add barebones installer, not tested yet

flake.lock

@@ -0,0 +1,86 @@
+{
+  "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688466019,
+        "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "nixlib": {
+      "locked": {
+        "lastModified": 1688259758,
+        "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688460648,
+        "narHash": "sha256-yax5BYOfpE0+95kyJmEcfKEdZBaFvCENDogBB4VQB3Q=",
+        "owner": "davhau",
+        "repo": "nixos-generators",
+        "rev": "34bbb3e12b75576f61770e995ea9a1cac0c36c25",
+        "type": "github"
+      },
+      "original": {
+        "owner": "davhau",
+        "ref": "all-formats",
+        "repo": "nixos-generators",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1688590700,
+        "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixos-generators": "nixos-generators",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,38 @@
+{
+  description = "clan.lol base operating system";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixos-generators.url = "github:davhau/nixos-generators/all-formats";
+    nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+  };
+
+  outputs = inputs@{ flake-parts, ... }:
+    flake-parts.lib.mkFlake { inherit inputs; } ({ lib, config, ... }: {
+      systems = lib.systems.flakeExposed;
+      flake = {
+        nixosConfigurations.installer = lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            config.flake.nixosModules.installer
+            inputs.nixos-generators.nixosModules.all-formats
+          ];
+        };
+        nixosModules = {
+          installer = {
+            imports = [
+              ./installer.nix
+              ./hidden-announce.nix
+            ];
+          };
+          hidden-announce = {
+            imports = [
+              ./hidden-announce.nix
+            ];
+          };
+        };
+      };
+    });
+}

hidden-announce.nix

@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+{
+  options.hidden-announce = {
+    enable = lib.mkEnableOption "hidden-announce";
+    script = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.writers.writeDash "test-output";
+      description = ''
+        script to run when the hidden tor service was started and they hostname is known.
+        takes the hostname as $1
+      '';
+    };
+  };
+
+  config = lib.mkIf config.hidden-announce.enable {
+    services.tor = {
+      enable = true;
+      relay.onionServices.hidden-ssh = {
+        version = 3;
+        map = [{
+          port = 22;
+          target.port = 22;
+        }];
+      };
+      client.enable = true;
+    };
+    systemd.services.hidden-ssh-announce = {
+      description = "irc announce hidden ssh";
+      after = [ "tor.service" "network-online.target" ];
+      wants = [ "tor.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        # ${pkgs.tor}/bin/torify
+        ExecStart = pkgs.writers.writeDash "announce-hidden-service" ''
+          set -efu
+          until test -e ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname; do
+            echo "still waiting for ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname"
+            sleep 1
+          done
+
+          ${config.hidden-announce.script} "$(cat ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname)"
+        '';
+        PrivateTmp = "true";
+        User = "tor";
+        Type = "oneshot";
+      };
+    };
+  };
+}

installer.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+{
+  systemd.tmpfiles.rules = [
+    "d /var/shared 0777 root root - -"
+  ];
+  services.openssh.settings.PermitRootLogin = "yes";
+  system.activationScripts.root-password = ''
+    ${pkgs.pwgen}/bin/pwgen -s 16 1 > /var/shared/root-password
+    echo "root:$(cat /var/shared/root-password)" | chpasswd
+  '';
+  hidden-announce = {
+    enable = true;
+    script = pkgs.writers.writeDash "write-hostname" ''
+      echo "$1" > /var/shared/onion-hostname
+    '';
+  };
+  services.getty.autologinUser = lib.mkForce "root";
+  programs.bash.interactiveShellInit = ''
+    if [ "$(tty)" = "/dev/tty1" ]; then
+      echo "ssh://root:$(cat /var/shared/root-password)@$(cat /var/shared/onion-hostname)"
+    fi
+  '';
+  # TODO find a place to put this
+  # isoImage.squashfsCompression = "zstd -Xcompression-level 1";
+}