2023-09-13 17:20:18 +07:00
|
|
|
{ config
|
2024-07-16 02:09:35 +07:00
|
|
|
, lib
|
2024-07-13 06:05:08 +07:00
|
|
|
, pkgs
|
2023-09-13 17:20:18 +07:00
|
|
|
, router-config
|
2023-10-08 08:24:29 +07:00
|
|
|
, hardware
|
2024-07-13 06:05:08 +07:00
|
|
|
, ...
|
|
|
|
}:
|
2023-09-13 17:20:18 +07:00
|
|
|
|
|
|
|
let
|
2023-11-25 02:37:10 +07:00
|
|
|
uuids.enc = "15945050-df48-418b-b736-827749b9262a";
|
2023-12-09 00:38:25 +07:00
|
|
|
uuids.swap = "5c7f9e4e-c245-4ccb-98a2-1211ea7008e8";
|
2023-11-25 02:37:10 +07:00
|
|
|
uuids.boot = "0603-5955";
|
|
|
|
uuids.bch0 = "9f10b9ac-3102-4816-8f2c-e0526c2aa65b";
|
|
|
|
uuids.bch1 = "4ffed814-057c-4f9f-9a12-9d8ac6331e62";
|
|
|
|
uuids.bch2 = "e761df86-35ce-4586-9349-2d646fcb1b2a";
|
|
|
|
uuids.bch = "088a3d70-b54c-4437-8e01-feda6bfb7236";
|
|
|
|
parts = builtins.mapAttrs (k: v: "/dev/disk/by-uuid/${v}") uuids;
|
2023-09-13 17:20:18 +07:00
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
imports = [
|
|
|
|
../hardware/radxa-rock5a
|
2023-10-17 20:25:03 +07:00
|
|
|
../hosts/server
|
2023-10-08 08:24:29 +07:00
|
|
|
hardware.common-pc-ssd
|
|
|
|
];
|
|
|
|
|
|
|
|
boot.initrd.availableKernelModules = [
|
|
|
|
# network in initrd
|
|
|
|
"dwmac-rk"
|
|
|
|
# fde unlock in initrd
|
|
|
|
"dm_mod" "dm_crypt" "encrypted_keys"
|
2023-09-13 17:20:18 +07:00
|
|
|
];
|
|
|
|
|
2023-12-15 06:03:46 +07:00
|
|
|
systemd.enableEmergencyMode = false;
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
"net.core.default_qdisc" = "fq";
|
|
|
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
|
|
|
};
|
|
|
|
|
2024-07-13 06:43:05 +07:00
|
|
|
# as expected, systemd initrd didn't work well, and i really cba to debug it
|
2023-11-25 02:37:10 +07:00
|
|
|
networking.useDHCP = false;
|
|
|
|
networking.useNetworkd = true;
|
|
|
|
systemd.network = {
|
|
|
|
enable = true;
|
|
|
|
links."10-mac" = {
|
|
|
|
matchConfig.OriginalName = "e*";
|
|
|
|
linkConfig = {
|
|
|
|
MACAddressPolicy = "none";
|
|
|
|
MACAddress = router-config.router-settings.serverMac;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
networks."10-dhcp" = {
|
|
|
|
DHCP = "yes";
|
|
|
|
name = "e*";
|
2024-07-13 06:43:05 +07:00
|
|
|
networkConfig.IPv6AcceptRA = "yes";
|
2024-07-12 03:37:03 +07:00
|
|
|
dhcpV4Config = {
|
|
|
|
ClientIdentifier = "mac";
|
|
|
|
DUIDType = "link-layer";
|
|
|
|
};
|
2024-07-13 06:43:05 +07:00
|
|
|
dhcpV6Config.DUIDType = "link-layer";
|
2023-11-25 02:37:10 +07:00
|
|
|
};
|
2024-07-12 03:37:03 +07:00
|
|
|
};
|
2023-09-13 17:20:18 +07:00
|
|
|
|
|
|
|
boot.initrd = {
|
2024-07-13 06:05:08 +07:00
|
|
|
systemd = {
|
|
|
|
services.unlock-bcachefs-persist.enable = false;
|
|
|
|
enable = true;
|
|
|
|
network = {
|
|
|
|
enable = true;
|
|
|
|
links."10-mac" = {
|
|
|
|
matchConfig.OriginalName = "e*";
|
|
|
|
linkConfig = {
|
|
|
|
MACAddressPolicy = "none";
|
|
|
|
MACAddress = router-config.router-settings.serverInitrdMac;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
networks."10-dhcp" = {
|
|
|
|
DHCP = "yes";
|
|
|
|
name = "e*";
|
|
|
|
networkConfig = {
|
|
|
|
IPv6AcceptRA = "yes";
|
|
|
|
};
|
|
|
|
dhcpV4Config = {
|
|
|
|
ClientIdentifier = "mac";
|
|
|
|
DUIDType = "link-layer";
|
|
|
|
};
|
|
|
|
dhcpV6Config = {
|
|
|
|
