From c69d8b169f6a4bfc35a7d6906ebc062e76197528 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Thu, 27 Oct 2016 19:32:48 +0200
Subject: init

---
 .gitignore       |  1 +
 .rsync-filter    |  4 ++++
 Makefile         | 32 ++++++++++++++++++++++++++++++
 README           | 17 ++++++++++++++++
 base.nix         | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 default.nix      | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++
 install.nix      | 40 +++++++++++++++++++++++++++++++++++++
 local-upload-iso | 17 ++++++++++++++++
 8 files changed, 226 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .rsync-filter
 create mode 100644 Makefile
 create mode 100644 README
 create mode 100644 base.nix
 create mode 100644 default.nix
 create mode 100644 install.nix
 create mode 100755 local-upload-iso

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1fe19f6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/keys
diff --git a/.rsync-filter b/.rsync-filter
new file mode 100644
index 0000000..0c858e9
--- /dev/null
+++ b/.rsync-filter
@@ -0,0 +1,4 @@
++ /*.nix
+- /*
+- /.git
+- /.graveyard
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..6b86d4d
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,32 @@
+default: fantasy
+
+serverId := 45474
+
+
+deploy upload-iso: target := root@ni.i
+format mount install: target := root@188.68.36.196
+populate: target ?= root@ni.i
+
+deploy install upload-iso: populate
+
+deploy:
+	ssh "$(target)" nixos-rebuild switch -I /root/config
+
+install:
+	ssh "$(target)" env NIXOS_CONFIG=/root/config/nixos-config \
+		nixos-install -I /root/config
+
+format mount upload-iso: populate
+	ssh "$(target)" ni-$@
+
+populate:
+	rsync -Flprtvz --delete-excluded keys/ $(target):/root/keys
+	rsync -Flprtvz --delete-excluded ./ $(target):/root/config/nixos-config
+	rsync -Flprtvz --delete-excluded ~/stockholm/ $(target):/root/config/stockholm
+	rsync -Flprtvz --delete-excluded --exclude /.git  /var/src/nixpkgs/ $(target):/root/config/nixpkgs
+
+kvm-info:
+	umask 0077; vcp kvmInformation $(serverId) > keys/kvm-info.json
+	jq -r '.ftp | "machine \(.host) login \(.user) password \(.pass)"' \
+		< keys/kvm-info.json \
+		> keys/upload-iso.netrc
diff --git a/README b/README
new file mode 100644
index 0000000..e3fa356
--- /dev/null
+++ b/README
@@ -0,0 +1,17 @@
+2016-10-24 installation
+
+    vcp login
+
+    make kvm-info
+    ./local-upload-iso
+
+    vcp attachCdrom 45474 ni-install.iso
+    vcp setBootOrder 45474 cdrom,hd
+    vcp controlAction RESET
+
+    make format
+    make mount
+    make install
+
+    vcp detachCdrom 45474
+    vcp controlAction RESET
diff --git a/base.nix b/base.nix
new file mode 100644
index 0000000..0db539a
--- /dev/null
+++ b/base.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+{
+  options = {
+    ni-disk = lib.mkOption {
+      default = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
+    };
+    ni-key-path = lib.mkOption {
+      # TODO type = types.absolute-path
+      default = "/root/keys";
+    };
+    ni-nix-path = lib.mkOption {
+      # TODO type = types.absolute-path
+      default = "/root/config";
+    };
+  };
+  config = {
