{
imports = [
./modules.nix
+ ./defaults/predictable-interface-names.nix
];
config = {
nix = {
--- /dev/null
+# Use predictable interface names in stage-1 and stage-2.
+# DOC: https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
+#
+# Tip: names that can be given using ID_NET_NAME_* envvars
+# can be checked before hand with:
+# udevadm test-builtin net_id /sys/class/net/*
+
+{ pkgs, lib, config, ... }:
+let udevNetSetupLinkRules = pkgs.writeTextFile {
+ name = "80-net-setup-link.rules";
+ destination = "/etc/udev/rules.d/80-net-setup-link.rules";
+ text = ''
+ SUBSYSTEM!="net", GOTO="net_setup_link_end"
+
+ IMPORT{builtin}="path_id"
+
+ ACTION!="add", GOTO="net_setup_link_end"
+
+ # Load net_setup_link to setup the ID_NET_NAME_* envvars
+ IMPORT{builtin}="net_setup_link"
+
+ # Rename eth* using the "path" name policy (eg. enp1s0),
+ # Note that in stage-1 the envvar ID_NET_NAME is not set,
+ # hence not usable as in $${pkgs.systemd}/lib/udev/rules.d/80-net-setup-link.rules
+ # Because in stage-1 there is no /etc/systemd/network/*.link
+ # nor **/systemd/network/99-default.link
+ # to set NamePolicy= which is responsible to set ID_NET_NAME.
+ # Not sure if ATTR{type}=="1" and KERNEL=="eth*" are equivalent or not.
+ ATTR{type}=="1", KERNEL=="eth*", NAME="$env{ID_NET_NAME_PATH}"
+
+ LABEL="net_setup_link_end"
+ '';
+ };
+in
+{
+ networking = {
+ # Currently no-op.
+ # false would set boot.kernelParams = [ "net.ifnames=0" ];
+ # to disable NamePolicy= in *.link.
+ usePredictableInterfaceNames = true;
+ };
+
+ boot.initrd = {
+ extraUdevRulesCommands = ''
+ # Query hwdb to set some more ID_* in case someone need them for their rules.
+ cp -v ${pkgs.systemd}/lib/udev/rules.d/75-net-description.rules $out/
+
+ # The name set here in stage-1 by 80-net-setup-link.rules
+ # will stay in stage-2 (at least until the device is removed/added).
+ cp -v ${udevNetSetupLinkRules}/etc/udev/rules.d/80-net-setup-link.rules $out/
+ '';
+ };
+
+ services.udev.packages = [
+ # Only useful here in stage-2 if the device is removed and re-added
+ # (eg. the network module is rmmod-ed then modprobe-d).
+ # The stage-1 (or initrd) is only a pivot_root after all,
+ # it does not reload the kernel, hence passing to stage-2
+ # does not trigger ACTION=="add" for the net devices.
+ udevNetSetupLinkRules
+ ];
+
+ /* Useless block, only here for explanations.
+
+ # NixOS put this .link only in the root filesystem, not in the initrd
+ # hence it's only active in stage-2, not stage-1.
+ # And even in stage-2, the 80-net-setup-link.rules has priority.
+ # DOC: https://www.freedesktop.org/software/systemd/man/systemd.link.html
+ environment.etc."systemd/network/79-net-setup.link".text = ''
+ [Match]
+ OriginalName=*
+
+ [Link]
+ #NamePolicy=keep kernel database onboard slot path
+ NamePolicy=mac
+ MACAddressPolicy=persistent
+ '';
+ */
+}
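Review bot: The rename rule `ATTR{type}=="1", KERNEL=="eth*", NAME="$env{ID_NET_NAME_PATH}"` assigns the name without first checking that the variable is non-empty, whereas the upstream 80-net-setup-link.rules it is modelled on (cited in the comment just above) guards its NAME with `ENV{ID_NET_NAME}!=""`. For a device where net_setup_link yields no path-based name, this assigns an empty NAME and the interface presumably keeps its kernel `eth*` name, so any firewall rule or per-interface config keyed on the expected `enp*` name silently does not apply to it; prefer `ATTR{type}=="1", KERNEL=="eth*", ENV{ID_NET_NAME_PATH}!="", NAME="$env{ID_NET_NAME_PATH}"`. On the open question in the "Not sure if ... are equivalent" comment: as far as I know `ATTR{type}=="1"` (ARPHRD_ETHER) also matches devices the kernel names differently (e.g. `wlan*`), so the two conditions are not equivalent and keeping both is the conservative choice — worth rewording that comment to state this rather than leaving the doubt in place.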
};
defaults = {
- #imports = [ network/defaults.nix ];
+ #imports = [ nixos/defaults.nix ];
};
- #friot = import network/friot.nix;
- mermet = import network/mermet.nix;
+ #friot = import servers/friot.nix;
+ mermet = import servers/mermet.nix;
}
#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
NIXOPS_DEPLOYMENT := maintenance
mermet_disk := $(shell sed -ne 's/^device: \(.*\)/\1/p' machine/sfdisk.txt)
-mermet_cipher :=
-#mermet_cipher := aes-128-gcm
+#mermet_cipher :=
+mermet_cipher := aes-128-gcm
mermet_autotrim :=
mermet_reservation := 40G
#mermet_channel := $$(nix-env -p /nix/var/nix/profiles/per-user/$$USER/channels -q nixpkgs --no-name --out-path)
echo:
echo $(MAKEFILES)
-mermet-wipeout: mermet-umount
+wipeout: umount
sudo zpool labelclear -f $(mermet_disk)-part3 || true
sudo zpool labelclear -f $(mermet_disk)-part5 || true
sudo $$(which sgdisk) --zap-all $(mermet_disk)
-mermet-partition:
+partition:
sudo modprobe zfs
sudo $$(which sfdisk) $(mermet_disk) <machine/sfdisk.txt
sudo $$(which sgdisk) --randomize-guids $(mermet_disk)
sudo partprobe
-mermet-format:
+format:
# DOC: https://github.com/zfsonlinux/zfs/wiki/Debian-Buster-Root-on-ZFS
sudo mkdir -p /mnt/mermet
blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \
# Note: configured with a volatile key in mermet.nix
#blkid -t TYPE=crypto_LUKS $(mermet_disk)-part4; test $$? != 2 || \
#sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 $(mermet_disk)-part4
- #sudo cryptsetup luksOpen $(mermet_disk)-part4 mermet-swap
- #blkid -t TYPE=swap /dev/mapper/mermet--swap; test $$? != 2 || \
+ #sudo cryptsetup luksOpen $(mermet_disk)-part4 swap
+ #blkid -t TYPE=swap /dev/mapper/-swap; test $$? != 2 || \
#sudo mkswap --check --label swap
- #sudo cryptsetup luksClose $(mermet_disk)-part4 mermet-swap
+ #sudo cryptsetup luksClose $(mermet_disk)-part4 swap
# rpool
sudo zpool list rpool 2>/dev/null || \
sudo zpool create -o ashift=12 \
sync=disabled \
rpool/var/tmp
-mermet-mount:
+mount:
# scan needed zpools
#sudo zpool list bpool || \
#sudo zpool import -f bpool
done
sudo chmod 1777 /mnt/mermet/var/tmp
-mermet-bootstrap: mermet-mount
- sudo rm -rf /mnt/mermet/etc/nixos
+bootstrap: mount
#test "$$(sudo grub-probe /mnt/mermet/boot)" = zfs
# NOTE: nixos-install will install GRUB following mermet.nix
# BIOS
# --recheck \
# --no-floppy
- pass sourcephile/mermet/dropbear/host-ecdsa.key | \
+ pass servers/mermet/dropbear/host.key | \
sudo install -D -o root -g root -m 400 /dev/stdin \
- /mnt/mermet/etc/dropbear/host-ecdsa.key && \
- test -s /mnt/mermet/etc/dropbear/host-ecdsa.key
+ /mnt/mermet/etc/dropbear/host.key && \
+ test -s /mnt/mermet/etc/dropbear/host.key
#trap "test ! -e SHRED-ME || sudo find SHRED-ME -type f -exec shred -u {} + && sudo rm -rf SHRED-ME" EXIT ;
sudo \
--no-root-passwd \
--show-trace
-mermet-umount:
+umount:
for p in \
boot/efi \
boot \
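Review bot: The renamed `wipeout` target runs `sgdisk --zap-all $(mermet_disk)` and `zpool labelclear -f` with a disk name taken from `$(shell sed ... machine/sfdisk.txt)`, and nothing checks that the variable is non-empty or sane before the destructive commands run; an empty or truncated `device:` line in that file changes what gets wiped. A Make-level guard as the first recipe line, `$(if $(strip $(mermet_disk)),,$(error mermet_disk is empty: check machine/sfdisk.txt))`, fails before anything is touched. The rename also turns the targets into generic names (`mount`, `umount`, `format`, `bootstrap`) that can collide with files of the same name in the directory, so add `.PHONY: wipeout partition format mount bootstrap umount` near the top. The `umount` recipe's `for p in ...` loop continues past the end of this hunk.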
{
networking = {
interfaces.enp1s0.useDHCP = true;
- interfaces.enp2s0.useDHCP = true;
- interfaces.enp3s0.useDHCP = true;
+ #interfaces.enp2s0.useDHCP = true;
+ #interfaces.enp3s0.useDHCP = true;
};
}
{
networking = {
interfaces.enp1s0.useDHCP = true;
- interfaces.enp2s0.useDHCP = true;
- interfaces.enp3s0.useDHCP = true;
+ #interfaces.enp2s0.useDHCP = true;
+ #interfaces.enp3s0.useDHCP = true;
};
}
// lib.mkIf (builtins.hasAttr "mermet" nodes) {
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
+ boot.kernel = {
+ sysctl = {
+ # Always reboot on a kernel panic,
+ # to not have to physically go power cycle the apu2e4.
+ # Which happens if the wrong ZFS password is used
+ # but the boot is manually forced to continue.
+ "kernel.panic" = 20;
+
+ "vm.swappiness" = 10;
+ "vm.vfs_cache_pressure" = 50;
+ };
+ };
+
boot.loader = {
grub = {
enable = true;
"ehci_pci"
"sd_mod"
"uas"
+ # Ethernet driver
+ "igb"
# Made the AES modules available at initrd,
# to speedup the deciphering of the root.
"aes_x86_64"
"cryptd"
];
kernelModules = [ ];
+ network = {
+ # This will use udhcp to get an ip address.
+ # Make sure you have added the kernel module for your network driver to `boot.initrd.availableKernelModules`,
+ # so your initrd can load it!
+ # Static ip addresses might be configured using the ip argument in kernel command line:
+ # https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
+ enable = true;
+ ssh = {
+ enable = true;
+ # To prevent ssh from freaking out because a different host key is used,
+ # a different port for dropbear is useful (assuming the same host has also a normal sshd running)
+ port = 2222;
+ # dropbear uses key format different from openssh; can be generated by using:
+ # $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
+ # WARNING: this key will be in the NixOS store and the initrd and thus maybe on cleartext storage.
+ # Unfortunately pass cannot be used here because the key is not a valid Nix string.
+ hostECDSAKey = ../../../.sec/dropbear/mermet.dropbear-ecdsa.key ;
+ # public ssh key used for login
+ authorizedKeys = [
+ # julm
+ # readFile ../../../.pub/ssh/julm.ssh-rsa.pub
+ "ssh-rsa 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 GnuPG pub=F2E027182397AC0775714F2AD15AF7F467E8299B sub=7819E44BAEEDE91683811BB00E1AAADBE227DDAA"
+ ];
+ };
+ # this will automatically load the zfs password prompt on login
+ # and kill the other prompt so boot can continue
+ postCommands = ''
+ #zpool import rpool
+ #/bin/ash
+ echo "zfs load-key -a; killall zfs" >> /root/.profile
+ '';
+ };
+
};
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
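Review bot: The `postCommands` line `echo "zfs load-key -a; killall zfs" >> /root/.profile` chains with `;`, so when the passphrase typed over SSH is wrong, `zfs load-key -a` fails but `killall zfs` still kills the console prompt and the boot continues without the key — which looks like the forced-continue scenario that the `kernel.panic = 20` sysctl added in this same commit works around. Using `zfs load-key -a && killall zfs` keeps the console prompt alive on a failed attempt and lets the SSH user simply retry. Separately, the comment on `hostECDSAKey` already notes the key lands in the Nix store and the initrd; since the initrd lives on the separate (presumably unencrypted) `/boot` partition configured in this file, the practical consequence worth spelling out in that comment is that anyone with offline access to that partition can impersonate the stage-1 unlock prompt and capture the ZFS passphrase, so the port 2222 host key should be pinned on the client side (a dedicated `known_hosts` entry) and treated as low-trust.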
# DEBUG: "boot.shell_on_fail"
"zfs.zfs_arc_max=262144000" # 250Mo
];
- boot.kernel = {
- sysctl = {
- "vm.swappiness" = 10;
- "vm.vfs_cache_pressure" = 50;
- };
- };
-
- boot.initrd.network = {
- # This will use udhcp to get an ip address.
- # Make sure you have added the kernel module for your network driver to `boot.initrd.availableKernelModules`,
- # so your initrd can load it!
- # Static ip addresses might be configured using the ip argument in kernel command line:
- # https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
- enable = true;
- ssh = {
- enable = true;
- # To prevent ssh from freaking out because a different host key is used,
- # a different port for dropbear is useful (assuming the same host has also a normal sshd running)
- port = 2222;
- # dropbear uses key format different from openssh; can be generated by using:
- # $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
- # WARNING: this key will be in the NixOS store and the initrd and thus maybe on cleartext storage.
- # Unfortunately pass cannot be used here because the key is not a valid Nix string.
- hostECDSAKey = ../../../.sec/dropbear/mermet.dropbear-ecdsa.key ;
- # public ssh key used for login
- authorizedKeys = [
- # julm
- # readFile ../../../.pub/ssh/julm.ssh-rsa.pub
- "ssh-rsa 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 GnuPG pub=F2E027182397AC0775714F2AD15AF7F467E8299B sub=7819E44BAEEDE91683811BB00E1AAADBE227DDAA"
- ];
- };
- # this will automatically load the zfs password prompt on login
- # and kill the other prompt so boot can continue
- postCommands = ''
- #zpool import rpool
- echo "zfs load-key -a; killall zfs" >> /root/.profile
- '';
- };
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+
+ environment = {
+ systemPackages = with pkgs; [
+ pciutils
+ ];
+ };
}