authorVincent Ambo <tazjin@google.com>2020-02-11T15·41+0000
committerVincent Ambo <tazjin@google.com>2020-02-11T15·41+0000
commit3b88611336ad565c2130105411ec152ca20065f5 (patch)
treeed58e284f2752ab60380b8cd7d06a67466ab3d93 /ops/nixos/camden/default.nix
parenta8792f8372b7bad98af04f2cd1fa204429ad8bd7 (diff)
feat(ops/nixos): Add initial configuration for host camden r/534
Diffstat (limited to 'ops/nixos/camden/default.nix')
-rw-r--r--ops/nixos/camden/default.nix90
1 files changed, 90 insertions, 0 deletions
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
new file mode 100644
index 000000000000..9a960600db4d
--- /dev/null
+++ b/ops/nixos/camden/default.nix
@@ -0,0 +1,90 @@
+# This file configures camden.tazj.in, my homeserver.
+
+{ pkgs, lib, ... }:
+
+config: let
+  nixpkgs = import pkgs.third_party.nixpkgsSrc {
+    config.allowUnfree = true;
+  };
+in pkgs.lib.fix(self: {
+  # camden is intended to boot unattended, despite having an encrypted
+  # root partition.
+  #
+  # The below configuration uses an externally connected USB drive
+  # that contains a LUKS key file to unlock the disk automatically at
+  # boot.
+  #
+  # TODO(tazjin): Configure LUKS unlocking via SSH instead.
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"
+        "rtsx_usb_sdmmc" "r8169"
+      ];
+
+      kernelModules = [ "dm-snapshot" ];
+
+      luks.devices.camden-crypt = {
+        fallbackToPassword = true;
+        device = "/dev/disk/by-label/camden-crypt";
+        keyFile = "/dev/sdb";
+        keyFileSize = 4096;
+      };
+    };
+
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    cleanTmpDir = true;
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/camden-root";
+      fsType = "ext4";
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-label/camden-home";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-label/BOOT";
+      fsType = "vfat";
+    };
+  };
+
+
+  # TODO(tazjin): audit these (from generated hardware-config)
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  networking = {
+    hostName = "camden";
+    interfaces.enp1s0.useDHCP = true;
+    firewall.allowedTCPPorts = [ 22 8080 80 443 ];
+  };
+
+  time.timeZone = "UTC";
+
+  # System-wide application setup
+  programs.fish.enable = true;
+  environment.systemPackages = with nixpkgs; [
+    curl emacs26-nox git gnupg pass pciutils
+  ];
+
+  # Services setup
+  services.openssh.enable = true;
+
+  users.users.tazjin = {
+    isNormalUser = true;
+    uid = 1000;
+    extraGroups = [ "wheel" ];
+    shell = nixpkgs.fish;
+  };
+
+  system.stateVersion = "19.09";
+})
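Review bot: `services.openssh.enable = true;` on L101 enables sshd with NixOS 19.09 defaults, which leave password authentication on, while port 22 is opened on L89 and the new user on L103-L108 gets no `openssh.authorizedKeys.keys` in this file; since the host is meant to boot unattended and be reachable remotely, pin `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "no";` next to the enable line, with keys provided for `tazjin` (possibly elsewhere in the repo; this hunk does not show them). The LUKS key device on L51, `keyFile = "/dev/sdb";`, is a kernel-enumeration name rather than a stable identifier, so any other disk that happens to enumerate as sdb is read as the key source and a reordering silently forces the password fallback; a `/dev/disk/by-id/<usb-device-id>` path (placeholder, take it from the actual drive) would make the unlock both stable and specific to that drive. Ports 8080, 80 and 443 on L89 are opened before any service in this configuration listens on them; dropping them until the corresponding `services.*` entries are added keeps the exposed surface equal to what the host actually runs.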