From 63adb41f1a060c21a68143eb9e86c2790ef66f36 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Thu, 8 Aug 2024 10:45:09 +0200
Subject: ...
---
system-profiles/core/default.nix | 175 +++++++++++++++++++---------------
system-profiles/initrd-ssh/module.nix | 12 +--
system-profiles/nfsroot.nix | 172 +++++++++++++++++----------------
3 files changed, 194 insertions(+), 165 deletions(-)
(limited to 'system-profiles')
diff --git a/system-profiles/core/default.nix b/system-profiles/core/default.nix
index 6aee221f..c2c821b7 100644
--- a/system-profiles/core/default.nix
+++ b/system-profiles/core/default.nix
@@ -74,7 +74,7 @@ in {
};
in foldr (def: mergeConfig def.value) {};
};
- description = mdDoc ''
+ description = ''
The configuration of the Nix Packages collection. (For
details, see the Nixpkgs documentation.) It allows you to set
package configuration options.
@@ -91,96 +91,113 @@ in {
};
};
- config = {
- networking.hostName = hostName;
- system.configurationRevision = mkIf (flake ? rev) flake.rev;
+ config = foldr recursiveUpdate {} ([
+ {
+ networking.hostName = hostName;
+ system.configurationRevision = mkIf (flake ? rev) flake.rev;
- nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") {
- overlays = attrValues flake.overlays;
- config = config.nixpkgs.externalConfig;
- localSystem = config.nixpkgs.system;
- };
+ nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") {
+ overlays = attrValues flake.overlays;
+ config = config.nixpkgs.externalConfig;
+ localSystem = config.nixpkgs.system;
+ };
- nix = {
- package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable;
- settings = {
- sandbox = true;
- allowed-users = [ "*" ];
- trusted-users = [ "root" "@wheel" ];
+ nix = {
+ package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable;
+ settings = {
+ sandbox = true;
+ allowed-users = [ "*" ];
+ trusted-users = [ "root" "@wheel" ];
- experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"];
- auto-allocate-uids = true;
- use-cgroups = true;
- use-xdg-base-directories = true;
+ experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"];
+ auto-allocate-uids = true;
+ use-cgroups = true;
+ use-xdg-base-directories = true;
- flake-registry = "${flakeInputs.flake-registry}/flake-registry.json";
+ flake-registry = "${flakeInputs.flake-registry}/flake-registry.json";
+ };
+ nixPath = [
+ "nixpkgs=${pkgs.runCommand "nixpkgs" {} ''
+ mkdir $out
+ ln -s ${./nixpkgs.nix} $out/default.nix
+ ln -s /run/nixpkgs/lib $out/lib
+ ''}"
+ ];
+ registry =
+ let override = { self = "nixos"; };
+ in mapAttrs' (inpName: inpFlake: nameValuePair
+ (override.${inpName} or inpName)
+ { flake = inpFlake; } ) flakeInputs;
};
- nixPath = [
- "nixpkgs=${pkgs.runCommand "nixpkgs" {} ''
- mkdir $out
- ln -s ${./nixpkgs.nix} $out/default.nix
- ln -s /run/nixpkgs/lib $out/lib
+
+ systemd.tmpfiles.rules = [
+ "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
+ "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
+ with builtins;
+
+ attrValues (import
+ (
+ let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
+ fetchTarball {
+ url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
+ sha256 = lock.nodes.flake-compat.locked.narHash;
+ }
+ )
+ { src = ${flake}; }
+ ).defaultNix.overlays
''}"
+ "L+ /etc/nixos - - - - ${flake}"
];
- registry =
- let override = { self = "nixos"; };
- in mapAttrs' (inpName: inpFlake: nameValuePair
- (override.${inpName} or inpName)
- { flake = inpFlake; } ) flakeInputs;
- };
-
- systemd.tmpfiles.rules = [
- "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
- "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
- with builtins;
-
- attrValues (import
- (
- let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
- fetchTarball {
- url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
- sha256 = lock.nodes.flake-compat.locked.narHash;
- }
- )
- { src = ${flake}; }
- ).defaultNix.overlays
- ''}"
- ];
-
- users.mutableUsers = false;
- # documentation.nixos.includeAllModules = true; # incompatible with home-manager (build fails)
+ users.mutableUsers = false;
- home-manager = {
- useGlobalPkgs = true; # Otherwise home-manager would only work impurely
- useUserPackages = false;
- backupFileExtension = "bak";
- };
+ documentation.nixos = {
+ includeAllModules = true;
