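{ config, lib, input, pkgs, ... }:

let
  # SSH public keys of the maintainer(s). The same list authorizes logins to
  # the initrd SSH server (remote ZFS unlock) and root logins on the running
  # system, so adding a key here grants both.
  sefidelKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11"
  ];
  maintainerKeys = [ ] ++ sefidelKeys;
in
{
  imports = [ ];

  # The deployment tool reaches the host over its Tailscale name and logs in
  # as root, i.e. with one of maintainerKeys (see users.users.root below).
  deployment = {
    targetHost = "kanata.bee-polaris.ts.net";
    targetUser = "root";
  };

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "zfs" ];

  networking.hostId = "31cc5527";
  networking.hostName = "kanata";

  # Erase your darlings: roll the root dataset back to its empty snapshot on
  # every boot, so only state kept under /persist survives a reboot.
  boot.initrd.postDeviceCommands = lib.mkAfter ''
    zfs rollback -r rpool/local/root@blank
  '';

  # NIC driver is needed in the initrd too, otherwise the initrd SSH server
  # has no network to listen on.
  boot.kernelModules = [ "r8169" ];
  boot.initrd.kernelModules = [ "r8169" ];
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    # Using the same port as the actual SSH daemon will cause the clients to
    # throw errors related to host key mismatch.
    port = 2222;
    hostKeys = [
      # XXX: This has to be manually generated during NixOS install.
      # The files are then copied to initrd secrets during activation.
      # NOTE(review): initrd secrets presumably end up inside the initrd image
      # on the boot partition; treat these keys as less protected than the
      # host keys of the running system and keep them distinct from them.
      "/persist/initrd/ssh_host_rsa_key"
      "/persist/initrd/ssh_host_ed25519_key"
    ];
    authorizedKeys = maintainerKeys;
  };
  # Drop a .profile into the initrd so that a maintainer who logs in over the
  # initrd SSH server is prompted for the ZFS key and the boot continues.
  # Written as a heredoc: the original had a bare `cat < /root/.profile`
  # (the `<<EOF >` was lost), which reads the file instead of writing it and
  # leaves the following lines, including the `EOF` terminator, to be run as
  # commands.
  boot.initrd.network.postCommands = ''
    cat <<EOF > /root/.profile
    if pgrep -x "zfs" > /dev/null
    then
      zfs load-key -a
      killall zfs
    else
      echo "ZFS is not running -- this could be a sign of failure."
    fi
    EOF
  '';

  modules.tailscale-initrd = {
    enable = true;
    # XXX: This has to be manually generated during NixOS install.
    # The files are then copied to initrd secrets during activation.
    tailscaleStatePath = "/persist/initrd/tailscale-initrd.state";
  };

  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = maintainerKeys;

  # /persist holds everything that must survive the root rollback above,
  # including the SSH host keys, so it has to be mounted before stage 2.
  fileSystems."/persist".neededForBoot = true;
  services.openssh.hostKeys = [
    { path = "/persist/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
    { path = "/persist/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
  ];

  services.tailscale = {
    enable = true;
    # "both": use routes advertised by other nodes and advertise our own
    # (subnet router / exit node).
    useRoutingFeatures = "both";
  };
  # Tailscale node identity lives in /var/lib/tailscale; persist it so the
  # machine keeps the same identity across the root rollback.
  environment.persistence."/persist".directories = [ "/var/lib/tailscale" ];

  sops.defaultSopsFile = ./secrets/secrets.yaml;
  sops.secrets.zfs-smol-key = { };
  # sops.secrets.nextcloud-admin-pass = { };

  powerManagement.cpuFreqGovernor = "ondemand";

  # Forwarding is needed for the NAT'd container network below (and for the
  # Tailscale routing features above).
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  networking.firewall.enable = true;
  networking.nat = {
    enable = true;
    # Container veth interfaces (ve-*) are NAT'd out through the wired NIC.
    internalInterfaces = [ "ve-+" ];
    externalInterface = "enp3s0";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };

  modules = {
    services.blocky.enable = true;
  };

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.05"; # Did you read the comment?
}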