{ system, installerName, config , runCommand, makeWrapper, pixiecore, writeShellApplication, coreutils, busybox, nftables, mkShell }: let pxeBuild = config.config.system.build; pixiecore-wrapped = runCommand "pixiecore-${system}-${installerName}" { nativeBuildInputs = [ makeWrapper ]; } '' mkdir -p $out/bin makeWrapper ${pixiecore}/bin/pixiecore $out/bin/pixiecore-${installerName} \ --add-flags boot \ --add-flags "${pxeBuild.kernel}/bzImage" --add-flags "${pxeBuild.netbootRamdisk}/initrd" \ --add-flags "--cmdline \"init=${pxeBuild.toplevel}/init loglevel=4\"" \ --add-flags "-dt" --add-flags "--status-port 64172" --add-flags "--port 64172" --add-flags "--dhcp-no-bind" ''; udhcpd = writeShellApplication { name = "udhcpd"; runtimeInputs = [ coreutils ]; text = '' [[ -n "''${INTERFACE-}" ]] || exit 2 _LEASES_FILE=$(mktemp --tmpdir udhcpd.XXXXXXXXXX.leases) exec ${busybox}/bin/udhcpd -f <(cat <<EOF interface $INTERFACE lease_file $_LEASES_FILE start 10.0.0.128 end 10.0.0.254 max_leases 127 opt dns 8.8.8.8 option subnet 255.255.255.0 opt router 10.0.0.1 option lease 30 EOF ) ''; }; nft_apply = writeShellApplication { name = "pxe-nft-apply"; runtimeInputs = [ nftables ]; text = '' [[ -n "''${INTERFACE-}" ]] || exit 2 exec nft -f - <<EOF table inet filter { chain forward_tmp { iifname $INTERFACE oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4, virbr0} counter accept oifname $INTERFACE ct state {established, related} counter accept } chain input_tmp { iifname $INTERFACE udp dport {67,69,4011} counter accept iifname $INTERFACE tcp dport 64172 counter accept } } table ip nat { chain postrouting_tmp { iifname $INTERFACE oifname != $INTERFACE counter masquerade } } table ip mss_clamp { chain postrouting_tmp { iifname $INTERFACE oifname != $INTERFACE tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu } } EOF ''; }; nft_flush = writeShellApplication { name = "pxe-nft-flush"; runtimeInputs = [ nftables ]; text = '' exec nft -f - <<EOF flush chain inet filter forward_tmp flush chain inet filter input_tmp flush chain ip nat postrouting_tmp flush chain ip mss_clamp postrouting_tmp EOF ''; }; in mkShell { name = installerName; nativeBuildInputs = [ pixiecore-wrapped udhcpd nft_apply nft_flush ]; }