feat: add boot.kernel.sysctl and boot.kernelModules

yuxqiu · yuxqiu · commit e0412d6b84cf · 2026-03-06T20:28:18.000+08:00
diff --git a/nix/modules/upstream/nixpkgs/default.nix b/nix/modules/upstream/nixpkgs/default.nix
@@ -1,8 +1,24 @@
 {
   nixosModulesPath,
   lib,
+  pkgs,
+  config,
   ...
 }:
+let
+  modulesTypeDesc = ''
+    This can either be a list of modules, or an attrset. In an
+    attrset, names that are set to `true` represent modules that will
+    be included. Note that setting these names to `false` does not
+    prevent the module from being loaded.
+  '';
+  kernelModulesConf = pkgs.writeText "nixos.conf" ''
+    ${lib.concatStringsSep "\n" config.boot.kernelModules}
+  '';
+  attrNamesToTrue = lib.types.coercedTo (lib.types.listOf lib.types.str) (
+    enabledList: lib.genAttrs enabledList (_attrName: true)
+  ) (lib.types.attrsOf lib.types.bool);
+in
 {
   imports = [
     ./firewall.nix
@@ -20,6 +36,7 @@
       "/misc/ids.nix"
       "/security/acme/"
       "/services/web-servers/nginx/"
+      "/config/sysctl.nix"
       # nix settings
       "/config/nix.nix"
       "/services/system/userborn.nix"
@@ -29,11 +46,25 @@
   options =
     # We need to ignore a bunch of options that are used in NixOS modules but
     # that don't apply to system-manager configs.
-    # TODO: can we print an informational message for things like kernel modules
-    # to inform users that they need to be enabled in the host system?
     {
       boot = lib.mkOption {
-        type = lib.types.raw;
+        type = lib.types.submodule {
+          freeformType = lib.types.attrsOf lib.types.raw;
+          options = {
+            kernelModules = lib.mkOption {
+              type = attrNamesToTrue;
+              default = { };
+              description = ''
+                The set of kernel modules to be loaded in the second stage of
+                the boot process.
+
+                ${modulesTypeDesc}
+              '';
+              apply = mods: lib.attrNames (lib.filterAttrs (_: v: v) mods);
+            };
+          };
+        };
+        default = { };
       };
 
       # nixos/modules/services/system/userborn.nix still depends on activation scripts
@@ -64,4 +95,17 @@
         };
       };
     };
+
+  config = {
+    # Create /etc/modules-load.d/system-manager.conf, which is read by
+    # systemd-modules-load.service to load required kernel modules.
+    environment.etc = lib.mkIf (config.boot.kernelModules != { }) {
+      "modules-load.d/system-manager.conf".source = kernelModulesConf;
+    };
+
+    # config/sysctl.nix assumes it can freely configure systemd-sysctl.service.
+    # However, in our case, the service is managed by the host system,
+    # so we default to enable = false; to avoid unintended interference.
+    systemd.services.systemd-sysctl.enable = lib.mkDefault false;
+  };
 }
