This commit is contained in:
Chloe Bethel 2025-02-10 14:51:16 +00:00
parent 24b41c4faf
commit 7036f5db2a
7 changed files with 1316 additions and 121 deletions


@ -1,25 +1,26 @@
{...} : { { ... }:
networking.hostName = "nixos"; {
services.openssh.enable = true; networking.hostName = "nixos";
services.openssh.enable = true;
users.users.stary = { users.users.stary = {
isNormalUser = true; isNormalUser = true;
createHome = true; createHome = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
}; };
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";
console = { console = {
font = "Lat2-Terminus16"; font = "Lat2-Terminus16";
keyMap = "uk"; keyMap = "uk";
}; };
system.stateVersion = "24.11"; system.stateVersion = "24.11";
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: super: { (final: super: {
makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; }); makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
}) })
]; ];
} }


@ -1,101 +1,139 @@
{...}: { { lib, ... }:
# who needs security lmao {
systemd.services.systemd-journald = { # who needs security lmao
serviceConfig = { systemd.services.systemd-journald = {
DeviceAllow = ""; serviceConfig = {
IPAddressDeny = ""; DeviceAllow = lib.mkForce "";
LockPersonality = "no"; IPAddressDeny = lib.mkForce "";
MemoryDenyWriteExecute = "no"; LockPersonality = lib.mkForce "no";
NoNewPrivileges = "no"; MemoryDenyWriteExecute = lib.mkForce "no";
ProtectClock = "no"; NoNewPrivileges = lib.mkForce "no";
RestrictAddressFamilies = ""; ProtectClock = lib.mkForce "no";
RestrictNamespaces = ""; RestrictAddressFamilies = lib.mkForce "";
RestrictRealtime = "no"; RestrictNamespaces = lib.mkForce "";
RestrictSUIDSGID = "no"; RestrictRealtime = lib.mkForce "no";
}; RestrictSUIDSGID = lib.mkForce "no";
}; SystemCallFilter = lib.mkForce "";
systemd.services.systemd-udevd = { };
serviceConfig = { };
DeviceAllow = ""; systemd.services.systemd-udevd = {
IPAddressDeny = ""; serviceConfig = {
LockPersonality = "no"; DeviceAllow = lib.mkForce "";
MemoryDenyWriteExecute = "no"; IPAddressDeny = lib.mkForce "";
NoNewPrivileges = "no"; LockPersonality = lib.mkForce "no";
ProtectClock = "no"; MemoryDenyWriteExecute = lib.mkForce "no";
RestrictAddressFamilies = ""; NoNewPrivileges = lib.mkForce "no";
RestrictNamespaces = ""; ProtectClock = lib.mkForce "no";
RestrictRealtime = "no"; RestrictAddressFamilies = lib.mkForce "";
RestrictSUIDSGID = "no"; RestrictNamespaces = lib.mkForce "";
}; RestrictRealtime = lib.mkForce "no";
}; RestrictSUIDSGID = lib.mkForce "no";
systemd.services.systemd-oomd = { SystemCallFilter = lib.mkForce "";
serviceConfig = { };
DeviceAllow = ""; };
IPAddressDeny = ""; systemd.services.systemd-oomd = {
LockPersonality = "no"; serviceConfig = {
MemoryDenyWriteExecute = "no"; DeviceAllow = lib.mkForce "";
NoNewPrivileges = "no"; IPAddressDeny = lib.mkForce "";
ProtectClock = "no"; LockPersonality = lib.mkForce "no";
RestrictAddressFamilies = ""; MemoryDenyWriteExecute = lib.mkForce "no";
RestrictNamespaces = ""; NoNewPrivileges = lib.mkForce "no";
RestrictRealtime = "no"; ProtectClock = lib.mkForce "no";
RestrictSUIDSGID = "no"; RestrictAddressFamilies = lib.mkForce "";
}; RestrictNamespaces = lib.mkForce "";
}; RestrictRealtime = lib.mkForce "no";
systemd.services.systemd-timesyncd = { RestrictSUIDSGID = lib.mkForce "no";
serviceConfig = { SystemCallFilter = lib.mkForce "";
DeviceAllow = ""; };
IPAddressDeny = ""; };
LockPersonality = "no"; systemd.services.systemd-timesyncd = {
MemoryDenyWriteExecute = "no"; serviceConfig = {
NoNewPrivileges = "no"; DeviceAllow = lib.mkForce "";
ProtectClock = "no"; IPAddressDeny = lib.mkForce "";
RestrictAddressFamilies = ""; LockPersonality = lib.mkForce "no";
RestrictNamespaces = ""; MemoryDenyWriteExecute = lib.mkForce "no";
RestrictRealtime = "no"; NoNewPrivileges = lib.mkForce "no";
RestrictSUIDSGID = "no"; ProtectClock = lib.mkForce "no";
}; RestrictAddressFamilies = lib.mkForce "";
}; RestrictNamespaces = lib.mkForce "";
systemd.services.systemd-logind = { RestrictRealtime = lib.mkForce "no";
serviceConfig = { RestrictSUIDSGID = lib.mkForce "no";
DeviceAllow = ""; SystemCallFilter = lib.mkForce "";
IPAddressDeny = ""; };
LockPersonality = "no"; };
MemoryDenyWriteExecute = "no"; systemd.services.systemd-timedated = {
NoNewPrivileges = "no"; serviceConfig = {
ProtectClock = "no"; DeviceAllow = lib.mkForce "";
RestrictAddressFamilies = ""; IPAddressDeny = lib.mkForce "";
RestrictNamespaces = ""; LockPersonality = lib.mkForce "no";
RestrictRealtime = "no"; MemoryDenyWriteExecute = lib.mkForce "no";
RestrictSUIDSGID = "no"; NoNewPrivileges = lib.mkForce "no";
}; ProtectClock = lib.mkForce "no";
}; RestrictAddressFamilies = lib.mkForce "";
systemd.services.dhcpcd = { RestrictNamespaces = lib.mkForce "";
serviceConfig = { RestrictRealtime = lib.mkForce "no";
DeviceAllow = lib.mkForce ""; RestrictSUIDSGID = lib.mkForce "no";
IPAddressDeny = lib.mkForce ""; SystemCallFilter = lib.mkForce "";
LockPersonality = lib.mkForce false; };
MemoryDenyWriteExecute = lib.mkForce "no"; };
NoNewPrivileges = lib.mkForce "no"; systemd.services.systemd-hostnamed = {
ProtectClock = lib.mkForce "no"; serviceConfig = {
RestrictAddressFamilies = lib.mkForce ""; DeviceAllow = lib.mkForce "";
RestrictNamespaces = lib.mkForce ""; IPAddressDeny = lib.mkForce "";
RestrictRealtime = lib.mkForce "no"; LockPersonality = lib.mkForce "no";
RestrictSUIDSGID = lib.mkForce "no"; MemoryDenyWriteExecute = lib.mkForce "no";
}; NoNewPrivileges = lib.mkForce "no";
}; ProtectClock = lib.mkForce "no";
systemd.services.nginx = { RestrictAddressFamilies = lib.mkForce "";
serviceConfig = { RestrictNamespaces = lib.mkForce "";
DeviceAllow = lib.mkForce ""; RestrictRealtime = lib.mkForce "no";
IPAddressDeny = lib.mkForce ""; RestrictSUIDSGID = lib.mkForce "no";
LockPersonality = lib.mkForce false; SystemCallFilter = lib.mkForce "";
MemoryDenyWriteExecute = lib.mkForce "no"; };
NoNewPrivileges = lib.mkForce "no"; };
ProtectClock = lib.mkForce "no"; systemd.services.systemd-logind = {
RestrictAddressFamilies = lib.mkForce ""; serviceConfig = {
RestrictNamespaces = lib.mkForce ""; DeviceAllow = lib.mkForce "";
RestrictRealtime = lib.mkForce "no"; IPAddressDeny = lib.mkForce "";
RestrictSUIDSGID = lib.mkForce "no"; LockPersonality = lib.mkForce "no";
}; MemoryDenyWriteExecute = lib.mkForce "no";
}; NoNewPrivileges = lib.mkForce "no";
ProtectClock = lib.mkForce "no";
RestrictAddressFamilies = lib.mkForce "";
RestrictNamespaces = lib.mkForce "";
RestrictRealtime = lib.mkForce "no";
RestrictSUIDSGID = lib.mkForce "no";
SystemCallFilter = lib.mkForce "";
};
};
systemd.services.dhcpcd = {
serviceConfig = {
DeviceAllow = lib.mkForce "";
IPAddressDeny = lib.mkForce "";
LockPersonality = lib.mkForce false;
MemoryDenyWriteExecute = lib.mkForce "no";
NoNewPrivileges = lib.mkForce "no";
ProtectClock = lib.mkForce "no";
RestrictAddressFamilies = lib.mkForce "";
RestrictNamespaces = lib.mkForce "";
RestrictRealtime = lib.mkForce "no";
RestrictSUIDSGID = lib.mkForce "no";
SystemCallFilter = lib.mkForce "";
};
};
systemd.services.nginx = {
serviceConfig = {
DeviceAllow = lib.mkForce "";
IPAddressDeny = lib.mkForce "";
LockPersonality = lib.mkForce false;
MemoryDenyWriteExecute = lib.mkForce "no";
NoNewPrivileges = lib.mkForce "no";
ProtectClock = lib.mkForce "no";
RestrictAddressFamilies = lib.mkForce "";
RestrictNamespaces = lib.mkForce "";
RestrictRealtime = lib.mkForce "no";
RestrictSUIDSGID = lib.mkForce "no";
SystemCallFilter = lib.mkForce "";
};
};
} }
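Review bot: `LockPersonality = lib.mkForce false;` in the dhcpcd and nginx entries disagrees with the `"no"` used for the same directive in the seven systemd-* entries; both render to a systemd boolean, but the mismatch reads as an oversight, and nine near-identical attrsets are easier to keep in sync when generated from one definition (sketch below). The `# who needs security lmao` comment gives no reason for resetting the upstream sandboxing; presumably the kernels built by the wiiu-kernel-*.nix files lack the features these directives depend on, and a comment stating that, plus the condition under which the file can be dropped, would help the next reader. Note also that `SystemCallFilter = lib.mkForce ""` resets the whole allow-list rather than opting out of a single check, so nginx and dhcpcd, the network-facing units in this list, end up with no syscall filter at all.
```nix
{ lib, ... }:
let
  # NOTE(review): presumably the target kernel lacks the sandboxing features
  # these directives need — confirm and state the reason here.
  unsandboxed = {
    serviceConfig = {
      DeviceAllow = lib.mkForce "";
      IPAddressDeny = lib.mkForce "";
      LockPersonality = lib.mkForce "no";
      MemoryDenyWriteExecute = lib.mkForce "no";
      NoNewPrivileges = lib.mkForce "no";
      ProtectClock = lib.mkForce "no";
      RestrictAddressFamilies = lib.mkForce "";
      RestrictNamespaces = lib.mkForce "";
      RestrictRealtime = lib.mkForce "no";
      RestrictSUIDSGID = lib.mkForce "no";
      SystemCallFilter = lib.mkForce "";
    };
  };
in
{
  systemd.services = lib.genAttrs [
    "systemd-journald" "systemd-udevd" "systemd-oomd" "systemd-timesyncd"
    "systemd-timedated" "systemd-hostnamed" "systemd-logind" "dhcpcd" "nginx"
  ] (_: unsandboxed);
}
```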


@ -36,6 +36,11 @@
networking.hostName = "lancom"; networking.hostName = "lancom";
boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./lancom-kernel.nix { }); boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./lancom-kernel.nix { });
system.boot.loader.kernelFile = "uImage"; system.boot.loader.kernelFile = "uImage";
fileSystems."/" = {
device = "/dev/nvme0n1p2";
fsType = "ext4";
};
} }
) )
]; ];
@ -50,14 +55,20 @@
(import ./ppc.nix) (import ./ppc.nix)
(import ./nginx.nix) (import ./nginx.nix)
(import ./config.nix) (import ./config.nix)
(import ./disable-systemd-security.nix)
( (
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
networking.hostName = "nixos"; networking.hostName = "nixos";
boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./wiiu-kernel.nix { }); boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./wiiu-kernel-6.6.nix { });
system.boot.loader.kernelFile = "dtbImage.wiiu"; system.boot.loader.kernelFile = "dtbImage.wiiu";
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
} }
) )
]; ];
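Review bot: `device = "/dev/sda1";` pins the wiiu-kernel configuration's root filesystem to a kernel enumeration name, and `device = "/dev/nvme0n1p2";` in the previous hunk does the same for the lancom host; a `/dev/disk/by-label/...` path (the form the block deleted elsewhere in this commit used, `/dev/disk/by-label/NIXOS_SD`) or a by-uuid path survives a change in device order. `(import ./disable-systemd-security.nix)` is added only to this second configuration, which is also the one running nginx and dhcpcd; a short comment beside the import naming why this target needs it would keep it from being copied to the other host by habit. The enclosing module list starts before this hunk.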


@ -32,9 +32,4 @@
# temp hack in config # temp hack in config
systemd.tpm2.enable = false; systemd.tpm2.enable = false;
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
} }

1100
stripped-config.nix Normal file


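--- /dev/null
+++ b/wiiu-kernel-4.19.nix
@@ -0,0 +1,41 @@
+# see https://discourse.nixos.org/t/port-nixos-to-ppc32/11965/13
+{
+buildLinux,
+fetchFromGitLab,
+fetchurl,
+lib,
+stdenv,
+...
+}@args:
+lib.overrideDerivation
+(buildLinux (
+args
+// {
+version = "4.19.322-wiiu";
+src = fetchFromGitLab {
+owner = "linux-wiiu";
+repo = "linux-wiiu";
+rev = "18a5a3dd77d992da8b154a9f4d1787d8a3a8b20c"; # rewrite-4.19
+hash = "sha256-uqH8IPK4wcGKLEFXlwG8FaSTcQ/LmKHT+LZSE2QEvpU=";
+};
+autoModules = false;
+features = {
+efiBootStub = false;
+iwlwifi = false;
+needsCifsUtils = false;
+};
+enableCommonConfig = false;
+defconfig = "wiiu_defconfig";
+}
+))
+(old: {
+postInstall =
+''
+cp arch/powerpc/boot/dtbImage.wiiu $out/
+''
++ old.postInstall;
+})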
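Review bot: `version = "4.19.322-wiiu";` pins a 4.19-series kernel; to my knowledge the upstream 4.19 stable branch reached end of life at the end of 2024, so this build will not receive further upstream fixes, which deserves a comment next to the version line so nobody takes it for a maintained option. `enableCommonConfig = false;` together with `autoModules = false;` means NixOS's common kernel config fragment is not applied and the configuration comes solely from the defconfig; `# no NixOS common config: everything comes from wiiu_defconfig` above `defconfig` would make that explicit. `fetchurl` and `stdenv` are named in the argument pattern but not used in this file beyond being forwarded through `args`.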


@ -28,13 +28,22 @@ lib.overrideDerivation
needsCifsUtils = false; needsCifsUtils = false;
}; };
enableCommonConfig = false;
#structuredExtraConfig = import ./stripped-config.nix {
# version = "6.6.75-wiiu";
# inherit lib stdenv ;
# rustAvailable = true;
# features = {}; # Ensure we know of all extra patches, etc.
#};
defconfig = "wiiu_defconfig"; defconfig = "wiiu_defconfig";
} }
)) ))
(old: { (old: {
postInstall = postInstall =
'' ''
cp arch/powerpc/boot/dtbImage.wiiu $out/ cp arch/powerpc/boot/dtbImage.wiiu $out/
'' ''
+ old.postInstall; + old.postInstall;
}) })
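Review bot: The commented-out `structuredExtraConfig` block is dead code in a committed module; if it is meant to return once stripped-config.nix is usable, a single `# TODO: apply ./stripped-config.nix as structuredExtraConfig once it builds` with the six lines removed reads better, and if not it should go. `enableCommonConfig = false;` silently drops NixOS's common kernel config, so the 6.6 build, like the new 4.19 file, is configured by `wiiu_defconfig` alone; a comment saying so beside it would help. The enclosing `lib.overrideDerivation` expression starts before this hunk.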