servers/mermet/machine/apu2e4.nix

   1 { pkgs, lib, config, ... }:
   2 let inherit (builtins.extraBuiltins) pass pass-to-file;
   3     inherit (config) networking;
   4     userPass = name: pass "${networking.domainBase}/${networking.hostName}/login/${name}";
   5 in
   6 {
   7   imports =
   8     [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
   9     ];
  10
  11   boot.kernel = {
  12     sysctl = {
  13       "vm.swappiness" = 10;
  14       "vm.vfs_cache_pressure" = 50;
  15     };
  16   };
  17
  18   boot.loader = {
  19     grub = {
  20       enable = true;
  21       version = 2;
  22       copyKernels = true;
  23       # efiSupport = true;
  24       devices = [
  25         "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
  26       ];
  27       /*
  28       mirroredBoots = [
  29         { devices = [ "${disk_id}" ];
  30           path    = "/boot${bootnum}";
  31         }
  32       ];
  33       */
  34     };
  35     /*
  36     efi = {
  37       canTouchEfiVariables = true;
  38       efiSysMountPoint = "/boot/efi";
  39       efiInstallAsRemovable = false;
  40     };
  41     */
  42   };
  43
  44   boot.initrd = {
  45     availableKernelModules = [
  46       "ahci"
  47       "ehci_pci"
  48       "sd_mod"
  49       "uas"
  50       # Ethernet driver
  51       "igb"
  52       # Made the AES modules available at initrd,
  53       # to speedup the deciphering of the root.
  54       "aes_x86_64"
  55       "aesni_intel"
  56       "cryptd"
  57     ];
  58     kernelModules = [ ];
  59     network = {
  60       # This will use udhcp to get an ip address.
  61       # Make sure you have added the kernel module for your network driver to `boot.initrd.availableKernelModules`,
  62       # so your initrd can load it!
  63       # Static ip addresses might be configured using the ip argument in kernel command line:
  64       # https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
  65       enable = true;
  66       ssh = {
  67          enable = true;
  68          # To prevent ssh from freaking out because a different host key is used,
  69          # a different port for dropbear is useful (assuming the same host has also a normal sshd running)
  70          port = 2222;
  71          # dropbear uses key format different from openssh; can be generated by using:
  72          # $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
  73          # WARNING: this key will be in the NixOS store and the initrd and thus maybe on cleartext storage.
  74          # Unfortunately pass cannot be used here because the key is not a valid Nix string.
  75          hostECDSAKey = ../../../.sec/dropbear/mermet.dropbear-ecdsa.key ;
  76          # public ssh key used for login
  77          authorizedKeys = [
  78            # julm
  79            # readFile ../../../.pub/ssh/julm.ssh-rsa.pub
  80            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD5FtR++UPEg/5wFeyb2JSS09idTaDb4tMIRf1yxCsyIJEp5LQMif/fIptDeHoYc55lwy8vnWWN9PJpb6PS8YSaLLFV5tn8esR8Ml+evNCAD52Tdu1kPRXGLCSF5kSVnbAMoxqiNi8vRRKXwAzGgXmIUzDAE4QTsq3EwZM6cBnDx5O79wBIZ9va2TObL52qv+Vpi+QyINuslKKc+Osu92pdwceIGZUcwA6Y8aH6lavaTyDUQdSjMRMTAiXSPRjmHf1q+V7wENXT/TKXuuahN8NnJShX3Qf9hwNEIU46SOENsrRFQ5eYahAmqUIK4GbsERS2KRDxbvSOl7rKh2sauBxyKfkW/gxQ4LAyywxuumpI0pO7XmdINCGWdXS9gD216lcGuH/TC0KboiOVExh65eRIOeEFTec0VJQEqqnFul7u8YNPmbBpLnM+SQ3TAkdQmfasKgPIazFNCAnC8I9hKlGYpLk/Dgi/sVbwFeoOUQcaTBRnWKUCedX4v4kmPIHuHSNPV2C/0770gH2iJ1N1XEO3YDGiixuHHiLlCV8Ko950CoTh1PwDNCd3Qy/jR/QhE2waVPliFwl2+H6IkIxkUO8A9ktLCJUeaZJN3snoV+9hvpT1E2TrEccsTVx5BaGAJCUkvO2XYlEsNceIIitkrbhidjZvfZ4/czGUKoN1wSSpMw== GnuPG pub=F2E027182397AC0775714F2AD15AF7F467E8299B sub=7819E44BAEEDE91683811BB00E1AAADBE227DDAA"
  81          ];
  82       };
  83       # this will automatically load the zfs password prompt on login
  84       # and kill the other prompt so boot can continue
  85       # The pkill zfs kills the zfs load-key from the console
  86       # allowing the boot to continue.
  87       postCommands = ''
  88         #zpool import rpool
  89         #/bin/ash
  90         echo "zfs load-key -a && pkill zfs" >> /root/.profile
  91       '';
  92     };
  93
  94   };
  95   boot.kernelModules = [ ];
  96   boot.extraModulePackages = [ ];
  97   boot.kernelParams = [
  98     # Always reboot on a kernel panic,
  99     # to not have to physically go power cycle the apu2e4.
 100     # Which happens if the wrong ZFS password is used
 101     # but the boot is manually forced to continue.
 102     # Using kernelParams instead of kernel.sysctl
 103     # sets this up as soon as the initrd.
 104     "panic=10"
 105     "gfxpayload=text"
 106     "console=tty0"
 107     "console=ttyS0,115200n8"
 108     # DEBUG: "boot.shell_on_fail"
 109     "zfs.zfs_arc_max=262144000" # 250Mo
 110   ];
 111
 112   fileSystems."/boot" =
 113     { device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
 114       fsType = "ext2";
 115     };
 116
 117   fileSystems."/boot/efi" =
 118     { device = "/dev/disk/by-uuid/62E6-E65F";
 119       fsType = "vfat";
 120     };
 121
 122   swapDevices =
 123     [ { device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
 124         randomEncryption = {
 125           enable = true;
 126           cipher = "aes-xts-plain64";
 127           source = "/dev/urandom";
 128         };
 129       }
 130     ];
 131
 132   nix.maxJobs = lib.mkDefault 4;
 133   powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 134
 135   environment = {
 136     systemPackages = with pkgs; [
 137       pciutils
 138       flashrom
 139     ];
 140   };
 141 }