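#!/bin/bash
# Build a NixOS SD-card image from the system configuration that lives
# alongside this script.
#
# Environment knobs (all optional):
#   NIXPKGS     nixpkgs source to build against (URL or path). Defaults to
#               the pinned tarball below.
#   ARCH        target architecture; selects sd-image-${ARCH}.nix next to
#               this script. Defaults to "aarch64".
#   PRODUCTION  if set (to anything), build with staging=false; otherwise
#               staging=true.
#
# Exits non-zero if the selected configuration file does not exist or if
# nix-build fails.

# Fail on the first error, on use of an unset variable, and on a failure
# anywhere in a pipeline rather than silently continuing.
set -euo pipefail

if [ -v NIXPKGS ]; then
    # Leave it alone. This is an aid to development for the case where you
    # may want to try out a different version of nixpkgs.
    :
else
    # Pin the revision of nixpkgs that we want to use. This effectively pins
    # the versions of all software on the system and of the sd-image building
    # tool. Ideally, this results in completely deterministic, repeatable
    # builds. Maybe in reality we at least get pretty close. This
    # essentially implements "upgrade when you upgrade" (replacing "upgrade
    # when you build").
    #
    # Note that the pin is by commit only: it fixes *which* revision is
    # requested but nothing here verifies the bytes that actually come back
    # (no content hash is checked against the downloaded tarball). Pinning
    # with an integrity hash (e.g. builtins.fetchTarball with a sha256, or a
    # lock file) would close that gap; the expected hash is not recorded in
    # this script, so that is left as a follow-up.
    NIXPKGS="https://github.com/NixOS/nixpkgs/archive/f15bd3cca3c4dbc2d24f0bb74dda4a35eac11758.tar.gz"
fi

# "${VAR-default}" (no colon) substitutes only when VAR is unset, matching the
# original `[ ! -v ARCH ]` test: a set-but-empty ARCH is left as-is.
ARCH="${ARCH-aarch64}"

if [ ! -v PRODUCTION ]; then
    STAGING="true"
else
    STAGING="false"
fi

# Find the location of this script as a way to find the other build inputs we
# need. They live alongside this script. "$0" is quoted so a path containing
# whitespace does not get word-split.
HERE=$(dirname "$0")

# Resolve the per-architecture configuration up front so a typo in ARCH yields
# a clear message instead of a nix evaluation trace.
CONFIG="${HERE}/sd-image-${ARCH}.nix"
if [ ! -f "${CONFIG}" ]; then
    echo "No system configuration for ARCH=${ARCH}: ${CONFIG} not found" >&2
    exit 1
fi

# Build nixos.
# Specifically the config.system.build.sdImage attribute of it.
# Use the nixpkgs we selected above.
# And supply the system configuration that lives alongside this script.
nix-build \
    --show-trace \
    -A config.system.build.sdImage \
    -I nixpkgs="${NIXPKGS}" \
    --arg staging "${STAGING}" \
    -I nixos-config="${CONFIG}" \
    '<nixpkgs/nixos>'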
# NixOS module enabling nftables with a ruleset generated by
# ./nftables-rules.nix.
#
# NOTE(review): `staging` only takes a value other than its default if the
# module system is handed one (e.g. via _module.args / specialArgs); the
# `--arg staging` in build.sh is given to nix-build's top-level expression,
# not directly to this module — confirm it actually arrives here.
{ pkgs, staging ? true, ... }:
let
  # Resolvers handed to the ruleset, rendered as a comma-separated list.
  dns_servers = [
    "10.0.0.1"
  ];
  joinWithCommas = builtins.concatStringsSep ", ";
in
{
  networking = {
    nftables = {
      enable = true;
      # No storage-node or wormhole-relay hosts are configured by this
      # module, so those lists are passed empty.
      ruleset = import ./nftables-rules.nix {
        inherit staging;
        storage_node_hosts_string = "";
        wormhole_relay_hosts_string = "";
        dns_servers_string = joinWithCommas dns_servers;
      };
    };
    # nftables is incompatible with the firewall service!
    firewall.enable = false;
  };
}
# Cribbed from https://nixos.wiki/wiki/NixOS_on_ARM#Build_your_own_image
#
# On an x86_64-capable system, build with the build.sh in this directory.
#
# See https://nixos.org/nixos/options.html for documentation of specific
# options being set here.
{ pkgs, ... }:
let
  # This x86_64 image can't boot the RPi3. It serves as a decent test of
  # whether the config is valid, though. If it builds, the aarch64 image
  # will probably build. It's easier to build the x86_64 image locally so
  # this is helpful.
  #
  # This module gets us a definition for a bootable system image suitable to
  # be written to an sd card. The image includes everything configured by
  # the system configuration below.
  sdImageModule = <nixpkgs/nixos/modules/installer/cd-dvd/sd-image.nix>;

  # All our system configuration comes from this.
  systemConfiguration = ./miniconf.nix;
in
{
  imports = [ sdImageModule systemConfiguration ];
}