authorJeschli <jeschli@gmail.com>2019-12-20 08:56:54 +0100
committerJeschli <jeschli@gmail.com>2019-12-20 08:56:54 +0100
commitea5522e2e048cbdac5184803040e314f84472f4f (patch)
tree52cd5a95d9a3d3c276b485f970b0d1cebf2d26ec /makefu/1systems/iso
parent555e4f0825da1b06be97e1d487c800145c51c9f6 (diff)
parente2a43e1e30b635b85a79bedb3d40cd8a888a1d49 (diff)
Merge branch 'master' of https://cgit.lassul.us/stockholm
Diffstat (limited to 'makefu/1systems/iso')
-rw-r--r--makefu/1systems/iso/config.nix30
-rw-r--r--makefu/1systems/iso/justdoit.nix128
-rw-r--r--makefu/1systems/iso/target-config.nix40
3 files changed, 189 insertions, 9 deletions
diff --git a/makefu/1systems/iso/config.nix b/makefu/1systems/iso/config.nix
index fdf203d5b..6c4f62310 100644
--- a/makefu/1systems/iso/config.nix
+++ b/makefu/1systems/iso/config.nix
@@ -3,20 +3,32 @@
with import <stockholm/lib>;
{
imports = [
- <stockholm/makefu>
+ #<stockholm/makefu>
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
<nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
- <stockholm/makefu/2configs/tools/core.nix>
+ # <stockholm/makefu/2configs/tools/core.nix>
+ ./justdoit.nix
+ {
+ kexec.justdoit = {
+ # bootSize = 512;
+ rootDevice = "/dev/sdb";
+ swapSize = 1024;
+ bootType = "vfat";
+ luksEncrypt = true;
+ uefi = true;
+ };
+ }
];
+ boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
- # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
- krebs.build.host = { cores = 0; };
+ # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso/config.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
+ #krebs.build.host = { cores = 0; };
isoImage.isoBaseName = lib.mkForce "stockholm";
- krebs.hidden-ssh.enable = true;
- environment.systemPackages = with pkgs; [
- aria2
- ddrescue
- ];
+ #krebs.hidden-ssh.enable = true;
+ # environment.systemPackages = with pkgs; [
+ # aria2
+ # ddrescue
+ # ];
environment.extraInit = ''
EDITOR=vim
'';
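Review bot: The inline module added to `imports` bakes `rootDevice = "/dev/sdb"` together with `luksEncrypt = true` into the ISO, so the `justdoit` script that `./justdoit.nix` installs will wipe whatever enumerates as /dev/sdb on the booted machine, and the value is neither explained nor guarded. A comment beside it such as `# disk the justdoit installer repartitions without confirmation; confirm the device name on the target before running` would at least record the intent. The commented-out `<stockholm/makefu>`, `krebs.build.host` and `krebs.hidden-ssh.enable` lines read as a work-in-progress toggle rather than a decision; if the stockholm modules are meant to stay off for this ISO, deleting the lines is cleaner than keeping dead text. The `lib` and `pkgs` used on the new `boot.kernelPackages` line presumably come from the module arguments above the hunk, which are outside this view.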
diff --git a/makefu/1systems/iso/justdoit.nix b/makefu/1systems/iso/justdoit.nix
new file mode 100644
index 000000000..7947953f9
--- /dev/null
+++ b/makefu/1systems/iso/justdoit.nix
@@ -0,0 +1,128 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ cfg = config.kexec.justdoit;
+ x = if cfg.nvme then "p" else "";
+in {
+ options = {
+ kexec.justdoit = {
+ rootDevice = mkOption {
+ type = types.str;
+ default = "/dev/sda";
+ description = "the root block device that justdoit will nuke from orbit and force nixos onto";
+ };
+ bootSize = mkOption {
+ type = types.int;
+ default = 256;
+ description = "size of /boot in mb";
+ };
+ bootType = mkOption {
+ type = types.enum [ "ext4" "vfat" "zfs" ];
+ default = "ext4";
+ };
+ swapSize = mkOption {
+ type = types.int;
+ default = 1024;
+ description = "size of swap in mb";
+ };
+ poolName = mkOption {
+ type = types.str;
+ default = "tank";
+ description = "zfs pool name";
+ };
+ luksEncrypt = mkOption {
+ type = types.bool;
+ default = false;
+ description = "encrypt all of zfs and swap";
+ };
+ uefi = mkOption {
+ type = types.bool;
+ default = false;
+ description = "create a uefi install";
+ };
+ nvme = mkOption {
+ type = types.bool;
+ default = false;
+ description = "rootDevice is nvme";
+ };
+ };
+ };
+ config = let
+ mkBootTable = {
+ ext4 = "mkfs.ext4 $NIXOS_BOOT -L NIXOS_BOOT";
+ vfat = "mkfs.vfat $NIXOS_BOOT -n NIXOS_BOOT";
+ zfs = "";
+ };
+ in lib.mkIf true {
+ system.build.justdoit = pkgs.writeScriptBin "justdoit" ''
+ #!${pkgs.stdenv.shell}
+ set -e
+ vgchange -a n
+ wipefs -a ${cfg.rootDevice}
+ dd if=/dev/zero of=${cfg.rootDevice} bs=512 count=10000
+ sfdisk ${cfg.rootDevice} <<EOF
+ label: gpt
+ device: ${cfg.rootDevice}
+ unit: sectors
+ ${lib.optionalString (cfg.bootType != "zfs") "1 : size=${toString (2048 * cfg.bootSize)}, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4"}
+ ${lib.optionalString (! cfg.uefi) "4 : size=4096, type=21686148-6449-6E6F-744E-656564454649"}
+ 2 : size=${toString (2048 * cfg.swapSize)}, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
+ 3 : type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ EOF
+ ${if cfg.luksEncrypt then ''
+ cryptsetup luksFormat ${cfg.rootDevice}${x}2
+ cryptsetup open --type luks ${cfg.rootDevice}${x}2 swap
+ cryptsetup luksFormat ${cfg.rootDevice}${x}3
+ cryptsetup open --type luks ${cfg.rootDevice}${x}3 root
+ export ROOT_DEVICE=/dev/mapper/root
+ export SWAP_DEVICE=/dev/mapper/swap
+ '' else ''
+ export ROOT_DEVICE=${cfg.rootDevice}${x}3
+ export SWAP_DEVICE=${cfg.rootDevice}${x}2
+ ''}
+ ${lib.optionalString (cfg.bootType != "zfs") "export NIXOS_BOOT=${cfg.rootDevice}${x}1"}
+ mkdir -p /mnt
+ ${mkBootTable.${cfg.bootType}}
+ mkswap $SWAP_DEVICE -L NIXOS_SWAP
+ zpool create -o ashift=12 -o altroot=/mnt ${cfg.poolName} $ROOT_DEVICE
+ zfs create -o mountpoint=legacy ${cfg.poolName}/root
+ zfs create -o mountpoint=legacy ${cfg.poolName}/home
+ zfs create -o mountpoint=legacy ${cfg.poolName}/nix
+ swapon $SWAP_DEVICE
+ mount -t zfs ${cfg.poolName}/root /mnt/
+ mkdir /mnt/{home,nix,boot}
+ mount -t zfs ${cfg.poolName}/home /mnt/home/
+ mount -t zfs ${cfg.poolName}/nix /mnt/nix/
+ ${lib.optionalString (cfg.bootType != "zfs") "mount $NIXOS_BOOT /mnt/boot/"}
+ nixos-generate-config --root /mnt/
+ hostId=$(echo $(head -c4 /dev/urandom | od -A none -t x4))
+ cp ${./target-config.nix} /mnt/etc/nixos/configuration.nix
+ cat > /mnt/etc/nixos/generated.nix <<EOF
+ { ... }:
+ {
+ ${if cfg.uefi then ''
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.device = "nodev";
+ '' else ''
+ boot.loader.grub.device = "${cfg.rootDevice}";
+ ''}
+ networking.hostId = "$hostId"; # required for zfs use
+ ${lib.optionalString cfg.luksEncrypt ''
+ boot.initrd.luks.devices = [
+ { name = "swap"; device = "${cfg.rootDevice}${x}2"; preLVM = true; }
+ { name = "root"; device = "${cfg.rootDevice}${x}3"; preLVM = true; }
+ ];
+ ''}
+ }
+ EOF
+ nixos-install
+ umount /mnt/home /mnt/nix ${lib.optionalString (cfg.bootType != "zfs") "/mnt/boot"} /mnt
+ zpool export ${cfg.poolName}
+ swapoff $SWAP_DEVICE
+ '';
+ environment.systemPackages = [ config.system.build.justdoit ];
+ boot.supportedFilesystems = [ "zfs" ];
+ };
+}
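Review bot: The `bootType` option (`types.enum [ "ext4" "vfat" "zfs" ]`) is the only `kexec.justdoit` option without a `description`; add `description = "filesystem for /boot; zfs means no separate boot partition is created";` since the sfdisk, `NIXOS_BOOT` and mount lines skip the boot partition exactly when it is `zfs`. The `luksEncrypt` description "encrypt all of zfs and swap" is accurate only for the root and swap partitions, and the note that /boot stays unencrypted belongs there too. `lib.mkIf true { ... }` around the config block is a no-op and can be dropped. At the tail of the script, `zpool export` and `swapoff` release the block devices but the LUKS mappings opened earlier are never closed; when `cfg.luksEncrypt` is set, append `cryptsetup close root` and `cryptsetup close swap` after `swapoff $SWAP_DEVICE` so the installer leaves the target in a clean state.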
diff --git a/makefu/1systems/iso/target-config.nix b/makefu/1systems/iso/target-config.nix
new file mode 100644
index 000000000..ba4e3207b
--- /dev/null
+++ b/makefu/1systems/iso/target-config.nix
@@ -0,0 +1,40 @@
+{ ... }:
+
+{
+ imports = [ ./hardware-configuration.nix ./generated.nix ];
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
+ boot.zfs.forceImportRoot = false;
+ boot.zfs.forceImportAll = false;
+ boot.kernelParams = [
+ "boot.shell_on_fail"
+ "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+ ];
+ users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb" ];
+ boot.tmpOnTmpfs = true;
+ programs.bash.enableCompletion = true;
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ # minimal
+ programs.command-not-found.enable = false;
+ time.timeZone = "Europe/Berlin";
+ programs.ssh.startAgent = false;
+ nix.useSandbox = true;
+ users.mutableUsers = false;
+ networking.firewall.rejectPackets = true;
+ networking.firewall.allowPing = true;
+ services.openssh.enable = true;
+ i18n = {
+ consoleKeyMap = "us";
+ defaultLocale = "en_US.UTF-8";
+ };
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+ services.nscd.enable = false;
+}
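Review bot: The `users.users.root.openssh.authorizedKeys.keys` line installs one literal ssh-rsa key into every system this installer produces, with nothing saying whose key it is or why it is baked in; together with `users.mutableUsers = false` and no root password set anywhere in this file, that key is the only login path to the installed host. Add a comment above the line naming the key's purpose, e.g. `# installer's root key; sole root login path since mutableUsers = false and no root password is set`, or have the installer copy the key from the ISO's own configuration instead of duplicating the literal here. The existing `boot.zfs.devNodes` comment already sets the style for such one-line explanations in this file.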