Add a host for testing i_only_boot_zfs.

nix/configuration/configuration.nix

@@ -23,6 +23,7 @@
     ./roles/distributed_build
     ./roles/doas
     ./roles/docker
+    ./roles/dont_use_substituters
     ./roles/ecc
     ./roles/emacs
     ./roles/emulate_isa
@@ -105,13 +106,10 @@
     hardware.enableRedistributableFirmware = true;
 
     # Keep outputs so we can build offline.
-    # Disable substituters to avoid risk of cache poisoning.
     nix.extraOptions = ''
       keep-outputs = true
       keep-derivations = true
-      substitute = false
     '';
-    nix.settings.substituters = lib.mkForce [ ];
 
     # Automatic garbage collection
     nix.gc = lib.mkIf (!config.me.buildingPortable) {

nix/configuration/flake.nix

@@ -53,6 +53,9 @@
         recovery = {
           system = "x86_64-linux";
         };
+        i_only_boot_zfs = {
+          system = "x86_64-linux";
+        };
       };
       nixosConfigs = builtins.mapAttrs (
         hostname: nodeConfig: format:

nix/configuration/formats/iso.nix

@@ -13,6 +13,9 @@
     isoImage.makeEfiBootable = true;
     isoImage.makeUsbBootable = true;
 
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
     me.buildingPortable = true;
     me.disko.enable = true;
     me.disko.offline.enable = true;

nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=i_only_boot_zfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=i_only_boot_zfs
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/ISO

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : "${JOBS:="1"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#iso.ionlybootzfs" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json

nix/configuration/hosts/i_only_boot_zfs/default.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wrapped-disk-config.nix
+    ./distributed_build.nix
+    ./power_management.nix
+  ];
+
+  config = {
+    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+    networking.hostId = "6a05d86e";
+
+    networking.hostName = "i_only_boot_zfs"; # Define your hostname.
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+
+    # Toggle to start writing the extlinux config which will be used by zfsbootmenu
+    # boot.loader.generic-extlinux-compatible.enable = true;
+    # boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    me.optimizations = {
+      # enable = true;
+      arch = "kabylake";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-kabylake"
+        "gccarch-x86-64-v3"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Early KMS
+    # boot.initrd.kernelModules = [ "amdgpu" ];
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # Even when installed, we want to dhcp because this is for a VM.
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+  };
+}

nix/configuration/hosts/i_only_boot_zfs/disk-config.nix

@@ -65,8 +65,8 @@
             type = "zfs_fs";
             options.mountpoint = "none";
             options = {
-              encryption = "aes-256-gcm";
+              # encryption = "aes-256-gcm";
-              keyformat = "passphrase";
+              # keyformat = "passphrase";
               # keylocation = "file:///tmp/secret.key";
             };
           };
@@ -138,5 +138,5 @@
   ];
 
   # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
-  boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
+  # boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
 }

nix/configuration/hosts/i_only_boot_zfs/distributed_build.nix

@@ -0,0 +1,19 @@
+{
+  imports = [ ];
+
+  config = {
+    me.distributed_build.enable = true;
+    me.distributed_build.machines.hydra = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+    me.distributed_build.machines.quark = {
+      enable = true;
+      additional_config = {
+        speedFactor = 2;
+      };
+    };
+  };
+}

nix/configuration/hosts/i_only_boot_zfs/hardware-configuration.nix

@@ -1,4 +1,5 @@
 {
+  config,
   lib,
   modulesPath,
   ...
@@ -11,12 +12,9 @@
 
   config = {
     boot.initrd.availableKernelModules = [
-      "xhci_pci"
       "nvme"
-      "usbhid"
+      "xhci_pci"
-      "usb_storage"
+      "thunderbolt"
-      "sd_mod"
-      "sdhci_pci"
     ];
     boot.initrd.kernelModules = [ ];
     boot.kernelModules = [ ];
@@ -26,10 +24,11 @@
     # (the default) this is the recommended approach. When using systemd-networkd it's
     # still possible to use this option, but it's recommended to use it in conjunction
     # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-    networking.dhcpcd.enable = lib.mkForce true;
+    # networking.useDHCP = lib.mkDefault true;
-    networking.useDHCP = lib.mkForce true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-    # systemd.network.enable = true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
 
     nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   };
 }

nix/configuration/hosts/i_only_boot_zfs/power_management.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      powertop
+    ];
+
+    # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
+    # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
+    boot.kernelParams = [
+      "pcie_aspm=force"
+      # "pcie_aspm.policy=powersupersave"
+      "nowatchdog"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "w- /sys/firmware/acpi/platform_profile - - - - low-power"
+      "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
+      "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
+      "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
+    ];
+
+    boot.extraModprobeConfig = ''
+      # Sound power-saving was causing chat notifications to be inaudible.
+      # options snd_hda_intel power_save=1
+    '';
+  };
+}

nix/configuration/hosts/i_only_boot_zfs/wrapped-disk-config.nix

@@ -0,0 +1,7 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

nix/configuration/hosts/ionlybootzfs/DEPLOY_BOOT

@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-#
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-: "${JOBS:="1"}"
-
-#TARGET=10.216.1.14
-# TARGET=192.168.211.250
-TARGET="ionlybootzfs"
-
-for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-
-nixos-rebuild boot --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
-
-# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#ionlybootzfs'

nix/configuration/hosts/ionlybootzfs/DEPLOY_SWITCH

@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-#
-set -euo pipefail
-IFS=$'\n\t'
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-: "${JOBS:="1"}"
-
-#TARGET=10.216.1.14
-# TARGET=192.168.211.250
-TARGET=ionlybootzfs
-
-for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
-
-nixos-rebuild switch --flake "$DIR/../../#ionlybootzfs" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
-
-# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#ionlybootzfs'

nix/configuration/hosts/ionlybootzfs/default.nix

@@ -1,74 +0,0 @@
-#
-# Testing:
-# doas "$(nix-build '<nixpkgs>' --no-out-link -A 'qemu')/bin/qemu-system-x86_64" \
-#      -accel kvm \
-#      -cpu host \
-#      -smp cores=8 \
-#      -m 32768 \
-#      -drive "file=$(nix-build '<nixpkgs>' --no-out-link -A 'OVMF.fd')/FV/OVMF.fd,if=pflash,format=raw,readonly=on" \
-#      -drive file=/tmp/localdisk.img,if=none,id=nvm,format=raw \
-#      -device nvme,serial=deadbeef,drive=nvm \
-#      -nic user,hostfwd=tcp::60022-:22 \
-#      -boot order=d \
-#      -cdrom "$(readlink -f /persist/machine_setup/nix/configuration/result/iso/nixos*.iso)" \
-#      -display vnc=127.0.0.1:0
-#
-
-{
-  imports = [
-    ./wrapped-disk-config.nix
-    ./hardware-configuration.nix
-  ];
-
-  config = {
-    # Generate with `head -c4 /dev/urandom | od -A none -t x4`
-    networking.hostId = "fbd233d8";
-
-    networking.hostName = "ionlybootzfs"; # Define your hostname.
-
-    time.timeZone = "America/New_York";
-    i18n.defaultLocale = "en_US.UTF-8";
-
-    me.boot.secure = true;
-    me.mountPersistence = true;
-
-    me.optimizations = {
-      enable = false;
-      arch = "znver4";
-      system_features = [
-        "gccarch-znver4"
-        "gccarch-skylake"
-        "gccarch-kabylake"
-        # "gccarch-alderlake" missing WAITPKG
-        "gccarch-x86-64-v3"
-        "gccarch-x86-64-v4"
-        "benchmark"
-        "big-parallel"
-        "kvm"
-        "nixos-test"
-      ];
-    };
-
-    # Mount tmpfs at /tmp
-    boot.tmp.useTmpfs = true;
-
-    me.base.enable = true;
-    me.boot.enable = true;
-    me.doas.enable = true;
-    me.emacs_flavor = "plainmacs";
-    me.firewall.enable = true;
-    me.font.enable = true;
-    me.git.enable = true;
-    me.graphical = false;
-    me.memtest.enable = true;
-    me.network.enable = true;
-    me.nvme.enable = true;
-    me.ssh.enable = true;
-    me.sshd.enable = true;
-    me.user.enable = true;
-    me.wireguard.activated = [ ];
-    me.wireguard.deactivated = [ ];
-    me.zfs.enable = true;
-    me.zsh.enable = true;
-  };
-}

