path: root/machines/profpatsch/mikiya.nix
{ config, lib, pkgs, ... }:

let
  # Project-local helpers. The visible code only uses `myLib.authKeys` and
  # `myLib.philip`; `myPkgs` is not referenced anywhere else in this file.
  myLib = import ./lib.nix { inherit lib pkgs; };
  myPkgs = import ./pkgs.nix { inherit lib myLib pkgs; };

  # Build the description of one LUKS container: mapper name, backing block
  # device (looked up by filesystem UUID) and the key file that opens it.
  # Curried as category -> index -> uuid so that `lib.imap` can supply the
  # last two arguments.
  mkDevice = category: num: uuid:
    let
      mapperName = "mikiya-${category}-crypt-${toString num}";
    in {
      name = mapperName;
      device = "/dev/disk/by-uuid/${uuid}";
      # The key file sits on the root filesystem, which this machine keeps
      # on the LUKS mapper device `rootDevice`; it is therefore protected at
      # rest only while root is locked, and readable by anything running as
      # root once the system is up.
      # NOTE(review): confirm the file is owned by root and not group/world
      # readable, and that it never ends up in the Nix store or a backup.
      keyFile = "/root/raid.key";
    };

  # Stable identifiers for the system disk, its encrypted partition and the
  # mapper node that appears once that partition has been opened.
  systemDevice = "/dev/disk/by-id/ata-MKNSSDCR60GB-DX_MKN1140A0000025162";
  systemPartition = "/dev/disk/by-uuid/56910867-ed83-438a-b67c-c057e662c89e";
  rootDevice = "/dev/mapper/mikiya-root";

  # LUKS containers for the RAID. Only the commented-out crypttab / hdparm
  # section further down in this file consumes this list.
  # NOTE(review): `lib.imap` is the legacy spelling; newer nixpkgs name the
  # 1-based variant `lib.imap1` - confirm against the pinned nixpkgs before
  # re-enabling the consumers.
  raidDevices =
    let
      raidUuids = [
        "f0069e04-d058-40b3-8f13-92f11c4c2546"
      ];
    in lib.imap (mkDevice "raid") raidUuids;



in {
  imports = [ ./base-server.nix ];

  config = {

    # Boot loader is installed onto the system disk.
    boot.loader.grub.device = systemDevice;
    boot.kernelModules = [ "kvm-intel" ];
    # Kernel `ip=` parameter: fixed address for early (initrd) networking.
    boot.kernelParams = [ "ip=192.168.0.5" ];

    # Remote unlock: the initrd brings up the network and an ssh server so
    # that the LUKS root device can be opened over ssh.
    #
    # Security notes:
    # - /boot is a separate partition mounted by UUID, not through the LUKS
    #   mapper, and the initrd has to be readable before anything is
    #   unlocked. Whatever is baked into the initrd (ssh host key, the
    #   authorized keys) therefore sits outside the encrypted volume, and
    #   anyone with access to the disk can read or replace it.
    # - NOTE(review): no `hostKeys` is set in this file; presumably
    #   ./base-server.nix provides `boot.initrd.network.ssh.hostKeys` -
    #   confirm, and make sure it is a key used only for the initrd, never
    #   the host's regular sshd key.
    # - Every key in `myLib.authKeys` can log in to the initrd ssh server;
    #   keep that list limited to the people allowed to unlock the machine.
    boot.initrd.network = {
      enable = true;
      ssh = {
        enable = true;
        authorizedKeys = myLib.authKeys;
      };
      # Hold the boot until the mapper node for the root device exists.
      # There is no timeout: the machine stays in the initrd, with its ssh
      # server reachable, until someone unlocks the device.
      postCommands = ''
        echo "Waiting for ssh unlock of ${rootDevice} (infinitely)"
        while [ ! -e ${rootDevice} ]; do sleep 1; done
      '';
    };

    boot.initrd.availableKernelModules = [
      "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod"
      # used for ethernet device(s)
      "r8169"
    ];

    # decrypt root device
    boot.initrd.luks.devices.mikiya-root.device = systemPartition;

    fileSystems = {
      # Root lives on the opened LUKS mapper device.
      # NOTE(review): "ssd" is a btrfs mount option; confirm that ext4
      # accepts it on this system.
      "/" = {
        device = rootDevice;
        fsType = "ext4";
        options = [ "ssd" ];
      };
      # Unencrypted boot partition holding what is needed before unlock.
      "/boot" = {
        device = "/dev/disk/by-uuid/9aa38aa7-652f-4762-a0c2-b70332b93f4d";
        fsType = "ext3";
      };
    };

    nix.settings = { max-jobs = 4; };

    # Option declared by the project's own modules.
    # NOTE(review): presumably the port of the regular sshd - confirm how
    # it relates to the initrd ssh server configured above.
    vuizvui.user.profpatsch.server.sshPort = 22;

    # Disabled RAID section, kept for reference.
    # NOTE(review): before re-enabling, `concatMapStringsSep` needs to be
    # reachable (no `with lib;` is visible in this file) and the
    # `powerManagement` attribute set is missing its closing brace. The
    # crypttab line hands `keyFile` to every listed device, so the key
    # file's permissions on the root filesystem matter.
    /*
    # decrypt RAID with key from root
    environment.etc.crypttab.text =
      let luksDevice = dev: "${dev.name} ${dev.device} ${dev.keyFile} luks";
      in concatMapStringsSep "\n" luksDevice raidDevices;

    powerManagement = {
      # spin down raid drives after 30 minutes
      powerUpCommand =
        let driveStandby = drive: "${pkgs.hdparm}/sbin/hdparm -S 241 ${drive.device}";
        in concatMapStringsSep "\n" driveStandby raidDevices;
    */

    # Account definition comes from the shared helper library.
    users.users.philip = myLib.philip;

  };

}