upgrade to 22.11, add extlinux & hetzner-vps:

- disable wip.fs.disks.devices.*.gptOffset (patch broken with 22.11), - add wip.bootloader.extlinux, - add wip.hardware.hetzner-vps profile, - fix wip.services.dropbear.socketActivation,
2025-08-19 13:14:12 +02:00 · 2022-12-27 15:37:27 +01:00
parent df8c451050
commit a4ae2ab551
29 changed files with 483 additions and 187 deletions
--- a/lib/setup-scripts/maintenance.sh
+++ b/lib/setup-scripts/maintenance.sh
@@ -18,6 +18,7 @@ function register-vbox {( set -eu # 1: diskImages, 2?: bridgeTo
        diskImage=${decl/*=/}
        if [[ ! -e $diskImage.vmdk ]] ; then
            $VBoxManage internalcommands createrawvmdk -filename $diskImage.vmdk -rawdisk $diskImage # pass-through
+            #VBoxManage convertfromraw --format VDI $diskImage $diskImage.vmdk && rm $diskImage # convert
        fi
        $VBoxManage storageattach "$vmName" --storagectl SATA --port $(( index++ )) --device 0 --type hdd --medium $diskImage.vmdk
    done
@@ -133,56 +134,57 @@ function add-bootkey-to-keydev {( set -eu # 1: blockDev, 2?: hostHash
 #  See »open-system«'s implementation for some example calls to this function.
 function mount-keystore-luks { # ...: cryptsetupOptions
    # (For the traps to work, this can't run in a sub shell. The function therefore can't use »( set -eu ; ... )« internally and instead has to use »&&« after every command and in place of most »;«, and the function can't be called from a pipeline.)
-    keystore=keystore-@{config.networking.hostName!hashString.sha256:0:8} &&
-    mkdir -p -- /run/$keystore &&
-    @{native.cryptsetup}/bin/cryptsetup open "$@" /dev/disk/by-partlabel/$keystore $keystore &&
-    mount -o nodev,umask=0077,fmask=0077,dmask=0077,ro /dev/mapper/$keystore /run/$keystore &&
-    prepend_trap "umount /run/$keystore ; @{native.cryptsetup}/bin/cryptsetup close $keystore ; rmdir /run/$keystore" EXIT
+    local keystore=keystore-@{config.networking.hostName!hashString.sha256:0:8}
+    mkdir -p -- /run/$keystore && prepend_trap "[[ ! -e /run/$keystore ]] || rmdir /run/$keystore" EXIT || return
+    @{native.cryptsetup}/bin/cryptsetup open "$@" /dev/disk/by-partlabel/$keystore $keystore && prepend_trap "@{native.cryptsetup}/bin/cryptsetup close $keystore" EXIT || return
+    mount -o nodev,umask=0077,fmask=0077,dmask=0077,ro /dev/mapper/$keystore /run/$keystore && prepend_trap "umount /run/$keystore" EXIT || return
 }

 ## Performs any steps necessary to mount the target system at »/tmp/nixos-install-@{config.networking.hostName}« on the current host.
-#  For any steps taken, it also adds the reaps to undo them on  exit from the calling shell, and it always adds the exit trap to do the unmounting itself.
+#  For any steps taken, it also adds the steps to undo them on exit from the calling shell, and it always adds the exit trap to do the unmounting itself.
 #  »diskImages« may be passed in the same format as to the installer. If so, any image files are ensured to be loop-mounted.
 #  Perfect to inspect/update/amend/repair a system's installation afterwards, e.g.:
 #  $ source ${config_wip_fs_disks_initSystemCommands1writeText_initSystemCommands}
 #  $ source ${config_wip_fs_disks_restoreSystemCommands1writeText_restoreSystemCommands}
-#  $ install-system-to /tmp/nixos-install-${config_networking_hostName}
-#  $ nixos-enter --root /tmp/nixos-install-${config_networking_hostName}
+#  $ install-system-to $mnt
+#  $ nixos-install --system ${config_system_build_toplevel} --no-root-passwd --no-channel-copy --root $mnt
+#  $ nixos-enter --root $mnt
 function open-system { # 1?: diskImages
    # (for the traps to work, this can't run in a sub shell, so also can't »set -eu«, so use »&&« after every command and in place of most »;«)

