small fixes, esp. for cross-building

lib/setup-scripts/install.sh

@@ -16,12 +16,13 @@ function prepare-installer { # (void)
 
     : ${argv[0]:?"Required: Target disk or image paths."}
 
+    umask g-w,o-w # Ensure that files created without explicit permissions are not writable for group and other (0022).
+
     if [[ "$(id -u)" != '0' ]] ; then
         if [[ ! ${args[no-vm]:-} ]] ; then reexec-in-qemu || return ; \exit 0 ; fi
         echo 'Script must be run as root or in qemu (without »--no-vm«).' 1>&2 ; \return 1
     fi
     if [[ ${args[vm]:-} ]] ; then reexec-in-qemu || return ; \exit 0 ; fi
-    umask 0022 # Ensure consistent umask (default permissions for new files).
 
     if [[ -e "/run/keystore-@{config.networking.hostName!hashString.sha256:0:8}" ]] ; then echo "Keystore »/run/keystore-@{config.networking.hostName!hashString.sha256:0:8}/« is already open. Close it and remove the mountpoint before running the installer." 1>&2 ; \return 1 ; fi
 
@@ -33,7 +34,7 @@ function prepare-installer { # (void)
         if @{native.zfs}/bin/zfs get -o value -H name "$poolName" &>/dev/null ; then echo "ZFS pool »$poolName« is already imported. Export the pool before running the installer." 1>&2 ; \return 1 ; fi
     done
 
-    if [[ ${SUDO_USER:-} ]] ; then # use Nix as the user who called this script, as Nix may not be set up for root
+    if [[ ${SUDO_USER:-} && $( PATH=$hostPath which su 2>/dev/null ) ]] ; then # use Nix as the user who called this script, as Nix may not be set up for root
         function nix {( set +x ; declare -a args=("$@") ; PATH=$hostPath su - "$SUDO_USER" -c "$(declare -p args)"' ; nix "${args[@]}"' )}
     else # use Nix by absolute path, as it won't be on »$PATH«
         PATH=$PATH:@{native.nix}/bin
@@ -50,6 +51,8 @@ function prepare-installer { # (void)
 ## Re-executes the current system's installation in a qemu VM.
 function reexec-in-qemu {
 
+    if [[ @{pkgs.buildPackages.system} != "@{native.system}" ]] ; then echo "VM installation (implicit when not running as root) of a system built on a different ISA than the current host's is not supported (yet)." 1>&2 ; \return 1 ; fi
+
     # (not sure whether this works for block devices)
     ensure-disks "${argv[0]}" 1 || return
     qemu=( -m 2048 ) ; declare -A qemuDevs=( )
@@ -65,16 +68,19 @@ function reexec-in-qemu {
         let index+=1
     done
 
-    args[vm]=''
+    args[vm]='' ; args[no-vm]=1
     newArgs=( ) ; for arg in "${!args[@]}" ; do newArgs+=( --"$arg"="${args[$arg]}" ) ; done
     devSpec= ; for name in "${!qemuDevs[@]}" ; do devSpec+="$name"="${qemuDevs[$name]}": ; done
     newArgs+=( ${devSpec%:} ) ; (( ${#argv[@]} > 1 )) && args+=( "${argv[@]:1}" )
 
     #local output=@{inputs.self}'#'nixosConfigurations.@{outputName:?}.config.system.build.vmExec
-    local output=@{config.system.build.vmExec.drvPath} # this is more accurate, but also means another system needs to get evaluated every time
-    local command="$0 install-system $( printf '%q ' "${newArgs[@]}" ) || exit"
+    local output=@{config.system.build.vmExec.drvPath!unsafeDiscardStringContext} # this is more accurate, but also means another system needs to get evaluated every time
+    local scripts=$0 ; if [[ @{pkgs.system} != "@{native.system}" ]] ; then
+        scripts=$( build-lazy @{inputs.self}'#'apps.@{pkgs.system}.@{outputName:?}.derivation )
+    fi
+    local command="$scripts install-system $( printf '%q ' "${newArgs[@]}" ) || exit"
 
-    local runInVm ; runInVm=$( @{native.nix}/bin/nix --extra-experimental-features nix-command build --no-link --json ${args[quiet]:+--quiet} $output | @{native.jq}/bin/jq -r .[0].outputs.out )/bin/run-@{config.system.name}-vm-exec || return
+    local runInVm ; runInVm=$( build-lazy $output )/bin/run-@{config.system.name}-vm-exec || return
 
     $runInVm ${args[vm-shared]:+--shared="${args[vm-shared]}"} ${args[debug]:+--initrd-console} ${args[trace]:+--initrd-console} ${args[quiet]:+--quiet} -- "$command" "${qemu[@]}" || return # --initrd-console
 }
@@ -118,8 +124,8 @@ function install-system-to {( set -u # 1: mnt
 
