photoncloud-monorepo/baremetal/image-builder/examples/custom-netboot.nix
centra d2149b6249 fix(lightningstor): Fix SigV4 canonicalization for AWS S3 auth
- Replace form_urlencoded with RFC 3986 compliant URI encoding
- Implement aws_uri_encode() matching AWS SigV4 spec exactly
- Unreserved chars (A-Z,a-z,0-9,-,_,.,~) not encoded
- All other chars percent-encoded with uppercase hex
- Preserve slashes in paths, encode in query params
- Normalize empty paths to '/' per AWS spec
- Fix test expectations (body hash, HMAC values)
- Add comprehensive SigV4 signature determinism test

This fixes the canonicalization mismatch that caused signature
validation failures in T047. Auth can now be enabled for production.

Refs: T058.S1
2025-12-12 06:23:46 +09:00


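{ config, pkgs, lib, ... }:
# ==============================================================================
# CUSTOM NETBOOT CONFIGURATION EXAMPLE
# ==============================================================================
# This example demonstrates how to create a custom netboot configuration with:
# - Custom kernel version and modules
# - Additional packages for specialized use cases
# - Hardware-specific drivers
# - Custom network configuration
# - Debugging tools
#
# Usage:
# 1. Copy this file to nix/images/netboot-custom.nix
# 2. Add to flake.nix:
#      nixosConfigurations.netboot-custom = nixpkgs.lib.nixosSystem {
#        system = "x86_64-linux";
#        modules = [ ./nix/images/netboot-custom.nix ];
#      };
# 3. Build: ./build-images.sh --profile custom
#
# Module arguments follow the standard NixOS module signature; `config` is
# accepted for consistency with other modules but is not read here.
# ==============================================================================
{
  imports = [
    ../netboot-base.nix # Adjust path as needed
    ../../modules # PlasmaCloud service modules
  ];

  # ============================================================================
  # CUSTOM KERNEL CONFIGURATION
  # ============================================================================
  # Use specific kernel version instead of latest
  boot.kernelPackages = pkgs.linuxPackages_6_6; # LTS kernel

  # Add custom kernel modules for specialized hardware.
  # NOTE: the nvidia modules are only available once the proprietary driver
  # package is part of the kernel package set (see the commented-out
  # hardware.nvidia lines below); otherwise modprobe logs a failure at boot.
  boot.kernelModules = [
    # Infiniband/RDMA support
    "ib_core"
    "ib_uverbs"
    "mlx5_core"
    "mlx5_ib"
    # GPU support (for GPU compute nodes)
    "nvidia"
    "nvidia_uvm"
    # Custom storage controller
    "megaraid_sas"
    "mpt3sas"
  ];

  # Custom kernel parameters.
  #
  # A NixOS module may bind an option path only once per attribute set. The
  # previous revision of this example bound boot.kernelParams here AND again
  # under "DEBUGGING AND LOGGING", which fails evaluation with
  # "attribute 'boot.kernelParams' already defined". Both lists are merged into
  # a single definition: lib.mkMerge concatenates them and lib.mkAfter keeps
  # the debug flags at the end of the command line, preserving the original
  # ordering intent (the verbose flags follow the base list).
  boot.kernelParams = lib.mkMerge [
    [
      # Default console configuration
      "console=ttyS0,115200"
      "console=tty0"
      "loglevel=4"
      # Custom parameters
      "intel_iommu=on" # Enable IOMMU for PCI passthrough
      "iommu=pt" # Passthrough mode
      "hugepagesz=2M" # 2MB hugepages
      "hugepages=1024" # Allocate 1024 hugepages (2GB)
      "isolcpus=2-7" # CPU isolation for real-time workloads
    ]
    # Verbose boot logging (formerly a second boot.kernelParams definition in
    # the debugging section). Remove for production images: "debug" makes the
    # kernel and systemd very chatty on the serial console.
    (lib.mkAfter [ "loglevel=7" "debug" ])
  ];

  # Blacklist problematic modules
  boot.blacklistedKernelModules = [
    "nouveau" # Disable nouveau if using proprietary NVIDIA
    "i915" # Disable Intel GPU if not needed
  ];

  # ============================================================================
  # ADDITIONAL PACKAGES
  # ============================================================================
  # These are installed into the image's system profile only. Listing docker,
  # podman or libvirt here does not enable their daemons; that requires the
  # corresponding virtualisation.* options. Debugging/tracing tools (gdb,
  # strace, bpftrace, perf, nmap) widen what an operator on the box can do, so
  # trim this list for hardened production profiles.
  environment.systemPackages = with pkgs; [
    # Networking diagnostics
    iperf3 # Network performance testing
    mtr # Network diagnostic tool
    nmap # Network scanner
    wireshark-cli # Packet analyzer
    # Storage tools
    nvme-cli # NVMe management
    smartmontools # SMART monitoring
    fio # I/O performance testing
    sg3_utils # SCSI utilities
    # Hardware diagnostics
    pciutils # lspci
    usbutils # lsusb
    dmidecode # Hardware information
    lshw # Hardware lister
    hwinfo # Hardware info tool
    # Debugging tools
    strace # System call tracer
    ltrace # Library call tracer
    gdb # GNU debugger
    valgrind # Memory debugger
    # Performance tools
    perf # Linux perf tool
    bpftrace # eBPF tracing
    sysstat # System statistics (sar, iostat)
    # Container/virtualization tools
    qemu_full # Full QEMU with all features
    libvirt # Virtualization management
    virt-manager # VM management (CLI)
    docker # Container runtime
    podman # Alternative container runtime
    # Development tools (for on-site debugging)
    python3Full # Python with all modules
    python3Packages.pip
    nodejs # Node.js runtime
    git # Version control
    gcc # C compiler
    rustc # Rust compiler
    cargo # Rust package manager
    # Custom tools
    # Add your organization's custom packages here
  ];

  # ============================================================================
  # CUSTOM NETWORK CONFIGURATION
  # ============================================================================
  # Static IP instead of DHCP (example). lib.mkForce is needed because the
  # imported base module is expected to set useDHCP itself.
  networking.useDHCP = lib.mkForce false;

  # All eth0 settings are kept in one attribute set so the interface
  # definition is readable in a single place.
  networking.interfaces.eth0 = {
    useDHCP = false;
    ipv4.addresses = [{
      address = "10.0.1.100";
      prefixLength = 24;
    }];
    # Enable jumbo frames (every switch port on the path must accept a
    # 9000-byte MTU, otherwise large packets are silently dropped)
    mtu = 9000;
  };
  networking.defaultGateway = "10.0.1.1";
  networking.nameservers = [ "10.0.1.1" "8.8.8.8" ];

  # Custom DNS domain
  networking.domain = "custom.example.com";

  # ============================================================================
  # CUSTOM SSH CONFIGURATION
  # ============================================================================
  # Multiple SSH keys for different operators. The key bodies below are
  # placeholders, not real public keys; replace them before building.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOperator1Key operator1@example.com"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOperator2Key operator2@example.com"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOperator3Key operator3@example.com"
  ];

  # Custom SSH port (for security through obscurity - not recommended for production)
  # services.openssh.ports = [ 2222 ];

  # ============================================================================
  # CUSTOM SERVICES
  # ============================================================================
  # Enable only specific PlasmaCloud services. lib.mkDefault lets a later
  # module (or a flake override) switch them on without mkForce.
  services.plasmavmc = {
    enable = lib.mkDefault false;
    port = 8081;
  };
  services.prismnet = {
    enable = lib.mkDefault false;
    port = 8082;
  };

  # ============================================================================
  # DEBUGGING AND LOGGING
  # ============================================================================
  # Verbose boot logging ("loglevel=7" "debug") lives in the merged
  # boot.kernelParams definition in the kernel section above; a second
  # binding of the same option path here is a Nix evaluation error.

  # Enable systemd debug logging for the serial console getty
  systemd.services."serial-getty@ttyS0".environment = {
    SYSTEMD_LOG_LEVEL = "debug";
  };

  # Enable additional logging. Persistent storage keeps the journal across
  # reboots so post-incident review is possible on a netbooted node; the
  # retention/size caps bound disk usage.
  services.journald.extraConfig = ''
    Storage=persistent
    MaxRetentionSec=7day
    SystemMaxUse=1G
  '';

  # ============================================================================
  # PERFORMANCE TUNING
  # ============================================================================
  # Custom sysctl settings for high-performance networking
  boot.kernel.sysctl = {
    # Network buffer sizes
    "net.core.rmem_max" = 268435456; # 256 MB
    "net.core.wmem_max" = 268435456; # 256 MB
    "net.core.rmem_default" = 67108864; # 64 MB
    "net.core.wmem_default" = 67108864; # 64 MB
    # TCP tuning
    "net.ipv4.tcp_rmem" = "4096 87380 134217728";
    "net.ipv4.tcp_wmem" = "4096 65536 134217728";
    "net.ipv4.tcp_congestion_control" = "bbr";
    # Connection tracking
    "net.netfilter.nf_conntrack_max" = 1048576;
    # File descriptor limits
    "fs.file-max" = 2097152;
    # Virtual memory
    "vm.swappiness" = 1;
    "vm.vfs_cache_pressure" = 50;
    "vm.dirty_ratio" = 10;
    "vm.dirty_background_ratio" = 5;
    # Kernel
    "kernel.pid_max" = 4194304;
  };

  # Increase systemd limits
  systemd.extraConfig = ''
    DefaultLimitNOFILE=1048576
    DefaultLimitNPROC=1048576
  '';

  # ============================================================================
  # HARDWARE-SPECIFIC CONFIGURATION
  # ============================================================================
  # Enable CPU microcode updates (both vendors enabled so one image boots on
  # mixed fleets; the matching blob is selected at boot)
  hardware.cpu.intel.updateMicrocode = true;
  hardware.cpu.amd.updateMicrocode = true;

  # Enable firmware updates
  hardware.enableRedistributableFirmware = true;

  # GPU support (example for NVIDIA)
  # Uncomment if using NVIDIA GPUs
  # hardware.nvidia.modesetting.enable = true;
  # services.xserver.videoDrivers = [ "nvidia" ];

  # ============================================================================
  # CUSTOM INITIALIZATION
  # ============================================================================
  # Run custom script on boot. Every step is best-effort (|| true), so a
  # failure here never blocks multi-user.target; check the unit's journal if
  # registration does not appear on the provisioning side.
  #
  # The "call home" example posts over plain http and therefore neither
  # authenticates the provisioning server nor protects the submitted
  # hostname/IP in transit. A real deployment should use https with a
  # verified certificate (or a pinned CA) and ideally a per-node credential.
  systemd.services.custom-init = {
    description = "Custom initialization script";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      echo "Running custom initialization..."
      # Example: Configure network interfaces
      ${pkgs.iproute2}/bin/ip link set dev eth1 up
      # Example: Load custom kernel modules
      ${pkgs.kmod}/bin/modprobe custom_driver || true
      # Example: Call home to provisioning server
      ${pkgs.curl}/bin/curl -X POST http://provisioning.example.com/api/register \
        -d "hostname=$(hostname)" \
        -d "ip=$(${pkgs.iproute2}/bin/ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')" \
        || true
      echo "Custom initialization complete"
    '';
  };

  # ============================================================================
  # FIREWALL CONFIGURATION
  # ============================================================================
  # Custom firewall rules (disabled by default in netboot, but example provided).
  # While enable is false nothing below is applied, so the node exposes every
  # listening service during provisioning; flip it to true (lib.mkDefault
  # allows a later module to do so) once the node is handed over.
  networking.firewall = {
    enable = lib.mkDefault false; # Disabled during provisioning
    # When enabled, allow these ports
    allowedTCPPorts = [
      22 # SSH
      8081 # PlasmaVMC
      8082 # PrismNET
    ];
    # Custom iptables rules, run when the firewall service starts
    extraCommands = ''
      # Allow ICMP
      iptables -A INPUT -p icmp -j ACCEPT
      # Rate limit SSH connections: more than 4 new connections from one
      # source within 60 seconds are dropped (slows credential guessing)
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    '';
  };

  # ============================================================================
  # NIX CONFIGURATION
  # ============================================================================
  # Custom binary caches. Each substituter needs its signing key listed in
  # trusted-public-keys; paths from a cache whose signature cannot be verified
  # are rejected. "YourPublicKeyHere" is a placeholder to replace.
  nix.settings = {
    substituters = [
      "https://cache.nixos.org"
      "https://custom-cache.example.com" # Your organization's cache
    ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "custom-cache.example.com:YourPublicKeyHere"
    ];
    # Build settings
    max-jobs = "auto";
    cores = 0; # Use all available cores
    # Experimental features ("repl-flake" became default behaviour in newer
    # Nix releases and is then only a harmless unknown-feature warning)
    experimental-features = [ "nix-command" "flakes" "repl-flake" ];
  };

  # ============================================================================
  # TIMEZONE AND LOCALE
  # ============================================================================
  # Custom timezone (instead of UTC)
  time.timeZone = lib.mkForce "America/New_York";

  # Additional locale support
  i18n.supportedLocales = [
    "en_US.UTF-8/UTF-8"
    "ja_JP.UTF-8/UTF-8" # Japanese support
  ];
  i18n.defaultLocale = "en_US.UTF-8";

  # ============================================================================
  # SYSTEM STATE VERSION
  # ============================================================================
  system.stateVersion = "24.11";
}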