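{ lib, config, pkgs, self, ... }:

# NixOS profile for headless every.channel runners.
#
# Besides a conservative baseline (DHCP, sshd, flakes, bounded GC, volatile
# journal) it can optionally turn the real root filesystem into the read-only
# lower layer of a tmpfs-backed overlay, so that runtime mutations do not
# survive a reboot.

let
  cfg = config.services.every-channel.runner;

  # Stage-1 shell snippet that builds the overlay root.  It is inlined verbatim
  # into the stage-1 init script by `boot.initrd.postMountCommands`, which has
  # two consequences for how it is written:
  #   * it must not `exit` on the happy path -- that would terminate stage-1
  #     itself, not just this snippet;
  #   * it must not change shell options (`set -e` etc.) -- those would stay in
  #     effect for the rest of stage-1.
  # Failures are therefore reported through the function's return value.
  overlayRootScript = ''
    ec_overlay_root() {
      # If something else already overlaid the root (e.g. installer media), do
      # nothing.  /proc/mounts only lists /mnt-root as "overlay" when it is a
      # mount point, so no separate `mountpoint` check is needed.
      if grep -q " /mnt-root overlay " /proc/mounts; then
        return 0
      fi

      # Stage both layers in the initrd's own rootfs, *outside* /mnt-root:
      # `mount --move` rejects a target that lies inside the mount being moved
      # (ELOOP), so the real root cannot be moved to /mnt-root/.ec-overlay/ro.
      mkdir -p /ec-overlay/ro /ec-overlay/rw || return 1

      # Move the real root mount out of the way, then remount it read-only.
      mount --move /mnt-root /ec-overlay/ro || return 1
      mount -o remount,ro /ec-overlay/ro || return 1

      # Upper/work go on tmpfs so mutations disappear on reboot.
      mount -t tmpfs tmpfs /ec-overlay/rw -o mode=0755 || return 1
      mkdir -p /ec-overlay/rw/upper /ec-overlay/rw/work || return 1

      mount -t overlay overlay /mnt-root \
        -o lowerdir=/ec-overlay/ro,upperdir=/ec-overlay/rw/upper,workdir=/ec-overlay/rw/work \
        || return 1

      # Re-home both layers under the new root so they stay reachable from the
      # booted system; the initrd rootfs (and /ec-overlay with it) is discarded
      # at switch_root.  The mount-point directories are created on the overlay
      # and so land in the tmpfs upper layer -- nothing is written to the
      # persistent root.
      mkdir -p /mnt-root/.ec-overlay/ro /mnt-root/.ec-overlay/rw || return 1
      mount --move /ec-overlay/ro /mnt-root/.ec-overlay/ro || return 1
      mount --move /ec-overlay/rw /mnt-root/.ec-overlay/rw || return 1
    }

    if ! ec_overlay_root; then
      echo "every-channel: setting up the overlay root failed" >&2
      # A half-built overlay must not boot: a non-zero exit hands control to
      # stage-1's failure handling instead of continuing with a broken root.
      # NOTE(review): relies on stage-1 installing an exit trap -- confirm
      # against the stage-1 init script of the nixpkgs revision in use.
      exit 1
    fi
  '';
in
{
  options.services.every-channel.runner = {
    enable = lib.mkEnableOption "every.channel runner base system profile";

    overlayRoot = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          If enabled, mount the real root filesystem read-only and layer a tmpfs-backed
          overlayfs upperdir on top. This makes runtime mutations non-persistent while
          still allowing normal operation.

          The read-only real root and the tmpfs holding the upper/work directories
          remain mounted in the booted system at `/.ec-overlay/ro` and
          `/.ec-overlay/rw`.

          Note: for reliable in-place upgrades, mount `/boot` and `/nix` as separate
          persistent filesystems outside the overlay.

          This relies on `boot.initrd.postMountCommands`, which is only run by the
          script-based stage-1, not by `boot.initrd.systemd`.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.overlayRoot.enable -> !config.boot.initrd.systemd.enable;
        message = ''
          services.every-channel.runner.overlayRoot.enable requires the script-based
          initrd: boot.initrd.postMountCommands is not run when
          boot.initrd.systemd.enable is set.
        '';
      }
    ];

    # Minimal, conservative baseline for headless runners.
    networking.useDHCP = lib.mkDefault true;
    services.openssh.enable = lib.mkDefault true;

    # Keep Nix flakes available on the runner itself.
    nix.settings.experimental-features = lib.mkDefault [ "nix-command" "flakes" ];

    # Provide the flake source tree at a stable path (symlink into /nix/store).
    environment.etc."every-channel/flake".source = self;

    environment.systemPackages = with pkgs; [
      git
      jq
      curl
    ];

    # Appliance defaults: avoid persistence-by-accident in logs.  The journal
    # does not survive a reboot; forward it off-box if an audit trail is needed.
    services.journald.storage = lib.mkDefault "volatile";

    # GC defaults to keep store growth bounded on unattended boxes.
    nix.gc.automatic = lib.mkDefault true;
    nix.gc.dates = lib.mkDefault "weekly";
    nix.gc.options = lib.mkDefault "--delete-older-than 14d";
    boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;

    # overlayfs is needed in stage-1, before the real root is reachable.
    boot.initrd.kernelModules = lib.mkIf cfg.overlayRoot.enable [ "overlay" ];

    # Make the on-disk root read-only and provide a tmpfs-backed writable layer.
    # This runs after the real root has been mounted at /mnt-root by stage-1.
    boot.initrd.postMountCommands = lib.mkIf cfg.overlayRoot.enable overlayRootScript;
  };
}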