nix/configuration/hosts/ionlybootzfs/optimized_build.nix

@@ -1,132 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  pkgs-unoptimized,
-  ...
-}:
-{
-  imports = [ ];
-
-  config = lib.mkMerge [
-    { }
-    (lib.mkIf (!config.me.optimizations.enable) {
-      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_14;
-    })
-    (lib.mkIf (config.me.optimizations.enable) {
-      nixpkgs.hostPlatform = {
-        gcc.arch = "znver4";
-        gcc.tune = "znver4";
-        system = "x86_64-linux";
-      };
-
-      nixpkgs.overlays = [
-        (
-          final: prev:
-          let
-            addConfig =
-              additionalConfig: pkg:
-              pkg.override (oldconfig: {
-                structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
-              });
-          in
-          {
-            linux_me = addConfig {
-              # Full preemption
-              PREEMPT = lib.mkOverride 60 lib.kernel.yes;
-              PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
-
-              # Google's BBRv3 TCP congestion Control
-              TCP_CONG_BBR = lib.kernel.yes;
-              DEFAULT_BBR = lib.kernel.yes;
-
-              # Preemptive Full Tickless Kernel at 300Hz
-              HZ = lib.kernel.freeform "300";
-              HZ_300 = lib.kernel.yes;
-              HZ_1000 = lib.kernel.no;
-            } prev.linux_6_14;
-            # gsl = prev.gsl.overrideAttrs (old: {
-            #   # gsl tests fails when optimizations are enabled.
-            #   # > FAIL: cholesky_invert unscaled hilbert (  4,  4)[0,2]: 2.55795384873636067e-13                        0
-            #   # >  (2.55795384873636067e-13 observed vs 0 expected) [28259614]
-            #   doCheck = false;
-            # });
-          }
-        )
-        (final: prev: {
-          haskellPackages = prev.haskellPackages.extend (
-            final': prev': {
-              inherit (pkgs-unoptimized.haskellPackages)
-                crypton
-                crypton-connection
-                crypton-x509
-                crypton-x509-store
-                crypton-x509-system
-                crypton-x509-validation
-                hspec-wai
-                http-client-tls
-                http2
-                pandoc
-                pandoc-cli
-                pandoc-lua-engine
-                pandoc-server
-                servant-server
-                tls
-                wai-app-static
-                wai-extra
-                warp
-                ;
-            }
-          );
-        })
-        (final: prev: {
-          inherit (pkgs-unoptimized)
-            gsl
-            redis
-            valkey
-            ;
-        })
-      ];
-
-      boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
-    })
-    (lib.mkIf (!config.me.buildingIso) {
-      nix.settings.system-features = lib.mkForce [
-        "gccarch-znver4"
-        "gccarch-skylake"
-        "gccarch-kabylake"
-        # "gccarch-alderlake" missing WAITPKG
-        "gccarch-x86-64-v3"
-        "gccarch-x86-64-v4"
-        "benchmark"
-        "big-parallel"
-        "kvm"
-        "nixos-test"
-      ];
-
-      # Keep ALL dependencies so we can rebuild offline. This DRASTICALLY increase disk usage, but disk space is cheap.
-      # system.includeBuildDependencies = true;
-
-      # This also should enable building offline? TODO: test.
-      nix.extraOptions = ''
-        keep-outputs = true
-        keep-derivations = true
-      '';
-
-      # # building ON
-      # nixpkgs.localSystem = { system = "aarch64-linux"; };
-      # # building FOR
-      # nixpkgs.crossSystem = { system = "aarch64-linux"; };
-
-      # nixpkgs.config = {
-      #   replaceStdenv = ({ pkgs }: pkgs.clangStdenv);
-      # };
-      # or maybe an overlay
-      # stdenv = prev.clangStdenv;
-
-    })
-    (lib.mkIf (config.me.buildingIso) {
-      boot.supportedFilesystems.zfs = true;
-    })
-  ];
-}

nix/configuration/hosts/ionlybootzfs/wrapped-disk-config.nix

@@ -1,7 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-
-lib.mkIf (!config.me.buildingIso) (import ./disk-config.nix)

nix/configuration/hosts/odo/default.nix

@@ -76,6 +76,7 @@
     me.direnv.enable = true;
     me.doas.enable = true;
     me.docker.enable = false;
+    me.dont_use_substituters.enable = true;
     me.ecc.enable = false;
     me.emacs_flavor = "full";
     me.emulate_isa.enable = true;

