+ deployment = {
+ targetUser = "root";
+ targetHost = config.hostEnv.ips.main.ip4;
+ substituteOnDestination = true;
+ };
+ # ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age
+ secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ];
+ boot = {
+ kernelModules = [ "kvm-intel" ];
+ blacklistedKernelModules = [ "nvidiafb" ];
+ loader.timeout = 1;
+ loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+ kernel.sysctl = {
+ # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ "net.ipv4.tcp_sack" = 0;
+ };
+ supportedFilesystems = [ "zfs" ];
+ kernelParams = ["zfs.zfs_arc_max=6442450944"];
+ kernelPackages = pkgs.linuxPackages_latest;
+ initrd.availableKernelModules = [ "ahci" "sd_mod" ];
+ initrd.secrets = {
+ "/boot/pass.key" = "/boot/pass.key";
+ };
+ };
+ services.udev.extraRules = ''
+ ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
+ '';
+ nix.maxJobs = 8;
+ powerManagement.cpuFreqGovernor = "powersave";
+ myEnv = import ../../../nixops/secrets/environment.nix;
+
+ fileSystems = {
+ # pools:
+ # zpool: ashift=12
+ # zfast: ashift=12
+ # zfs:
+ # zpool/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
+ # zpool/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
+ # zpool/root/var: atime=on
+ # zfast/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
+ # zfast/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
+ # zfast/root/etc: ø
+ # zfast/root/nix: ø
+ # zfast/root/tmp: async=disabled
+ # zfast/root/var: atime=on
+ # zfast/root/var/lib: ø
+ # zfast/root/var/lib/mysql: logbias=throughput ; atime=off ; primarycache=metadata
+ # zfast/root/var/lib/postgresql: recordsize=8K ; atime=off ; logbias=throughput
+ # zfast/root/var/lib/postgresql/11.0: ø
+ # zfast/root/var/lib/postgresql/11.0/pg_wal: ø
+ "/" = { fsType = "zfs"; device = "zpool/root"; };
+ "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
+ "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
+ "/nix" = { fsType = "zfs"; device = "zfast/root/nix"; };
+ "/tmp" = { fsType = "zfs"; device = "zfast/root/tmp"; };
+ "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
+ "/var/lib/mysql" = { fsType = "zfs"; device = "zfast/root/var/lib/mysql"; };
+ "/var/lib/postgresql" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql"; };
+ "/var/lib/postgresql/11.0" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0"; };
+ "/var/lib/postgresql/11.0/pg_wal" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0/pg_wal"; };
+ };
+ swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
+ hardware.enableRedistributableFirmware = true;