# Base configuration of the "zoldene" host: SSH host keys, boot/initrd (remote
# unlock over SSH, ephemeral ZFS root), networking, WireGuard, ZFS dataset
# creation and secrets wiring. `pkgs-no-overlay` is accepted but not used in
# this file.
{ name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
let
  # udev rules to be able to boot from qemu in a rescue
  # One rule pair per disko disk: QEMU serials QM00001, QM00002, ... are mapped
  # back to the device names disko declares (sda, sdb, see loader.grub.devices),
  # plus the matching "-partN" symlinks, so the same config boots under qemu.
  # Used for stage 1 (boot.initrd.services.udev.rules) and stage 2
  # (services.udev.extraRules) alike.
  udev-qemu-rules =
    let disks = config.disko.devices.disk;
    in builtins.concatStringsSep "\n" (lib.imap1 (i: d: ''
      SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}"
      SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="partition", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}-part%E{PARTN}"
    '') (builtins.attrNames disks));
in
{
  imports = [
    secrets.nixosModules.users-config-zoldene
    ./virtualisation.nix
    ./certificates.nix
    ./synapse.nix
  ];

  services.openssh = {
    # Keyboard-interactive logins are off. PasswordAuthentication is not set
    # here, so it keeps the module default — NOTE(review): confirm key-only
    # access is what is intended for this host.
    settings.KbdInteractiveAuthentication = false;
    # Host keys live on the persistent pool, outside the root dataset that is
    # rolled back in boot.initrd.postDeviceCommands below, so they stay stable
    # across reboots. These are distinct from the initrd host keys in /boot.
    hostKeys = [
      {
        path = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/persist/zpool/etc/ssh/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };

  system.stateVersion = "23.05";

  # Useful when booting from qemu in rescue
  console = {
    earlySetup = true;
    keyMap = "fr";
  };

  services.udev.extraRules = udev-qemu-rules;
  # Mounted in stage 1 so its contents are available early in boot.
  fileSystems."/persist/zfast".neededForBoot = true;
  boot = {
    zfs.forceImportAll = true; # needed for the first boot after
                               # install, because nixos-anywhere
                               # doesn't export filesystems properly
                               # after install (only affects fs not
                               # needed for boot, see fsNeededForBoot
                               # in nixos/lib/utils.nix
                               # NOTE(review): this is applied on every
                               # boot, not only the first one; consider
                               # dropping it once the host is installed.
    # Opens an initrd shell when stage 1 fails. Anyone with console access
    # gets that shell; this is intended for the qemu rescue boots above.
    kernelParams = [ "boot.shell_on_fail" ];
    # GRUB is installed on both disko disks.
    loader.grub.devices = [
      config.disko.devices.disk.sda.device
      config.disko.devices.disk.sdb.device
    ];
    extraModulePackages = [ ];
    kernelModules = [ "kvm-intel" ];
    supportedFilesystems = [ "zfs" ];
    # Pin the kernel to the newest series the ZFS package supports.
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    initrd = {
      # Ephemeral root: once devices are up, the root dataset is reset to its
      # empty snapshot on every boot. State meant to survive lives under
      # /persist (see the paths used throughout this file).
      postDeviceCommands = lib.mkAfter ''
        zfs rollback -r zfast/root@blank
      '';
      # Same qemu device mapping as in stage 2.
      services.udev.rules = udev-qemu-rules;
      availableKernelModules = [ "e1000e" "ahci" "sd_mod" ];
      # Networking in stage 1 so the encrypted volume can presumably be
      # unlocked remotely over SSH (cryptsetup itself is configured elsewhere).
      network = {
        enable = true;
        # Every login on the initrd SSH server is prompted for the passphrase.
        postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
        # Tear the stage-1 interface configuration down before stage 2
        # configures networking itself.
        flushBeforeStage2 = true;
        ssh = {
          enable = true;
          port = 2222;
          # Reuse root's authorized keys for the initrd SSH server.
          authorizedKeys = config.users.extraUsers.root.openssh.authorizedKeys.keys;
          # NOTE(review): these keys are read before any volume is unlocked,
          # so they presumably sit in the clear on the boot device; that is
          # why they are kept separate from the main host keys under /persist.
          # Confirm how /boot is protected on this host.
          hostKeys = [
            "/boot/initrdSecrets/ssh_host_rsa_key"
            "/boot/initrdSecrets/ssh_host_ed25519_key"
          ];
        };
      };
    };
  };
  networking = {
    # Required for ZFS pool import; must stay stable for this host.
    hostId = "6251d3d5";
    # NOTE(review): the firewall is disabled, so allowedUDPPorts below has no
    # effect until it is enabled again. 43484 matches the WireGuard
    # listenPort further down.
    firewall.enable = false;
    firewall.allowedUDPPorts = [ 43484 ];
    # needed for initrd proper network setup too
    useDHCP = lib.mkDefault true;
    # Static IPv6 addresses from hostEnv: the first address of the "main"
    # entry gets a /64, every other address a /128.
    interfaces."enp0s31f6".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
      config.hostEnv.ips);
    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp0s31f6";
    };
    nameservers = [
      "185.12.64.1"
      "185.12.64.2"
      "2a01:4ff:ff00::add:1"
      "2a01:4ff:ff00::add:2"
    ];

