without a merge feature, it would be too easy to break kernel configs and one of my goal was to make kernel configs more composable. I believe it's of higher priority to ease enabling stuff vs disabling stuff hence the default merge favors enabling feature. I would say it is mostly a matter of documentation as it should be possible to switch the behavior quite easily (change the order to have "n" first in:

          merge = mergeAnswer [ "y" "m" "n" ];

whole common-config.nix should be a mkDefault IMO.

If you are interested, I had a roadmap here #69014

Do you have a use case where a feature is explicitly disabled somewhere, enabled somewhere else and yet you want the result to be that the feature gets enabled?

This is exactly what we don't want to happen in the use case I mentioned before (when someone wants to disable a feature for security reasons).

IMO it's better for the build to break if there are conflicting definitions inside nixpkgs so that the issue can be investigated and the appropriate result can be selected on a case-by-case basis using priorities, since in some cases we may want the result to be enabled and in other cases to be disabled.

IMO the current merge strategy of silently choosing one value when there are conflicting definitions is extremely unintuitive, has led to undesired configurations for quite a long time (in hardened kernels and also for user configs, although I understand the latter will be fixed with mkDefault) and will very likely lead to the same problem in the future.

I agree that using mkDefault in nixpkgs is better so that user configurations take priority by default.

I marked this as stale due to inactivity. → More info

I would like to keep the merging functions to provide different strategies. I will write some doc about kernel configuration now that it looks easier to do so. I can try to use mkDefault as discussed instead.

@teto if multiple places with the same priority disagree on what the option should be set to, I do think it should complain and require a human to decide what should be used.

Alternatively, common-config could have mkDefault mapped over it, so the result is as if it were written as

{
  IKCONFIG = mkDefault yes;
  IKCONFIG_PROC = mkDefault yes;
  …
}

rather than mkDefault over the whole set as in mkDefault { IKCONFIG = yes; IKCONFIG_PROC = yes; } — that way only the individual settings will be overridden, rather than having a single setting completely disable common-config. I still prefer only using mkDefault for ones that we know need to be overridden elsewhere in nixpkgs though: using a different value than what nixpkgs usually would should be a conscious decision on the user's behalf.

I would suggest adding mkDefault all over common-config.nix to be honest. The hardened config should also have MODULES = n and that is going to cause all kinds of messes anyways :)

Additionally, I would add a subtest to the test latestKernel.hardened. Even if it is a simple check again /proc/config.gz and maybe make sure the ss command fails (which should rely on INET_DIAG)

I'd prefer using mkDefault only where something like the hardened config requires a different setting: that way, setting options to non-stock-NixOS values will make it extra clear to the user (unlike for completely unrelated options like hardware support flags which NixOS is simply missing) that they're contradicting the "preferred" nixpkgs way.

I can agree with that reasoning. Sounds good to me.
What else do we need for this?

• Addressing review comments
• Fixing merge conflicts
• Merging :)

@wizeman are you willing to do this? If not I'll pick it up sometime soon probably.

Sounds good, ping me when you want another review :)

@lheckemann Please, feel free to pick up. I don't think I will be able to finish this anytime soon.

Done, @NeQuissimus what do you think?

@ofborg test kernel-latest kernel-lts latestKernel.login kernel-latest-ath-user-regd latestKernel.hardened