build: create tb14 target

- increased GitHub Action swap
- tweaked disko config
- created tb14 targets (TODO: refactor later)

.github/workflows/buildiso.yaml

@@ -41,7 +41,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        target: ["imgs.x1c7", "imgs.deck"]
+        target: ["imgs.x1c7", "imgs.deck", "imgs.tb14" ]
         # GitHub Action may not have enough space to build the deck image.
         # target: ["imgs.x1c7"]
 
@@ -52,7 +52,7 @@ jobs:
       with:
         # Reserved for /tmp
         root-reserve-mb: 20480
-        swap-size-mb: 1024
+        swap-size-mb: 4096
         temp-reserve-mb: 100
         build-mount-path: '/nix'
         build-mount-path-ownership: 'root:root'

cfgs/deck/default.nix

@@ -62,7 +62,6 @@
       # We are auto login user.
       security.sudo.wheelNeedsPassword = lib.mkForce true;
 
-      my.disko.enable = true;
       my.gnome-desktop = {
         enable = true;
         enableDisplayManager = false;

cfgs/img-deck/default.nix

@@ -123,7 +123,6 @@ with lib;
       enable = true;
     };
 
-    disko.devices = (import ./../../modules/disko/disk.nix { });
     # This is a LiveCD, please don't enable disk config in NixOS.
     disko.enableConfig = false;
 

cfgs/img-tb14/default.nix

@@ -0,0 +1,150 @@
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+{
+  imports = [
+    ./networking.nix
+  ];
+
+  config = {
+    # To fix home-manager issue
+    # https://github.com/nix-community/home-manager/blob/master/modules/misc/version.nix
+    system.stateVersion = "24.11";
+
+    boot.kernelPackages = pkgs.linuxPackages_latest;
+
+    # This is a dummy key in ISO image, we shall not worry about its security.
+    # Agenix breaks in LiveCD due to https://github.com/ryantm/agenix/issues/165.
+    age.identityPaths = [
+      (pkgs.writeText "img_key_ed25519" (builtins.readFile ../../secrets/raw/img_key_ed25519))
+    ];
+
+    # GPG agent that makes GPG work in LiveCD.
+    programs.gnupg.agent.enable = true;
+
+    # ZFS is currently broken on the latest kernel. Since we don't use it, it's fine to disable it.
+    boot.supportedFilesystems = lib.mkForce [
+      "btrfs"
+      "reiserfs"
+      "vfat"
+      "f2fs"
+      "xfs"
+      "ntfs"
+      "cifs"
+    ];
+
+    # Set internationalisation properties.
+    console = {
+      font = "Lat2-Terminus16";
+      useXkbConfig = true;
+    };
+    i18n = {
+      defaultLocale = "en_US.UTF-8";
+      inputMethod = {
+        enable = true;
+        type = "ibus";
+        ibus.engines = with pkgs.ibus-engines; [
+          libpinyin
+          typing-booster
+        ];
+      };
+    };
+
+    # Fonts
+    fonts.packages = with pkgs; [
+      noto-fonts
+      noto-fonts-cjk-sans
+      noto-fonts-emoji
+      fira-code
+      fira-code-symbols
+      nerd-fonts.fira-code
+    ];
+
+    isoImage.edition = "gnome";
+
+    # Whitelist wheel users to do anything
+    # This is useful for things like pkexec
+    #
+    # WARNING: this is dangerous for systems
+    # outside the installation-cd and shouldn't
+    # be used anywhere else.
+    security.polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (subject.isInGroup("wheel")) {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+
+    networking.wireless.enable = mkForce false;
+
+    services.xserver.displayManager = {
+      gdm = {
+        # autoSuspend makes the machine automatically suspend after inactivity.
+        # It's possible someone could/try to ssh'd into the machine and obviously
+        # have issues because it's inactive.
+        # See:
+        # * https://github.com/NixOS/nixpkgs/pull/63790
+        # * https://gitlab.gnome.org/GNOME/gnome-control-center/issues/22
+        autoSuspend = false;
+      };
+    };
+    services.displayManager.autoLogin = {
+      enable = true;
+      user = "nixos";
+    };
+
+    my.gnome-desktop = {
+      enable = true;
+      extraExcludePackages = [ pkgs.orca ];
+    };
+    my.base = {
+      enable = true;
+      hostname = "img";
+    };
+    my.home.nixos = {
+      extraPackages = with pkgs; [
+        firefox-wayland
+        htop
+        dnsutils
+        smartmontools
+      ];
+      extraDconf =
+        let
+          hm = inputs.home-manager.lib.hm;
+        in
+        {
+          "org/gnome/desktop/interface"."scaling-factor" = hm.gvariant.mkUint32 2;
+        };
+    };
+
+    # This is a LiveCD, please don't enable disk config in NixOS.
+    disko.enableConfig = false;
+
+    environment.systemPackages =
+      with pkgs;
+      let
+        create-disko-pkg =
+          name: path:
+          (runCommandLocal "disko-${name}" { } ''
+            mkdir -p $out/bin
+            install ${path} $out/bin/disko-${name}
+          '');
+      in
+      [
+        (writeShellScriptBin "install-script" (builtins.readFile ./install.sh))
+
+        (create-disko-pkg "main" config.system.build.diskoScript)
+        (create-disko-pkg "format" config.system.build.formatScript)
+        (create-disko-pkg "mount" config.system.build.mountScript)
+      ];
+
+    users.users.nixos.shell = pkgs.zsh;
+    programs.zsh.enable = true;
+  };
+}

