feat(sterni/machines/ingeborg): boot-strap
Network configuration and initrd setup are basically the same as with edwin, but we are using md for Software RAID this time as well as LVM over two partitions with LUKS: - sda2 <-- RAID1 --> sdb2 (boot-raid) └ boot partition, ext4 (encrypted-container-raid) - sda3 <-- RAID1 --> sdb3 └ LUKS container └ Volume Group vgmain ├ Logical Volume vgmain/swap │ └ swap └ Logical Volume vgmain/root └ btrfs So we no longer rely on btrfs raid1 due to question marks over its reliability (I personally did not have any problems though). This also means that we have fewer LUKS containers we need to unlock when booting (kind of negligible improvement). The biggest improvement is that we have redundancy for the swap, so a disk failure shouldn't cause memory corruption/loss. Change-Id: I14f065b659857415917d9a60a7ec019e687f8d1c Reviewed-on: https://cl.tvl.fyi/c/depot/+/10127 Tested-by: BuildkiteCI Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
parent
b91f4e89ab
commit
825b6ac65f
3 changed files with 153 additions and 0 deletions
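--- /dev/null
+++ b/users/sterni/machines/ingeborg/default.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, depot, ... }:
+
+{
+  imports = [
+    # Basic settings
+    ../../modules/common.nix
+    # These modules touch things related to booting (filesystems, initrd network…)
+    ./hardware.nix
+    ./network.nix
+  ];
+
+  config = {
+    system.stateVersion = "24.05";
+  };
+}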
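--- /dev/null
+++ b/users/sterni/machines/ingeborg/hardware.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, depot, ... }:
+
+{
+  # Booting / Kernel
+  boot = {
+    loader.grub = {
+      enable = true;
+      devices = [
+        "/dev/disk/by-id/wwn-0x5000c500a4859731"
+        "/dev/disk/by-id/wwn-0x5000c500a485c1b5"
+      ];
+    };
+
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "btrfs"
+        "sd_mod"
+        "xhci_pci"
+        "e1000e"
+      ];
+      kernelModules = [
+        "dm-snapshot"
+      ];
+    };
+
+    swraid = {
+      enable = true;
+      mdadmConf = ''
+        ARRAY /dev/md/boot-raid metadata=1.2 name=nixos:boot-raid UUID=13007b9d:ab7a1129:c45ec40f:3c9f2111
+        ARRAY /dev/md/encrypted-container-raid metadata=1.2 name=nixos:encrypted-container-raid UUID=38dfa683:a6d30690:32a5de6f:fb7980fe
+      '';
+    };
+
+    kernelModules = [
+      "kvm-intel"
+    ];
+  };
+
+  # Filesystems
+  services.lvm.enable = true;
+
+  boot.initrd.luks.devices."container" = {
+    device = "/dev/md/encrypted-container-raid";
+    preLVM = true;
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mainvg/root";
+      fsType = "btrfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-label/boot";
+      fsType = "ext4";
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/mainvg/swap"; }
+  ];
+
+  # CPU
+  hardware = {
+    cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    enableRedistributableFirmware = true;
+  };
+
+  nix.settings = {
+    max-jobs = 2;
+    cores = 4;
+  };
+
+  powerManagement.cpuFreqGovernor = "performance";
+}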
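Review bot: The volume group name in this file does not match the commit description: the filesystems reference `/dev/mainvg/root` and `/dev/mainvg/swap`, while the description and its diagram call the VG `vgmain`. If the VG was actually created as `vgmain`, stage 1 will fail to find the root LV after unlocking; if `mainvg` is the real name, the description should be corrected so nobody recreates the layout under the wrong name. Separately, `/boot` is mounted via `/dev/disk/by-label/boot`, which matches any ext4 filesystem carrying that label (including removable media), whereas the array already has a stable name — `device = "/dev/md/boot-raid";` (or the filesystem's UUID) pins the mount to the RAID mirror. The mdadm UUIDs and WWNs are environment-specific, so I take them as given.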
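--- /dev/null
+++ b/users/sterni/machines/ingeborg/network.nix
@@ -0,0 +1,62 @@
+{ config, pkgs, lib, depot, ... }:
+
+let
+  ipv6 = "2a01:4f9:2a:1bc6::/64";
+
+  ipv4 = "95.216.27.158";
+  gatewayv4 = "95.216.27.129";
+  netmaskv4 = "255.255.255.192";
+in
+
+{
+  config = {
+    boot = {
+      kernelParams = [
+        "ip=${ipv4}::${gatewayv4}:${netmaskv4}::eth0:none"
+      ];
+
+      initrd.network = {
+        enable = true;
+        ssh = {
+          enable = true;
+          authorizedKeys = depot.users.sterni.keys.all;
+          hostKeys = [
+            "/etc/nixos/unlock_rsa_key_openssh"
+            "/etc/nixos/unlock_ed25519_key_openssh"
+          ];
+        };
+        postCommands = ''
+          echo 'cryptsetup-askpass' >> /root/.profile
+        '';
+      };
+    };
+
+    networking = {
+      usePredictableInterfaceNames = false;
+      useDHCP = false;
+      interfaces."eth0".useDHCP = false;
+
+      hostName = "ingeborg";
+
+      firewall = {
+        enable = true;
+        allowPing = true;
+        allowedTCPPorts = [ 22 ];
+      };
+    };
+
+    systemd.network = {
+      enable = true;
+      networks."eth0".extraConfig = ''
+        [Match]
+        Name = eth0
+
+        [Network]
+        Address = ${ipv6}
+        Gateway = fe80::1
+        Address = ${ipv4}/27
+        Gateway = ${gatewayv4}
+      '';
+    };
+  };
+}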
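Review bot: The IPv4 prefix length disagrees between stage 1 and stage 2: the `ip=` kernel parameter uses `netmaskv4 = "255.255.255.192"` (a /26) while the networkd unit writes `Address = ${ipv4}/27`. Both ranges contain the gateway `.129`, so the box boots either way, but addresses `.160`–`.191` are on-link in the initrd and routed via the gateway afterwards; pick one prefix and derive the other from it, e.g. `Address = ${ipv4}/26` if the netmask in the `let` is authoritative. On the unlock path, the keys listed under `hostKeys` are copied into the initrd, which as far as I can tell lives on the unencrypted `boot-raid` ext4 partition, so anyone with disk or physical access can read them and present the same SSH identity to harvest the LUKS passphrase — I would add a comment to that effect next to `hostKeys` (`# NOTE: these keys end up in the unencrypted initrd on /boot; pin their fingerprints client-side and never reuse the main host keys`) and keep a separate known_hosts entry for the initrd SSH identity rather than relying on trust-on-first-use. The `>> /root/.profile` append in `postCommands` is fine since the initrd root is rebuilt on every boot.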