# NixOS host module: boot loader, initrd (network + SSH so the ZFS root can be
# unlocked remotely), kernel parameters, file systems, swap and network zones.
# Secrets are fetched at evaluation time through the `pass` extra builtin, so
# whatever it returns becomes part of the evaluated configuration.
{ pkgs, lib, config, ... }:
let
  inherit (builtins.extraBuiltins) pass pass-to-file;
  inherit (config) networking;
  # Look up a user's login password for this host in the password store.
  # Defined here but not referenced by this module.
  userPass = name:
    pass "${networking.domainBase}/${networking.hostName}/login/${name}";
in
{
  imports = [ ];

  boot = {
    kernel.sysctl = {
      "vm.swappiness" = 10;
      "vm.vfs_cache_pressure" = 50;
    };

    loader = {
      grub = {
        enable = true;
        # NOTE(review): `boot.loader.grub.version` is deprecated in recent NixOS
        # releases (it only emits a warning there); confirm against the release
        # this host tracks.
        version = 2;
        copyKernels = true;
        # efiSupport = true;
        devices = [
          "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
        ];
        /*
        mirroredBoots = [
          { devices = [ "${disk_id}" ]; path = "/boot${bootnum}"; }
        ];
        */
      };
      /*
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot/efi";
        efiInstallAsRemovable = false;
      };
      */
    };

    initrd = {
      availableKernelModules = [
        "ahci" "ehci_pci" "sd_mod" "uas"
        # Ethernet driver; required for the initrd network below to come up.
        "igb"
        # AES modules in the initrd so deciphering the root is hardware-accelerated.
        "aes_x86_64" "aesni_intel" "cryptd"
      ];
      kernelModules = [ ];
      network = {
        # The initrd obtains an address with udhcp. The NIC driver must be listed
        # in `boot.initrd.availableKernelModules` or the initrd cannot load it.
        # A static address can be given with the `ip=` kernel argument instead:
        # https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
        enable = true;
        ssh = {
          enable = true;
          # A port distinct from the normal sshd avoids host-key mismatch warnings
          # on clients, since dropbear in the initrd uses a different host key.
          port = 2222;
          # Dropbear's key format differs from OpenSSH's; generate one with:
          #   $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
          # WARNING: this key is copied into the Nix store (world-readable) and into
          # the initrd, so it may end up on cleartext storage. Treat it as exposable
          # and never reuse it as the booted system's sshd host key.
          # `pass` cannot be used here because the key is not a valid Nix string.
          hostECDSAKey = ../../../.sec/dropbear/mermet.dropbear-ecdsa.key;
          # Public key(s) allowed to log in to the initrd's dropbear.
          authorizedKeys = [ (pass "members/julm/ssh.pub") ];
        };
        # On SSH login into the initrd: prompt for the ZFS key, then kill the
        # `zfs load-key` still waiting on the console so the boot can continue.
        postCommands = ''
          echo >>/root/.profile "zfs load-key -a && pkill zfs"
        '';
      };
    };

    kernelModules = [ ];
    extraModulePackages = [ ];

    kernelParams = [
      # Reboot 10 s after a kernel panic so the apu2e4 never needs a manual power
      # cycle. A panic happens when a wrong ZFS password is entered but the boot is
      # forced to continue. Set via kernelParams rather than kernel.sysctl so it is
      # already in effect during the initrd.
      "panic=10"
      "gfxpayload=text"
      "console=tty0"
      "console=ttyS0,115200n8"
      # DEBUG only: "boot.shell_on_fail" — if enabled, stage 1 drops to a root shell
      # in the initrd on failure; keep it off on a network-reachable host.
      "zfs.zfs_arc_max=262144000" # 250 MiB ARC cap
    ];
  };

  fileSystems = {
    "/boot" = {
      device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
      fsType = "ext2";
    };
    "/boot/efi" = {
      device = "/dev/disk/by-uuid/62E6-E65F";
      fsType = "vfat";
    };
  };

  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
      # Swap is encrypted with a key drawn from /dev/urandom at each boot, so its
      # contents cannot be recovered after a reboot.
      randomEncryption = {
        enable = true;
        cipher = "aes-xts-plain64";
        source = "/dev/urandom";
      };
    }
  ];

  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";

  # Interface roles. `networking.zones` is presumably provided by another module
  # of this configuration — it is not a stock NixOS option; verify where it is defined.
  networking.zones = {
    net = {
      iface = "enp1s0";
      #ipv4 = ipv4;
    };
    maint = {
      iface = "enp2s0";
      #ipv4 = ipv4;
      #ipv6 = "fe80::1";
    };
    unused = {
      iface = "enp3s0";
      #ipv4 = ipv4;
      #ipv6 = "fe80::1";
    };
  };

  environment.systemPackages = [ pkgs.pciutils pkgs.flashrom ];
}