move example hosts and overwrite to /example/, misc
@ -52,8 +52,8 @@ function gen-key-home-composite {( set -eu # 1: usage, 2: user
|
||||
if [[ ${!userPasswords[@]} && ${userPasswords[$user]:-} ]] ; then
|
||||
password=${userPasswords[$user]}
|
||||
else
|
||||
password=$(prompt-new-password "for the user account »$user« (as component for key »(@{config.networking.hostName}:)$usage«)")
|
||||
if [[ ! $password ]] ; then \exit 1 ; fi
|
||||
password=$( prompt-new-password "for the user account »$user« (as component for key »(@{config.networking.hostName}:)$usage«)" )
|
||||
if [[ ! $password ]] ; then \exit 1 ; fi ; userPasswords[$user]=$password # TODO: won't propagate
|
||||
fi
|
||||
{ cat "$keystore"/home/"$user".key && cat <<<"$password" ; } | sha256sum | head -c 64
|
||||
)}
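Review bot: The cache write `userPasswords[$user]=$password` on the last added line is dead code: this function's body runs inside the `(...)` subshell opened on the header line (`{( set -eu`), so the assignment is discarded when the function returns and every caller re-prompts for the same password. The `# TODO: won't propagate` comment admits this but leaves a misleading assignment in place; either drop it, or populate `userPasswords` in the caller (prompt-for-user-passwords already fills this array for configured users, judging by its hunk below). The same pattern appears in the gen-key-home-yubikey hunk at `@ -66,8 +66,8 @@`. gen-key-home-composite starts outside the hunk.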
|
||||
@ -66,8 +66,8 @@ function gen-key-home-yubikey {( set -eu # 1: usage, 2: serialAndSlotAndUser(as
|
||||
if [[ ${!userPasswords[@]} && ${userPasswords[$user]:-} ]] ; then
|
||||
password=${userPasswords[$user]}
|
||||
else
|
||||
password=$(prompt-new-password "for the user account »$user« (as YubiKey challenge for key »:$usage«)")
|
||||
if [[ ! $password ]] ; then \exit 1 ; fi
|
||||
password=$( prompt-new-password "for the user account »$user« (as YubiKey challenge for key »:$usage«)" )
|
||||
if [[ ! $password ]] ; then \exit 1 ; fi ; userPasswords[$user]=$password # TODO: won't propagate
|
||||
fi
|
||||
gen-key-yubikey-challenge "$usage" "$serial:$slot:home-$user=$password" true "»${user}«'s password (to create key »:${usage}«)"
|
||||
)}
|
||||
|
@ -193,8 +193,8 @@ function format-partitions {
|
||||
elif [[ ${fs[device]} == /dev/mapper/* ]] ; then
|
||||
if [[ ! @{config.boot.initrd.luks.devices!catAttrSets.device[${fs[device]/'/dev/mapper/'/}]:-} ]] ; then echo "LUKS device ${fs[device]} used by mount ${fs[mountPoint]} does not point at one of the device mappings ${!config.boot.initrd.luks.devices!catAttrSets.device[@]}" 1>&2 ; \return 1 ; fi
|
||||
else continue ; fi
|
||||
eval 'declare -a formatArgs='"${fs[formatArgs]}"
|
||||
( PATH=@{native.e2fsprogs}/bin:@{native.f2fs-tools}/bin:@{native.xfsprogs}/bin:@{native.dosfstools}/bin:$PATH ; ${_set_x:-:} ; mkfs."${fs[fsType]}" "${formatArgs[@]}" "${fs[device]}" >$beLoud 2>$beSilent ) || [[ $options == *,nofail,* ]] || return
|
||||
eval 'declare -a formatArgs='"${fs[formatArgs]}" ; eval 'declare -a options='"${fs[options]}"
|
||||
( PATH=@{native.e2fsprogs}/bin:@{native.f2fs-tools}/bin:@{native.xfsprogs}/bin:@{native.dosfstools}/bin:$PATH ; ${_set_x:-:} ; mkfs."${fs[fsType]}" "${formatArgs[@]}" "${fs[device]}" >$beLoud 2>$beSilent ) || [[ ' '${options[@]}' ' == *' 'nofail' '* ]] || return
|
||||
@{native.parted}/bin/partprobe "${fs[device]}" || true
|
||||
done
|
||||
for swapDev in "@{config.swapDevices!catAttrs.device[@]}" ; do
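Review bot: The membership test `[[ ' '${options[@]}' ' == *' 'nofail' '* ]]` on the mkfs line only works because `[[` does not word-split, so the unquoted array is joined with single spaces; it reads like a quoting slip and breaks if any option contains a space. The conventional form is `[[ " ${options[*]} " == *" nofail "* ]]` (`[*]` joins with the first IFS character, so this assumes the default IFS, as the original effectively does), or a plain loop over `"${options[@]}"` if options with spaces are possible. Separately, the two `eval 'declare -a …='` statements execute text from `fs[formatArgs]`/`fs[options]` as shell code; a one-line comment such as `# formatArgs/options are shell array literals, presumably rendered from the Nix config at build time — confirm` would make clear that the input is trusted configuration rather than runtime data. format-partitions starts outside the hunk.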
|
||||
|
@ -42,6 +42,8 @@ declare-flag install-system no-vm "" "Never perform the installation in a VM. Fa
|
||||
## Does some argument validation, performs some sanity checks, includes a hack to make installation work when nix isn't installed for root, and runs the installation in qemu (if requested).
|
||||
function prepare-installer { # 1: diskPaths
|
||||
|
||||
run-hook-script 'Prepare Installer' @{config.installer.commands.prepareInstaller!writeText.prepareInstallerCommands} || exit
|
||||
|
||||
if [[ ! ${args[disks]:-} ]] ; then args[disks]=${1:?"The disks flag or the first positional argument must specify the path(s) to the disk(s) and/or image file(s) to install to"} ; shift ; fi
|
||||
|
||||
umask g-w,o-w # Ensure that files created without explicit permissions are not writable for group and other.
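Review bot: The new `run-hook-script 'Prepare Installer' …` call runs before `umask g-w,o-w` two lines below, so anything the prepare hook creates is written with the inherited umask rather than the restricted one that line's comment promises; moving the hook call below the `umask` line (or the `umask` above it) closes that gap. The call also runs before the `args[disks]` check, so a hook executes even when the invocation is about to be rejected for missing arguments, which is only fine if the hook is meant to be argument-independent. Finally, `|| exit` terminates the whole shell from inside a non-subshell function, whereas the surrounding code uses `\return 1` for failures; if aborting the installer here is intended, a short comment saying so would help. prepare-installer's body continues outside the hunk.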
|
||||
|
@ -7,10 +7,7 @@ function prompt-for-user-passwords { # (void)
|
||||
userPasswords[$user]=@{config.users.users!catAttrSets.password[$user]}
|
||||
done
|
||||
local user ; for user in "@{!config.users.users!catAttrSets.hashedPasswordFile[@]}" "@{!config.users.users!catAttrSets.passwordFile[@]}" ; do
|
||||
for attempt in 2 3 x ; do
|
||||
if userPasswords[$user]=$(prompt-new-password "for the user account »$user«") ; then break ; fi
|
||||
if [[ $attempt == x ]] ; then \return 1 ; fi ; echo "Retrying ($attempt/3):"
|
||||
done
|
||||
prompt-new-password-thrice "for the user account »$user«"
|
||||
done
|
||||
}
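Review bot: The replacement call `prompt-new-password-thrice "for the user account »$user«"` discards the helper's exit status, while the removed loop ended with `\return 1` after the third failed attempt; unless prompt-for-user-passwords runs under an effective `set -e` (not visible here), a user who never confirms a password now falls through to the next user with an empty `userPasswords[$user]` entry. Restore the propagation: `prompt-new-password-thrice "for the user account »$user«" || return`. The helper also relies on the caller's `$user` variable rather than a parameter, so the `local user` on the loop line is load-bearing for it. prompt-for-user-passwords starts outside the hunk.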
|
||||
|
||||
|
@ -68,7 +68,7 @@ Example 2 (connect many VMs, unprivileged):
|
||||
$ nix shell nixpkgs#vde2 --command vde_switch -sock /tmp/vm-net
|
||||
$ ... --nic=vde,sock=/tmp/vm-net # multiple times"
|
||||
declare-flag run-qemu no-serial "" "Do not connect the calling terminal to a serial adapter the guest can log to and open a terminal on the guests serial, as would be the default if the guests logs to ttyS0."
|
||||
declare-flag run-qemu share "decls" "Host dirs to make available as network shares for the guest, as space separated list of »name:host-path,options. E.g. »--share='foo:/home/user/foo,readonly=on bar:/tmp/bar«. In the VM hte share can be mounted with: »$ mount -t 9p -o trans=virtio -o version=9p2000.L -o msize=4194304 -o ro foo /foo«."
|
||||
declare-flag run-qemu share "decls" "Host dirs to make available as network shares for the guest, as space separated list of »name:host-path,options«. E.g. »--share='foo:/home/user/foo,readonly=on bar:/tmp/bar«. In the VM the share can be mounted with: »$ mount -t 9p -o trans=virtio -o version=9p2000.L -o msize=4194304 -o ro foo /foo«."
|
||||
declare-flag run-qemu virtio-blk "" "Pass the system's disks/images as virtio disks, instead of using AHCI+IDE. Default iff »boot.initrd.availableKernelModules« includes »virtio_blk« (because it requires that driver)."
|
||||
function run-qemu {
|
||||
if [[ ${args[install]:-} && ! ${argv[0]:-} ]] ; then argv[0]=/tmp/nixos-vm/@{config.installer.outputName:-@{config.system.name}}/ ; fi
|
||||
@ -158,7 +158,7 @@ function run-qemu {
|
||||
if [[ ! -e $disk ]] ; then args[install]=always ; fi
|
||||
done ; fi
|
||||
if [[ ${args[install]:-} == always ]] && [[ ! ${args[dry-run]:-} ]] ; then (
|
||||
if [[ ! ${args[trace]:-} ]] && [[! ${args[debug]:-} ]] ; then args[quiet]=1 ; fi
|
||||
if [[ ! ${args[trace]:-} ]] && [[ ! ${args[debug]:-} ]] ; then args[quiet]=1 ; fi
|
||||
args[no-inspect]=1 ; install-system "$diskImages" || exit
|
||||
) || return ; fi
|
||||
|
||||
@ -176,7 +176,7 @@ declare-flag run-qemu,install-system,'*' vm-mem "num" "VM RAM in MiB (»
|
||||
declare-flag run-qemu,install-system,'*' vm-smp "num" "Number of guest CPU cores."
|
||||
declare-flag run-qemu,install-system,'*' vm-usb-port "path" "A physical USB port (or hub) to pass to the guest (e.g. a YubiKey for unlocking). Specified as »<bus>-<port>«, where bus and port refer to the physical USB port »/sys/bus/usb/devices/<bus>-<port>« (see »lsusb -tvv«). E.g.: »--vm-usb-port=3-1.1.1.4«."
|
||||
function apply-vm-args {
|
||||
qemu+=( -m ${args[vm-mem]:-2048} )
|
||||
qemu+=( -m ${args[vm-mem]:-4096} )
|
||||
if [[ ${args[vm-smp]:-} ]] ; then qemu+=( -smp ${args[vm-smp]} ) ; fi
|
||||
|
||||
if [[ ${args[vm-usb-port]:-} ]] ; then local decl ; for decl in ${args[vm-usb-port]//:/ } ; do
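Review bot: The default in `qemu+=( -m ${args[vm-mem]:-4096} )` changed from 2048 to 4096, but the vm-mem help text on the hunk header line (`"VM RAM in MiB (»…`, truncated here) looks like it quotes the default; if it still says 2048 it is now stale and should change in the same commit. The header shows that declare-flag line only partially, so I cannot confirm its exact wording. apply-vm-args continues outside the hunk.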
|
||||
|
@ -45,6 +45,12 @@ function prompt-new-password {( set -u # 1: usage
|
||||
if [[ "$password1" != "$password2" ]] ; then printf 'Passwords mismatch.\n' 1>&2 ; \exit 1 ; fi
|
||||
printf %s "$password1" || exit
|
||||
)}
|
||||
function prompt-new-password-thrice {
|
||||
local attempt ; for attempt in 2 3 x ; do
|
||||
if userPasswords[$user]=$( prompt-new-password "$@" ) ; then break ; fi
|
||||
if [[ $attempt == x ]] ; then \return 1 ; fi ; echo "Retrying ($attempt/3):"
|
||||
done
|
||||
}
|
||||
|
||||
## If »secretFile« does not exist, interactively prompts up to three times for the secret to be stored in that file.
|
||||
declare-flag '*' no-optional-prompts "" "Skip prompting for (and thus saving) secret marked as optional."
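Review bot: The new `prompt-new-password-thrice` has no header comment and an implicit interface: it forwards `"$@"` to prompt-new-password but writes `userPasswords[$user]` using a `$user` that it neither declares nor receives, so it only works when called from a loop that sets `user`. Document that on the signature line, e.g. `function prompt-new-password-thrice { # 1: usage (passed to prompt-new-password); reads »$user« and sets »userPasswords[$user]«; returns 1 after three failed attempts`, or take the user as an explicit second parameter. Two smaller points: `echo "Retrying ($attempt/3):"` goes to stdout while the mismatch message in prompt-new-password uses `1>&2`, so `echo "Retrying ($attempt/3):" 1>&2` would be consistent; and because the assignment in `if userPasswords[$user]=$( … )` happens even when the command fails, a final failure leaves the entry set to an empty string rather than unset.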
|
||||
@ -67,16 +73,15 @@ function prompt-secret-as {( set -u # 1: what, 2: secretFile, 3?: owner[:[group]
|
||||
declare-flag install-system inspectScripts "" "When running installation hooks (»...*Commands« composed as Nix strings) print out and pause before each command. This works ... semi-well."
|
||||
|
||||
## Runs an installer hook script, optionally stepping through the script.
|
||||
function run-hook-script {( # 1: title, 2: scriptPath
|
||||
trap - EXIT # start with empty traps for sub-shell
|
||||
function run-hook-script { # 1: title, 2: scriptPath
|
||||
if [[ ${args[inspectScripts]:-} && "$(cat "$2")" != $'' ]] ; then
|
||||
echo "Running $1 commands. For each command printed, press Enter to continue or Ctrl+C to abort the installation:" 1>&2
|
||||
# (this does not help against intentionally malicious scripts, it's quite easy to trick this)
|
||||
BASH_PREV_COMMAND= ; set -o functrace ; trap 'if [[ $BASH_COMMAND != "$BASH_PREV_COMMAND" ]] ; then echo -n "> $BASH_COMMAND" >&2 ; read ; fi ; BASH_PREV_COMMAND=$BASH_COMMAND' debug
|
||||
fi
|
||||
set -e # The called script snippets should not rely on this, but neither should this function rely on the scripts correctly exiting on errors.
|
||||
source "$2"
|
||||
)}
|
||||
set +o functrace ; trap - debug
|
||||
}
|
||||
|
||||
## Lazily builds a nix derivation at run time, instead of when building the script.
|
||||
# When maybe-using packages that take long to build, instead of »at{some.package.out}«, use: »$( build-lazy at{some.package.drvPath!unsafeDiscardStringContext} out )«
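Review bot: Replacing `{( … )}` with `{ … }` makes `source "$2"` run in the installer's own shell, so two things that the subshell previously confined now leak to the caller: the unchanged `set -e` just above `source` stays enabled after the function returns, and any variable, `cd` or option change made by the hook script persists in the caller. If hooks are meant to mutate installer state, say so in the `## Runs an installer hook script …` doc line; otherwise the old isolation was cheap protection against hooks accidentally clobbering installer state. Note also that when the function is called as `run-hook-script … || exit` (as in the prepare-installer hunk), bash ignores `-e` inside the function body, so that `set -e` protects nothing in that call pattern and the outcome depends on the status of the hook's last command. Capturing the status of `source` and restoring the previous options after the cleanup keeps the caller's view the same as the old subshell version:
```shell
function run-hook-script { # 1: title, 2: scriptPath
    # … unchanged: inspectScripts prompt and debug-trap setup …
    local prevOpts=$- ; set -e # NOTE: ignored while this function runs in a »|| exit« list; restored below either way
    source "$2" ; local rv=$?
    set +o functrace ; trap - debug
    if [[ $prevOpts != *e* ]] ; then set +e ; fi
    return $rv
}
```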
|
||||
|