BIOS boot, ESP sync, debug improvements

Author: Plopmenz

.github/workflows/installer.yml

@@ -43,7 +43,7 @@ jobs:
       - name: Add kexec installer to release
         uses: softprops/action-gh-release@v2
         with:
-          make_latest: false
+          prerelease: true
           files: ./result/xnodeos-kexec-installer-*.tar.gz
 
       # - name: Build iso installer
@@ -52,5 +52,5 @@ jobs:
       # - name: Add iso installer to release
       #   uses: softprops/action-gh-release@v2
       #   with:
-      #     make_latest: false
+      #     prerelease: true
       #     files: ./result/iso/xnodeos-iso-installer-*.iso

config/xnode-config/boot

@@ -0,0 +1 @@
+BIOS

install.sh

@@ -3,7 +3,13 @@
 set -e # Stop on error
 
 # Download and extract kexec archive
-curl -L "https://github.com/Openmesh-Network/xnodeos/releases/${VERSION:=latest}/download/xnodeos-kexec-installer-$(uname -m)-linux.tar.gz" | tar -xzf- -C /root
+if [[ $VERSION ]]; then
+    URL="https://github.com/Openmesh-Network/xnodeos/releases/download/${VERSION}/xnodeos-kexec-installer-$(uname -m)-linux.tar.gz"
+else
+    URL="https://github.com/Openmesh-Network/xnodeos/releases/latest/download/xnodeos-kexec-installer-$(uname -m)-linux.tar.gz"
+    export VERSION="latest"
+fi
+curl -L "$URL" | tar -xzf- -C /root
 
 # Boot into kexec
 /root/xnodeos/install

installer/config.nix

@@ -9,11 +9,6 @@
   config = {
     services.getty.greetingLine = ''<<< Welcome to Openmesh XnodeOS Installer ${config.system.nixos.label} (\m) - \l >>>'';
     services.getty.autologinUser = lib.mkForce "root";
-    users.users.root.shell = lib.getExe (
-      pkgs.writeShellScriptBin "install-xnodeos-progress" ''
-        ${config.systemd.package}/bin/journalctl -u install-xnodeos.service -f
-      ''
-    );
 
     nix =
       let
@@ -35,7 +30,7 @@
       };
 
     boot.initrd.systemd.enable = true;
-    environment.etc."pcrlock.d".source = "${pkgs.systemd}/lib/pcrlock.d";
+    environment.etc."pcrlock.d".source = "${config.systemd.package}/lib/pcrlock.d";
     environment.etc."xnodeos-config-cache".source =
       inputs.config.nixosConfigurations.xnode.config.system.build.toplevel;
     environment.etc."xnodeos-config-file".text = builtins.readFile ../config/flake.nix;
@@ -44,12 +39,6 @@
     services.resolved.enable = true;
     zramSwap.enable = true;
     services.dbus.implementation = "broker";
-    boot.swraid = {
-      enable = true;
-      mdadmConf = ''
-        MAILADDR samuel.mens@openmesh.network
-      '';
-    };
 
     systemd.services.install-xnodeos = {
       wantedBy = [ "multi-user.target" ];
@@ -116,13 +105,43 @@
           pkgs.gptfdisk
           pkgs.parted
           pkgs.dosfstools
-          # pkgs.mdadm
           pkgs.cryptsetup
           pkgs.btrfs-progs
         ];
       script = lib.readFile ./install.sh;
     };
 
+    systemd.paths.esp-sync = {
+      wantedBy = [ "multi-user.target" ];
+      description = "Watch for /mnt/boot changes";
+      pathConfig = {
+        PathModified = "/mnt/boot/";
+      };
+    };
+
+    systemd.services.esp-sync = {
+      description = "Sync /mnt/boot to all ESPs";
+      serviceConfig = {
+        KillMode = "none";
+      };
+      path = [
+        pkgs.util-linux
+        pkgs.rsync
+      ];
+      script = ''
+        for target in /mnt/boot*; do
+          [ "$target" = "/mnt/boot" ] && continue
+
+          if mountpoint -q "$target"; then
+            echo "Syncing /mnt/boot -> $target"
+            rsync -a --delete --inplace /mnt/boot/ "$target/"
+          else
+            echo "Skipping $target (not mounted)"
+          fi
+        done
+      '';
+    };
+
     system.stateVersion = config.system.nixos.release;
 
     # Reduce closure size (https://github.com/nix-community/nixos-images/blob/main/nix/noninteractive.nix)

installer/install.sh

@@ -33,6 +33,9 @@ sbctl enroll-keys || true
 # Detect if system contains TPM
 TPM=$(cat /sys/class/tpm/tpm0/tpm_version_major) || TPM=""
 