cfgs/img-tb14/install.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+MOUNTPOINT="/mnt"
+
+set -e
+
+sudo -u nixos git clone https://github.com/LEXUGE/flake
+
+# Create secureboot keys
+mkdir -p /etc/secureboot/keys/db
+
+# start using user "nixos" is necessary, otherwise pinetry cannot work
+# we cannot directly output the decrypted files to /etc due to permission issue
+sudo -u nixos gpg -o db.pem -d flake/secrets/raw/db.pem.asc
+sudo -u nixos gpg -o db.key -d flake/secrets/raw/db.key.asc
+
+mv db.pem /etc/secureboot/keys/db/db.pem
+mv db.key /etc/secureboot/keys/db/db.key
+
+chmod 400 /etc/secureboot
+
+disko-main
+
+mkdir -p ${MOUNTPOINT}/persist/secrets/
+
+sudo -u nixos gpg -o ash_ed25519 -d flake/secrets/raw/ash_ed25519.asc
+mv ash_ed25519 "${MOUNTPOINT}"/persist/secrets/
+
+# secrets folder not be accessible by anybody
+chmod 700 "${MOUNTPOINT}"/persist/secrets/
+
+nixos-install --flake "./flake#tb14" --no-root-passwd --no-channel-copy

cfgs/img-tb14/networking.nix

@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+{
+  # Use local DNS server all the time
+  networking.resolvconf.useLocalResolver = true;
+
+  networking.networkmanager = {
+    # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
+    enable = true;
+    # Don't use DNS advertised by connected network. Use local configuration
+    dns = "none";
+    # Use the random MAC Address when scan
+    wifi.scanRandMacAddress = true;
+  };
+
+  # Setup our local DNS
+  my.dcompass = {
+    enable = true;
+    package = pkgs.dcompass.dcompass-maxmind;
+    settings = (import ../../misc/dcompass_settings.nix { inherit pkgs; });
+  };
+}

cfgs/img-x1c7/default.nix

@@ -123,7 +123,6 @@ with lib;
         };
     };
 
-    disko.devices = (import ./../../modules/disko/disk.nix { });
     # This is a LiveCD, please don't enable disk config in NixOS.
     disko.enableConfig = false;
 

cfgs/tb14/boot.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  my.lanzaboote.enable = true;
+
+  # Clean tmp folder which is a btrfs subvol
+  boot.tmp.cleanOnBoot = true;
+
+  # Create root on tmpfs
+  fileSystems."/" = {
+    fsType = "tmpfs";
+    options = [
+      "defaults"
+      "size=2G"
+      "mode=755"
+    ];
+  };
+
+  fileSystems."/persist".neededForBoot = true;
+
+  # LUKS device registration and swap registration are already handled by disko
+  # fallBackToPassword is implied by systemd-initrd
+  boot.initrd.luks.devices."cryptroot" = {
+    # keyFile = "/keyfile.bin";
+    allowDiscards = true;
+    # fallbackToPassword = true;
+  };
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+}