move out code from kexec-installer into its own module
This commit is contained in:
parent
3758c6481c
commit
9089946fc0
2 changed files with 63 additions and 63 deletions
56
nix/installer.nix
Normal file
56
nix/installer.nix
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
{ config, lib, pkgs, ... }: {
|
||||||
|
# We are stateless, so just default to latest.
|
||||||
|
system.stateVersion = config.system.nixos.version;
|
||||||
|
|
||||||
|
# use latest kernel we can support to get more hardware support
|
||||||
|
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||||
|
|
||||||
|
# IPMI SOL console redirection stuff
|
||||||
|
boot.kernelParams =
|
||||||
|
[ "console=tty0" ] ++
|
||||||
|
(lib.optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) "console=ttyAMA0,115200") ++
|
||||||
|
(lib.optional (pkgs.stdenv.hostPlatform.isRiscV) "console=ttySIF0,115200") ++
|
||||||
|
[ "console=ttyS0,115200" ];
|
||||||
|
|
||||||
|
documentation.enable = false;
|
||||||
|
# Not really needed. Saves a few bytes and the only service we are running is sshd, which we want to be reachable.
|
||||||
|
networking.firewall.enable = false;
|
||||||
|
|
||||||
|
systemd.network.enable = true;
|
||||||
|
networking.dhcpcd.enable = false;
|
||||||
|
|
||||||
|
# for zapping of disko
|
||||||
|
environment.systemPackages = [ pkgs.jq ];
|
||||||
|
|
||||||
|
systemd.services.log-network-status = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
# No point in restarting this. We just need this after boot
|
||||||
|
restartIfChanged = false;
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
StandardOutput = "journal+console";
|
||||||
|
ExecStart = [
|
||||||
|
# Allow failures, so it still prints what interfaces we have even if we
|
||||||
|
# not get online
|
||||||
|
"-${pkgs.systemd}/lib/systemd/systemd-networkd-wait-online"
|
||||||
|
"${pkgs.iproute2}/bin/ip -c addr"
|
||||||
|
"${pkgs.iproute2}/bin/ip -c -6 route"
|
||||||
|
"${pkgs.iproute2}/bin/ip -c -4 route"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Restore ssh host and user keys if they are available.
|
||||||
|
# This avoids warnings of unknown ssh keys.
|
||||||
|
boot.initrd.postMountCommands = ''
|
||||||
|
mkdir -m 700 -p /mnt-root/root/.ssh
|
||||||
|
mkdir -m 755 -p /mnt-root/etc/ssh
|
||||||
|
mkdir -m 755 -p /mnt-root/root/network
|
||||||
|
if [[ -f ssh/authorized_keys ]]; then
|
||||||
|
install -m 400 ssh/authorized_keys /mnt-root/root/.ssh
|
||||||
|
fi
|
||||||
|
install -m 400 ssh/ssh_host_* /mnt-root/etc/ssh
|
||||||
|
cp *.json /mnt-root/root/network/
|
||||||
|
'';
|
||||||
|
}
|
|
@ -1,14 +1,15 @@
|
||||||
{ config, lib, modulesPath, pkgs, ... }:
|
{ config, lib, modulesPath, pkgs, ... }:
|
||||||
let
|
let
|
||||||
restore-network = pkgs.writers.writePython3 "restore-network" {
|
restore-network = pkgs.writers.writePython3 "restore-network" { flakeIgnore = [ "E501" ]; }
|
||||||
flakeIgnore = ["E501"];
|
./restore_routes.py;
|
||||||
} ./restore_routes.py;
|
|
||||||
|
|
||||||
# does not link with iptables enabled
|
# does not link with iptables enabled
|
||||||
iprouteStatic = pkgs.pkgsStatic.iproute2.override { iptables = null; };
|
iprouteStatic = pkgs.pkgsStatic.iproute2.override { iptables = null; };
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/installer/netboot/netboot-minimal.nix")
|
(modulesPath + "/installer/netboot/netboot-minimal.nix")
|
||||||
|
../installer.nix
|
||||||
];
|
];
