nix: add admin tools and setup shorewall
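# NixOS configuration for the "mermet" host, a PC Engines apu2e4:
# boot loader, initrd (remote ZFS key loading over ssh), kernel parameters,
# filesystems, swap, firewall zones and a couple of hardware tools.
#
# Secrets are read at evaluation time through the `pass` extra builtin;
# the initrd ssh host key is the one exception (see `hostECDSAKey` below).
{ pkgs, lib, config, ... }:
let
  # `pass` returns the content of an entry of the password store.
  inherit (builtins.extraBuiltins) pass;
in
{
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];

  boot.kernel = {
    sysctl = {
      # Prefer reclaiming page cache over swapping processes out.
      "vm.swappiness" = 10;
      "vm.vfs_cache_pressure" = 50;
    };
  };

  boot.loader = {
    grub = {
      enable = true;
      version = 2;
      copyKernels = true;
      # efiSupport = true;
      # Legacy (BIOS) boot from the SSD: GRUB is installed on the disk itself.
      devices = [
        "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
      ];
      /*
      mirroredBoots = [
        { devices = [ "${disk_id}" ];
          path = "/boot${bootnum}";
        }
      ];
      */
    };
    /*
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";
      efiInstallAsRemovable = false;
    };
    */
  };

  boot.initrd = {
    availableKernelModules = [
      "ahci"
      "ehci_pci"
      "sd_mod"
      "uas"
      # Ethernet driver, needed for `boot.initrd.network` below.
      "igb"
      # Make the AES modules available in the initrd,
      # to speed up the deciphering of the root.
      "aes_x86_64"
      "aesni_intel"
      "cryptd"
    ];
    kernelModules = [ ];
    network = {
      # This will use udhcp to get an ip address.
      # Make sure you have added the kernel module for your network driver to `boot.initrd.availableKernelModules`,
      # so your initrd can load it!
      # Static ip addresses might be configured using the ip argument in kernel command line:
      # https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
      enable = true;
      ssh = {
        enable = true;
        # To prevent ssh from freaking out because a different host key is used,
        # a different port for dropbear is useful (assuming the same host has also a normal sshd running)
        port = 2222;
        # dropbear uses key format different from openssh; can be generated by using:
        # $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
        # WARNING: this key will be in the NixOS store and the initrd and thus maybe on cleartext storage.
        # Unfortunately pass cannot be used here because the key is not a valid Nix string.
        # Consequences: treat it as a low-trust key — never reuse it as the main sshd
        # host key, and regenerate it if the store or the disk is ever exposed.
        # Clients should pin it separately (the distinct port helps keep the two
        # known_hosts entries apart).
        hostECDSAKey = ../../../.sec/dropbear/mermet.dropbear-ecdsa.key ;
        # public ssh key used for login
        authorizedKeys = [
          (pass "members/julm/ssh.pub")
        ];
      };
      # This will automatically load the zfs password prompt on login
      # and kill the other prompt so boot can continue.
      # The pkill zfs kills the zfs load-key from the console,
      # allowing the boot to continue.
      postCommands = ''
        echo >>/root/.profile "zfs load-key -a && pkill zfs"
      '';
    };

  };
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  boot.kernelParams = [
    # Always reboot (after 10 seconds) on a kernel panic,
    # to not have to physically go power cycle the apu2e4.
    # Which happens if the wrong ZFS password is used
    # but the boot is manually forced to continue.
    # Using kernelParams instead of kernel.sysctl
    # sets this up as soon as the initrd.
    "panic=10"
    "gfxpayload=text"
    # The apu2e4 has no video output: keep a console on the serial port (115200 8N1).
    "console=tty0"
    "console=ttyS0,115200n8"
    # DEBUG: "boot.shell_on_fail"
    # Cap the ZFS ARC so it does not starve the (small) RAM of this board.
    "zfs.zfs_arc_max=262144000" # 250 MiB
  ];

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
      fsType = "ext2";
    };

  # Mounted even though EFI booting is commented out above,
  # so the ESP stays available if the loader is switched to EFI later.
  fileSystems."/boot/efi" =
    { device = "/dev/disk/by-uuid/62E6-E65F";
      fsType = "vfat";
    };

  swapDevices =
    [ { device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
        # Encrypt swap with a key generated at each boot,
        # so nothing swapped out survives a reboot in cleartext.
        randomEncryption = {
          enable = true;
          cipher = "aes-xts-plain64";
          source = "/dev/urandom";
        };
      }
    ];

  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";

  # Firewall zones, one per physical interface.
  # NOTE(review): `networking.zones` is a project-level option (presumably consumed
  # by the shorewall module named in the commit message); its exact shape is
  # not visible from this file — confirm against the defining module.
  networking = {
    zones = {
      net = {
        iface = "enp1s0";
        #ipv4 = ipv4;
      };
      maint = {
        iface = "enp2s0";
        #ipv4 = ipv4;
        #ipv6 = "fe80::1";
      };
      unused = {
        iface = "enp3s0";
        #ipv4 = ipv4;
        #ipv6 = "fe80::1";
      };
    };
  };

  environment = {
    # Hardware inspection (lspci) and firmware read/write (flashrom)
    # for the board; both are administrative tools, not services.
    systemPackages = with pkgs; [
      pciutils
      flashrom
    ];
  };
}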