# NixOS host module: OpenSSH (stage 2 and initrd), ZFS boot with root rollback,
# IPv6/WireGuard networking and secret declarations for this machine.
# `secrets` and `pkgs-no-overlay` are non-standard module arguments supplied by
# the flake — their shape is not visible here.
{ name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
let
  # udev rules to be able to boot from qemu in a rescue
  # One rule pair per disko disk: the i-th disk (1-based, via imap1) is matched
  # on the QEMU serial "QM0000<i>" and symlinked under the device name disko
  # expects, so the disko layout resolves identically inside the rescue VM.
  udev-qemu-rules =
    let disks = config.disko.devices.disk;
    in builtins.concatStringsSep "\n" (lib.imap1 (i: d: ''
      SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}"
      SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="partition", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}-part%E{PARTN}"
    '') (builtins.attrNames disks));
in
{
  imports = [
    secrets.nixosModules.users-config-zoldene
    ./virtualisation.nix
    ./certificates.nix
    ./synapse.nix
  ];

  programs.ssh.package = pkgs.openssh;
  services.openssh = {
    # Disables keyboard-interactive logins on the stage-2 sshd.
    # NOTE(review): PasswordAuthentication is not set in this file, so whether
    # password logins are accepted depends on the NixOS default or another
    # module — confirm if key-only access is intended.
    settings.KbdInteractiveAuthentication = false;
    # Host keys live under /persist because the root dataset is rolled back to
    # @blank on every boot (see boot.initrd.postDeviceCommands below).
    hostKeys = [
      {
        path = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/persist/zpool/etc/ssh/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };

  system.stateVersion = "23.05";

  # Useful when booting from qemu in rescue
  console = {
    earlySetup = true;
    keyMap = "fr";
  };

  services.udev.extraRules = udev-qemu-rules;
  fileSystems."/persist/zfast".neededForBoot = true;
  boot = {
    zfs.forceImportAll = true; # needed for the first boot after
                               # install, because nixos-anywhere
                               # doesn't export filesystems properly
                               # after install (only affects fs not
                               # needed for boot, see fsNeededForBoot
                               # in nixos/lib/utils.nix
    # NOTE(review): boot.shell_on_fail hands an unauthenticated root shell to
    # whoever has console access when stage 1 fails; presumably accepted for
    # rescue convenience — confirm.
    kernelParams = [ "boot.shell_on_fail" ];
    loader.grub.devices = [
      config.disko.devices.disk.sda.device
      config.disko.devices.disk.sdb.device
    ];
    extraModulePackages = [ ];
    kernelModules = [ "kvm-intel" ];
    supportedFilesystems = [ "zfs" ];
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    initrd = {
      # Runs in stage 1 after devices appear: resets the root dataset to its
      # empty snapshot, so anything not under /persist does not survive a boot.
      postDeviceCommands = lib.mkAfter ''
        zfs rollback -r zfast/root@blank
      '';
      services.udev.rules = udev-qemu-rules;
      availableKernelModules = [ "e1000e" "ahci" "sd_mod" ];
      network = {
        enable = true;
        # Presents the LUKS passphrase prompt to whoever logs into the initrd
        # shell over SSH.
        postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
        flushBeforeStage2 = true;
        # Stage-1 sshd on a distinct port so clients can keep separate known_hosts
        # entries for the initrd and stage-2 host keys.
        ssh = {
          enable = true;
          port = 2222;
          authorizedKeys = config.users.extraUsers.root.openssh.authorizedKeys.keys;
          # NOTE(review): these keys sit on /boot, which is presumably not
          # encrypted; anyone with offline access to the disk can read them and
          # impersonate the initrd sshd — confirm this is accepted.
          hostKeys = [
            "/boot/initrdSecrets/ssh_host_rsa_key"
            "/boot/initrdSecrets/ssh_host_ed25519_key"
          ];
        };
      };
    };
  };
  networking = {
    # Required for ZFS pool ownership checks.
    hostId = "6251d3d5";
    # NOTE(review): with the firewall disabled, allowedUDPPorts below has no
    # effect — every port is reachable. Either re-enable the firewall and keep
    # the WireGuard port open here, or drop the allowedUDPPorts line so the
    # intent is not misread.
    firewall.enable = false;
    firewall.allowedUDPPorts = [ 43484 ];
    # needed for initrd proper network setup too
    useDHCP = lib.mkDefault true;
    # All ip6 entries from config.hostEnv.ips are assigned to the interface;
    # only the first address of the "main" entry gets a /64, the rest /128.
    interfaces."enp0s31f6".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
      config.hostEnv.ips);
    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp0s31f6";
    };
    nameservers = [
      "185.12.64.1"
      "185.12.64.2"
      "2a01:4ff:ff00::add:1"
      "2a01:4ff:ff00::add:2"
    ];

    # Private key is generated on first activation if the file is missing and
    # kept under /persist so it survives the root rollback.
    # No peers are declared here; presumably added by another module — verify,
    # otherwise the interface listens on 43484 with nothing to accept.
    wireguard.interfaces.wg0 = {
      generatePrivateKeyFile = true;
      privateKeyFile = "/persist/zpool/etc/wireguard/wg0";
      #presharedKeyFile = config.secrets.fullPaths."wireguard/preshared_key";
      listenPort = 43484;

      ips = [
        "192.168.1.25/24"
      ];
      peers = [
      ];
    };
  };

  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.enableRedistributableFirmware = lib.mkDefault true;
  # Creates any dataset declared in the disko zpools that does not exist yet.
  # `_parent` and `_create` are underscore-prefixed disko attributes — looks
  # like internal API, so this may break on a disko update; verify.
  system.activationScripts.createDatasets = {
    deps = [ ];
    text = ''
      PATH=${pkgs.zfs}/bin:$PATH
    '' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: c: ''
      if ! zfs list "${c._parent.name}/${name}" 2>/dev/null >/dev/null; then
        ${c._create { zpool = c._parent.name; }}
      fi
    '') (config.disko.devices.zpool.zfast.datasets // config.disko.devices.zpool.zpool.datasets));
  };

  # Pre-shared key shared with host "eldiron". The lookup key is the two host
  # names sorted and joined with "_", so both sides resolve the same template
  # entry regardless of which host evaluates it.
  # NOTE(review): this secret is declared but not referenced in this file (the
  # presharedKeyFile line above is commented out) — confirm it is consumed
  # elsewhere or drop it.
  secrets.keys."wireguard/preshared_key/eldiron" = {
    permissions = "0400";
    user = "root";
    group = "root";
    text = let
      key = builtins.concatStringsSep "_" (builtins.sort builtins.lessThan [ name "eldiron" ]);
    in
      "{{ .wireguard.preshared_keys.${key} }}";
  };
  # Secrets are decrypted with the persisted stage-2 ed25519 host key; the age
  # recipient below is that same key converted with ssh-to-age.
  secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
  # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
  secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];

  # Intentionally a no-op; kept so anything depending on this script still finds it.
  system.activationScripts.wrappers = {
    text = ''
      # wrappers was migrated to systemd, which happens before activation
    '';
  };

  # Pins the PostgreSQL major used by services on this host.
  nixpkgs.overlays = [
    (self: super: {
      postgresql_system = self.postgresql_16;
    })
  ];
}