DUIDType = "link-layer";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
network.enable = false;
|
2024-07-12 03:37:03 +07:00
|
|
|
network.flushBeforeStage2 = true;
|
2024-07-13 06:05:08 +07:00
|
|
|
systemd.initrdBin = [ pkgs.iproute2 pkgs.vim pkgs.bashInteractive pkgs.util-linux ];
|
|
|
|
systemd.storePaths = [ pkgs.vim pkgs.busybox ];
|
|
|
|
systemd.users.root.shell = "/bin/bash";
|
2023-09-13 17:20:18 +07:00
|
|
|
network.ssh = {
|
|
|
|
enable = true;
|
|
|
|
port = 22;
|
|
|
|
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
|
|
|
hostKeys = [
|
|
|
|
"/secrets/initrd/ssh_host_rsa_key"
|
|
|
|
"/secrets/initrd/ssh_host_ed25519_key"
|
|
|
|
];
|
|
|
|
};
|
2023-11-25 02:37:10 +07:00
|
|
|
luks.devices.cryptroot = {
|
|
|
|
device = parts.enc;
|
2023-09-13 17:20:18 +07:00
|
|
|
# idk whether this is needed but it works
|
|
|
|
preLVM = true;
|
|
|
|
# see https://asalor.blogspot.de/2011/08/trim-dm-crypt-problems.html before enabling
|
|
|
|
allowDiscards = true;
|
|
|
|
# improve SSD performance
|
|
|
|
bypassWorkqueues = true;
|
|
|
|
};
|
2023-11-25 02:37:10 +07:00
|
|
|
luks.devices.bch0 = { device = parts.bch0; preLVM = true; allowDiscards = true; bypassWorkqueues = true; };
|
|
|
|
luks.devices.bch1 = { device = parts.bch1; preLVM = true; allowDiscards = true; bypassWorkqueues = true; };
|
|
|
|
luks.devices.bch2 = { device = parts.bch2; preLVM = true; allowDiscards = true; bypassWorkqueues = true; };
|
2023-09-13 17:20:18 +07:00
|
|
|
};
|
|
|
|
|
2023-11-21 04:46:52 +07:00
|
|
|
boot.supportedFilesystems = [ "bcachefs" ];
|
|
|
|
|
2023-10-17 23:12:08 +07:00
|
|
|
fileSystems = let
|
|
|
|
neededForBoot = true;
|
|
|
|
in {
|
2023-12-18 08:48:49 +07:00
|
|
|
"/" = { device = "none"; fsType = "tmpfs"; inherit neededForBoot;
|
|
|
|
options = [ "defaults" "size=2G" "mode=755" ]; };
|
2023-09-13 17:20:18 +07:00
|
|
|
"/persist" =
|
2023-11-25 02:37:10 +07:00
|
|
|
{ device = "UUID=${uuids.bch}"; fsType = "bcachefs"; inherit neededForBoot;
|
2024-07-16 02:09:35 +07:00
|
|
|
# TODO: remove the if when systemd >= 257
|
|
|
|
options = let
|
|
|
|
dep = if lib.versionAtLeast config.boot.initrd.systemd.package.version "257" then "wants" else "requires";
|
|
|
|
in [
|
2024-07-15 02:31:35 +07:00
|
|
|
"degraded"
|
2024-07-13 06:05:08 +07:00
|
|
|
"errors=ro"
|
|
|
|
"x-systemd.device-timeout=0"
|
2024-07-16 02:09:35 +07:00
|
|
|
"x-systemd.${dep}=dev-mapper-bch0.device"
|
|
|
|
"x-systemd.${dep}=dev-mapper-bch1.device"
|
|
|
|
"x-systemd.${dep}=dev-mapper-bch2.device"
|
2024-07-13 06:05:08 +07:00
|
|
|
]; };
|
2023-11-25 02:37:10 +07:00
|
|
|
"/boot" = { device = parts.boot; fsType = "vfat"; inherit neededForBoot; };
|
2023-09-13 17:20:18 +07:00
|
|
|
};
|
|
|
|
|
2023-12-09 00:38:25 +07:00
|
|
|
swapDevices = [ { device = parts.swap; } ];
|
2023-10-17 23:12:08 +07:00
|
|
|
|
2023-12-09 00:38:25 +07:00
|
|
|
boot.kernel.sysctl = {
|
|
|
|
"vm.swappiness" = 10;
|
|
|
|
};
|
2023-10-17 23:12:08 +07:00
|
|
|
|
2023-09-13 17:20:18 +07:00
|
|
|
impermanence = {
|
|
|
|
enable = true;
|
|
|
|
path = /persist;
|
|
|
|
directories = [
|
|
|
|
{ directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
|
|
|
|
{ directory = /root; mode = "0700"; }
|
|
|
|
{ directory = /nix; }
|
|
|
|
];
|
|
|
|
};
|
|
|
|
}
|