    local diskImages=${1:-} # If »diskImages« were specified and they point at files that aren't loop-mounted yet, then loop-mount them now:
    local images=$( losetup --list --all --raw --noheadings --output BACK-FILE )
-    local decl && for decl in ${diskImages//:/ } ; do
-        local image=${decl/*=/} && if [[ $image != /dev/* ]] && ! <<<$images grep -xF $image ; then
-            local blockDev=$( losetup --show -f "$image" ) && prepend_trap "losetup -d '$blockDev'" EXIT &&
-            @{native.parted}/bin/partprobe "$blockDev" &&
-        :;fi &&
-    :;done &&
-    ( @{native.systemd}/bin/udevadm settle -t 15 || true ) && # sometimes partitions aren't quite made available yet
+    local decl ; for decl in ${diskImages//:/ } ; do
+        local image=${decl/*=/} ; if [[ $image != /dev/* ]] && ! <<<$images grep -xF $image ; then
+            local blockDev=$( losetup --show -f "$image" ) && prepend_trap "losetup -d '$blockDev'" EXIT || return
+            @{native.parted}/bin/partprobe "$blockDev" || return
+
+        fi
+    done
+    @{native.systemd}/bin/udevadm settle -t 15 || true # sometimes partitions aren't quite made available yet

    if [[ @{config.wip.fs.keystore.enable} && ! -e /dev/mapper/keystore-@{config.networking.hostName!hashString.sha256:0:8} ]] ; then # Try a bunch of approaches for opening the keystore:
        mount-keystore-luks --key-file=<( printf %s "@{config.networking.hostName}" ) ||
        mount-keystore-luks --key-file=/dev/disk/by-partlabel/bootkey-@{config.networking.hostName!hashString.sha256:0:8} ||
        mount-keystore-luks --key-file=<( read -s -p PIN: pin && echo ' touch!' >&2 && ykchalresp -2 "$pin" ) ||
        # TODO: try static yubikey challenge
-        mount-keystore-luks
-    fi &&
+        mount-keystore-luks || return
+    fi

-    local mnt=/tmp/nixos-install-@{config.networking.hostName} && if [[ ! -e $mnt ]] ; then mkdir -p "$mnt" && prepend_trap "rmdir '$mnt'" EXIT ; fi &&
+    mnt=/tmp/nixos-install-@{config.networking.hostName} # allow this to leak into the calling scope
+    if [[ ! -e $mnt ]] ; then mkdir -p "$mnt" && prepend_trap "rmdir '$mnt'" EXIT || return ; fi

-    open-luks-layers && # Load crypt layers and zfs pools:
+    open-luks-layers || return # Load crypt layers and zfs pools:
    if [[ $( LC_ALL=C type -t ensure-datasets ) == 'function' ]] ; then
-        local poolName && for poolName in "@{!config.wip.fs.zfs.pools[@]}" ; do
+        local poolName ; for poolName in "@{!config.wip.fs.zfs.pools[@]}" ; do
            if ! zfs get -o value -H name "$poolName" &>/dev/null ; then
-                zpool import -f -N -R "$mnt" "$poolName" && prepend_trap "zpool export '$poolName'" EXIT &&
-            :;fi &&
-            : | zfs load-key -r "$poolName" || true &&
-        :;done &&
-        ensure-datasets "$mnt" &&
-    :;fi &&
+                zpool import -f -N -R "$mnt" "$poolName" ; prepend_trap "zpool export '$poolName'" EXIT || return
+            fi
+            : | zfs load-key -r "$poolName" || true
+        done
+        ensure-datasets "$mnt" || return
+    fi

-    prepend_trap "unmount-system '$mnt'" EXIT && mount-system "$mnt" &&
-
-    true # (success)
+    prepend_trap "unmount-system '$mnt'" EXIT && mount-system "$mnt" '' 1 || return
+    df -h | grep $mnt | cat
 }