     # Support cross architecture installation (not sure if this is actually required)
     if [[ $(cat /run/current-system/system 2>/dev/null || echo "x86_64-linux") != "@{config.wip.preface.hardware}"-linux ]] ; then
-        mkdir -p $mnt/run/binfmt || exit ; [[ ! -e /run/binfmt/"@{config.wip.preface.hardware}"-linux ]] || cp -a {,$mnt}/run/binfmt/"@{config.wip.preface.hardware}"-linux || exit
-        # Ubuntu (by default) expects the "interpreter" at »/usr/bin/qemu-@{config.wip.preface.hardware}-static«.
+        mkdir -p $mnt/run/binfmt || exit ; [[ ! -e /run/binfmt/"@{config.wip.preface.hardware}"-linux ]] || cp -a {,$mnt}/run/binfmt/"@{config.wip.preface.hardware}"-linux || exit # On NixOS, this is a symlink or wrapper script, pointing to the store.
+        # Ubuntu (20.04, by default) uses a statically linked, already loaded qemu binary (F-flag), which therefore does not need to be reference-able from within the chroot.
     fi
 
     # Copy system closure to new nix store:

lib/setup-scripts/maintenance.sh

@@ -54,7 +54,7 @@ function run-qemu { # 1: diskImages, ...: qemuArgs
     local qemu=( )
 
     if [[ @{pkgs.system} == "@{native.system}" ]] ; then
-        qemu=( $( @{native.nix}/bin/nix --extra-experimental-features nix-command build --no-link --json @{native.qemu_kvm.drvPath} | @{native.jq}/bin/jq -r .[0].outputs.out )/bin/qemu-kvm ) || return
+        qemu=( $( build-lazy @{native.qemu_kvm.drvPath!unsafeDiscardStringContext} )/bin/qemu-kvm ) || return
         if [[ ! ${args[no-kvm]:-} && -r /dev/kvm && -w /dev/kvm ]] ; then
             # For KVM to work, vBox must not be running anything at the same time (and vBox hangs on start if qemu runs). Pass »--no-kvm« and accept ~10x slowdown, or stop vBox.
             qemu+=( -enable-kvm -cpu host )
@@ -64,32 +64,25 @@ function run-qemu { # 1: diskImages, ...: qemuArgs
                 echo "KVM is not available (for the current user). Running without hardware acceleration." 1>&2
             fi
             qemu+=( -machine accel=tcg ) # this may suppress warnings that qemu is using tcg (slow) instead of kvm
-            if [[ @{pkgs.system} == aarch64-* ]] ; then qemu+=( -cpu max ) ; fi
-        fi
-        if [[ @{pkgs.system} == aarch64-* ]] ; then
-            qemu+=( -machine type=virt -cpu max ) # aarch64 has no default, but this seems good
         fi
     else
-        qemu=( $( @{native.nix}/bin/nix --extra-experimental-features nix-command build --no-link --json @{native.qemu_full.drvPath} | @{native.jq}/bin/jq -r .[0].outputs.out )/bin/qemu-system-@{config.wip.preface.hardware} ) || return
-        if [[ @{config.wip.preface.hardware} == aarch64 ]] ; then # assume it's a raspberry PI (or compatible)
-            # TODO: this does not work yet:
-            qemu+=( -machine type=raspi3b -m 1024 ) ; args[no-nat]=1
-            # ... and neither does this:
-            #qemu+=( -machine type=virt -m 1024 -smp 4 -cpu cortex-a53  ) ; args[no-nat]=1
-        fi
+        qemu=( $( build-lazy @{native.qemu_full.drvPath!unsafeDiscardStringContext} )/bin/qemu-system-@{config.wip.preface.hardware} ) || return
     fi
+    if [[ @{pkgs.system} == aarch64-* ]] ; then
+        qemu+=( -machine type=virt ) # aarch64 has no default, but this seems good
+    fi ; qemu+=( -cpu max )
 
     qemu+=( -m ${args[mem]:-2048} )
     if [[ ${args[smp]:-} ]] ; then qemu+=( -smp ${args[smp]} ) ; fi
 
