From 6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Tue, 8 Aug 2023 21:48:11 +0200
Subject: ...

---
 accounts/gkleen@sif/ssh-hosts.nix |  3 ++
 flake.nix                         |  7 ++-
 hosts/sif/default.nix             |  4 +-
 hosts/sif/ruleset.nft             | 10 +++++
 installer/default.nix             | 19 +++++++-
 installer/shell.nix               | 92 +++++++++++++++++++++++++++++++++++++++
 6 files changed, 130 insertions(+), 5 deletions(-)
 create mode 100644 installer/shell.nix

diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix
index 5f5d0ddb..de53dce5 100644
--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -498,6 +498,9 @@
           bind = { address = "/home/gkleen/.ssh/emacs-server"; };
         }
       ];
+      extraOptions = {
+        StreamLocalBindUnlink = "yes";
+      };
     };
   "gitlab.uniworx.de" =
     { user = "git";
diff --git a/flake.nix b/flake.nix
index fd18ba0b..746c9134 100644
--- a/flake.nix
+++ b/flake.nix
@@ -133,7 +133,7 @@
       utils = import ./utils { inherit lib; };
       inherit (utils) nixImport overrideModule;
       inherit (lib) nixosSystem mkIf splitString filterAttrs listToAttrs mapAttrsToList nameValuePair concatMap composeManyExtensions mapAttrs mapAttrs' recursiveUpdate genAttrs unique elem optionalAttrs isDerivation concatLists concatStringsSep fix filter makeOverridable foldr;
-      inherit (lib.strings) escapeNixString;
+      inherit (lib.strings) escapeNixString hasSuffix;
 
       accountUserName = accountName:
         let
@@ -225,6 +225,9 @@
 
       activateNixosConfigurations = forAllSystems (system: _pkgs: filterAttrs (_n: v: v != null) (mapAttrs' (hostName: nixosConfig: nameValuePair "${hostName}-activate" (if system == nixosConfig.config.nixpkgs.system then { type = "app"; program = "${nixosConfig.config.system.build.toplevel}/bin/switch-to-configuration"; } else null)) self.nixosConfigurations));
       activateHomeManagerConfigurations = forAllSystems (system: _pkgs: filterAttrs (_n: v: v != null) (listToAttrs (concatLists (mapAttrsToList (hostName: nixosConfig: mapAttrsToList (userName: userCfg: nameValuePair "${userName}@${hostName}-activate" (if system == nixosConfig.config.nixpkgs.system then { type = "app"; program = "${userCfg.home.activationPackage}/activate"; } else null)) nixosConfig.config.home-manager.users) self.nixosConfigurations))));
+      installerShells = system: pkgs: mapAttrs (installerName: config: pkgs.callPackage ./installer/shell.nix {
+        inherit system installerName config;
+      }) (filterAttrs (n: _v: hasSuffix "-netboot" n) installerNixosConfigurations);
 
       overlayPaths = nixImport rec { dir = ./overlays; _import = (path: _name: dir + "/${path}"); };
 
@@ -270,7 +273,7 @@
 
         apps = foldr recursiveUpdate {} [activateNixosConfigurations activateHomeManagerConfigurations];
 
-        devShells = forAllSystems (system: systemPkgs: { default = import ./shell.nix ({ inherit system; } // inputs); });
+        devShells = forAllSystems (system: systemPkgs: { default = import ./shell.nix ({ inherit system; } // inputs); } // installerShells system systemPkgs);
 
         templates.default = {
           path = ./.;
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index c55cc7a8..bde5cdf8 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -288,8 +288,8 @@ in {
         bogus-priv = true;
         no-hosts = true;
         listen-address = [ "192.168.122.1" "fd45:febc:b028::" ];
-        interface = "virbr0";
-        except-interface = "lo";
+        # interface = "virbr0";
+        # except-interface = "lo";
         bind-interfaces = true;
         domain = "libvirt,192.168.122.0/24";
         dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ];
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index e2ac45c6..33c17253 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -90,6 +90,7 @@ table inet filter {
   counter libvirt-dns {}
 
 
+  chain forward_tmp {}
   chain forward {
     type filter hook forward priority filter
     policy drop
@@ -100,6 +101,8 @@ table inet filter {
 
     iifname lo counter name fw-lo accept
 
+    jump forward_tmp
+
     iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
     oifname virbr0 ct state {established, related} counter name fw-libvirt accept
 
@@ -110,6 +113,7 @@ table inet filter {
     ct state new counter name reject-icmp-fw reject
   }
 
+  chain input_tmp {}
   chain input {
     type filter hook input priority filter
     policy drop
@@ -125,6 +129,8 @@ table inet filter {
     meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
     meta l4proto $icmp_protos counter name icmp-rx accept
 
+    jump input_tmp
+
     tcp dport 22 counter name ssh-rx accept
     udp dport 60000-61000 counter name mosh-rx accept
 
@@ -180,11 +186,13 @@ table inet filter {
 table ip nat {
   counter libvirt-nat {}
 
