103 lines
3.4 KiB
Nix
103 lines
3.4 KiB
Nix
{ config, lib, pkgs, utils, ... }:
|
|
|
|
{
|
|
options.c3d2.baremetal = lib.mkEnableOption "baremetal";
|
|
|
|
config = let
|
|
initrdEd2219Key = "/etc/ssh/initrd/ssh_host_ed25519_key";
|
|
initrdRsaKey = "/etc/ssh/initrd/ssh_host_rsa_key";
|
|
in lib.mkIf config.c3d2.baremetal {
|
|
assertions = [
|
|
{
|
|
assertion = config.boot.initrd.network.ssh.enable -> (config.boot.initrd.availableKernelModules != []);
|
|
message = "boot.initrd.availableKernelModules must be set for initrd networking to reliably work!";
|
|
}
|
|
];
|
|
|
|
boot = {
|
|
initrd = {
|
|
# make sure to set availableKernelModules to the kernel module used by the connected interface(s) otherwise things will not work!
|
|
# the module can be found in a booted system by running `dmesg | rg "Link"` and looking at the first word after the date
|
|
availableKernelModules = [ "bridge" "bonding" "8021q" ];
|
|
network = {
|
|
ssh = {
|
|
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
|
hostKeys = [
|
|
initrdEd2219Key
|
|
initrdRsaKey
|
|
];
|
|
port = 4748;
|
|
};
|
|
postCommands = lib.mkIf (!config.boot.initrd.systemd.enable) ''
|
|
cat <<EOF > /root/.profile
|
|
cryptsetup-askpass
|
|
EOF
|
|
'';
|
|
};
|
|
systemd = {
|
|
enable = true;
|
|
inherit (config.systemd) network;
|
|
contents."/etc/profile".text = ''
|
|
systemd-tty-ask-password-agent
|
|
'';
|
|
services = lib.mkIf config.boot.zfs.enabled {
|
|
zfs-import-rpool = let
|
|
devices = map (name: "dev-mapper-${utils.escapeSystemdPath name}.device") (lib.attrNames config.boot.initrd.luks.devices);
|
|
in {
|
|
wants = devices;
|
|
after = devices;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
kernelParams = [
|
|
# "boot.shell_on_fail"
|
|
"zfs_force=1"
|
|
];
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
freeipmi
|
|
lshw
|
|
pciutils # lscpi
|
|
smartmontools # for smartctl
|
|
];
|
|
|
|
nix.settings.system-features = [
|
|
"kvm" "big-parallel" "nixos-test" "benchmark"
|
|
];
|
|
|
|
powerManagement.cpuFreqGovernor = "schedutil";
|
|
|
|
services = {
|
|
# just assume there are ssd's everywhere
|
|
fstrim.enable = true;
|
|
resolved.extraConfig = /* systemd */ ''
|
|
# don't cache NXDOMAIN which often happened for nix-cache.hq.c3d2.de after a restart
|
|
Cache=no-negative
|
|
'';
|
|
smartd.enable = true;
|
|
};
|
|
|
|
# this needs to be unconditional because the keys need to be inplace when activating the feature
|
|
system.activationScripts.generateInitrdOpensshHostKeys = let
|
|
sshKeygen = "${config.programs.ssh.package}/bin/ssh-keygen";
|
|
in lib.mkIf config.boot.initrd.network.enable ''
|
|
if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
|
|
echo "Generating initrd OpenSSH hostkeys..."
|
|
mkdir -m700 -p /etc/ssh/initrd/
|
|
${sshKeygen} -t ed25519 -N "" -f ${initrdEd2219Key}
|
|
${sshKeygen} -t rsa -b 4096 -N "" -f ${initrdRsaKey}
|
|
fi
|
|
|
|
if [[ -e ${initrdRsaKey} && $(${sshKeygen} -l -f ${initrdRsaKey} | ${pkgs.gawk}/bin/awk '{print $1}') == 3072 ]]; then
|
|
echo "Upgrading RSA initrd OpenSSH hostkey with only 3072 bit..."
|
|
rm -f ${initrdRsaKey} ${initrdRsaKey}.pub
|
|
${sshKeygen} -t rsa -b 4096 -N "" -f ${initrdRsaKey}
|
|
fi
|
|
'';
|
|
|
|
zramSwap.enable = true;
|
|
};
|
|
}
|