-rw-r--r-- | makefu/1systems/iso/config.nix | 30 | ||||
-rw-r--r-- | makefu/1systems/iso/justdoit.nix | 128 | ||||
-rw-r--r-- | makefu/1systems/iso/target-config.nix | 40 | ||||
-rw-r--r-- | makefu/2configs/nginx/dl.euer.krebsco.de.nix (renamed from makefu/2configs/nginx/share-download.nix) | 0 |
4 files changed, 189 insertions, 9 deletions
diff --git a/makefu/1systems/iso/config.nix b/makefu/1systems/iso/config.nix
index fdf203d5b..6c4f62310 100644
--- a/makefu/1systems/iso/config.nix
+++ b/makefu/1systems/iso/config.nix
@@ -3,20 +3,32 @@ with import <stockholm/lib>;
 {
 imports = [
- <stockholm/makefu>
+ #<stockholm/makefu>
 <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
 <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
- <stockholm/makefu/2configs/tools/core.nix>
+ # <stockholm/makefu/2configs/tools/core.nix>
+ ./justdoit.nix
+ {
+ kexec.justdoit = {
+ # bootSize = 512;
+ rootDevice = "/dev/sdb";
+ swapSize = 1024;
+ bootType = "vfat";
+ luksEncrypt = true;
+ uefi = true;
+ };
+ }
 ];
+ boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 # TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
- # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
- krebs.build.host = { cores = 0; };
+ # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso/config.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
+ #krebs.build.host = { cores = 0; };
 isoImage.isoBaseName = lib.mkForce "stockholm";
- krebs.hidden-ssh.enable = true;
- environment.systemPackages = with pkgs; [
- aria2
- ddrescue
- ];
+ #krebs.hidden-ssh.enable = true;
+ # environment.systemPackages = with pkgs; [
+ # aria2
+ # ddrescue
+ # ];
 environment.extraInit = ''
 EDITOR=vim
 '';
diff --git a/makefu/1systems/iso/justdoit.nix b/makefu/1systems/iso/justdoit.nix
new file mode 100644
index 000000000..7947953f9
--- /dev/null
+++ b/makefu/1systems/iso/justdoit.nix
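Review bot: The inline `kexec.justdoit` module bakes `rootDevice = "/dev/sdb"` into the ISO, and the `justdoit` script pulled in by `./justdoit.nix` wipes that device without any prompt, so whichever disk happens to enumerate as `/dev/sdb` on the machine that boots this image is destroyed; a comment next to the value should make that explicit, e.g. `# baked into the ISO: justdoit wipes this device without asking`. A stable `/dev/disk/by-id/...` path would be safer than an enumeration-order name, if the target hardware is known. The enclosing attribute set continues outside the hunk.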
@@ -0,0 +1,128 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ cfg = config.kexec.justdoit;
+ x = if cfg.nvme then "p" else "";
+in {
+ options = {
+ kexec.justdoit = {
+ rootDevice = mkOption {
+ type = types.str;
+ default = "/dev/sda";
+ description = "the root block device that justdoit will nuke from orbit and force nixos onto";
+ };
+ bootSize = mkOption {
+ type = types.int;
+ default = 256;
+ description = "size of /boot in mb";
+ };
+ bootType = mkOption {
+ type = types.enum [ "ext4" "vfat" "zfs" ];
+ default = "ext4";
+ };
+ swapSize = mkOption {
+ type = types.int;
+ default = 1024;
+ description = "size of swap in mb";
+ };
+ poolName = mkOption {
+ type = types.str;
+ default = "tank";
+ description = "zfs pool name";
+ };
+ luksEncrypt = mkOption {
+ type = types.bool;
+ default = false;
+ description = "encrypt all of zfs and swap";
+ };
+ uefi = mkOption {
+ type = types.bool;
+ default = false;
+ description = "create a uefi install";
+ };
+ nvme = mkOption {
+ type = types.bool;
+ default = false;
+ description = "rootDevice is nvme";
+ };
+ };
+ };
+ config = let
+ mkBootTable = {
+ ext4 = "mkfs.ext4 $NIXOS_BOOT -L NIXOS_BOOT";
+ vfat = "mkfs.vfat $NIXOS_BOOT -n NIXOS_BOOT";
+ zfs = "";
+ };
+ in lib.mkIf true {
+ system.build.justdoit = pkgs.writeScriptBin "justdoit" ''
+ #!${pkgs.stdenv.shell}
+ set -e
+ vgchange -a n
+ wipefs -a ${cfg.rootDevice}
+ dd if=/dev/zero of=${cfg.rootDevice} bs=512 count=10000
+ sfdisk ${cfg.rootDevice} <<EOF
+ label: gpt
+ device: ${cfg.rootDevice}
+ unit: sectors
+ ${lib.optionalString (cfg.bootType != "zfs") "1 : size=${toString (2048 * cfg.bootSize)}, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4"}
+ ${lib.optionalString (! cfg.uefi) "4 : size=4096, type=21686148-6449-6E6F-744E-656564454649"}
+ 2 : size=${toString (2048 * cfg.swapSize)}, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
+ 3 : type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ EOF
+ ${if cfg.luksEncrypt then ''
+ cryptsetup luksFormat ${cfg.rootDevice}${x}2
+ cryptsetup open --type luks ${cfg.rootDevice}${x}2 swap
+ cryptsetup luksFormat ${cfg.rootDevice}${x}3
+ cryptsetup open --type luks ${cfg.rootDevice}${x}3 root
+ export ROOT_DEVICE=/dev/mapper/root
+ export SWAP_DEVICE=/dev/mapper/swap
+ '' else ''
+ export ROOT_DEVICE=${cfg.rootDevice}${x}3
+ export SWAP_DEVICE=${cfg.rootDevice}${x}2
+ ''}
+ ${lib.optionalString (cfg.bootType != "zfs") "export NIXOS_BOOT=${cfg.rootDevice}${x}1"}
+ mkdir -p /mnt
+ ${mkBootTable.${cfg.bootType}}
+ mkswap $SWAP_DEVICE -L NIXOS_SWAP
+ zpool create -o ashift=12 -o altroot=/mnt ${cfg.poolName} $ROOT_DEVICE
+ zfs create -o mountpoint=legacy ${cfg.poolName}/root
+ zfs create -o mountpoint=legacy ${cfg.poolName}/home
+ zfs create -o mountpoint=legacy ${cfg.poolName}/nix
+ swapon $SWAP_DEVICE
+ mount -t zfs ${cfg.poolName}/root /mnt/
+ mkdir /mnt/{home,nix,boot}
+ mount -t zfs ${cfg.poolName}/home /mnt/home/
+ mount -t zfs ${cfg.poolName}/nix /mnt/nix/
+ ${lib.optionalString (cfg.bootType != "zfs") "mount $NIXOS_BOOT /mnt/boot/"}
+ nixos-generate-config --root /mnt/
+ hostId=$(echo $(head -c4 /dev/urandom | od -A none -t x4))
+ cp ${./target-config.nix} /mnt/etc/nixos/configuration.nix
+ cat > /mnt/etc/nixos/generated.nix <<EOF
+ { ... }:
+ {
+ ${if cfg.uefi then ''
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.device = "nodev";
+ '' else ''
+ boot.loader.grub.device = "${cfg.rootDevice}";
+ ''}
+ networking.hostId = "$hostId"; # required for zfs use
+ ${lib.optionalString cfg.luksEncrypt ''
+ boot.initrd.luks.devices = [
+ { name = "swap"; device = "${cfg.rootDevice}${x}2"; preLVM = true; }
+ { name = "root"; device = "${cfg.rootDevice}${x}3"; preLVM = true; }
+ ];
+ ''}
+ }
+ EOF
+ nixos-install
+ umount /mnt/home /mnt/nix ${lib.optionalString (cfg.bootType != "zfs") "/mnt/boot"} /mnt
+ zpool export ${cfg.poolName}
+ swapoff $SWAP_DEVICE
+ '';
+ environment.systemPackages = [ config.system.build.justdoit ];
+ boot.supportedFilesystems = [ "zfs" ];
+ };
+}
diff --git a/makefu/1systems/iso/target-config.nix b/makefu/1systems/iso/target-config.nix
new file mode 100644
index 000000000..ba4e3207b
--- /dev/null
+++ b/makefu/1systems/iso/target-config.nix
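Review bot: The destructive steps (`wipefs -a`, `dd`, `sfdisk`) run before anything validates `cfg.rootDevice`, and with `luksEncrypt` the first interactive `cryptsetup luksFormat` confirmation only comes after the disk is already wiped, so declining there leaves a destroyed disk while `set -e` aborts the rest. A guard ahead of `vgchange`, such as `[ -b ${cfg.rootDevice} ] || { echo "${cfg.rootDevice} is not a block device"; exit 1; }` and `grep -q "^${cfg.rootDevice}" /proc/mounts && { echo "${cfg.rootDevice} is in use"; exit 1; }`, would refuse to run against the live medium or any mounted disk. The generated `boot.initrd.luks.devices` entries and `boot.loader.grub.device` reuse the installer-side path `${cfg.rootDevice}${x}N`, which may enumerate differently on the installed system; `/dev/disk/by-uuid/` or `by-partuuid/` paths taken from `blkid` after formatting would be stable. With `uefi = true` partition 1 is still created with the Linux-filesystem type GUID rather than the EFI System Partition GUID `C12A7328-F81E-11D2-BA4B-00A0C93EC93B`, which some firmware may refuse to boot from — worth confirming on real hardware.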
@@ -0,0 +1,40 @@
+{ ... }:
+
+{
+ imports = [ ./hardware-configuration.nix ./generated.nix ];
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
+ boot.zfs.forceImportRoot = false;
+ boot.zfs.forceImportAll = false;
+ boot.kernelParams = [
+ "boot.shell_on_fail"
+ "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+ ];
+ users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb" ];
+ boot.tmpOnTmpfs = true;
+ programs.bash.enableCompletion = true;
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ # minimal
+ programs.command-not-found.enable = false;
+ time.timeZone = "Europe/Berlin";
+ programs.ssh.startAgent = false;
+ nix.useSandbox = true;
+ users.mutableUsers = false;
+ networking.firewall.rejectPackets = true;
+ networking.firewall.allowPing = true;
+ services.openssh.enable = true;
+ i18n = {
+ consoleKeyMap = "us";
+ defaultLocale = "en_US.UTF-8";
+ };
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+ services.nscd.enable = false;
+}
diff --git a/makefu/2configs/nginx/share-download.nix b/makefu/2configs/nginx/dl.euer.krebsco.de.nix
index 828a66a74..828a66a74 100644
--- a/makefu/2configs/nginx/share-download.nix
+++ b/makefu/2configs/nginx/dl.euer.krebsco.de.nix |
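Review bot: `users.users.root.openssh.authorizedKeys.keys` together with `services.openssh.enable = true` grants root SSH access with the same hard-coded key on every system this ISO installs, and nothing in the file restricts root login to key-only; add `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;` so the root password that `nixos-install` prompts for is not also reachable over the network. With `users.mutableUsers = false` and no `hashedPassword` declared for root, the password set during `nixos-install` appears to be discarded on the next rebuild, which would leave that key as the only root access — worth a comment on the key line if that is intended.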