prepare host for nixos
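# Without .DELETE_ON_ERROR a download whose checksum does not match (or a
# partial wget) stays on disk and make treats it as up to date next time.
.DELETE_ON_ERROR:

# Fetch the installer ISO and verify it against the upstream checksum list.
# The list names the versioned ISO; sed rewrites that name to the local file
# name so `sha256sum -c` can find it. Both files come from the same origin,
# so this guards against corrupt/partial downloads, not a compromised channel.
# curl -f: fail on an HTTP error instead of piping an error page onward.
latest-nixos-minimal-x86_64-linux.iso:
	wget https://channels.nixos.org/nixos-20.03/latest-nixos-minimal-x86_64-linux.iso
	curl -fLs https://channels.nixos.org/nixos-20.03/latest-nixos-minimal-x86_64-linux.iso.sha256 \
	  | grep -F .iso | head -n1 \
	  | sed 's|nixos-minimal-.\+|latest-nixos-minimal-x86_64-linux.iso|' \
	  | sha256sum -c -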
# Empty 10G disk image the VM installs onto (raw is qemu-img's default
# format; spelled out for readers).
root.img:
	qemu-img create -f raw root.img 10G
# Boot the installer ISO (-boot d = CD-ROM first) with root.img attached as
# the first hard disk.
.PHONY: install
install: latest-nixos-minimal-x86_64-linux.iso root.img
	qemu-system-x86_64 -m 2048 -boot d -cdrom ./latest-nixos-minimal-x86_64-linux.iso -hda ./root.img
# Boot the installed system from root.img. "-boot d" is kept from the
# original; with no -cdrom attached it presumably falls through to the disk.
.PHONY: run
run: root.img
	qemu-system-x86_64 -m 2048 -boot d -hda ./root.img
# Serve the current directory over HTTP (python's default: port 8000, all
# interfaces) so the guest can fetch the prepare script. Note this exposes
# everything in the directory, including root.img, to the network.
.PHONY: serve
serve:
	python3 -m http.server
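# Remove build artefacts. rm -f already succeeds when the files are absent,
# so the former "|| true" only hid real errors (e.g. permissions).
.PHONY: clean
clean:
	rm -f -- root.img latest-nixos-minimal-x86_64-linux.iso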
#!/usr/bin/env bash
# Prepare a disk for a NixOS install: partition /dev/$dev, create a LUKS
# "key" volume filled with random data and a LUKS "system" volume unlocked by
# a slice of it, format btrfs, mount under /mnt and write the initial
# configuration.nix / hardware-configuration.nix.
# Everything on /dev/$dev is destroyed; needs privileges to partition and
# format it.
set -e
# Target disk, without the /dev/ prefix. Partitions are addressed as
# /dev/${dev}1 (boot), /dev/${dev}2 (key), /dev/${dev}3 (system) below.
dev=sda
# Boot defaults; init() switches these to false / ext4 when `efivar --list`
# fails.
efi=true
boot_fs=vfat
# Written verbatim into the generated configuration.nix (system.stateVersion).
state_version="20.03"
# Hardware profile imported by the generated hardware-configuration.nix;
# init() replaces it with the qemu-guest profile when every entry in
# /dev/disk/by-id matches "qemu" (or the listing fails).
profile="<nixpkgs/nixos/modules/installer/scan/not-detected.nix>"
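#######################################
# Ask the operator for confirmation before the destructive steps start.
# Installs an EXIT trap that prints NOT OK on a non-zero exit and otherwise
# calls finish (defined elsewhere in this file).
# Arguments: any argument containing "-f" skips the interactive confirmation.
#            NOTE(review): begin calls prompt without arguments, so the -f
#            path is only reachable when the caller forwards "$@".
# Outputs:   instructions on stdout
# Returns:   exits 1 when the operator does not type YES
#######################################
prompt() {
  local yes
  echo 'It is ok if it ends with OK'
  echo
  # if/else instead of `a && b || c`: the latter also runs finish when the
  # NOT OK echo itself fails.
  trap 'if [ "$?" -ne 0 ]; then echo NOT OK; else finish; fi' exit
  # "$*" joins all arguments into one word; "$@" inside [[ ]] is a syntax
  # error as soon as more than one argument is passed.
  [[ "$*" = *"-f"* ]] || {
    echo 'This script prepares a machine for provision'
    echo 'And should be executed in the target environment'
    echo 'Please write uppercase YES to continue'
    echo 'Or Ctrl-C to exit'
    echo
    # -r: keep backslashes in the typed answer literal
    read -r yes
    [ "$yes" = "YES" ] || {
      echo 'Canceled'
      exit 1
    }
  }
}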
#######################################
# Detect the host type and boot firmware, adjusting the globals declared at
# the top of the script.
# Globals: profile, efi, boot_fs (written)
#######################################
init() {
  # Only qemu disk ids (or no by-id listing at all): treat as a qemu guest.
  if ! ls -1 /dev/disk/by-id/ | grep -vi qemu > /dev/null 2>&1; then
    profile="<nixpkgs/nixos/modules/profiles/qemu-guest.nix>"
  fi
  # No readable EFI variables: fall back to legacy boot with an ext4 /boot.
  if ! efivar --list > /dev/null; then
    efi=false
    boot_fs=ext4
  fi
}
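#######################################
# Run detection, ask for confirmation, then release anything a previous run
# left mounted or open so the steps that follow start from a clean state.
# Arguments: forwarded unchanged to prompt (which looks for "-f").
#######################################
begin() {
  init
  prompt "$@"
  # Best-effort teardown of an earlier attempt; these fail harmlessly when
  # nothing is mounted or open.
  umount -R /mnt || true
  cryptsetup luksClose system || true
  cryptsetup luksClose key || true
}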
#######################################
# Print the post-run instructions. Also invoked from prompt's EXIT trap when
# the script exits with status 0.
#######################################
finish() {
  cat <<'EOF'
OK

You could edit /mnt/etc/nixos/hardware-configuration.nix
You could edit /mnt/etc/nixos/configuration.nix

After that call nixos-install
You will be prompted for password at the end of the process

EOF
}
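#######################################
# Print the filesystem/LUKS UUID of a block device.
# Uses blkid's own token selection instead of a perl regex over the full
# output: the old form passed the whole blkid line through unchanged when no
# UUID was present, which would have ended up verbatim in the generated
# hardware-configuration.nix.
# Arguments: $1 - device path
# Outputs:   the UUID on stdout
# Returns:   1 (with a message on stderr) when no UUID could be read
#######################################
uuid_of() {
  local uuid
  uuid=$(blkid -s UUID -o value "$1") || uuid=
  if [ -z "$uuid" ]; then
    printf 'uuid_of: no UUID found for %s\n' "$1" >&2
    return 1
  fi
  printf '%s\n' "$uuid"
}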
## | |
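# Main flow. Everything below is destructive for /dev/${dev}.
# Refuse to continue with an empty target rather than pointing dd/gdisk at "/dev/".
: "${dev:?target disk variable dev must be set}"
begin "$@"
set -x
# Key volume layout (partition 2): a key_space MiB partition holding a LUKS
# container whose payload is random data; key_file_size bytes of it, starting
# at a random offset, are the key for the system volume.
key_space=64
key_file_size=4096
key_file_luks_size=$((16 * 10 ** 6))   # room reserved for the LUKS header
# Random offset such that offset + key_file_size stays inside the payload.
# NOTE: the offset is written into hardware-configuration.nix below, so the
# system key's secrecy rests on the passphrase of the "key" volume, not on
# the offset being unknown.
key_file_offset=$(shuf -i 0-$((key_space * 10 ** 6 - key_file_size - key_file_luks_size)) -n 1)
# NOTE: partitions are addressed as /dev/${dev}N, i.e. sdX-style names; disks
# whose name ends in a digit (nvme0n1, mmcblk0) use a "p" separator and would
# need adjusting.
if [ "$efi" = "true" ]
then
  # Zap any existing GPT/MBR (x, z, Y, Y), then create a fresh GPT with a
  # 500M EFI system partition (ef00), the key partition and the rest as system.
  # printf replaces the original "echo -e echo -e ..." typo, which fed the
  # literal words "echo -e" to gdisk as its first command.
  printf 'x\nz\nY\nY\n\n' | gdisk "/dev/${dev}" > /dev/null
  printf 'o\nY\nn\n\n\n+500M\nef00\n\nn\n\n\n+%sM\n\nn\n\n\n\n\n\nw\nY\n\n' "$key_space" \
    | gdisk "/dev/${dev}" > /dev/null
  mkfs.vfat "/dev/${dev}1"
else
  # Legacy BIOS: clear the start of the disk, then an MBR with a bootable
  # 500M /boot, the key partition and the rest as system.
  dd if=/dev/zero of="/dev/${dev}" bs=1M count=15 || true
  printf 'o\nn\np\n\n\n+500M\n\nn\np\n\n\n+%sM\n\nn\np\n\n\n\n\na\n1\nw\n\n' "$key_space" \
    | fdisk "/dev/${dev}" > /dev/null
  mkfs.ext4 -L boot "/dev/${dev}1"
fi
# Key volume: fill partition 2 with random data, turn it into a LUKS volume
# (cryptsetup asks for the passphrase interactively), open it and fill the
# plaintext side with random bytes that become the key material.
# dd runs until the device is full; that ENOSPC is the expected end
# condition, hence "|| true".
dd if=/dev/urandom of="/dev/${dev}2" || true
cryptsetup luksFormat "/dev/${dev}2"
cryptsetup luksOpen "/dev/${dev}2" key
dd if=/dev/urandom of=/dev/mapper/key || true
# System volume, keyed by key_file_size bytes at key_file_offset inside
# /dev/mapper/key.
cryptsetup -y luksFormat --key-file=/dev/mapper/key --keyfile-offset="$key_file_offset" --keyfile-size="$key_file_size" "/dev/${dev}3"
cryptsetup luksOpen --key-file=/dev/mapper/key --keyfile-offset="$key_file_offset" --keyfile-size="$key_file_size" "/dev/${dev}3" system
mkfs.btrfs -L system /dev/mapper/system
mount /dev/mapper/system /mnt
mkdir -p /mnt/boot   # -p: tolerate a directory left over from a previous run
mount "/dev/${dev}1" /mnt/boot
nixos-generate-config --root /mnt
# NOTE(review): the generated configuration enables sshd with root password
# logins (permitRootLogin = "yes", passwordAuthentication = true). Convenient
# for first provisioning, but tighten it in /mnt/etc/nixos/configuration.nix
# before the machine is reachable from untrusted networks.
cat <<EOF > /mnt/etc/nixos/configuration.nix
{ config, pkgs, ... }:
{
imports = [ ./hardware-configuration.nix ];
services.openssh.enable = true;
services.openssh.passwordAuthentication = true;
services.openssh.permitRootLogin = "yes";
system.stateVersion = "${state_version}";
}
EOF
# hardware-configuration.nix: LUKS devices are referenced by UUID (resolved
# now via uuid_of); the key offset and size are recorded here in plaintext.
cat <<EOF > /mnt/etc/nixos/hardware-configuration.nix
{ config
, lib ? (import <nixpkgs> { }).lib
, pkgs ? (import <nixpkgs> { }).pkgs
, ... }: let
systemPartition = "system";
in {
imports = [ $profile ];
boot = {
loader = {
grub.device = "/dev/${dev}";
systemd-boot.enable = ${efi};
efi.canTouchEfiVariables = ${efi};
};
initrd.luks.devices = {
key = {
name = "key";
device = "/dev/disk/by-uuid/$(uuid_of "/dev/${dev}2")";
};
system = {
name = "system";
device = "/dev/disk/by-uuid/$(uuid_of "/dev/${dev}3")";
keyFile = "/dev/mapper/key";
keyFileSize = ${key_file_size};
keyFileOffset = ${key_file_offset};
};
};
initrd.postDeviceCommands = lib.mkAfter "cryptsetup luksClose key";
};
fileSystems."/" = {
device = "/dev/mapper/system";
fsType = "btrfs";
options = ["noatime"];
};
fileSystems."/boot" = rec {
device = "/dev/disk/by-uuid/$(uuid_of "/dev/${dev}1")";
fsType = "${boot_fs}";
};
powerManagement.cpuFreqGovernor = "ondemand";
}
EOF
set +x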