minimal profile: start defining a minimal profile

brianmcgillion · brianmcgillion · commit 65af7bf9996d · 2025-12-01T18:05:22.000+04:00
Signed-off-by: Brian McGillion &lt;bmg.avoin@gmail.com&gt;
diff --git a/modules/profiles/debug.nix b/modules/profiles/debug.nix
@@ -17,6 +17,9 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    # Enable minimal profile as base
+    ghaf.profiles.minimal.enable = true;
+
     # Enable default accounts and passwords
     ghaf = {
       # Enable development on target
diff --git a/modules/profiles/flake-module.nix b/modules/profiles/flake-module.nix
@@ -13,6 +13,7 @@
       ./graphics.nix
       ./debug.nix
       ./release.nix
+      ./minimal.nix
       ./host-hardening.nix
       # NOTE: kernel-hardening is NOT included here because it requires specific kernel
       # hardening options that don't exist in all configurations. Import it explicitly
diff --git a/modules/profiles/minimal.nix b/modules/profiles/minimal.nix
@@ -0,0 +1,82 @@
+# SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ghaf.profiles.minimal;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkDefault
+    ;
+in
+{
+  options.ghaf.profiles.minimal = {
+    enable = (mkEnableOption "minimal profile") // {
+      default = false;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Minimal profile provides the base configuration that all other profiles build upon
+    # This profile should contain only the essential settings needed for a basic Ghaf system
+    # As the upstream changes such as bashless, minimal and other optimizations are too drastic
+    # we will manually add the ones here that are deemed safe and useful for all profiles.
+
+    documentation = {
+      enable = mkDefault false;
+      doc.enable = mkDefault false;
+      info.enable = mkDefault false;
+      man.enable = mkDefault false;
+      man.man-db.enable = mkDefault false;
+      nixos.enable = mkDefault false;
+    };
+
+    environment = {
+      # Perl is a default package.
+      # TODO: reenable the below, once we sync with the test teams-for-linux
+      #defaultPackages = mkForce [ ];
+      #corePackages = mkForce [ ];
+      #stub-ld.enable = mkDefault false;
+    };
+
+    programs = {
+      command-not-found.enable = mkDefault false;
+      fish.generateCompletions = mkDefault false;
+      # The lessopen package pulls in Perl.
+      less.lessopen = mkDefault null;
+    };
+
+    # Disable automatic config generation
+    system.tools.nixos-generate-config.enable = mkDefault false;
+
+    boot = {
+      loader.grub.enable = mkDefault false;
+      # This pulls in nixos-containers which depends on Perl.
+      enableContainers = mkDefault false;
+    };
+
+    # Provide a minimal set of system packages
+    environment.systemPackages = [
+      # TODO: will need to define the base set of packages
+      #pkgs.busybox
+      pkgs.openssh
+    ];
+
+    # The system cannot be rebuilt, these should be enabled
+    # especially when making the storeDiskImages
+    # TODO: enable this for storeDiskImages only
+    #nix.enable = mkDefault false;
+    #system.switch.enable = mkDefault false;
+
+    ghaf = {
+      # Add minimal base configuration here
+      # Currently empty - will be populated as we move common settings from debug/release
+    };
+  };
+}
diff --git a/modules/profiles/release.nix b/modules/profiles/release.nix
@@ -14,6 +14,9 @@ in
   };
 
   config = mkIf cfg.enable {
+    # Enable minimal profile as base
+    ghaf.profiles.minimal.enable = true;
+
     # Enable default accounts and passwords
     # TODO this needs to be refined when we define a policy for the
     # processes and the UID/groups that should be enabled by default
