| author | makefu <github@syntax-fehler.de> | 2019-11-29 13:43:27 +0100 | 
|---|---|---|
| committer | makefu <github@syntax-fehler.de> | 2019-11-29 13:43:27 +0100 | 
| commit | 001acc5a523db45414ebfdca808e308f027e39b5 (patch) | |
| tree | 30ba360c98dd6e3a6aca55f8c0c07206ecb60ef1 | |
| parent | 71d782a50a52f1db917aabec71ce924bd7416904 (diff) | |
ma iso: add justdoit,target-config.nix
| -rw-r--r-- | makefu/1systems/iso/config.nix | 30 | ||||
| -rw-r--r-- | makefu/1systems/iso/justdoit.nix | 128 | ||||
| -rw-r--r-- | makefu/1systems/iso/target-config.nix | 40 | ||||
| -rw-r--r-- | makefu/2configs/nginx/dl.euer.krebsco.de.nix (renamed from makefu/2configs/nginx/share-download.nix) | 0 | 
4 files changed, 189 insertions, 9 deletions
| diff --git a/makefu/1systems/iso/config.nix b/makefu/1systems/iso/config.nix
index fdf203d5b..6c4f62310 100644
--- a/makefu/1systems/iso/config.nix
+++ b/makefu/1systems/iso/config.nix
@@ -3,20 +3,32 @@
 with import <stockholm/lib>;
 {
   imports = [
-    <stockholm/makefu>
+    #<stockholm/makefu>
     <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
     <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
-    <stockholm/makefu/2configs/tools/core.nix>
+    # <stockholm/makefu/2configs/tools/core.nix>
+    ./justdoit.nix
+    {
+      kexec.justdoit = {
+        # bootSize = 512;
+        rootDevice = "/dev/sdb";
+        swapSize = 1024;
+        bootType = "vfat";
+        luksEncrypt = true;
+        uefi = true;
+      };
+    }
   ];
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
   # TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
-  # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
-  krebs.build.host = { cores = 0; };
+  # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso/config.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
+  #krebs.build.host = { cores = 0; };
   isoImage.isoBaseName = lib.mkForce "stockholm";
-  krebs.hidden-ssh.enable = true;
-  environment.systemPackages = with pkgs; [
-    aria2
-    ddrescue
-  ];
+  #krebs.hidden-ssh.enable = true;
+  # environment.systemPackages = with pkgs; [
+  #   aria2
+  #   ddrescue
+  # ];
   environment.extraInit = ''
     EDITOR=vim
   '';
diff --git a/makefu/1systems/iso/justdoit.nix b/makefu/1systems/iso/justdoit.nix
new file mode 100644
index 000000000..7947953f9
--- /dev/null
+++ b/makefu/1systems/iso/justdoit.nix 
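Review bot: `rootDevice = "/dev/sdb";` pins the disk that justdoit wipes to an enumeration-order name, and which drive ends up as `sdb` depends on what disks and USB media are attached when the ISO boots. Because the script runs `wipefs -a` and `dd` on that device without any confirmation, a stable path such as `/dev/disk/by-id/<DISK-ID>` (placeholder) is the safer default, together with a comment next to the option, e.g. `# justdoit wipes this device without confirmation; use a /dev/disk/by-id path`. The commented-out `<stockholm/makefu>`, `krebs.*` and `environment.systemPackages` lines read as leftovers; if they are intentionally disabled for this ISO build, a one-line comment saying why would help, otherwise they can be dropped.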
@@ -0,0 +1,128 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.kexec.justdoit;
+  x = if cfg.nvme then "p" else "";
+in {
+  options = {
+    kexec.justdoit = {
+      rootDevice = mkOption {
+        type = types.str;
+        default = "/dev/sda";
+        description = "the root block device that justdoit will nuke from orbit and force nixos onto";
+      };
+      bootSize = mkOption {
+        type = types.int;
+        default = 256;
+        description = "size of /boot in mb";
+      };
+      bootType = mkOption {
+        type = types.enum [ "ext4" "vfat" "zfs" ];
+        default = "ext4";
+      };
+      swapSize = mkOption {
+        type = types.int;
+        default = 1024;
+        description = "size of swap in mb";
+      };
+      poolName = mkOption {
+        type = types.str;
+        default = "tank";
+        description = "zfs pool name";
+      };
+      luksEncrypt = mkOption {
+        type = types.bool;
+        default = false;
+        description = "encrypt all of zfs and swap";
+      };
+      uefi = mkOption {
+        type = types.bool;
+        default = false;
+        description = "create a uefi install";
+      };
+      nvme = mkOption {
+        type = types.bool;
+        default = false;
+        description = "rootDevice is nvme";
+      };
+    };
+  };
+  config = let
+    mkBootTable = {
+      ext4 = "mkfs.ext4 $NIXOS_BOOT -L NIXOS_BOOT";
+      vfat = "mkfs.vfat $NIXOS_BOOT -n NIXOS_BOOT";
+      zfs = "";
+    };
+  in lib.mkIf true {
+    system.build.justdoit = pkgs.writeScriptBin "justdoit" ''
+      #!${pkgs.stdenv.shell}
+      set -e
+      vgchange -a n
+      wipefs -a ${cfg.rootDevice}
+      dd if=/dev/zero of=${cfg.rootDevice} bs=512 count=10000
+      sfdisk ${cfg.rootDevice} <<EOF
+      label: gpt
+      device: ${cfg.rootDevice}
+      unit: sectors
+      ${lib.optionalString (cfg.bootType != "zfs") "1 : size=${toString (2048 * cfg.bootSize)}, 
type=0FC63DAF-8483-4772-8E79-3D69D8477DE4"}
+      ${lib.optionalString (! cfg.uefi) "4 : size=4096, type=21686148-6449-6E6F-744E-656564454649"}
+      2 : size=${toString (2048 * cfg.swapSize)}, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
+      3 : type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
+      EOF
+      ${if cfg.luksEncrypt then ''
+        cryptsetup luksFormat ${cfg.rootDevice}${x}2
+        cryptsetup open --type luks ${cfg.rootDevice}${x}2 swap
+        cryptsetup luksFormat ${cfg.rootDevice}${x}3
+        cryptsetup open --type luks ${cfg.rootDevice}${x}3 root
+        export ROOT_DEVICE=/dev/mapper/root
+        export SWAP_DEVICE=/dev/mapper/swap
+      '' else ''
+        export ROOT_DEVICE=${cfg.rootDevice}${x}3
+        export SWAP_DEVICE=${cfg.rootDevice}${x}2
+      ''}
+      ${lib.optionalString (cfg.bootType != "zfs") "export NIXOS_BOOT=${cfg.rootDevice}${x}1"}
+      mkdir -p /mnt
+      ${mkBootTable.${cfg.bootType}}
+      mkswap $SWAP_DEVICE -L NIXOS_SWAP
+      zpool create -o ashift=12 -o altroot=/mnt ${cfg.poolName} $ROOT_DEVICE
+      zfs create -o mountpoint=legacy ${cfg.poolName}/root
+      zfs create -o mountpoint=legacy ${cfg.poolName}/home
+      zfs create -o mountpoint=legacy ${cfg.poolName}/nix
+      swapon $SWAP_DEVICE
+      mount -t zfs ${cfg.poolName}/root /mnt/
+      mkdir /mnt/{home,nix,boot}
+      mount -t zfs ${cfg.poolName}/home /mnt/home/
+      mount -t zfs ${cfg.poolName}/nix /mnt/nix/
+      ${lib.optionalString (cfg.bootType != "zfs") "mount $NIXOS_BOOT /mnt/boot/"}
+      nixos-generate-config --root /mnt/
+      hostId=$(echo $(head -c4 /dev/urandom | od -A none -t x4))
+      cp ${./target-config.nix} /mnt/etc/nixos/configuration.nix
+      cat > /mnt/etc/nixos/generated.nix <<EOF
+      { ... 
}:
+      {
+        ${if cfg.uefi then ''
+          boot.loader.grub.efiInstallAsRemovable = true;
+          boot.loader.grub.efiSupport = true;
+          boot.loader.grub.device = "nodev";
+        '' else ''
+          boot.loader.grub.device = "${cfg.rootDevice}";
+        ''}
+        networking.hostId = "$hostId"; # required for zfs use
+      ${lib.optionalString cfg.luksEncrypt ''
+        boot.initrd.luks.devices = [
+          { name = "swap"; device = "${cfg.rootDevice}${x}2"; preLVM = true; }
+          { name = "root"; device = "${cfg.rootDevice}${x}3"; preLVM = true; }
+        ];
+      ''}
+      }
+      EOF
+      nixos-install
+      umount /mnt/home /mnt/nix ${lib.optionalString (cfg.bootType != "zfs") "/mnt/boot"} /mnt
+      zpool export ${cfg.poolName}
+      swapoff $SWAP_DEVICE
+    '';
+    environment.systemPackages = [ config.system.build.justdoit ];
+    boot.supportedFilesystems = [ "zfs" ];
+  };
+}
diff --git a/makefu/1systems/iso/target-config.nix b/makefu/1systems/iso/target-config.nix
new file mode 100644
index 000000000..ba4e3207b
--- /dev/null
+++ b/makefu/1systems/iso/target-config.nix 
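Review bot: In the sfdisk table partition 1 is always typed `0FC63DAF-8483-4772-8E79-3D69D8477DE4` (Linux filesystem), including when `cfg.uefi` is true, yet the generated config then sets `boot.loader.grub.efiSupport = true` with `efiInstallAsRemovable`, which expects /boot to be an EFI System Partition; firmware that honours the partition type GUID may not find the removable-media loader on a Linux-typed partition. Pick the type with the mode, e.g. `"1 : size=${toString (2048 * cfg.bootSize)}, type=${if cfg.uefi then "C12A7328-F81F-11D2-BA4B-00A0C93EC93B" else "0FC63DAF-8483-4772-8E79-3D69D8477DE4"}"`, and an `assertions` entry requiring `bootType == "vfat"` when `uefi` is set would keep the ESP from being formatted ext4. `lib.mkIf true { … }` is a no-op wrapper; `config` can be the attrset directly. The `luksEncrypt` description promises encrypted zfs and swap, but the script runs `cryptsetup luksFormat` twice interactively, so a comment such as `# prompts for two passphrases (swap, root); both are asked again at every boot` would set expectations for whoever runs justdoit.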
@@ -0,0 +1,40 @@
+{ ... }:
+
+{
+  imports = [ ./hardware-configuration.nix ./generated.nix ];
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
+  boot.zfs.forceImportRoot = false;
+  boot.zfs.forceImportAll = false;
+  boot.kernelParams = [
+    "boot.shell_on_fail"
+    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+  ];
+  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb" ];
+  boot.tmpOnTmpfs = true;
+  programs.bash.enableCompletion = true;
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  # minimal
+  programs.command-not-found.enable = false;
+  time.timeZone = "Europe/Berlin";
+  programs.ssh.startAgent = false;
+  nix.useSandbox = true;
+  users.mutableUsers = false;
+  networking.firewall.rejectPackets = true;
+  networking.firewall.allowPing = true;
+  services.openssh.enable = true;
+  i18n = {
+    consoleKeyMap = "us";
+    defaultLocale = "en_US.UTF-8";
+  };
+  boot.kernel.sysctl = {
+    "net.ipv6.conf.all.use_tempaddr" = 2;
+    "net.ipv6.conf.default.use_tempaddr" = 2;
+  };
+  services.nscd.enable = false;
+}
diff --git a/makefu/2configs/nginx/share-download.nix b/makefu/2configs/nginx/dl.euer.krebsco.de.nix
index 828a66a74..828a66a74 100644
--- a/makefu/2configs/nginx/share-download.nix
+++ b/makefu/2configs/nginx/dl.euer.krebsco.de.nix | 
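Review bot: `services.openssh.enable = true;` combined with the root key in `users.users.root.openssh.authorizedKeys.keys` leaves the root-login policy of every installed host to sshd's default, which depends on the NixOS release the target ends up tracking; pin it so the file states the policy, e.g. `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;`. The key is copied verbatim into each machine this ISO installs, so a comment above it naming its owner and purpose (e.g. `# bootstrap key for <OWNER>; rotate once the host has its own admin user`) would help whoever audits the target later. `boot.kernelParams` also enables `boot.shell_on_fail`, which drops to an unauthenticated stage-1 shell on boot failure; if that is only wanted for initial bring-up, extend the comment on that line to say so.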
