Refactor module structure into groups of modules

Refactor module structure into specific groups of modules, which
integrate features from other flakes into the ghaf flake:
* common
* desktop
* disko
* host
* jetpack
* jetpack-microvm
* lanzaboote
* polarfire

Also fix targets to use these new module groups, and export them from
flake.

Signed-off-by: Mika Tammi <[email protected]>

.reuse/dep5

@@ -7,5 +7,5 @@ Copyright: 2022-2024 Technology Innovation Institute (TII) <https://github.com/t
 License: Apache-2.0
 Files: 
   *.lock *.png *.svg *.patch *.db *.key *.pem *.cer *.p12
-  modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
-  modules/host/ghaf_host_hardened_baseline-jetson-orin
+  modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
+  modules/jetpack/ghaf_host_hardened_baseline-jetson-orin

docs/src/architecture/hardening.md

@@ -25,7 +25,7 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
   ```
   ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel-x86
   ...
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
   [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make menuconfig
   ...
   [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make -j$(nproc)
@@ -42,8 +42,8 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
 * [Validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker):
 
   ```
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/hardware/x86_64-generic/kernel/host/configs GS=../modules/hardware/x86_64-generic/kernel/guest/configs
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/common/hardware/x86_64-generic/kernel/host/configs GS=../modules/common/hardware/x86_64-generic/kernel/guest/configs
   [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ ./scripts/kconfig/merge_config.sh .config $HS/virtualization.config $HS/networking.config $HS/usb.config $HS/user-input-devices.config $HS/debug.config $GS/guest.config $GS/display-gpu.config
   [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ kernel-hardening-checker -c .config
   [+] Kconfig file to check: .config
@@ -74,7 +74,7 @@ The host kernel runs on bare metal. The kernel is provided either with Linux ups
 The host kernel hardening is based on Linux `make tinyconfig`. The
 default `tinyconfig` fails to assertions on NixOS without
 modifications. Assertions are fixed in the `ghaf_host_hardened_baseline` Linux configuration under Ghaf
-`modules/hardware/x86_64-generic/kernel/configs`. Resulting baseline
+`modules/common/hardware/x86_64-generic/kernel/configs`. Resulting baseline
 kernel configuration is generic for x86_64 hardware architecture devices.
 
 In addition, NixOS (Ghaf baseline dependency) requires several kernel modules that are added to the config or ignored with `allowMissing = true`. As of now, the kernel builds and early boots on Lenovo X1.
@@ -115,4 +115,4 @@ It can be enabled with the following flag `guest.hardening.enable` for Lenovo X1
 
 The Guest Graphics support will add the required kernel config dependency to the Ghaf baseline by which NixOS has guest graphics enabled. The added functionality is for guest with graphics support enabled.
 
-It can be enabled with the following flag `guest.graphics_hardening.enable` for Lenovo X1.
+It can be enabled with the following flag `guest.graphics_hardening.enable` for Lenovo X1.

flake.nix

@@ -168,6 +168,7 @@
 
       imports = [
         ./overlays
+        ./modules
         ./nix
         ./packages
         ./targets

modules/common/common.nix

@@ -0,0 +1,48 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# TODO: Refactor even more.
+#       This is the old "host/default.nix" file.
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # TODO remove this when the minimal config is defined
+    # Replace with the baseModules definition
+    # UPDATE 26.07.2023:
+    # This line breaks build of GUIVM. No investigations of a
+    # root cause are done so far.
+    #(modulesPath + "/profiles/minimal.nix")
+  ];
+
+  config = {
+    system.stateVersion = lib.trivial.release;
+
+    ####
+    # temp means to reduce the image size
+    # TODO remove this when the minimal config is defined
+    appstream.enable = false;
+
+    systemd.package = pkgs.systemd.override ({
+        withCryptsetup = false;
+        withDocumentation = false;
+        withFido2 = false;
+        withHomed = false;
+        withHwdb = false;
+        withLibBPF = true;
+        withLocaled = false;
+        withPCRE2 = false;
+        withPortabled = false;
+        withTpm2Tss = false;
+        withUserDb = false;
+      }
+      // lib.optionalAttrs (lib.hasAttr "withRepart" (lib.functionArgs pkgs.systemd.override)) {
+        withRepart = false;
+      });
+
+    boot.enableContainers = false;
+    ##### Remove to here
+  };
+}

