2023-09-13 17:20:18 +07:00
|
|
|
{ config
|
|
|
|
, lib
|
|
|
|
, router-config
|
2023-10-08 08:24:29 +07:00
|
|
|
, hardware
|
2023-09-13 17:20:18 +07:00
|
|
|
, ... }:
|
|
|
|
|
|
|
|
let
|
2023-11-25 02:37:10 +07:00
|
|
|
uuids.enc = "15945050-df48-418b-b736-827749b9262a";
|
2023-12-09 00:38:25 +07:00
|
|
|
uuids.swap = "5c7f9e4e-c245-4ccb-98a2-1211ea7008e8";
|
2023-11-25 02:37:10 +07:00
|
|
|
uuids.boot = "0603-5955";
|
|
|
|
uuids.bch0 = "9f10b9ac-3102-4816-8f2c-e0526c2aa65b";
|
|
|
|
uuids.bch1 = "4ffed814-057c-4f9f-9a12-9d8ac6331e62";
|
|
|
|
uuids.bch2 = "e761df86-35ce-4586-9349-2d646fcb1b2a";
|
|
|
|
uuids.bch = "088a3d70-b54c-4437-8e01-feda6bfb7236";
|
|
|
|
parts = builtins.mapAttrs (k: v: "/dev/disk/by-uuid/${v}") uuids;
|
2023-09-13 17:20:18 +07:00
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
imports = [
|
|
|
|
../hardware/radxa-rock5a
|
2023-10-17 20:25:03 +07:00
|
|
|
../hosts/server
|
2023-10-08 08:24:29 +07:00
|
|
|
hardware.common-pc-ssd
|
|
|
|
];
|
|
|
|
|
|
|
|
boot.initrd.availableKernelModules = [
|
|
|
|
# network in initrd
|
|
|
|
"dwmac-rk"
|
|
|
|
# fde unlock in initrd
|
|
|
|
"dm_mod" "dm_crypt" "encrypted_keys"
|
2023-09-13 17:20:18 +07:00
|
|
|
];
|
|
|
|
|
2023-12-15 06:03:46 +07:00
|
|
|
systemd.enableEmergencyMode = false;
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
"net.core.default_qdisc" = "fq";
|
|
|
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
|
|
|
};
|
|
|
|
|
2023-09-13 17:20:18 +07:00
|
|
|
networking.useDHCP = true;
|
2023-11-25 02:37:10 +07:00
|
|
|
/*
|
|
|
|
# as expected, systemd initrd and networking didn't work well, and i really cba to debug it
|
|
|
|
networking.useDHCP = false;
|
|
|
|
networking.useNetworkd = true;
|
|
|
|
systemd.network = {
|
|
|
|
enable = true;
|
|
|
|
links."10-mac" = {
|
|
|
|
matchConfig.OriginalName = "e*";
|
|
|
|
linkConfig = {
|
|
|
|
MACAddressPolicy = "none";
|
|
|
|
MACAddress = router-config.router-settings.serverMac;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
networks."10-dhcp" = {
|
|
|
|
DHCP = "yes";
|
|
|
|
name = "e*";
|
|
|
|
};
|
|
|
|
};*/
|
2023-09-13 17:20:18 +07:00
|
|
|
|
|
|
|
boot.initrd = {
|
2023-11-25 02:37:10 +07:00
|
|
|
/*systemd = {
|
|
|
|
enable = true;
|
|
|
|
network = {
|
|
|
|
enable = true;
|
|
|
|
links."10-mac" = {
|
|
|
|
matchConfig.OriginalName = "e*";
|
|
|
|
linkConfig = {
|
|
|
|
MACAddressPolicy = "none";
|
|
|
|
MACAddress = router-config.router-settings.serverInitrdMac;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
networks."10-dhcp" = {
|
|
|
|
DHCP = "yes";
|
|
|
|
name = "e*";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};*/
|
2024-01-27 03:57:21 +07:00
|
|
|
# eth0 on some kernels
|
|
|
|
# end0 on other kernels
|
|
|
|
# sometimes even version dependent
|
2023-09-13 17:20:18 +07:00
|
|
|
preLVMCommands = lib.mkOrder 499 ''
|
2024-01-27 03:57:21 +07:00
|
|
|
