Revert "nixosModules,pkgs: remove installer. clanModules: init installer module"

This reverts commit 1090e36cf1.
2024-09-03 07:04:34 +02:00
parent 06c820bded
commit 535a39cff3
13 changed files with 333 additions and 27 deletions
--- a/nixosModules/bcachefs.nix
+++ b/nixosModules/bcachefs.nix
@@ -0,0 +1,16 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  # If we also need zfs, we can use the unstable version as we otherwise don't have a new enough kernel version
+  boot.zfs.package = pkgs.zfsUnstable;
+  boot.kernelPackages = lib.mkIf config.boot.zfs.enabled (
+    lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages
+  );
+
+  # Enable bcachefs support
+  boot.supportedFilesystems.bcachefs = lib.mkDefault true;
+}
--- a/nixosModules/flake-module.nix
+++ b/nixosModules/flake-module.nix
@@ -1,6 +1,15 @@
 { inputs, self, ... }:
 {
  flake.nixosModules = {
+    hidden-ssh-announce.imports = [ ./hidden-ssh-announce.nix ];
+    bcachefs.imports = [ ./bcachefs.nix ];
+    zfs.imports = [ ./zfs.nix ];
+    installer.imports = [
+      ./installer
+      self.nixosModules.hidden-ssh-announce
+      self.nixosModules.bcachefs
+      self.nixosModules.zfs
+    ];
    clanCore.imports = [
      inputs.sops-nix.nixosModules.sops
      inputs.disko.nixosModules.default
--- a/nixosModules/hidden-ssh-announce.nix
+++ b/nixosModules/hidden-ssh-announce.nix
@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options.hidden-ssh-announce = {
+    enable = lib.mkEnableOption "hidden-ssh-announce";
+    script = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.writers.writeDash "test-output" "echo $1";
+      description = ''
+        script to run when the hidden tor service was started and they hostname is known.
+        takes the hostname as $1
+      '';
+    };
+  };
+
+  config = lib.mkIf config.hidden-ssh-announce.enable {
+    services.openssh.enable = true;
+    services.tor = {
+      enable = true;
+      relay.onionServices.hidden-ssh = {
+        version = 3;
+        map = [
+          {
+            port = 22;
+            target.port = 22;
+          }
+        ];
+      };
+      client.enable = true;
+    };
+    systemd.services.hidden-ssh-announce = {
+      description = "announce hidden ssh";
+      after = [
+        "tor.service"
+        "network-online.target"
+      ];
+      wants = [
+        "tor.service"
+        "network-online.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        # ${pkgs.tor}/bin/torify
+        ExecStart = pkgs.writeShellScript "announce-hidden-service" ''
+          set -efu
+          until test -e ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname; do
+            echo "still waiting for ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname"
+            sleep 1
+          done
+
+          ${config.hidden-ssh-announce.script} "$(cat ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname)"
+        '';
+        PrivateTmp = "true";
+        User = "tor";
+        Type = "oneshot";
+      };
+    };
+  };
+}
--- a/nixosModules/installer/default.nix
+++ b/nixosModules/installer/default.nix
@@ -0,0 +1,125 @@
+{
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+let
+  network-status = pkgs.writeShellScript "network-status" ''
+    export PATH=${
+      lib.makeBinPath (
+        with pkgs;
+        [
+          iproute2
+          coreutils
+          gnugrep
+          nettools
+          gum
+        ]
+      )
+    }
+    set -efu -o pipefail
+    msgs=()
+    if [[ -e /var/shared/qrcode.utf8 ]]; then
+      qrcode=$(gum style --border-foreground 240 --border normal "$(< /var/shared/qrcode.utf8)")
+      msgs+=("$qrcode")
+    fi
+    network_status="Local network addresses:
+    $(ip -brief -color addr | grep -v 127.0.0.1)
+    $([[ -e /var/shared/onion-hostname ]] && echo "Onion address: $(cat /var/shared/onion-hostname)" || echo "Onion address: Waiting for tor network to be ready...")
