mermet: add unlock target.
# Hardware and boot configuration for the "mermet" apu2e4 host.
# Boot chain: legacy GRUB on a single SSD -> initrd with networking and a
# dropbear SSH server on port 2222 -> the operator logs in and runs
# `zfs load-key` to unlock the root pool, then stage 1 continues.
{ pkgs, lib, config, ... }:
let
  # `pass` / `pass-to-file` are not standard Nix builtins: they are provided
  # through `builtins.extraBuiltins` (extra-builtins plugin), so evaluating
  # this file requires that plugin to be configured on the evaluating machine.
  inherit (builtins.extraBuiltins) pass pass-to-file;
  inherit (config) networking;
  # Look up a login password in the password store as
  # <domainBase>/<hostName>/login/<name>. Currently unused in this file.
  userPass = name: pass "${networking.domainBase}/${networking.hostName}/login/${name}";
in
{
  imports =
    [ # Stock NixOS module for hardware the installer scan could not detect
      # (it turns on redistributable firmware by default).
      <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];

  boot.kernel = {
    sysctl = {
      # Reboot 20 seconds after a kernel panic, so nobody has to physically
      # power-cycle the apu2e4. Such a panic happens when the wrong ZFS
      # passphrase is given but the boot is manually forced to continue.
      "kernel.panic" = 20;

      # Prefer reclaiming page cache over swapping out processes, and keep
      # dentry/inode caches around a bit longer than the kernel default (100).
      "vm.swappiness" = 10;
      "vm.vfs_cache_pressure" = 50;
    };
  };

  boot.loader = {
    grub = {
      enable = true;
      # NOTE(review): `boot.loader.grub.version` has been deprecated/removed in
      # recent NixOS releases; confirm it still evaluates on the pinned nixpkgs.
      version = 2;
      # Copy kernels/initrds onto /boot so GRUB never needs to read the root pool.
      copyKernels = true;
      # Legacy BIOS boot is used; EFI stays disabled even though an ESP is
      # mounted at /boot/efi further below (that mount is currently inert).
      # efiSupport = true;
      # Stable by-id path, so a change in drive enumeration cannot point GRUB
      # at another disk.
      devices = [
        "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
      ];
      /*
      mirroredBoots = [
        { devices = [ "${disk_id}" ];
          path = "/boot${bootnum}";
        }
      ];
      */
    };
    /*
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";
      efiInstallAsRemovable = false;
    };
    */
  };

  boot.initrd = {
    availableKernelModules = [
      "ahci"
      "ehci_pci"
      "sd_mod"
      "uas"
      # Ethernet driver, needed so the initrd can bring the network up for dropbear.
      "igb"
      # AES modules made available in the initrd to speed up deciphering of the root.
      # NOTE(review): `aes_x86_64` was folded into the generic AES code on newer
      # kernels; confirm the module still exists for the running kernel, or drop it.
      "aes_x86_64"
      "aesni_intel"
      "cryptd"
    ];
    kernelModules = [ ];
    network = {
      # The initrd obtains an address with udhcp. The network driver must be in
      # `boot.initrd.availableKernelModules` (see "igb" above), or nothing comes up.
      # A static address can be passed with the `ip=` kernel argument instead:
      # https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
      enable = true;
      ssh = {
        enable = true;
        # The initrd dropbear has a different host key than the normal sshd of the
        # booted system; serving it on a separate port keeps the two known_hosts
        # entries apart and avoids host-key-changed warnings on the client.
        port = 2222;
        # dropbear uses a key format different from openssh; one can be generated with:
        #   $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
        # WARNING: this path is copied into the world-readable Nix store and into
        # the initrd stored on the unencrypted /boot, i.e. it is effectively
        # cleartext for anyone with local or disk access. Whoever obtains it can
        # impersonate the initrd SSH server and capture the ZFS passphrase the
        # operator types. `pass` cannot be used here: the key is binary, not a
        # valid Nix string.
        hostECDSAKey = ../../../.sec/dropbear/mermet.dropbear-ecdsa.key;
        # Public keys allowed to log into the initrd (and thus to enter the
        # passphrase). Only this key is accepted; the trailing GnuPG fingerprints
        # are informational comment text inside the key string.
        authorizedKeys = [
          # julm
          # readFile ../../../.pub/ssh/julm.ssh-rsa.pub
          "ssh-rsa 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 GnuPG pub=F2E027182397AC0775714F2AD15AF7F467E8299B sub=7819E44BAEEDE91683811BB00E1AAADBE227DDAA"
        ];
      };
      # /root/.profile here is the initrd's own, so every SSH login runs
      # `zfs load-key -a` (prompting for the pool passphrase over the SSH
      # session) and then `killall zfs` to terminate the console-side prompt,
      # letting stage 1 continue. With a wrong passphrase the boot then fails
      # and the kernel.panic setting above reboots the machine.
      postCommands = ''
        #zpool import rpool
        #/bin/ash
        echo "zfs load-key -a; killall zfs" >> /root/.profile
      '';
    };

  };
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  boot.kernelParams = [
    "gfxpayload=text"
    # Log to both the VGA console and the serial port.
    "console=tty0"
    "console=ttyS0,115200n8"
    # Left disabled on purpose: when set, a failing stage 1 drops an
    # unauthenticated root shell on the consoles above.
    # DEBUG: "boot.shell_on_fail"
    # Cap the ZFS ARC: 262144000 = 250 * 1024 * 1024 bytes (250 MiB).
    "zfs.zfs_arc_max=262144000"
  ];

  # Unencrypted boot partition: GRUB, kernels and the initrd (including the
  # dropbear host key referenced above) live here in cleartext.
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
      fsType = "ext2";
    };

  # ESP kept mounted, but not used for booting while efiSupport stays disabled.
  fileSystems."/boot/efi" =
    { device = "/dev/disk/by-uuid/62E6-E65F";
      fsType = "vfat";
    };

  swapDevices =
    [ { device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
        # Swap is encrypted with a fresh random key drawn at every boot, so
        # anything swapped out is unrecoverable after a reboot (this also rules
        # out resuming from hibernation).
        randomEncryption = {
          enable = true;
          cipher = "aes-xts-plain64";
          source = "/dev/urandom";
        };
      }
    ];

  # Defaults only: a host-level configuration may override these with plain assignments.
  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";

  environment = {
    systemPackages = with pkgs; [
      pciutils
      # For reading/flashing the board firmware (presumably coreboot on the apu2).
      flashrom
    ];
  };
}