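{ config, lib, modulesPath, pkgs, ... }:
let
  # Helper that re-applies the addresses/routes captured by the kexec-run
  # script (as `ip --json` dumps) once the kexec'ed system is up.
  # See systemd.services.restoreNetwork below for how it is invoked.
  restoreNetwork = pkgs.writers.writePython3Bin "restore-network" {
    flakeIgnore = [ "E501" ];
  } ./restore_routes.py;
in {
  imports = [
    (modulesPath + "/installer/netboot/netboot-minimal.nix")
  ];

  # We are stateless, so just default to latest.
  system.stateVersion = config.system.nixos.version;

  # This is a variant of the upstream kexecScript that also allows embedding
  # a ssh key.
  #
  # The script runs on the *host* that is about to be replaced: it collects
  # ssh authorized keys, ssh host keys and the current network configuration,
  # appends them to the initrd as an extra cpio archive, loads the new kernel
  # with kexec and finally triggers the reboot from a detached background job.
  system.build.kexecRun = lib.mkForce (pkgs.writeScript "kexec-run" ''
    #!/usr/bin/env bash
    set -ex
    shopt -s nullglob
    SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    # mktemp -d creates the directory with mode 700; it will hold private
    # host keys for a short while, so keep it next to the script rather than
    # in a shared /tmp.
    INITRD_TMP=$(TMPDIR=$SCRIPT_DIR mktemp -d)
    cd "$INITRD_TMP"
    pwd
    mkdir -p initrd/ssh
    pushd initrd
    if [ -e /root/.ssh/authorized_keys ]; then
      # workaround for debian shenanigans: some cloud images prefix root's keys
      # with options (e.g. a forced command asking to log in as another user).
      # We keep only the key itself, which also drops any key options.
      # Accept plain ssh-*, ecdsa-* and FIDO (sk-*) key types; grep exits 1 and
      # aborts the script (set -e) when the file contains no recognisable key.
      grep -oE '(sk-)?(ssh|ecdsa)-[^ ]+ .*' /root/.ssh/authorized_keys >> ssh/authorized_keys
    fi
    if [ -e /etc/ssh/authorized_keys.d/root ]; then
      cat /etc/ssh/authorized_keys.d/root >> ssh/authorized_keys
    fi
    # Carry the host keys over so the new system keeps the same ssh host
    # identity. This includes the private keys; the copy lives only in
    # $INITRD_TMP, which is removed after kexec --load below.
    for p in /etc/ssh/ssh_host_*; do
      cp -a "$p" ssh
    done

    # save the networking config for later use
    if type -p ip &>/dev/null; then
      ip --json addr > addrs.json
      ip --json route > routes.json
    else
      echo "Skip saving static network addresses because no iproute2 binary is available." >&2
      echo "The image can depends only on DHCP to get network after reboot!" >&2
    fi
    find | cpio -o -H newc | gzip -9 > ../extra.gz
    popd
    # Concatenating cpio archives is valid: the kernel unpacks both in order.
    cat "''${SCRIPT_DIR}/initrd" extra.gz > final-initrd

    "$SCRIPT_DIR/kexec" --load "''${SCRIPT_DIR}/bzImage" \
      --initrd=final-initrd \
      --command-line "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}"

    # kexec will map the new kernel in memory so we can remove the kernel at this point
    rm -r "$INITRD_TMP"

    # Disconnect our background kexec from the terminal
    echo "machine will boot into nixos in in 6s..."
    if [[ -e /dev/kmsg ]]; then
      # this makes logging visible in `dmesg`, or the system console or tools like journald
      exec > /dev/kmsg 2>&1
    else
      exec > /dev/null 2>&1
    fi
    # We will kexec in background so we can cleanly finish the script before the hosts go down.
    # This makes integration with tools like terraform easier.
    nohup bash -c "sleep 6 && '$SCRIPT_DIR/kexec' -e" &
  '');

  # Tarball shipped to the target host: kernel, initrd, the run script above
  # and a static kexec binary so nothing needs to be installed on the host.
  system.build.kexecTarball = pkgs.runCommand "kexec-tarball" {} ''
    mkdir kexec $out
    cp "${config.system.build.netbootRamdisk}/initrd" kexec/initrd
    cp "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}" kexec/bzImage
    cp "${config.system.build.kexecRun}" kexec/run
    cp "${pkgs.pkgsStatic.kexec-tools}/bin/kexec" kexec/kexec
    tar -czvf $out/nixos-kexec-installer-${pkgs.stdenv.hostPlatform.system}.tar.gz kexec
  '';

  # IPMI SOL console redirection stuff
  boot.kernelParams = [
    "console=ttyS0,115200n8"
    "console=ttyAMA0,115200n8"
    "console=tty0"
  ];

  documentation.enable = false;
  # Not really needed. Saves a few bytes and the only service we are running is sshd, which we want to be reachable.
  networking.firewall.enable = false;

  # for detection if we are on kexec
  environment.etc.is_kexec.text = "true";

  # Re-apply the network configuration saved by kexec-run. The unit only
  # starts when both JSON dumps were restored from the initrd (see
  # boot.initrd.postMountCommands), i.e. it is a no-op on DHCP-only hosts.
  systemd.services.restoreNetwork = {
    path = [
      pkgs.iproute2
    ];
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig.ExecStart = "${restoreNetwork} /root/network/addrs.json /root/network/routes.json";

    unitConfig.ConditionPathExists = [
      "/root/network/addrs.json"
      "/root/network/routes.json"
    ];
  };

  # Restore ssh host and user keys if they are available.
  # This avoids warnings of unknown ssh keys.
  # The files come from the extra cpio archive appended by kexec-run, so paths
  # like ssh/authorized_keys are relative to the initrd root.
  boot.initrd.postMountCommands = ''
    mkdir -m 700 -p /mnt-root/root/.ssh
    mkdir -m 755 -p /mnt-root/etc/ssh
    mkdir -m 755 -p /mnt-root/root/network
    if [[ -f ssh/authorized_keys ]]; then
      install -m 400 ssh/authorized_keys /mnt-root/root/.ssh
    fi
    # Host keys (private ones included) are installed root-only; sshd runs as
    # root so 400 is sufficient for the public halves too.
    install -m 400 ssh/ssh_host_* /mnt-root/etc/ssh
    cp *.json /mnt-root/root/network/
  '';
}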