From 63adb41f1a060c21a68143eb9e86c2790ef66f36 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Thu, 8 Aug 2024 10:45:09 +0200 Subject: ... --- system-profiles/core/default.nix | 175 +++++++++++++++++++--------------- system-profiles/initrd-ssh/module.nix | 12 +-- system-profiles/nfsroot.nix | 172 +++++++++++++++++---------------- 3 files changed, 194 insertions(+), 165 deletions(-) (limited to 'system-profiles') diff --git a/system-profiles/core/default.nix b/system-profiles/core/default.nix index 6aee221f..c2c821b7 100644 --- a/system-profiles/core/default.nix +++ b/system-profiles/core/default.nix @@ -74,7 +74,7 @@ in { }; in foldr (def: mergeConfig def.value) {}; }; - description = mdDoc '' + description = '' The configuration of the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to set package configuration options. 
@@ -91,96 +91,113 @@ in { }; }; - config = { - networking.hostName = hostName; - system.configurationRevision = mkIf (flake ? rev) flake.rev; + config = foldr recursiveUpdate {} ([ + { + networking.hostName = hostName; + system.configurationRevision = mkIf (flake ? rev) flake.rev; - nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") { - overlays = attrValues flake.overlays; - config = config.nixpkgs.externalConfig; - localSystem = config.nixpkgs.system; - }; + nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") { + overlays = attrValues flake.overlays; + config = config.nixpkgs.externalConfig; + localSystem = config.nixpkgs.system; + }; - nix = { - package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable; - settings = { - sandbox = true; - allowed-users = [ "*" ]; - trusted-users = [ "root" "@wheel" ]; + nix = { + package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable; + settings = { + sandbox = true; + allowed-users = [ "*" ]; + trusted-users = [ "root" "@wheel" ]; - experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"]; - auto-allocate-uids = true; - use-cgroups = true; - use-xdg-base-directories = true; + experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"]; + auto-allocate-uids = true; + use-cgroups = true; + use-xdg-base-directories = true; - flake-registry = "${flakeInputs.flake-registry}/flake-registry.json"; + flake-registry = "${flakeInputs.flake-registry}/flake-registry.json"; + }; + nixPath = [ + "nixpkgs=${pkgs.runCommand "nixpkgs" {} '' + mkdir $out + ln -s ${./nixpkgs.nix} $out/default.nix + ln -s /run/nixpkgs/lib $out/lib + ''}" + ]; + registry = + let override = { self = "nixos"; }; + in mapAttrs' (inpName: inpFlake: nameValuePair + (override.${inpName} or inpName) + { flake = inpFlake; } ) flakeInputs; }; - nixPath 
= [ - "nixpkgs=${pkgs.runCommand "nixpkgs" {} '' - mkdir $out - ln -s ${./nixpkgs.nix} $out/default.nix - ln -s /run/nixpkgs/lib $out/lib + + systemd.tmpfiles.rules = [ + "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}" + "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" '' + with builtins; + + attrValues (import + ( + let lock = fromJSON (readFile ${flake + "/flake.lock"}); in + fetchTarball { + url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz"; + sha256 = lock.nodes.flake-compat.locked.narHash; + } + ) + { src = ${flake}; } + ).defaultNix.overlays ''}" + "L+ /etc/nixos - - - - ${flake}" ]; - registry = - let override = { self = "nixos"; }; - in mapAttrs' (inpName: inpFlake: nameValuePair - (override.${inpName} or inpName) - { flake = inpFlake; } ) flakeInputs; - }; - - systemd.tmpfiles.rules = [ - "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}" - "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" '' - with builtins; - - attrValues (import - ( - let lock = fromJSON (readFile ${flake + "/flake.lock"}); in - fetchTarball { - url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz"; - sha256 = lock.nodes.flake-compat.locked.narHash; - } - ) - { src = ${flake}; } - ).defaultNix.overlays - ''}" - ]; - - users.mutableUsers = false; - # documentation.nixos.includeAllModules = true; # incompatible with home-manager (build fails) + users.mutableUsers = false; - home-manager = { - useGlobalPkgs = true; # Otherwise home-manager would only work impurely - useUserPackages = false; - backupFileExtension = "bak"; - }; + documentation.nixos = { + includeAllModules = true; + options.warningsAreErrors = false; + }; - sops = mkIf hasSops { - age = { - keyFile = "/var/lib/sops-nix/key.txt"; - generateKey = false; - sshKeyPaths = []; + home-manager = { + useGlobalPkgs = true; # Otherwise home-manager would only work impurely + 
useUserPackages = false; + backupFileExtension = "bak"; }; - gnupg = { - home = null; - sshKeyPaths = []; + + sops = mkIf hasSops { + age = { + keyFile = "/var/lib/sops-nix/key.txt"; + generateKey = false; + sshKeyPaths = []; + }; + gnupg = { + home = null; + sshKeyPaths = []; + }; }; - }; - programs.git = { - enable = true; - lfs.enable = true; + programs.git = { + enable = true; + lfs.enable = true; + }; + environment.systemPackages = with pkgs; [ git-annex scutiger ]; + } + ] ++ (optional (options ? system.switch.enableNg) { + system.switch = lib.mkDefault { + enable = false; + enableNg = true; }; - environment.systemPackages = with pkgs; [ git-annex scutiger ]; - - system.activationScripts.symlink-flake = '' - if test -L /etc/nixos; then - ln -nsf ${flake} /etc/nixos - elif test -d /etc/nixos && rmdir --ignore-fail-on-non-empty /etc/nixos; then - ln -s ${flake} /etc/nixos - fi - ''; - }; + }) + ++ (optional (options ? system.etc) { + boot.initrd.systemd.enable = lib.mkDefault true; + system.etc.overlay.enable = lib.mkDefault true; + systemd.sysusers.enable = lib.mkDefault true; + + # Random perl remnants + system.disableInstallerTools = lib.mkDefault true; + programs.less.lessopen = lib.mkDefault null; + programs.command-not-found.enable = lib.mkDefault false; + boot.enableContainers = lib.mkDefault false; + boot.loader.grub.enable = lib.mkDefault false; + environment.defaultPackages = lib.mkDefault [ ]; + documentation.info.enable = lib.mkDefault false; + })); } diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix index 2e75a8c4..db973b72 100644 --- a/system-profiles/initrd-ssh/module.nix +++ b/system-profiles/initrd-ssh/module.nix 
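Review bot: The new tmpfiles rule `"L+ /etc/nixos - - - - ${flake}"` takes over from the removed `system.activationScripts.symlink-flake` script but drops that script's guard: the old code only linked when `/etc/nixos` was already a symlink or an empty directory (`rmdir --ignore-fail-on-non-empty`), whereas `L+`, as I read the tmpfiles.d semantics, removes whatever non-symlink entry exists at that path, so a host that still carries a populated `/etc/nixos` directory would have it deleted on the next activation with no message. If that is intended it deserves a comment on the rule, e.g. `# L+ replaces (and removes) any existing /etc/nixos directory; the flake is the only configuration source`; otherwise keep the guarded ln logic or drop the `+` and accept that a pre-existing symlink is not repointed. Separately, `documentation.nixos.includeAllModules = true` is re-enabled although the removed comment recorded that it broke the home-manager build; a short note on why `options.warningsAreErrors = false` makes it safe now would help the next reader. The enclosing module body starts before this hunk.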
@@ -15,7 +15,7 @@ in enable = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Start SSH service during initrd boot. It can be used to debug failing boot on a remote server, enter pasphrase for an encrypted partition etc. Service is killed when stage-1 boot is finished. @@ -28,7 +28,7 @@ in port = mkOption { type = types.port; default = 22; - description = lib.mdDoc '' + description = '' Port on which SSH initrd service should listen. ''; }; @@ -36,7 +36,7 @@ in shell = mkOption { type = types.str; default = "/bin/ash"; - description = lib.mdDoc '' + description = '' Login shell of the remote user. Can be used to limit actions user can do. ''; }; @@ -48,7 +48,7 @@ in "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - description = lib.mdDoc '' + description = '' Specify SSH host keys to import into the initrd. To generate keys, use @@ -80,7 +80,7 @@ in type = types.listOf types.str; default = config.users.users.root.openssh.authorizedKeys.keys; defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys"; - description = lib.mdDoc '' + description = '' Authorized keys for the root user on initrd. ''; }; @@ -88,7 +88,7 @@ in extraConfig = mkOption { type = types.lines; default = ""; - description = lib.mdDoc "Verbatim contents of {file}`sshd_config`."; + description = "Verbatim contents of {file}`sshd_config`."; }; }; diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix index 4323765b..1cd930d9 100644 --- a/system-profiles/nfsroot.nix +++ b/system-profiles/nfsroot.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, flake, flakeInputs, ... }: +{ config, options, pkgs, lib, flake, flakeInputs, ... }: with lib; 
@@ -14,99 +14,111 @@ in { storeDevice = mkOption { type = types.str; default = "nfsroot:nix-store"; + description = "Nix store device"; }; registrationUrl = mkOption { type = types.str; default = "http://nfsroot/nix-registration"; + description = "Url of nix store registrations"; }; }; system.build = { - storeContents = mkOption {}; + storeContents = mkOption { + description = "Contents of nix store"; + }; }; }; - config = { - # Don't build the GRUB menu builder script, since we don't need it - # here and it causes a cyclic dependency. - boot.loader.grub.enable = false; - - # !!! Hack - attributes expected by other modules. - environment.systemPackages = [ pkgs.grub2_efi ] - ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" - then [] - else [ pkgs.grub2 pkgs.syslinux ]); - - # In stage 1, mount a tmpfs on top of /nix/store (the squashfs - # image) to make this a live CD. - fileSystems."/nix/.ro-store" = mkImageMediaOverride - { fsType = "nfs4"; - device = cfg.storeDevice; - options = [ "ro" ]; - neededForBoot = true; - }; + config = foldr recursiveUpdate {} ([ + { + # Don't build the GRUB menu builder script, since we don't need it + # here and it causes a cyclic dependency. + boot.loader.grub.enable = false; + + # !!! Hack - attributes expected by other modules. + environment.systemPackages = [ pkgs.grub2_efi ] + ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" + then [] + else [ pkgs.grub2 pkgs.syslinux ]); + + # In stage 1, mount a tmpfs on top of /nix/store (the squashfs + # image) to make this a live CD. 
+ fileSystems."/nix/.ro-store" = mkImageMediaOverride + { fsType = "nfs4"; + device = cfg.storeDevice; + options = [ "ro" ]; + neededForBoot = true; + }; + + fileSystems."/nix/.rw-store" = mkImageMediaOverride + { fsType = "tmpfs"; + options = [ "mode=0755" ]; + neededForBoot = true; + }; + + fileSystems."/nix/store" = mkImageMediaOverride + { fsType = "overlay"; + device = "overlay"; + options = [ + "lowerdir=/nix/.ro-store" + "upperdir=/nix/.rw-store/store" + "workdir=/nix/.rw-store/work" + ]; + + depends = [ + "/nix/.ro-store" + "/nix/.rw-store/store" + "/nix/.rw-store/work" + ]; + }; + + nix.settings.use-sqlite-wal = false; + + boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ]; + boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ]; + services.rpcbind.enable = mkImageMediaOverride false; + + boot.initrd.network.enable = true; + boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work + boot.initrd.postMountCommands = '' + mkdir -p /mnt-root/etc/ + cp /etc/resolv.conf /mnt-root/etc/resolv.conf + ''; + networking.useDHCP = true; + networking.resolvconf.enable = false; + networking.dhcpcd.persistent = true; - fileSystems."/nix/.rw-store" = mkImageMediaOverride - { fsType = "tmpfs"; - options = [ "mode=0755" ]; - neededForBoot = true; - }; - fileSystems."/nix/store" = mkImageMediaOverride - { fsType = "overlay"; - device = "overlay"; - options = [ - "lowerdir=/nix/.ro-store" - "upperdir=/nix/.rw-store/store" - "workdir=/nix/.rw-store/work" - ]; - - depends = [ - "/nix/.ro-store" - "/nix/.rw-store/store" - "/nix/.rw-store/work" - ]; - }; + system.build.storeContents = [config.system.build.toplevel]; - nix.settings.use-sqlite-wal = false; - - boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ]; - boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ]; - services.rpcbind.enable = mkImageMediaOverride false; - - boot.initrd.network.enable = true; - boot.initrd.network.flushBeforeStage2 = false; # 
otherwise nfs doesn't work - boot.initrd.postMountCommands = '' - mkdir -p /mnt-root/etc/ - cp /etc/resolv.conf /mnt-root/etc/resolv.conf - ''; - networking.useDHCP = true; - networking.resolvconf.enable = false; - networking.dhcpcd.persistent = true; - - - system.build.storeContents = [config.system.build.toplevel]; - - system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" '' - #!ipxe - # Use the cmdline variable to allow the user to specify custom kernel params - # when chainloading this script from other iPXE scripts like netboot.xyz - kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline} - initrd initrd - boot - ''; - - boot.postBootCommands = - '' - # After booting, register the contents of the Nix store on NFS - # in the Nix database in the tmpfs. - ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db - - # nixos-rebuild also requires a "system" profile and an - # /etc/NIXOS tag. - touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" '' + #!ipxe + # Use the cmdline variable to allow the user to specify custom kernel params + # when chainloading this script from other iPXE scripts like netboot.xyz + kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline} + initrd initrd + boot ''; - }; + + boot.postBootCommands = + '' + # After booting, register the contents of the Nix store on NFS + # in the Nix database in the tmpfs. + ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db + + # nixos-rebuild also requires a "system" profile and an + # /etc/NIXOS tag. 
+ touch /etc/NIXOS + ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + ''; + + boot.initrd.systemd.enable = false; + } + ] ++ (optional (options ? system.etc) { + system.etc.overlay.enable = false; + }) ++ (optional (options ? system.sysusers) { + systemd.sysusers.enable = false; + })); } -- cgit v1.2.3
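Review bot: `boot.postBootCommands` near the end of the hunk still pipes `${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl}` straight into `nix-store --load-db` running as root, and the option default earlier in the hunk is plain `http://nfsroot/nix-registration`: a failed or truncated fetch is not detected (curl exits successfully on an HTTP error unless told otherwise, and the pipe hides its status), and nothing authenticates what gets registered into the Nix database. The commit only moves these lines, but since it rewrites the whole `config` block it is the natural place to at least change the call to `${pkgs.curl}/bin/curl --fail --silent --show-error ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db` and add a comment that the registration endpoint must only be reachable over the trusted boot network or served over TLS. The new `boot.initrd.systemd.enable = false;` would also benefit from a why-comment, e.g. `# scripted initrd: presumably required by the initrd.network/postMountCommands settings above`, since core/default.nix defaults it to true in the same commit. The enclosing module body starts before this hunk.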