# Baseline NixOS profile for installation devices such as CDs.
#
# NOTE(review): the defaults below (empty passwords, passwordless sudo,
# console autologin, sshd enabled) are tuned for throwaway installation
# media. Keep this profile out of the configuration of an installed system.
{
  config,
  pkgs,
  lib,
  ...
}:

let
  inherit (lib)
    mkDefault
    mkImageMediaOverride
    mkOverride
    optionalString
    ;

  # Help text printed by getty on every virtual console.
  loginHelp = ''
    The "nixos" and "root" accounts have empty passwords.

    To log in over ssh you must set a password for either "nixos" or "root"
    with `passwd` (prefix with `sudo` for "root"), or add your public key to
    /home/nixos/.ssh/authorized_keys or /root/.ssh/authorized_keys.

    If you need a wireless connection, type
    `sudo systemctl start wpa_supplicant` and configure a
    network using `wpa_cli`. See the NixOS manual for details.
  '';

  # Extra paragraph, appended only when an X server is configured.
  graphicalHelp = ''

    Type `sudo systemctl start display-manager' to
    start the graphical user interface.
  '';
in
{
  imports = [
    # The target hardware is unknown, so enable the devices that are
    # usually found by scanning.
    ../installer/scan/detected.nix
    ../installer/scan/not-detected.nix

    # Provides /etc/nixos/configuration.nix so that "nixos-rebuild" works.
    ./clone-config.nix

    # Ships a copy of Nixpkgs so that nixos-install works out of the box.
    ../installer/cd-dvd/channel.nix
  ];

  config = {
    system.nixos.variant_id = mkDefault "installer";

    documentation = {
      # Stays enabled in the installer even if the minimal profile turns it off.
      enable = mkImageMediaOverride true;
      # Show the NixOS manual.
      nixos.enable = mkImageMediaOverride true;
    };

    users.users = {
      # Day-to-day work happens as the less privileged "nixos" user.
      nixos = {
        isNormalUser = true;
        extraGroups = [
          "wheel"
          "networkmanager"
          "video"
        ];
        # Empty hash: the graphical user can log in without a password.
        initialHashedPassword = "";
      };

      # Root can also log in without a password.
      # NOTE(review): together with console autologin and passwordless sudo
      # below, anyone at the console is effectively root.
      root.initialHashedPassword = "";
    };

    security = {
      # `reboot` and `poweroff` work without sudo/root.
      polkit.enable = true;

      # Members of wheel (the nixos user) may use sudo without a password.
      sudo = {
        enable = mkDefault true;
        wheelNeedsPassword = mkImageMediaOverride false;
      };
    };

    services.getty = {
      # Virtual consoles log in as "nixos" automatically.
      autologinUser = "nixos";
      helpLine = loginHelp + optionalString config.services.xserver.enable graphicalHelp;
    };

    # sshd runs by default. Login only becomes possible once a password has
    # been set with "passwd" or a key has been added to
    # ~/.ssh/authorized_keys. Adding keys is particularly useful for headless
    # systems (e.g. ARM boards), where the installation medium can be mounted
    # on another machine to place them.
    # NOTE(review): this relies on sshd refusing empty passwords, which is the
    # OpenSSH default (PermitEmptyPasswords no); confirm nothing in the image
    # overrides it. With PermitRootLogin "yes", a root password set later is
    # accepted over the network as well.
    services.openssh = {
      enable = mkDefault true;
      settings.PermitRootLogin = mkDefault "yes";
    };

    # wpa_supplicant is available but is not started at boot.
    networking.wireless = {
      enable = mkDefault true;
      userControlled.enable = true;
    };
    systemd.services.wpa_supplicant.wantedBy = mkOverride 50 [ ];

    # The firewall is enabled, so refused packets are not logged; this keeps
    # the console usable during an install on a machine with a public IP
    # while kernel debug messages are still shown.
    networking.firewall.logRefusedConnections = mkDefault false;

    # Makes the Nix evaluator garbage collect more aggressively, which helps
    # in memory-constrained environments that have no swap (yet).
    environment.variables.GC_INITIAL_HEAP_SIZE = "1M";

    # Makes the installer more likely to succeed with little memory. The
    # kernel's overcommit heuristics otherwise often keep processes such as
    # nix-worker or download-using-manifests.pl from forking even when
    # plenty of memory is free.
    boot.kernel.sysctl."vm.overcommit_memory" = "1";

    # Speeds up installation a little by shipping the complete stdenv in the
    # Nix store on the medium.
    system.extraDependencies = [
      pkgs.stdenv
      # for runCommand
      pkgs.stdenvNoCC
      pkgs.busybox
      # for boot.initrd.systemd
      pkgs.makeInitrdNGTool
    ]
    # for closureInfo
    ++ pkgs.jq.all;

    boot.swraid = {
      enable = true;
      # Removes the warning about an unset mail address.
      mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true";
    };

    # Keeps installation media from evacuating persistent storage: their var
    # directory is not persistent, so the entries would end up deleted.
    environment.etc."systemd/pstore.conf".text = ''
      [PStore]
      Unlink=no
    '';

    # Allows nix-copy to the live system.
    # NOTE(review): Nix treats trusted users as root-equivalent towards the
    # daemon. The nixos user already has passwordless sudo here, so this
    # grants nothing new on the live system.
    nix.settings.trusted-users = [ "nixos" ];

    # Ship fewer speechd voices to save space.
    nixpkgs.overlays = [
      (_final: previous: {
        mbrola-voices = previous.mbrola-voices.override {
          # only one voice per language
          languages = [ "*1" ];
        };
      })
    ];
  };
}