1 { name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
3 # udev rules so that the system can be booted from qemu in a rescue environment
5 let disks = config.disko.devices.disk;
6 in builtins.concatStringsSep "\n" (lib.imap1 (i: d: ''
7 SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}"
8 SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="partition", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}-part%E{PARTN}"
9 '') (builtins.attrNames disks));
13 secrets.nixosModules.users-config-zoldene
19 programs.ssh.package = pkgs.openssh;
21 settings.KbdInteractiveAuthentication = false;
24 path = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
28 path = "/persist/zpool/etc/ssh/ssh_host_rsa_key";
35 system.stateVersion = "23.05";
37 # Useful when booting from qemu in a rescue environment
43 services.udev.extraRules = udev-qemu-rules;
44 fileSystems."/persist/zfast".neededForBoot = true;
46 zfs.forceImportAll = true; # needed for the first boot after
47 # install, because nixos-anywhere
48 # does not export the filesystems properly
49 # after install (this only affects filesystems not
50 # needed for boot, see fsNeededForBoot
51 # in nixos/lib/utils.nix)
52 kernelParams = [ "boot.shell_on_fail" ];
53 loader.grub.devices = [
54 config.disko.devices.disk.sda.device
55 config.disko.devices.disk.sdb.device
57 extraModulePackages = [ ];
58 kernelModules = [ "kvm-intel" ];
59 supportedFilesystems = [ "zfs" ];
60 kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
62 postDeviceCommands = lib.mkAfter ''
63 zfs rollback -r zfast/root@blank
65 services.udev.rules = udev-qemu-rules;
66 availableKernelModules = [ "e1000e" "ahci" "sd_mod" ];
69 postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
70 flushBeforeStage2 = true;
74 authorizedKeys = config.users.extraUsers.root.openssh.authorizedKeys.keys;
76 "/boot/initrdSecrets/ssh_host_rsa_key"
77 "/boot/initrdSecrets/ssh_host_ed25519_key"
85 firewall.enable = false;
86 firewall.allowedUDPPorts = [ 43484 ];
87 # also needed for proper network setup in the initrd
88 useDHCP = lib.mkDefault true;
89 interfaces."enp0s31f6".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
90 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
94 interface = "enp0s31f6";
99 "2a01:4ff:ff00::add:1"
100 "2a01:4ff:ff00::add:2"
103 wireguard.interfaces.wg0 = {
104 generatePrivateKeyFile = true;
105 privateKeyFile = "/persist/zpool/etc/wireguard/wg0";
106 #presharedKeyFile = config.secrets.fullPaths."wireguard/preshared_key";
117 powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
118 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
119 hardware.enableRedistributableFirmware = lib.mkDefault true;
120 system.activationScripts.createDatasets = {
123 PATH=${pkgs.zfs}/bin:$PATH
124 '' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: c: ''
125 if ! zfs list "${c._parent.name}/${name}" 2>/dev/null >/dev/null; then
126 ${c._create { zpool = c._parent.name; }}
128 '') (config.disko.devices.zpool.zfast.datasets // config.disko.devices.zpool.zpool.datasets));
131 secrets.keys."wireguard/preshared_key/eldiron" = {
132 permissions = "0400";
136 key = builtins.concatStringsSep "_" (builtins.sort builtins.lessThan [ name "eldiron" ]);
138 "{{ .wireguard.preshared_keys.${key} }}";
140 secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
141 # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
142 secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
144 system.activationScripts.wrappers = {
146 # wrappers were migrated to systemd, which runs before activation
152 postgresql_system = self.postgresql_16;