+ options.warningsAreErrors = false;
+ };
- sops = mkIf hasSops {
- age = {
- keyFile = "/var/lib/sops-nix/key.txt";
- generateKey = false;
- sshKeyPaths = [];
+ home-manager = {
+ useGlobalPkgs = true; # Otherwise home-manager would only work impurely
+ useUserPackages = false;
+ backupFileExtension = "bak";
};
- gnupg = {
- home = null;
- sshKeyPaths = [];
+
+ sops = mkIf hasSops {
+ age = {
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = false;
+ sshKeyPaths = [];
+ };
+ gnupg = {
+ home = null;
+ sshKeyPaths = [];
+ };
};
- };
- programs.git = {
- enable = true;
- lfs.enable = true;
+ programs.git = {
+ enable = true;
+ lfs.enable = true;
+ };
+ environment.systemPackages = with pkgs; [ git-annex scutiger ];
+ }
+ ] ++ (optional (options ? system.switch.enableNg) {
+ system.switch = lib.mkDefault {
+ enable = false;
+ enableNg = true;
};
- environment.systemPackages = with pkgs; [ git-annex scutiger ];
-
- system.activationScripts.symlink-flake = ''
- if test -L /etc/nixos; then
- ln -nsf ${flake} /etc/nixos
- elif test -d /etc/nixos && rmdir --ignore-fail-on-non-empty /etc/nixos; then
- ln -s ${flake} /etc/nixos
- fi
- '';
- };
+ })
+ ++ (optional (options ? system.etc) {
+ boot.initrd.systemd.enable = lib.mkDefault true;
+ system.etc.overlay.enable = lib.mkDefault true;
+ systemd.sysusers.enable = lib.mkDefault true;
+
+ # Random perl remnants
+ system.disableInstallerTools = lib.mkDefault true;
+ programs.less.lessopen = lib.mkDefault null;
+ programs.command-not-found.enable = lib.mkDefault false;
+ boot.enableContainers = lib.mkDefault false;
+ boot.loader.grub.enable = lib.mkDefault false;
+ environment.defaultPackages = lib.mkDefault [ ];
+ documentation.info.enable = lib.mkDefault false;
+ }));
}
diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix
index 2e75a8c4..db973b72 100644
--- a/system-profiles/initrd-ssh/module.nix
+++ b/system-profiles/initrd-ssh/module.nix
@@ -15,7 +15,7 @@ in
enable = mkOption {
type = types.bool;
default = false;
- description = lib.mdDoc ''
+ description = ''
Start SSH service during initrd boot. It can be used to debug failing
boot on a remote server, enter pasphrase for an encrypted partition etc.
Service is killed when stage-1 boot is finished.
@@ -28,7 +28,7 @@ in
port = mkOption {
type = types.port;
default = 22;
- description = lib.mdDoc ''
+ description = ''
Port on which SSH initrd service should listen.
'';
};
@@ -36,7 +36,7 @@ in
shell = mkOption {
type = types.str;
default = "/bin/ash";
- description = lib.mdDoc ''
+ description = ''
Login shell of the remote user. Can be used to limit actions user can do.
'';
};
@@ -48,7 +48,7 @@ in
"/etc/secrets/initrd/ssh_host_rsa_key"
"/etc/secrets/initrd/ssh_host_ed25519_key"
];
- description = lib.mdDoc ''
+ description = ''
Specify SSH host keys to import into the initrd.
To generate keys, use
@@ -80,7 +80,7 @@ in
type = types.listOf types.str;
default = config.users.users.root.openssh.authorizedKeys.keys;
defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";
- description = lib.mdDoc ''
+ description = ''
Authorized keys for the root user on initrd.
'';
};
@@ -88,7 +88,7 @@ in
extraConfig = mkOption {
type = types.lines;
default = "";
- description = lib.mdDoc "Verbatim contents of {file}`sshd_config`.";
+ description = "Verbatim contents of {file}`sshd_config`.";
};
};
diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix
index 4323765b..1cd930d9 100644
--- a/system-profiles/nfsroot.nix
+++ b/system-profiles/nfsroot.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, flake, flakeInputs, ... }:
+{ config, options, pkgs, lib, flake, flakeInputs, ... }:
with lib;
@@ -14,99 +14,111 @@ in {
storeDevice = mkOption {
type = types.str;
default = "nfsroot:nix-store";
+ description = "Nix store device";
};
registrationUrl = mkOption {
type = types.str;
default = "http://nfsroot/nix-registration";
+ description = "Url of nix store registrations";
};
};
system.build = {
- storeContents = mkOption {};
+ storeContents = mkOption {
+ description = "Contents of nix store";
+ };
};
};
- config = {
- # Don't build the GRUB menu builder script, since we don't need it
- # here and it causes a cyclic dependency.
- boot.loader.grub.enable = false;
-
- # !!! Hack - attributes expected by other modules.