nix/configuration/hosts/quark/default.nix

@@ -70,6 +70,7 @@
     me.direnv.enable = true;
     me.doas.enable = true;
     me.docker.enable = false;
+    me.dont_use_substituters.enable = true;
     me.ecc.enable = true;
     me.emacs_flavor = "full";
     me.emulate_isa.enable = true;

nix/configuration/hosts/recovery/default.nix

@@ -49,6 +49,7 @@
     # services.fstrim.enable = lib.mkDefault true;
 
     me.build_in_ram.enable = true;
+    me.dont_use_substituters.enable = true;
     me.minimal_base.enable = true;
     me.recovery.enable = true;
   };

nix/configuration/roles/base/default.nix

@@ -49,7 +49,6 @@ in
       nix-tree
       libarchive # bsdtar
       lsof
-      doas-sudo-shim # To support --sudo for remote builds
       dmidecode # Read SMBIOS information.
       ipcalc
       gptfdisk # for cgdisk

nix/configuration/roles/boot/default.nix

@@ -33,6 +33,7 @@
           # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
           # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
           sbctl # For debugging and troubleshooting Secure Boot.
+          efibootmgr # To set EFI boot order.
         ];
       }
       (lib.mkIf (!config.me.buildingPortable) {

nix/configuration/roles/disko/default.nix

@@ -19,18 +19,18 @@ let
     in
     lib.unique (lib.flatten (collector self));
   dependencies = [
-    this_nixos_config.config.system.build.toplevel
-    this_nixos_config.config.system.build.diskoScript
-    # this_nixos_config.config.system.build.diskoScript.drvPath
     this_nixos_config.pkgs.stdenv.drvPath
+    (this_nixos_config.pkgs.closureInfo { rootPaths = [ ]; }).drvPath
 
     # https://github.com/NixOS/nixpkgs/blob/f2fd33a198a58c4f3d53213f01432e4d88474956/nixos/modules/system/activation/top-level.nix#L342
     this_nixos_config.pkgs.perlPackages.ConfigIniFiles
     this_nixos_config.pkgs.perlPackages.FileSlurp
 
-    (this_nixos_config.pkgs.closureInfo { rootPaths = [ ]; }).drvPath
+    this_nixos_config.config.system.build.toplevel
+    this_nixos_config.config.system.build.diskoScript
   ]
-  ++ flakeOutPaths;
+  ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+  # ++ flakeOutPaths;
   closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
 in
 {
@@ -64,7 +64,9 @@ in
           (pkgs.writeShellScriptBin "install-nixos-unattended" ''
             set -xeuo pipefail
             IFS=$'\n\t'
-            exec ${pkgs.disko}/bin/disko-install --flake '${self}#${config.networking.hostName}' --disk main '/dev/nvme0n1'
+            # exec ${pkgs.disko}/bin/disko-install --flake '${self}#${config.networking.hostName}' --disk main '/dev/nvme0n1' --write-efi-boot-entries
+            ${pkgs.disko}/bin/disko --mode destroy,format,mount '${self}/hosts/${config.networking.hostName}/disk-config.nix'
+            ${pkgs.nixos-install}/bin/nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --no-channel-copy --no-root-password --flake '${self}#${config.networking.hostName}'
           '')
         ];
 

nix/configuration/roles/doas/default.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 
@@ -28,5 +29,8 @@
         persist = true; # Only ask for a password the first time.
       }
     ];
+    environment.systemPackages = with pkgs; [
+      doas-sudo-shim # To support --sudo for remote builds
+    ];
   };
 }

nix/configuration/roles/dont_use_substituters/default.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    dont_use_substituters.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install dont_use_substituters.";
+    };
+  };
+
+  config = lib.mkIf config.me.dont_use_substituters.enable {
+    # Disable substituters to avoid risk of cache poisoning.
+    nix.extraOptions = ''
+      substitute = false
+    '';
+
+    nix.settings.substituters = lib.mkForce [ ];
+  };
+}

nix/configuration/roles/minimal_base/default.nix

@@ -27,5 +27,7 @@
     me.zfs.enable = true;
     me.zrepl.enable = true;
     me.zsh.enable = true;
+
+    # TODO: Maybe add me.boot.enable ?
   };
 }

nix/configuration/roles/ssh/files/ssh_config

@@ -34,7 +34,7 @@ Host hydra
   ProxyJump talexander@mrmanager
   HostName 10.215.1.219
 
-Host ionlybootzfs
+Host i_only_boot_zfs
   HostName 127.0.0.1
   Port 60022