    wireguard.interfaces.wg0 = {
      # The private key is generated on first use and kept on the persistent
      # pool so it survives the root rollback.
      generatePrivateKeyFile = true;
      privateKeyFile = "/persist/zpool/etc/wireguard/wg0";
      #presharedKeyFile = config.secrets.fullPaths."wireguard/preshared_key";
      listenPort = 43484;

      ips = [
        "192.168.1.25/24"
      ];
      # No peers yet: the "eldiron" preshared key provisioned under
      # secrets.keys below is not consumed by anything in this file.
      peers = [
      ];
    };
  };

  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.enableRedistributableFirmware = lib.mkDefault true;
  # Create every disko-declared dataset of both pools that does not exist yet
  # (idempotent: datasets `zfs list` already finds are skipped). `name` here is
  # the dataset name and shadows the module argument. Relies on disko's
  # internal `_parent`/`_create` attributes — NOTE(review): private API that
  # may change with disko upgrades. Datasets sharing a name in both pools
  # collide in the `//` merge below (zpool's entry wins) — confirm none do.
  system.activationScripts.createDatasets = {
    deps = [ ];
    text = ''
      PATH=${pkgs.zfs}/bin:$PATH
    '' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: c: ''
      if ! zfs list "${c._parent.name}/${name}" 2>/dev/null >/dev/null; then
        ${c._create { zpool = c._parent.name; }}
      fi
    '') (config.disko.devices.zpool.zfast.datasets // config.disko.devices.zpool.zpool.datasets));
  };

  # Preshared key for the WireGuard tunnel with host "eldiron", rendered from
  # the secrets template, root-only readable. The two host names are sorted
  # before being joined, presumably so both ends derive the same template key.
  secrets.keys."wireguard/preshared_key/eldiron" = {
    permissions = "0400";
    user = "root";
    group = "root";
    text = let
      key = builtins.concatStringsSep "_" (builtins.sort builtins.lessThan [ name "eldiron" ]);
    in
      "{{ .wireguard.preshared_keys.${key} }}";
  };
  # The host's ed25519 SSH key doubles as the age identity used to decrypt
  # secrets; the public age key below is derived from it with the command
  # given in the next comment.
  secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
  # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
  secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];

  # Placeholder activation script; the comment inside is part of the script
  # text and explains why nothing runs here anymore.
  system.activationScripts.wrappers = {
    text = ''
      # wrappers was migrated to systemd, which happens before activation
    '';
  };

  nixpkgs.overlays = [
    (self: super: {
      # Single alias selecting the PostgreSQL major version for this host.
      postgresql_system = self.postgresql_16;
    })
  ];
}