modules/common/default.nix

@@ -0,0 +1,19 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Common ghaf modules
+#
+{
+  imports = [
+    ./boot/systemd-boot-dtb.nix
+    ./common.nix
+    ./development
+    ./firewall
+    ./hardware
+    ./profiles
+    ./tpm2
+    ./users/accounts.nix
+    ./version
+    ./virtualization/docker.nix
+  ];
+}

modules/common/development/default.nix

@@ -0,0 +1,10 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./debug-tools.nix
+    ./usb-serial.nix
+    ./nix.nix
+    ./ssh.nix
+  ];
+}

modules/common/hardware/default.nix

@@ -0,0 +1,9 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./x86_64-linux.nix
+    ./x86_64-generic
+    ./definition.nix
+  ];
+}

modules/common/hardware/x86_64-generic/default.nix

@@ -0,0 +1,10 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./kernel/guest
+    ./kernel/hardening.nix
+    ./kernel/host
+    ./kernel/host/pkvm
+  ];
+}

modules/hardware/x86_64-generic/kernel/host/default.nix → modules/common/hardware/x86_64-generic/kernel/host/default.nix

@@ -7,7 +7,7 @@
   ...
 }: let
   # Importing kernel builder function from packages and checking hardening options
-  buildKernel = import ../../../../../packages/kernel {inherit config pkgs lib;};
+  buildKernel = import ../../../../../../packages/kernel {inherit config pkgs lib;};
   config_baseline = ../configs/ghaf_host_hardened_baseline-x86;
   host_hardened_kernel = buildKernel {
     inherit config_baseline;

modules/profiles/debug.nix → modules/common/profiles/debug.nix

@@ -25,11 +25,6 @@ in
           # Let us in.
           ssh.daemon.enable = true;
         };
-
-        hardware.nvidia.orin.optee = {
-          xtest = true;
-          pkcs11-tool = true;
-        };
       };
     };
   }

modules/common/profiles/default.nix

@@ -0,0 +1,8 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./debug.nix
+    ./release.nix
+  ];
+}

modules/default.nix

@@ -0,0 +1,17 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Modules to be exported from Flake
+#
+_: {
+  flake.nixosModules = {
+    common = import ./common;
+    desktop = import ./desktop;
+    host = import ./host;
+    jetpack = import ./jetpack;
+    jetpack-microvm = import ./jetpack-microvm;
+    lanzaboote = import ./lanzaboote;
+    microvm = import ./microvm;
+    polarfire = import ./polarfire;
+  };
+}

modules/desktop/default.nix

@@ -0,0 +1,12 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Ghaf Desktop Experience
+#
+{
+  imports = [
+    ./graphics
+    ./profiles
+    ./windows-launcher
+  ];
+}

modules/graphics/waybar.config.nix → modules/desktop/graphics/waybar.config.nix

@@ -59,7 +59,7 @@
     }
   ];
 
-  wifi-signal-strength = pkgs.callPackage ../../packages/wifi-signal-strength {wifiDevice = (lib.lists.findFirst (d: d.name != null) null networkDevice).name;};
+  wifi-signal-strength = pkgs.callPackage ../../../packages/wifi-signal-strength {wifiDevice = (lib.lists.findFirst (d: d.name != null) null networkDevice).name;};
 in {
   config = lib.mkIf cfg.enable {
     ghaf.graphics.launchers = defaultLauncher;

modules/graphics/weston.ini.nix → modules/desktop/graphics/weston.ini.nix

@@ -49,7 +49,7 @@ in {
 
           [shell]
           locking=false
-          background-image=${../../assets/wallpaper.png}
+          background-image=${../../../assets/wallpaper.png}
           background-type=scale-crop
           num-workspaces=2
 

modules/desktop/profiles/default.nix

@@ -0,0 +1,8 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./applications.nix
+    ./graphics.nix
+  ];
+}

modules/windows-launcher/default.nix → modules/desktop/windows-launcher/default.nix

