authorsterni <sternenseemann@systemli.org>2023-11-25T19·04+0100
committersterni <sternenseemann@systemli.org>2023-11-25T22·55+0000
commit825b6ac65f69737bbcba99058433e0af3fcc33b7 (patch)
tree895adc431d2a410561cb10737bcaf71083867a95 /users/sterni
parentb91f4e89ab7af350f775185d8c381d921b636d19 (diff)
feat(sterni/machines/ingeborg): boot-strap r/7069
Network configuration and initrd setup is basically the same as with
edwin, but we are using md for Software RAID this time as well as LVM
over two partitions with LUKS:

- sda2 <-- RAID1 --> sdb2 (boot-raid)
  └ boot partition, ext4 (encrypted-container-raid)
- sda3 <-- RAID1 --> sdb3
  └ LUKS container
    └ Volume Group vgmain
      ├ Logical Volume vgmain/swap
      │ └ swap
      └ Logical Volume vgmain/root
        └ btrfs

So we no longer rely on btrfs raid1 due to question marks over its
reliability (I personally did not have any problems though). This also
means that we have fewer LUKS containers we need to unlock when
booting (a fairly negligible improvement). The biggest improvement is that
we have redundancy for the swap, so a disk failure shouldn't cause
memory corruption/loss.

Change-Id: I14f065b659857415917d9a60a7ec019e687f8d1c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10127
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Diffstat (limited to 'users/sterni')
-rw-r--r--users/sterni/machines/ingeborg/default.nix15
-rw-r--r--users/sterni/machines/ingeborg/hardware.nix76
-rw-r--r--users/sterni/machines/ingeborg/network.nix62
3 files changed, 153 insertions, 0 deletions
diff --git a/users/sterni/machines/ingeborg/default.nix b/users/sterni/machines/ingeborg/default.nix
new file mode 100644
index 0000000000..3012e5f4af
--- /dev/null
+++ b/users/sterni/machines/ingeborg/default.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, depot, ... }:
+
+{
+  imports = [
+    # Basic settings
+    ../../modules/common.nix
+    # These modules touch things related to booting (filesystems, initrd network…)
+    ./hardware.nix
+    ./network.nix
+  ];
+
+  config = {
+    system.stateVersion = "24.05";
+  };
+}
diff --git a/users/sterni/machines/ingeborg/hardware.nix b/users/sterni/machines/ingeborg/hardware.nix
new file mode 100644
index 0000000000..982598131e
--- /dev/null
+++ b/users/sterni/machines/ingeborg/hardware.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, depot, ... }:
+
+{
+  # Booting / Kernel
+  boot = {
+    loader.grub = {
+      enable = true;
+      devices = [
+        "/dev/disk/by-id/wwn-0x5000c500a4859731"
+        "/dev/disk/by-id/wwn-0x5000c500a485c1b5"
+      ];
+    };
+
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "btrfs"
+        "sd_mod"
+        "xhci_pci"
+        "e1000e"
+      ];
+      kernelModules = [
+        "dm-snapshot"
+      ];
+    };
+
+    swraid = {
+      enable = true;
+      mdadmConf = ''
+        ARRAY /dev/md/boot-raid metadata=1.2 name=nixos:boot-raid UUID=13007b9d:ab7a1129:c45ec40f:3c9f2111
+        ARRAY /dev/md/encrypted-container-raid metadata=1.2 name=nixos:encrypted-container-raid UUID=38dfa683:a6d30690:32a5de6f:fb7980fe
+      '';
+    };
+
+    kernelModules = [
+      "kvm-intel"
+    ];
+  };
+
+  # Filesystems
+  services.lvm.enable = true;
+
+  boot.initrd.luks.devices."container" = {
+    device = "/dev/md/encrypted-container-raid";
+    preLVM = true;
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mainvg/root";
+      fsType = "btrfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-label/boot";
+      fsType = "ext4";
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/mainvg/swap"; }
+  ];
+
+  # CPU
+  hardware = {
+    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    enableRedistributableFirmware = true;
+  };
+
+  nix.settings = {
+    max-jobs = 2;
+    cores = 4;
+  };
+
+  powerManagement.cpuFreqGovernor = "performance";
+}
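Review bot: The volume group is referenced as `mainvg` in `/dev/mainvg/root` and `/dev/mainvg/swap`, while the commit description names it `vgmain`; if the description is the accurate one these two paths will not resolve at boot, so the name should be reconciled in one place or the other. The `swraid.mdadmConf` block and the `boot.initrd.luks.devices."container"` block are also left without any comment tying them together; a line such as `# md/encrypted-container-raid (mirrored sda3/sdb3) holds the LUKS container; LVM is activated only after it is opened (preLVM)` above the LUKS block would save the next reader a trip to the commit message. The `/boot` filesystem is addressed by label (`/dev/disk/by-label/boot`) while its array is addressed by name in mdadmConf (`/dev/md/boot-raid`); presumably `boot` is the ext4 label on that array, and a short comment stating so would make the link explicit.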
diff --git a/users/sterni/machines/ingeborg/network.nix b/users/sterni/machines/ingeborg/network.nix
new file mode 100644
index 0000000000..fceb530d55
--- /dev/null
+++ b/users/sterni/machines/ingeborg/network.nix
@@ -0,0 +1,62 @@
+{ config, pkgs, lib, depot, ... }:
+
+let
+  ipv6 = "2a01:4f9:2a:1bc6::/64";
+
+  ipv4 = "95.216.27.158";
+  gatewayv4 = "95.216.27.129";
+  netmaskv4 = "255.255.255.192";
+in
+
+{
+  config = {
+    boot = {
+      kernelParams = [
+        "ip=${ipv4}::${gatewayv4}:${netmaskv4}::eth0:none"
+      ];
+
+      initrd.network = {
+        enable = true;
+        ssh = {
+          enable = true;
+          authorizedKeys = depot.users.sterni.keys.all;
+          hostKeys = [
+            "/etc/nixos/unlock_rsa_key_openssh"
+            "/etc/nixos/unlock_ed25519_key_openssh"
+          ];
+        };
+        postCommands = ''
+          echo 'cryptsetup-askpass' >> /root/.profile
+        '';
+      };
+    };
+
+    networking = {
+      usePredictableInterfaceNames = false;
+      useDHCP = false;
+      interfaces."eth0".useDHCP = false;
+
+      hostName = "ingeborg";
+
+      firewall = {
+        enable = true;
+        allowPing = true;
+        allowedTCPPorts = [ 22 ];
+      };
+    };
+
+    systemd.network = {
+      enable = true;
+      networks."eth0".extraConfig = ''
+        [Match]
+        Name = eth0
+
+        [Network]
+        Address = ${ipv6}
+        Gateway = fe80::1
+        Address = ${ipv4}/27
+        Gateway = ${gatewayv4}
+      '';
+    };
+  };
+}
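Review bot: The IPv4 prefix length disagrees between the two places it is configured: the `ip=` kernel parameter carries netmask `255.255.255.192`, which is /26, while the networkd unit sets `Address = ${ipv4}/27`. Both ranges happen to contain the host and the gateway here, but the initrd and the booted system will compute different on-link ranges; deriving both from a single value in the `let` block, e.g. `prefixv4 = 26;` alongside `netmaskv4`, and writing `Address = ${ipv4}/${toString prefixv4}` removes the drift. Separately, the files listed under `initrd.network.ssh.hostKeys` are copied into the initrd, which is written to `/boot`, the ext4 filesystem that sits outside the LUKS container according to hardware.nix; anyone with access to the disks can therefore read these keys and impersonate the unlock prompt. The `unlock_*` file names suggest they are dedicated keys rather than the system host keys, which is the right choice, and it is worth recording that intent with a comment like `# Dedicated initrd host keys: the initrd lives on unencrypted /boot, never reuse the system host keys here`.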