{ pkgs, lib, config, ... }:
let
  # `pass` comes from builtins.extraBuiltins (an extension, not a standard
  # Nix builtin), so evaluating this host needs that extension loaded.
  inherit (builtins.extraBuiltins) pass;
in
{
  imports = [
    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
  ];

  boot = {
    # Tunables applied once the system is up; anything that must hold
    # already during the initrd goes into kernelParams below instead.
    kernel.sysctl = {
      "vm.swappiness" = 10;
      "vm.vfs_cache_pressure" = 50;
    };

    loader = {
      grub = {
        enable = true;
        version = 2;
        copyKernels = true;
        # efiSupport = true;
        devices = [
          "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
        ];
        # Kept for a possible mirrored /boot layout:
        # mirroredBoots = [
        #   { devices = [ "${disk_id}" ];
        #     path = "/boot${bootnum}";
        #   }
        # ];
      };
      # Legacy BIOS boot is in use (efiSupport is off); the EFI settings are
      # kept for reference only.
      # efi = {
      #   canTouchEfiVariables = true;
      #   efiSysMountPoint = "/boot/efi";
      #   efiInstallAsRemovable = false;
      # };
    };

    initrd = {
      availableKernelModules = [
        "ahci"
        "ehci_pci"
        "sd_mod"
        "uas"
        # Ethernet driver, required for the initrd network configured below.
        "igb"
        # AES modules available in the initrd so the root decryption
        # can use the accelerated implementation.
        "aes_x86_64"
        "aesni_intel"
        "cryptd"
      ];
      kernelModules = [ ];
      network = {
        # Brings the network up from the initrd (udhcp obtains the address).
        # The NIC driver must be listed in availableKernelModules above, or
        # the initrd cannot load it. A static address can be given with the
        # kernel `ip=` argument instead:
        # https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
        enable = true;
        ssh = {
          enable = true;
          # Dropbear presents a different host key than the regular sshd on
          # this host, so it listens on its own port to keep ssh clients from
          # rejecting the apparent key change.
          port = 2222;
          # Dropbear's key format differs from openssh's; generate it with:
          # $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
          # WARNING: this file is copied into the Nix store (world-readable)
          # and into the initrd, hence possibly onto cleartext storage.
          # Treat this host key as a separate, lower-trust identity than the
          # main sshd key. It cannot come from `pass` because the key is not
          # a valid Nix string.
          hostECDSAKey = ../../.sec/dropbear/mermet.dropbear-ecdsa.key;
          # Public keys allowed to log into the initrd shell.
          authorizedKeys = [
            (pass "members/julm/ssh.pub")
          ];
        };
        # Logging in over dropbear prompts for the ZFS key; `pkill zfs` then
        # stops the `zfs load-key` waiting on the console so boot continues.
        postCommands = ''
          echo >>/root/.profile "zfs load-key -a && pkill zfs"
        '';
      };
    };

    kernelModules = [ ];
    extraModulePackages = [ ];
    kernelParams = [
      # Reboot 10s after a kernel panic instead of hanging, so nobody has to
      # power-cycle the apu2e4 by hand. Such a panic happens when a wrong ZFS
      # password is given but the boot is forced to continue. As a kernel
      # parameter this is in effect from the initrd on, unlike kernel.sysctl.
      "panic=10"
      "gfxpayload=text"
      "console=tty0"
      "console=ttyS0,115200n8"
      # DEBUG: "boot.shell_on_fail"
      "zfs.zfs_arc_max=262144000" # 250 MiB
    ];
  };

  fileSystems = {
    "/boot" = {
      device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
      fsType = "ext2";
    };
    "/boot/efi" = {
      device = "/dev/disk/by-uuid/62E6-E65F";
      fsType = "vfat";
    };
  };

  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
      # Swap is encrypted with a key drawn from /dev/urandom, so pages
      # swapped out are not left readable on disk across reboots.
      randomEncryption = {
        enable = true;
        cipher = "aes-xts-plain64";
        source = "/dev/urandom";
      };
    }
  ];

  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";

  # pciutils/flashrom are hardware-inspection and firmware tools for the
  # apu2e4 board; both require root to do anything useful.
  environment.systemPackages = with pkgs; [
    pciutils
    flashrom
  ];
}