servers/mermet/apu2e4.nix

   1 { pkgs, lib, config, ... }:
   2 let inherit (builtins) toPath;
   3     inherit (builtins.extraBuiltins) pass pass-to-file;
   4 in
   5 {
   6   imports =
   7     [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
   8     ];
   9
  10   hardware.cpu.amd.updateMicrocode = true;
  11
  12   boot.kernel = {
  13     sysctl = {
  14       "vm.swappiness" = 10;
  15       "vm.vfs_cache_pressure" = 50;
  16     };
  17   };
  18
  19   boot.loader = {
  20     grub = {
  21       enable = true;
  22       version = 2;
  23       copyKernels = true;
  24       # efiSupport = true;
  25       devices = [
  26         "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
  27       ];
  28       /*
  29       mirroredBoots = [
  30         { devices = [ "${disk_id}" ];
  31           path    = "/boot${bootnum}";
  32         }
  33       ];
  34       */
  35     };
  36     /*
  37     efi = {
  38       canTouchEfiVariables = true;
  39       efiSysMountPoint = "/boot/efi";
  40       efiInstallAsRemovable = false;
  41     };
  42     */
  43   };
  44
  45   boot.initrd = {
  46     availableKernelModules = [
  47       "ahci"
  48       "ehci_pci"
  49       "sd_mod"
  50       "uas"
  51       # Ethernet driver
  52       "igb"
  53       # Made the AES modules available at initrd,
  54       # to speedup the deciphering of the root.
  55       "aes_x86_64"
  56       "aesni_intel"
  57       "cryptd"
  58     ];
  59     kernelModules = [ ];
  60     network = {
  61       enable = true;
  62       ssh = {
  63          enable = true;
  64          # To prevent ssh from freaking out because a different host key is used,
  65          # a different port for dropbear is useful
  66          # (assuming the same host has also a normal sshd running)
  67          port = 2222;
  68          # The initrd needs a cleartext key and is built on the host,
  69          # hence this key needs to be cleartext on the host.
  70          # Moreover building the initrd means that the key will go into the Nix store,
  71          # of the host then of the target on deployment,
  72          # because GRUB does not support boot.initrd.secrets
  73          # (only systemd-boot does, but sticking to GRUB is more reassuring).
  74          # In any case, the initrd is sent to a non-encrypted /boot partition
  75          # to be able to start unattended, hence the key will be available
  76          # to anyone who has physically access to the disk where /boot is.
  77          # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
  78          #hostECDSAKey = "../../.sec/tmp/dropbear-ecdsa.key";
  79          hostECDSAKey = toPath (pass-to-file "servers/mermet/dropbear/ecdsa.key"
  80                                              ".sec/tmp/dropbear-ecdsa.key");
  81          # NOTE: ".sec/tmp/" is shred-ed when exiting the nix-shell
  82          # (or when… entering the directory with direnv
  83          # which spawns a nix-shell just to get the env).
  84
  85          #hostECDSAKey = ../../.sec/dropbear/mermet.dropbear-ecdsa.key ;
  86          authorizedKeys = [
  87            (pass "members/julm/ssh.pub")
  88          ];
  89       };
  90       # this will automatically load the zfs password prompt on login
  91       # and kill the other prompt so boot can continue
  92       # The pkill zfs kills the zfs load-key from the console
  93       # allowing the boot to continue.
  94       postCommands = ''
  95         echo >>/root/.profile "zfs load-key -a && pkill zfs"
  96       '';
  97     };
  98
  99   };
 100   boot.kernelModules = [ ];
 101   boot.extraModulePackages = [ ];
 102   boot.kernelParams = [
 103     # Always reboot on a kernel panic,
 104     # to not have to physically go power cycle the apu2e4.
 105     # Which happens if the wrong ZFS password is used
 106     # but the boot is manually forced to continue.
 107     # Using kernelParams instead of kernel.sysctl
 108     # sets this up as soon as the initrd.
 109     "panic=10"
 110     "gfxpayload=text"
 111     #"console=tty0"
 112     "console=ttyS0,115200n8"
 113     # DEBUG: "boot.shell_on_fail"
 114     "zfs.zfs_arc_max=262144000" # 250Mo
 115   ];
 116
 117   fileSystems."/boot" =
 118     { device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
 119       fsType = "ext2";
 120     };
 121
 122   fileSystems."/boot/efi" =
 123     { device = "/dev/disk/by-uuid/62E6-E65F";
 124       fsType = "vfat";
 125     };
 126
 127   swapDevices =
 128     [ { device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
 129         randomEncryption = {
 130           enable = true;
 131           cipher = "aes-xts-plain64";
 132           source = "/dev/urandom";
 133         };
 134       }
 135     ];
 136
 137   nix.maxJobs = lib.mkDefault 4;
 138   powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 139
 140   environment = {
 141     systemPackages = with pkgs; [
 142       pciutils
 143       flashrom
 144     ];
 145   };
 146 }