Diffstat (limited to 'installer/shell.nix')
-rw-r--r-- | installer/shell.nix | 92 |
1 files changed, 92 insertions, 0 deletions
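--- /dev/null
+++ b/installer/shell.nix
@@ -0,0 +1,92 @@
+{ system, installerName, config
+, runCommand, makeWrapper, pixiecore, writeShellApplication, coreutils, busybox, nftables, mkShell
+}:
+
+let
+pxeBuild = config.config.system.build;
+pixiecore-wrapped = runCommand "pixiecore-${system}-${installerName}" {
+nativeBuildInputs = [ makeWrapper ];
+} ''
+mkdir -p $out/bin
+makeWrapper ${pixiecore}/bin/pixiecore $out/bin/pixiecore-${installerName} \
+--add-flags boot \
+--add-flags "${pxeBuild.kernel}/bzImage" --add-flags "${pxeBuild.netbootRamdisk}/initrd" \
+--add-flags "--cmdline \"init=${pxeBuild.toplevel}/init loglevel=4\"" \
+--add-flags "-dt" --add-flags "--status-port 64172" --add-flags "--port 64172" --add-flags "--dhcp-no-bind"
+'';
+udhcpd = writeShellApplication {
+name = "udhcpd";
+
+runtimeInputs = [ coreutils ];
+
+text = ''
+[[ -n "''${INTERFACE-}" ]] || exit 2
+
+_LEASES_FILE=$(mktemp --tmpdir udhcpd.XXXXXXXXXX.leases)
+exec ${busybox}/bin/udhcpd -f <(cat <<EOF
+interface $INTERFACE
+lease_file $_LEASES_FILE
+start 10.0.0.128
+end 10.0.0.254
+max_leases 127
+opt dns 8.8.8.8
+option subnet 255.255.255.0
+opt router 10.0.0.1
+option lease 30
+EOF
+)
+'';
+};
+nft_apply = writeShellApplication {
+name = "pxe-nft-apply";
+
+runtimeInputs = [ nftables ];
+
+text = ''
+[[ -n "''${INTERFACE-}" ]] || exit 2
+
+exec nft -f - <<EOF
+table inet filter {
+chain forward_tmp {
+iifname $INTERFACE oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4, virbr0} counter accept
+oifname $INTERFACE ct state {established, related} counter accept
+}
+
+chain input_tmp {
+iifname $INTERFACE udp dport {67,69,4011} counter accept
+iifname $INTERFACE tcp dport 64172 counter accept
+}
+}
+
+table ip nat {
+chain postrouting_tmp {
+iifname $INTERFACE oifname != $INTERFACE counter masquerade
+}
+}
+
+table ip mss_clamp {
+chain postrouting_tmp {
+iifname $INTERFACE oifname != $INTERFACE tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+}
+}
+EOF
+'';
+};
+nft_flush = writeShellApplication {
+name = "pxe-nft-flush";
+
+runtimeInputs = [ nftables ];
+
+text = ''
+exec nft -f - <<EOF
+flush chain inet filter forward_tmp
+flush chain inet filter input_tmp
+flush chain ip nat postrouting_tmp
+flush chain ip mss_clamp postrouting_tmp
+EOF
+'';
+};
+in mkShell {
+name = installerName;
+nativeBuildInputs = [ pixiecore-wrapped udhcpd nft_apply nft_flush ];
+}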
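Review bot: `$INTERFACE` is only checked for being non-empty in the udhcpd and pxe-nft-apply scripts and is then interpolated unquoted into the nft ruleset (`iifname $INTERFACE`, `oifname != $INTERFACE`) and the udhcpd config, so a value containing whitespace or nft/shell metacharacters yields a malformed or unintended ruleset instead of a clean failure; tightening the guard in both scripts to `[[ "''${INTERFACE-}" =~ ^[A-Za-z0-9_.-]+$ ]] || exit 2` fails closed. The chains `forward_tmp`, `input_tmp` and `postrouting_tmp` carry no `type`/`hook` declaration, so they presumably rely on base chains defined elsewhere on the host jumping to them — a comment naming that dependency would help, since without it the rules are never evaluated and the ports opened here are silently ineffective. pxe-nft-flush only flushes those chains, leaving the empty chains and the `mss_clamp` table behind, and the oifname exclusion list in `forward_tmp` is specific to one host's interfaces, which is worth documenting or parameterizing if this shell is meant to be reused.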