- environment.systemPackages = [ pkgs.grub2_efi ]
- ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
- then []
- else [ pkgs.grub2 pkgs.syslinux ]);
-
- # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
- # image) to make this a live CD.
- fileSystems."/nix/.ro-store" = mkImageMediaOverride
- { fsType = "nfs4";
- device = cfg.storeDevice;
- options = [ "ro" ];
- neededForBoot = true;
- };
+ config = foldr recursiveUpdate {} ([
+ {
+ # Don't build the GRUB menu builder script, since we don't need it
+ # here and it causes a cyclic dependency.
+ boot.loader.grub.enable = false;
+
+ # !!! Hack - attributes expected by other modules.
+ environment.systemPackages = [ pkgs.grub2_efi ]
+ ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
+ then []
+ else [ pkgs.grub2 pkgs.syslinux ]);
+
+ # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
+ # image) to make this a live CD.
+ fileSystems."/nix/.ro-store" = mkImageMediaOverride
+ { fsType = "nfs4";
+ device = cfg.storeDevice;
+ options = [ "ro" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/nix/.rw-store" = mkImageMediaOverride
+ { fsType = "tmpfs";
+ options = [ "mode=0755" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/nix/store" = mkImageMediaOverride
+ { fsType = "overlay";
+ device = "overlay";
+ options = [
+ "lowerdir=/nix/.ro-store"
+ "upperdir=/nix/.rw-store/store"
+ "workdir=/nix/.rw-store/work"
+ ];
+
+ depends = [
+ "/nix/.ro-store"
+ "/nix/.rw-store/store"
+ "/nix/.rw-store/work"
+ ];
+ };
+
+ nix.settings.use-sqlite-wal = false;
+
+ boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
+ boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
+ services.rpcbind.enable = mkImageMediaOverride false;
+
+ boot.initrd.network.enable = true;
+ boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
+ boot.initrd.postMountCommands = ''
+ mkdir -p /mnt-root/etc/
+ cp /etc/resolv.conf /mnt-root/etc/resolv.conf
+ '';
+ networking.useDHCP = true;
+ networking.resolvconf.enable = false;
+ networking.dhcpcd.persistent = true;
- fileSystems."/nix/.rw-store" = mkImageMediaOverride
- { fsType = "tmpfs";
- options = [ "mode=0755" ];
- neededForBoot = true;
- };
- fileSystems."/nix/store" = mkImageMediaOverride
- { fsType = "overlay";
- device = "overlay";
- options = [
- "lowerdir=/nix/.ro-store"
- "upperdir=/nix/.rw-store/store"
- "workdir=/nix/.rw-store/work"
- ];
-
- depends = [
- "/nix/.ro-store"
- "/nix/.rw-store/store"
- "/nix/.rw-store/work"
- ];
- };
+ system.build.storeContents = [config.system.build.toplevel];
- nix.settings.use-sqlite-wal = false;
-
- boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
- boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
- services.rpcbind.enable = mkImageMediaOverride false;
-
- boot.initrd.network.enable = true;
- boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
- boot.initrd.postMountCommands = ''
- mkdir -p /mnt-root/etc/
- cp /etc/resolv.conf /mnt-root/etc/resolv.conf
- '';
- networking.useDHCP = true;
- networking.resolvconf.enable = false;
- networking.dhcpcd.persistent = true;
-
-
- system.build.storeContents = [config.system.build.toplevel];
-
- system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
- #!ipxe
- # Use the cmdline variable to allow the user to specify custom kernel params
- # when chainloading this script from other iPXE scripts like netboot.xyz
- kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
- initrd initrd
- boot
- '';
-
- boot.postBootCommands =
- ''
- # After booting, register the contents of the Nix store on NFS
- # in the Nix database in the tmpfs.
- ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
-
- # nixos-rebuild also requires a "system" profile and an
- # /etc/NIXOS tag.
- touch /etc/NIXOS
- ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+ system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
+ #!ipxe
+ # Use the cmdline variable to allow the user to specify custom kernel params
+ # when chainloading this script from other iPXE scripts like netboot.xyz
+ kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
+ initrd initrd
+ boot
'';
- };
+
+ boot.postBootCommands =
+ ''
+ # After booting, register the contents of the Nix store on NFS
+ # in the Nix database in the tmpfs.
+ ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
+
+ # nixos-rebuild also requires a "system" profile and an
+ # /etc/NIXOS tag.
+ touch /etc/NIXOS
+ ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+ '';
+
+ boot.initrd.systemd.enable = false;
+ }
+ ] ++ (optional (options ? system.etc) {
+ system.etc.overlay.enable = false;
+ }) ++ (optional (options ? system.sysusers) {
+ systemd.sysusers.enable = false;
+ }));
}
--
cgit v1.2.3