13 files changed, 446 insertions, 147 deletions

diff --git a/accounts/gkleen@eos.nix b/accounts/gkleen@eos.nix
index c157af78..dbe48ead 100644
--- a/accounts/gkleen@eos.nix
+++ b/accounts/gkleen@eos.nix
@@ -1 +1,24 @@
-{ ... }: {}
+{ flake, userName, pkgs, ... }:
+{
+  imports = with flake.nixosModules.userProfiles.${userName}; [
+    zsh utils tmux
+  ];
+
+  config.home-manager.users.${userName} = {
+    nixpkgs.config = {
+      allowUnfree = true;
+    };
+
+    home.packages = with pkgs; [
+      thunderbird libreoffice element-desktop keepassxc
+    ];
+
+    programs.firefox = {
+      enable = true;
+      profiles.default.settings = {
+        "dom.security.https_only_mode" = true;
+        "browser.cache.disk.enable" = false;
+      };
+    };
+  };
+}
diff --git a/accounts/mherold@eos.nix b/accounts/mherold@eos.nix
new file mode 100644
index 00000000..6d376835
--- /dev/null
+++ b/accounts/mherold@eos.nix
@@ -0,0 +1,19 @@
+{ userName, pkgs, ... }: {
+  config.home-manager.users.${userName} = {
+    nixpkgs.config = {
+      allowUnfree = true;
+    };
+
+    home.packages = with pkgs; [
+      thunderbird libreoffice element-desktop keepassxc
+    ];
+
+    programs.firefox = {
+      enable = true;
+      profiles.default.settings = {
+        "dom.security.https_only_mode" = true;
+        "browser.cache.disk.enable" = false;
+      };
+    };
+  };
+}
diff --git a/accounts/mherold@eos/default.nix b/accounts/mherold@eos/default.nix
deleted file mode 100644
index c157af78..00000000
--- a/accounts/mherold@eos/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: {}
diff --git a/deploy/eos.nix b/deploy/eos.nix
new file mode 100644
index 00000000..65a4c7ed
--- /dev/null
+++ b/deploy/eos.nix
@@ -0,0 +1 @@
+{ ... }: { enabled = false; }
diff --git a/hosts/eos/default.nix b/hosts/eos/default.nix
new file mode 100644
index 00000000..1c5347e7
--- /dev/null
+++ b/hosts/eos/default.nix
@@ -0,0 +1,101 @@
+{ flake, config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  imports = with flake.nixosModules.systemProfiles; [
+    nfsroot
+  ];
+
+  config = {
+    nixpkgs = {
+      system = "x86_64-linux";
+      config = {
+        allowUnfree = true;
+      };
+    };
+
+    boot = {
+      initrd = {
+        availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
+        kernelModules = [ "igb" ];
+      };
+      kernelModules = [ "kvm-amd" ];
+      extraModulePackages = [ ];
+
+      plymouth.enable = true;
+
+      tmpOnTmpfs = true;
+    };
+
+    hardware = {
+      enableRedistributableFirmware = true;
+      cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+      nvidia = {
+        modesetting.enable = true;
+        powerManagement.enable = true;
+      };
+
+      opengl.enable = true;
+    };
+
+    environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
+
+    networking = {
+      hostId = "f457b213";
+
+      domain = "asgard.yggdrasil";
+      search = [ "asgard.yggdrasil" "yggdrasil" ];
+
+      hosts = {
+        "127.0.0.1" = [ "eos.asgard.yggdrasil" "eos" ];
+        "::1" = [ "eos.asgard.yggdrasil" "eos" ];
+      };
+
+      firewall.enable = false;
+      nftables = {
+        enable = true;
+        rulesetFile = ./ruleset.nft;
+      };
+    };
+
+    services.resolved = {
+      llmnr = "false";
+    };
+
+    zramSwap.enable = true;
+
+    system.stateVersion = config.system.nixos.release; # No state
+
+
+    time.timeZone = "Europe/Berlin";
+    time.hardwareClockInLocalTime = true;
+    i18n.defaultLocale = "en_DK.UTF-8";
+
+
+    environment.systemPackages = with pkgs; [ cifs-utils ];
+
+    security.pam.mount = {
+      enable = true;
+      extraVolumes = [
+        "<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"home-eos\" mountpoint=\"~\" />"
+        "<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"%(USER)\" mountpoint=\"/run/media/%(USER)/vidhar\" />"
+      ];
+    };
+
+
+    services.xserver = {
+      enable = true;
+      displayManager.sddm = {
+        enable = true;
+        settings = {
+          Users.HideUsers = "gkleen";
+        };
+      };
+      desktopManager.plasma5.enable = true;
+
+      videoDrivers = [ "nvidia" ];