ip link set end0 address ${router-config.router-settings.serverInitrdMac} || ip link set eth0 address ${router-config.router-settings.serverInitrdMac} || true
|
2023-09-13 17:20:18 +07:00
|
|
|
'';
|
|
|
|
postMountCommands = ''
|
2024-01-27 03:57:21 +07:00
|
|
|
ip link set end0 address ${router-config.router-settings.serverMac} || ip link set eth0 address ${router-config.router-settings.serverInitrdMac} || true
|
2023-09-13 17:20:18 +07:00
|
|
|
'';
|
|
|
|
network.enable = true;
|
2024-06-12 23:54:42 +07:00
|
|
|
network.udhcpc.extraArgs = [ "-t100" ];
|
2023-09-13 17:20:18 +07:00
|
|
|
network.ssh = {
|
|
|
|
enable = true;
|
|
|
|
port = 22;
|
|
|
|
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
|
|
|
hostKeys = [
|
|
|
|
"/secrets/initrd/ssh_host_rsa_key"
|
|
|
|
"/secrets/initrd/ssh_host_ed25519_key"
|
|
|
|
];
|
|
|
|
# shell = "/bin/cryptsetup-askpass";
|
|
|
|
};
|
2023-11-25 02:37:10 +07:00
|
|
|
luks.devices.cryptroot = {
|
|
|
|
device = parts.enc;
|
2023-09-13 17:20:18 +07:00
|
|
|
# idk whether this is needed but it works
|
|
|
|
preLVM = true;
|
|
|
|
# see https://asalor.blogspot.de/2011/08/trim-dm-crypt-problems.html before enabling
|
|
|
|
allowDiscards = true;
|
|
|
|
# improve SSD performance
|
|
|
|
bypassWorkqueues = true;
|
|
|
|
};
|
2023-11-25 02:37:10 +07:00
|
|
|
luks.devices.bch0 = { device = parts.bch0; preLVM = true; allowDiscards = true; bypassWorkqueues = true; };
|
|
|
|
luks.devices.bch1 = { device = parts.bch1; preLVM = true; allowDiscards = true; bypassWorkqueues = true; };
|
|
|
|
luks.devices.bch2 = { device = parts.bch2; preLVM = true; allowDiscards = true; bypassWorkqueues = true; };
|
2023-09-13 17:20:18 +07:00
|
|
|
};
|
|
|
|
|
2023-11-21 04:46:52 +07:00
|
|
|
boot.supportedFilesystems = [ "bcachefs" ];
|
|
|
|
|
2023-10-17 23:12:08 +07:00
|
|
|
fileSystems = let
|
|
|
|
neededForBoot = true;
|
|
|
|
in {
|
2023-12-18 08:48:49 +07:00
|
|
|
"/" = { device = "none"; fsType = "tmpfs"; inherit neededForBoot;
|
|
|
|
options = [ "defaults" "size=2G" "mode=755" ]; };
|
2023-09-13 17:20:18 +07:00
|
|
|
"/persist" =
|
2023-11-25 02:37:10 +07:00
|
|
|
{ device = "UUID=${uuids.bch}"; fsType = "bcachefs"; inherit neededForBoot;
|
|
|
|
options = [ "errors=ro" ]; };
|
|
|
|
"/boot" = { device = parts.boot; fsType = "vfat"; inherit neededForBoot; };
|
2023-09-13 17:20:18 +07:00
|
|
|
};
|
|
|
|
|
2023-12-09 00:38:25 +07:00
|
|
|
swapDevices = [ { device = parts.swap; } ];
|
2023-10-17 23:12:08 +07:00
|
|
|
|
2023-12-09 00:38:25 +07:00
|
|
|
boot.kernel.sysctl = {
|
|
|
|
"vm.swappiness" = 10;
|
|
|
|
};
|
2023-10-17 23:12:08 +07:00
|
|
|
|
2023-09-13 17:20:18 +07:00
|
|
|
impermanence = {
|
|
|
|
enable = true;
|
|
|
|
path = /persist;
|
|
|
|
directories = [
|
|
|
|
{ directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
|
|
|
|
{ directory = /root; mode = "0700"; }
|
|
|
|
{ directory = /nix; }
|
|
|
|
];
|
|
|
|
};
|
|
|
|
}
|