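{ config, pkgs, modulesPath, lib, ... }:

# NixOS configuration for the Hetzner dedicated server "robi":
#   - legacy-BIOS GRUB installed on two disks (/boot-1, /boot-2)
#   - LUKS containers on sda3/sdb3 opened before LVM (RAID lives inside)
#   - static IPv4/IPv6 taken from the Hetzner control panel
#   - an initrd SSH server (port 2222) so the LUKS passphrase can be
#     entered remotely at boot

let
  hostName = "robi";

  # Kernel driver for the NIC. It is listed in the initrd below so the
  # network is up before the LUKS prompt. Found on the rescue system with:
  #   apt install -y lshw
  #   lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
  networkInterfaceModule = "r8169";
  networkInterface = "enp3s0";

  # From the Hetzner control panel
  ipv4 = {
    address = "144.76.13.147"; # the ip address
    gateway = "144.76.13.129"; # the gateway ip address
    netmask = "255.255.255.224"; # the netmask -- might not be the same for you!
    # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
    prefixLength = 27;
  };

  ipv6 = {
    address = "2a01:4f8:190:9147::1"; # the ipv6 address
    gateway = "fe80::1"; # the ipv6 gateway (link-local, so defaultGateway6 below needs the interface)
    prefixLength = 64; # shown in the control panel
  };
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  # needed lvm for raid
  boot.initrd.kernelModules = [
    "dm-snapshot"
    "dm_mirror"
    "dm_raid"
    "dm_region_hash"
  ];

  # Use GRUB2 as the boot loader.
  # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
  boot.loader.systemd-boot.enable = false;
  boot.loader.grub = {
    enable = true;
    efiSupport = false;
  };

  # Install GRUB on both disks and keep kernels, initrds and the GRUB menu
  # on both /boot-1 and /boot-2, so the machine still boots if either disk
  # fails. (BIOS boot only -- efiSupport is false, so no EFI files are involved.)
  boot.loader.grub.mirroredBoots = [
    { path = "/boot-1"; devices = [ "/dev/sda" ]; }
    { path = "/boot-2"; devices = [ "/dev/sdb" ]; }
  ];

  # We want to still be able to boot without one of these
  fileSystems."/boot-1".options = [ "nofail" ];
  fileSystems."/boot-2".options = [ "nofail" ];

  # A passphrase entered for one container is retried on the next, so a
  # shared passphrase only has to be typed once (locally or over initrd SSH).
  boot.initrd.luks.reusePassphrases = true;
  boot.initrd.luks.devices = {
    a_encrypted = {
      device = "/dev/sda3";
      preLVM = true; # open before LVM activation; the volume group is inside
    };
    b_encrypted = {
      device = "/dev/sdb3";
      preLVM = true;
    };
  };

  networking.hostName = hostName;

  # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
  networking.useDHCP = false;
  networking.interfaces.${networkInterface} = {
    ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
    ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
  };
  networking.defaultGateway = ipv4.gateway;
  networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
  networking.nameservers = [ "8.8.8.8" ];

  # Initial empty root password for easy login:
  # NOTE(review): an empty hash means root can log in with no password on the
  # local console (Hetzner KVM / remote console). It does not weaken SSH, since
  # password authentication is disabled below, but set a real hash once the
  # machine is bootstrapped.
  users.users.root.initialHashedPassword = "";

  # Root over SSH only with a key; no password authentication for any user.
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  services.openssh.settings.PasswordAuthentication = false;

  environment.systemPackages = [ pkgs.mosh ];

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa 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"
  ];

  services.openssh.enable = true;

  system.stateVersion = "21.05";

  # enable ssh on init
  # ------------------

  boot.kernelParams = [
    # See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for docs on this
    # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
    # The server ip refers to the NFS server -- we don't need it.
    # autoconf is "off": the initrd uses exactly the static values above, no DHCP.
    "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
  ];
  boot.initrd.availableKernelModules = [ networkInterfaceModule ];
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    # Same key list as the stage-2 root account, so there is one place to maintain it.
    authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
    # Presumably kept distinct from the stage-2 sshd port so clients do not
    # see a host-key mismatch between the initrd server and the booted
    # system -- TODO confirm.
    port = 2222;
    # Dedicated initrd host keys. The initrd lives on /boot-1 and /boot-2,
    # which GRUB must read and which are therefore outside the LUKS
    # containers, so these keys are readable from the unencrypted disk and
    # must not be the system's own /etc/ssh host keys. Both files have to
    # exist on the build host at evaluation time.
    hostKeys = [
      /etc/secrets/initrd/ssh_host_rsa_key
      /etc/secrets/initrd/ssh_host_ed25519_key
    ];
  };
}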