+    };
+  };
+}
diff --git a/hosts/eos/ruleset.nft b/hosts/eos/ruleset.nft
new file mode 100644
index 00000000..7b38a059
--- /dev/null
+++ b/hosts/eos/ruleset.nft
@@ -0,0 +1,101 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy accept
+
+    limit name lim_arp counter drop
+
+    counter
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+    limit name lim_arp counter drop
+
+    counter
+  }
+}
+
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+    iifname lo counter accept
+
+
+    limit name lim_reject log level debug prefix "drop forward: " counter drop
+    log level debug prefix "reject forward: " counter
+    meta l4proto tcp ct state new counter reject with tcp reset
+    ct state new counter reject
+
+
+    counter
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+    iifname lo counter accept
+    iif != lo ip daddr 127.0.0.1/8 counter reject
+    iif != lo ip6 daddr ::1/128 counter reject
+
+    meta l4proto $icmp_protos limit name lim_icmp counter drop
+    meta l4proto $icmp_protos counter accept
+
+    tcp dport 22 counter accept
+    udp dport 60000-61000 counter accept
+
+
+    ct state {established, related} counter accept
+
+
+    limit name lim_reject log level debug prefix "drop input: " counter drop
+    log level debug prefix "reject input: " counter
+    meta l4proto tcp ct state new counter reject with tcp reset
+    ct state new counter reject
+
+
+    counter
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+
+    oifname lo counter accept
+
+    meta l4proto $icmp_protos limit name lim_icmp counter drop
+    meta l4proto $icmp_protos counter accept
+
+
+    counter
+  }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 3f5d17d5..fc77f03c 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -235,25 +235,30 @@ with lib;
         ];
       };
     };
-    systemd.services.loki.preStart = let
-      rulesYaml = generators.toYAML {} {
-        groups = [
-          { name = "power-failures";
-            rules = [
-              { record = "apcupsd_power_failures:per_day";
-                expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400";
-              }
-              { record = "apcupsd_power_failures:per_week";
-                expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800";
-              }
-            ];
-          }
-        ];
-      };
-    in ''
-      ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake
-      ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml
-    '';
+    systemd.services.loki = {
+      preStart = let
+        rulesYaml = generators.toYAML {} {
+          groups = [
+            { name = "power-failures";
+              rules = [
+                { record = "apcupsd_power_failures:per_day";
+                  expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400";
+                }
+                { record = "apcupsd_power_failures:per_week";
+                  expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800";
+                }
+              ];
+            }
+          ];
+        };
+      in ''
+        ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake
+        ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml
+      '';
+      serviceConfig.Environment = [
+        "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19"
+      ];
+    };
     services.promtail = {
       enable = true;
       configuration = {
@@ -286,6 +291,9 @@ with lib;
         ];
       };
     };
+    systemd.services.promtail.serviceConfig.Environment = [
+      "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19"
+    ];
 
     services.apcupsd = {
       enable = true;
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index dfaa4c9f..d3407f1d 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -23,6 +23,12 @@ with lib;
           };
 
           client-classes = [
+            { name = "eos-ipxe";
+              test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'";
+              next-server = "10.141.0.1";
+              boot-file-name = "http://nfsroot.vidhar.yggdrasil/eos/netboot.ipxe";
+              only-if-required = true;
+            }
