1 { name, config, lib, pkgs, secrets, ... }:
3 # udev rules to be able to boot from qemu in a rescue
5 let disks = config.disko.devices.disk;
6 in builtins.concatStringsSep "\n" (lib.imap1 (i: d: ''
7 SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}"
8 SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="partition", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}-part%E{PARTN}"
9 '') (builtins.attrNames disks));
13 settings.KbdInteractiveAuthentication = false;
16 path = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
20 path = "/persist/zpool/etc/ssh/ssh_host_rsa_key";
27 system.stateVersion = "23.05";
29 # Useful when booting from qemu in rescue
35 services.udev.extraRules = udev-qemu-rules;
36 fileSystems."/persist/zfast".neededForBoot = true;
38 zfs.forceImportAll = true; # needed for the first boot after
39 # install, because nixos-anywhere
40 # doesn't export filesystems properly
41 # after install (only affects fs not
42 # needed for boot, see fsNeededForBoot
43 # in nixos/lib/utils.nix
44 kernelParams = [ "boot.shell_on_fail" ];
45 loader.grub.devices = [
46 config.disko.devices.disk.sda.device
47 config.disko.devices.disk.sdb.device
49 extraModulePackages = [ ];
50 kernelModules = [ "kvm-intel" ];
51 supportedFilesystems = [ "zfs" ];
52 kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
54 postDeviceCommands = lib.mkAfter ''
55 zfs rollback -r zfast/root@blank
57 services.udev.rules = udev-qemu-rules;
58 availableKernelModules = [ "e1000e" "ahci" "sd_mod" ];
61 postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
62 flushBeforeStage2 = true;
66 authorizedKeys = config.users.extraUsers.root.openssh.authorizedKeys.keys;
68 "/boot/initrdSecrets/ssh_host_rsa_key"
69 "/boot/initrdSecrets/ssh_host_ed25519_key"
77 firewall.enable = false;
78 firewall.allowedUDPPorts = [ 43484 ];
79 # needed for initrd proper network setup too
80 useDHCP = lib.mkDefault true;
82 wireguard.interfaces.wg0 = {
83 generatePrivateKeyFile = true;
84 privateKeyFile = "/persist/zpool/etc/wireguard/wg0";
85 #presharedKeyFile = config.secrets.fullPaths."wireguard/preshared_key";
96 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
97 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
98 hardware.enableRedistributableFirmware = lib.mkDefault true;
99 system.activationScripts.createDatasets = {
102 PATH=${pkgs.zfs}/bin:$PATH
103 '' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: c: ''
104 if ! zfs list "${c._parent.name}/${name}" 2>/dev/null >/dev/null; then
105 ${c._create { zpool = c._parent.name; }}
107 '') (config.disko.devices.zpool.zfast.datasets // config.disko.devices.zpool.zpool.datasets));
110 secrets.keys."wireguard/preshared_key/eldiron" = {
111 permissions = "0400";
115 key = builtins.concatStringsSep "_" (builtins.sort builtins.lessThan [ name "eldiron" ]);
117 "{{ .wireguard.preshared_keys.${key} }}";
119 secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
120 # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
121 secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
projects / perso / Immae / Config / Nix.git / blob