oops. dense commit

default.nix

@@ -15,6 +15,7 @@ in {
     package = pkgs.nix;
 
     # flake registry and nix path pinning
+    # might not be needed? see: https://github.com/NixOS/nixpkgs/commit/e456032addae76701eb17e6c03fc515fd78ad74f
     nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
     registry.nixpkgs.flake = inputs.nixpkgs;
   
@@ -32,6 +33,9 @@ in {
   	};
   };
 
+  # set our git revision inside `nixos-version`
+  system.configurationRevision = with inputs; mkIf (self ? rev) self.rev;
+
   time.timeZone = mkDefault "America/Los_Angeles";
   
   i18n.defaultLocale = mkDefault "en_US.UTF-8";

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709485962,
+        "lastModified": 1710164657,
-        "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=",
+        "narHash": "sha256-l64+ZjaQAVkHDVaK0VHwtXBdjcBD6nLBD+p7IfyBp/w=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d579633ff9915a8f4058d5c439281097e92380a8",
+        "rev": "017b12de5b899ef9b64e2c035ce257bfe95b8ae2",
         "type": "github"
       },
       "original": {
@@ -22,11 +22,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709237383,
+        "lastModified": 1709961763,
-        "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
+        "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
+        "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
         "type": "github"
       },
       "original": {

hosts/server/default.nix

@@ -4,20 +4,18 @@ let
 
 in {
   imports = [
-    ./hardware-configuration.nix
+    ./hardware.nix
     ./webapps/default.nix
   ];
 
   users.groups.dotfiles = {};
 
-  # HACK HACK HACK
-  services.logrotate.checkConfig = false;
-  # HACK HACK HACK
-
   normalUsers = {
     reidlab = {
       conf = {
-        packages = with pkgs; [ bat tree micro duf ];
+        packages = with pkgs; [
+          bat btop duf file micro nix-output-monitor tree which
+        ];
         extraGroups = [ "wheel" "dotfiles" ];
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"
@@ -33,11 +31,6 @@ in {
     };
   };
 
-  keyboard = {
-    locale = "en_US.UTF-8";
-    variant = "qwerty";
-  };
-
   modules = {
     services = {
       ssh = {
@@ -55,6 +48,7 @@ in {
     security.useDoas = false;
   };
 
+  # enable networking
   networking = {
     hostName = "nixos-server-reid";
     networkmanager.enable = true;

hosts/server/hardware.nix

@@ -7,10 +7,12 @@
     ];
 
   boot = {
-    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+    initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
 	initrd.kernelModules = [ ];
-    kernelPackages = pkgs.linuxPackages_latest;
 	kernelModules = [ ];
+	extraModulePackages = [ ];
+	# TODO: move bootloader, networking, boot speed to another file?
+    kernelPackages = pkgs.linuxPackages_latest;
     loader = {
       # use u-boot over grub
       grub.enable = lib.mkForce false;
@@ -18,14 +20,13 @@
     };
   };
 
-  fileSystems = {
+  fileSystems."/" = {
-  	"/" = {
   	  device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
       fsType = "ext4";
     };
-  };
 
-  swapDevices = [ ];
+  swapDevices = 
+    [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

modules/keyboard.nix

@@ -1,17 +0,0 @@
-{ config, lib, pkgs, options, ... }:
-
-with lib;
-let
-  cfg = config.keyboard;
-in {
-  options.keyboard = {
-    locale = mkOption {
-      type = types.str;
-      default = "en_US.UTF-8";
-    };
-    variant = mkOption {
-      type = types.str;
-      default = "";
-    };
-  };
-}

modules/security.nix

@@ -49,7 +49,10 @@ in {
       };
 
       security = {
+        # prevents replacing the kernel without a reboot
       	protectKernelImage = true;
+        # allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
+        polkit.enable = true;
       	rtkit.enable = true;
       };
     } // (mkIf cfg.useDoas {

readme.md

@@ -20,9 +20,10 @@ before committing, please run `nix flake check` and make sure everything is ok
 
 ## todo
 
-- remove the lua static stuff from nginx + maybe cloudflare ips too
+- remove the lua static stuff from nginx + maybe cloudflare ips too + redis
 - per-host architecture selection, atm it is hardcoded to `aarch64`
 - some weird perl error abt locales when building using doas - `keepEnv` might fix this
-- fix the logrotate error, only patchable with the hack displayed in [`hosts/server/default.nix`](./hosts/server/default.nix)
+- move common config such as bootloader and networking settings to [`default.nix`](./default.nix)
+- swap back to hardened kernel
 - leverage nixos-hardware
-- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup
+- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup - we can always give this up if needed