             { name = "ipxe";
               test = "option[77].hex == 'iPXE'";
               next-server = "10.141.0.1";
@@ -85,7 +91,7 @@ with lib;
               ddns-send-updates = true;
               ddns-qualifying-suffix = "lan.yggdrasil";
               pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
-              require-client-classes = ["ipxe" "uefi-64" "uefi-32" "legacy"];
+              require-client-classes = map (cc: cc.name) config.services.kea.dhcp4.settings.client-classes;
               reservations = [
                 { hostname = "sif";
                   hw-address = "3c:e1:a1:52:24:35";
@@ -258,7 +264,25 @@ with lib;
                    ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
                '')
               ) ["x86_64-linux"]
-            );
+            ) ++ [
+              (let
+                 eosBuild = (flake.nixosConfigurations.eos.extendModules {
+                   modules = [
+                     ({ ... }: {
+                       config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+                       config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eos/registration";
+                     })
+                   ];
+                 }).config.system.build;
+               in builtins.toPath (pkgs.runCommandLocal "eos" {} ''
+                    mkdir -p $out/eos
+                    install -m 0444 -t $out/eos \
+                      ${eosBuild.initialRamdisk}/initrd \
+                      ${eosBuild.kernel}/bzImage \
+                      ${eosBuild.netbootIpxeScript}/netboot.ipxe \
+                      ${pkgs.closureInfo { rootPaths = eosBuild.storeContents; }}/registration
+                  ''))
+            ];
         };
       };
     };
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix
index 0ddf56a3..ffca9c6d 100644
--- a/hosts/vidhar/samba.nix
+++ b/hosts/vidhar/samba.nix
@@ -14,28 +14,45 @@
         guest account = nobody
         bind interfaces only = yes
         interfaces = lo lan
+        server signing = mandatory
+        server min protocol = SMB3
+        server smb encrypt = required
       '';
       shares = {
         homes = {
-          comment = "Home Directories";
+          comment = "Home directory for %S";
           path = "/home/%S";
-          browseable = "no";
+          browseable = false;
           "valid users" = "%S";
-          "read only" = "no";
+          "read only" = false;
           "create mask" = "0700";
           "directory mask" = "0700";
           "vfs objects" = "shadow_copy2";
           "shadow:snapdir" = ".zfs/snapshot";
+          "shadow:snapdirseverywhere" = true;
           "shadow:sort" = "desc";
           "shadow:format" = "%Y-%m-%dT%H:%M:%SZ";
         };
         eos = {
-          comment = "Disk image of eos";
+          comment = "Disk image of legacy eos";
           browseable = true;
           "valid users" = "mherold";
           writeable = "true";
           path = "/srv/eos";
         };
+        home-eos = {
+          comment = "Home directoriy for %u on PXE booted EOS";
+          path = "/srv/cifs/home-eos/%u";
+          volume = "%u@eos";
+          browseable = true;
+          "read only" = false;
+          "create mask" = "0700";
+          "directory mask" = "0700";
+          "vfs objects" = "shadow_copy2";
+          "shadow:snapdir" = ".zfs/snapshot";
+          "shadow:sort" = "desc";
+          "shadow:format" = "%Y-%m-%dT%H:%M:%SZ";
+        };
       };
     };
     services.samba-wsdd = {
diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix
index 52b48aca..1de4b9b7 100644
--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -23,7 +23,7 @@
           fsType = "zfs";
           neededForBoot = true;
         };
-      
+
       "/var/lib/nixos" =
         { device = "ssd-raid1/local/var-lib-nixos";
           fsType = "zfs";
@@ -34,22 +34,22 @@
         { device = "ssd-raid1/local/var-lib-unbound";
           fsType = "zfs";
         };
-      
+
       # "/var/lib/dhcp" =
       #   { device = "ssd-raid1/local/var-lib-dhcp";
       #     fsType = "zfs";
       #   };
-      
+
       "/var/lib/chrony" =
