diff --git a/configuration.nix b/configuration.nix new file mode 100644 index 0000000..f1e5699 --- /dev/null +++ b/configuration.nix @@ -0,0 +1,69 @@ +{ pkgs, lib, ... }: + +{ + # Work-around for running out of space on /boot + disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ]; + imports = [ + ./modules/system/boot/loader/raspberrypi/raspberrypi.nix + ./hardware-configuration.nix + ./inquisitor.nix + ]; + + nix.maxJobs = 2; + + console = { + font = "sun12x22"; + keyMap = "us"; + }; + i18n = { + defaultLocale = "en_US.UTF-8"; + }; + time.timeZone = "America/Los_Angeles"; + + # Hostname, host ID, etc. Note that a host ID (chosen 32-bit integer) is necessary for ZFS. + networking = { + hostName = "conduit"; + hostId = "758371f0"; + firewall = { + enable = true; + allowedTCPPorts = [ 22 ]; + }; + }; + + security = { + hideProcessInformation = true; + }; + + environment.systemPackages = with pkgs; + [ + wget vimHugeX curl git htop tmux manpages + zip unzip + tinc_pre + ]; + + # SSH config. Change passwordAuthentication if you want to log in with a password. + services.openssh = { + enable = true; + passwordAuthentication = false; + permitRootLogin = "prohibit-password"; + forwardX11 = true; + }; + + services.tinc.networks.beatific = { + listenAddress = "0.0.0.0"; + chroot = false; + }; + + users = { + users.tvb = { + uid = 1000; + isNormalUser = true; + extraGroups = ["wheel" "audio" "tty"]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCKsKkD9S2gRlRgdf3JD06dRTGUQkDgBMWn+2kqVEPA/K1W/f083+odyXLVeg4IWV/fOwVKBgi9YNTavM8hkKRDGElkVq6Y8slApgu1k51QiKvAqqj4yJKE28pMCeHGGfTBdXbaRAaAfsD7Oh7dHOoadBIxUcq4RjN84+srhR2/p7xN+5rlp/uljU85uPA6JhW4tFEjsAQPUBnlI2EMf6SjKScuYsf5kiyE740NxPPpFSaKIU09dR/oR/nXORqOTzJbWC5tRlpeRFrKDrTeoAZnsl+vjqtVjJRIVjJoON50u3W9qfFKcPcfgtqUbpi1D8Xk8cibGo/0I8ruIwuZrD4Q9v1zGUGbXnAVwoJ5Yn8uVcHnFCbqndN+bDA5M0Fe7zLk6/ui9Z3LJdTWD2aT7mTSmW+5puHlNsAnqD1du1Yh7QbJSBNPdJCq/hceb4JKxUpFH8AXZ6km8j4GTYw0BhPYk2OFrFOG/KUOo1Ez8KRGIkisRTqJU2kFhQ5oSKmD+JbtDA5L6X8ibAUNh67eBJUXRvG/AWUeDDoVdYmEj6yCEi5MrcNJY+b41ywa8mTjjEJlsg+oUdD+1RA9c3px+98ulauhyFw2WfUVQc0ihCDqqqXYkwl0jK3e9Uwlgn4Lkwj9jTsWRwalAoJTXwIPbaAiwDH+UhfiPoLl5yHuoFXdw== tvb@palamas" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAbmOSvKJoW+akurv/tMD/jfaDuDg0S/FvIMAOS9WauBI9JyMaQh5NfV+fhOSbjqmvrdm+dGttthqi56MZ090Qps1340TGjY6mVap36pa+fZWSajnUjCW+Tk5T0CqbWJkeDvKwSxY73lhBG4QG+SUFkDvhR6XZXfVksJZ++3aaoSmw6E0LCVL4+CAjTf7lm6Zs9Tq62Skf/5tKhk9ASk+QwBTKpPj/0ZKtBDLJfzrwvT+6K2jFohWPKMXkgZiVFVhbIMatdyZo+Mi+To4YDicyf4KW8OuE0zYb06naWeCgEKH8nSB6xEnosdzrhNwkyJi1TEJHmsn1+PjJ/KWWBOTDFVgueWF0ql2ERAtY/hbe36lNBf0lLRzxIugbxMdix8Oqjy0E9wI3E9/X7j0JGHkDzbzX6xeaTwIRFEFtKqK4zcqOMbUWVujUEnOvIKS9dP4uP08gH9HaIE/0bTb+6RRLmnDA9T6dVXc+dCGMAeqxhZYwuO9XJNxXp4byPFRC29OdEShNp9Yqt9sgLMepAzzFiIXgzIcjg5AOnn2qv4SId2rslX0hkMN05a+Cxn2qAj1ign3BuYRzMnaHyA+R+oHN9314/hTYF7wlYws6Fu3P229arfE2d4UqvnMRmY8vWAjfJr40FyRCxS/6qdVPgJWVevkPx69MMJ+BKAomc/s7fw== tvb@stagirite" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzx37PqIaJVWdQs5meVgI4Cg1GRGk6srrix0AUvQeaBS9MOVtJLi+HfnNkcW4GPk9qVlz1E7ciQ7YUw+ny7QbHxcbib2Tawwfk3cx9xiNcN6UI9EzF/rTbNB2Cex8A4sEr5UvoE0BjT5yPaXyrjn8vLksGWq4dlZBM3xeJqe3KP+OxPL0vik3SVGOr/6ZQ7H9cwX5+/p6rCWQuVtwZMcaE6QyXYg5J5FQUaIrFvKbOVklJIkQSbXGzIYQO/QlQC0xWGBapJtGQw/lsQ3YqnFSMkkw8qrKbde07rg8p1FSuqTu+a1ePK+/F4klNel174+39YSobY2/6biPP3Uj/Yhorf4Tw141tIT75e3ebtK5faatQmNOyXcA7LULXK7XemJkZy8PmbNNTeBIKyoI6XQdzk95gpb2C4LEJmV040YMgXhOIiKsHQVgss9FuC+oP5jXWU/JuNXBRHa1IpJjcJhIhg7jnh6ZNZHyK0EpeUs3Zp7usv7mz6CGwb04yvTsWOhZRc+6EoHaHyrNvFPfkPeGsZzxhIbprCyDMtKWsI9GCtztcRhQWBgornUVEs5CurLJBbClQTrZLVv2fn9UnXWPYZTLYL7aFwRIGyKr8ZOOMFxbLOGdeFlqc5TGCP416e8PZvhE+BuDmxiKtQJ/dsQFqVzvOZb2WQRsYRPYvvXbvUw== monitor@isidore" + ]; + }; + }; +} diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..e4f66de --- /dev/null +++ b/hardware-configuration.nix @@ -0,0 +1,52 @@ +{ config, pkgs, lib, ... }: + +{ + disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ]; + imports = [ ./modules/system/boot/loader/raspberrypi/raspberrypi.nix ]; + + boot.loader.grub.enable = false; + boot.loader.raspberryPi = { + enable = true; + version = 3; + firmwareConfig = '' + gpu_mem=192 + dtparam=audio=on + disable_overscan=1 + hdmi_drive=2 + disable_audio_dither=1 + + # Can be shortened if desired. + boot_delay=10 + ''; + }; + boot.loader.systemd-boot.configurationLimit = 1; + + # This is necessary for the rpi3. + boot.kernelPackages = pkgs.linuxPackages_rpi4; + + # Enable nonfree firmware (necessary for the rpi) + hardware.enableRedistributableFirmware = true; + + boot.supportedFilesystems = [ "ext4" ]; + + # Log important messages to the system console. + boot.consoleLogLevel = lib.mkDefault 7; + + # These are the filesystems defined on the SD image. + fileSystems = { + "/boot" = { + device = "/dev/disk/by-label/FIRMWARE"; + fsType = "vfat"; + options = [ "nofail" ]; + }; + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + }; + + # Prevent use of swapspace as much as possible + boot.kernel.sysctl = { "vm.swappiness" = 0; }; + + swapDevices = [ { device = "/swap"; size = 2048; } ]; +} diff --git a/inquisitor.nix b/inquisitor.nix new file mode 100644 index 0000000..bcbc0c7 --- /dev/null +++ b/inquisitor.nix @@ -0,0 +1,64 @@ +{pkgs, ...}: + +let + # Import the inquisitor package + inquisitorSource = fetchFromGitHub { + owner = "Jaculabilis"; + repo = "Inquisitor"; + rev = "9001bd8f920cc120f38e998d63a8134969a00032"; + sha256 = "0nx1dszvmn6a86jhj3c9607jqy0bmijjjz3jb3v5lsnpwwkjs5w6"; + }; + inquisitor = callPackage inquisitorSource {}; + + # Create the inquisitor config file in the nix store + inquisitorConfig = pkgs.writeTextFile "inquisitor.conf" '' + DataPath = /var/lib/inquisitor/data/ + SourcePath = /var/lib/inquisitor/sources/ + CachePath = /var/lib/inquisitor/cache/ + Verbose = false + LogFile = /var/log/inquisitor.log + ''; +in +{ + # Create a user for the service + users.users.inquisitor = { + description = "Inquisitor service user"; + isSystemUser = true; + packages = [ inquisitor ]; + }; + + # TODO replace with wrapper that sets envvar + environment.systemPackages = [ inquisitor ]; + + # Set up the inquisitor service + systemd.services.inquisitor = + let + # Inquisitor needs some state set up to work properly + inquisitorSetup = pkgs.writeShellScriptBin "setup.sh" '' + mkdir -p /var/lib/inquisitor/data/inquisitor/ + mkdir -p /var/lib/inquisitor/sources/ + mkdir -p /var/lib/inquisitor/cache/ + echo "{}" > /var/lib/inquisitor/data/inquisitor/state + ''; + # Set up server invocation + #inquisitorRun = pkgs.writeShellScriptBin "run.sh" '' + # ${pkgs.gunicorn}/bin/gunicorn + #''; TODO + inquisitorRun = pkgs.writeShellScriptBin "run.sh" '' + ${inquisitor}/bin/inquisitor run + ''; + in { + description = "Inquisitor server"; + environment = { INQUISITOR_CONFIG = $"{inquisitorConfig}"; }; # TODO gunicorn -e + preStart = "${inquisitorSetup}/bin/setup.sh"; + script = $"${inquisitorRun}/bin/run.sh"; + serviceConfig = { + User = "inquisitor"; + Type = "simple"; + WorkingDirectory = "/var/lib/inquisitor/"; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + enable = true; + }; +} diff --git a/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix b/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix new file mode 100644 index 0000000..c19adf4 --- /dev/null +++ b/modules/system/boot/loader/raspberrypi/raspberrypi-builder.nix @@ -0,0 +1,13 @@ +{ pkgs, configTxt }: + +pkgs.substituteAll { + src = ./raspberrypi-builder.sh; + isExecutable = true; + #postInstall = "shellcheck $out"; + #nativeBuildInputs = [ pkgs.buildPackages.shellcheck ]; + + inherit (pkgs.buildPackages) bash; + path = with pkgs.buildPackages; [coreutils gnused gnugrep]; + firmware = pkgs.raspberrypifw; + inherit configTxt; +} diff --git a/modules/system/boot/loader/raspberrypi/raspberrypi-builder.sh b/modules/system/boot/loader/raspberrypi/raspberrypi-builder.sh new file mode 100644 index 0000000..7751317 --- /dev/null +++ b/modules/system/boot/loader/raspberrypi/raspberrypi-builder.sh @@ -0,0 +1,179 @@ +#! @bash@/bin/bash + +# This can end up being called disregarding the shebang. +set -e + +shopt -s nullglob + +export PATH=/empty +for i in @path@; do PATH=$PATH:$i/bin; done + +usage() { + echo "usage: $0 -c [-d ] [-g ]" >&2 + exit 1 +} + +default= # Default configuration +target=/boot # Target directory +numGenerations=0 # Number of other generations to include in the menu + +while getopts "c:d:g:" opt; do + case "$opt" in + c) default="$OPTARG" ;; + d) target="$OPTARG" ;; + g) numGenerations="$OPTARG" ;; + \?) usage ;; + esac +done + +echo "updating the boot generations directory..." + +mkdir -p "$target/old" + +# Convert a path to a file in the Nix store such as +# /nix/store/-/file to --. +cleanName() { + local path="$1" + echo "$path" | sed 's|^/nix/store/||' | sed 's|/|-|g' +} + +atomicCopy() { + local src="$1" + local dst="$2" + local dstTmp=$dst.tmp.$$ + cp "$src" "$dstTmp" + mv "$dstTmp" "$dst" +} + +# Copy a file from the Nix store to $target/nixos. +declare -A filesCopied + +copyToOldDir() { + local src dst + src=$(readlink -f "$1") + dst="$target/old/$(cleanName "$src")" + # Don't copy the file if $dst already exists. This means that we + # have to create $dst atomically to prevent partially copied + # kernels or initrd if this script is ever interrupted. + if ! test -e "$dst"; then + atomicCopy "$src" "$dst" + fi + filesCopied[$dst]=1 +} + +copyDtbDir() { + local dtb_dir="$1" + local dst_dir="$2" + mkdir -p "$dst_dir" + for dtb in "$dtb_dir"/{broadcom,}/bcm*.dtb; do + local dst + dst="$dst_dir/$(basename "$dtb")" + local dstTmp=$dst.tmp.