prepare host for nixos
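# Fetch the NixOS 20.03 minimal installer, verify it against the channel's
# published checksum, and boot it in QEMU against a local disk image.
ISO     := latest-nixos-minimal-x86_64-linux.iso
CHANNEL := https://channels.nixos.org/nixos-20.03

# A recipe that fails part-way (download interrupted, checksum mismatch)
# must not leave its target behind, or the next run would treat a broken
# or unverified ISO as up to date.
.DELETE_ON_ERROR:

# The .sha256 file names the versioned ISO; rewrite that name to the
# "latest" symlink name we downloaded so sha256sum -c finds the file.
$(ISO):
	wget $(CHANNEL)/$(ISO)
	curl -Ls $(CHANNEL)/$(ISO).sha256 \
	| grep -F .iso | head -n1 \
	| sed 's|nixos-minimal-.\+|$(ISO)|' \
	| sha256sum -c -

root.img:
	qemu-img create -f raw root.img 10G

# Boot the installer ISO with the disk image attached.
.PHONY: install
install: $(ISO) root.img
	qemu-system-x86_64 -cdrom ./$(ISO) -boot d -m 2048 -hda ./root.img

# Boot the installed system: no CD-ROM is attached here, so ask for the
# first hard disk (-boot c) rather than a CD (-boot d) that does not exist.
.PHONY: run
run: root.img
	qemu-system-x86_64 -boot c -m 2048 -hda ./root.img

# Serves the current directory (including root.img) on all interfaces.
.PHONY: serve
serve:
	python3 -mhttp.server

.PHONY: clean
clean:
	rm -f -- root.img $(ISO)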
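#!/usr/bin/env bash
# Partition an entire disk, set up a LUKS key partition plus a LUKS-wrapped
# btrfs root, and write an initial NixOS configuration under /mnt.
# Run as root from the NixOS installer environment; every step is
# destructive for the target disk.
set -e

# Target disk (bare name under /dev). Overridable through the DEV
# environment variable; defaults to the original hard-coded sda.
dev=${DEV:-sda}
# Firmware and boot filesystem; init() downgrades these to false/ext4 when
# no EFI support is detected.
efi=true
boot_fs=vfat
# NixOS release whose state format the generated configuration pins.
state_version=${STATE_VERSION:-20.03}
# Hardware profile imported by the generated hardware-configuration.nix;
# init() swaps it for the qemu-guest profile when running under QEMU.
profile="<nixpkgs/nixos/modules/installer/scan/not-detected.nix>"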
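#######################################
# Ask the operator for an explicit YES before the disk is touched.
# Arguments: the script's arguments; a "-f" anywhere skips the question,
#            so callers must forward "$@" for the flag to have any effect.
# Globals:   installs an EXIT trap that prints NOT OK on a non-zero exit
#            status and otherwise calls finish (defined in this script).
# Returns:   0 to continue; exits with 1 when the operator declines.
#######################################
prompt() {
  echo 'It is ok if it ends with OK'
  echo
  # $? is evaluated when the trap fires, hence the single quotes.
  trap '[ $? != 0 ] && echo NOT OK || finish' exit
  # "$*" joins all arguments into one word; "$@" would expand to several
  # words here and make [[ ]] fail with a syntax error.
  [[ "$*" == *"-f"* ]] || {
    echo 'This script prepares a machine for provision'
    echo 'And should be executed in the target environment'
    echo 'Please write uppercase YES to continue'
    echo 'Or Ctrl-C to exit'
    echo
    read -r yes
    [ "$yes" = "YES" ] || {
      echo 'Canceled'
      exit 1
    }
  }
}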
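#######################################
# Detect the environment and adjust the installer globals accordingly.
# Globals:   profile  (written: qemu-guest profile when every disk id
#                      under /dev/disk/by-id mentions qemu, or none exist)
#            efi      (written: false when no EFI firmware interface exists)
#            boot_fs  (written: ext4 when efi is set to false)
# Returns:   0
#######################################
init() {
  ## detecting profile
  local id
  local qemu_only=true
  # Any disk id that does not mention qemu means real (or non-QEMU) hardware.
  # An empty or missing directory keeps qemu_only=true, matching the old
  # "ls | grep -vi qemu" test, which also failed in that case.
  for id in /dev/disk/by-id/*; do
    [[ -e "$id" ]] || continue
    if [[ "${id##*/}" != *[qQ][eE][mM][uU]* ]]; then
      qemu_only=false
      break
    fi
  done
  if [[ "$qemu_only" == true ]]; then
    profile="<nixpkgs/nixos/modules/profiles/qemu-guest.nix>"
  fi
  ##
  ## detecting efi support
  # The kernel exposes /sys/firmware/efi only when booted via UEFI; this
  # does not depend on the efivar tool being installed.
  if [[ ! -d /sys/firmware/efi ]]; then
    efi=false
    boot_fs=ext4
  fi
}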
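#######################################
# Prepare for a fresh run: detect the environment, ask for confirmation and
# release anything a previous attempt may have left mounted or open.
# Arguments: the script's arguments, forwarded to prompt so that "-f"
#            (skip confirmation) actually reaches it.
# Returns:   0 (cleanup failures are expected on a first run and ignored)
#######################################
begin() {
  init
  prompt "$@"
  # Best-effort teardown of a previous attempt; nothing may be mounted yet.
  umount -R /mnt || true
  cryptsetup luksClose system || true
  cryptsetup luksClose key || true
}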
#######################################
# Print the post-run instructions (invoked from the EXIT trap on success).
# Outputs:   instructions to stdout
# Returns:   0
#######################################
finish() {
  cat <<'EOF'
OK

You could edit /mnt/etc/nixos/hardware-configuration.nix
You could edit /mnt/etc/nixos/configuration.nix

After that call nixos-install
You will be prompted for password at the end of the process

EOF
}
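#######################################
# Print the filesystem/LUKS UUID of a block device.
# Arguments: $1 - device path, e.g. /dev/sda2
# Outputs:   the UUID on stdout; empty when the device has none or is
#            unknown to blkid (the old perl rewrite echoed the whole blkid
#            line back in that case, which would end up in the Nix config).
# Returns:   blkid's exit status
#######################################
uuid_of() {
  blkid -s UUID -o value "$1"
}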
##
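begin "$@"
set -x

# Key material layout inside the key partition (partition 2, key_space MiB):
# the partition is itself a LUKS volume ("key"); the root volume's key is
# key_file_size bytes read from a random offset inside it, chosen so that
# offset + key size + LUKS header stays within the partition.
key_space=64
key_file_size=4096
key_file_luks_size=$((16 * 10 ** 6))
key_file_offset=$(shuf -i 0-$((key_space * 10 ** 6 - key_file_size - key_file_luks_size)) -n 1)

# Everything below is destructive: refuse a name that is not a block device.
if [[ ! -b "/dev/${dev}" ]]; then
  printf 'not a block device: /dev/%s\n' "$dev" >&2
  exit 1
fi
# Partition nodes carry a "p" separator when the disk name ends in a digit
# (nvme0n1p1, mmcblk0p1) and none otherwise (sda1, vda1).
part="/dev/${dev}"
if [[ "$dev" == *[0-9] ]]; then
  part="${part}p"
fi

if [ "$efi" = "true" ]; then
  # gdisk: zap the existing GPT (x z Y Y), then create a new table with
  # 500M EFI system partition, key_space MiB key partition, rest for system.
  printf 'x\nz\nY\nY\n' | gdisk "/dev/${dev}" > /dev/null
  printf 'o\nY\nn\n\n\n+500M\nef00\n\nn\n\n\n+%sM\n\nn\n\n\n\n\n\nw\nY\n' "$key_space" \
    | gdisk "/dev/${dev}" > /dev/null
  mkfs.vfat "${part}1"
else
  # Clear the MBR and any stale table, then lay out the same three
  # partitions with fdisk and mark partition 1 bootable.
  dd if=/dev/zero of="/dev/${dev}" bs=1M count=15 || true
  printf 'o\nn\np\n\n\n+500M\n\nn\np\n\n\n+%sM\n\nn\np\n\n\n\n\na\n1\nw\n' "$key_space" \
    | fdisk "/dev/${dev}" > /dev/null
  mkfs.ext4 -L boot "${part}1"
fi

# Fill the key partition with random data first; dd exits non-zero once the
# device is full, which is the expected end condition here.
dd if=/dev/urandom of="${part}2" || true
# Interactive: cryptsetup asks for the passphrase protecting the key volume.
cryptsetup luksFormat "${part}2"
cryptsetup luksOpen "${part}2" key
dd if=/dev/urandom of=/dev/mapper/key || true
cryptsetup -y luksFormat --key-file=/dev/mapper/key --keyfile-offset="$key_file_offset" --keyfile-size="$key_file_size" "${part}3"
cryptsetup luksOpen --key-file=/dev/mapper/key --keyfile-offset="$key_file_offset" --keyfile-size="$key_file_size" "${part}3" system
mkfs.btrfs -L system /dev/mapper/system
mount /dev/mapper/system /mnt
mkdir /mnt/boot
mount "${part}1" /mnt/boot
nixos-generate-config --root /mnt

# Bootstrap configuration: SSH with root password login is enabled so the
# freshly installed host can be reached for provisioning; tighten this
# (keys only, no root login) once the host is provisioned.
cat <<EOF > /mnt/etc/nixos/configuration.nix
{ config, pkgs, ... }:
{
  imports = [ ./hardware-configuration.nix ];
  services.openssh.enable = true;
  services.openssh.passwordAuthentication = true;
  services.openssh.permitRootLogin = "yes";
  system.stateVersion = "${state_version}";
}
EOF

# The partition UUIDs, key offset and firmware type are baked in here so the
# initrd can open "key" and then "system" without any prompts beyond the
# key-volume passphrase.
cat <<EOF > /mnt/etc/nixos/hardware-configuration.nix
{ config
, lib ? (import <nixpkgs> { }).lib
, pkgs ? (import <nixpkgs> { }).pkgs
, ... }: let
  systemPartition = "system";
in {
  imports = [ $profile ];
  boot = {
    loader = {
      grub.device = "/dev/${dev}";
      systemd-boot.enable = ${efi};
      efi.canTouchEfiVariables = ${efi};
    };
    initrd.luks.devices = {
      key = {
        name = "key";
        device = "/dev/disk/by-uuid/$(uuid_of "${part}2")";
      };
      system = {
        name = "system";
        device = "/dev/disk/by-uuid/$(uuid_of "${part}3")";
        keyFile = "/dev/mapper/key";
        keyFileSize = ${key_file_size};
        keyFileOffset = ${key_file_offset};
      };
    };
    initrd.postDeviceCommands = lib.mkAfter "cryptsetup luksClose key";
  };
  fileSystems."/" = {
    device = "/dev/mapper/system";
    fsType = "btrfs";
    options = ["noatime"];
  };
  fileSystems."/boot" = rec {
    device = "/dev/disk/by-uuid/$(uuid_of "${part}1")";
    fsType = "${boot_fs}";
  };
  powerManagement.cpuFreqGovernor = "ondemand";
}
EOF
set +x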