diff --git a/lib/global-config.nix b/lib/global-config.nix index 2f37c8ade7..a8f905d5cc 100644 --- a/lib/global-config.nix +++ b/lib/global-config.nix @@ -33,26 +33,12 @@ rec { # This is used in the ghaf.global-config option definition globalConfigType = types.submodule { options = { - debug = { - enable = mkEnableOption "debug mode globally (host and all VMs)"; - }; + debug.enable = mkEnableOption "debug mode globally (host and all VMs)"; development = { - ssh = { - daemon = { - enable = mkEnableOption "SSH daemon globally"; - }; - }; - - debug = { - tools = { - enable = mkEnableOption "debug tools globally"; - }; - }; - - nix-setup = { - enable = mkEnableOption "Nix development setup globally"; - }; + ssh.daemon.enable = mkEnableOption "SSH daemon globally"; + debug.tools.enable = mkEnableOption "debug tools globally"; + nix-setup.enable = mkEnableOption "Nix development setup globally"; }; logging = { @@ -81,32 +67,17 @@ rec { }; }; - security = { - audit = { - enable = mkEnableOption "security auditing globally"; - }; - }; + security.audit.enable = mkEnableOption "security auditing globally"; givc = { enable = mkEnableOption "GIVC (Ghaf Inter-VM Communication) globally"; - debug = mkOption { - type = types.bool; - default = false; - description = "Whether to enable GIVC debug mode"; - }; + debug = mkEnableOption "GIVC debug mode"; }; storage = { - encryption = { - enable = mkEnableOption "storage encryption globally"; - }; - - storeOnDisk = mkOption { - type = types.bool; - default = false; - description = "Store VM nix stores on disk rather than virtiofs"; - }; + encryption.enable = mkEnableOption "storage encryption globally"; + storeOnDisk = mkEnableOption "storing VM nix stores on disk rather than virtiofs"; }; # Shared memory configuration 
@@ -127,18 +98,10 @@ rec { }; # Graphics/boot UI settings - graphics = { - boot = { - enable = mkEnableOption "graphical boot support (splash screen, user login detection)"; - }; - }; + graphics.boot.enable = mkEnableOption "graphical boot support (splash screen, user login detection)"; # IDS VM specific settings - idsvm = { - mitmproxy = { - enable = mkEnableOption "MITM proxy in IDS VM for traffic inspection"; - }; - }; + idsvm.mitmproxy.enable = mkEnableOption "MITM proxy in IDS VM for traffic inspection"; # Platform information (populated from host config) platform = { diff --git a/modules/common/logging/common.nix b/modules/common/logging/common.nix index 7d358b760f..6f5a1afc10 100644 --- a/modules/common/logging/common.nix +++ b/modules/common/logging/common.nix @@ -7,7 +7,12 @@ ... }: let - inherit (lib) mkIf mkOption types; + inherit (lib) + mkEnableOption + mkIf + mkOption + types + ; recCfg = config.ghaf.logging.recovery; ghafClockJumpWatcher = pkgs.writeShellApplication { @@ -74,15 +79,7 @@ in # Creating logging configuration options needed across the host and vms options.ghaf.logging = { - enable = mkOption { - description = '' - Enable logging service. Currently we have grafana alloy - running as client which will upload system journal logs to - grafana alloy running in admin-vm. - ''; - type = types.bool; - default = false; - }; + enable = mkEnableOption "logging service (grafana alloy client uploading journal logs to admin-vm)"; listener.address = mkOption { description = '' @@ -147,11 +144,7 @@ in }; recovery = { - enable = mkOption { - description = "Recover journald/alloy after a realtime clock jump (e.g., manual clock change)."; - type = types.bool; - default = false; - }; + enable = mkEnableOption "journald/alloy recovery after realtime clock jumps"; thresholdSeconds = mkOption { description = "Only act on clock jumps >= this many seconds."; 
diff --git a/modules/common/security/audit/default.nix b/modules/common/security/audit/default.nix index 31f9291ba7..390ba40806 100644 --- a/modules/common/security/audit/default.nix +++ b/modules/common/security/audit/default.nix @@ -39,31 +39,11 @@ in default = importAuditRules "common"; description = "Common audit rules for host and guests"; }; - enableVerboseCommon = mkOption { - type = types.bool; - default = false; - description = "Include verbose Common audit rules"; - }; - enableStig = mkOption { - type = types.bool; - default = false; - description = "Enable STIG rules"; - }; - enableOspp = mkOption { - type = types.bool; - default = false; - description = "Enable OSPP rules"; - }; - enableVerboseOspp = mkOption { - type = types.bool; - default = false; - description = "Include verbose OSPP rules"; - }; - enableVerboseRebuild = mkOption { - type = types.bool; - default = false; - description = "Include verbose nixos-rebuild rule"; - }; + enableVerboseCommon = mkEnableOption "verbose Common audit rules"; + enableStig = mkEnableOption "STIG rules"; + enableOspp = mkEnableOption "OSPP rules"; + enableVerboseOspp = mkEnableOption "verbose OSPP rules"; + enableVerboseRebuild = mkEnableOption "verbose nixos-rebuild rule"; host = { enable = mkOption { type = types.bool; diff --git a/modules/common/services/createFakeBattery.nix b/modules/common/services/createFakeBattery.nix index 1682a5d068..3c92f77755 100644 --- a/modules/common/services/createFakeBattery.nix +++ b/modules/common/services/createFakeBattery.nix @@ -14,9 +14,8 @@ in { _file = ./createFakeBattery.nix; - options.ghaf.services.create-fake-battery = { - enable = mkEnableOption "Create a fake battery device for VMs"; - }; + options.ghaf.services.create-fake-battery.enable = + mkEnableOption "Create a fake battery device for VMs"; config = mkIf diff --git a/modules/common/services/killswitch.nix b/modules/common/services/killswitch.nix index 4814a1d0da..f5051d9540 100644 
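Review bot: The audit hunk switches five options to `mkEnableOption` but, unlike the logging, killswitch and harden hunks, shows no change to the file's `inherit (lib) …` list, so unless default.nix already brings `mkEnableOption` into scope (or uses `with lib;`) evaluation will fail with an undefined variable. The same applies to the systemd base.nix, storagevm.nix and profiles/graphics.nix hunks, none of which touches an inherit list either. If the name is already in scope this is fine; otherwise add `mkEnableOption` to the inherit block the way the other files in this commit do. The enclosing options block starts and ends outside the hunk.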
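Review bot: `mkEnableOption` prefixes its argument with "Whether to enable ", so the retained text `mkEnableOption "Create a fake battery device for VMs"` renders as "Whether to enable Create a fake battery device for VMs." Since this commit is normalizing descriptions to fit that prefix, the argument should be a noun phrase, e.g. `mkEnableOption "a fake battery device for VMs"`. The same applies to the locale and timezone hunks ("Propagate … changes …") and to `automatic-gc.enable = mkEnableOption "Enable automatic garbage collection"` in nix.nix, which doubles the word "enable".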
--- a/modules/common/services/killswitch.nix +++ b/modules/common/services/killswitch.nix @@ -8,9 +8,8 @@ }: let inherit (lib) - mkOption + mkEnableOption mkIf - types ; cfg = config.ghaf.services.kill-switch; @@ -291,15 +290,7 @@ in { _file = ./killswitch.nix; - options.ghaf.services.kill-switch = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable ghaf kill switch support". - ''; - }; - }; + options.ghaf.services.kill-switch.enable = mkEnableOption "ghaf kill switch support"; # TODO: Currently enabled for x86_64, we will evaluate the need for aarch64 support in the future config = mkIf (cfg.enable && pkgs.stdenv.hostPlatform.isx86_64) { diff --git a/modules/common/services/locale.nix b/modules/common/services/locale.nix index e7555ab3ee..7ed1bb68db 100644 --- a/modules/common/services/locale.nix +++ b/modules/common/services/locale.nix @@ -56,9 +56,8 @@ in { _file = ./locale.nix; - options.ghaf.services.locale = { - enable = mkEnableOption "Propagate locale changes from the system to givc-cli"; - }; + options.ghaf.services.locale.enable = + mkEnableOption "Propagate locale changes from the system to givc-cli"; config = mkIf (cfg.enable && useGivc) { systemd.services = { diff --git a/modules/common/services/timezone.nix b/modules/common/services/timezone.nix index 9f722bd734..54c633c9bd 100644 --- a/modules/common/services/timezone.nix +++ b/modules/common/services/timezone.nix @@ -54,9 +54,8 @@ in { _file = ./timezone.nix; - options.ghaf.services.timezone = { - enable = mkEnableOption "Propagate timezone changes from the system to givc-cli"; - }; + options.ghaf.services.timezone.enable = + mkEnableOption "Propagate timezone changes from the system to givc-cli"; config = mkIf (cfg.enable && useGivc) { systemd.services = { diff --git a/modules/common/systemd/base.nix b/modules/common/systemd/base.nix index 4ac4822581..a10ef4b908 100644 --- a/modules/common/systemd/base.nix +++ b/modules/common/systemd/base.nix 
@@ -223,41 +223,17 @@ in default = true; }; - withTimesyncd = mkOption { - description = "Enable systemd timesync daemon."; - type = types.bool; - default = false; - }; + withTimesyncd = mkEnableOption "systemd timesync daemon"; - withResolved = mkOption { - description = "Enable systemd resolve daemon."; - type = types.bool; - default = false; - }; + withResolved = mkEnableOption "systemd resolve daemon"; - withRepart = mkOption { - description = "Enable systemd repart functionality."; - type = types.bool; - default = false; - }; + withRepart = mkEnableOption "systemd repart functionality"; - withHomed = mkOption { - description = "Enable systemd homed for users home functionality."; - type = types.bool; - default = false; - }; + withHomed = mkEnableOption "systemd homed for users home functionality"; - withHostnamed = mkOption { - description = "Enable systemd hostname daemon."; - type = types.bool; - default = false; - }; + withHostnamed = mkEnableOption "systemd hostname daemon"; - withNss = mkOption { - description = "Enable systemd Name Service Switch (NSS) functionality."; - type = types.bool; - default = false; - }; + withNss = mkEnableOption "systemd Name Service Switch (NSS) functionality"; withEfi = mkOption { description = "Enable systemd EFI functionality."; 
@@ -283,59 +259,23 @@ in default = pkgs.stdenv.hostPlatform.isEfi; }; - withApparmor = mkOption { - description = "Enable systemd apparmor functionality."; - type = types.bool; - default = false; - }; + withApparmor = mkEnableOption "systemd apparmor functionality"; - withMachines = mkOption { - description = "Enable systemd container and VM functionality."; - type = types.bool; - default = false; - }; + withMachines = mkEnableOption "systemd container and VM functionality"; - withAudit = mkOption { - description = "Enable systemd audit functionality."; - type = types.bool; - default = false; - }; + withAudit = mkEnableOption "systemd audit functionality"; - withCryptsetup = mkOption { - description = "Enable systemd LUKS2 functionality."; - type = types.bool; - default = false; - }; + withCryptsetup = mkEnableOption "systemd LUKS2 functionality"; - withFido2 = mkOption { - description = "Enable systemd Fido2 token functionality."; - type = types.bool; - default = false; - }; + withFido2 = mkEnableOption "systemd Fido2 token functionality"; - withTpm2Tss = mkOption { - description = "Enable systemd TPM functionality."; - type = types.bool; - default = false; - }; + withTpm2Tss = mkEnableOption "systemd TPM functionality"; - withPolkit = mkOption { - description = "Enable systemd polkit functionality."; - type = types.bool; - default = false; - }; + withPolkit = mkEnableOption "systemd polkit functionality"; - withSerial = mkOption { - description = "Enable systemd serial console."; - type = types.bool; - default = false; - }; + withSerial = mkEnableOption "systemd serial console"; - withSysupdate = mkOption { - description = "Enable systemd system update functionality."; - type = types.bool; - default = false; - }; + withSysupdate = mkEnableOption "systemd system update functionality"; withLocaled = mkOption { description = "Enable systemd locale daemon."; 
@@ -343,23 +283,11 @@ in default = true; }; - withAudio = mkOption { - description = "Enable audio functionality."; - type = types.bool; - default = false; - }; + withAudio = mkEnableOption "audio functionality"; - withBluetooth = mkOption { - description = "Enable bluetooth functionality."; - type = types.bool; - default = false; - }; + withBluetooth = mkEnableOption "bluetooth functionality"; - withDebug = mkOption { - description = "Enable systemd debug functionality."; - type = types.bool; - default = false; - }; + withDebug = mkEnableOption "systemd debug functionality"; withHwdb = mkOption { description = "Enable systemd hwdb functionality."; diff --git a/modules/common/systemd/harden.nix b/modules/common/systemd/harden.nix index 902bee85e7..39a86b6fb1 100644 --- a/modules/common/systemd/harden.nix +++ b/modules/common/systemd/harden.nix @@ -4,17 +4,13 @@ let # Ghaf systemd config cfg = config.ghaf.systemd; - inherit (lib) mkIf mkOption types; + inherit (lib) mkEnableOption mkIf; in { _file = ./harden.nix; options.ghaf.systemd = { - withHardenedConfigs = mkOption { - description = "Enable common hardened configs."; - type = types.bool; - default = false; - }; + withHardenedConfigs = mkEnableOption "common hardened configs"; }; config = mkIf cfg.withHardenedConfigs { diff --git a/modules/common/users/active-directory.nix b/modules/common/users/active-directory.nix index 6e9a5e10d0..0d6534993d 100644 --- a/modules/common/users/active-directory.nix +++ b/modules/common/users/active-directory.nix @@ -10,6 +10,7 @@ let inherit (lib) foldr + mkEnableOption mkIf mkOption recursiveUpdate 
@@ -108,21 +109,9 @@ in description = "DNS provider for the domain."; }; - useFullyQualifiedNames = mkOption { - type = types.bool; - default = false; - description = '' - Whether to use fully qualified names (e.g., user@DOMAIN) for user accounts. - Note that the behavior is different depending on the identity provider used. - A value of 'false' may break functionality in multi-domain setups. - ''; - }; + useFullyQualifiedNames = mkEnableOption "fully qualified names (e.g., user@DOMAIN) for user accounts"; - enableGlobalCatalog = mkOption { - type = types.bool; - default = false; - description = "Enable use of the Active Directory Global Catalog for this domain."; - }; + enableGlobalCatalog = mkEnableOption "use of the Active Directory Global Catalog for this domain"; cacheCredentials = mkOption { type = types.bool; @@ -179,11 +168,7 @@ in `enforcing`: Users are denied unless explicitly allowed by a GPO. ''; }; - dyndnsUpdate = mkOption { - type = types.bool; - default = false; - description = "Whether to automatically update DNS records in AD for this client."; - }; + dyndnsUpdate = mkEnableOption "automatic DNS record updates in AD for this client"; extraConfig = mkOption { type = types.nullOr types.lines; default = null; @@ -228,11 +213,7 @@ in the global certificate store at '/etc/ssl/certs/ca-certificates.crt'. ''; }; - useStartTls = mkOption { - type = types.bool; - default = false; - description = "Use StartTLS for LDAP connections for ldap:// URIs. Requires tlsCaCert to be set."; - }; + useStartTls = mkEnableOption "StartTLS for LDAP connections for ldap:// URIs"; enableSasl = mkOption { type = types.bool; default = true; diff --git a/modules/common/users/admin.nix b/modules/common/users/admin.nix index f15c35eb95..9845c3ea90 100644 --- a/modules/common/users/admin.nix +++ b/modules/common/users/admin.nix @@ -8,6 +8,7 @@ let cfg = config.ghaf.users.admin; inherit (lib) + mkEnableOption mkIf types mkOption 
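Review bot: The new `useStartTls = mkEnableOption "StartTLS for LDAP connections for ldap:// URIs"` in the last hunk drops "Requires tlsCaCert to be set.", which was the only place the option told an operator that StartTLS is unusable without a configured CA certificate. Keep that dependency visible, e.g. `useStartTls = mkEnableOption "StartTLS for LDAP connections for ldap:// URIs" // { description = "Whether to enable StartTLS for LDAP connections for ldap:// URIs. Requires tlsCaCert to be set."; };`, and ideally back it with an assertion that tlsCaCert is non-null whenever useStartTls is true, if the file does not already have one. The first hunk has the same problem: `useFullyQualifiedNames` loses the note that behaviour depends on the identity provider and that `false` may break multi-domain setups, a caveat a one-line name cannot carry. The enclosing options block starts and ends outside these hunks.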
@@ -53,11 +54,7 @@ in type = types.nullOr types.str; default = null; }; - enableUILogin = mkOption { - description = "Allow the admin user to login via the graphical login manager."; - type = types.bool; - default = false; - }; + enableUILogin = mkEnableOption "admin user login via the graphical login manager"; createHome = mkOption { description = '' Boolean value whether to create admin home folder. Defaults to `config.ghaf.users.admin.enableUILogin`. diff --git a/modules/desktop/graphics/boot.nix b/modules/desktop/graphics/boot.nix index 74ef904df1..e4b7d90d52 100644 --- a/modules/desktop/graphics/boot.nix +++ b/modules/desktop/graphics/boot.nix @@ -9,6 +9,7 @@ let inherit (lib) mkDefault + mkEnableOption mkIf mkOption mkForce @@ -47,13 +48,7 @@ in _file = ./boot.nix; options.ghaf.graphics.boot = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enables graphical boot with plymouth. - ''; - }; + enable = mkEnableOption "graphical boot with plymouth"; waitForService = mkOption { type = types.nullOr types.str; @@ -102,14 +97,7 @@ in }; logo = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to show a custom logo at the bottom of the splash screen. - If left disabled, no logo is shown. - ''; - }; + enable = mkEnableOption "custom logo at the bottom of the splash screen"; image = mkOption { type = types.path; @@ -151,14 +139,7 @@ in ''; }; - debug = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable plymouth debug logs. - Plymouth debug logs are stored in /var/log/plymouth-debug.log. - ''; - }; + debug = mkEnableOption "plymouth debug logs"; }; config = mkIf cfg.enable { diff --git a/modules/desktop/graphics/screen-recorder.nix b/modules/desktop/graphics/screen-recorder.nix index ca53a8d2e4..7b8ebc1ffe 100644 --- a/modules/desktop/graphics/screen-recorder.nix +++ b/modules/desktop/graphics/screen-recorder.nix 
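Review bot: In the boot.nix `debug` hunk, `debug = mkEnableOption "plymouth debug logs"` drops the only mention of where those logs are written (/var/log/plymouth-debug.log), which is what someone enabling the option needs to know. Keep it in the one-liner, e.g. `debug = mkEnableOption "plymouth debug logs (written to /var/log/plymouth-debug.log)";`. The enclosing options block starts outside the hunk.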
@@ -62,9 +62,8 @@ in { _file = ./screen-recorder.nix; - options.ghaf.graphics.screen-recorder = { - enable = lib.mkEnableOption "Whether to enable screen recording capabilities using gpu-screen-recorder."; - }; + options.ghaf.graphics.screen-recorder.enable = + lib.mkEnableOption "screen recording capabilities using gpu-screen-recorder"; config = lib.mkIf cfg.enable { # XDG desktop portal screen capture requires pipewire and wireplumber to be enabled diff --git a/modules/desktop/hybrid-gpu/prime.nix b/modules/desktop/hybrid-gpu/prime.nix index ba3b3277f0..c1e350967c 100644 --- a/modules/desktop/hybrid-gpu/prime.nix +++ b/modules/desktop/hybrid-gpu/prime.nix @@ -5,7 +5,7 @@ # from https://github.com/TLATER/dotfiles { config, lib, ... }: let - inherit (lib) mkOption types; + inherit (lib) mkEnableOption mkOption types; inherit (config.ghaf.graphics.hybrid-setup.prime) nvidiaBusId intelBusId; cfg = config.ghaf.graphics.hybrid-setup.prime; environmentVariables = { @@ -17,21 +17,7 @@ in _file = ./prime.nix; options.ghaf.graphics.hybrid-setup.prime = { - enable = mkOption { - description = '' - prime offload. This will allow on-demand offloading - of rendering tasks to the NVIDIA GPU, all other - rendering will happen on the GPU integrated in the CPU. - - The GPU *should* be turned off whenever it is not in use, so - this shouldn't cause increased battery drain, but there are - some reports floating around that this isn't always the case - - likely especially for older devices. Feel free to turn it off - if you find this doesn't work properly for you. - ''; - type = types.bool; - default = false; - }; + enable = mkEnableOption "NVIDIA PRIME offload rendering"; nvidiaBusId = mkOption { description = '' diff --git a/modules/development/cuda.nix b/modules/development/cuda.nix index 3bf19a3de9..dc6bd3a201 100644 --- a/modules/development/cuda.nix +++ b/modules/development/cuda.nix 
@@ -8,9 +8,7 @@ in { _file = ./cuda.nix; - options.ghaf.development.cuda = { - enable = mkEnableOption "CUDA Support"; - }; + options.ghaf.development.cuda.enable = mkEnableOption "CUDA Support"; config = mkIf cfg.enable { #Enabling CUDA on any supported system requires below settings. diff --git a/modules/development/debug-tools.nix b/modules/development/debug-tools.nix index 4b3f9b1c9a..dbf57331ed 100644 --- a/modules/development/debug-tools.nix +++ b/modules/development/debug-tools.nix @@ -19,9 +19,7 @@ in { _file = ./debug-tools.nix; - options.ghaf.development.debug.tools = { - enable = mkEnableOption "Debug Tools"; - }; + options.ghaf.development.debug.tools.enable = mkEnableOption "Debug Tools"; config = mkIf cfg.enable { environment.etc = { diff --git a/modules/development/dt-av.nix b/modules/development/dt-av.nix index 6a82ff2a80..bd728eb605 100644 --- a/modules/development/dt-av.nix +++ b/modules/development/dt-av.nix @@ -13,9 +13,7 @@ in { _file = ./dt-av.nix; - options.ghaf.development.debug.tools.av = { - enable = lib.mkEnableOption "Camera Debugging Tools"; - }; + options.ghaf.development.debug.tools.av.enable = lib.mkEnableOption "Camera Debugging Tools"; config = lib.mkIf cfg.enable { environment.systemPackages = diff --git a/modules/development/dt-gui.nix b/modules/development/dt-gui.nix index 8b9f61654d..1ed60ef810 100644 --- a/modules/development/dt-gui.nix +++ b/modules/development/dt-gui.nix @@ -13,9 +13,7 @@ in { _file = ./dt-gui.nix; - options.ghaf.development.debug.tools.gui = { - enable = lib.mkEnableOption "GUI Debugging Tools"; - }; + options.ghaf.development.debug.tools.gui.enable = lib.mkEnableOption "GUI Debugging Tools"; config = lib.mkIf cfg.enable { environment.systemPackages = diff --git a/modules/development/dt-host.nix b/modules/development/dt-host.nix index b76ec9929b..0bb84f69d1 100644 --- a/modules/development/dt-host.nix +++ b/modules/development/dt-host.nix 
@@ -16,9 +16,7 @@ in { _file = ./dt-host.nix; - options.ghaf.development.debug.tools.host = { - enable = lib.mkEnableOption "Host Debugging Tools"; - }; + options.ghaf.development.debug.tools.host.enable = lib.mkEnableOption "Host Debugging Tools"; config = lib.mkIf cfg.enable { environment.systemPackages = diff --git a/modules/development/dt-net.nix b/modules/development/dt-net.nix index 1079f1b142..dbffd24901 100644 --- a/modules/development/dt-net.nix +++ b/modules/development/dt-net.nix @@ -13,9 +13,7 @@ in { _file = ./dt-net.nix; - options.ghaf.development.debug.tools.net = { - enable = lib.mkEnableOption "Network Debugging Tools"; - }; + options.ghaf.development.debug.tools.net.enable = lib.mkEnableOption "Network Debugging Tools"; config = lib.mkIf cfg.enable { environment.systemPackages = diff --git a/modules/development/nix.nix b/modules/development/nix.nix index 99d7176c45..e42d25bad5 100644 --- a/modules/development/nix.nix +++ b/modules/development/nix.nix @@ -20,9 +20,7 @@ in default = null; description = "Path to the nixpkgs repository"; }; - automatic-gc = { - enable = mkEnableOption "Enable automatic garbage collection"; - }; + automatic-gc.enable = mkEnableOption "Enable automatic garbage collection"; }; config.nix = { diff --git a/modules/development/ssh.nix b/modules/development/ssh.nix index d0fa6208dc..c9bf776335 100644 --- a/modules/development/ssh.nix +++ b/modules/development/ssh.nix @@ -8,9 +8,7 @@ in { _file = ./ssh.nix; - options.ghaf.development.ssh.daemon = { - enable = mkEnableOption "ssh daemon"; - }; + options.ghaf.development.ssh.daemon.enable = mkEnableOption "ssh daemon"; config = mkIf cfg.enable { diff --git a/modules/development/usb-serial.nix b/modules/development/usb-serial.nix index dae617f577..a9d800d6f6 100644 --- a/modules/development/usb-serial.nix +++ b/modules/development/usb-serial.nix 
@@ -8,9 +8,7 @@ in { _file = ./usb-serial.nix; - options.ghaf.development.usb-serial = { - enable = mkEnableOption "Usb-Serial"; - }; + options.ghaf.development.usb-serial.enable = mkEnableOption "Usb-Serial"; #TODO Should this be alos bound to only x86? config = mkIf cfg.enable { diff --git a/modules/hardware/passthrough/pci-rules.nix b/modules/hardware/passthrough/pci-rules.nix index e64c455143..cb224dfe71 100644 --- a/modules/hardware/passthrough/pci-rules.nix +++ b/modules/hardware/passthrough/pci-rules.nix @@ -10,6 +10,7 @@ }: let inherit (lib) + mkEnableOption mkOption types mkIf @@ -151,29 +152,11 @@ in default = defaultAudiovmPciRules; }; - autoDetectGpu = mkOption { - description = '' - Auto-detect GPU PCI devices. - ''; - type = types.bool; - default = false; - }; + autoDetectGpu = mkEnableOption "auto-detection of GPU PCI devices"; - autoDetectNet = mkOption { - description = '' - Auto-detect network PCI devices. - ''; - type = types.bool; - default = false; - }; + autoDetectNet = mkEnableOption "auto-detection of network PCI devices"; - autoDetectAudio = mkOption { - description = '' - Auto-detect audio PCI devices. - ''; - type = types.bool; - default = false; - }; + autoDetectAudio = mkEnableOption "auto-detection of audio PCI devices"; }; config = lib.mkMerge [ diff --git a/modules/hardware/x86_64-generic/kernel/host/default.nix b/modules/hardware/x86_64-generic/kernel/host/default.nix index adea9b865a..618f3140ed 100644 --- a/modules/hardware/x86_64-generic/kernel/host/default.nix +++ b/modules/hardware/x86_64-generic/kernel/host/default.nix @@ -7,7 +7,7 @@ ... }: let - inherit (lib) types mkOption mkIf; + inherit (lib) mkEnableOption mkIf; # Importing kernel builder function from packages and checking hardening options # TODO: why is the kernek in packages and not in a central place to define the kernels 
@@ -25,41 +25,17 @@ in _file = ./default.nix; options.ghaf.host.kernel.hardening = { - enable = mkOption { - description = "Enable Ghaf Host hardening feature"; - type = types.bool; - default = false; - }; + enable = mkEnableOption "Ghaf Host hardening feature"; - virtualization.enable = mkOption { - description = "Enable support for virtualization in the Ghaf Host"; - type = types.bool; - default = false; - }; + virtualization.enable = mkEnableOption "support for virtualization in the Ghaf Host"; - networking.enable = mkOption { - description = "Enable support for networking in the Ghaf Host"; - type = types.bool; - default = false; - }; + networking.enable = mkEnableOption "support for networking in the Ghaf Host"; - usb.enable = mkOption { - description = "Enable support for USB in the Ghaf Host"; - type = types.bool; - default = false; - }; + usb.enable = mkEnableOption "support for USB in the Ghaf Host"; - inputdevices.enable = mkOption { - description = "Enable support for input devices in the Ghaf Host"; - type = types.bool; - default = false; - }; + inputdevices.enable = mkEnableOption "support for input devices in the Ghaf Host"; - debug.enable = mkOption { - description = "Enable support for debug features in the Ghaf Host"; - type = types.bool; - default = false; - }; + debug.enable = mkEnableOption "support for debug features in the Ghaf Host"; }; config = mkIf pkgs.stdenv.hostPlatform.isx86_64 { diff --git a/modules/microvm/common/microvm-store-mode.nix b/modules/microvm/common/microvm-store-mode.nix index d317e95292..8913868f9b 100644 --- a/modules/microvm/common/microvm-store-mode.nix +++ b/modules/microvm/common/microvm-store-mode.nix 
@@ -7,24 +7,10 @@ ... }: let - inherit (lib) mkOption types; + inherit (lib) mkEnableOption; in { _file = ./microvm-store-mode.nix; - options.ghaf.virtualization.microvm.storeOnDisk = mkOption { - type = types.bool; - default = false; - description = '' - Global setting for all MicroVMs: use storeOnDisk (erofs compressed image) - instead of shared virtiofs /nix/store. - - When true: All VMs use storeOnDisk (compressed, less memory) - When false: All VMs use sharedStore (virtiofs, more memory) - - Default is false (shared store for easier development experience). - - This setting is read by MicroVMs via configHost.ghaf.virtualization.microvm.storeOnDisk - to configure their /nix/store access method. - ''; - }; + options.ghaf.virtualization.microvm.storeOnDisk = + mkEnableOption "storeOnDisk (erofs compressed image) for all MicroVMs"; } diff --git a/modules/microvm/common/storagevm.nix b/modules/microvm/common/storagevm.nix index 4f097a1062..9345b44103 100644 --- a/modules/microvm/common/storagevm.nix +++ b/modules/microvm/common/storagevm.nix @@ -157,14 +157,7 @@ in example = "7+11+14"; }; - keepDefaultPassword = mkOption { - type = types.bool; - description = '' - Whether to keep the default password (empty string) that unlocks the VM storage partition. - Useful for debugging or to recover guest data from the host. - ''; - default = false; - }; + keepDefaultPassword = mkEnableOption "keeping the default password (empty string) that unlocks the VM storage partition"; serial = mkOption { type = types.str; diff --git a/modules/microvm/common/vm-tpm.nix b/modules/microvm/common/vm-tpm.nix index aa451dea07..c78ae16a6f 100644 --- a/modules/microvm/common/vm-tpm.nix +++ b/modules/microvm/common/vm-tpm.nix 
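Review bot: The rewritten `options.ghaf.virtualization.microvm.storeOnDisk` loses the part of the description that explained the trade-off (compressed erofs image with less memory versus shared virtiofs /nix/store with more) and that MicroVMs read the value via configHost.ghaf.virtualization.microvm.storeOnDisk; the remaining "Whether to enable storeOnDisk (erofs compressed image) for all MicroVMs." names neither the alternative nor the consumer. Because `mkEnableOption` returns an ordinary option attribute set, the short definition can keep the longer text with `mkEnableOption "…" // { description = ''…''; }`, restoring the removed paragraphs in the description.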
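Review bot: In the storagevm.nix hunk, `keepDefaultPassword` now reads "Whether to enable keeping the default password (empty string) that unlocks the VM storage partition." and drops the sentence that scoped it to debugging and recovering guest data from the host. For an option that leaves the storage partition unlockable with an empty passphrase, the intended scope is the most useful part of the documentation; restore it, e.g. `keepDefaultPassword = mkEnableOption "keeping the default (empty) password that unlocks the VM storage partition" // { description = "Whether to keep the default password (empty string) that unlocks the VM storage partition. Intended only for debugging or recovering guest data from the host."; };`. The enclosing options block starts and ends outside the hunk.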
@@ -31,17 +31,7 @@ in emulated = { enable = mkEnableOption "Emulated TPM with swtpm"; - runInVM = mkOption { - description = '' - Whether to run the swtpm instance on a separate VM or on the host. - If set to false, the daemon runs on the host and keys are stored on - the host filesystem. - If true, the swtpm daemon runs in the admin VM. This setup makes it - harder for a host process to access the guest keys. - ''; - type = types.bool; - default = false; - }; + runInVM = mkEnableOption "running swtpm in a separate VM instead of on the host"; name = mkOption { description = "Name of the VM"; diff --git a/modules/microvm/host/shared-mem.nix b/modules/microvm/host/shared-mem.nix index c683659990..e36e1d97f6 100644 --- a/modules/microvm/host/shared-mem.nix +++ b/modules/microvm/host/shared-mem.nix @@ -13,6 +13,7 @@ let cfg = config.ghaf.shm; inherit (lib) lists + mkEnableOption mkMerge mkIf mkOption @@ -23,13 +24,7 @@ in _file = ./shared-mem.nix; options.ghaf.shm = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enables shared memory communication between virtual machines (VMs) - ''; - }; + enable = mkEnableOption "shared memory communication between virtual machines (VMs)"; memSize = mkOption { type = types.int; default = 16; @@ -72,13 +67,7 @@ in List of vms having access to shared memory ''; }; - enable_host = mkOption { - type = types.bool; - default = false; - description = '' - Enables the memsocket functionality on the host system - ''; - }; + enable_host = mkEnableOption "memsocket functionality on the host system"; instancesCount = mkOption { type = types.int; default = 
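Review bot: The new `runInVM = mkEnableOption "running swtpm in a separate VM instead of on the host"` drops the explanation of what the choice means for key storage: with false the swtpm daemon runs on the host and its keys live on the host filesystem, with true it runs in the admin VM, which makes guest keys harder to reach from a host process. That is the property an operator needs in order to pick a value, so keep it, e.g. `runInVM = mkEnableOption "…" // { description = ''…''; }` carrying the removed paragraph. The enclosing `emulated` block starts and ends outside the hunk.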
@@ -105,15 +94,7 @@ in another application, such as Waypipe, when operating in client mode ''; }; - display = mkOption { - type = types.bool; - default = false; - description = '' - Enables the use of shared memory with Waypipe for Wayland-enabled - applications running on virtual machines (VMs), facilitating - efficient inter-VM communication - ''; - }; + display = mkEnableOption "shared memory with Waypipe for Wayland-enabled applications on VMs"; }; config = let diff --git a/modules/profiles/graphics.nix b/modules/profiles/graphics.nix index c46e298ae8..e3d3ef3d18 100644 --- a/modules/profiles/graphics.nix +++ b/modules/profiles/graphics.nix @@ -40,16 +40,7 @@ in }; }; autoLogin = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable automatic login. - - When enabled, the system will automatically log in the specified user - without requiring credentials at the login screen. - ''; - }; + enable = mkEnableOption "automatic login"; user = mkOption { type = types.nullOr types.str; @@ -65,11 +56,7 @@ in # If needed we can add an option to enable networkManager via cosmic, # which may be wanted in scenarios where net-vm is not used networkManager = { - enable = mkOption { - type = types.bool; - default = false; - description = "Whether to use NetworkManager on the system where graphics profile is applied."; - }; + enable = mkEnableOption "NetworkManager on the system where graphics profile is applied"; applet = { enable = mkOption { type = types.bool; 
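Review bot: In the profiles/graphics.nix autoLogin hunk, `enable = mkEnableOption "automatic login"` loses the statement that the specified user is logged in without being asked for credentials at the login screen, which is the consequence a reader should see next to the option. A short form keeps it: `enable = mkEnableOption "automatic login of the configured user without credentials at the login screen";`. The enclosing options block starts and ends outside the hunk.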
@@ -89,11 +76,7 @@ in # If needed we can add an option to enable bluetooth via cosmic, # which may be wanted in scenarios where audio-vm is not used bluetooth = { - enable = mkOption { - type = types.bool; - default = false; - description = "Whether to enable support for Bluetooth on the system where graphics profile is applied."; - }; + enable = mkEnableOption "support for Bluetooth on the system where graphics profile is applied"; applet = { enable = mkOption { type = types.bool;