From 7956c03730e029f2c1cad4c7fa0c1420ac5c2724 Mon Sep 17 00:00:00 2001
From: Christoph Heiss
Date: Sat, 4 Nov 2023 23:43:37 +0100
Subject: [PATCH] machines: Add `back`
Signed-off-by: Christoph Heiss
---
default.nix | 5 ++-
flake.nix | 5 ++-
machines/back.nix | 83 ++++++++++++++++++++++++++++++++++++
secrets/machines/back.nix | Bin 0 -> 96 bytes
system/baremetal-server.nix | 16 +++++++
5 files changed, 105 insertions(+), 4 deletions(-)
create mode 100644 machines/back.nix
create mode 100644 secrets/machines/back.nix
create mode 100644 system/baremetal-server.nix
diff --git a/default.nix b/default.nix
index c672041..71b431d 100644
--- a/default.nix
+++ b/default.nix
@@ -15,8 +15,9 @@ let }; machines = { - fort = { tags = [ "external" "vm" ]; }; - serv = { tags = [ "homelab" "lxc" ]; }; + back = { tags = [ "external" "server" "baremetal" ]; }; + fort = { tags = [ "external" "server" "vm" ]; }; + serv = { tags = [ "homelab" "server" "lxc" ]; }; trek = { tags = [ "desktop" ]; }; zero = { tags = [ "desktop" ]; }; };
diff --git a/flake.nix b/flake.nix
index 7b17570..8865331 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,8 +53,9 @@ switch -b bak ''; - machines = [ "fort" "serv" "trek" "zero" ]; - tags = [ "desktop" "external" "homelab" "lxc" "vm" ]; + machines = [ "back" "fort" "serv" "trek" "zero" ]; + tags = + [ "baremetal" "desktop" "external" "homelab" "lxc" "server" "vm" ]; in { apps = (builtins.listToAttrs (map (name: { inherit name;
diff --git a/machines/back.nix b/machines/back.nix
new file mode 100644
index 0000000..bd66e1a
--- /dev/null
+++ b/machines/back.nix
@@ -0,0 +1,83 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../secrets/machines/back.nix
+ ../system/baremetal-server.nix
+ ../system/ucode-intel.nix
+ ];
+
+ system.stateVersion = "23.11";
+
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.grub = {
+ enable = true;
+ copyKernels = true;
+ efiInstallAsRemovable = true;
+ efiSupport = true;
+ fsIdentifier = "uuid";
+ enableCryptodisk = true;
+ device = "nodev";
+ };
+
+ boot.initrd = {
+ availableKernelModules = [ "hpsa" "sd_mod" "aesni_intel" "cryptd" ];
+ kernelModules = [ "md_mod" "raid0" "raid1" ];
+ luks.devices.nixos-root.device = "/dev/md1";
+
+ # Manually start degraded arrays if needed, to still allow booting from them.
+ # See https://github.com/NixOS/nixpkgs/issues/72608
+ preLVMCommands = ''
+ for dev in /dev/md*; do
+ if [ -b "$dev" ]; then
+ mdadm --run "$dev"
+ fi
+ done
+ '';
+ };
+
+ boot.swraid = {
+ enable = true;
+ mdadmConf = ''
+ DEVICE partitions
+ ARRAY /dev/md0 level=raid1 num-devices=2 metadata=1.0 name=nixos:0 UUID=8b85ad8d:07770d93:de437327:626744b3
+ ARRAY /dev/md1 level=raid1 num-devices=2 metadata=1.2 name=nixos:1 UUID=fa799b6d:76859754:7bf68be4:d184553c
+ PROGRAM ${pkgs.toybox}/bin/true
+ '';
+ };
+
+ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+
+ fileSystems."/" = {
+ device = "/dev/mapper/nixos-root";
+ fsType = "btrfs";
+ options = [ "noatime" "subvol=@" ];
+ };
+
+ fileSystems."/home" = {
+ device = "/dev/mapper/nixos-root";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/mapper/nixos-root";
+ fsType = "btrfs";
+ options = [ "noatime" "subvol=@nix" ];
+ };
+
+ fileSystems."/var/log" = {
+ device = "/dev/mapper/nixos-root";
+ fsType = "btrfs";
+ options = [ "noatime" "compress=zstd" "subvol=@log" ];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/md0";
+ fsType = "vfat";
+ };
+
+ services.zfs.autoScrub.enable = true;
+ services.zfs.autoSnapshot.enable = true;
+ services.zfs.trim.enable = true;
+}
diff --git a/secrets/machines/back.nix b/secrets/machines/back.nix
new file mode 100644
index 0000000000000000000000000000000000000000..c42a93335a9517370fd138d2ff87fcae4e152614
GIT binary patch
literal 96
zcmV-m0H6N=M@dveQdv+`07hQ!X&^m@TJ~lnbg|=>3@FK@sTtQmN!gH@&)TH{r7_Cw
zKZ-W9hok}39fHLoWitYy)I4iD@5I~tnY7k)!I?|+!
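Review bot: A failed RAID member would go unnoticed with the new `machines/back.nix`: the `preLVMCommands` loop force-starts every `/dev/md*` array with `mdadm --run`, and `mdadmConf` sets `PROGRAM ${pkgs.toybox}/bin/true`, so any event mdadm's monitor reports is dropped. Both the LUKS device (`/dev/md1`) and `/boot` (`/dev/md0`) sit on two-device RAID1, so I would route events somewhere visible, for example `MAILADDR root` if local mail is delivered, or a `PROGRAM` that writes to the journal, and add a comment if the no-op is only there to silence the missing-notifier error. Separately, `/boot` is an unencrypted vfat array and `copyKernels = true` places kernel and initrd on it, so `enableCryptodisk = true` looks unnecessary and anything put into the initrd for unlocking would be readable at rest; a comment naming the intended unlock path would help. The `services.zfs.*` options and the ZFS-compatible kernel are enabled, but no pool or `networking.hostId` is visible in this file; presumably they come from one of the imports, and a pool's encryption would not be covered by the LUKS device declared here.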