{ config, pkgs, modulesPath, lib, ... }:

let
  # Values gathered from the Hetzner rescue system.
  #
  # In the rescue shell:
  #   apt install -y lshw
  #   lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
  networkInterfaceModule = "e1000e";

  # From `ip addr` in the rescue shell.
  networkInterface = "enp0s31f6";

  # IPv4 data as shown in the Hetzner control panel.
  # NOTE(review): only referenced from the commented-out kernelParams at the
  # bottom of this file; the active configuration does not use it.
  ipv4 = {
    address = "95.216.66.212";
    gateway = "95.216.66.193";
    netmask = "255.255.255.192"; # may differ for your server
    prefixLength = 26;           # must agree with the netmask above
  };

  # IPv6 data as shown in the Hetzner control panel.
  ipv6 = {
    address = "2a01:4f9:2b:326::2";
    gateway = "fe80::1";
    prefixLength = 64;
  };
in
{
  system.stateVersion = "23.11";

  imports = [
    ./disko-config.nix
    ./hardware-configuration.nix
  ];

  # Hetzner dedicated machines boot via legacy BIOS, so GRUB2 is used
  # instead of systemd-boot.  The ef02 partition created by disko is for
  # GRUB's BIOS boot code, not for UEFI (unavailable on these hosts).
  boot.loader.grub = {
    enable = true;
    efiSupport = false;
  };

  users.users.root = {
    # Empty initial hash: root can log in without a password on the local
    # console (e.g. the provider's KVM) until a password is set.  SSH is
    # not affected because password authentication is disabled below; set
    # a real password (`passwd`) after the first boot.
    initialHashedPassword = "";
    # TODO: move this to the flake, this is always true
    openssh.authorizedKeys.keys = [
      "ssh-rsa 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"
    ];
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "prohibit-password"; # root only via public key
        PasswordAuthentication = false;
      };
    };
    sshguard.enable = true; # rate-limit/ban brute-force attempts on sshd
  };

  boot.tmp.useTmpfs = true; # /tmp on tmpfs (performance)
  boot.supportedFilesystems = [ "zfs" ];

  # Generated once with: head -c4 /dev/urandom | od -A none -t x4
  networking.hostId = "5bb982a6";

  # NOTE(review): only the IPv6 address is set here; the gateway and prefix
  # length from the let-bindings are not applied in this file -- presumably
  # they come from hardware-configuration.nix or disko-config.nix; confirm.
  systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;

  # Bring the uplink up inside the initrd and run an SSH server there, so
  # the machine can be reached before the real system is up.
  boot.initrd = {
    kernelModules = [ networkInterfaceModule ];

    network = {
      enable = true;
      ssh = {
        enable = true;
        port = 2222;
        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
        # Pass --copy-host-keys to nixos-anywhere so these files exist at
        # install time (new keys can be generated later).  Keys listed here
        # are copied into the initrd image, which is not encrypted -- anyone
        # able to read the boot media can read these private keys.
        hostKeys = [
          /etc/ssh/ssh_host_rsa_key
          /etc/ssh/ssh_host_ed25519_key
        ];
      };
    };

    # systemd-based initrd; the uplink definition is shared with the main
    # system so both stages configure the interface the same way.
    systemd.enable = true;
    #systemd.services.openssh.enable = true;
    systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";
  };

  # Alternative without systemd in the initrd (kept for reference, not
  # active).  Note that `hostName` is not defined in the let-block above,
  # so the kernelParams line would need it added before being enabled.
  #
  # boot.kernelParams = [
  #   # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns>
  #   # The server ip refers to the NFS server -- we don't need it.
  #   "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
  # ];
  # boot.initrd.systemd.enable = false;
  # boot.kernelParams = [ "ip=dhcp" ];
  # boot.initrd.network.ssh.shell = "/bin/cryptsetup-askpass";
  # boot.initrd.luks.reusePassphrases = true;
}