# NixOS host module: OpenSSH, ZFS root rolled back to a blank snapshot on
# every boot (state lives under /persist), remote unlock via SSH in the
# initrd, a WireGuard interface, and the secrets used to decrypt them.
# `name` is taken from the module arguments; it is presumably this host's
# name (used below to derive the preshared-key secret name) — confirm.
{ name, config, lib, pkgs, secrets, ... }:
let
# udev rules to be able to boot from qemu in a rescue
# Maps the i-th disko disk (QEMU serial QM0000<i>) to the device path disko
# expects (e.g. /dev/sda -> SYMLINK sda, sda-part1, ...), so the same disk
# names resolve when the installed image is booted under QEMU for rescue.
udev-qemu-rules =
let disks = config.disko.devices.disk;
in builtins.concatStringsSep "\n" (lib.imap1 (i: d: ''
SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}"
SUBSYSTEM=="block", KERNEL=="sd*", ENV{DEVTYPE}=="partition", ENV{ID_MODEL}=="QEMU_HARDDISK", ENV{ID_SERIAL_SHORT}=="QM0000${builtins.toString i}", SYMLINK+="${lib.removePrefix "/dev/" disks."${d}".device}-part%E{PARTN}"
'') (builtins.attrNames disks));
in
{
services.openssh = {
# Keyboard-interactive auth is off; PasswordAuthentication is not set here,
# so it keeps the NixOS module default — NOTE(review): confirm that default
# is the intended policy for this host.
settings.KbdInteractiveAuthentication = false;
# Host keys are kept under /persist so they survive the root rollback done
# in the initrd below; the ed25519 key doubles as the secrets decrypt key.
hostKeys = [
{
path = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/zpool/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
system.stateVersion = "23.05";
# Useful when booting from qemu in rescue
console = {
earlySetup = true;
keyMap = "fr";
};
# Same QEMU disk rules in stage 2 and (below) in the initrd.
services.udev.extraRules = udev-qemu-rules;
# /persist/zfast must be mounted in stage 1 so persisted state is available
# before the root rollback and the activation scripts run.
fileSystems."/persist/zfast".neededForBoot = true;
boot = {
zfs.forceImportAll = true; # needed for the first boot after
# install, because nixos-anywhere
# doesn't export filesystems properly
# after install (only affects fs not
# needed for boot, see fsNeededForBoot
# in nixos/lib/utils.nix
# NOTE(review): forceImportAll also imports pools that another host left
# marked as in use; presumably fine for a single-host setup — confirm.
# boot.shell_on_fail drops to an interactive shell in the initrd when
# stage 1 fails; anyone with console access gets that shell, so this is a
# rescue/physical-access trade-off rather than a remote exposure.
kernelParams = [ "boot.shell_on_fail" ];
# GRUB is installed on both disko disks (mirrored boot).
loader.grub.devices = [
config.disko.devices.disk.sda.device
config.disko.devices.disk.sdb.device
];
extraModulePackages = [ ];
kernelModules = [ "kvm-intel" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
initrd = {
# Impermanence: the root dataset is reset to its @blank snapshot on every
# boot, so anything not stored under /persist is discarded. mkAfter keeps
# the rollback after the device/pool import commands.
postDeviceCommands = lib.mkAfter ''
zfs rollback -r zfast/root@blank
'';
services.udev.rules = udev-qemu-rules;
availableKernelModules = [ "e1000e" "ahci" "sd_mod" ];
network = {
enable = true;
# Any SSH login to the initrd runs cryptsetup-askpass right away so the
# remote operator can enter the unlock passphrase.
postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
# Drop the initrd network configuration before stage 2 re-configures it.
flushBeforeStage2 = true;
ssh = {
enable = true;
# Distinct port from the stage-2 sshd; clients will also see a distinct
# host key on this port (see hostKeys below), which is expected.
port = 2222;
# Only root's stage-2 authorized keys may reach the unlock prompt.
authorizedKeys = config.users.extraUsers.root.openssh.authorizedKeys.keys;
# Initrd host keys are separate from the /persist keys above and live in
# /boot, which is presumably unencrypted — treat them as lower-trust and
# keep them out of any other trust decisions.
hostKeys = [
"/boot/initrdSecrets/ssh_host_rsa_key"
"/boot/initrdSecrets/ssh_host_ed25519_key"
];
};
};
};
};
networking = {
# Required by ZFS (stored in the pool's host identity).
hostId = "6251d3d5";
# NOTE(review): the host firewall is disabled, so allowedUDPPorts below has
# no effect and every listening service (WireGuard 43484, initrd SSH 2222,
# sshd) is reachable without filtering — confirm this is intended rather
# than a leftover from debugging.
firewall.enable = false;
firewall.allowedUDPPorts = [ 43484 ];
# needed for initrd proper network setup too
useDHCP = lib.mkDefault true;
wireguard.interfaces.wg0 = {
# The private key is generated on first activation and persisted.
generatePrivateKeyFile = true;
privateKeyFile = "/persist/zpool/etc/wireguard/wg0";
# The preshared key declared in secrets.keys below is not wired in while
# this line stays commented out.
#presharedKeyFile = config.secrets.fullPaths."wireguard/preshared_key";
listenPort = 43484;
ips = [
"192.168.1.25/24"
];
# No peers configured here; presumably added by another module — confirm.
peers = [
];
};
};
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.enableRedistributableFirmware = lib.mkDefault true;
# Creates any disko-declared dataset (on both pools) that does not yet exist,
# so datasets added to the disko config after install appear on the next
# activation. `_parent`/`_create` are disko-internal attributes — verify
# against the disko version in use before relying on them.
system.activationScripts.createDatasets = {
deps = [ ];
text = ''
PATH=${pkgs.zfs}/bin:$PATH
'' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: c: ''
if ! zfs list "${c._parent.name}/${name}" 2>/dev/null >/dev/null; then
${c._create { zpool = c._parent.name; }}
fi
'') (config.disko.devices.zpool.zfast.datasets // config.disko.devices.zpool.zpool.datasets));
};
# WireGuard preshared key shared with "eldiron". The two names are sorted so
# both ends derive the same template key regardless of which host renders it.
secrets.keys."wireguard/preshared_key/eldiron" = {
permissions = "0400";
user = "root";
group = "root";
text = let
key = builtins.concatStringsSep "_" (builtins.sort builtins.lessThan [ name "eldiron" ]);
in
"{{ .wireguard.preshared_keys.${key} }}";
};
# The persisted SSH host key is also the age identity that decrypts secrets:
# loss or exposure of this one file compromises both the host identity and
# every secret deployed here.
secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
# ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
# Public age recipient derived from the host key above (public material only).
secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
}