+    Multicast DNS: $(hostname).local"
+    network_status=$(gum style --border-foreground 240 --border normal "$network_status")
+    msgs+=("$network_status")
+    msgs+=("Press 'Ctrl-C' for console access")
+
+    gum join --vertical "''${msgs[@]}"
+  '';
+in
+{
+  ############################################
+  #                                          #
+  # For install image debugging execute:     #
+  # $ qemu-kvm result/stick.raw -snapshot    #
+  #                                          #
+  ############################################
+  imports = [
+    (modulesPath + "/profiles/installation-device.nix")
+    (modulesPath + "/profiles/all-hardware.nix")
+    (modulesPath + "/profiles/base.nix")
+  ];
+
+  ########################################################################################################
+  #                                                                                                      #
+  # Copied from:                                                                                         #
+  # https://github.com/nix-community/nixos-images/blob/main/nix/image-installer/module.nix#L46C3-L117C6  #
+  #                                                                                                      #
+  ########################################################################################################
+  systemd.tmpfiles.rules = [ "d /var/shared 0777 root root - -" ];
+  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+
+  hidden-ssh-announce = {
+    enable = true;
+    script = pkgs.writeShellScript "write-hostname" ''
+      set -efu
+      export PATH=${
+        lib.makeBinPath (
+          with pkgs;
+          [
+            iproute2
+            coreutils
+            jq
+            qrencode
+          ]
+        )
+      }
+
+      mkdir -p /var/shared
+      echo "$1" > /var/shared/onion-hostname
+      local_addrs=$(ip -json addr | jq '[map(.addr_info) | flatten | .[] | select(.scope == "global") | .local]')
+      jq -nc \
+        --arg onion_address "$(cat /var/shared/onion-hostname)" \
+        --argjson local_addrs "$local_addrs" \
+        '{ pass: null, tor: $onion_address, addrs: $local_addrs }' \
+        > /var/shared/login.json
+      cat /var/shared/login.json | qrencode -s 2 -m 2 -t utf8 -o /var/shared/qrcode.utf8
+    '';
+  };
+
+  services.getty.autologinUser = lib.mkForce "root";
+
+  console.earlySetup = true;
+  console.font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u22n.psf.gz";
+
+  # Less ipv6 addresses to reduce the noise
+  networking.tempAddresses = "disabled";
+
+  # Tango theme: https://yayachiken.net/en/posts/tango-colors-in-terminal/
+  console.colors = lib.mkDefault [
+    "000000"
+    "CC0000"
+    "4E9A06"
+    "C4A000"
+    "3465A4"
+    "75507B"
+    "06989A"
+    "D3D7CF"
+    "555753"
+    "EF2929"
+    "8AE234"
+    "FCE94F"
+    "739FCF"
+    "AD7FA8"
+    "34E2E2"
+    "EEEEEC"
+  ];
+
+  programs.bash.interactiveShellInit = ''
+    if [[ "$(tty)" =~ /dev/(tty1|hvc0|ttyS0)$ ]]; then
+      # workaround for https://github.com/NixOS/nixpkgs/issues/219239
+      systemctl restart systemd-vconsole-setup.service
+
+      watch --no-title --color ${network-status}
+    fi
+  '';
+}
--- a/nixosModules/zfs.nix
+++ b/nixosModules/zfs.nix
@@ -0,0 +1,16 @@
+{ lib, config, ... }:
+{
+  # Use the same default hostID as the NixOS install ISO and nixos-anywhere.
+  # This allows us to import zfs pool without using a force import.
+  # ZFS has this as a safety mechanism for networked block storage (ISCSI), but
+  # in practice we found it causes more breakages like unbootable machines,
+  # while people using ZFS on ISCSI is quite rare.
+  networking.hostId = lib.mkDefault "8425e349";
+
+  services.zfs = lib.mkIf (config.boot.zfs.enabled) {
+    autoSnapshot.enable = true;
+    # defaults to 12, which is a bit much given how much data is written
+    autoSnapshot.monthly = lib.mkDefault 1;
+    autoScrub.enable = true;
+  };
+}