{ pkgs, lib, config, ... }:
let
  # Secret lookups are provided out of tree by extra-builtins (pass(1)).
  # `pass` returns the secret as a string; `pass-to-file` writes it to the
  # given path and returns that path.
  inherit (builtins.extraBuiltins) pass pass-to-file;
in
{
  # Hardware scan module for a machine without detected hardware quirks.
  # NOTE(review): the angle-bracket lookup is resolved through NIX_PATH, i.e.
  # the environment of whoever evaluates this configuration.
  imports = [
    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
  ];

  # Apply the AMD microcode updates shipped by nixpkgs (early-loaded at boot).
  hardware.cpu.amd.updateMicrocode = true;

  # Prefer keeping the page cache over swapping out anonymous memory.
  boot.kernel.sysctl = {
    "vm.swappiness" = 10;
    "vm.vfs_cache_pressure" = 50;
  };

  # GRUB in BIOS mode on the single SSD; the EFI variants below are kept
  # commented out as the intended path if the board is ever booted via UEFI.
  # GRUB itself has no password: whoever reaches the boot menu (serial line
  # included) can edit the kernel command line, although only the unencrypted
  # /boot is exposed to that, the root pool being encrypted.
  boot.loader.grub = {
    enable = true;
    version = 2;
    copyKernels = true;
    # efiSupport = true;
    devices = [
      "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
    ];
    /*
    mirroredBoots = [
      { devices = [ "${disk_id}" ];
        path = "/boot${bootnum}";
      }
    ];
    */
  };
  /*
  boot.loader.efi = {
    canTouchEfiVariables = true;
    efiSysMountPoint = "/boot/efi";
    efiInstallAsRemovable = false;
  };
  */

  boot.initrd.availableKernelModules = [
    "ahci"
    "ehci_pci"
    "sd_mod"
    "uas"
    # Ethernet driver, needed so the initrd can bring the network up
    # for the remote unlock below.
    "igb"
    # AES modules available in the initrd so that decrypting the root
    # pool uses the hardware AES instructions instead of a slow fallback.
    "aes_x86_64"
    "aesni_intel"
    "cryptd"
  ];
  boot.initrd.kernelModules = [ ];

  # Remote unlock of the ZFS root: the initrd brings up the network and runs
  # a dropbear SSH server so the passphrase can be entered without a console.
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    # A port distinct from the regular sshd, so that ssh(1) does not refuse
    # the connection because the initrd host key differs from the one the
    # client has pinned for the same host after boot.
    port = 2222;
    # SECURITY CAVEAT: the initrd needs this key in cleartext and is built on
    # the build host, so the key is written unencrypted under .sec/tmp/ there,
    # then copied into the initrd, which ends up in /nix/store (normally
    # world-readable) on the build host and on this machine, and on the
    # unencrypted /boot partition so that the machine can start unattended.
    # Anyone who can read either store or the /boot disk can therefore
    # impersonate this initrd SSH server, and thereby capture the ZFS
    # passphrase typed through it. boot.initrd.secrets would avoid the store
    # copy, but it is only supported with systemd-boot, and GRUB was kept.
    # NOTE: generated with `dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key`
    #hostECDSAKey = "../../.sec/tmp/dropbear-ecdsa.key";
    hostECDSAKey = builtins.toPath (pass-to-file "servers/mermet/dropbear/ecdsa.key"
      ".sec/tmp/dropbear-ecdsa.key");
    # NOTE: ".sec/tmp/" is shred-ed when leaving the nix-shell (or when
    # entering the directory with direnv, which spawns a nix-shell just to
    # collect the environment).
    #hostECDSAKey = ../../.sec/dropbear/mermet.dropbear-ecdsa.key ;
    authorizedKeys = [
      (pass "members/julm/ssh.pub")
    ];
  };
  # Logging in over SSH in the initrd prompts for the ZFS keys and, only once
  # `zfs load-key -a` has succeeded (hence the `&&`), kills the `zfs load-key`
  # that stage 1 is running on the console, which lets the boot continue.
  # A wrong passphrase entered over SSH leaves the console prompt in place.
  boot.initrd.network.postCommands = ''
    echo >>/root/.profile "zfs load-key -a && pkill zfs"
  '';

  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  boot.kernelParams = [
    # Reboot 10s after a kernel panic instead of hanging, to avoid having to
    # go and power-cycle the apu2e4 by hand. This happens when a wrong ZFS
    # passphrase is used but the boot is forced to continue anyway.
    # kernelParams (rather than kernel.sysctl) applies this from the initrd on.
    "panic=10"
    "gfxpayload=text"
    #"console=tty0"
    # Kernel console on the serial port: whoever holds the serial line sees
    # the boot log and the passphrase prompt. The debugging flag below would
    # additionally hand them an unauthenticated shell when stage 1 fails,
    # so keep it commented out except while debugging.
    "console=ttyS0,115200n8"
    # DEBUG: "boot.shell_on_fail"
    # Cap the ZFS ARC at 262144000 bytes = 250 MiB on this small-RAM board.
    "zfs.zfs_arc_max=262144000"
  ];

  # Unencrypted boot partition holding GRUB, the kernels and the initrd
  # (including the dropbear host key, see above).
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
    fsType = "ext2";
  };

  # EFI system partition; mounted although GRUB currently runs in BIOS mode.
  fileSystems."/boot/efi" = {
    device = "/dev/disk/by-uuid/62E6-E65F";
    fsType = "vfat";
  };

  # Swap encrypted with a fresh random key from /dev/urandom at every boot,
  # so nothing written to it survives a reboot (this also rules out
  # hibernation, which needs a persistent key).
  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
      randomEncryption = {
        enable = true;
        cipher = "aes-xts-plain64";
        source = "/dev/urandom";
      };
    }
  ];

  # Defaults that a more specific module may still override (mkDefault).
  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";

  # pciutils for inspecting the board; flashrom for updating the coreboot
  # image. NOTE(review): flashrom lets root rewrite the firmware, so a root
  # compromise becomes a firmware compromise — consider the board's flash
  # write-protection if that is a concern.
  environment.systemPackages = [
    pkgs.pciutils
    pkgs.flashrom
  ];
}