+# Detect if system is booted into UEFI or Legacy
+[ -d /sys/firmware/efi ] && BOOT="UEFI" || BOOT="BIOS"
+
 # Perform hardware scan
 nixos-facter -o /etc/nixos/xnode-config/hardware
 
@@ -41,13 +44,16 @@ cp /etc/xnodeos-config-file /etc/nixos/flake.nix
 cp /etc/xnodeos-config-lock /etc/nixos/flake.lock
 if [[ $VERSION == "latest" ]]; then
   # Remove version lock
-  sed -i -e "s|\"github:Openmesh-Network/xnodeos/[^\"]*\"|\"github:Openmesh-Network/xnodeos\"|g" ./config/flake.nix
+  sed -i -e "s|\"github:Openmesh-Network/xnodeos/[^\"]*\"|\"github:Openmesh-Network/xnodeos\"|g" /etc/nixos/flake.nix
 fi
 
 # Apply environmental variable configuration
 if [[ $TPM ]]; then
   echo -n "${TPM}" > /etc/nixos/xnode-config/tpm
 fi
+if [[ $BOOT ]]; then
+  echo -n "${BOOT}" > /etc/nixos/xnode-config/boot
+fi
 if [[ $OWNER ]]; then
   echo -n "${OWNER}" > /etc/nixos/xnode-config/owner
 fi
@@ -83,10 +89,15 @@ sleep 1 # /dev/disk/by-label/ROOT isn't available instantly
 mount --mkdir /dev/disk/by-label/ROOT /mnt
 btrfs subvolume create /mnt/root
 btrfs subvolume create /mnt/nix
+btrfs subvolume create /mnt/boot
 umount /mnt
 mount --mkdir -o lazytime,noatime,compress-force=zstd:1,subvol=root /dev/disk/by-label/ROOT /mnt
 mount --mkdir -o lazytime,noatime,compress-force=zstd:1,subvol=nix /dev/disk/by-label/ROOT /mnt/nix
-mount --mkdir -o umask=0077 /dev/md/BOOT /mnt/boot
+mount --mkdir -o lazytime,noatime,compress-force=zstd:1,subvol=boot /dev/disk/by-label/ROOT /mnt/boot
+for i in "${!DISKS[@]}"; do
+  mount --mkdir -o umask=0077 "/dev/disk/by-partlabel/disk-disk${i}-ESP" "/mnt/boot${i}"
+done
+systemctl restart esp-sync.path
 
 if [[ $TPM == "2" ]]; then
   # Define policy of allowed TPM2 values
@@ -132,4 +143,6 @@ EOL
 )"
 
 # Boot into new OS
-reboot
+if [ -z "$DEBUG" ]; then
+  reboot
+fi

installer/kexec.nix

@@ -71,6 +71,18 @@
       '';
     };
 
+    users.users.root.shell = lib.getExe (
+      pkgs.writeShellScriptBin "install-xnodeos-shell" ''
+        source /xnode-config/env || true
+
+        if [[ -n "$DEBUG" ]]; then
+          exec ${lib.getExe pkgs.bash}
+        else
+          exec ${config.systemd.package}/bin/journalctl -u install-xnodeos.service -f
+        fi
+      ''
+    );
+
     systemd.services.install-xnodeos.script = lib.mkBefore ''
       # Extract environmental variables
       source /xnode-config/env

nix/os/base.nix

@@ -1,13 +1,21 @@
 { inputs }:
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
   config = {
     boot.enableContainers = true; # Enable nixos containers
-    services.fwupd.enable = true; # Allow applications to update firmware
+    users.mutableUsers = false; # Prevent non-declarative users
+    users.allowNoPasswordLogin = true; # Allow a system without any users that can be logged into
+    services.getty.greetingLine = ''<<< Welcome to Openmesh XnodeOS ${config.system.nixos.label} (\m) - \l >>>''; # Change greeting to specify XnodeOS
     zramSwap.enable = true; # Compress memory
+    services.fwupd.enable = true; # Allow applications to update firmware
     services.dbus.implementation = "broker"; # High performance and reliability implementation of D-Bus
 
-    # Default limit easily exhausted
+    # Update limits
     boot.kernel.sysctl = {
       "fs.inotify.max_user_instances" = 2147483647;
       "net.core.rmem_max" = 16777216;
@@ -19,6 +27,7 @@
     systemd.services.nginx.serviceConfig.LimitNOFILE = 65536;
     systemd.services.dbus-broker.serviceConfig.LimitNOFILE = 65536;
 
+    # Nix config
     nix =
       let
         flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
@@ -46,10 +55,5 @@
           options = "--delete-old";
         };
       };
-
-    users.mutableUsers = false;
-    users.allowNoPasswordLogin = true;
-
-    services.getty.greetingLine = ''<<< Welcome to Openmesh XnodeOS ${config.system.nixos.label} (\m) - \l >>>'';
   };
 }