From 2d9c9d481bb89845949ec38a000fc2d00072ff85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Tue, 27 Jan 2026 11:49:20 +0000
Subject: [PATCH] wip mrescue

---
 flake.nix | 2 +
 hosts/mtworx/configuration.nix | 40 +++++-
 pkgs/mrescue.nix | 223 +++++++++++++++++++++++++++++++++
 3 files changed, 264 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/mrescue.nix

diff --git a/flake.nix b/flake.nix
index fd8a952..1646d2e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -105,6 +105,7 @@
       tmuxbash = super.callPackage ./pkgs/tmuxbash.nix { };
       sentinelone = super.callPackage ./pkgs/sentinelone { };
       chronoctl = super.callPackage ./pkgs/chronoctl.nix { };
+      mrescue = super.callPackage ./pkgs/mrescue.nix { };
       vanta-agent = super.callPackage ./pkgs/vanta-agent.nix { };
       gcloud-wrapped = super.callPackage ./pkgs/gcloud-wrapped { };
       go-raceless = super.callPackage ./pkgs/go-raceless { inherit (nicer) ; };
@@ -363,6 +364,7 @@
           weather
           gamja
           chronoctl
+          mrescue
           sentinelone
           ;
       };
diff --git a/hosts/mtworx/configuration.nix b/hosts/mtworx/configuration.nix
index 12ed33e..1615358 100644
--- a/hosts/mtworx/configuration.nix
+++ b/hosts/mtworx/configuration.nix
@@ -213,6 +213,44 @@ in
     hostId = "b14a02aa";
     hostName = "mtworx";
     domain = "jakst.vpn";
-    firewall.rejectPackets = true;
+
+    # Configure USB Ethernet interface with internal IP
+    interfaces.enp0s20f0u2 = {
+      ipv4.addresses = [
+        {
+          address = "10.14.143.1";
+          prefixLength = 24;
+        }
+      ];
+    };
+
+    nat = {
+      enable = true;
+      externalInterface = "wlp0s20f3";
+      internalInterfaces = [ "enp0s20f0u2" ];
+      internalIPs = [ "10.14.143.0/24" ];
+    };
+
+    firewall = {
+      rejectPackets = true;
+      interfaces.enp0s20f0u2 = {
+        allowedUDPPorts = [
+          53
+          67
+          69
+        ];
+        allowedTCPPorts = [ 53 ];
+      };
+      extraCommands = ''
+        # Allow only through WiFi interface (to gateway and internet)
+        iptables -A FORWARD -s 10.14.143.0/24 -o wlp0s20f3 -j ACCEPT
+
+        # Allow established connections back
+        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+        # Block everything else from 10.14.143.0/24
+        iptables -A FORWARD -s 10.14.143.0/24 -j DROP
+      '';
+    };
   };
 }
diff --git a/pkgs/mrescue.nix b/pkgs/mrescue.nix
new file mode 100644
index 0000000..82611d1
--- /dev/null
+++ b/pkgs/mrescue.nix
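Review bot: The first rule in `extraCommands`, `iptables -A FORWARD -s 10.14.143.0/24 -o wlp0s20f3 -j ACCEPT`, forwards the USB segment to any destination reachable through the WiFi interface, which includes every other host on the WiFi LAN, so the comment "to gateway and internet" overstates the isolation; if rescue clients should only reach the gateway and the internet, precede it with drops for private destinations, e.g. `iptables -A FORWARD -s 10.14.143.0/24 -d 192.168.0.0/16 -j DROP` (and likewise for 10.0.0.0/8 and 172.16.0.0/12, carving out the gateway address if it lives in one of them). The rules are appended with `-A` directly to FORWARD and there is no matching `extraStopCommands`, so a firewall restart or reload is likely to leave duplicated rules behind — add `extraStopCommands` that remove the same rules with `-D`, or put them in a dedicated chain that the stop script flushes. The rules are iptables-only; if IPv6 forwarding ends up enabled on this host, the same isolation is not applied there — worth confirming. The enclosing `networking` attribute set begins before the hunk.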
@@ -0,0 +1,223 @@
+{
+  lib,
+  runCommand,
+  makeInitrdNG,
+  uutils-coreutils-noprefix,
+  bash,
+  util-linux,
+  e2fsprogs,
+  dosfstools,
+  parted,
+  vim-full,
+  findutils,
+  gnugrep,
+  procps,
+  less,
+  writeScript,
+  kmod,
+  linuxPackages_6_18,
+}:
+
+let
+  # Simple init script
+  init = writeScript "init" ''
+    #!${bash}/bin/bash
+    set -e
+
+    # Mount essential filesystems
+    ${util-linux}/bin/mount -t proc proc /proc
+    ${util-linux}/bin/mount -t sysfs sys /sys
+    ${util-linux}/bin/mount -t devtmpfs dev /dev
+
+    # Set up environment
+    export PATH=/bin
+    export HOME=/root
+    export TERM=linux
+
+    # Load essential kernel modules for hardware support
+    echo "Loading kernel modules..."
+    ${kmod}/bin/modprobe -a \
+      nvme sd_mod usb_storage ata_piix ahci \
+      ext4 vfat btrfs xfs \
+      e1000e igb r8169 virtio_net \
+      virtio_blk virtio_scsi \
+      >/dev/null 2>&1 || true
+
+    # Display welcome message
+    echo ""
+    echo "==============================="
+    echo " Rescue System"
+    echo "==============================="
+    echo ""
+    echo "Available utilities:"
+    echo " Shell: bash"
+    echo " Files: ls, cat, less, cp, mv, rm, mkdir (uutils-coreutils)"
+    echo " Disk: mount, fdisk, parted, mkfs.ext4, mkfs.vfat, blkid"
+    echo " Text: vim, grep, find, head, tail"
+    echo " System: ps, kill, chmod, chown"
+    echo ""
+    echo "Kernel modules and firmware included."
+    echo "Type 'exit' or Ctrl+D to reboot"
+    echo ""
+
+    # Drop to rescue shell
+    exec ${bash}/bin/bash
+  '';
+
+  # Package binaries to include
+  packageBinaries = [
+    # uutils-coreutils (core utilities)
+    {
+      pkg = uutils-coreutils-noprefix;
+      bins = [
+        "ls"
+        "cat"
+        "cp"
+        "mv"
+        "rm"
+        "mkdir"
+        "rmdir"
+        "chmod"
+        "chown"
+        "ln"
+        "touch"
+        "head"
+        "tail"
+        "dd"
+        "echo"
+        "pwd"
+        "true"
+        "false"
+      ];
+    }
+    # bash (shell)
+    {
+      pkg = bash;
+      bins = [
+        "bash"
+        "sh"
+      ];
+    }
+    # util-linux (mount, disk utilities)
+    {
+      pkg = util-linux;
+      bins = [
+        "mount"
+        "umount"
+        "fdisk"
+        "blkid"
+        "mkswap"
+        "lsblk"
+      ];
+    }
+    # e2fsprogs (ext filesystem tools)
+    {
+      pkg = e2fsprogs;
+      bins = [
+        "mkfs.ext4"
+        "e2fsck"
+        "resize2fs"
+      ];
+    }
+    # dosfstools (FAT filesystem tools)
+    {
+      pkg = dosfstools;
+      bins = [
+        "mkfs.vfat"
+        "fsck.vfat"
+      ];
+    }
+    # parted (partitioning tool)
+    {
+      pkg = parted;
+      bins = [ "parted" ];
+    }
+    # vim (text editor)
+    {
+      pkg = vim-full;
+      bins = [
+        "vim"
+        "vi"
+      ];
+    }
+    # findutils (find)
+    {
+      pkg = findutils;
+      bins = [ "find" ];
+    }
+    # gnugrep (grep)
+    {
+      pkg = gnugrep;
+      bins = [ "grep" ];
+    }
+    # procps (process utilities)
+    {
+      pkg = procps;
+      bins = [
+        "ps"
+        "kill"
+      ];
+    }
+    # less (pager)
+    {
+      pkg = less;
+      bins = [ "less" ];
+    }
+    # kmod (module loading)
+    {
+      pkg = kmod;
+      bins = [
+        "modprobe"
+        "lsmod"
+      ];
+    }
+  ];
+
+  # Generate binary entries for makeInitrdNG
+  binaryEntries = lib.flatten (
+    map (
+      entry:
+      map (bin: {
+        source = "${entry.pkg}/bin/${bin}";
+        target = "/bin/${bin}";
+      }) entry.bins
+    ) packageBinaries
+  );
+
+  # Build the initrd
+  initrd = makeInitrdNG {
+    name = "mrescue-initrd";
+    compressor = "zstd";
+    compressorArgs = [
+      "-19"
+      "-T0"
+    ]; # Maximum compression, all threads
+
+    contents = [
+      # Init script
+      {
+        source = init;
+        target = "/init";
+      }
+      # Kernel modules
+      {
+        source = "${linuxPackages_6_18.kernel.dev}/lib/modules";
+        target = "/lib/modules";
+      }
+      # Kernel firmware
+      {
+        source = "${linuxPackages_6_18.kernel.dev}/lib/firmware";
+        target = "/lib/firmware";
+      }
+    ]
+    ++ binaryEntries;
+  };
+
+in
+# Package both kernel and initrd together
+runCommand "mrescue" { } ''
+  mkdir -p $out
+  ln -s ${linuxPackages_6_18.kernel}/bzImage $out/bzImage
+  ln -s ${initrd}/initrd $out/initrd
+  ln -s ${initrd}/initrd $out/initrd.zst
+''
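Review bot: `exec ${bash}/bin/bash` in the init script makes the interactive shell PID 1, so the banner's promise "Type 'exit' or Ctrl+D to reboot" does not hold: when PID 1 exits the kernel panics ("Attempted to kill init!") instead of rebooting unless the kernel command line happens to set `panic=`, and the initrd ships no `reboot` binary at all. Respawn the shell in a loop (with `|| true`, since the script runs under `set -e`) and tell the user how to actually reboot, for example via `/proc/sysrq-trigger` if SysRq is enabled in this kernel. Separately, `modprobe -a ... >/dev/null 2>&1 || true` hides every module-load failure, which on a rescue image means a missing storage or NIC driver surfaces only as an inexplicably empty `/dev` — keep stderr visible. Finally, both `/lib/modules` and `/lib/firmware` are taken from `linuxPackages_6_18.kernel.dev`, which in nixpkgs holds the kernel build tree rather than the installed module tree (that lives in the kernel's default output) and, as far as I can tell, no firmware at all — verify both paths with `ls` before relying on the "Kernel modules and firmware included." banner.
```nix
    # Load essential kernel modules for hardware support
    echo "Loading kernel modules..."
    ${kmod}/bin/modprobe -a \
      nvme sd_mod usb_storage ata_piix ahci \
      ext4 vfat btrfs xfs \
      e1000e igb r8169 virtio_net \
      virtio_blk virtio_scsi \
      || echo "warning: some modules failed to load; check lsmod and dmesg" >&2
    # … unchanged: welcome banner up to the "Kernel modules" line …
    echo "Exiting the shell starts a fresh one; to reboot run: echo b > /proc/sysrq-trigger"
    echo ""

    # Never let PID 1 exit: an exiting init panics the kernel instead of rebooting
    while :; do
      ${bash}/bin/bash || true
    done
  '';
```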