# Base configuration shared by installation devices such as CDs.
#
# Security posture: this profile is written for live installation media.
# It creates empty-password "nixos" and "root" accounts, grants passwordless
# sudo, auto-logs in on the consoles and runs sshd with root login permitted.
# Those choices are visible below and are only appropriate for a throw-away
# installer environment.
{ config, pkgs, lib, ... }:

let
  inherit (lib) mkDefault mkImageMediaOverride mkOverride optionalString;
in
{
  imports = [
    # The target hardware is unknown, so pull in both the detected and the
    # not-detected device scan profiles.
    ../installer/scan/detected.nix
    ../installer/scan/not-detected.nix

    # Provide /etc/nixos/configuration.nix so that "nixos-rebuild" works.
    ./clone-config.nix

    # Ship a copy of Nixpkgs so that nixos-install works out of the box.
    ../installer/cd-dvd/channel.nix
  ];

  config = {
    system.nixos.variant_id = mkDefault "installer";

    documentation = {
      # Keep documentation on in the installer even if the minimal profile
      # turns it off.
      enable = mkImageMediaOverride true;
      # Show the manual.
      nixos.enable = mkImageMediaOverride true;
    };

    users.users = {
      # Day-to-day work happens as the less privileged "nixos" user.
      nixos = {
        isNormalUser = true;
        extraGroups = [ "wheel" "networkmanager" "video" ];
        # Empty hash: the graphical user can log in without a password.
        initialHashedPassword = "";
      };

      # Empty hash: root can log in locally without a password.
      root.initialHashedPassword = "";
    };

    security = {
      # Lets `reboot` and `poweroff` work without sudo/root.
      polkit.enable = true;

      # Passwordless sudo for the nixos user (a member of wheel, see above).
      sudo = {
        enable = mkDefault true;
        wheelNeedsPassword = mkImageMediaOverride false;
      };
    };

    services.getty = {
      # Log the nixos user in automatically on the virtual consoles.
      autologinUser = "nixos";

      # Help text shown at the console; the second part is only appended when
      # the X server is enabled.
      helpLine = ''
        The "nixos" and "root" accounts have empty passwords.

        To log in over ssh you must set a password for either "nixos" or "root"
        with `passwd` (prefix with `sudo` for "root"), or add your public key to
        /home/nixos/.ssh/authorized_keys or /root/.ssh/authorized_keys.

        If you need a wireless connection, type
        `sudo systemctl start wpa_supplicant` and configure a
        network using `wpa_cli`. See the NixOS manual for details.
      '' + optionalString config.services.xserver.enable ''

        Type `sudo systemctl start display-manager' to
        start the graphical user interface.
      '';
    };

    # sshd runs by default. Login only becomes possible after a password is
    # set with "passwd" or an ssh key is added to ~/.ssh/authorized_keys.
    # Adding keys is particularly useful for head-less systems (e.g. ARM
    # boards), where the installation device's storage can be mounted on a
    # different system to place the key.
    # NOTE(review): root login is permitted and both accounts start with empty
    # passwords, so the statement above depends on sshd refusing empty
    # passwords (OpenSSH's PermitEmptyPasswords defaults to "no") - confirm
    # that nothing else in the image overrides it.
    services.openssh = {
      enable = true;
      settings.PermitRootLogin = "yes";
    };

    networking = {
      # wpa_supplicant is enabled but not started by default: the service's
      # wantedBy list is overridden to empty further down.
      wireless = {
        enable = mkDefault true;
        userControlled.enable = true;
      };

      # Don't log refused packets, because the firewall is enabled. This keeps
      # console installs less cumbersome when the machine has a public IP,
      # while all kernel debug messages are still shown.
      firewall.logRefusedConnections = mkDefault false;
    };
    systemd.services.wpa_supplicant.wantedBy = mkOverride 50 [];

    environment = {
      # Make the Nix evaluator garbage collect more aggressively, which helps
      # in memory-constrained environments that don't (yet) have swap set up.
      variables.GC_INITIAL_HEAP_SIZE = "1M";

      # Keep installation media from evacuating persistent storage: their var
      # directory is not persistent, so moving the entries there would delete
      # them.
      etc."systemd/pstore.conf".text = ''
        [PStore]
        Unlink=no
      '';
    };

    boot = {
      # Make the installer more likely to succeed in low-memory environments.
      # The kernel's overcommit heuristics otherwise bite fairly often and
      # stop processes such as nix-worker or download-using-manifests.pl from
      # forking even when plenty of memory is free.
      kernel.sysctl."vm.overcommit_memory" = "1";

      swraid = {
        enable = true;
        # Silences the warning about an unset mail address.
        mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true";
      };
    };

    # Include the complete stdenv in the Nix store on the CD to speed up
    # installation a little.
    system.extraDependencies = [
      pkgs.stdenv
      # for runCommand
      pkgs.stdenvNoCC
      pkgs.busybox
      # for closureInfo
      pkgs.jq
      # For boot.initrd.systemd
      pkgs.makeInitrdNGTool
    ];

    # Allow nix-copy to the live system. Users trusted by the Nix daemon are
    # effectively root-equivalent; "nixos" already has passwordless sudo here.
    nix.settings.trusted-users = [ "root" "nixos" ];
  };
}