nixos-config/system/baremetal-server.nix

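# Headless bare-metal server profile: EFI GRUB, mdraid root devices, and
# LUKS/ZFS volumes that are unlocked remotely through an initrd SSH session.
{ config, ... }:
{
  imports = [ ../common ../services/openssh.nix ../system/headless.nix ];

  boot.loader.grub = {
    # Install GRUB to the removable-media fallback path so the firmware boots
    # it without a dedicated NVRAM boot entry.
    efiInstallAsRemovable = true;
    efiSupport = true;
    # Let GRUB read LUKS volumes.
    enableCryptodisk = true;
    # EFI-only install: no BIOS boot sector is written to any disk.
    device = "nodev";
  };

  boot.kernelParams = [
    # Reboot 10 s after a kernel panic; nobody is at the console to do it.
    "panic=10"
    # Turns off the kernel's CPU speculative-execution mitigations
    # (Spectre/Meltdown class). Performance over security: only defensible
    # while the machine runs no untrusted code or tenants.
    "mitigations=off"
  ];

  boot.initrd = {
    availableKernelModules = [ "sd_mod" "cryptd" ];
    kernelModules = [ "md_mod" "raid0" "raid1" ];

    # Manually start degraded arrays if needed, to still allow booting from them.
    # See https://github.com/NixOS/nixpkgs/issues/72608
    preLVMCommands = ''
      for dev in /dev/md*; do
        # With no arrays present the glob stays literal; -b filters that out.
        if [ -b "$dev" ]; then
          mdadm --run "$dev"
        fi
      done
    '';

    network = {
      enable = true;
      ssh = {
        enable = true;
        # The administrator's normal SSH keys also open the initrd login.
        authorizedKeys =
          config.users.users.christoph.openssh.authorizedKeys.keys;
        # Host key for the initrd sshd, separate from the installed system's
        # host key, so clients see a different fingerprint during unlock.
        # NOTE(review): this file is bundled into the initrd image, which is
        # read before any volume is unlocked — treat it as a lower-trust key.
        hostKeys = [ "/var/secrets/initrd/hostkey" ];
        # Accept only Ed25519 public keys (plain, FIDO/sk and certificate forms).
        extraConfig = ''
          PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com
        '';
      };
      # Obtain an address via DHCP inside the initrd.
      udhcpc.enable = true;
      postCommands = ''
        echo 'importing all zpools ..'
        /bin/zpool import -a
        # Run automatically when the operator logs in: show array and pool
        # state, load the ZFS keys, answer the LUKS passphrase prompt, then
        # signal the waiting stage-1 script by writing to the fifo.
        echo 'mdadm --detail /dev/md*; /bin/zpool status;' >>/root/.profile
        echo '/bin/zfs load-key -r -a && /bin/cryptsetup-askpass && echo >/tmp/unlocked' >>/root/.profile
        echo 'starting sshd ..'
      '';
    };

    postDeviceCommands = ''
      echo 'waiting for encrypted devices unlock ..'
      mkfifo /tmp/unlocked
      # Block here by reading the fifo until the SSH session's
      # `echo >/tmp/unlocked` completes. Merely echoing the fifo's path does
      # not wait, and leaves the remote writer blocked with no reader.
      cat /tmp/unlocked
      # Stop the initrd sshd before control passes to the real system.
      killall sshd
    '';
  };

  # Log hardware (memory/CPU/PCIe) error reports from the kernel.
  hardware.rasdaemon.enable = true;
}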