@exarkun
exarkun/build.sh (Secret gist)
Last active April 15, 2019 17:15

build.sh
#!/bin/bash
# -v: true if the variable is set (bash 4.2+; this script is not POSIX sh).
if [ -v NIXPKGS ]; then
    # Leave it alone. This is an aid to development for the case where you
    # may want to try out a different version of nixpkgs.
    :
else
    # Pin the revision of nixpkgs that we want to use. This effectively pins
    # the versions of all software on the system and of the sd-image building
    # tool. Ideally, this results in completely deterministic, repeatable
    # builds. Maybe in reality we at least get pretty close. This
    # essentially implements "upgrade when you upgrade" (replacing "upgrade
    # when you build").
    NIXPKGS="https://github.com/NixOS/nixpkgs/archive/f15bd3cca3c4dbc2d24f0bb74dda4a35eac11758.tar.gz"
fi
if [ ! -v ARCH ]; then
    ARCH="aarch64"
fi
# PRODUCTION unset means a staging build; any value at all selects production.
if [ ! -v PRODUCTION ]; then
    STAGING="true"
else
    STAGING="false"
fi
# Find the location of this script as a way to find the other build inputs we
# need. They live alongside this script. Quote "$0" so a checkout path with
# spaces does not split.
HERE=$(dirname "$0")
# Build nixos.
# Specifically the config.system.build.sdImage attribute of it.
# Use the nixpkgs we selected above.
# And supply the system configuration that lives alongside this script.
nix-build \
    --show-trace \
    -A config.system.build.sdImage \
    -I nixpkgs="${NIXPKGS}" \
    --arg staging "${STAGING}" \
    -I nixos-config="${HERE}"/sd-image-"${ARCH}".nix \
    '<nixpkgs/nixos>'
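The pin above names a commit, but `-I nixpkgs=https://.../<rev>.tar.gz` checks nothing about the bytes that actually arrive: the build trusts TLS and GitHub's archive service completely, and a different tarball served under that URL would be built without complaint. The Nix-native fix is `builtins.fetchTarball { url = ...; sha256 = ...; }`; the script below does the same thing at the shell level so the check is visible in build.sh itself. It is an added example, not code from exarkun's gist: the `NIXPKGS_SHA256` digest is a placeholder to be replaced with a value recorded once from a real download, and `RUN_BUILD`, `NIXPKGS_CACHE`, `verify_archive` and `pinned_nixpkgs` are names chosen here, not anything the gist defines.

```shell
#!/bin/sh
# Added example (not part of exarkun's gist): build.sh variant that pins
# nixpkgs by content hash as well as by commit id, and refuses to hand
# nix-build a tree whose archive does not match the recorded digest.
set -eu

# Revision from the original build.sh. The digest is a placeholder
# (assumption, not a real value): record the real one once with
#   curl -fsSL -o nixpkgs.tar.gz "$NIXPKGS_URL" && sha256sum nixpkgs.tar.gz
# and commit it next to this script.
NIXPKGS_REV="f15bd3cca3c4dbc2d24f0bb74dda4a35eac11758"
NIXPKGS_URL="https://github.com/NixOS/nixpkgs/archive/${NIXPKGS_REV}.tar.gz"
NIXPKGS_SHA256="${NIXPKGS_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# sha256_of FILE: print the hex digest of FILE (coreutils sha256sum, or
# shasum on systems without it).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_archive FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_archive() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# pinned_nixpkgs ARCHIVE EXPECTED DESTDIR: verify ARCHIVE, unpack it under
# DESTDIR and print the unpacked tree, which is what -I nixpkgs= should point
# at. A mismatching archive is never unpacked, so a tampered or substituted
# download cannot reach nix-build.
pinned_nixpkgs() {
    archive="$1"; expected="$2"; destdir="$3"
    if ! verify_archive "$archive" "$expected"; then
        echo "refusing $archive: sha256 does not match pinned $expected" >&2
        return 1
    fi
    mkdir -p "$destdir"
    tar -xzf "$archive" -C "$destdir"
    # GitHub archives unpack to a single nixpkgs-<rev>/ directory; read the
    # top-level name from the archive rather than assuming it.
    top=$(tar -tzf "$archive" | head -n 1 | cut -d/ -f1)
    echo "$destdir/$top"
}

# build: fetch the archive if it is not cached, verify it, then run the same
# nix-build as the original script against the verified local tree.
build() {
    here=$(dirname "$0")
    archive="${NIXPKGS_CACHE:-$here/nixpkgs-${NIXPKGS_REV}.tar.gz}"
    [ -f "$archive" ] || curl -fsSL -o "$archive" "$NIXPKGS_URL"
    nixpkgs=$(pinned_nixpkgs "$archive" "$NIXPKGS_SHA256" "$here/nixpkgs-src")
    nix-build --show-trace -A config.system.build.sdImage \
        -I nixpkgs="$nixpkgs" \
        --arg staging "${STAGING:-true}" \
        -I nixos-config="$here/sd-image-${ARCH:-aarch64}.nix" \
        '<nixpkgs/nixos>'
}

# Run the build only when asked (RUN_BUILD=1 ./build.sh), so the functions
# above can also be sourced and exercised without network access.
if [ "${RUN_BUILD:-0}" = "1" ]; then
    build
fi
```

Once the digest is recorded, a changed upstream archive fails at `verify_archive` before any Nix evaluation runs, which is the point: the commit id in the URL documents intent, the sha256 enforces it.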

miniconf.nix
{ pkgs, staging ? true, ... }: {
  networking.nftables.enable = true;
  networking.nftables.ruleset =
    let
      dns_servers = [
        "10.0.0.1"
      ];
      commas = xs: builtins.concatStringsSep ", " xs;
    in
      import ./nftables-rules.nix {
        inherit staging;
        storage_node_hosts_string = "";
        wormhole_relay_hosts_string = "";
        dns_servers_string = commas dns_servers;
      };
  # nftables is incompatible with the firewall service! NixOS asserts that
  # networking.nftables and the iptables-based networking.firewall are not
  # both enabled. With the firewall module off, nothing else installs a
  # default-deny policy: the ruleset above is the entire packet filter.
  networking.firewall.enable = false;
}

sd-image-x86_64.nix
# Cribbed from https://nixos.wiki/wiki/NixOS_on_ARM#Build_your_own_image
#
# On an x86_64-capable system, build with the build.sh in this directory
# (it selects this file as sd-image-${ARCH}.nix with ARCH=x86_64).
#
# See https://nixos.org/nixos/options.html for documentation of specific
# options being set here.
{ pkgs, ... }: {
  imports = [
    # This x86_64 image can't boot the RPi3. It serves as a decent test of
    # whether the config is valid, though. If it builds, the aarch64 image
    # will probably build. It's easier to build the x86_64 image locally so
    # this is helpful.
    #
    # This import gets us a definition for a bootable system image suitable to
    # be written to an sd card. The image includes everything we configure
    # below.
    <nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix>
    # All our system configuration comes from this.
    ./miniconf.nix
  ];
}