added stuff

nyx/modules/core/roles/iso/default.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ./image
+    ./system
+  ];
+
+  system.nixos.tags = ["iso-image"];
+}

nyx/modules/core/roles/iso/image/default.nix

@@ -0,0 +1,71 @@
+{
+  modulesPath,
+  self,
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib) mkImageMediaOverride;
+in {
+  imports = [
+    "${modulesPath}/installer/cd-dvd/iso-image.nix"
+
+    # make sure our installer can detect and interact with all hardware that is supported in Nixpkgs
+    # this loads basically every hardware related kernel module
+    "${modulesPath}/profiles/all-hardware.nix"
+  ];
+
+  # the ISO image must be completely immutable in the sense that we do not
+  # want the user to be able modify the ISO image after booting into it
+  # the below option will disable rebuild switches (i.e nixos-rebuild switch)
+  system.switch.enable = false;
+
+  isoImage = let
+    # hostname will be set as a "top-level" attribute in hosts.nix, per-host.
+    # therefore we can use the networking.hostName to get the hostname of the live
+    # system without defining it explicitly in the system-agnostic ISO role module
+    hostname = config.networking.hostName or "nixos";
+
+    # if the system is built from a git repository, we want to include the git revision
+    # in the ISO name. if the tree is dirty, we use the term "dirty" to make it explicit
+    rev = self.shortRev or "dirty";
+
+    # the format of the iso will always be uniform:
+    # $hostname-$release-$rev-$arch
+    # therefore we can set it once to avoid repetition later on
+    name = "${hostname}-${config.system.nixos.release}-${rev}-${pkgs.stdenv.hostPlatform.uname.processor}";
+  in {
+    # this will cause the resulting .iso file to be named as follows:
+    # $hostname-$release-$rev-$arch.iso
+    isoName = mkImageMediaOverride "${name}.iso";
+    # this will cause the label or volume ID of the generated ISO image to be as follows:
+    # $hostname-$release-$rev-$arch
+    # volumeID is used is used by stage 1 of the boot process, so it must be distintctive
+    volumeID = mkImageMediaOverride "${name}";
+
+    # maximum compression, in exchange for build speed
+    squashfsCompression = "zstd -Xcompression-level 10"; # default uses gzip
+
+    # ISO image should be an EFI-bootable volume
+    makeEfiBootable = true;
+
+    # ISO image should be bootable from USB
+    # FIXME: the module decription is as follows:
+    # "Whether the ISO image should be bootable from CD as well as USB."
+    # is this supposed to make the ISO image bootable from *CD* instead of USB?
+    makeUsbBootable = true;
+
+    # my module system already contains an option to add memtest86+
+    # to the boot menu at will but in case our system is unbootable
+    # lets include memtest86+ in the ISO image
+    # so that we may test the memory of the system
+    # exclusively from the ISO image
+    contents = [
+      {
+        source = pkgs.memtest86plus + "/memtest.bin";
+        target = "boot/memtest.bin";
+      }
+    ];
+  };
+}

nyx/modules/core/roles/iso/system/boot.nix

@@ -0,0 +1,37 @@
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
+in {
+  boot = {
+    # use the latest Linux kernel
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    # talk to me kernel
+    kernelParams = lib.mkAfter ["noquiet"];
+
+    # no need for systemd in the initrd stage on an installation media
+    # being put in to recovery mode, or having systemd in stage one is
+    # entirely pointless
+    initrd.systemd = {
+      enable = lib.mkImageMediaOverride false;
+      emergencyAccess = lib.mkImageMediaOverride true;
+    };
+
+    # Needed for https://github.com/NixOS/nixpkgs/issues/58959
+    # tl;dr: ZFS is problematic and we don't want it
+    supportedFilesystems = mkForce [
+      "btrfs"
+      "vfat"
+      "f2fs"
+      "xfs"
+      "ntfs"
+      "cifs"
+    ];
+
+    # disable software RAID
+    swraid.enable = mkForce false;
+  };
+}

nyx/modules/core/roles/iso/system/default.nix

@@ -0,0 +1,13 @@
+{
+  imports = [
+    ./misc
+    ./services
+
+    ./boot.nix
+    ./environment.nix
+    ./hardware.nix
+    ./networking.nix
+    ./nix.nix
+    ./users.nix
+  ];
+}

nyx/modules/core/roles/iso/system/environment.nix

@@ -0,0 +1,46 @@
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
+in {
+  environment = {
+    # our installer is a minimal, TUI-only environment. I don't find any
+    # good reason to keep X11 libs around while we will not be depending
+    # on any GUI frameworks.
+    noXlibs = true;
+
+    # 24.04 has brought in a stub-ld that will throw a warning if you try to run a
+    # dynamically linked binary. This is an installer, so we probably won't try to run
+    # dynamically linked binaries on this system. Besides, it's annoying.
+    stub-ld.enable = mkForce false;
+
+    # NixOS bundles a few packages by default
+    # it's not too large of a list, but I don't need it and I prefer
+    # my system containing only the packages I've declared.
+    defaultPackages = mkForce [];
+
+    # packages I might want on an installer environment
+    systemPackages = with pkgs; [
+      gitMinimal
+      curl
+      wget
+      pciutils
+      lshw
+      rsync
+      nixos-install-tools
+    ];
+
+    etc = {
+      # link a copy of our nixpkgs input as the nixpkgs channel
+      "nix/flake-channels/nixpkgs".source = inputs.nixpkgs;
+
+      # fix an annoying warning
+      "mdadm.conf".text = ''
+        MAILADDR root
+      '';
+    };
+  };
+}

