issuer-aws.nix

{ name, lib, ... }: {
  imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];

  # amazon-image.nix isn't quite aware of nvme-attached storage so give it a
  # little help configuring grub.
  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";

  ec2.hvm = true;
  boot.kernel.sysctl = { "vm.swappiness" = 0; };
  swapDevices = [ {
    device = "/var/swapfile";
    size = 4096; # megabytes
    randomEncryption = true;
  } ];

  # Break the tie between AWS and morph for the hostname by forcing the
  # morph-supplied name.  See also
  # <https://github.com/DBCDK/morph/issues/146>.
  networking.hostName = name;

  # Mount a dedicated filesystem (ideally on a dedicated volume, but that's
  # beyond control of this particular part of the system) for the
  # PaymentServer voucher database.  This makes it easier to manage for
  # tasks like backup/recovery and encryption.
  services.private-storage-issuer.databaseFileSystem = {
    label = "zkapissuer-data";
  };

  # Clean up packages after a while
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };
}