     if [[ @{config.boot.loader.systemd-boot.enable} || ${args[efi]:-} ]] ; then # UEFI. Otherwise it boots SeaBIOS.
-        local ovmf ; ovmf=$( @{native.nix}/bin/nix --extra-experimental-features nix-command build --no-link --json @{native.OVMF.drvPath} | @{native.jq}/bin/jq -r .[0].outputs.fd ) || return
+        local ovmf ; ovmf=$( build-lazy @{pkgs.OVMF.drvPath!unsafeDiscardStringContext} fd ) || return
         #qemu+=( -bios ${ovmf}/FV/OVMF.fd ) # This works, but is a legacy fallback that stores the EFI vars in /NvVars on the EFI partition (which is really bad).
         local fwName=OVMF ; if [[ @{pkgs.system} == aarch64-* ]] ; then fwName=AAVMF ; fi # fwName=QEMU
         qemu+=( -drive file=${ovmf}/FV/${fwName}_CODE.fd,if=pflash,format=raw,unit=0,readonly=on )
         local efiVars=${args[efi-vars]:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/qemu-@{outputName:-@{config.system.name}}-VARS.fd}
         qemu+=( -drive file="$efiVars",if=pflash,format=raw,unit=1 )
-        if [[ ! -e "$efiVars" ]] ; then cat ${ovmf}/FV/${fwName}_VARS.fd >"$efiVars" || return ; fi
+        if [[ ! -e "$efiVars" ]] ; then mkdir -pm700 "$( dirname "$efiVars" )" ; cat ${ovmf}/FV/${fwName}_VARS.fd >"$efiVars" || return ; fi
         # https://lists.gnu.org/archive/html/qemu-discuss/2018-04/msg00045.html
     fi
 #   if [[ @{config.wip.preface.hardware} == aarch64 ]] ; then
@@ -99,14 +92,18 @@ function run-qemu { # 1: diskImages, ...: qemuArgs
     if [[ $diskImages == */ ]] ; then
         disks=( ${diskImages}primary.img ) ; for name in "@{!config.wip.fs.disks.devices[@]}" ; do if [[ $name != primary ]] ; then disks+=( ${diskImages}${name}.img ) ; fi ; done
     else disks=( ${diskImages//:/ } ) ; fi
+
+    [[ ' '"@{boot.initrd.availableKernelModules[@]}"' ' != *' 'virtio_blk' '* ]] || args[virtio-blk]=1
     local index ; for index in ${!disks[@]} ; do
 #       qemu+=( -drive format=raw,if=ide,file="${disks[$index]/*=/}" ) # »if=ide« is the default, which these days isn't great for driver support inside the VM
-        qemu+=( # not sure how correct the interpretations of the command are
-            -drive format=raw,file="${disks[$index]/*=/}",media=disk,if=none,index=${index},id=drive${index} # create the disk drive, without attaching it, name it driveX
-            #-device ahci,acpi-index=${index},id=ahci${index} # create an (ich9-)AHCI bus named »ahciX«
-            #-device ide-hd,drive=drive${index},bus=ahci${index}.${index} # attach IDE?! disk driveX as device X on bus »ahciX«
-            -device virtio-blk-pci,drive=drive${index},disable-modern=on,disable-legacy=off # alternative to the two lines above (implies to be faster, but seems to require guest drivers)
-        )
+        qemu+=( -drive format=raw,file="${disks[$index]/*=/}",media=disk,if=none,index=${index},id=drive${index} ) # create the disk drive, without attaching it, name it driveX
+
+        if [[ ! ${args[virtio-blk]:-} ]] ; then
+            qemu+=( -device ahci,acpi-index=${index},id=ahci${index} ) # create an (ich9-)AHCI bus named »ahciX«
+            qemu+=( -device ide-hd,drive=drive${index},bus=ahci${index}.${index} ) # attach IDE?! disk driveX as device X on bus »ahciX«
+        else
+            qemu+=( -device virtio-blk-pci,drive=drive${index},disable-modern=on,disable-legacy=off ) # this should be faster, but seems to require guest drivers
+        fi
     done
 
     if [[ ${args[share]:-} ]] ; then # e.g. --share='foo:/home/user/foo,readonly=on bar:/tmp/bar'
@@ -144,8 +141,8 @@ function run-qemu { # 1: diskImages, ...: qemuArgs
         if [[ ! -e $disk ]] ; then args[install]=always ; fi
     done ; fi
     if [[ ${args[install]:-} == always ]] ; then
-        local verbosity=--quiet ; if [[ ${args[debug]:-} ]] ; then verbosity=--debug ; fi
-        ${args[dry-run]:+echo} $0 install-system "$diskImages" $verbosity --no-inspect || return
+        local verbosity=--quiet ; if [[ ${args[trace]:-} ]] ; then verbosity=--trace ; fi ; if [[ ${args[debug]:-} ]] ; then verbosity=--debug ; fi
+        hostPath=${hostPath:-} ${args[dry-run]:+echo} $0 install-system "$diskImages" $verbosity --no-inspect || return
     fi
 
     qemu+=( "${argv[@]}" )

lib/setup-scripts/utils.sh

@@ -102,3 +102,9 @@ function run-hook-script {( set -eu # 1: title, 2: scriptPath
     fi
     source "$2"
 )}
+
+## Lazily builds a nix derivation at run time, instead of when building the script.
+#  When maybe-using packages that take long to build, instead of »at{some.package.out}«, use: »$( build-lazy at{some.package.drvPath!unsafeDiscardStringContext} out )«
+function build-lazy { # 1: drvPath, 2?: output
+    PATH=$PATH:@{native.openssh}/bin @{native.nix}/bin/nix --extra-experimental-features nix-command build --no-link --json ${args[quiet]:+--quiet} $1 | @{native.jq}/bin/jq -r .[0].outputs.${2:-out}
+}