+  chain postrouting_tmp {}
   chain postrouting {
     type nat hook postrouting priority srcnat
     policy accept
 
     iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+    jump postrouting_tmp
   }
 }
 
@@ -202,10 +210,12 @@ table ip6 nat {
 table ip mss_clamp {
   counter libvirt-mss-clamp {}
 
+  chain postrouting_tmp {}
   chain postrouting {
     type filter hook postrouting priority mangle
     policy accept
 
     iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+    jump postrouting_tmp
   }
 }
diff --git a/installer/default.nix b/installer/default.nix
index a0c84182..9043d59b 100644
--- a/installer/default.nix
+++ b/installer/default.nix
@@ -26,11 +26,28 @@
     };
 
     environment.systemPackages = with pkgs; [
-      nvme-cli iotop mosh
+      nvme-cli iotop pciutils bottom
+
+      cudatoolkit
     ];
 
     zramSwap.enable = true;
 
+    users.defaultUserShell = pkgs.zsh;
+    programs = {
+      mosh.enable = true;
+      tmux.enable = true;
+      zsh.enable = true;
+    };
+
+    # nvidia
+    services.xserver.videoDrivers = [ "nvidia" ];
+    systemd.services.nvidia-control-devices = {
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.ExecStart = "${pkgs.linuxPackages.nvidia_x11.bin}/bin/nvidia-smi";
+    };
+    nixpkgs.config.allowUnfree = true;
+
     system.stateVersion = config.system.nixos.release; # No state in installer
   };
 }
diff --git a/installer/shell.nix b/installer/shell.nix
new file mode 100644
index 00000000..043f0ddc
--- /dev/null
+++ b/installer/shell.nix
@@ -0,0 +1,92 @@
+{ system, installerName, config
+, runCommand, makeWrapper, pixiecore, writeShellApplication, coreutils, busybox, nftables, mkShell
+}:
+
+let
+  pxeBuild = config.config.system.build;
+  pixiecore-wrapped = runCommand "pixiecore-${system}-${installerName}" {
+    nativeBuildInputs = [ makeWrapper ];
+  } ''
+    mkdir -p $out/bin
+    makeWrapper ${pixiecore}/bin/pixiecore $out/bin/pixiecore-${installerName} \
+      --add-flags boot \
+      --add-flags "${pxeBuild.kernel}/bzImage" --add-flags "${pxeBuild.netbootRamdisk}/initrd" \
+      --add-flags "--cmdline \"init=${pxeBuild.toplevel}/init loglevel=4\"" \
+      --add-flags "-dt" --add-flags "--status-port 64172" --add-flags "--port 64172" --add-flags "--dhcp-no-bind"
+  '';
+  udhcpd = writeShellApplication {
+    name = "udhcpd";
+
+    runtimeInputs = [ coreutils ];
+
+    text = ''
+      [[ -n "''${INTERFACE-}" ]] || exit 2
+
+      _LEASES_FILE=$(mktemp --tmpdir udhcpd.XXXXXXXXXX.leases)
+      exec ${busybox}/bin/udhcpd -f <(cat <<EOF
+        interface $INTERFACE
+        lease_file $_LEASES_FILE
+        start 10.0.0.128
+        end 10.0.0.254
+        max_leases 127
+        opt dns 8.8.8.8
+        option subnet 255.255.255.0
+        opt router 10.0.0.1
+        option lease 30
+      EOF
+      )
+    '';
+  };
+  nft_apply = writeShellApplication {
+    name = "pxe-nft-apply";
+
+    runtimeInputs = [ nftables ];
+
+    text = ''
+      [[ -n "''${INTERFACE-}" ]] || exit 2
+
+      exec nft -f - <<EOF
+        table inet filter {
+          chain forward_tmp {
+            iifname $INTERFACE oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4, virbr0} counter accept
+            oifname $INTERFACE ct state {established, related} counter accept
+          }
+
+          chain input_tmp {
+            iifname $INTERFACE udp dport {67,69,4011} counter accept
+            iifname $INTERFACE tcp dport 64172 counter accept
+          }
+        }
+
+        table ip nat {
+          chain postrouting_tmp {
+            iifname $INTERFACE oifname != $INTERFACE counter masquerade
+          }
+        }
+
+        table ip mss_clamp {
+          chain postrouting_tmp {
+            iifname $INTERFACE oifname != $INTERFACE tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+          }
+        }
+      EOF
+    '';
+  };
+  nft_flush = writeShellApplication {
+    name = "pxe-nft-flush";
+
+    runtimeInputs = [ nftables ];
+
+    text = ''
+      exec nft -f - <<EOF
+        flush chain inet filter forward_tmp
+        flush chain inet filter input_tmp
+        flush chain ip nat postrouting_tmp
+        flush chain ip mss_clamp postrouting_tmp
+      EOF
+    '';
+  };
+in mkShell {
+  name = installerName;
+  nativeBuildInputs = [ pixiecore-wrapped udhcpd nft_apply nft_flush ];
+}
-- 
cgit v1.2.3