{ pkgs, lib, config, ... }:
let
  inherit (builtins) toPath;
  # Non-standard builtins supplied by a Nix plugin; presumably wrappers around
  # the `pass` password store — confirm against the plugin definition.
  inherit (builtins.extraBuiltins) pass pass-to-file;

  # The single disk GRUB is installed on.
  bootDisk = "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R";
  # Out-of-tree directory holding cleartext material needed at build time.
  secDir = toPath ../../../sec;
in
{
  imports = [ ];

  hardware.cpu.amd.updateMicrocode = true;

  boot = {
    kernel.sysctl = {
      "vm.swappiness" = 10;
      "vm.vfs_cache_pressure" = 50;
    };

    kernelModules = [ ];
    extraModulePackages = [ ];

    # Kernel command line. Unlike boot.kernel.sysctl, these are in effect
    # from the initrd onward.
    kernelParams = [
      # Reboot ten seconds after a kernel panic, so a wrong ZFS passphrase
      # followed by a forced boot does not require power-cycling the apu2e4 by hand.
      "panic=10"
      "gfxpayload=text"
      # Serial console only; the local tty is deliberately left out.
      #"console=tty0"
      "console=ttyS0,115200n8"
      # DEBUG only — keep disabled outside of troubleshooting:
      # "boot.shell_on_fail"
      "zfs.zfs_arc_max=262144000" # 250 MiB
    ];

    loader = {
      grub = {
        enable = true;
        version = 2;
        copyKernels = true;
        # efiSupport = true;
        devices = [ bootDisk ];
        # mirroredBoots = [ { devices = [ "${disk_id}" ]; path = "/boot${bootnum}"; } ];
      };
      # efi = {
      #   canTouchEfiVariables = true;
      #   efiSysMountPoint = "/boot/efi";
      #   efiInstallAsRemovable = false;
      # };
    };

    initrd = {
      kernelModules = [ ];
      availableKernelModules = [
        "ahci" "ehci_pci" "sd_mod" "uas"
        # Ethernet driver
        "igb"
        # AES modules available in the initrd, to speed up deciphering the root.
        "aes_x86_64" "aesni_intel" "cryptd"
      ];

      network = {
        enable = true;
        ssh = {
          enable = true;
          # Dropbear listens on its own port so clients do not see a host-key
          # mismatch against the regular sshd running on the same host.
          port = 2222;
          # Exposure of this host key, to keep in mind:
          # - the initrd is built on the host, so the key is cleartext there;
          # - the initrd (hence the key) ends up in the Nix store of the host
          #   and of the target, because GRUB does not support
          #   boot.initrd.secrets (only systemd-boot does, but GRUB is kept);
          # - the initrd lives on the unencrypted /boot so boot can be
          #   unattended, so anyone with physical access to that disk has the key.
          # NOTE: generated with `dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key`
          # NOTE(review): newer NixOS releases replace hostECDSAKey with
          # boot.initrd.network.ssh.hostKeys — check against the pinned nixpkgs.
          hostECDSAKey = pass-to-file "servers/mermet/dropbear/ecdsa.key"
            (secDir + "/tmp/dropbear-ecdsa.key");
          authorizedKeys = [ (pass "members/julm/ssh.pub") ];
        };
      };

      # On login over dropbear the ZFS passphrase is requested; once the
      # keys are loaded, the `zfs load-key` still waiting on the console is
      # killed so that boot can continue.
      postCommands = ''
        echo >>/root/.profile "zfs load-key -a && pkill zfs"
      '';
    };
  };

  fileSystems = {
    "/boot" = {
      device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
      fsType = "ext2";
    };
    "/boot/efi" = {
      device = "/dev/disk/by-uuid/62E6-E65F";
      fsType = "vfat";
    };
  };

  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
      # Swap encrypted with a key drawn from `source` (see the NixOS
      # randomEncryption option).
      randomEncryption = {
        enable = true;
        cipher = "aes-xts-plain64";
        source = "/dev/urandom";
      };
    }
  ];

  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";

  environment.systemPackages = [ pkgs.pciutils pkgs.flashrom ];
}