|
||||||
options = {
|
options = {
|
||||||
system.kexec-installer.name = lib.mkOption {
|
system.kexec-installer.name = lib.mkOption {
|
||||||
|
@ -21,12 +22,6 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
# We are stateless, so just default to latest.
|
|
||||||
system.stateVersion = config.system.nixos.version;
|
|
||||||
|
|
||||||
# use latest kernel we can support to get more hardware support
|
|
||||||
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
|
||||||
|
|
||||||
# This is a variant of the upstream kexecScript that also allows embedding
|
# This is a variant of the upstream kexecScript that also allows embedding
|
||||||
# a ssh key.
|
# a ssh key.
|
||||||
system.build.kexecRun = pkgs.runCommand "kexec-run" { } ''
|
system.build.kexecRun = pkgs.runCommand "kexec-run" { } ''
|
||||||
|
@ -54,28 +49,9 @@ in {
|
||||||
tar -czvf $out/${config.system.kexec-installer.name}-${pkgs.stdenv.hostPlatform.system}.tar.gz kexec
|
tar -czvf $out/${config.system.kexec-installer.name}-${pkgs.stdenv.hostPlatform.system}.tar.gz kexec
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# IPMI SOL console redirection stuff
|
|
||||||
boot.kernelParams =
|
|
||||||
[ "console=tty0" ] ++
|
|
||||||
(lib.optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) "console=ttyAMA0,115200") ++
|
|
||||||
(lib.optional (pkgs.stdenv.hostPlatform.isRiscV) "console=ttySIF0,115200") ++
|
|
||||||
[ "console=ttyS0,115200" ];
|
|
||||||
|
|
||||||
documentation.enable = false;
|
|
||||||
# Not really needed. Saves a few bytes and the only service we are running is sshd, which we want to be reachable.
|
|
||||||
networking.firewall.enable = false;
|
|
||||||
|
|
||||||
systemd.network.enable = true;
|
|
||||||
networking.dhcpcd.enable = false;
|
|
||||||
|
|
||||||
# for detection if we are on kexec
|
# for detection if we are on kexec
|
||||||
environment.etc.is_kexec.text = "true";
|
environment.etc.is_kexec.text = "true";
|
||||||
|
|
||||||
# for zapping of disko
|
|
||||||
environment.systemPackages = [
|
|
||||||
pkgs.jq
|
|
||||||
];
|
|
||||||
|
|
||||||
systemd.services.restore-network = {
|
systemd.services.restore-network = {
|
||||||
before = [ "network-pre.target" ];
|
before = [ "network-pre.target" ];
|
||||||
wants = [ "network-pre.target" ];
|
wants = [ "network-pre.target" ];
|
||||||
|
@ -95,37 +71,5 @@ in {
|
||||||
"/root/network/routes-v6.json"
|
"/root/network/routes-v6.json"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.log-network-status = {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
# No point in restarting this. We just need this after boot
|
|
||||||
restartIfChanged = false;
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
StandardOutput = "journal+console";
|
|
||||||
ExecStart = [
|
|
||||||
# Allow failures, so it still prints what interfaces we have even if we
|
|
||||||
# not get online
|
|
||||||
"-${pkgs.systemd}/lib/systemd/systemd-networkd-wait-online"
|
|
||||||
"${pkgs.iproute2}/bin/ip -c addr"
|
|
||||||
"${pkgs.iproute2}/bin/ip -c -6 route"
|
|
||||||
"${pkgs.iproute2}/bin/ip -c -4 route"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Restore ssh host and user keys if they are available.
|
|
||||||
# This avoids warnings of unknown ssh keys.
|
|
||||||
boot.initrd.postMountCommands = ''
|
|
||||||
mkdir -m 700 -p /mnt-root/root/.ssh
|
|
||||||
mkdir -m 755 -p /mnt-root/etc/ssh
|
|
||||||
mkdir -m 755 -p /mnt-root/root/network
|
|
||||||
if [[ -f ssh/authorized_keys ]]; then
|
|
||||||
install -m 400 ssh/authorized_keys /mnt-root/root/.ssh
|
|
||||||
fi
|
|
||||||
install -m 400 ssh/ssh_host_* /mnt-root/etc/ssh
|
|
||||||
cp *.json /mnt-root/root/network/
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue