authorGregor Kleen <gkleen@yggdrasil.li>2024-08-08 10:45:09 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2024-08-08 10:45:09 +0200
commit63adb41f1a060c21a68143eb9e86c2790ef66f36 (patch)
tree3902b85e7659fd396ded1d2e42ea318153d08a13 /system-profiles
parent73b08cbd76d4471c9a6fddd05265d7d7fc4c45ff (diff)
...
Diffstat (limited to 'system-profiles')
-rw-r--r--system-profiles/core/default.nix175
-rw-r--r--system-profiles/initrd-ssh/module.nix12
-rw-r--r--system-profiles/nfsroot.nix172
3 files changed, 194 insertions, 165 deletions
diff --git a/system-profiles/core/default.nix b/system-profiles/core/default.nix
index 6aee221f..c2c821b7 100644
--- a/system-profiles/core/default.nix
+++ b/system-profiles/core/default.nix
@@ -74,7 +74,7 @@ in {
74 }; 74 };
75 in foldr (def: mergeConfig def.value) {}; 75 in foldr (def: mergeConfig def.value) {};
76 }; 76 };
77 description = mdDoc '' 77 description = ''
78 The configuration of the Nix Packages collection. (For 78 The configuration of the Nix Packages collection. (For
79 details, see the Nixpkgs documentation.) It allows you to set 79 details, see the Nixpkgs documentation.) It allows you to set
80 package configuration options. 80 package configuration options.
@@ -91,96 +91,113 @@ in {
91 }; 91 };
92 }; 92 };
93 93
94 config = { 94 config = foldr recursiveUpdate {} ([
95 networking.hostName = hostName; 95 {
96 system.configurationRevision = mkIf (flake ? rev) flake.rev; 96 networking.hostName = hostName;
97 system.configurationRevision = mkIf (flake ? rev) flake.rev;
97 98
98 nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") { 99 nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") {
99 overlays = attrValues flake.overlays; 100 overlays = attrValues flake.overlays;
100 config = config.nixpkgs.externalConfig; 101 config = config.nixpkgs.externalConfig;
101 localSystem = config.nixpkgs.system; 102 localSystem = config.nixpkgs.system;
102 }; 103 };
103 104
104 nix = { 105 nix = {
105 package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable; 106 package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable;
106 settings = { 107 settings = {
107 sandbox = true; 108 sandbox = true;
108 allowed-users = [ "*" ]; 109 allowed-users = [ "*" ];
109 trusted-users = [ "root" "@wheel" ]; 110 trusted-users = [ "root" "@wheel" ];
110 111
111 experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"]; 112 experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"];
112 auto-allocate-uids = true; 113 auto-allocate-uids = true;
113 use-cgroups = true; 114 use-cgroups = true;
114 use-xdg-base-directories = true; 115 use-xdg-base-directories = true;
115 116
116 flake-registry = "${flakeInputs.flake-registry}/flake-registry.json"; 117 flake-registry = "${flakeInputs.flake-registry}/flake-registry.json";
118 };
119 nixPath = [
120 "nixpkgs=${pkgs.runCommand "nixpkgs" {} ''
121 mkdir $out
122 ln -s ${./nixpkgs.nix} $out/default.nix
123 ln -s /run/nixpkgs/lib $out/lib
124 ''}"
125 ];
126 registry =
127 let override = { self = "nixos"; };
128 in mapAttrs' (inpName: inpFlake: nameValuePair
129 (override.${inpName} or inpName)
130 { flake = inpFlake; } ) flakeInputs;
117 }; 131 };
118 nixPath = [ 132
119 "nixpkgs=${pkgs.runCommand "nixpkgs" {} '' 133 systemd.tmpfiles.rules = [
120 mkdir $out 134 "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
121 ln -s ${./nixpkgs.nix} $out/default.nix 135 "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
122 ln -s /run/nixpkgs/lib $out/lib 136 with builtins;
137
138 attrValues (import
139 (
140 let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
141 fetchTarball {
142 url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
143 sha256 = lock.nodes.flake-compat.locked.narHash;
144 }
145 )
146 { src = ${flake}; }
147 ).defaultNix.overlays
123 ''}" 148 ''}"
149 "L+ /etc/nixos - - - - ${flake}"
124 ]; 150 ];
125 registry =
126 let override = { self = "nixos"; };
127 in mapAttrs' (inpName: inpFlake: nameValuePair
128 (override.${inpName} or inpName)
129 { flake = inpFlake; } ) flakeInputs;
130 };
131
132 systemd.tmpfiles.rules = [
133 "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
134 "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
135 with builtins;
136
137 attrValues (import
138 (
139 let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
140 fetchTarball {
141 url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
142 sha256 = lock.nodes.flake-compat.locked.narHash;
143 }
144 )
145 { src = ${flake}; }
146 ).defaultNix.overlays
147 ''}"
148 ];
149
150 users.mutableUsers = false;
151 151
152 # documentation.nixos.includeAllModules = true; # incompatible with home-manager (build fails) 152 users.mutableUsers = false;
153 153
154 home-manager = { 154 documentation.nixos = {
155 useGlobalPkgs = true; # Otherwise home-manager would only work impurely 155 includeAllModules = true;
156 useUserPackages = false; 156 options.warningsAreErrors = false;
157 backupFileExtension = "bak"; 157 };
158 };
159 158
160 sops = mkIf hasSops { 159 home-manager = {
161 age = { 160 useGlobalPkgs = true; # Otherwise home-manager would only work impurely
162 keyFile = "/var/lib/sops-nix/key.txt"; 161 useUserPackages = false;
163 generateKey = false; 162 backupFileExtension = "bak";
164 sshKeyPaths = [];
165 }; 163 };
166 gnupg = { 164
167 home = null; 165 sops = mkIf hasSops {
168 sshKeyPaths = []; 166 age = {
167 keyFile = "/var/lib/sops-nix/key.txt";
168 generateKey = false;
169 sshKeyPaths = [];
170 };
171 gnupg = {
172 home = null;
173 sshKeyPaths = [];
174 };
169 }; 175 };
170 };
171 176
172 programs.git = { 177 programs.git = {
173 enable = true; 178 enable = true;
174 lfs.enable = true; 179 lfs.enable = true;
180 };
181 environment.systemPackages = with pkgs; [ git-annex scutiger ];
182 }
183 ] ++ (optional (options ? system.switch.enableNg) {
184 system.switch = lib.mkDefault {
185 enable = false;
186 enableNg = true;
175 }; 187 };
176 environment.systemPackages = with pkgs; [ git-annex scutiger ]; 188 })
177 189 ++ (optional (options ? system.etc) {
178 system.activationScripts.symlink-flake = '' 190 boot.initrd.systemd.enable = lib.mkDefault true;
179 if test -L /etc/nixos; then 191 system.etc.overlay.enable = lib.mkDefault true;
180 ln -nsf ${flake} /etc/nixos 192 systemd.sysusers.enable = lib.mkDefault true;
181 elif test -d /etc/nixos && rmdir --ignore-fail-on-non-empty /etc/nixos; then 193
182 ln -s ${flake} /etc/nixos 194 # Random perl remnants
183 fi 195 system.disableInstallerTools = lib.mkDefault true;
184 ''; 196 programs.less.lessopen = lib.mkDefault null;
185 }; 197 programs.command-not-found.enable = lib.mkDefault false;
198 boot.enableContainers = lib.mkDefault false;
199 boot.loader.grub.enable = lib.mkDefault false;
200 environment.defaultPackages = lib.mkDefault [ ];
201 documentation.info.enable = lib.mkDefault false;
202 }));
186} 203}
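Review bot: The new tmpfiles rule `"L+ /etc/nixos - - - - ${flake}"` (new line 149) replaces the activation script that only linked /etc/nixos when it was already a symlink or an empty directory (`rmdir --ignore-fail-on-non-empty`); as far as I can tell from tmpfiles.d(5) the `+` suffix removes whatever exists at the path first, recursively for a directory, so a host still carrying a hand-maintained /etc/nixos (configuration.nix, hardware-configuration.nix) would have it deleted on the first boot of this generation. Unless clobbering is intended, drop the `+` — `"L /etc/nixos - - - - ${flake}"` leaves an existing directory alone and only logs a warning — or keep the guarded activation script for that one path, and in either case a comment stating the chosen policy would help the next reader. A smaller style point: `foldr recursiveUpdate {}` is a plain attribute-set merge, so if two list elements ever set the same path (especially one of them via `mkDefault`/`mkIf`, whose `_type` wrappers recursiveUpdate does not understand) the later element silently wins instead of going through module-system priorities; `config = mkMerge ([ … ] ++ optional … )` over the same list keeps the `options ?` guards and merges correctly.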
diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix
index 2e75a8c4..db973b72 100644
--- a/system-profiles/initrd-ssh/module.nix
+++ b/system-profiles/initrd-ssh/module.nix
@@ -15,7 +15,7 @@ in
15 enable = mkOption { 15 enable = mkOption {
16 type = types.bool; 16 type = types.bool;
17 default = false; 17 default = false;
18 description = lib.mdDoc '' 18 description = ''
19 Start SSH service during initrd boot. It can be used to debug failing 19 Start SSH service during initrd boot. It can be used to debug failing
20 boot on a remote server, enter pasphrase for an encrypted partition etc. 20 boot on a remote server, enter pasphrase for an encrypted partition etc.
21 Service is killed when stage-1 boot is finished. 21 Service is killed when stage-1 boot is finished.
@@ -28,7 +28,7 @@ in
28 port = mkOption { 28 port = mkOption {
29 type = types.port; 29 type = types.port;
30 default = 22; 30 default = 22;
31 description = lib.mdDoc '' 31 description = ''
32 Port on which SSH initrd service should listen. 32 Port on which SSH initrd service should listen.
33 ''; 33 '';
34 }; 34 };
@@ -36,7 +36,7 @@ in
36 shell = mkOption { 36 shell = mkOption {
37 type = types.str; 37 type = types.str;
38 default = "/bin/ash"; 38 default = "/bin/ash";
39 description = lib.mdDoc '' 39 description = ''
40 Login shell of the remote user. Can be used to limit actions user can do. 40 Login shell of the remote user. Can be used to limit actions user can do.
41 ''; 41 '';
42 }; 42 };
@@ -48,7 +48,7 @@ in
48 "/etc/secrets/initrd/ssh_host_rsa_key" 48 "/etc/secrets/initrd/ssh_host_rsa_key"
49 "/etc/secrets/initrd/ssh_host_ed25519_key" 49 "/etc/secrets/initrd/ssh_host_ed25519_key"
50 ]; 50 ];
51 description = lib.mdDoc '' 51 description = ''
52 Specify SSH host keys to import into the initrd. 52 Specify SSH host keys to import into the initrd.
53 53
54 To generate keys, use 54 To generate keys, use
@@ -80,7 +80,7 @@ in
80 type = types.listOf types.str; 80 type = types.listOf types.str;
81 default = config.users.users.root.openssh.authorizedKeys.keys; 81 default = config.users.users.root.openssh.authorizedKeys.keys;
82 defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys"; 82 defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";
83 description = lib.mdDoc '' 83 description = ''
84 Authorized keys for the root user on initrd. 84 Authorized keys for the root user on initrd.
85 ''; 85 '';
86 }; 86 };
@@ -88,7 +88,7 @@ in
88 extraConfig = mkOption { 88 extraConfig = mkOption {
89 type = types.lines; 89 type = types.lines;
90 default = ""; 90 default = "";
91 description = lib.mdDoc "Verbatim contents of {file}`sshd_config`."; 91 description = "Verbatim contents of {file}`sshd_config`.";
92 }; 92 };
93 }; 93 };
94 94
diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix
index 4323765b..1cd930d9 100644
--- a/system-profiles/nfsroot.nix
+++ b/system-profiles/nfsroot.nix
@@ -1,4 +1,4 @@
1{ config, pkgs, lib, flake, flakeInputs, ... }: 1{ config, options, pkgs, lib, flake, flakeInputs, ... }:
2 2
3with lib; 3with lib;
4 4
@@ -14,99 +14,111 @@ in {
14 storeDevice = mkOption { 14 storeDevice = mkOption {
15 type = types.str; 15 type = types.str;
16 default = "nfsroot:nix-store"; 16 default = "nfsroot:nix-store";
17 description = "Nix store device";
17 }; 18 };
18 19
19 registrationUrl = mkOption { 20 registrationUrl = mkOption {
20 type = types.str; 21 type = types.str;
21 default = "http://nfsroot/nix-registration"; 22 default = "http://nfsroot/nix-registration";
23 description = "Url of nix store registrations";
22 }; 24 };
23 }; 25 };
24 26
25 system.build = { 27 system.build = {
26 storeContents = mkOption {}; 28 storeContents = mkOption {
29 description = "Contents of nix store";
30 };
27 }; 31 };
28 }; 32 };
29 33
30 config = { 34 config = foldr recursiveUpdate {} ([
31 # Don't build the GRUB menu builder script, since we don't need it 35 {
32 # here and it causes a cyclic dependency. 36 # Don't build the GRUB menu builder script, since we don't need it
33 boot.loader.grub.enable = false; 37 # here and it causes a cyclic dependency.
34 38 boot.loader.grub.enable = false;
35 # !!! Hack - attributes expected by other modules. 39
36 environment.systemPackages = [ pkgs.grub2_efi ] 40 # !!! Hack - attributes expected by other modules.
37 ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" 41 environment.systemPackages = [ pkgs.grub2_efi ]
38 then [] 42 ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
39 else [ pkgs.grub2 pkgs.syslinux ]); 43 then []
40 44 else [ pkgs.grub2 pkgs.syslinux ]);
41 # In stage 1, mount a tmpfs on top of /nix/store (the squashfs 45
42 # image) to make this a live CD. 46 # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
43 fileSystems."/nix/.ro-store" = mkImageMediaOverride 47 # image) to make this a live CD.
44 { fsType = "nfs4"; 48 fileSystems."/nix/.ro-store" = mkImageMediaOverride
45 device = cfg.storeDevice; 49 { fsType = "nfs4";
46 options = [ "ro" ]; 50 device = cfg.storeDevice;
47 neededForBoot = true; 51 options = [ "ro" ];
48 }; 52 neededForBoot = true;
53 };
54
55 fileSystems."/nix/.rw-store" = mkImageMediaOverride
56 { fsType = "tmpfs";
57 options = [ "mode=0755" ];
58 neededForBoot = true;
59 };
60
61 fileSystems."/nix/store" = mkImageMediaOverride
62 { fsType = "overlay";
63 device = "overlay";
64 options = [
65 "lowerdir=/nix/.ro-store"
66 "upperdir=/nix/.rw-store/store"
67 "workdir=/nix/.rw-store/work"
68 ];
69
70 depends = [
71 "/nix/.ro-store"
72 "/nix/.rw-store/store"
73 "/nix/.rw-store/work"
74 ];
75 };
76
77 nix.settings.use-sqlite-wal = false;
78
79 boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
80 boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
81 services.rpcbind.enable = mkImageMediaOverride false;
82
83 boot.initrd.network.enable = true;
84 boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
85 boot.initrd.postMountCommands = ''
86 mkdir -p /mnt-root/etc/
87 cp /etc/resolv.conf /mnt-root/etc/resolv.conf
88 '';
89 networking.useDHCP = true;
90 networking.resolvconf.enable = false;
91 networking.dhcpcd.persistent = true;
49 92
50 fileSystems."/nix/.rw-store" = mkImageMediaOverride
51 { fsType = "tmpfs";
52 options = [ "mode=0755" ];
53 neededForBoot = true;
54 };
55 93
56 fileSystems."/nix/store" = mkImageMediaOverride 94 system.build.storeContents = [config.system.build.toplevel];
57 { fsType = "overlay";
58 device = "overlay";
59 options = [
60 "lowerdir=/nix/.ro-store"
61 "upperdir=/nix/.rw-store/store"
62 "workdir=/nix/.rw-store/work"
63 ];
64
65 depends = [
66 "/nix/.ro-store"
67 "/nix/.rw-store/store"
68 "/nix/.rw-store/work"
69 ];
70 };
71 95
72 nix.settings.use-sqlite-wal = false; 96 system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
73 97 #!ipxe
74 boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ]; 98 # Use the cmdline variable to allow the user to specify custom kernel params
75 boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ]; 99 # when chainloading this script from other iPXE scripts like netboot.xyz
76 services.rpcbind.enable = mkImageMediaOverride false; 100 kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
77 101 initrd initrd
78 boot.initrd.network.enable = true; 102 boot
79 boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
80 boot.initrd.postMountCommands = ''
81 mkdir -p /mnt-root/etc/
82 cp /etc/resolv.conf /mnt-root/etc/resolv.conf
83 '';
84 networking.useDHCP = true;
85 networking.resolvconf.enable = false;
86 networking.dhcpcd.persistent = true;
87
88
89 system.build.storeContents = [config.system.build.toplevel];
90
91 system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
92 #!ipxe
93 # Use the cmdline variable to allow the user to specify custom kernel params
94 # when chainloading this script from other iPXE scripts like netboot.xyz
95 kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
96 initrd initrd
97 boot
98 '';
99
100 boot.postBootCommands =
101 ''
102 # After booting, register the contents of the Nix store on NFS
103 # in the Nix database in the tmpfs.
104 ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
105
106 # nixos-rebuild also requires a "system" profile and an
107 # /etc/NIXOS tag.
108 touch /etc/NIXOS
109 ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
110 ''; 103 '';
111 }; 104
105 boot.postBootCommands =
106 ''
107 # After booting, register the contents of the Nix store on NFS
108 # in the Nix database in the tmpfs.
109 ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
110
111 # nixos-rebuild also requires a "system" profile and an
112 # /etc/NIXOS tag.
113 touch /etc/NIXOS
114 ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
115 '';
116
117 boot.initrd.systemd.enable = false;
118 }
119 ] ++ (optional (options ? system.etc) {
120 system.etc.overlay.enable = false;
121 }) ++ (optional (options ? system.sysusers) {
122 systemd.sysusers.enable = false;
123 }));
112} 124}
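Review bot: The guard on new lines 121–122, `optional (options ? system.sysusers) { systemd.sysusers.enable = false; }`, tests a path that does not match the option it sets: the option lives under `systemd.sysusers`, and I am not aware of any `system.sysusers` option in nixpkgs, so the override is never applied and the `systemd.sysusers.enable = lib.mkDefault true` from the core profile stays in effect on nfsroot hosts. `optional (options ? systemd.sysusers) { … }` is presumably what was meant; the core profile keys the same setting off `options ? system.etc`, which would also be consistent here. Separately, and not new in this commit, the registration step `curl ${escapeShellArg cfg.registrationUrl} | nix-store --load-db` fetches over plain HTTP with no `--fail`, so an error page, redirect body or anything an on-path attacker substitutes is fed straight into the Nix database as valid store paths. At minimum `curl --fail --silent --show-error` turns a bad response into a hard failure instead of a poisoned DB, and an https default for registrationUrl (and an authenticated NFS export for the store) would close the tampering case.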