summaryrefslogtreecommitdiff
path: root/installer/shell.nix
blob: 043f0ddc334cfe4865c4857ccdc236cc3bbfd5c0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
{ system, installerName, config
, runCommand, makeWrapper, pixiecore, writeShellApplication, coreutils, busybox, nftables, mkShell
}:

let
  pxeBuild = config.config.system.build;
  pixiecore-wrapped = runCommand "pixiecore-${system}-${installerName}" {
    nativeBuildInputs = [ makeWrapper ];
  } ''
    mkdir -p $out/bin
    makeWrapper ${pixiecore}/bin/pixiecore $out/bin/pixiecore-${installerName} \
      --add-flags boot \
      --add-flags "${pxeBuild.kernel}/bzImage" --add-flags "${pxeBuild.netbootRamdisk}/initrd" \
      --add-flags "--cmdline \"init=${pxeBuild.toplevel}/init loglevel=4\"" \
      --add-flags "-dt" --add-flags "--status-port 64172" --add-flags "--port 64172" --add-flags "--dhcp-no-bind"
  '';
  udhcpd = writeShellApplication {
    name = "udhcpd";

    runtimeInputs = [ coreutils ];

    text = ''
      [[ -n "''${INTERFACE-}" ]] || exit 2

      _LEASES_FILE=$(mktemp --tmpdir udhcpd.XXXXXXXXXX.leases)
      exec ${busybox}/bin/udhcpd -f <(cat <<EOF
        interface $INTERFACE
        lease_file $_LEASES_FILE
        start 10.0.0.128
        end 10.0.0.254
        max_leases 127
        opt dns 8.8.8.8
        option subnet 255.255.255.0
        opt router 10.0.0.1
        option lease 30
      EOF
      )
    '';
  };
  nft_apply = writeShellApplication {
    name = "pxe-nft-apply";

    runtimeInputs = [ nftables ];

    text = ''
      [[ -n "''${INTERFACE-}" ]] || exit 2

      exec nft -f - <<EOF
        table inet filter {
          chain forward_tmp {
            iifname $INTERFACE oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4, virbr0} counter accept
            oifname $INTERFACE ct state {established, related} counter accept
          }

          chain input_tmp {
            iifname $INTERFACE udp dport {67,69,4011} counter accept
            iifname $INTERFACE tcp dport 64172 counter accept
          }
        }

        table ip nat {
          chain postrouting_tmp {
            iifname $INTERFACE oifname != $INTERFACE counter masquerade
          }
        }

        table ip mss_clamp {
          chain postrouting_tmp {
            iifname $INTERFACE oifname != $INTERFACE tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
          }
        }
      EOF
    '';
  };
  nft_flush = writeShellApplication {
    name = "pxe-nft-flush";

    runtimeInputs = [ nftables ];

    text = ''
      exec nft -f - <<EOF
        flush chain inet filter forward_tmp
        flush chain inet filter input_tmp
        flush chain ip nat postrouting_tmp
        flush chain ip mss_clamp postrouting_tmp
      EOF
    '';
  };
in mkShell {
  name = installerName;
  nativeBuildInputs = [ pixiecore-wrapped udhcpd nft_apply nft_flush ];
}