Merge pull request #624 from genebean/kiosk

Setup remote builds and set Pi mostly readonly

flake.lock

@@ -658,11 +658,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774233120,
+        "lastModified": 1775077724,
-        "narHash": "sha256-txGwTNKNYQT1rFPkxd6imEvQ03SmIyKAXNBaYtB3Jes=",
+        "narHash": "sha256-LGifKfUhZr99hX+vRZZhDDT6+6AyjTbqomq2SgL/Pv8=",
         "owner": "genebean",
         "repo": "private-flake",
-        "rev": "45fca86f711966ee29add03027ee3ffc48992110",
+        "rev": "aef30e8ac1ae465de8d5747931bea4402d042113",
         "type": "github"
       },
       "original": {

modules/hosts/nixos/kiosk-gene-desk/default.nix

@@ -10,6 +10,7 @@
   imports = [
     # SD card image
     "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+    ./read-only-root.nix
   ];
 
   system.stateVersion = "24.11";
@@ -49,6 +50,29 @@
     };
   };
 
+  nix = {
+    distributedBuilds = true;
+    buildMachines = [
+      {
+        hostName = "hetznix02.technicalissues.us";
+        system = "aarch64-linux";
+        protocol = "ssh-ng";
+        maxJobs = 4;
+        speedFactor = 2;
+        supportedFeatures = [
+          "nixos-test"
+          "benchmark"
+          "big-parallel"
+        ];
+        sshUser = "gene";
+        sshKey = "/root/.ssh/id_ed25519";
+      }
+    ];
+    extraOptions = ''
+      builders-use-substitutes = true
+    '';
+  };
+
   nixpkgs.overlays = [
     (_final: super: {
       makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });

modules/hosts/nixos/kiosk-gene-desk/home-gene.nix

@@ -17,6 +17,7 @@
         "--hide-crash-restore-bubble"
       ];
     };
+    zsh.history.path = "/tmp/zsh_history_gene"; # needed becaues of read only fs
   };
 
 }

modules/hosts/nixos/kiosk-gene-desk/read-only-root.nix

@@ -0,0 +1,126 @@
+{
+  lib,
+  pkgs,
+  username,
+  ...
+}:
+{
+  # ------------------------------------------------------------------ #
+  # Read-only SD card mounts and tmpfs for writable paths
+  # ------------------------------------------------------------------ #
+  fileSystems = {
+    "/" = lib.mkForce {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [
+        "ro"
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/boot/firmware" = lib.mkForce {
+      device = "/dev/disk/by-label/FIRMWARE";
+      fsType = "vfat";
+      options = [
+        "ro"
+        "noatime"
+        "nofail"
+        "noauto"
+      ];
+    };
+
+    "/var/log" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = [
+        "size=64m"
+        "mode=0755"
+        "nosuid"
+        "nodev"
+      ];
+      neededForBoot = true;
+    };
+
+    "/var/lib" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = [
+        "size=256m"
+        "mode=0755"
+        "nosuid"
+        "nodev"
+      ];
+      neededForBoot = true;
+    };
+
+    "/home/${username}/.cache" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = [
+        "size=256m"
+        "mode=0700"
+        "uid=1000"
+        "nosuid"
+        "nodev"
+      ];
+    };
+
+    "/home/${username}/.local" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = [
+        "size=256m"
+        "mode=0700"
+        "uid=1000"
+        "nosuid"
+        "nodev"
+      ];
+    };
+
+    "/home/${username}/.config/chromium" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = [
+        "size=128m"
+        "mode=0700"
+        "uid=1000"
+        "nosuid"
+        "nodev"
+      ];
+    };
+  };
+
+  # ------------------------------------------------------------------ #
+  # tmpfs for paths that need to be writable at runtime
+  # ------------------------------------------------------------------ #
+
+  # /tmp - NixOS built-in option, cleaner than a manual fileSystems entry
+  boot.tmp.useTmpfs = true;
+  boot.tmp.tmpfsSize = "20%";
+
+  # ------------------------------------------------------------------ #
+  # systemd-journal needs its directory to exist after /var/log tmpfs
+  # is mounted
+  # ------------------------------------------------------------------ #
+  systemd.tmpfiles.rules = [
+    "d /var/log/journal 0755 root systemd-journal -"
+    # create a writable zsh history file in /tmp for gene
+    "f /tmp/zsh_history_gene 0600 ${username} users -"
+  ];
+
+  # ------------------------------------------------------------------ #
+  # Helper scripts for doing a nixos-rebuild
+  # ------------------------------------------------------------------ #
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "remount-rw" ''
+      echo "Remounting / read-write..."
+      sudo mount -o remount,rw /
+
+      echo "Starting nix-daemon..."
+      systemctl start nix-daemon.socket nix-daemon.service
+
+      echo "Done. Run 'reboot' when finished."
+    '')
+  ];
+}