feat(weller): add hardware diagnostics and MemTest86+ #295
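--- a/hosts/weller/hardware.nix
+++ b/hosts/weller/hardware.nix
@@ -0,0 +1,103 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  # ---------------------------------------------------------------------------
+  # Hardware (normally in hardware-configuration.nix, but disko handles mounts)
+  # ---------------------------------------------------------------------------
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.kernelModules = [ "kvm-amd" ];
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  # ---------------------------------------------------------------------------
+  # Bootloader - systemd-boot
+  # ---------------------------------------------------------------------------
+  # Windows is on Disk 0, NixOS on Disk 1 - use UEFI boot menu (F11/F12) to switch
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.memtest86.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.initrd.systemd.enable = true;
+
+  # Seagate FireCuda 510 firmware crashes with APST power saving (#263)
+  boot.kernelParams = [
+    "nvme_core.default_ps_max_latency_us=0"
+    "btusb.enable_autosuspend=n"
+  ];
+
+  # ---------------------------------------------------------------------------
+  # Filesystem - Btrfs with LUKS encryption (managed by disko)
+  # ---------------------------------------------------------------------------
+  boot.supportedFilesystems = [
+    "btrfs"
+    "ntfs"
+  ];
+
+  # ---------------------------------------------------------------------------
+  # Networking
+  # ---------------------------------------------------------------------------
+  networking.hostName = "weller";
+  networking.networkmanager.enable = true;
+
+  # ---------------------------------------------------------------------------
+  # Hardware - NVIDIA RTX 4090
+  # ---------------------------------------------------------------------------
+  nixpkgs.config.allowUnfree = true;
+
+  hardware.graphics.enable = true;
+
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia = {
+    modesetting.enable = true;
+    powerManagement.enable = false;
+    powerManagement.finegrained = false;
+    open = false; # Use proprietary driver for best compatibility
+    nvidiaSettings = true;
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+
+  # ---------------------------------------------------------------------------
+  # Bluetooth – optimised for Kinesis Advantage 360 Pro (ZMK / BLE)
+  # ---------------------------------------------------------------------------
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = true;
+    settings = {
+      General = {
+        # Keep adapter in page-scan mode for instant reconnects
+        FastConnectable = "true";
+        # ZMK uses "Just Works" pairing – always allow re-pairing
+        JustWorksRepairing = "always";
+        # Better LE handling & battery reporting
+        Experimental = "true";
+      };
+      LE = {
+        # Tighter polling interval (7.5–11.25 ms) for lower input latency
+        MinConnectionInterval = 6;
+        MaxConnectionInterval = 9;
+        ConnectionLatency = 0;
+      };
+      Policy = {
+        AutoEnable = "true";
+        ReconnectAttempts = 7;
+        ReconnectIntervals = "1,2,4,8,16,32,64";
+      };
+    };
+  };
+  environment.systemPackages = with pkgs; [ bluetuith ];
+}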
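Review bot: `JustWorksRepairing = "always"` in the `General` block lets any peer that presents the already-bonded Bluetooth address replace the stored bond with no user interaction, and since the bonded device here is a keyboard (per the section header) a spoofed peer would then be accepted as a HID input source. BlueZ's default for this key is `never`; if re-pairing after a ZMK profile reset is genuinely needed, `JustWorksRepairing = "confirm"` keeps that workflow while routing the new bond through the agent for approval, so I would change the line and its comment to `# ZMK uses "Just Works" pairing – ask before accepting a replacement bond` / `JustWorksRepairing = "confirm";`. `Experimental = "true"` likewise enables bluetoothd's experimental D-Bus interfaces system-wide, and the comment should name the specific feature that requires it so it can be dropped later. The `memtest86.enable` entry adds another unsigned EFI payload to the boot menu, which is fine without Secure Boot but deserves a one-line note so it is revisited if signed boot is ever adopted on this host.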
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| { | ||
| config, | ||
| pkgs, | ||
| lib, | ||
| ... | ||
| }: | ||
|
|
||
| let | ||
| keys = import ../secrets/keys.nix; | ||
| in | ||
| { | ||
| imports = [ | ||
| ./common/system.nix | ||
| ]; | ||
|
|
||
| # Define the default user options here since we are importing system.nix | ||
| cosmo.user.default = "patrick"; | ||
| cosmo.user.email = "big.pat@gmail.com"; | ||
|
|
||
| # Enable SSH | ||
| services.openssh = { | ||
| enable = true; | ||
| settings = { | ||
| PermitRootLogin = "yes"; | ||
| PasswordAuthentication = true; | ||
|
Comment on lines +24 to +25
Enabling password authentication and permitting root login over SSH is highly insecure, especially when combined with a hardcoded initial password. Since SSH keys are already configured, password authentication should be disabled to prevent unauthorized access during the bootstrap phase. Permitting root login is also unnecessary when a user with
||
| }; | ||
| }; | ||
|
|
||
| # Mutable users for bootstrap | ||
| users.mutableUsers = true; | ||
|
|
||
| users.users.root.openssh.authorizedKeys.keys = keys.users; | ||
|
|
||
| users.users.${config.cosmo.user.default} = { | ||
| isNormalUser = true; | ||
| uid = 1000; | ||
| extraGroups = [ | ||
| "wheel" | ||
| "networkmanager" | ||
| "video" | ||
| ]; | ||
| initialPassword = "nixos"; | ||
|
Hardcoding an initial password (
||
| openssh.authorizedKeys.keys = keys.users; | ||
| }; | ||
|
|
||
| # Make it easy to assume root during bootstrap | ||
| security.sudo.wheelNeedsPassword = false; | ||
|
Allowing members of the 'wheel' group to use sudo without a password reduces the security of the system. In combination with the hardcoded password and enabled SSH password authentication, this allows an attacker to gain root access immediately upon logging in as the default user. It is safer to require a password for sudo even during the bootstrap phase.
||
|
|
||
| # Ensure compatibility | ||
| system.stateVersion = "25.11"; | ||
| } | ||
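Review bot: `keys = import ../secrets/keys.nix` on the `let` line is consumed only by `openssh.authorizedKeys.keys`, so the file holds public keys, yet it lives in a directory named `secrets/`; if this configuration is evaluated as a flake, that whole tree is copied into the world-readable Nix store, so anything genuinely private placed next to it would be exposed. A comment on the binding such as `# Public SSH keys only – this tree is copied into the Nix store, keep private material out of it` (or renaming the directory) makes that boundary explicit. Separately, the same `keys.users` list is granted to both root and the default user with no check that it is non-empty, so an empty list combined with a later switch to key-only SSH would lock the host out; guarding the module body with `assert keys.users != [];` right after `in` fails evaluation instead of producing an unreachable system.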
The `bluetuith` package is a user-space application. While related to Bluetooth, defining `environment.systemPackages` here mixes hardware configuration with software installation. For better separation of concerns, it's recommended to manage host-specific packages in a different module, like `hosts/weller/default.nix`. This keeps `hardware.nix` focused purely on hardware-level settings. Please consider moving this line to `hosts/weller/default.nix`.