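{
  description = "The simple provisioning service";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-unstable";
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixos-generators, ... }:
    let
      # Version string is the flake's own modification date (YYYYMMDD); the
      # fallback keeps evaluation working for a dirty / unknown tree.
      lastModifiedDate = self.lastModifiedDate or self.lastModified or "19700101";
      version = builtins.substring 0 8 lastModifiedDate;

      supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
      nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });

      # Hyper-V Support: storage/bus modules the initrd needs to find its disks.
      hypervInitrdModules = [ "hv_vmbus" "hv_storvsc" ];

      # Options shared by the ISO and PXE boot environments. Keeping them in one
      # place avoids the two images drifting apart. Options that the imported
      # NixOS profiles also set (and therefore need mkForce in one of the two
      # images) stay in the per-format modules below.
      commonBootEnvModule = clientPackage: {
        boot.initrd.kernelModules = hypervInitrdModules;

        # Disable unneeded features
        fonts.fontconfig.enable = false;
        services.udisks2.enable = false;

        # Technically we COULD use the firewall, but given that this is a
        # network-dependent, one-time-use service, it would cause more issues.
        # Consequence: the image relies on the provisioning network itself
        # being isolated rather than on host filtering.
        networking.firewall.enable = false;

        # The client is started from the root login shell via /etc/profile.local.
        environment.systemPackages = [ clientPackage ];
        environment.etc."profile.local".text = ''
          client
        '';
      };
    in
    {
      packages = forAllSystems (system:
        let
          pkgs = nixpkgsFor.${system};

          # vendorHash = null: the Go module has no vendored dependencies to pin.
          clientPackage = pkgs.buildGoModule {
            pname = "client";
            inherit version;
            src = ./client;
            vendorHash = null;
          };

          commonModule = commonBootEnvModule clientPackage;
        in
        {
          default = clientPackage;

          # Bootable ISO (e.g. for a VM CD-ROM) running the client as root.
          boot-env-iso = nixos-generators.nixosGenerate {
            inherit system;
            format = "iso";
            modules = [
              commonModule
              ({ modulesPath, ... }: {
                imports = [
                  (modulesPath + "/profiles/minimal.nix")
                  (modulesPath + "/profiles/base.nix")
                ];
                system.stateVersion = "25.05";
                documentation.enable = false;
                services.getty.autologinUser = "root";
                # Fast, low-ratio compression: build time matters more than size here.
                isoImage.squashfsCompression = "gzip -Xcompression-level 1";
              })
            ];
          };

          # PXE artifacts: kernel, initrd and an iPXE script referring to both.
          boot-env-pxe =
            let
              systemConfig = nixpkgs.lib.nixosSystem {
                inherit system;
                modules = [
                  commonModule
                  ({ modulesPath, ... }: {
                    imports = [ (modulesPath + "/installer/netboot/netboot-minimal.nix") ];
                    system.stateVersion = "25.05";
                    # mkForce: the imported netboot profile appears to set these
                    # options as well (that is why the original needed mkForce
                    # here but not in the ISO) -- confirm before removing.
                    documentation.enable = nixpkgs.lib.mkForce false;
                    documentation.nixos.enable = nixpkgs.lib.mkForce false;
                    services.getty.helpLine = nixpkgs.lib.mkForce "";
                    services.getty.autologinUser = nixpkgs.lib.mkForce "root";
                    # Single-purpose root shell: no passwords, no sudo, no nix
                    # daemon -- nothing else is meant to run in this image.
                    users.allowNoPasswordLogin = true;
                    users.mutableUsers = false;
                    security.sudo.enable = false;
                    nix.enable = false;
                  })
                ];
              };
            in
            pkgs.stdenv.mkDerivation {
              name = "boot-env-pxe";
              buildCommand = ''
                mkdir -p $out
                cp -r ${systemConfig.config.system.build.kernel}/bzImage $out/kernel
                cp -r ${systemConfig.config.system.build.netbootRamdisk} $out/initrd
                # The heredoc delimiter is quoted so that the iPXE variable
                # ''${cmdline} reaches boot.ipxe literally; with an unquoted
                # delimiter the build shell would expand it to an empty string.
                # Nix interpolations are substituted before the shell runs and
                # are unaffected. (The "<<'EOF' >" redirection was reconstructed:
                # the published text had lost it and read "cat < $out/boot.ipxe".)
                cat <<'EOF' > $out/boot.ipxe
                #!ipxe
                imgfree
                kernel http://127.0.0.1:8081/kernel init=${systemConfig.config.system.build.toplevel}/init initrd=initrd ${toString systemConfig.config.boot.kernelParams} ''${cmdline}
                initrd http://127.0.0.1:8081/initrd
                boot
                EOF
              '';
            };
        });

      apps = forAllSystems (system:
        let
          # NOTE(review): intentionally pinned to x86_64-linux regardless of
          # `system`, because the app drives qemu-system-x86_64 and the ISO it
          # boots; on an aarch64 host this is presumably not native -- confirm.
          pkgs = nixpkgsFor.x86_64-linux;
          iso = self.packages.x86_64-linux.boot-env-iso;
        in
        {
          test-iso-x86_64 = {
            type = "app";
            # Host port 8080 is forwarded to guest port 8080 (presumably the
            # client's listener -- verify against the client).
            program = "${pkgs.writeScriptBin "test-iso" ''
              #!/bin/sh
              ${pkgs.qemu}/bin/qemu-system-x86_64 -cdrom ${iso}/iso/*.iso -m 1G \
                -net nic,model=rtl8139 -net user,hostfwd=tcp::8080-:8080
            ''}/bin/test-iso";
          };
        });

      devShells = forAllSystems (system:
        let pkgs = nixpkgsFor.${system};
        in
        {
          default = pkgs.mkShell {
            # fortify is disabled for the dev shell only (commonly needed when
            # debugging Go/cgo builds with delve); image builds are unaffected.
            hardeningDisable = [ "fortify" ];
            buildInputs = [
              pkgs.bashInteractive
              pkgs.go
              pkgs.delve
              pkgs.qemu_kvm
            ];
          };
        });
    };
}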