{ pkgs, lib, config, ... }:
let
  inherit (builtins) toPath;
  inherit (builtins.extraBuiltins) pass pass-to-file;
  # Out-of-repository directory holding secrets (see hostECDSAKey below).
  # toPath yields a string, so appending the file name is plain concatenation.
  secDir = toPath ../../../sec;
in
{
  # Hardware configuration for the apu2e4 host (hardware-scan module included).
  imports = [
    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
  ];

  hardware.cpu.amd.updateMicrocode = true;

  boot = {
    kernel.sysctl = {
      "vm.swappiness" = 10;
      "vm.vfs_cache_pressure" = 50;
    };

    loader.grub = {
      enable = true;
      version = 2;
      copyKernels = true;
      # efiSupport = true;
      devices = [
        "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
      ];
      /*
      mirroredBoots = [
        { devices = [ "${disk_id}" ];
          path = "/boot${bootnum}";
        }
      ];
      */
    };
    /*
    loader.efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";
      efiInstallAsRemovable = false;
    };
    */

    initrd = {
      availableKernelModules = [
        "ahci"
        "ehci_pci"
        "sd_mod"
        "uas"
        # Ethernet driver, needed so the initrd can bring up the network.
        "igb"
        # AES modules in the initrd, to speed up deciphering the root filesystem.
        "aes_x86_64"
        "aesni_intel"
        "cryptd"
      ];
      kernelModules = [ ];

      network = {
        enable = true;
        ssh = {
          enable = true;
          # A port distinct from the regular sshd of the same host, so that
          # ssh clients do not complain about a differing host key.
          port = 2222;
          # The initrd is built on the build host and cannot carry an encrypted
          # secret (GRUB does not support boot.initrd.secrets, only systemd-boot
          # does), so this key is written in cleartext: it ends up in the Nix
          # store of the build host and of the target, and in the unencrypted
          # /boot partition that allows unattended boots. Anyone with physical
          # access to the disk holding /boot can therefore read it.
          # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
          #hostECDSAKey = "../../../sec/tmp/dropbear-ecdsa.key";
          #hostECDSAKey = ../../.sec/dropbear/mermet.dropbear-ecdsa.key ;
          hostECDSAKey =
            pass-to-file "servers/mermet/dropbear/ecdsa.key"
              (secDir + "/tmp/dropbear-ecdsa.key");
          # Public key allowed to reach the initrd ssh; presumably fetched from
          # the password store at evaluation time by the `pass` extra builtin.
          authorizedKeys = [
            (pass "members/julm/ssh.pub")
          ];
        };
        # On login to the initrd shell, load the ZFS keys and kill the
        # `zfs load-key` prompt running on the console, so the boot can go on.
        postCommands = ''
          echo >>/root/.profile "zfs load-key -a && pkill zfs"
        '';
      };
    };

    kernelModules = [ ];
    extraModulePackages = [ ];
    kernelParams = [
      # Reboot automatically after a kernel panic, to avoid having to
      # physically power cycle the apu2e4 (e.g. when the boot is forced to
      # continue after a wrong ZFS password). Set as a kernel parameter
      # rather than through kernel.sysctl so it applies from the initrd on.
      "panic=10"
      "gfxpayload=text"
      #"console=tty0"
      "console=ttyS0,115200n8"
      # DEBUG: "boot.shell_on_fail"
      "zfs.zfs_arc_max=262144000" # 250Mo
    ];
  };

  fileSystems = {
    "/boot" = {
      device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
      fsType = "ext2";
    };
    "/boot/efi" = {
      device = "/dev/disk/by-uuid/62E6-E65F";
      fsType = "vfat";
    };
  };

  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
      # Swap is encrypted with a fresh random key at every boot.
      randomEncryption = {
        enable = true;
        cipher = "aes-xts-plain64";
        source = "/dev/urandom";
      };
    }
  ];

  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";

  environment.systemPackages = [
    pkgs.pciutils
    pkgs.flashrom
  ];
}