$$ + cp "$dtb" "$dstTmp" + mv "$dstTmp" "$dst" + filesCopied[$dst]=1 + done + filesCopied[$dst_dir]=1 +} + +cpMarked() { + local src="$1" + local dst="$2" + cp "$src" "$dst" + filesCopied[$dst]=1 +} + +echoMarked() { + local src="$1" + local dst="$2" + echo "$src" >"$dst" + filesCopied[$dst]=1 +} + +# Copy its kernel, initrd and dtbs to $target/old +addEntry() { + local path + path=$(readlink -f "$1") + local tag="$2" # Generation number or 'default' + + if ! test -e "$path/kernel" -a -e "$path/initrd"; then + return + fi + + local kernel initrd dtb_path init kernel_params + kernel=$(readlink -f "$path/kernel") + initrd=$(readlink -f "$path/initrd") + dtb_path=$(readlink -f "$path/dtbs") + init=$(readlink -f "$path/init") + kernel_params=$(readlink -f "$path/kernel-params") + + if [ "$tag" = "default" ]; then + atomicCopy "$kernel" "$target/kernel.img" + atomicCopy "$initrd" "$target/initrd" + copyDtbDir "$dtb_path" "$target" + atomicCopy "$init" "$target/nixos-init" + + tmpFile="$target/cmdline.txt.$$" + echo "$(cat "$kernel_params") init=$init" >"$tmpFile" + mv -f "$tmpFile" "$target/cmdline.txt" + else + copyToOldDir "$kernel" + copyToOldDir "$initrd" + + copyDtbDir "$dtb_path" "$target/old/$(cleanName "$dtb_path")" + + echoMarked "$path" "$target/old/$generation-system" + echoMarked "$init" "$target/old/$generation-init" + cpMarked "$kernel_params" "$target/old/$generation-cmdline.txt" + echoMarked "$initrd" "$target/old/$generation-initrd" + echoMarked "$kernel" "$target/old/$generation-kernel" + echoMarked "$dtb_path" "$target/old/$generation-dtbs" + fi +} + +addEntry "$default" default + +if [ "$numGenerations" -gt 0 ]; then + # Add up to $numGenerations generations of the system profile to $target/old, + # in reverse (most recent to least recent) order. + for generation in $( + (cd /nix/var/nix/profiles && ls -d system-*-link) \ + | sed 's/system-\([0-9]\+\)-link/\1/' \ + | sort -n -r \ + | head -n "$numGenerations"); do + link=/nix/var/nix/profiles/system-$generation-link + addEntry "$link" "$generation" + done +fi + +# Add the firmware files +fwdir=@firmware@/share/raspberrypi/boot/ +atomicCopy $fwdir/bootcode.bin "$target/bootcode.bin" +atomicCopy $fwdir/fixup.dat "$target/fixup.dat" +atomicCopy $fwdir/fixup4.dat "$target/fixup4.dat" +atomicCopy $fwdir/fixup4cd.dat "$target/fixup4cd.dat" +atomicCopy $fwdir/fixup4db.dat "$target/fixup4db.dat" +atomicCopy $fwdir/fixup4x.dat "$target/fixup4x.dat" +atomicCopy $fwdir/fixup_cd.dat "$target/fixup_cd.dat" +atomicCopy $fwdir/fixup_db.dat "$target/fixup_db.dat" +atomicCopy $fwdir/fixup_x.dat "$target/fixup_x.dat" +atomicCopy $fwdir/start.elf "$target/start.elf" +atomicCopy $fwdir/start4.elf "$target/start4.elf" +atomicCopy $fwdir/start4cd.elf "$target/start4cd.elf" +atomicCopy $fwdir/start4db.elf "$target/start4db.elf" +atomicCopy $fwdir/start4x.elf "$target/start4x.elf" +atomicCopy $fwdir/start_cd.elf "$target/start_cd.elf" +atomicCopy $fwdir/start_db.elf "$target/start_db.elf" +atomicCopy $fwdir/start_x.elf "$target/start_x.elf" + +# Add the config.txt +atomicCopy @configTxt@ "$target/config.txt" + +# Remove obsolete files from $target and $target/nixos. +for fn in "$target"/old/* "$target"/bcm*.dtb "$target"/cmdline.txt.