nixos-configuration/hosts/iron/configuration.nix

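{ inputs, config, pkgs, lib, ... }:
# NixOS host "iron": ZFS-on-LUKS storage server and router. Every disk carries
# the same partition layout (see partitionScheme); the EFI system partition of
# the first disk is the primary one and is mirrored onto the others at GRUB
# install time so the machine can boot from any of them.
let
  # Interface names (lan, wan) shared with ./services; contents not visible here.
  interfaces = import ./interfaces.nix;

  # Stable /dev/disk/by-id names of the physical disks, keyed by bay slot.
  disks = {
    slot1 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K";
    slot2 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A";
    slot3 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104926N";
    slot4 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104934H";
    slot5 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0W206517Y";
  };

  # true: GRUB installs to the removable-media path and leaves EFI NVRAM
  # variables alone (see loader.efi.canTouchEfiVariables below).
  removableEfi = true;

  # Directory prefix for disk device nodes. It already ends with "/", so disk
  # names are concatenated directly - never insert another "/".
  devNodes = "/dev/disk/by-id/";

  # ZFS dataset -> mountpoint.
  datasets = {
    "bpool/nixos/root" = "/boot";
    "rpool/filebitch" = "/filebitch";
    "rpool/navidrome" = "/var/lib/private/navidrome";
    "rpool/navidrome/music" = "/var/lib/navidrome/music";
    "rpool/nixos/home" = "/home";
    "rpool/nixos/root" = "/";
    "rpool/nixos/var/lib" = "/var/lib";
    "rpool/nixos/var/lib/qbittorrent" = "/var/lib/qbittorrent";
    "rpool/nixos/var/lib/qbittorrent/downloads" = "/var/lib/qbittorrent/downloads";
    "rpool/nixos/var/log" = "/var/log";
  };

  # Partition suffixes appended to a disk's by-id name.
  partitionScheme = {
    efiBoot = "-part1";
    bootPool = "-part2";
    luksDev = "-part3";
    biosBoot = "-part4";
  };

  # "<disk>-part1" for every disk, in slot order.
  efiSystemPartitions = map (diskName: diskName + partitionScheme.efiBoot) (lib.attrValues disks);

  # One fileSystems entry per ZFS dataset. neededForBoot is set on every
  # dataset, not only on "/".
  zfsMounts = lib.mapAttrsToList
    (dataset: mountpoint: {
      "${mountpoint}" = {
        device = dataset;
        fsType = "zfs";
        options = [ "X-mount.mkdir" "noatime" ];
        neededForBoot = true;
      };
    })
    datasets;

  # One vfat mount per ESP under /boot/efis/, mounted on demand (automount)
  # and tolerated when the disk is absent (nofail).
  espMounts = map
    (esp: {
      "/boot/efis/${esp}" = {
        # devNodes already ends with "/"; the previous "${devNodes}/${esp}"
        # produced a double slash, inconsistent with luks.devices and grub.devices.
        device = devNodes + esp;
        fsType = "vfat";
        options = [
          "x-systemd.idle-timeout=1min"
          "x-systemd.automount"
          "noauto"
          "nofail"
          "noatime"
          "X-mount.mkdir"
        ];
      };
    })
    efiSystemPartitions;
in
{
  imports = [
    ../../users/jalr
    ./services
  ];

  config = {
    system.stateVersion = "23.11";

    # Every wheel member gets root without a password prompt. NOTE(review):
    # with a serial console configured below, confirm physical/console access
    # is restricted accordingly, or keep the default (true).
    security.sudo.wheelNeedsPassword = false;

    networking = {
      hostName = "iron";
      # 8-hex-digit hostId; ZFS uses it to decide whether a pool is "ours".
      hostId = "b141e72f";
      useDHCP = false;
      networkmanager.enable = false;

      # LAN is a bridge over the two onboard NICs.
      bridges = {
        "${interfaces.lan}" = {
          interfaces = [ "enp2s4" "enp3s5" ];
        };
      };

      # IoT VLAN (tag 20) carried on top of the LAN bridge.
      vlans = {
        iot = {
          id = 20;
          interface = interfaces.lan;
        };
      };

      interfaces = {
        "${interfaces.lan}".ipv4.addresses = [{
          address = "192.168.42.1";
          prefixLength = 24;
        }];
        iot.ipv4.addresses = [{
          address = "10.20.0.1";
          prefixLength = 20;
        }];
        "${interfaces.wan}" = {
          useDHCP = true;
        };
      };

      # NOTE(review): "iot" is not listed in internalInterfaces and no forward
      # rule between iot and lan appears here; any IoT isolation (or NAT for
      # it) presumably lives in ./services - confirm.
      nat = {
        enable = true;
        externalInterface = interfaces.wan;
        internalInterfaces = [
          interfaces.lan
          "virbr0"
        ];
      };

      firewall = {
        # Port 5201 (presumably iperf3) is opened on every interface, WAN
        # included; `interfaces."${interfaces.lan}".allowedTCPPorts` would keep
        # it LAN-only.
        allowedTCPPorts = [ 5201 ];
        # MSS clamping for forwarded traffic.
        extraForwardRules = ''
          tcp flags syn tcp option maxseg size set rt mtu
        '';
        # DNS and DHCP for libvirt guests only.
        interfaces.virbr0 = {
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [ 53 67 ];
        };
      };

      # WAN: request an address (ia_na) and a /64 prefix delegation that is
      # assigned to the LAN interface; router solicitations only on WAN.
      dhcpcd.extraConfig = ''
        noipv6rs
        waitip 6
        interface ${interfaces.wan}
        ipv6rs
        ia_na 1
        ia_pd 1/::/64 ${interfaces.lan}/0/64
      '';
    };

    services = {
      # Advertise the delegated prefix on the LAN (SLAAC).
      radvd = {
        enable = true;
        config = ''
          interface ${interfaces.lan} {
            AdvSendAdvert on;
            prefix ::/64 {
              AdvOnLink on;
              AdvAutonomous on;
              AdvRouterAddr on;
            };
          };
        '';
      };

      # NOTE(review): periodic TRIM is off; with allowDiscards set on the LUKS
      # devices below, discards reach the SSDs only if the pool itself issues
      # them (autotrim) - confirm that is intended.
      zfs = {
        trim.enable = false;
      };
    };

    # Custom module (presumably from ../../users/jalr): unlock every LUKS
    # device in the initrd with a key file read from a USB stick.
    jalr.luksUsbUnlock = {
      enable = true;
      devices = builtins.mapAttrs
        (name: dev:
          {
            keyPath = "iron.key";
            usbDevice = "by-label/RAM_USB";
            waitForDevice = 10;
          }
        )
        disks;
    };

    boot = {
      kernel.sysctl = {
        # The host routes IPv6 between WAN and LAN.
        "net.ipv6.conf.all.forwarding" = 1;
      };

      initrd = {
        availableKernelModules = [
          "ahci"
          "ehci_pci"
          "sd_mod"
          "sdhci_pci"
          "usb_storage"
          "xhci_pci"
        ];
        systemd.enable = true;
        # One LUKS container per disk on its luksDev partition. allowDiscards
        # passes TRIM through the encryption layer for SSD wear levelling; the
        # trade-off is that freed-block patterns become visible on the raw disk.
        luks.devices = builtins.mapAttrs
          (name: dev:
            {
              device = "${devNodes}${dev}${partitionScheme.luksDev}";
              allowDiscards = true;
            }
          )
          disks;
      };

      supportedFilesystems = [ "zfs" ];
      zfs = {
        devNodes = devNodes;
        forceImportRoot = false;
      };

      loader = {
        efi = {
          # Removable-media install does not need NVRAM writes.
          canTouchEfiVariables = !removableEfi;
          # The first disk's ESP is the primary one GRUB installs into.
          efiSysMountPoint = "/boot/efis/${lib.head efiSystemPartitions}";
        };
        generationsDir.copyKernels = true;
        grub = {
          enable = true;
          devices = map (diskName: devNodes + diskName) (lib.attrValues disks);
          efiInstallAsRemovable = removableEfi;
          copyKernels = true;
          efiSupport = true;
          zfsSupport = true;
          extraConfig = ''
            serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
            terminal_input --append serial
            terminal_output --append serial
          '';
          # After installing into the primary ESP, mirror its EFI directory
          # onto every other disk's ESP so any disk can boot the system.
          extraInstallCommands = lib.concatMapStrings
            (diskName: ''
              ${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${partitionScheme.efiBoot}
            '')
            (lib.tail (lib.attrValues disks));
        };
      };

      kernelParams = [
        "console=ttyS0,115200"
        "console=tty1"
      ];
    };

    # The /proc entry used to be appended with `//` to the mkMerge result,
    # i.e. outside its `contents`; the module system only reads `contents` of
    # a merge, so the hidepid=2 hardening was silently dropped. It is now part
    # of the merged list. NOTE(review): /proc is also mounted via
    # boot.specialFileSystems; if this entry conflicts at evaluation, set
    # `boot.specialFileSystems."/proc".options = [ "hidepid=2" ];` instead.
    fileSystems = lib.mkMerge (zfsMounts ++ espMounts ++ [
      {
        "/proc" = {
          device = "/proc";
          # hidepid=2: users only see their own processes in /proc.
          options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
        };
      }
    ]);

    hardware.enableRedistributableFirmware = true;

    # Podman/containers storage on its own dataset. NOTE(review):
    # rpool/nixos/podman is not in `datasets` above, so its mountpoint is
    # presumably managed by the pool's mountpoint property - verify.
    virtualisation.containers.storage.settings = {
      storage = {
        driver = "zfs";
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
        options.zfs.fsname = "rpool/nixos/podman";
      };
    };

    zramSwap = {
      enable = true;
      algorithm = "zstd";
      memoryPercent = 60;
      priority = 1;
    };
  };
}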