# Headless server profile: UEFI GRUB with LUKS-aware /boot, software RAID and
# ZFS support in the initrd, and an initrd sshd so encrypted volumes can be
# unlocked remotely before stage 2 starts.
{ config, ... }:

{
  imports = [ ../common ../services/openssh.nix ../system/headless.nix ];

  boot.loader.grub = {
    # Install to the removable-media fallback path so the firmware finds the
    # loader without an NVRAM boot entry.
    efiInstallAsRemovable = true;
    efiSupport = true;
    # Let GRUB open LUKS volumes, so /boot can live inside an encrypted disk.
    enableCryptodisk = true;
    # EFI only: no MBR/BIOS install target.
    device = "nodev";
  };

  # panic=10: reboot 10 s after a kernel panic instead of hanging (headless box).
  # mitigations=off disables the kernel's CPU side-channel mitigations
  # (Spectre/Meltdown family) for performance. NOTE(review): this is a
  # deliberate security trade-off; it is only defensible if no untrusted code
  # or users ever run on this host, otherwise keep the kernel default.
  boot.kernelParams = [ "panic=10" "mitigations=off" ];

  boot.initrd = {
    # SCSI disk and dm-crypt helper modules needed before the root is visible.
    availableKernelModules = [ "sd_mod" "cryptd" ];
    # Linux software RAID (md) levels used by the arrays assembled below.
    kernelModules = [ "md_mod" "raid0" "raid1" ];

    # Manually start degraded arrays if needed, to still allow booting from them.
    # See https://github.com/NixOS/nixpkgs/issues/72608
    # `mdadm --run` forces every /dev/md* block device to start even when a
    # member is missing.
    preLVMCommands = ''
      for dev in /dev/md*; do
        if [ -b "$dev" ]; then
          mdadm --run "$dev"
        fi
      done
    '';

    # Networking plus an sshd inside the initrd, so the ZFS keys and the LUKS
    # passphrase can be supplied over SSH.
    network = {
      enable = true;
      ssh = {
        enable = true;
        # Same keys that are allowed to log in to the booted system.
        authorizedKeys =
          config.users.users.christoph.openssh.authorizedKeys.keys;
        # NOTE(review): this key file is copied into the initrd image, so
        # anyone who can read the initrd from the boot medium can read the
        # key. With enableCryptodisk above, /boot is presumably inside the
        # LUKS volume; confirm that, otherwise treat this key as exposed and
        # pin the expected host key on the client side.
        hostKeys = [ "/var/secrets/initrd/hostkey" ];
        # Only ed25519 user keys are accepted (plain, FIDO sk-, and their
        # certificate forms); RSA/ECDSA logins to the initrd are refused.
        extraConfig = ''
          PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com
        '';
      };
      # Obtain an address via DHCP in the initrd.
      udhcpc.enable = true;
      # Runs after the initrd network is up: import every zpool, then append
      # to root's .profile so an interactive SSH login first prints array and
      # pool status, then runs the unlock chain (ZFS keys, the LUKS passphrase
      # prompt via cryptsetup-askpass, and a write to /tmp/unlocked as the
      # "done" signal). The last echo is only a log line.
      postCommands = ''
        echo 'importing all zpools ..'
        /bin/zpool import -a
        echo 'mdadm --detail /dev/md*; /bin/zpool status;' >>/root/.profile
        echo '/bin/zfs load-key -r -a && /bin/cryptsetup-askpass && echo >/tmp/unlocked' >>/root/.profile
        echo 'starting sshd ..'
      '';
    };

    # Runs once devices are set up. The FIFO is meant to pair with the
    # `echo >/tmp/unlocked` that .profile (above) performs after the unlock.
    # NOTE(review): `echo /tmp/unlocked` only prints the path and returns at
    # once, so nothing here actually blocks on the FIFO before sshd is killed.
    # `cat /tmp/unlocked` would wait for the signal, but it would also hang a
    # boot that was unlocked at the console rather than over SSH; confirm
    # which behaviour is intended. If .profile writes before mkfifo runs, the
    # write creates a plain file and mkfifo will fail; confirm that case too.
    postDeviceCommands = ''
      echo 'waiting for encrypted devices unlock ..'
      mkfifo /tmp/unlocked
      echo /tmp/unlocked
      killall sshd
    '';
  };

  # Log hardware RAS events (e.g. memory error reports) from the kernel.
  hardware.rasdaemon.enable = true;
}