This commit is contained in:
Shelvacu
2025-05-10 22:34:03 -07:00
committed by Shelvacu on fw
parent cdae755642
commit 2665071518
7 changed files with 172 additions and 184 deletions

43
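--- /dev/null
+++ b/archive.nix
@@ -0,0 +1,43 @@
+{
+self,
+lib,
+pkgs,
+...
+}:
+let
+ignoreList = [
+"iso"
+"host-pxe-installer"
+"host-pxe-installer-aarch64"
+"pxe-initrd"
+];
+# We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
+isoContentsStr = lib.concatStringsSep "\n" (
+map (
+c: "${c.source} => ${c.target}"
+) self.nixosConfigurations.shel-installer-iso.config.isoImage.contents
+);
+isoContents = pkgs.writeText "iso-contents" isoContentsStr;
+pxeConfig = self.nixosConfigurations.shel-installer-pxe.config;
+pxeContents = pkgs.linkFarm "pxe-initrd-contents" {
+inherit (pxeConfig.boot.initrd) compressor;
+inherit (pxeConfig.system.build) initialRamdisk;
+storeContents = pkgs.linkFarmFromDrvs "store-contents" pxeConfig.netboot.storeContents;
+};
+extraBuilds = { inherit isoContents pxeContents; };
+buildListWithout = builtins.filter (v: !builtins.elem v ignoreList) (builtins.attrNames self.buildList);
+allBuilds = self.buildList // extraBuilds;
+in
+rec {
+archiveList = map (
+name:
+{
+inherit name;
+broken = builtins.elem name self.brokenBuilds;
+impure = builtins.elem name self.impureBuilds;
+}
+) (buildListWithout ++ builtins.attrNames extraBuilds);
+drvs = allBuilds;
+buildDepsDrvs = builtins.mapAttrs (_: v: pkgs.closureInfo { rootPaths = [ v.drvPath ]; }) drvs;
+}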
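Review bot: Nothing in this file says who consumes `archiveList`, `drvs` and `buildDepsDrvs`; in this commit it is the `vacu-flake-archive` script, which reads `archiveList` through `nix eval` and turns `broken` into a skip and `impure` into `--impure`, so a short `#` comment above `archiveList = map (` stating that contract (name must be a valid attribute name under `drvs`/`buildDepsDrvs`; `broken`/`impure` drive the script) would keep the two files in step. The comment explaining why image derivations are excluded sits on the line after `ignoreList`'s closing `];` but describes the list itself; move it above `ignoreList = [`. `impure` is tested against `self.impureBuilds`, which still carries alias names such as `"nod"` that no longer occur in `buildList` after this commit, so those entries can never match here; harmless, but worth pruning in flake.nix.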

159
flake.nix

@@ -224,10 +224,6 @@
system = "aarch64-linux";
unstable = true;
};
toptop = mkNixosConfig {
module = ./toptop;
system = "x86_64-linux";
};
prophecy = mkNixosConfig {
module = ./prophecy;
system = "x86_64-linux";
@@ -282,7 +278,7 @@
}
);
qb = # qb is "quick build"
buildList =
let
toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; };
@@ -290,35 +286,28 @@
name: value: lib.nameValuePair (name + "-aarch64") value
) self.packages.aarch64-linux;
packages = self.packages.x86_64-linux // renamedAarchPackages;
pxe-build = self.nixosConfigurations.shel-installer-pxe.config.system.build;
in
rec {
{
fw = toplevelOf "fw";
triple-dezert = toplevelOf "triple-dezert";
trip = triple-dezert;
compute-deck = toplevelOf "compute-deck";
cd = compute-deck;
liam = toplevelOf "liam";
lp0 = toplevelOf "lp0";
legtop = toplevelOf "legtop";
lt = legtop;
mmm = toplevelOf "mmm";
shel-installer-iso = toplevelOf "shel-installer-iso";
shel-installer-pxe = toplevelOf "shel-installer-pxe";
toptop = toplevelOf "toptop";
tt = toptop;
prophecy = toplevelOf "prophecy";
prop = prophecy;
iso = self.nixosConfigurations.shel-installer-iso.config.system.build.isoImage;
pxe-toplevel = toplevelOf "shel-installer-pxe";
pxe-kernel = self.nixosConfigurations.shel-installer-pxe.config.system.build.kernel;
pxe-initrd = self.nixosConfigurations.shel-installer-pxe.config.system.build.netbootRamdisk;
pxe-kernel = pxe-build.kernel;
pxe-initrd = pxe-build.netbootRamdisk;
check-triple-dezert = self.checks.x86_64-linux.triple-dezert.driver;
check-trip = check-triple-dezert;
check-liam = self.checks.x86_64-linux.liam.driver;
liam-sieve = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
nod = nix-on-droid;
nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
@@ -326,10 +315,6 @@
dc-priv = deterministicCerts.privKeyFile "test";
dc-cert = deterministicCerts.selfSigned "test" { };
# sm64 = packages.sm64coopdx;
ak = packages.authorizedKeys;
my-sops = packages.wrappedSops;
inherit (inputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
m1n1
uboot-asahi
@@ -340,29 +325,22 @@
}
// packages;
qb = self.buildList // (with self.buildList; {
trip = triple-dezert;
cd = compute-deck;
lt = legtop;
prop = prophecy;
check-trip = check-triple-dezert;
nod = nix-on-droid;
ak = authorizedKeys;
my-sops = wrappedSops;
});
brokenBuilds = [
"sm64coopdx-aarch64"
"installer-bootstrap"
];
all =
let
linksNoContext = removeAttrs self.qb self.brokenBuilds;
links = builtins.mapAttrs (
name: val: builtins.addErrorContext "while evaluating link ${name}" val
) linksNoContext;
in
pkgs.runCommand "nix-stuff-all"
{
__structuredAttrs = true;
inherit links;
}
''
mkdir $out
cd $out
eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
'';
impureBuilds = [
"nix-on-droid"
"nod"
@@ -370,49 +348,69 @@
"nod-bootstrap-aarch64"
];
allPure = self.all.overrideAttrs (prev: {
links = removeAttrs prev.links self.impureBuilds;
});
archival = import ./archive.nix { inherit self pkgs lib; };
archiveSmall =
let
ignoreList = [
"iso"
"host-pxe-installer"
"host-pxe-installer-aarch64"
"pxe-initrd"
];
# We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
isoContents = lib.concatStringsSep "\n" (
map (
c: "${c.source} => ${c.target}"
) self.nixosConfigurations.shel-installer-iso.config.isoImage.contents
);
isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
pxeConfig = self.nixosConfigurations.shel-installer-pxe.config;
pxeContents = pkgs.linkFarm "pxe-initrd-contents" {
inherit (pxeConfig.boot.initrd) compressor;
inherit (pxeConfig.system.build) initialRamdisk;
storeContents = pkgs.linkFarmFromDrvs "store-contents" pxeConfig.netboot.storeContents;
};
allButImgs = self.all.overrideAttrs (prev: {
links = (removeAttrs prev.links ignoreList) // {
iso-contents = isoContentsPkg;
pxe-contents = pxeContents;
};
});
in
allButImgs;
# all =
# let
# linksNoContext = removeAttrs self.qb self.brokenBuilds;
# links = builtins.mapAttrs (
# name: val: builtins.addErrorContext "while evaluating link ${name}" val
# ) linksNoContext;
# in
# pkgs.runCommand "nix-stuff-all"
# {
# __structuredAttrs = true;
# inherit links;
# }
# ''
# mkdir $out
# cd $out
# eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
# '';
archive =
let
inherit (self) archiveSmall;
in
archiveSmall.overrideAttrs (prev: {
links = prev.links // {
build-deps = pkgs.closureInfo { rootPaths = [ archiveSmall.drvPath ]; };
};
});
# allPure = self.all.overrideAttrs (prev: {
# links = removeAttrs prev.links self.impureBuilds;
# });
# archiveSmall =
# let
# ignoreList = [
# "iso"
# "host-pxe-installer"
# "host-pxe-installer-aarch64"
# "pxe-initrd"
# ];
# # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
# isoContents = lib.concatStringsSep "\n" (
# map (
# c: "${c.source} => ${c.target}"
# ) self.nixosConfigurations.shel-installer-iso.config.isoImage.contents
# );
# isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
# pxeConfig = self.nixosConfigurations.shel-installer-pxe.config;
# pxeContents = pkgs.linkFarm "pxe-initrd-contents" {
# inherit (pxeConfig.boot.initrd) compressor;
# inherit (pxeConfig.system.build) initialRamdisk;
# storeContents = pkgs.linkFarmFromDrvs "store-contents" pxeConfig.netboot.storeContents;
# };
# allButImgs = self.all.overrideAttrs (prev: {
# links = (removeAttrs prev.links ignoreList) // {
# iso-contents = isoContentsPkg;
# pxe-contents = pxeContents;
# };
# });
# in
# allButImgs;
#
# archive =
# let
# inherit (self) archiveSmall;
# in
# archiveSmall.overrideAttrs (prev: {
# links = prev.links // {
# build-deps = pkgs.closureInfo { rootPaths = [ archiveSmall.drvPath ]; };
# };
# });
}
// (inputs.flake-utils.lib.eachDefaultSystem (
system:
@@ -454,6 +452,7 @@
stable = pkgs-stable;
};
packages = rec {
archive = pkgs-stable.callPackage ./scripts/archive { };
authorizedKeys = pkgs-stable.writeText "authorizedKeys" (
lib.concatStringsSep "\n" (
lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys
@@ -463,7 +462,7 @@
inherit pkgs lib inputs;
inherit (plain) config;
};
generated = pkgs.linkFarm "generated" {
generated = pkgs-stable.linkFarm "generated" {
nixpkgs = "${inputs.nixpkgs}";
"liam-test/hints.py" = pkgs.writeText "hints.py" (
import ./typesForTest.nix {
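Review bot: The `@@ -370` hunk keeps the old `all`, `allPure`, `archiveSmall` and `archive` definitions as roughly seventy lines of commented-out code (the `# all =` through `# });` block) instead of deleting them; git history already holds that code, and a commented copy drifts from the live implementation now in `archive.nix`. Delete the block, or if `all` is meant to return, leave a single `# TODO: re-add an "all" link farm over buildList` marker where it stood. In the `@@ -340` hunk `impureBuilds` still lists the alias `"nod"`, but aliases now live only in `qb`, so `archive.nix`'s `impure` check compares it against `buildList` names that never contain it; drop the alias entries or document that only canonical `buildList` names belong in `brokenBuilds`/`impureBuilds`. The `with self.buildList;` in `qb` works, but a comment noting that the aliases are resolved from `buildList` rather than from `rec` would explain why `rec {` was removed from `buildList`.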


@@ -34,29 +34,36 @@ let
accessLogFile = mkOption {
type = types.nullOr types.path;
default = "/var/log/genieacs/genieacs-${serviceShortName}-access.log";
description = "File to log incoming requests for genieacs-${serviceShortName}. If `null`, logs will go to stdout. This sets `GENIEACS_${serviceNameCaps}_ACCESS_LOG_FILE`";
};
workerProcesses = mkOption {
type = types.int;
default = 0;
description = "The number of worker processes to spawn for genieacs-${serviceShortName}. A value of 0 means as many as there are CPU cores available. This sets `GENIEACS_${serviceNameCaps}_WORKER_PROCESSES`";
};
port = mkOption {
type = types.port;
description = "The TCP port that genieacs-${serviceShortName} listens on. This sets `GENIEACS_${serviceNameCaps}_PORT`";
};
interface = mkOption {
type = types.str;
default = "::";
description = "The network interface (ip address, really) that genieacs-${serviceShortName} binds to. This sets `GENIEACS_${serviceNameCaps}_INTERFACE`";
};
sslCert = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to certificate file. If `null`, non-secure HTTP will be used. This sets `GENIEACS_${serviceNameCaps}_SSL_CERT`";
};
sslKey = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to certificate key file. If `null`, non-secure HTTP will be used. This sets `GENIEACS_${serviceNameCaps}_SSL_KEY`";
};
eventLogFile = mkOption {
type = types.nullOr types.path;
default = "/var/log/genieacs/genieacs-${serviceShortName}-events.log";
default = null;
description = "File to log process related events for genieacs-${serviceShortName}. If `null`, logs will go to stderr. This sets `GENIEACS_${serviceNameCaps}_LOG_FILE`";
};
extraEnv = mkOption {
type = envVarsType;
@@ -116,11 +123,13 @@ in
user = mkOption {
type = types.str;
default = "genieacs";
description = "The user name under which to run GenieACS services";
};
group = mkOption {
type = types.str;
default = cfg.user;
defaultText = ''{option}`user`'';
description = "The group under which to run GenieACS services";
};
package = lib.mkPackageOption pkgs "genieacs" { };
extensions = mkOption {
@@ -130,31 +139,44 @@ in
mongodbConnectionUrl = mkOption {
type = types.str;
example = "mongodb://127.0.0.1/genieacs";
description = "The connection URL for the mongodb server. This sets `GENIEACS_MONGODB_CONNECTION_URL`";
};
extensionTimeout = mkOption {
type = types.int;
default = 3000;
description = "Timeout (in milliseconds) to allow for calls to extensions to return a response. This sets `GENIEACS_EXT_TIMEOUT`";
};
debugFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "File to dump CPE debug log. No debug log is dumped if set to `null`. This sets `GENIEACS_DEBUG_FILE`";
};
debugFormat = mkOption {
type = types.enum [ "yaml" "json" ];
default = "yaml";
description = "Debug log format. This sets `GENIEACS_DEBUG_FORMAT`";
};
eventLogFormat = mkOption {
type = types.enum [ "simple" "json" ];
default = "simple";
description = "The format used for the log entries in {option}`eventLogFile`. This sets `GENIEACS_LOG_FORMAT`";
};
accessLogFormat = mkOption {
type = types.enum [ "simple" "json" ];
default = "simple";
description = "The format used for the log entries in {option}`accessLogFile`. This sets `GENIEACS_ACCESS_LOG_FORMAT`";
};
urlPrefix = mkOption {
type = types.nullOr types.str;
default = null;
example = "https://my-genieacs-install.example.com:4567/";
description = ''
The URL prefix to use when generating the file URL for TR-069 Download requests. Set this if genieacs-fs and genieacs-cwmp are behind a proxy or running on different servers.
If `null` (default): auto generated based on the hostname from the ACS URL, FS_PORT config, and whether or not SSL is enabled for genieacs-fs.
This sets `GENIEACS_FS_URL_PREFIX`
'';
};
jwtSecret.path = mkOption {
type = types.path;
@@ -236,16 +258,16 @@ in
#mkDefault so genieacs-ui.script can override it
ExecStart = lib.mkDefault "${cfg.package}/bin/genieacs-${name}";
StateDirectory = "genieacs-${name}";
StateDirectoryMode = "0700";
BindReadOnlyPaths = [
"-/etc/resolv.conf"
"-/etc/nsswitch.conf"
"-/etc/hosts"
"-/etc/localtime"
];
BindPaths = []
++ lib.optional (config.accessLogFile != null) config.accessLogFile
++ lib.optional (config.eventLogFile != null) config.eventLogFile
;
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
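Review bot: `sslKey` is typed `types.nullOr types.path` and its description only says "Path to certificate key file"; a Nix path literal such as `./key.pem` passed to that option is copied into the world-readable store, so the description should state that the value must be a string naming a file readable by the service user, not a path literal, or the type should become `types.nullOr types.str` as other modules do for secrets. The `eventLogFile` default changes to `null` (stderr) while `accessLogFile` in the same hunk still defaults to a file under `/var/log/genieacs`; if journal-by-default is the intent, the two should match, and the commit message does not say why they differ. The `BindPaths` entries in the last hunk bind `accessLogFile`/`eventLogFile` into the sandbox, and systemd fails the unit when a bind source does not exist; unless the directory is created elsewhere (not visible here), a `-` prefix or a `LogsDirectory` setting is needed, please confirm. The enclosing option sets and service definition start and end outside these hunks.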


@@ -0,0 +1,19 @@
# flake8: noqa
import json
import os
build_list = json.loads(os.popen("nix eval .#. --apply 'f: f.archival.archiveList' --json").read())
for info in build_list:
name = info["name"]
if info["broken"]:
print(f"Skipping {name}, marked broken")
continue
maybeImpureFlags = ""
if info["impure"]:
maybeImpureFlags = " --impure"
print(f"Going to build {name}")
os.system(f"nix build -j1 --keep-going --no-link{maybeImpureFlags} .#archival.drvs.{name}")
os.system(f"into-nix-cache .#archival.drvs.{name}")
os.system(f"nix build -j1 --keep-going --no-link{maybeImpureFlags} .#archival.buildDepsDrvs.{name}")
os.system(f"into-nix-cache .#archival.buildDepsDrvs.{name}")
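Review bot: Every `os.system` call in the loop discards its exit status, so a failed `nix build` is followed by `into-nix-cache` for the same attribute and the script exits 0 regardless; `os.popen(...).read()` likewise ignores a failing `nix eval`, leaving `json.loads` to fail on empty output with a less useful error. Use `subprocess.run` with an argument list (no shell, so `name` is never re-parsed) and branch on the return code, keeping the best-effort semantics that `--keep-going` implies; `import subprocess` then replaces the `os` import. The script also assumes the current directory is the flake (`.#.`) and that `into-nix-cache` is on PATH, which the `writePython3Bin` wrapper in `scripts/archive/default.nix` does not appear to provide; a two-line comment at the top stating both assumptions would help the next reader.
```python
build_list = json.loads(
    subprocess.run(
        ["nix", "eval", ".#.", "--apply", "f: f.archival.archiveList", "--json"],
        check=True, capture_output=True, text=True,
    ).stdout
)
for info in build_list:
    # … unchanged: name lookup and "broken" skip …
    impure_flags = ["--impure"] if info["impure"] else []
    print(f"Going to build {name}")
    for attr in (f".#archival.drvs.{name}", f".#archival.buildDepsDrvs.{name}"):
        build = subprocess.run(
            ["nix", "build", "-j1", "--keep-going", "--no-link", *impure_flags, attr]
        )
        if build.returncode != 0:
            print(f"Build of {attr} failed (exit {build.returncode}); not caching it")
            continue
        push = subprocess.run(["into-nix-cache", attr])
        if push.returncode != 0:
            print(f"into-nix-cache failed for {attr} (exit {push.returncode})")
```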


@@ -0,0 +1,4 @@
{
writers,
}:
writers.writePython3Bin "vacu-flake-archive" { } (builtins.readFile ./archive.py)


@@ -1,22 +0,0 @@
{ ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/EFI";
vacu.hostName = "toptop";
vacu.shortHostName = "tt";
vacu.shell.color = "blue";
vacu.verifySystem.expectedMac = "28:f5:2b:7a:f6:75";
vacu.systemKind = "desktop";
networking.networkmanager.enable = true;
services.openssh.enable = true;
system.stateVersion = "24.05";
}


@@ -1,77 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/2a7b5b23-9e6a-4169-8e45-07a7a1d57eaa";
fsType = "btrfs";
options = [ "subvol=root" ];
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/9bc6de32-17c1-42fc-9d14-c32ed55f4a75";
fileSystems."/home" = {
device = "/dev/disk/by-uuid/2a7b5b23-9e6a-4169-8e45-07a7a1d57eaa";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/2a7b5b23-9e6a-4169-8e45-07a7a1d57eaa";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2a7b5b23-9e6a-4169-8e45-07a7a1d57eaa";
fsType = "btrfs";
options = [
"subvol=boot"
"nofail"
];
};
fileSystems."/btrfs" = {
device = "/dev/disk/by-uuid/2a7b5b23-9e6a-4169-8e45-07a7a1d57eaa";
fsType = "btrfs";
options = [ "nofail" ];
};
fileSystems."/boot/EFI" = {
device = "/dev/disk/by-uuid/8371-A7B8";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}