From 3b88611336ad565c2130105411ec152ca20065f5 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 11 Feb 2020 15:41:00 +0000
Subject: feat(ops/nixos): Add initial configuration for host camden
---
 ops/nixos/camden/default.nix | 90 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 ops/nixos/camden/default.nix
(limited to 'ops/nixos/camden')
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
new file mode 100644
index 000000000000..9a960600db4d
--- /dev/null
+++ b/ops/nixos/camden/default.nix
@@ -0,0 +1,90 @@
+# This file configures camden.tazj.in, my homeserver.
+
+{ pkgs, lib, ... }:
+
+config: let
+ nixpkgs = import pkgs.third_party.nixpkgsSrc {
+ config.allowUnfree = true;
+ };
+in pkgs.lib.fix(self: {
+ # camden is intended to boot unattended, despite having an encrypted
+ # root partition.
+ #
+ # The below configuration uses an externally connected USB drive
+ # that contains a LUKS key file to unlock the disk automatically at
+ # boot.
+ #
+ # TODO(tazjin): Configure LUKS unlocking via SSH instead.
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"
+ "rtsx_usb_sdmmc" "r8169"
+ ];
+
+ kernelModules = [ "dm-snapshot" ];
+
+ luks.devices.camden-crypt = {
+ fallbackToPassword = true;
+ device = "/dev/disk/by-label/camden-crypt";
+ keyFile = "/dev/sdb";
+ keyFileSize = 4096;
+ };
+ };
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+
+ cleanTmpDir = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/camden-root";
+ fsType = "ext4";
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-label/camden-home";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-label/BOOT";
+ fsType = "vfat";
+ };
+ };
+
+
+ # TODO(tazjin): audit these (from generated hardware-config)
+ nix.maxJobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ networking = {
+ hostName = "camden";
+ interfaces.enp1s0.useDHCP = true;
+ firewall.allowedTCPPorts = [ 22 8080 80 443 ];
+ };
+
+ time.timeZone = "UTC";
+
+ # System-wide application setup
+ programs.fish.enable = true;
+ environment.systemPackages = with nixpkgs; [
+ curl emacs26-nox git gnupg pass pciutils
+ ];
+
+ # Services setup
+ services.openssh.enable = true;
+
+ users.users.tazjin = {
+ isNormalUser = true;
+ uid = 1000;
+ extraGroups = [ "wheel" ];
+ shell = nixpkgs.fish;
+ };
+
+ system.stateVersion = "19.09";
+})
-- cgit 1.4.1
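Review bot: `services.openssh.enable = true;` combined with `firewall.allowedTCPPorts = [ 22 ... ]` exposes sshd with the 19.09 defaults, which to my recollection still accept password authentication (confirm against that release), so the wheel user `tazjin` is reachable from the network with whatever password is set. I would add `services.openssh.passwordAuthentication = false;` and declare the public key under `users.users.tazjin.openssh.authorizedKeys.keys` in the same change, so a key is provisioned before passwords are turned off. Separately, `keyFile = "/dev/sdb"` names the key stick by enumeration order rather than a stable identifier, so any other USB device that comes up first is read as the key and the boot drops to the password prompt that `fallbackToPassword` provides, defeating the unattended boot the header comment aims for; a `/dev/disk/by-id/...` path for the key device would be more robust. Ports 80, 443 and 8080 are opened although no service in this commit listens on them; a comment naming the intended service, or deferring those entries until it lands, keeps the firewall list auditable.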