push sheeet

This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions


@@ -0,0 +1,5 @@
# Set `hardware.enableAllHardware = true` instead of importing this file.
# This file provides backwards compatibility for older configurations.
{
hardware.enableAllHardware = true;
}


@@ -0,0 +1,70 @@
# This module defines the software packages included in the "minimal"
# installation CD. It might be useful elsewhere.
{
config,
lib,
pkgs,
...
}:
{
# Include some utilities that are useful for installing or repairing
# the system.
environment.systemPackages = [
pkgs.w3m-nographics # needed for the manual anyway
pkgs.testdisk # useful for repairing boot problems
pkgs.ms-sys # for writing Microsoft boot sectors / MBRs
pkgs.efibootmgr
pkgs.efivar
pkgs.parted
pkgs.gptfdisk
pkgs.ddrescue
pkgs.ccrypt
pkgs.cryptsetup # needed for dm-crypt volumes
# Some text editors.
pkgs.vim
# Some networking tools.
pkgs.fuse
pkgs.fuse3
pkgs.sshfs-fuse
pkgs.socat
pkgs.screen
pkgs.tcpdump
# Hardware-related tools.
pkgs.sdparm
pkgs.hdparm
pkgs.smartmontools # for diagnosing hard disks
pkgs.pciutils
pkgs.usbutils
pkgs.nvme-cli
# Some compression/archiver tools.
pkgs.unzip
pkgs.zip
# Some utilities
pkgs.jq
];
# Include support for various filesystems and tools to create / manipulate them.
boot.supportedFilesystems = lib.mkMerge [
[
"btrfs"
"cifs"
"f2fs"
"ntfs"
"vfat"
"xfs"
]
(lib.mkIf (lib.meta.availableOn pkgs.stdenv.hostPlatform config.boot.zfs.package) {
zfs = lib.mkDefault true;
})
];
# Configure host id for ZFS to work
networking.hostId = lib.mkDefault "8425e349";
}
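Review bot: `networking.hostId = lib.mkDefault "8425e349";` on the last line of this section gives every image built from the profile the same host id, and the comment only says it is needed for ZFS. As far as I know ZFS records the importing host's id in the pool and refuses a plain import from a different id, so a fixed shared value is fine for throwaway installer media but must not be carried over into an installed system's configuration. I would extend the comment to say so, e.g. `# Fixed placeholder host id so ZFS can import pools on the live medium; installed systems need their own.`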


@@ -0,0 +1,120 @@
{
config,
lib,
pkgs,
modules,
...
}:
with lib;
let
# Location of the repository on the harddrive
nixosPath = toString ../..;
# Check if the path is from the NixOS repository
isNixOSFile =
path:
let
s = toString path;
in
removePrefix nixosPath s != s;
# Copy modules given as extra configuration files. Unfortunately, we
# cannot serialized attribute set given in the list of modules (that's why
# you should use files).
moduleFiles =
# FIXME: use typeOf (Nix 1.6.1).
filter (x: !isAttrs x && !lib.isFunction x) modules;
# Partition module files because between NixOS and non-NixOS files. NixOS
# files may change if the repository is updated.
partitionedModuleFiles =
let
p = partition isNixOSFile moduleFiles;
in
{
nixos = p.right;
others = p.wrong;
};
# Path transformed to be valid on the installation device. Thus the
# device configuration could be rebuild.
relocatedModuleFiles =
let
relocateNixOS = path: "<nixpkgs/nixos" + removePrefix nixosPath (toString path) + ">";
in
{
nixos = map relocateNixOS partitionedModuleFiles.nixos;
others = [ ]; # TODO: copy the modules to the install-device repository.
};
# A dummy /etc/nixos/configuration.nix in the booted CD that
# rebuilds the CD's configuration (and allows the configuration to
# be modified, of course, providing a true live CD). Problem is
# that we don't really know how the CD was built - the Nix
# expression language doesn't allow us to query the expression being
# evaluated. So we'll just hope for the best.
configClone = pkgs.writeText "configuration.nix" ''
{ config, pkgs, ... }:
{
imports = [ ${toString config.installer.cloneConfigIncludes} ];
${config.installer.cloneConfigExtra}
}
'';
in
{
options = {
installer.cloneConfig = mkOption {
default = true;
description = ''
Try to clone the installation-device configuration by re-using it's
profile from the list of imported modules.
'';
};
installer.cloneConfigIncludes = mkOption {
default = [ ];
example = [ "./nixos/modules/hardware/network/rt73.nix" ];
description = ''
List of modules used to re-build this installation device profile.
'';
};
installer.cloneConfigExtra = mkOption {
default = "";
description = ''
Extra text to include in the cloned configuration.nix included in this
installer.
'';
};
};
config = {
installer.cloneConfigIncludes = relocatedModuleFiles.nixos ++ relocatedModuleFiles.others;
boot.postBootCommands = ''
# Provide a mount point for nixos-install.
mkdir -p /mnt
${optionalString config.installer.cloneConfig ''
# Provide a configuration for the CD/DVD itself, to allow users
# to run nixos-rebuild to change the configuration of the
# running system on the CD/DVD.
if ! [ -e /etc/nixos/configuration.nix ]; then
cp ${configClone} /etc/nixos/configuration.nix
fi
''}
'';
};
}
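Review bot: Out-of-tree module files are dropped silently: `others = [ ];` at the TODO inside `relocatedModuleFiles` means `installer.cloneConfigIncludes` only ever receives the `<nixpkgs/nixos...>` paths, so a configuration built from extra files outside the repository yields a cloned `configuration.nix` that rebuilds something different with no indication. At minimum the option description should state it, e.g. `Only modules located inside the nixpkgs checkout are cloned; other module files are currently omitted.`, or the partition result could be surfaced with `lib.warnIf (partitionedModuleFiles.others != [ ]) "..."`. The `FIXME: use typeOf (Nix 1.6.1)` comment on `moduleFiles` is stale and can go, and `with lib;` at the top is the style nixpkgs has been moving away from in favour of `inherit (lib) ...;`.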


@@ -0,0 +1,64 @@
{ config, pkgs, ... }:
let
inherit (pkgs) writeScript;
pkgs2storeContents = map (x: {
object = x;
symlink = "none";
});
in
{
# Docker image config.
imports = [
../installer/cd-dvd/channel.nix
./minimal.nix
./clone-config.nix
];
# Create the tarball
system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
contents = [
{
source = "${config.system.build.toplevel}/.";
target = "./";
}
];
extraArgs = "--owner=0";
# Add init script to image
storeContents = pkgs2storeContents [
config.system.build.toplevel
pkgs.stdenv
];
# Some container managers like lxc need these
extraCommands =
let
script = writeScript "extra-commands.sh" ''
rm etc
mkdir -p proc sys dev etc
'';
in
script;
};
boot.isContainer = true;
boot.postBootCommands = ''
# After booting, register the contents of the Nix store in the Nix
# database.
if [ -f /nix-path-registration ]; then
${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
rm /nix-path-registration
fi
# nixos-rebuild also requires a "system" profile
${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
'';
# Install new init script
system.activationScripts.installInitScript = ''
ln -fs $systemConfig/init /init
'';
}
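Review bot: `rm etc` in `extra-commands.sh` carries no comment and no `-f`, so whoever reads it has to work out that the `${config.system.build.toplevel}/.` copy above presumably leaves `etc` as a symlink; if a real directory ever lands there the command fails with "Is a directory" and the tarball build aborts. A line such as `# etc is the toplevel's symlink; replace it with a real directory for lxc` (confirm against make-system-tarball) would make the intent and the assumption visible.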


@@ -0,0 +1,21 @@
# This module defines a NixOS configuration with the Plasma 6 desktop.
# It's used by the graphical installation CD.
{ pkgs, ... }:
{
services.xserver = {
enable = true;
desktopManager.plasma6.enable = true;
};
services = {
displayManager.sddm.enable = true;
libinput.enable = true; # for touchpad support on many laptops
};
environment.systemPackages = [
pkgs.mesa-demos
pkgs.firefox
];
}


@@ -0,0 +1,137 @@
# A profile with most (vanilla) hardening options enabled by default,
# potentially at the cost of stability, features and performance.
#
# This profile enables options that are known to affect system
# stability. If you experience any stability issues when using the
# profile, try disabling it. If you report an issue and use this
# profile, always mention that you do.
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkDefault
mkOverride
mkEnableOption
mkIf
maintainers
;
in
{
options.profiles.hardened = mkEnableOption "hardened" // {
default = true;
example = false;
};
config = mkIf config.profiles.hardened {
meta = {
maintainers = [
maintainers.joachifm
maintainers.emily
];
};
boot.kernelPackages = mkDefault pkgs.linuxKernel.packages.linux_hardened;
nix.settings.allowed-users = mkDefault [ "@users" ];
environment.memoryAllocator.provider = mkDefault "scudo";
environment.variables.SCUDO_OPTIONS = mkDefault "zero_contents=true";
security.lockKernelModules = mkDefault true;
security.protectKernelImage = mkDefault true;
security.allowSimultaneousMultithreading = mkDefault false;
security.forcePageTableIsolation = mkDefault true;
# This is required by podman to run containers in rootless mode.
security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
security.virtualisation.flushL1DataCache = mkDefault "always";
security.apparmor.enable = mkDefault true;
security.apparmor.killUnconfinedConfinables = mkDefault true;
boot.kernelParams = [
# Don't merge slabs
"slab_nomerge"
# Overwrite free'd pages
"page_poison=1"
# Enable page allocator randomization
"page_alloc.shuffle=1"
# Disable debugfs
"debugfs=off"
];
boot.blacklistedKernelModules = [
# Obscure network protocols
"ax25"
"netrom"
"rose"
# Old or rare or insufficiently audited filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"freevxfs"
"f2fs"
"hfs"
"hpfs"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
];
# Hide kptrs even for processes with CAP_SYSLOG
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
# Disable bpf() JIT (to eliminate spray attacks)
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
# Enable strict reverse path filtering (that is, do not attempt to route
# packets that "obviously" do not belong to the iface's network; dropped
# packets are logged as martians).
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
# Ignore broadcast ICMP (mitigate SMURF)
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set)
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
# Ignore outgoing ICMP redirects (this is ipv4 only)
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
};
}
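Review bot: `boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;` is the only setting in this section with a custom priority and nothing says why; `# priority 500: beats other modules' mkDefault (1000) but still yields to an explicit user value (100)` would save the next reader a trip into lib. Separately, `boot.blacklistedKernelModules` lists `f2fs` and `ntfs` while the installer base section earlier on this page puts both into `boot.supportedFilesystems`; on a system importing both profiles the blacklist should, as far as I can tell, stop those modules from autoloading, so a comment stating that this profile is not meant to be combined with installation media (or which setting is expected to win) would help.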


@@ -0,0 +1,26 @@
# Common configuration for headless machines (e.g., Amazon EC2
# instances).
{ lib, ... }:
{
# Don't start a tty on the serial consoles.
systemd.services."serial-getty@ttyS0".enable = lib.mkDefault false;
systemd.services."serial-getty@hvc0".enable = false;
systemd.services."getty@tty1".enable = false;
systemd.services."autovt@".enable = false;
# Since we can't manually respond to a panic, just reboot.
boot.kernelParams = [
"panic=1"
"boot.panic_on_fail"
"vga=0x317"
"nomodeset"
];
# Don't allow emergency mode, because we don't have a console.
systemd.enableEmergencyMode = false;
# Being headless, we don't need a GRUB splash image.
boot.loader.grub.splashImage = null;
}
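Review bot: Of the four getty units disabled at the top of this section only `serial-getty@ttyS0` uses `lib.mkDefault`; the other three are hard `false`, so a downstream module can re-enable ttyS0 with a plain assignment but needs `lib.mkForce` for hvc0, tty1 and autovt. If the asymmetry is intentional (ttyS0 being the console a cloud provider may expose), a one-line comment such as `# ttyS0 stays overridable: cloud images may expose it as the serial console` documents it; otherwise the remaining three should get `lib.mkDefault` too.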


@@ -0,0 +1,26 @@
# This profile sets up a system for image based appliance usage. An appliance is
# installed as an image, cannot be re-built, has no Nix available, and is
# generally not meant for interactive use. Updates to such an appliance are
# handled by updating whole partition images via a tool like systemd-sysupdate.
{ lib, modulesPath, ... }:
{
# Appliances are always "minimal".
imports = [
"${modulesPath}/profiles/minimal.nix"
];
# The system cannot be rebuilt.
nix.enable = false;
system.switch.enable = false;
# The system is static.
users.mutableUsers = false;
# The system avoids interpreters as much as possible to reduce its attack
# surface.
boot.initrd.systemd.enable = lib.mkDefault true;
networking.useNetworkd = lib.mkDefault true;
}


@@ -0,0 +1,146 @@
# Provide a basic configuration for installation devices like CDs.
{
config,
pkgs,
lib,
...
}:
with lib;
{
imports = [
# Enable devices which are usually scanned, because we don't know the
# target system.
../installer/scan/detected.nix
../installer/scan/not-detected.nix
# Allow "nixos-rebuild" to work properly by providing
# /etc/nixos/configuration.nix.
./clone-config.nix
# Include a copy of Nixpkgs so that nixos-install works out of
# the box.
../installer/cd-dvd/channel.nix
];
config = {
system.nixos.variant_id = lib.mkDefault "installer";
# Enable in installer, even if the minimal profile disables it.
documentation.enable = mkImageMediaOverride true;
# Show the manual.
documentation.nixos.enable = mkImageMediaOverride true;
# Use less privileged nixos user
users.users.nixos = {
isNormalUser = true;
extraGroups = [
"wheel"
"networkmanager"
"video"
];
# Allow the graphical user to login without password
initialHashedPassword = "";
};
# Allow the user to log in as root without a password.
users.users.root.initialHashedPassword = "";
# Don't require sudo/root to `reboot` or `poweroff`.
security.polkit.enable = true;
# Allow passwordless sudo from nixos user
security.sudo = {
enable = mkDefault true;
wheelNeedsPassword = mkImageMediaOverride false;
};
# Automatically log in at the virtual consoles.
services.getty.autologinUser = "nixos";
# Some more help text.
services.getty.helpLine = ''
The "nixos" and "root" accounts have empty passwords.
To log in over ssh you must set a password for either "nixos" or "root"
with `passwd` (prefix with `sudo` for "root"), or add your public key to
/home/nixos/.ssh/authorized_keys or /root/.ssh/authorized_keys.
To set up a wireless connection, run `nmtui`.
''
+ optionalString config.services.xserver.enable ''
Type `sudo systemctl start display-manager' to
start the graphical user interface.
'';
# We run sshd by default. Login is only possible after adding a
# password via "passwd" or by adding a ssh key to ~/.ssh/authorized_keys.
# The latter one is particular useful if keys are manually added to
# installation device for head-less systems i.e. arm boards by manually
# mounting the storage in a different system.
services.openssh = {
enable = mkDefault true;
settings.PermitRootLogin = mkDefault "yes";
};
# Provide networkmanager for easy network configuration.
networking.networkmanager.enable = true;
# Tell the Nix evaluator to garbage collect more aggressively.
# This is desirable in memory-constrained environments that don't
# (yet) have swap set up.
environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
# Make the installer more likely to succeed in low memory
# environments. The kernel's overcommit heustistics bite us
# fairly often, preventing processes such as nix-worker or
# download-using-manifests.pl from forking even if there is
# plenty of free memory.
boot.kernel.sysctl."vm.overcommit_memory" = "1";
# To speed up installation a little bit, include the complete
# stdenvNoCC in the Nix store on the CD.
system.extraDependencies =
with pkgs;
[
stdenvNoCC # for runCommand
busybox
# For boot.initrd.systemd
makeInitrdNGTool
]
++ jq.all; # for closureInfo
boot.swraid.enable = true;
# remove warning about unset mail
boot.swraid.mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true";
# Show all debug messages from the kernel but don't log refused packets
# because we have the firewall enabled. This makes installs from the
# console less cumbersome if the machine has a public IP.
networking.firewall.logRefusedConnections = mkDefault false;
# Prevent installation media from evacuating persistent storage, as their
# var directory is not persistent and it would thus result in deletion of
# those entries.
environment.etc."systemd/pstore.conf".text = ''
[PStore]
Unlink=no
'';
# allow nix-copy to live system
nix.settings.trusted-users = [ "nixos" ];
# Install less voices for speechd to save some space
nixpkgs.overlays = [
(_: prev: {
mbrola-voices = prev.mbrola-voices.override {
# only ship with one voice per language
languages = [ "*1" ];
};
})
];
};
}
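Review bot: The help text in `services.getty.helpLine` promises that ssh login is only possible after setting a password, but the `services.openssh` block below only sets `PermitRootLogin`; with both `nixos` and `root` given `initialHashedPassword = ""`, that promise rests on sshd's built-in default of `PermitEmptyPasswords no`, which nothing here pins. Adding `settings.PermitEmptyPasswords = mkDefault "no";` next to `PermitRootLogin` turns the assumption into configuration and keeps the help text truthful if another module loosens the setting. Also, `# Use less privileged nixos user` undersells the account: it sits in `wheel` with `wheelNeedsPassword = false` and in `nix.settings.trusted-users`, so it is root-equivalent; `# Ordinary login account; note it has passwordless sudo and is a Nix trusted user` is more accurate.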


@@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCQVnMW/wZWqrdWrjrRPhfEFFq1KLYguagSflLhFnVQmwAAAJASuMMnErjD
JwAAAAtzc2gtZWQyNTUxOQAAACCQVnMW/wZWqrdWrjrRPhfEFFq1KLYguagSflLhFnVQmw
AAAEDIN2VWFyggtoSPXcAFy8dtG1uAig8sCuyE21eMDt2GgJBWcxb/Blaqt1auOtE+F8QU
WrUotiC5qBJ+UuEWdVCbAAAACnJvb3RAbml4b3MBAgM=
-----END OPENSSH PRIVATE KEY-----


@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBWcxb/Blaqt1auOtE+F8QUWrUotiC5qBJ+UuEWdVCb root@nixos


@@ -0,0 +1,6 @@
let
lib = import ../../../lib;
in
lib.warnIf (lib.isInOldestRelease 2411)
"nixos/modules/profiles/macos-builder.nix has moved to nixos/modules/profiles/nix-builder-vm.nix; please update your NixOS imports."
./nix-builder-vm.nix


@@ -0,0 +1,42 @@
# This module defines a small NixOS configuration. It does not
# contain any graphical stuff.
{
lib,
...
}:
let
inherit (lib) mkDefault;
in
{
documentation = {
enable = mkDefault false;
doc.enable = mkDefault false;
info.enable = mkDefault false;
man.enable = mkDefault false;
nixos.enable = mkDefault false;
};
environment = {
# Perl is a default package.
defaultPackages = mkDefault [ ];
stub-ld.enable = mkDefault false;
};
programs = {
command-not-found.enable = mkDefault false;
fish.generateCompletions = mkDefault false;
};
services = {
logrotate.enable = mkDefault false;
udisks2.enable = mkDefault false;
};
xdg = {
autostart.enable = mkDefault false;
icons.enable = mkDefault false;
mime.enable = mkDefault false;
sounds.enable = mkDefault false;
};
}


@@ -0,0 +1,314 @@
/*
This profile uses NixOS to create a remote builder VM to build Linux packages,
which can be used to build packages for Linux on other operating systems;
primarily macOS.
It contains both the relevant guest settings as well as an installer script
that manages it as a QEMU virtual machine on the host.
*/
{
config,
lib,
options,
...
}:
let
keysDirectory = "/var/keys";
user = "builder";
keyType = "ed25519";
cfg = config.virtualisation.darwin-builder;
in
{
imports = [
../virtualisation/qemu-vm.nix
# Avoid a dependency on stateVersion
{
disabledModules = [
../virtualisation/nixos-containers.nix
../services/x11/desktop-managers/xterm.nix
];
# swraid's default depends on stateVersion
config.boot.swraid.enable = false;
options.boot.isContainer = lib.mkOption {
default = false;
internal = true;
};
options.boot.isNspawnContainer = lib.mkOption {
default = false;
internal = true;
};
}
];
options.virtualisation.darwin-builder = with lib; {
diskSize = mkOption {
default = 20 * 1024;
type = types.int;
example = 30720;
description = "The maximum disk space allocated to the runner in MiB (1024×1024 bytes).";
};
memorySize = mkOption {
default = 3 * 1024;
type = types.int;
example = 8192;
description = "The runner's memory in MiB (1024×1024 bytes).";
};
min-free = mkOption {
default = 1024 * 1024 * 1024;
type = types.int;
example = 1073741824;
description = ''
The threshold (in bytes) of free disk space left at which to
start garbage collection on the runner
'';
};
max-free = mkOption {
default = 3 * 1024 * 1024 * 1024;
type = types.int;
example = 3221225472;
description = ''
The threshold (in bytes) of free disk space left at which to
stop garbage collection on the runner
'';
};
workingDirectory = mkOption {
default = ".";
type = types.str;
example = "/var/lib/darwin-builder";
description = ''
The working directory to use to run the script. When running
as part of a flake will need to be set to a non read-only filesystem.
'';
};
hostPort = mkOption {
default = 31022;
type = types.port;
example = 22;
description = ''
The localhost host port to forward TCP to the guest port.
'';
};
};
config = {
# The builder is not intended to be used interactively
documentation.enable = false;
environment.etc = {
"ssh/ssh_host_ed25519_key" = {
mode = "0600";
source = ./keys/ssh_host_ed25519_key;
};
"ssh/ssh_host_ed25519_key.pub" = {
mode = "0644";
source = ./keys/ssh_host_ed25519_key.pub;
};
};
# DNS fails for QEMU user networking (SLiRP) on macOS. See:
#
# https://github.com/utmapp/UTM/issues/2353
#
# This works around that by using a public DNS server other than the DNS
# server that QEMU provides (normally 10.0.2.3)
networking.nameservers = [ "8.8.8.8" ];
# The linux builder is a lightweight VM for remote building; not evaluation.
nix.channel.enable = false;
# Deployment is by image.
# TODO system.switch.enable = false;?
system.disableInstallerTools = true;
# Allow the system derivation to be substituted, so that
# users are less likely to run into a state where they need
# the builder running to build the builder if they just want
# to make a tweak that only affects the macOS side of things,
# like changing the QEMU args.
#
# TODO(winter): Move to qemu-vm? Trying it here for now as a
# low impact change that'll probably improve people's experience.
#
# (I have no clue what is going on in https://github.com/nix-darwin/nix-darwin/issues/1081
# though, as this fix would only apply to one person in that thread... hopefully someone
# comes across with a reproducer if this doesn't do it.)
system.systemBuilderArgs.allowSubstitutes = true;
nix.settings = {
min-free = cfg.min-free;
max-free = cfg.max-free;
trusted-users = [ user ];
};
services = {
getty.autologinUser = user;
openssh = {
enable = true;
authorizedKeysFiles = [ "${keysDirectory}/%u_${keyType}.pub" ];
};
};
system.build.macos-builder-installer =
let
privateKey = "/etc/nix/${user}_${keyType}";
publicKey = "${privateKey}.pub";
# This installCredentials script is written so that it's as easy as
# possible for a user to audit before confirming the `sudo`
installCredentials = hostPkgs.writeShellScript "install-credentials" ''
set -euo pipefail
KEYS="''${1}"
INSTALL=${hostPkgs.coreutils}/bin/install
"''${INSTALL}" -g nixbld -m 600 "''${KEYS}/${user}_${keyType}" ${privateKey}
"''${INSTALL}" -g nixbld -m 644 "''${KEYS}/${user}_${keyType}.pub" ${publicKey}
'';
hostPkgs = config.virtualisation.host.pkgs;
add-keys = hostPkgs.writeShellScriptBin "add-keys" (
''
set -euo pipefail
''
+
# When running as non-interactively as part of a DarwinConfiguration the working directory
# must be set to a writeable directory.
(
if cfg.workingDirectory != "." then
''
${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}"
cd "${cfg.workingDirectory}"
''
else
""
)
+ ''
KEYS="''${KEYS:-./keys}"
${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}"
PRIVATE_KEY="''${KEYS}/${user}_${keyType}"
PUBLIC_KEY="''${PRIVATE_KEY}.pub"
if [ ! -e "''${PRIVATE_KEY}" ] || [ ! -e "''${PUBLIC_KEY}" ]; then
${hostPkgs.coreutils}/bin/rm --force -- "''${PRIVATE_KEY}" "''${PUBLIC_KEY}"
${hostPkgs.openssh}/bin/ssh-keygen -q -f "''${PRIVATE_KEY}" -t ${keyType} -N "" -C 'builder@localhost'
fi
if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then
(set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}")
fi
''
);
run-builder = hostPkgs.writeShellScriptBin "run-builder" ''
set -euo pipefail
KEYS="''${KEYS:-./keys}"
KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${lib.getExe config.system.build.vm}
'';
script = hostPkgs.writeShellScriptBin "create-builder" ''
set -euo pipefail
export KEYS="''${KEYS:-./keys}"
${lib.getExe add-keys}
${lib.getExe run-builder}
'';
in
script.overrideAttrs (old: {
pos = __curPos; # sets meta.position to point here; see script binding above for package definition
meta = (old.meta or { }) // {
platforms = lib.platforms.darwin;
};
passthru = (old.passthru or { }) // {
# Let users in the repl inspect the config
nixosConfig = config;
nixosOptions = options;
inherit add-keys run-builder;
};
});
system = {
# To prevent gratuitous rebuilds on each change to Nixpkgs
nixos.revision = null;
# to be updated by module maintainers, see nixpkgs#325610
stateVersion = "24.05";
};
users.users."${user}" = {
isNormalUser = true;
};
security.polkit.enable = true;
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id === "org.freedesktop.login1.power-off" && subject.user === "${user}") {
return "yes";
} else {
return "no";
}
})
'';
virtualisation = {
diskSize = cfg.diskSize;
memorySize = cfg.memorySize;
forwardPorts = [
{
from = "host";
guest.port = 22;
host.port = cfg.hostPort;
}
];
# Disable graphics for the builder since users will likely want to run it
# non-interactively in the background.
graphics = false;
sharedDirectories.keys = {
source = "\"$KEYS\"";
target = keysDirectory;
};
# If we don't enable this option then the host will fail to delegate builds
# to the guest, because:
#
# - The host will lock the path to build
# - The host will delegate the build to the guest
# - The guest will attempt to lock the same path and fail because
# the lockfile on the host is visible on the guest
#
# Snapshotting the host's /nix/store as an image isolates the guest VM's
# /nix/store from the host's /nix/store, preventing this problem.
useNixStoreImage = true;
# Obviously the /nix/store needs to be writable on the guest in order for it
# to perform builds.
writableStore = true;
# This ensures that anything built on the guest isn't lost when the guest is
# restarted.
writableStoreUseTmpfs = false;
# Pass certificates from host to the guest otherwise when custom CA certificates
# are required we can't use the cached builder.
useHostCerts = true;
};
};
}
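Review bot: `networking.nameservers = [ "8.8.8.8" ];` is a plain assignment, so a user whose network blocks public resolvers has to reach for `lib.mkForce`; `networking.nameservers = lib.mkDefault [ "8.8.8.8" ];` keeps the SLiRP workaround while letting an ordinary override replace it. The `environment.etc."ssh/ssh_host_ed25519_key"` entry installs a private key that is checked into the repository (the key section earlier on this page), so the guest's SSH host identity cannot authenticate the VM to the host; that is tolerable only because the guest is reached through the localhost forward in `virtualisation.forwardPorts`, and the `environment.etc` block should say so, e.g. `# Well-known host key shipped in-tree: gives a stable known_hosts entry, not authentication.`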


@@ -0,0 +1,19 @@
{ lib, pkgs, ... }:
{
# Remove perl from activation
boot.initrd.systemd.enable = lib.mkDefault true;
system.etc.overlay.enable = lib.mkDefault true;
services.userborn.enable = lib.mkDefault true;
# Random perl remnants
system.tools.nixos-generate-config.enable = lib.mkDefault false;
boot.loader.grub.enable = lib.mkDefault false;
environment.defaultPackages = lib.mkDefault [ ];
documentation.info.enable = lib.mkDefault false;
documentation.nixos.enable = lib.mkDefault false;
# Check that the system does not contain a Nix store path that contains the
# string "perl".
system.forbiddenDependenciesRegexes = [ "perl" ];
}


@@ -0,0 +1,22 @@
# Common configuration for virtual machines running under QEMU (using
# virtio).
{ ... }:
{
boot.initrd.availableKernelModules = [
"virtio_net"
"virtio_pci"
"virtio_mmio"
"virtio_blk"
"virtio_scsi"
"9p"
"9pnet_virtio"
];
boot.initrd.kernelModules = [
"virtio_balloon"
"virtio_console"
"virtio_rng"
"virtio_gpu"
];
}