         { device = "ssd-raid1/local/var-lib-chrony";
           fsType = "zfs";
         };
-      
+
       "/var/lib/samba" =
         { device = "ssd-raid1/local/var-lib-samba";
           fsType = "zfs";
         };
-      
+
       # "/var/lib/prometheus2" =
       #   { device = "ssd-raid1/local/var-lib-prometheus2";
       #     fsType = "zfs";
@@ -67,7 +67,7 @@
       #     fsType = "zfs";
       #     options = [ "zfsutil" ];
       #   };
-      
+
       # "/srv/tftp" =
       #   { device = "ssd-raid1/local/srv-tftp";
       #     fsType = "zfs";
diff --git a/installer-profiles/nfsroot.nix b/installer-profiles/nfsroot.nix
index 2688a8d0..6bd875b4 100644
--- a/installer-profiles/nfsroot.nix
+++ b/installer-profiles/nfsroot.nix
@@ -1,121 +1,11 @@
-{ config, pkgs, lib, flakeInputs, ... }:
+{ flakeInputs, flake, ... }:
 
-with lib;
-
-let
-  cfg = config.nfsroot;
-in {
-  imports = [
+{
+  imports = with flake.nixosModules.systemProfiles; [
+    nfsroot
     "${flakeInputs.nixpkgs.outPath}/nixos/modules/profiles/minimal.nix"
     "${flakeInputs.nixpkgs.outPath}/nixos/modules/profiles/all-hardware.nix"
     "${flakeInputs.nixpkgs.outPath}/nixos/modules/profiles/base.nix"
     "${flakeInputs.nixpkgs.outPath}/nixos/modules/profiles/installation-device.nix"
   ];
-
-  options = {
-    nfsroot = {
-      storeDevice = mkOption {
-        type = types.str;
-        default = "nfsroot:nix-store";
-      };
-
-      registrationUrl = mkOption {
-        type = types.str;
-        default = "http://nfsroot/nix-registration";
-      };
-    };
-
-    system.build = {
-      storeContents = mkOption {};
-    };
-  };
-
-  config = {
-    # Don't build the GRUB menu builder script, since we don't need it
-    # here and it causes a cyclic dependency.
-    boot.loader.grub.enable = false;
-
-    # !!! Hack - attributes expected by other modules.
-    environment.systemPackages = [ pkgs.grub2_efi ]
-      ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
-          then []
-          else [ pkgs.grub2 pkgs.syslinux ]);
-
-    fileSystems."/" = mkImageMediaOverride
-      { fsType = "tmpfs";
-        options = [ "mode=0755" ];
-      };
-
-    # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
-    # image) to make this a live CD.
-    fileSystems."/nix/.ro-store" = mkImageMediaOverride
-      { fsType = "nfs4";
-        device = cfg.storeDevice;
-        options = [ "ro" ];
-        neededForBoot = true;
-      };
-
-    fileSystems."/nix/.rw-store" = mkImageMediaOverride
-      { fsType = "tmpfs";
-        options = [ "mode=0755" ];
-        neededForBoot = true;
-      };
-
-    fileSystems."/nix/store" = mkImageMediaOverride
-      { fsType = "overlay";
-        device = "overlay";
-        options = [
-          "lowerdir=/nix/.ro-store"
-          "upperdir=/nix/.rw-store/store"
-          "workdir=/nix/.rw-store/work"
-        ];
-
-        depends = [
-          "/nix/.ro-store"
-          "/nix/.rw-store/store"
-          "/nix/.rw-store/work"
-        ];
-      };
-
-    nix.extraOptions = ''
-      use-sqlite-wal = false
-    '';
-
-    boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
-    boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
-    services.rpcbind.enable = mkImageMediaOverride false;
-
-    boot.initrd.network.enable = true;
-    boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
-    boot.initrd.postMountCommands = ''
-      mkdir -p /mnt-root/etc/
-      cp /etc/resolv.conf /mnt-root/etc/resolv.conf
-    '';
-    networking.useDHCP = true;
-    networking.resolvconf.enable = false;
-
-
-    system.build.storeContents = [config.system.build.toplevel];
-
-    system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
-      #!ipxe
-      # Use the cmdline variable to allow the user to specify custom kernel params
-      # when chainloading this script from other iPXE scripts like netboot.xyz
-      kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
-      initrd initrd
-      boot
-    '';
-
-    boot.postBootCommands =
-      ''
-        # After booting, register the contents of the Nix store on NFS
-        # in the Nix database in the tmpfs.
-        ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
-
-        # nixos-rebuild also requires a "system" profile and an
-        # /etc/NIXOS tag.
-        touch /etc/NIXOS
-        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
-      '';
-  };
 }
diff --git a/installer/default.nix b/installer/default.nix
index f882b22d..a0c84182 100644
--- a/installer/default.nix
+++ b/installer/default.nix
@@ -4,6 +4,8 @@
   ];
 
   config = {
+    hardware.cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
     networking = {
       firewall.enable = false;
       nftables = {
diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix
new file mode 100644
index 00000000..92cf98de
--- /dev/null
+++ b/system-profiles/nfsroot.nix
@@ -0,0 +1,114 @@
+{ config, pkgs, lib, flakeInputs, ... }:
+
+with lib;
+
+let
+  cfg = config.nfsroot;
+in {
+  options = {
+    nfsroot = {
+      storeDevice = mkOption {
+        type = types.str;
+        default = "nfsroot:nix-store";
+      };
+
+      registrationUrl = mkOption {
+        type = types.str;
+        default = "http://nfsroot/nix-registration";
+      };
+    };
+
+    system.build = {
+      storeContents = mkOption {};
+    };
+  };
+
+  config = {
+    # Don't build the GRUB menu builder script, since we don't need it
+    # here and it causes a cyclic dependency.
+    boot.loader.grub.enable = false;
+
+    # !!! Hack - attributes expected by other modules.
+    environment.systemPackages = [ pkgs.grub2_efi ]
+      ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
+          then []
+          else [ pkgs.grub2 pkgs.syslinux ]);
+
+    fileSystems."/" = mkImageMediaOverride
+      { fsType = "tmpfs";
+        options = [ "mode=0755" ];
+      };
+
+    # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
+    # image) to make this a live CD.
+    fileSystems."/nix/.ro-store" = mkImageMediaOverride
+      { fsType = "nfs4";
+        device = cfg.storeDevice;
+        options = [ "ro" ];
+        neededForBoot = true;
+      };
+
+    fileSystems."/nix/.rw-store" = mkImageMediaOverride
+      { fsType = "tmpfs";
+        options = [ "mode=0755" ];
+        neededForBoot = true;
+      };
+
+    fileSystems."/nix/store" = mkImageMediaOverride
+      { fsType = "overlay";
+        device = "overlay";
+        options = [
+          "lowerdir=/nix/.ro-store"
+          "upperdir=/nix/.rw-store/store"
+          "workdir=/nix/.rw-store/work"
+        ];
+
+        depends = [
+          "/nix/.ro-store"
+          "/nix/.rw-store/store"
+          "/nix/.rw-store/work"
+        ];
+      };
+
+    nix.extraOptions = ''
+      use-sqlite-wal = false
+    '';
+
+    boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
+    boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
+    services.rpcbind.enable = mkImageMediaOverride false;
+
+    boot.initrd.network.enable = true;
+    boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
+    boot.initrd.postMountCommands = ''
+      mkdir -p /mnt-root/etc/
+      cp /etc/resolv.conf /mnt-root/etc/resolv.conf
+    '';
+    networking.useDHCP = true;
+    networking.resolvconf.enable = false;
+
+
+    system.build.storeContents = [config.system.build.toplevel];
+
+    system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
+      #!ipxe
+      # Use the cmdline variable to allow the user to specify custom kernel params
+      # when chainloading this script from other iPXE scripts like netboot.xyz
+      kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
+      initrd initrd
+      boot
+    '';
+
+    boot.postBootCommands =
+      ''
+        # After booting, register the contents of the Nix store on NFS
+        # in the Nix database in the tmpfs.
+        ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
+
+        # nixos-rebuild also requires a "system" profile and an
+        # /etc/NIXOS tag.
+        touch /etc/NIXOS
+        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+      '';
+  };
+}