--- /dev/null
+{ name, config, lib, pkgs, secrets, ... }:
+let
+ # udev rules to be able to boot from qemu in a rescue
+ udev-qemu-rules =
+ let disks = config.disko.devices.disk;
+ in builtins.concatStringsSep "\n" (lib.imap1 (i: d: ''
+ SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}"
+ SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="partition", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}-part%E{PARTN}"
+ '') (builtins.attrNames disks));
+in
+{
+ services.openssh = {
+ settings.KbdInteractiveAuthentication = false;
+ hostKeys = [
+ {
+ path = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/zpool/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+ };
+
+ system.stateVersion = "23.05";
+
+ # Useful when booting from qemu in rescue
+ console = {
+ earlySetup = true;
+ keyMap = "fr";
+ };
+
+ services.udev.extraRules = udev-qemu-rules;
+ fileSystems."/persist/zfast".neededForBoot = true;
+ boot = {
+ zfs.forceImportAll = true; # needed for the first boot after
+ # install, because nixos-anywhere
+ # doesn't export filesystems properly
+ # after install (only affects fs not
+ # needed for boot, see fsNeededForBoot
+ # in nixos/lib/utils.nix
+ kernelParams = [ "boot.shell_on_fail" ];
+ loader.grub.devices = [
+ config.disko.devices.disk.sda.device
+ config.disko.devices.disk.sdb.device
+ ];
+ extraModulePackages = [ ];
+ kernelModules = [ "kvm-intel" ];
+ supportedFilesystems = [ "zfs" ];
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+ initrd = {
+ postDeviceCommands = lib.mkAfter ''
+ zfs rollback -r zfast/root@blank
+ '';
+ services.udev.rules = udev-qemu-rules;
+ availableKernelModules = [ "e1000e" "ahci" "sd_mod" ];
+ network = {
+ enable = true;
+ postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = config.users.extraUsers.root.openssh.authorizedKeys.keys;
+ hostKeys = [
+ "/boot/initrdSecrets/ssh_host_rsa_key"
+ "/boot/initrdSecrets/ssh_host_ed25519_key"
+ ];
+ };
+ };
+ };
+ };
+ networking = {
+ hostId = "6251d3d5";
+ firewall.enable = false;
+ firewall.allowedUDPPorts = [ 43484 ];
+ # needed for initrd proper network setup too
+ useDHCP = lib.mkDefault true;
+
+ wireguard.interfaces.wg0 = {
+ generatePrivateKeyFile = true;
+ privateKeyFile = "/persist/zpool/etc/wireguard/wg0";
+ #presharedKeyFile = config.secrets.fullPaths."wireguard/preshared_key";
+ listenPort = 43484;
+
+ ips = [
+ "192.168.1.25/24"
+ ];
+ peers = [
+ ];
+ };
+ };
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.enableRedistributableFirmware = lib.mkDefault true;
+ system.activationScripts.createDatasets = {
+ deps = [ ];
+ text = ''
+ PATH=${pkgs.zfs}/bin:$PATH
+ '' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: c: ''
+ if ! zfs list "${c._parent.name}/${name}" 2>/dev/null >/dev/null; then
+ ${c._create { zpool = c._parent.name; }}
+ fi
+ '') (config.disko.devices.zpool.zfast.datasets // config.disko.devices.zpool.zpool.datasets));
+ };
+
+ secrets.keys."wireguard/preshared_key/eldiron" = {
+ permissions = "0400";
+ user = "root";
+ group = "root";
+ text = let
+ key = builtins.concatStringsSep "_" (builtins.sort builtins.lessThan [ name "eldiron" ]);
+ in
+ "{{ .wireguard.preshared_keys.${key} }}";
+ };
+ secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
+ # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
+ secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
+}
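Review bot: `networking.firewall.enable = false;` on the line before `firewall.allowedUDPPorts = [ 43484 ];` makes the allowlist a no-op and leaves every listener — the initrd SSH on port 2222, the stage-2 sshd and the wireguard endpoint — reachable on all interfaces, which contradicts the apparent intent of opening only the wireguard port. If disabling the firewall is deliberate (rescue boots from qemu), drop the allowlist line and say so in a comment; otherwise `firewall.enable = true;` so the single UDP port is what gets exposed. Separately, `services.openssh.settings` only turns off `KbdInteractiveAuthentication`; unless overridden elsewhere in the host's configuration, password authentication stays at the module default, so `settings.PasswordAuthentication = false;` alongside it would make the key-only intent of the `hostKeys`/`authorizedKeys` setup explicit. The `boot.zfs.forceImportAll = true;` comment explains it is only needed for the first boot but not that it should be reverted afterwards; a `# TODO: remove after first successful boot` would keep that from becoming permanent.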