc59-11e8-8eb2-f2801f1b9fd1.ta" - "ffd2bded-ab7d-4988-95ee-e4962fff7154.ta" - "b3091a65-9751-4784-abf7-0298a7cc35ba.ta" - "f157cda0-550c-11e5-a6fa-0002a5d5c51b.ta" - "5c206987-16a3-59cc-ab0f-64b9cfc9e758.ta" - "a720ccbb-51da-417d-b82e-e5445d474a7a.ta" - ]; - pkcs11TaPath = { - name = "fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta"; - path = "${pcks11Ta}/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta"; - }; - paths = - 
lib.optionals config.ghaf.hardware.nvidia.orin.optee.xtest xTestTaPaths - ++ lib.optional config.ghaf.hardware.nvidia.orin.optee.pkcs11.enable pkcs11TaPath; - in [(pkgs.linkFarm "optee-load-path" paths)]; + "cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta" + "5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta" + "e626662e-c0e2-485c-b8c8-09fbce6edf3d.ta" + "c3f6e2c0-3548-11e1-b86c-0800200c9a66.ta" + "873bcd08-c2c3-11e6-a937-d0bf9c45c61c.ta" + "b689f2a7-8adf-477a-9f99-32e90c0ad0a2.ta" + "a4c04d50-f180-11e8-8eb2-f2801f1b9fd1.ta" + "25497083-a58a-4fc5-8a72-1ad7b69b8562.ta" + "731e279e-aafb-4575-a771-38caa6f0cca6.ta" + "5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.ta" + "380231ac-fb99-47ad-a689-9e017eb6e78a.ta" + "d17f73a0-36ef-11e1-984a-0002a5d5c51b.ta" + "614789f2-39c0-4ebf-b235-92b32ac107ed.ta" + "e6a33ed4-562b-463a-bb7e-ff5e15a493c8.ta" + "e13010e0-2ae1-11e5-896a-0002a5d5c51b.ta" + "528938ce-fc59-11e8-8eb2-f2801f1b9fd1.ta" + "ffd2bded-ab7d-4988-95ee-e4962fff7154.ta" + "b3091a65-9751-4784-abf7-0298a7cc35ba.ta" + "f157cda0-550c-11e5-a6fa-0002a5d5c51b.ta" + "5c206987-16a3-59cc-ab0f-64b9cfc9e758.ta" + "a720ccbb-51da-417d-b82e-e5445d474a7a.ta" + ]; + pkcs11TaPath = { + name = "fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta"; + path = "${pcks11Ta}/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta"; + }; + paths = + lib.optionals config.ghaf.hardware.nvidia.orin.optee.xtest xTestTaPaths + ++ lib.optional config.ghaf.hardware.nvidia.orin.optee.pkcs11.enable pkcs11TaPath; + in + [ (pkgs.linkFarm "optee-load-path" paths) ]; environment.systemPackages = (lib.optional config.ghaf.hardware.nvidia.orin.optee.pkcs11-tool pkcs11-tool-optee) diff --git a/targets/vm/flake-module.nix b/targets/vm/flake-module.nix index 3404525af..13091b366 100644 --- a/targets/vm/flake-module.nix +++ b/targets/vm/flake-module.nix 
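Review bot: The `pkcs11-tool-optee` wrapper at the top of this hunk passes the caller's arguments unquoted (`exec "${pkgs.opensc}/bin/pkcs11-tool" --module "${opteeClient}/lib/libckteec.so" $@`), so any argument containing whitespace or glob characters — a token label, a PIN, a file path — is word-split and glob-expanded by the shell before pkcs11-tool sees it. It is a context line the reformat does not touch, but it is the one behavioural defect visible on the new side of this file; the fix is to quote it, `exec "${pkgs.opensc}/bin/pkcs11-tool" --module "${opteeClient}/lib/libckteec.so" "$@"`. The enclosing `let` block that defines `opteeXtest`, `pcks11Ta` and this wrapper starts before the hunk.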
@@ -5,64 +5,69 @@ lib, self, ... -}: let +}: +let inherit (inputs) nixos-generators; name = "vm"; system = "x86_64-linux"; - vm = variant: let - hostConfiguration = lib.nixosSystem { - inherit system; - modules = [ - nixos-generators.nixosModules.vm - self.nixosModules.common - self.nixosModules.desktop - self.nixosModules.host - self.nixosModules.microvm - self.nixosModules.hw-x86_64-generic + vm = + variant: + let + hostConfiguration = lib.nixosSystem { + inherit system; + modules = [ + nixos-generators.nixosModules.vm + self.nixosModules.common + self.nixosModules.desktop + self.nixosModules.host + self.nixosModules.microvm + self.nixosModules.hw-x86_64-generic - { - ghaf = { - hardware.x86_64.common.enable = true; + { + ghaf = { + hardware.x86_64.common.enable = true; - virtualization = { - microvm-host = { - enable = true; - networkSupport = true; - }; + virtualization = { + microvm-host = { + enable = true; + networkSupport = true; + }; - # TODO: NetVM enabled, but it does not include anything specific - # for this Virtual Machine target - microvm.netvm.enable = true; - }; + # TODO: NetVM enabled, but it does not include anything specific + # for this Virtual Machine target + microvm.netvm.enable = true; + }; - host.networking.enable = true; + host.networking.enable = true; - # Enable all the default UI applications - profiles = { - applications.enable = true; - release.enable = variant == "release"; - debug.enable = variant == "debug"; + # Enable all the default UI applications + profiles = { + applications.enable = true; + release.enable = variant == "release"; + debug.enable = variant == "debug"; + }; }; - }; - } - ]; + } + ]; + }; + in + { + inherit hostConfiguration; + name = "${name}-${variant}"; + package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; - in { - inherit hostConfiguration; - name = "${name}-${variant}"; - package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; - }; 
targets = [ (vm "debug") (vm "release") ]; -in { +in +{ flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) targets + ); packages = { - x86_64-linux = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); }; }; } diff --git a/templates/boilerplate/default.nix b/templates/boilerplate/default.nix index 59dcb3cd4..4f8ffb1a0 100644 --- a/templates/boilerplate/default.nix +++ b/templates/boilerplate/default.nix @@ -5,10 +5,18 @@ # This file originates from: # https://github.com/nix-community/flake-compat # This file provides backward compatibility to nix < 2.4 clients -{system ? builtins.currentSystem}: let +{ + system ? builtins.currentSystem, +}: +let lock = builtins.fromJSON (builtins.readFile ./flake.lock); - inherit (lock.nodes.flake-compat.locked) owner repo rev narHash; + inherit (lock.nodes.flake-compat.locked) + owner + repo + rev + narHash + ; flake-compat = fetchTarball { url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; @@ -20,4 +28,4 @@ src = ./.; }; in - flake.defaultNix +flake.defaultNix diff --git a/templates/boilerplate/flake.nix b/templates/boilerplate/flake.nix index f337dcc5a..a43b2303c 100644 --- a/templates/boilerplate/flake.nix +++ b/templates/boilerplate/flake.nix @@ -83,11 +83,9 @@ }; }; - outputs = inputs @ {flake-parts, ...}: - flake-parts.lib.mkFlake - { - inherit inputs; - } { + outputs = + inputs@{ flake-parts, ... }: + flake-parts.lib.mkFlake { inherit inputs; } { # Toggle this to allow debugging in the repl # see:https://flake.parts/debug debug = false; diff --git a/templates/boilerplate/hydrajobs/flake-module.nix b/templates/boilerplate/hydrajobs/flake-module.nix index d976f4152..7655fa3ee 100644 
--- a/templates/boilerplate/hydrajobs/flake-module.nix +++ b/templates/boilerplate/hydrajobs/flake-module.nix @@ -1,6 +1,3 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -_: { - flake.hydraJobs = { - }; -} +_: { flake.hydraJobs = { }; } diff --git a/templates/boilerplate/modules/flake-module.nix b/templates/boilerplate/modules/flake-module.nix index 940f1826b..6174729f4 100644 --- a/templates/boilerplate/modules/flake-module.nix +++ b/templates/boilerplate/modules/flake-module.nix @@ -4,9 +4,7 @@ # Modules to be exported from Flake # _: { - imports = [ - ]; + imports = [ ]; - flake.nixosModules = { - }; + flake.nixosModules = { }; } diff --git a/templates/boilerplate/modules/hardware/default.nix b/templates/boilerplate/modules/hardware/default.nix index a8b17547e..982744d36 100644 --- a/templates/boilerplate/modules/hardware/default.nix +++ b/templates/boilerplate/modules/hardware/default.nix @@ -25,8 +25,8 @@ input = { keyboard = { - name = ["AT Translated Set 2 keyboard"]; - evdev = ["/dev/input/by-path/platform-i8042-serio-0-event-kbd"]; + name = [ "AT Translated Set 2 keyboard" ]; + evdev = [ "/dev/input/by-path/platform-i8042-serio-0-event-kbd" ]; }; mouse = { @@ -37,9 +37,7 @@ "ELAN067B:00 04F3:31F8 Mouse" ] ]; - evdev = [ - "/dev/mouse0" - ]; + evdev = [ "/dev/mouse0" ]; }; touchpad = { @@ -50,9 +48,7 @@ "ELAN067B:00 04F3:31F8 Touchpad" ] ]; - evdev = [ - "/dev/touchpad0" - ]; + evdev = [ "/dev/touchpad0" ]; }; misc = { @@ -91,8 +87,8 @@ } ]; kernelConfig = { - stage1.kernelModules = ["i915"]; - kernelParams = ["earlykms"]; + stage1.kernelModules = [ "i915" ]; + kernelParams = [ "earlykms" ]; }; }; diff --git a/templates/boilerplate/nix/checks.nix b/templates/boilerplate/nix/checks.nix index e0e4cd642..1f6e264b9 100644 --- a/templates/boilerplate/nix/checks.nix +++ b/templates/boilerplate/nix/checks.nix 
@@ -1,17 +1,16 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - perSystem = {pkgs, ...}: { - checks = { - reuse = - pkgs.runCommandLocal "reuse-lint" { - buildInputs = [pkgs.reuse]; - } '' + perSystem = + { pkgs, ... }: + { + checks = { + reuse = pkgs.runCommandLocal "reuse-lint" { buildInputs = [ pkgs.reuse ]; } '' cd ${../.} reuse lint touch $out ''; + }; + # // (lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages); }; - # // (lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages); - }; } diff --git a/templates/boilerplate/nix/devshell.nix b/templates/boilerplate/nix/devshell.nix index b378f0724..c2b4d71de 100644 --- a/templates/boilerplate/nix/devshell.nix +++ b/templates/boilerplate/nix/devshell.nix @@ -1,36 +1,34 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - imports = [ - ]; - perSystem = { - pkgs, - inputs', - lib, - ... - }: { - devShells.default = pkgs.mkShell { - name = "Ghaf derived devshell"; - packages = - builtins.attrValues { - inherit - (pkgs) - alejandra - git - mdbook - nix - nixci - nixos-rebuild - nix-output-monitor - nix-tree - reuse - statix - ; - } - ++ [ - inputs'.nix-fast-build.packages.default - ] - ++ lib.optional (pkgs.hostPlatform.system != "riscv64-linux") pkgs.cachix; + imports = [ ]; + perSystem = + { + pkgs, + inputs', + lib, + ... + }: + { + devShells.default = pkgs.mkShell { + name = "Ghaf derived devshell"; + packages = + builtins.attrValues { + inherit (pkgs) + alejandra + git + mdbook + nix + nixci + nixos-rebuild + nix-output-monitor + nix-tree + reuse + statix + ; + } + ++ [ inputs'.nix-fast-build.packages.default ] + ++ lib.optional (pkgs.hostPlatform.system != "riscv64-linux") pkgs.cachix; + }; }; - }; } diff --git a/templates/boilerplate/nix/nixpkgs.nix b/templates/boilerplate/nix/nixpkgs.nix index e0e4f5392..fecabf1a0 100644 --- a/templates/boilerplate/nix/nixpkgs.nix 
+++ b/templates/boilerplate/nix/nixpkgs.nix @@ -1,19 +1,18 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ lib, inputs, ... }: { - lib, - inputs, - ... -}: { - perSystem = {system, ...}: { - # customise pkgs - _module.args.pkgs = import inputs.nixpkgs { - inherit system inputs; - config = { - allowUnfree = true; + perSystem = + { system, ... }: + { + # customise pkgs + _module.args.pkgs = import inputs.nixpkgs { + inherit system inputs; + config = { + allowUnfree = true; + }; }; + # make custom top-level lib available to all `perSystem` functions + _module.args.lib = lib; }; - # make custom top-level lib available to all `perSystem` functions - _module.args.lib = lib; - }; } diff --git a/templates/boilerplate/nix/treefmt.nix b/templates/boilerplate/nix/treefmt.nix index 45d3d6e7a..6483a9b4f 100644 --- a/templates/boilerplate/nix/treefmt.nix +++ b/templates/boilerplate/nix/treefmt.nix 
@@ -1,37 +1,35 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - perSystem = { - config, - pkgs, - ... - }: { - treefmt.config = { - package = pkgs.treefmt; - inherit (config.flake-root) projectRootFile; + perSystem = + { config, pkgs, ... }: + { + treefmt.config = { + package = pkgs.treefmt; + inherit (config.flake-root) projectRootFile; - programs = { - # Nix - alejandra.enable = true; # nix formatter https://github.com/kamadorueda/alejandra - deadnix.enable = true; # removes dead nix code https://github.com/astro/deadnix - statix.enable = true; # prevents use of nix anti-patterns https://github.com/nerdypepper/statix + programs = { + # Nix + alejandra.enable = true; # nix formatter https://github.com/kamadorueda/alejandra + deadnix.enable = true; # removes dead nix code https://github.com/astro/deadnix + statix.enable = true; # prevents use of nix anti-patterns https://github.com/nerdypepper/statix - # Python - # It was found out that the best outcome comes from running mulitple - # formatters. - black.enable = true; # The Classic Python formatter - isort.enable = true; # Python import sorter - # Ruff, a Python formatter written in Rust (30x faster than Black). - # Also provides additional linting. - # Do not enable ruff.format = true; because then it won't complaing - # about linting errors. The default mode is the check mode. - ruff.check = true; + # Python + # It was found out that the best outcome comes from running mulitple + # formatters. + black.enable = true; # The Classic Python formatter + isort.enable = true; # Python import sorter + # Ruff, a Python formatter written in Rust (30x faster than Black). + # Also provides additional linting. + # Do not enable ruff.format = true; because then it won't complaing + # about linting errors. The default mode is the check mode. 
+ ruff.check = true; - # Bash - shellcheck.enable = true; # lints shell scripts https://github.com/koalaman/shellcheck + # Bash + shellcheck.enable = true; # lints shell scripts https://github.com/koalaman/shellcheck + }; }; - }; - formatter = config.treefmt.build.wrapper; - }; + formatter = config.treefmt.build.wrapper; + }; } diff --git a/templates/boilerplate/shell.nix b/templates/boilerplate/shell.nix index 867a3e382..e5368b16b 100644 --- a/templates/boilerplate/shell.nix +++ b/templates/boilerplate/shell.nix @@ -5,10 +5,18 @@ # This file originates from: # https://github.com/nix-community/flake-compat # This file provides backward compatibility to nix < 2.4 clients -{system ? builtins.currentSystem}: let +{ + system ? builtins.currentSystem, +}: +let lock = builtins.fromJSON (builtins.readFile ./flake.lock); - inherit (lock.nodes.flake-compat.locked) owner repo rev narHash; + inherit (lock.nodes.flake-compat.locked) + owner + repo + rev + narHash + ; flake-compat = fetchTarball { url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; @@ -20,4 +28,4 @@ src = ./.; }; in - flake.shellNix +flake.shellNix diff --git a/templates/boilerplate/targets/flake-module.nix b/templates/boilerplate/targets/flake-module.nix index fa0496200..bb568bee9 100644 --- a/templates/boilerplate/targets/flake-module.nix +++ b/templates/boilerplate/targets/flake-module.nix @@ -1,4 +1,3 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -_: { -} +_: { } diff --git a/templates/modules/default.nix b/templates/modules/default.nix index d867a8ba9..0614f7712 100644 --- a/templates/modules/default.nix +++ b/templates/modules/default.nix 
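Review bot: The reformatted template still configures `alejandra.enable = true; # nix formatter ...` under `programs`, and the sibling hunk in templates/boilerplate/nix/devshell.nix still lists `alejandra` among the devshell packages, so a project generated from this template will presumably have `treefmt` rewrite these files straight back into alejandra's layout, undoing the nixfmt formatting this commit introduces. If nixfmt is now the intended formatter, the template should switch to treefmt-nix's nixfmt module (`nixfmt.enable = true;`, provided the pinned treefmt-nix offers it) with the matching package in devshell.nix and an updated trailing comment; if the template is meant to keep alejandra, a short comment above `programs` saying so would stop the next reader from assuming the mismatch is an oversight. This hunk covers the whole `perSystem` definition, so no enclosing block extends beyond it.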
@@ -6,22 +6,19 @@ # # https://nixos.org/manual/nixos/stable/index.html#sec-writing-modules # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let # inherit (builtins) A B C; # inherit (lib) D E F; # inherit (lib.ghaf) G H I; cfg = config.ghaf.X.Y; -in { - imports = [ - ]; +in +{ + imports = [ ]; options.ghaf.X.Y = { enable = lib.mkEnableOption "Option"; }; - config = lib.mkIf cfg.enable {}; + config = lib.mkIf cfg.enable { }; }