From 3d16af70bf894ce15ec9bdcad3c9ac736dc43630 Mon Sep 17 00:00:00 2001
From: obadz
Date: Mon, 22 Aug 2016 01:15:13 +0100
Subject: nixos/stage-1: add mechanism which lustrates all impurities from / (#17784)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

lustrate /ˈlʌstreɪt/ verb. purify by expiatory sacrifice, ceremonial washing, or some other ritual action.

- sudo touch /etc/NIXOS_LUSTRATE ⇒ on next reboot, during stage 1, everything but /nix and /boot is moved to /old-root
- echo "etc/passwd" | sudo tee -a /etc/NIXOS_LUSTRATE ⇒ on next reboot, during stage 1, everything but /nix and /boot is moved to /old-root; except /etc/passwd is copied back.

Useful for installing NixOS in place on another distro. For instance:

$ nix-env -iE '_: with import { configuration = {}; }; with config.system.build; [ nixos-generate-config manual.manpages ]'
$ sudo mkdir /etc/nixos
$ sudo `which nixos-generate-config`
… edit the configuration files in /etc/nixos using man configuration.nix if needed
maybe add: users.extraUsers.root.initialHashedPassword = "" ?
… Build the entire NixOS system and link it to the system profile:
$ nix-env -p /nix/var/nix/profiles/system -f '' -A system --set
… If you were using a single user install:
$ sudo chown -R 0.0 /nix
… NixOS is about to take over
$ sudo touch /etc/NIXOS
$ sudo touch /etc/NIXOS_LUSTRATE
… Let's keep the configuration files we just created
$ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE
$ sudo mv -v /boot /boot.bak && sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
$ sudo reboot
… NixOS boots, Stage 1 moves all the old distro stuff in /old-root.
---
 nixos/modules/system/boot/stage-1.nix | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'nixos/modules/system/boot/stage-1.nix')

diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index baeba1d6b31d..9be7ad4ae077 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -131,9 +131,16 @@ let
   # The initrd only has to mount / or any FS marked as necessary for
   # booting (such as the FS containing /nix/store, or an FS needed for
   # mounting /, like / on a loopback).
-  fileSystems = filter
-    (fs: fs.neededForBoot || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ])
-    (attrValues config.fileSystems);
+  #
+  # We need to guarantee that / is the first filesystem in the list so
+  # that if and when lustrateRoot is invoked, nothing else is mounted
+  fileSystems = let
+    filterNeeded = filter
+      (fs: fs.mountPoint != "/" && (fs.neededForBoot || elem fs.mountPoint [ "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ]));
+    filterRoot = filter
+      (fs: fs.mountPoint == "/");
+    allFileSystems = attrValues config.fileSystems;
+    in (filterRoot allFileSystems) ++ (filterNeeded allFileSystems);
 
   udevRules = pkgs.stdenv.mkDerivation {
-- 
cgit 1.4.1
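Review bot: The "/ must come first" invariant stated in the new comment above `fileSystems = let` is consumed by code outside this hunk (the init script that invokes lustrateRoot is not visible here, since this view is limited to stage-1.nix), and nothing in the Nix expression ties the two together, so a later change that sorts, dedups or otherwise reorders this list would break the lustration precondition without any error. Suggest naming the consumer and the exact assumption in the comment, e.g. `# NOTE: the stage-1 init script mounts these in list order; lustrateRoot relies on / being mounted first with nothing else mounted yet — keep this ordering in sync with it`, and ending the existing sentence with a period. Because the root selection keys only on `fs.mountPoint == "/"`, a configuration with no such entry yields an empty `filterRoot` result and the guarantee degrades silently; if the init script does not already assert that / was mounted, a short comment or check on that side would make the failure mode visible. As a point of style, the two passes over `allFileSystems` could be a single `partition (fs: fs.mountPoint == "/") allFileSystems`, with the neededForBoot/mountPoint filter applied to its `wrong` list and `right` prepended, which also removes the need for the duplicated `fs.mountPoint != "/"` test in filterNeeded.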