Diffstat (limited to 'systems/zoldene/base.nix')
-rw-r--r-- | systems/zoldene/base.nix | 122 |
1 files changed, 122 insertions, 0 deletions
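--- /dev/null
+++ b/systems/zoldene/base.nix
@@ -0,0 +1,122 @@
+{ name, config, lib, pkgs, secrets, ... }:
+let
+# udev rules to be able to boot from qemu in a rescue
+udev-qemu-rules =
+let disks = config.disko.devices.disk;
+in builtins.concatStringsSep "\n" (lib.imap1 (i: d: ''
+SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}"
+SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="partition", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}-part%E{PARTN}"
+'') (builtins.attrNames disks));
+in
+{
+services.openssh = {
+settings.KbdInteractiveAuthentication = false;
+hostKeys = [
+{
+path = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
+type = "ed25519";
+}
+{
+path = "/persist/zpool/etc/ssh/ssh_host_rsa_key";
+type = "rsa";
+bits = 4096;
+}
+];
+};
+
+system.stateVersion = "23.05";
+
+# Useful when booting from qemu in rescue
+console = {
+earlySetup = true;
+keyMap = "fr";
+};
+
+services.udev.extraRules = udev-qemu-rules;
+fileSystems."/persist/zfast".neededForBoot = true;
+boot = {
+zfs.forceImportAll = true; # needed for the first boot after
+# install, because nixos-anywhere
+# doesn't export filesystems properly
+# after install (only affects fs not
+# needed for boot, see fsNeededForBoot
+# in nixos/lib/utils.nix
+kernelParams = [ "boot.shell_on_fail" ];
+loader.grub.devices = [
+config.disko.devices.disk.sda.device
+config.disko.devices.disk.sdb.device
+];
+extraModulePackages = [ ];
+kernelModules = [ "kvm-intel" ];
+supportedFilesystems = [ "zfs" ];
+kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+initrd = {
+postDeviceCommands = lib.mkAfter ''
+zfs rollback -r zfast/root@blank
+'';
+services.udev.rules = udev-qemu-rules;
+availableKernelModules = [ "e1000e" "ahci" "sd_mod" ];
+network = {
+enable = true;
+postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
+flushBeforeStage2 = true;
+ssh = {
+enable = true;
+port = 2222;
+authorizedKeys = config.users.extraUsers.root.openssh.authorizedKeys.keys;
+hostKeys = [
+"/boot/initrdSecrets/ssh_host_rsa_key"
+"/boot/initrdSecrets/ssh_host_ed25519_key"
+];
+};
+};
+};
+};
+networking = {
+hostId = "6251d3d5";
+firewall.enable = false;
+firewall.allowedUDPPorts = [ 43484 ];
+# needed for initrd proper network setup too
+useDHCP = lib.mkDefault true;
+
+wireguard.interfaces.wg0 = {
+generatePrivateKeyFile = true;
+privateKeyFile = "/persist/zpool/etc/wireguard/wg0";
+#presharedKeyFile = config.secrets.fullPaths."wireguard/preshared_key";
+listenPort = 43484;
+
+ips = [
+"192.168.1.25/24"
+];
+peers = [
+];
+};
+};
+
+powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+hardware.enableRedistributableFirmware = lib.mkDefault true;
+system.activationScripts.createDatasets = {
+deps = [ ];
+text = ''
+PATH=${pkgs.zfs}/bin:$PATH
+'' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: c: ''
+if ! zfs list "${c._parent.name}/${name}" 2>/dev/null >/dev/null; then
+${c._create { zpool = c._parent.name; }}
+fi
+'') (config.disko.devices.zpool.zfast.datasets // config.disko.devices.zpool.zpool.datasets));
+};
+
+secrets.keys."wireguard/preshared_key/eldiron" = {
+permissions = "0400";
+user = "root";
+group = "root";
+text = let
+key = builtins.concatStringsSep "_" (builtins.sort builtins.lessThan [ name "eldiron" ]);
+in
+"{{ .wireguard.preshared_keys.${key} }}";
+};
+secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
+# ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
+secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
+}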
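Review bot: `networking.firewall.enable = false;` on line 77 makes the `firewall.allowedUDPPorts = [ 43484 ];` on the next line a no-op, so the host currently exposes every listening service (sshd, and the WireGuard socket once peers are configured) rather than just the WireGuard port the allow-list suggests; unless the firewall is intentionally managed elsewhere, set `firewall.enable = true;` so the allow-list actually takes effect, or drop the allow-list and explain why the firewall is off. Related: `boot.zfs.forceImportAll = true;` on line 38 is described by its own comment as a first-boot workaround, but nothing limits it to the first boot, and it keeps the machine importing any pool it finds on every boot — worth a `# TODO: remove after first boot` marker or a `lib.mkDefault` so a later module can turn it off. The `secrets.keys."wireguard/preshared_key/eldiron"` entry (lines 110-118) is materialised on disk but nothing references it, since the only `presharedKeyFile` line (85) is commented out and `peers` is empty; either wire it into the peer definition or leave a comment stating it is pending.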