+    boot.initrd.availableKernelModules = [
+      "virtio_balloon"
+      "virtio_blk"
+      "virtio_console"
+      "virtio_net"
+      "virtio_pci"
+      "virtio_scsi"
+    ];
+    users.users.root.openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDFR//RnCvEZAt0F6ExDsatKZ/DDdifanuSL360mqOhaFieKI34RoOwfQT9T+Ga52Vh5V2La6esvlph686EdgzeKLvDoxEwFM9ZYFBcMrNzu4bMTlgE7YUYw5JiORyXNfznBGnme6qpuvx9ibYhUyiZo99kM8ys5YrUHrP2JXQJMezDFZHxT4GFMOuSdh/1daGoKKD6hYL/jEHX8CI4E3BSmKK6ygYr1fVX0K0Tv77lIi5mLXucjR7CytWYWYnhM6DC3Hxpv2zRkPgf3k0x/Y1hrw3V/r0Me5h90pd2C8pFaWA2ZoUT/fmyVqvx1tZPYToU/O2dMItY0zgx2kR0yD+6g7Aahz3R+KlXkV8k5c8bbTbfGnZWDR1ZlbLRM9Yt5vosfwapUD90MmVkpmR3wUkO2sUKi80QfC7b4KvSDXQ+MImbGxMaU5Bnsq1PqLN95q+uat3nlAVBAELkcx51FlE9CaIS65y4J7FEDg8BE5JeuCNshh62VSYRXVSFt8bk3f/TFGgzC8OIo14BhVmiRQQ503Z1sROyf5xLX2a/EJavMm1i2Bs2TH6ROKY9z5Pz8hT5US0r381V8oG7TZyLF9HTtoy3wCYsgWA5EmLanjAsVU2YEeAA0rxzdtYP8Y2okFiJ6u+M4HQZ3Wg3peSodyp3vxdYce2vk4EKeqEFuuS82850DYb7Et7fmp+wQQUT8Q/bMO0DreWjHoMM5lE4LJ4ME6AxksmMiFtfo/4Fe2q9D+LAqZ+ANOcv9M+8Rn6ngiYmuRNd0l/a02q1PEvO6vTfXgcl4f7Z1IULHPEaDNZHCJS1K5RXYFqYQ6OHsTmOm7hnwaRAS97+VFMo1i5uvTx9nYaAcY7yzq3Ckfb67dMBKApGOpJpkvPgfrP7bgBO5rOZXM1opXqVPb09nljAhhAhyCTh1e/8+mJrBo0cLQ/LupQzVxGDgm3awSMPxsZAN45PSWz76zzxdDa1MMo51do+VJHfs7Wl0NcXAQrniOBYL9Wqt0qNkn1gY5smkkISGeQ/vxNap4MmzeZE7b5fpOy+2fpcRVQLpc4nooQzJvSVTFz+25lgZ6iHf45K87gQFMIAri1Pf/EDDpL87az+bRWvWi+BA2kMe1kf+Ay1LyMz8r+g51H0ma0bNFh6+fbWMfUiD9JCepIObclnUJ4NlWfcgHxTf17d/4tl6z4DTcLpCCk8Da77JouSHgvtcRbRlFV1OfhWZLXUsrlfpaQTiItv6TGIr3k7+7b66o3Qw/GQVs5GmYifaIZIz8n8my4XjkaMBd0SZfBzzvFjHMq6YUP9+SbjvReqofuoO+5tW1wTYZXitFFBfwuHlXm6w77K5QDBW6olT7pat41/F5eGxLcz tv@wu"
+    ];
+
+    #
+    # XXX following stuff is not necessary for install
+    # XXX but there's stuff that will reduce it's size
+    #
+    environment.systemPackages = [
+      pkgs.rsync
+      pkgs.rxvt_unicode.terminfo
+    ];
+    boot.kernel.sysctl = {
+      "net.ipv6.conf.all.use_tempaddr" = 2;
+      "net.ipv6.conf.default.use_tempaddr" = 2;
+    };
+    environment.noXlibs = true;
+    environment.profileRelativeEnvVars.PATH = lib.mkForce [ "/bin" ];
+    i18n.defaultLocale = "en_US.UTF-8";
+    i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+    nix.binaryCaches = [ "https://cache.nixos.org" ];
+    nix.requireSignedBinaryCaches = true;
+    #nix.sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+    nix.useSandbox = true;
+    programs.info.enable = false;
+    programs.man.enable = false;
+    security.hideProcessInformation = true;
+    services.nixosManual.enable = false;
+    services.nscd.enable = false;
+    services.ntp.enable = false;
+    services.openssh.enable = true;
+    services.udisks2.enable = false;
+    sound.enable = false;
+    users.mutableUsers = false;
+  };
+}
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..b582d8e
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/krebs/5pkgs>
+    <stockholm/tv/3modules/iptables.nix>
+    <stockholm/tv/5pkgs>
+    ./base.nix
+  ];
+
+  boot.loader.grub.devices = [ config.ni-disk ];
+  boot.loader.grub.splashImage = null;
+
+  environment.systemPackages = [
+    pkgs.htop
+    pkgs.iptables
+    (pkgs.writeDashBin "ni-upload-iso" ''
