projects / perso / Immae / Config / Nix.git / blame
| Commit | Line | Data |
|---|---|---|
| d3a40bd9 | 1 | { name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }: |
| 1a64deeb IB |
2 | let |
| 3 | # udev rules to be able to boot from qemu in a rescue | |
| 4 | udev-qemu-rules = | |
| 5 | let disks = config.disko.devices.disk; | |
| 6 | in builtins.concatStringsSep "\n" (lib.imap1 (i: d: '' | |
| 7 | SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}" | |
| 8 | SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="partition", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}-part%E{PARTN}" | |
| 9 | '') (builtins.attrNames disks)); | |
| 10 | in | |
| 11 | { | |
| d3a40bd9 IB |
12 | imports = [ |
| 13 | secrets.nixosModules.users-config-zoldene | |
| 14 | ./virtualisation.nix | |
| 15 | ./certificates.nix | |
| 16 | ]; | |
| 17 | ||
| 1a64deeb IB |
18 | services.openssh = { |
| 19 | settings.KbdInteractiveAuthentication = false; | |
| 20 | hostKeys = [ | |
| 21 | { | |
| 22 | path = "/persist/zpool/etc/ssh/ssh_host_ed25519_key"; | |
| 23 | type = "ed25519"; | |
| 24 | } | |
| 25 | { | |
| 26 | path = "/persist/zpool/etc/ssh/ssh_host_rsa_key"; | |
| 27 | type = "rsa"; | |
| 28 | bits = 4096; | |
| 29 | } | |
| 30 | ]; | |
| 31 | }; | |
| 32 | ||
| 33 | system.stateVersion = "23.05"; | |
| 34 | ||
| 35 | # Useful when booting from qemu in rescue | |
| 36 | console = { | |
| 37 | earlySetup = true; | |
| 38 | keyMap = "fr"; | |
| 39 | }; | |
| 40 | ||
| 41 | services.udev.extraRules = udev-qemu-rules; | |
| 42 | fileSystems."/persist/zfast".neededForBoot = true; | |
| 43 | boot = { | |
| 44 | zfs.forceImportAll = true; # needed for the first boot after | |
| 45 | # install, because nixos-anywhere | |
| 46 | # doesn't export filesystems properly | |
| 47 | # after install (only affects fs not | |
| 48 | # needed for boot, see fsNeededForBoot | |
| 49 | # in nixos/lib/utils.nix | |
| 50 | kernelParams = [ "boot.shell_on_fail" ]; | |
| 51 | loader.grub.devices = [ | |
| 52 | config.disko.devices.disk.sda.device | |
| 53 | config.disko.devices.disk.sdb.device | |
| 54 | ]; | |
| 55 | extraModulePackages = [ ]; | |
| 56 | kernelModules = [ "kvm-intel" ]; | |
| 57 | supportedFilesystems = [ "zfs" ]; | |
| 58 | kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; | |
| 59 | initrd = { | |
| 60 | postDeviceCommands = lib.mkAfter '' | |
| 61 | zfs rollback -r zfast/root@blank | |
| 62 | ''; | |
| 63 | services.udev.rules = udev-qemu-rules; | |
| 64 | availableKernelModules = [ "e1000e" "ahci" "sd_mod" ]; | |
| 65 | network = { | |
| 66 | enable = true; | |
| 67 | postCommands = "echo 'cryptsetup-askpass' >> /root/.profile"; | |
| 68 | flushBeforeStage2 = true; | |
| 69 | ssh = { | |
| 70 | enable = true; | |
| 71 | port = 2222; | |
| 72 | authorizedKeys = config.users.extraUsers.root.openssh.authorizedKeys.keys; | |
| 73 | hostKeys = [ | |
| 74 | "/boot/initrdSecrets/ssh_host_rsa_key" | |
| 75 | "/boot/initrdSecrets/ssh_host_ed25519_key" | |
| 76 | ]; | |
| 77 | }; | |
| 78 | }; | |
| 79 | }; | |
| 80 | }; | |
| 81 | networking = { | |
| 82 | hostId = "6251d3d5"; | |
| 83 | firewall.enable = false; | |
| 84 | firewall.allowedUDPPorts = [ 43484 ]; | |
| 85 | # needed for initrd proper network setup too | |
| 86 | useDHCP = lib.mkDefault true; | |
| 87 | ||
| 88 | wireguard.interfaces.wg0 = { | |
| 89 | generatePrivateKeyFile = true; | |
| 90 | privateKeyFile = "/persist/zpool/etc/wireguard/wg0"; | |
| 91 | #presharedKeyFile = config.secrets.fullPaths."wireguard/preshared_key"; | |
| 92 | listenPort = 43484; | |
| 93 | ||
| 94 | ips = [ | |
| 95 | "192.168.1.25/24" | |
| 96 | ]; | |
| 97 | peers = [ | |
| 98 | ]; | |
| 99 | }; | |
| 100 | }; | |
| 101 | ||
| 102 | powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; | |
| 103 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; | |
| 104 | hardware.enableRedistributableFirmware = lib.mkDefault true; | |
| 105 | system.activationScripts.createDatasets = { | |
| 106 | deps = [ ]; | |
| 107 | text = '' | |
| 108 | PATH=${pkgs.zfs}/bin:$PATH | |
| 109 | '' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: c: '' | |
| 110 | if ! zfs list "${c._parent.name}/${name}" 2>/dev/null >/dev/null; then | |
| 111 | ${c._create { zpool = c._parent.name; }} | |
| 112 | fi | |
| 113 | '') (config.disko.devices.zpool.zfast.datasets // config.disko.devices.zpool.zpool.datasets)); | |
| 114 | }; | |
| 115 | ||
| 116 | secrets.keys."wireguard/preshared_key/eldiron" = { | |
| 117 | permissions = "0400"; | |
| 118 | user = "root"; | |
| 119 | group = "root"; | |
| 120 | text = let | |
| 121 | key = builtins.concatStringsSep "_" (builtins.sort builtins.lessThan [ name "eldiron" ]); | |
| 122 | in | |
| 123 | "{{ .wireguard.preshared_keys.${key} }}"; | |
| 124 | }; | |
| 125 | secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key"; | |
| 126 | # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age | |
| 127 | secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ]; | |
| d3a40bd9 IB |
128 | |
| 129 | ||
| 1a64deeb | 130 | } |