nyx/modules/core/roles/iso/system/hardware.nix

@@ -0,0 +1,6 @@
+{
+  # provide all hardware drivers, including proprietary ones
+  hardware = {
+    enableRedistributableFirmware = true;
+  };
+}

nyx/modules/core/roles/iso/system/misc/console.nix

@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+  # console locale
+  console = let
+    variant = "u24n";
+  in {
+    # hidpi terminal font
+    font = "${pkgs.terminus_font}/share/consolefonts/ter-${variant}.psf.gz";
+    keyMap = "trq";
+  };
+}

nyx/modules/core/roles/iso/system/misc/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./console.nix
+    ./sound.nix
+  ];
+}

nyx/modules/core/roles/iso/system/misc/sound.nix

@@ -0,0 +1,4 @@
+{
+  # disable sound related programs
+  sound.enable = false;
+}

nyx/modules/core/roles/iso/system/networking.nix

@@ -0,0 +1,20 @@
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
+in {
+  networking.networkmanager = {
+    enable = true;
+    plugins = mkForce [];
+  };
+
+  networking.wireless.enable = mkForce false;
+
+  # Enable SSH in the boot process.
+  systemd.services.sshd.wantedBy = mkForce ["multi-user.target"];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRDg2lu1rXKP4OfyghP17ZVL2csnyJEJcy9Km3LQm4r notashelf@enyo"
+  ];
+}

nyx/modules/core/roles/iso/system/nix.nix

@@ -0,0 +1,12 @@
+{
+  nix = {
+    settings = {
+      experimental-features = ["nix-command" "flakes" "repl-flake"];
+      log-lines = 30;
+      warn-dirty = false;
+      http-connections = 50;
+      accept-flake-config = true;
+      auto-optimise-store = true;
+    };
+  };
+}

nyx/modules/core/roles/iso/system/security.nix

@@ -0,0 +1,11 @@
+{
+  # attempt to fix "too many open files"
+  security.pam.loginLimits = [
+    {
+      domain = "*";
+      item = "nofile";
+      type = "-";
+      value = "65536";
+    }
+  ];
+}

nyx/modules/core/roles/iso/system/services/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./openssh.nix
+  ];
+}

nyx/modules/core/roles/iso/system/services/openssh.nix

@@ -0,0 +1,88 @@
+{
+  # Hardened SSH configuration
+  services.openssh = {
+    extraConfig = ''
+      AllowTcpForwarding no
+      HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
+      PermitTunnel no
+    '';
+    settings = {
+      Ciphers = [
+        "aes256-gcm@openssh.com"
+        "aes256-ctr,aes192-ctr"
+        "aes128-ctr"
+        "aes128-gcm@openssh.com"
+        "chacha20-poly1305@openssh.com"
+      ];
+      KbdInteractiveAuthentication = false;
+      KexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+        "sntrup761x25519-sha512@openssh.com"
+      ];
+      Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+      ];
+      X11Forwarding = false;
+    };
+  };
+
+  # Client side SSH configuration
+  programs.ssh = {
+    ciphers = [
+      "aes256-gcm@openssh.com"
+      "aes256-ctr,aes192-ctr"
+      "aes128-ctr"
+      "aes128-gcm@openssh.com"
+      "chacha20-poly1305@openssh.com"
+    ];
+
+    hostKeyAlgorithms = [
+      "ssh-ed25519"
+      "ssh-ed25519-cert-v01@openssh.com"
+      "sk-ssh-ed25519@openssh.com"
+      "sk-ssh-ed25519-cert-v01@openssh.com"
+      "rsa-sha2-512"
+      "rsa-sha2-512-cert-v01@openssh.com"
+      "rsa-sha2-256"
+      "rsa-sha2-256-cert-v01@openssh.com"
+    ];
+
+    kexAlgorithms = [
+      "curve25519-sha256"
+      "curve25519-sha256@libssh.org"
+      "diffie-hellman-group16-sha512"
+      "diffie-hellman-group18-sha512"
+      "sntrup761x25519-sha512@openssh.com"
+    ];
+
+    knownHosts = {
+      github-rsa = {
+        hostNames = ["github.com"];
+        publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=";
+      };
+      github-ed25519 = {
+        hostNames = ["github.com"];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+      };
+      gitlab-rsa = {
+        hostNames = ["gitlab.com"];
+        publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9";
+      };
+      gitlab-ed25519 = {
+        hostNames = ["gitlab.com"];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+      };
+    };
+
+    macs = [
+      "hmac-sha2-512-etm@openssh.com"
+      "hmac-sha2-256-etm@openssh.com"
+      "umac-128-etm@openssh.com"
+    ];
+  };
+}

nyx/modules/core/roles/iso/system/users.nix

@@ -0,0 +1,11 @@
+{
+  users.extraUsers.root.password = "";
+
+  users.users.nixos = {
+    uid = 1000;
+    password = "nixos";
+    description = "default";
+    isNormalUser = true;
+    extraGroups = ["wheel"];
+  };
+}