@@ -7,7 +7,7 @@
   ...
 }: let
   cfg = config.ghaf.windows-launcher;
-  windows-launcher = pkgs.callPackage ../../packages/windows-launcher {enableSpice = cfg.spice;};
+  windows-launcher = pkgs.callPackage ../../../packages/windows-launcher {enableSpice = cfg.spice;};
 in {
   options.ghaf.windows-launcher = {
     enable = lib.mkEnableOption "Windows launcher";

modules/host/default.nix

@@ -1,53 +1,15 @@
-# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
-  lib,
-  pkgs,
-  ...
-}: {
-  imports = [
-    # TODO remove this when the minimal config is defined
-    # Replace with the baseModules definition
-    # UPDATE 26.07.2023:
-    # This line breaks build of GUIVM. No investigations of a
-    # root cause are done so far.
-    #(modulesPath + "/profiles/minimal.nix")
-
-    # TODO: Refactor this under virtualization/microvm/host/networking.nix
-    ./networking.nix
+#
+# Modules that should be only imported to host
+#
+{lib, ...}: {
+  networking.hostName = lib.mkDefault "ghaf-host";
+
+  # Overlays should be only defined for host, because microvm.nix uses the
+  # pkgs that already has overlays in place. Otherwise the overlay will be
+  # applied twice.
+  nixpkgs.overlays = [
+    (import ../../overlays/custom-packages)
   ];
-
-  config = {
-    networking.hostName = "ghaf-host";
-    system.stateVersion = lib.trivial.release;
-
-    nixpkgs.overlays = [
-      (import ../../overlays/custom-packages)
-    ];
-
-    ####
-    # temp means to reduce the image size
-    # TODO remove this when the minimal config is defined
-    appstream.enable = false;
-
-    systemd.package = pkgs.systemd.override ({
-        withCryptsetup = false;
-        withDocumentation = false;
-        withFido2 = false;
-        withHomed = false;
-        withHwdb = false;
-        withLibBPF = true;
-        withLocaled = false;
-        withPCRE2 = false;
-        withPortabled = false;
-        withTpm2Tss = false;
-        withUserDb = false;
-      }
-      // lib.optionalAttrs (lib.hasAttr "withRepart" (lib.functionArgs pkgs.systemd.override)) {
-        withRepart = false;
-      });
-
-    boot.enableContainers = false;
-    ##### Remove to here
-  };
 }

modules/jetpack-microvm/default.nix

@@ -0,0 +1,8 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./nx-netvm-ethernet-pci-passthrough.nix
+    ./agx-netvm-wlan-pci-passthrough.nix
+  ];
+}

modules/jetpack/default.nix

@@ -0,0 +1,11 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# ghaf's integration to jetpack-nixos
+#
+{
+  imports = [
+    ./profiles
+    ./nvidia-jetson-orin
+  ];
+}

modules/hardware/nvidia-jetson-orin/default.nix → modules/jetpack/nvidia-jetson-orin/default.nix

@@ -5,14 +5,13 @@
 {
   imports = [
     ./partition-template.nix
-    ../../boot/systemd-boot-dtb.nix
     ./jetson-orin.nix
 
     ./pci-passthrough-common.nix
-    ./agx-netvm-wlan-pci-passthrough.nix
-    ./nx-netvm-ethernet-pci-passthrough.nix
 
     ./ota-utils-fix.nix
     ./virtualization
+
+    ./optee.nix
   ];
 }

modules/jetpack/profiles/debug.nix

@@ -0,0 +1,18 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.ghaf.profiles.debug;
+in {
+  config = lib.mkIf cfg.enable {
+    # Enable default accounts and passwords
+    ghaf.hardware.nvidia.orin.optee = {
+      xtest = true;
+      pkcs11-tool = true;
+    };
+  };
+}

modules/jetpack/profiles/default.nix

@@ -0,0 +1,7 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./debug.nix
+  ];
+}

modules/host/secureboot.nix → modules/lanzaboote/default.nix

@@ -1,5 +1,7 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
+#
+# ghaf's integration to lanzaboote
 {
   lib,
   pkgs,