nixosModules,pkgs: remove installer. clanModules: init installer module

clanModules/flake-module.nix

@@ -11,6 +11,7 @@
     golem-provider = ./golem-provider;
     heisenbridge = ./heisenbridge;
     iwd = ./iwd;
+    installer = ./installer;
     localbackup = ./localbackup;
     localsend = ./localsend;
     matrix-synapse = ./matrix-synapse;

clanModules/installer/README.md

@@ -0,0 +1,3 @@
+---
+description = "Module to convert machine to an installer image"
+---

clanModules/installer/bcachefs.nix

@@ -0,0 +1,16 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  # If we also need zfs, we can use the unstable version as we otherwise don't have a new enough kernel version
+  boot.zfs.package = pkgs.zfsUnstable;
+  boot.kernelPackages = lib.mkIf config.boot.zfs.enabled (
+    lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages
+  );
+
+  # Enable bcachefs support
+  boot.supportedFilesystems.bcachefs = lib.mkDefault true;
+}

clanModules/installer/default.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  ...
+}:
+
+{
+  options.clan.installer =
+    {
+    };
+
+  imports = [
+    ../iwd
+    ./bcachefs.nix
+    ./zfs.nix
+    ./hidden-ssh-announce.nix
+    ../trusted-nix-caches
+  ];
+
+  config = {
+    system.stateVersion = config.system.nixos.version;
+  };
+}

clanModules/installer/hidden-ssh-announce.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options.hidden-ssh-announce = {
+    enable = lib.mkEnableOption "hidden-ssh-announce";
+    script = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.writers.writeDash "test-output" "echo $1";
+      description = ''
+        script to run when the hidden tor service was started and they hostname is known.
+        takes the hostname as $1
+      '';
+    };
+  };
+
+  config = lib.mkIf config.hidden-ssh-announce.enable {
+    services.openssh.enable = true;
+    services.tor = {
+      enable = true;
+      relay.onionServices.hidden-ssh = {
+        version = 3;
+        map = [
+          {
+            port = 22;
+            target.port = 22;
+          }
+        ];
+      };
+      client.enable = true;
+    };
+    systemd.services.hidden-ssh-announce = {
+      description = "announce hidden ssh";
+      after = [
+        "tor.service"
+        "network-online.target"
+      ];
+      wants = [
+        "tor.service"
+        "network-online.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        # ${pkgs.tor}/bin/torify
+        ExecStart = pkgs.writeShellScript "announce-hidden-service" ''
+          set -efu
+          until test -e ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname; do
+            echo "still waiting for ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname"
+            sleep 1
+          done
+
+          ${config.hidden-ssh-announce.script} "$(cat ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname)"
+        '';
+        PrivateTmp = "true";
+        User = "tor";
+        Type = "oneshot";
+      };
+    };
+  };
+}

clanModules/installer/zfs.nix

@@ -0,0 +1,16 @@
+{ lib, config, ... }:
+{
+  # Use the same default hostID as the NixOS install ISO and nixos-anywhere.
+  # This allows us to import zfs pool without using a force import.
+  # ZFS has this as a safety mechanism for networked block storage (ISCSI), but
+  # in practice we found it causes more breakages like unbootable machines,
+  # while people using ZFS on ISCSI is quite rare.
+  networking.hostId = lib.mkDefault "8425e349";
+
+  services.zfs = lib.mkIf (config.boot.zfs.enabled) {
+    autoSnapshot.enable = true;
+    # defaults to 12, which is a bit much given how much data is written
+    autoSnapshot.monthly = lib.mkDefault 1;
+    autoScrub.enable = true;
+  };
+}