*; do + if ! test "${filesCopied[$fn]}" = 1; then + echo "Removing no longer needed boot file: $fn" + chmod +w -- "$fn" + rm -rf -- "$fn" + fi +done diff --git a/modules/system/boot/loader/raspberrypi/raspberrypi.nix b/modules/system/boot/loader/raspberrypi/raspberrypi.nix new file mode 100644 index 0000000..45665dc --- /dev/null +++ b/modules/system/boot/loader/raspberrypi/raspberrypi.nix @@ -0,0 +1,107 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.boot.loader.raspberryPi; + + inherit (pkgs.stdenv.hostPlatform) platform; + + builderUboot = import ./uboot-builder.nix { inherit pkgs configTxt; inherit (cfg) version; }; + builderGeneric = import ./raspberrypi-builder.nix { inherit pkgs configTxt; }; + + builder = + if cfg.uboot.enable then + "${builderUboot} -g ${toString cfg.configurationLimit} -t ${timeoutStr} -c" + else + "${builderGeneric} -g ${toString cfg.configurationLimit} -c"; + + blCfg = config.boot.loader; + timeoutStr = if blCfg.timeout == null then "-1" else toString blCfg.timeout; + + isAarch64 = pkgs.stdenv.hostPlatform.isAarch64; + optional = pkgs.stdenv.lib.optionalString; + + configTxt = + pkgs.writeText "config.txt" ('' + # U-Boot used to need this to work, regardless of whether UART is actually used or not. + # TODO: check when/if this can be removed. + enable_uart=1 + + # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel + # when attempting to show low-voltage or overtemperature warnings. + avoid_warnings=1 + '' + optional isAarch64 '' + # Boot in 64-bit mode. + arm_64bit=1 + '' + (if cfg.uboot.enable then '' + kernel=u-boot-rpi.bin + '' else '' + kernel=kernel.img + initramfs initrd followkernel + '') + optional (cfg.firmwareConfig != null) cfg.firmwareConfig); + +in + +{ + options = { + + boot.loader.raspberryPi = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Whether to create files with the system generations in + /boot. + /boot/old will hold files from old generations. + ''; + }; + + version = mkOption { + default = 2; + type = types.enum [ 0 1 2 3 4 ]; + description = '' + ''; + }; + + configurationLimit = mkOption { + default = 20; + example = 10; + type = types.int; + description = '' + Maximum number of configurations in the boot menu. + ''; + }; + + uboot = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enable using uboot as bootmanager for the raspberry pi. + ''; + }; + }; + + firmwareConfig = mkOption { + default = null; + type = types.nullOr types.lines; + description = '' + Extra options that will be appended to /boot/config.txt file. + For possible values, see: https://www.raspberrypi.org/documentation/configuration/config-txt/ + ''; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = singleton { + assertion = !pkgs.stdenv.hostPlatform.isAarch64 || cfg.version >= 3; + message = "Only Raspberry Pi >= 3 supports aarch64."; + }; + + system.build.installBootLoader = builder; + system.boot.loader.id = "raspberrypi"; + system.boot.loader.kernelFile = platform.kernelTarget; + }; +}