+      export NIX_PATH=${config.ni-nix-path}
+      set -efux
+      ${pkgs.nix}/bin/nix-build \
+          -A config.system.build.isoImage \
+          -I nixos-config=${config.ni-nix-path}/nixos-config/install.nix \
+          -o ${config.ni-nix-path}/isoImage \
+          ${config.ni-nix-path}/nixpkgs/nixos
+      ftpHost=$(${pkgs.jq}/bin/jq -r .ftp.host ${config.ni-key-path}/kvm-info.json); \
+      ${pkgs.curl}/bin/curl -n --netrc-file ${config.ni-key-path}/upload-iso.netrc \
+          -T ${config.ni-nix-path}/isoImage/iso/ni-install.iso \
+          "ftp://$ftpHost/cdrom/ni-install.iso"
+    '')
+  ];
+
+  fileSystems = {
+    "/" = {
+      device = "${config.ni-disk}-part1";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+  };
+
+  networking.hostName = "ni";
+
+  services.timesyncd.enable = true;
+
+  services.openssh = {
+    enable = true;
+    hostKeys = lib.singleton ({
+      type = "ed25519";
+      path = "${config.ni-key-path}/ssh.id_ed25519";
+    });
+  };
+
+  tv.iptables.enable = true;
+  tv.iptables.accept-echo-request = "internet";
+  tv.iptables.input-internet-accept-tcp = [ "ssh" ];
+}
diff --git a/install.nix b/install.nix
new file mode 100644
index 0000000..3217cb5
--- /dev/null
+++ b/install.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix>
+    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
+    <stockholm/krebs/5pkgs>
+    ./base.nix
+  ];
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "ni-format" ''
+      set -efux
+      ${pkgs.parted}/bin/parted ${config.ni-disk} mktable msdos
+      ${pkgs.parted}/bin/parted ${config.ni-disk} mkpart primary 1MiB 100%
+      ${pkgs.parted}/bin/parted ${config.ni-disk} print
+      ${pkgs.btrfs-progs}/bin/mkfs.btrfs ${config.ni-disk}-part1
+    '')
+
+    (pkgs.writeDashBin "ni-mount" ''
+      set -efux
+      if ! ${pkgs.utillinux}/bin/mountpoint /mnt; then
+        ${pkgs.coreutils}/bin/install -m 0000 -d /mnt
+        ${pkgs.utillinux}/bin/mount ${config.ni-disk}-part1 /mnt
+      fi
+      if ! ${pkgs.utillinux}/bin/mountpoint ${config.ni-path}; then
+        ${pkgs.coreutils}/bin/install -m 0700 -d /mnt${config.ni-path}
+        ${pkgs.coreutils}/bin/install -m 0000 -d ${config.ni-path}
+        ${pkgs.utillinux}/bin/mount --bind /mnt${config.ni-path} ${config.ni-path}
+        ${pkgs.coreutils}/bin/touch /mnt/${config.ni-path}/.populate
+      fi
+    '')
+
+    # TODO ni-upload-iso
+  ];
+
+  isoImage.isoName = "ni-install.iso";
+  isoImage.volumeID = "NI_INSTALL_ISO";
+  networking.hostName = "ni-install";
+}
diff --git a/local-upload-iso b/local-upload-iso
new file mode 100755
index 0000000..26c2358
--- /dev/null
+++ b/local-upload-iso
@@ -0,0 +1,17 @@
+#! /bin/sh
+# XXX DRY, see default.nix's ni-upload-iso
+
+keys=$PWD/keys
+nixos_config=$PWD
+nixpkgs=/var/src/nixpkgs
+
+set -efux
+isoImage=$(nix-build \
+    -A config.system.build.isoImage \
+    -I nixos-config="$nixos_config/install.nix" \
+    --no-out-link \
+    "$nixpkgs"/nixos); \
+ftpHost=$(jq -r .ftp.host "$keys/kvm-info.json"); \
+curl -n --netrc-file "$keys/upload-iso.netrc" \
+    -T $isoImage/iso/ni-install.iso \
+    "ftp://$ftpHost/cdrom/ni-install.iso"
-- 
cgit v1.2.3