Added limina

config/hardware/limina.nix

@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
+  boot = {
+    initrd = {
+      availableKernelModules =
+        [ "ahci" "xhci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = pkgs.linuxPackages_latest;
+  };
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/disk/by-label/BOOT";
+      fsType = "vfat";
+    };
+
+    "/" = {
+      device = "zroot/transient/root";
+      fsType = "zfs";
+    };
+
+    "/nix" = {
+      device = "zroot/transient/nix";
+      fsType = "zfs";
+    };
+
+    "/var/log" = {
+      device = "zroot/transient/logs";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+
+    "/home" = {
+      device = "zroot/persistent/home";
+      fsType = "zfs";
+    };
+
+    "/state" = {
+      device = "zroot/persistent/state";
+      fsType = "zfs";
+    };
+  };
+
+  services.zfs.autoScrub.enable = true;
+
+  swapDevices = [{ device = "/dev/disk/by-label/swap"; }];
+
+  nix.maxJobs = lib.mkDefault 4;
+
+  hardware.bluetooth.enable = false;
+
+  networking = {
+    hostId = substring 0 8 (fileContents /state/etc/machine-id);
+
+    macvlans = {
+      extif0 = {
+        interface = "enp1s0";
+        mode = "bridge";
+      };
+      intif0 = {
+        interface = "enp2s0";
+        mode = "bridge";
+      };
+      intif1 = {
+        interface = "enp3s0";
+        mode = "bridge";
+      };
+      intif2 = {
+        interface = "enp4s0";
+        mode = "bridge";
+      };
+    };
+
+    interfaces = {
+      enp1s0.useDHCP = false;
+      enp2s0.useDHCP = false;
+      enp3s0.useDHCP = false;
+      enp4s0.useDHCP = false;
+      
+      # output of: echo limina-${if}|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+      extif0 = {
+        macAddress = "02:fd:79:94:a2:a8";
+        useDHCP = true;
+      };
+
+      intif0 = {
+        macAddress = "02:dc:59:b4:a7:8c";
+      };
+
+      intif1 = {
+        macAddress = "02:df:43:1d:8a:63";
+      };
+
+      intif2 = {
+        macAddress = "02:55:d9:05:23:36";
+      };
+    };
+  };
+}

config/hosts/limina.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with lib; {
+  config = {
+  
+    # TODO: remove?
+    nixpkgs.config.permittedInsecurePackages = [
+      "openssh-with-gssapi-8.4p1" # CVE-2021-28041
+    ];
+  
+    environment.etc = {
+      nixos.source = "/state/nixos";
+      adjtime.source = "/state/etc/adjtime";
+      NIXOS.source = "/state/etc/NIXOS";
+      machine-id.source = "/state/etc/machine-id";
+      "host-config.nix".source = "/state/etc/host-config.nix";
+    };
+
+    system.stateVersion = "20.09";
+
+    boot.initrd.postDeviceCommands = lib.mkAfter ''
+      ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
+    '';
+
+    security.sudo.extraConfig = ''
+      # rollback results in sudo lectures after each reboot
+      Defaults lecture = never
+    '';
+
+    systemd.tmpfiles.rules = [
+      "L /root/.gnupg - - - - /state/root/gnupg"
+      "L /root/.emacs.d - - - - /state/root/emacs.d"
+      "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
+      "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
+      "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
+      "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
+      "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
+    ];
+
+    services = {
+      openssh = {
+        hostKeys = [
+          {
+            path = "/state/ssh/ssh_host_ed25519_key";
+            type = "ed25519";
+          }
+          {
+            path = "/state/ssh/ssh_host_rsa_key";
+            type = "rsa";
+            bits = 4096;
+          }
+        ];
+      };
+    };
+  };
+}

config/networks/sea.fudo.org.nix

@@ -67,6 +67,10 @@ in {
   };
 
   hosts = {
+    limina = {
+      ip-address = "10.0.0.6";
+      mac-address = "02:fd:79:94:a2:a8";
+    };    
     nostromo = {
       ip-address = "10.0.0.1";
       mac-address = "46:54:76:06:f1:10";

config/profiles/server.nix

@@ -4,10 +4,6 @@ with lib;
 let
   serverPackages = with pkgs; [
     emacs-nox
-    ldns
-    ldns.examples
-    jdk14_headless
-    racket-minimal
     reboot-if-necessary
     test-config
   ];
@@ -55,8 +51,6 @@ in {
   config = {
     environment = {
       systemPackages = serverPackages;
-
-      # noXlibs = lib.mkForce true;
     };
 
     system.autoUpgrade.enable = false;