# NixOS configuration for the issuer host on AWS EC2.  `name` is the node name
# supplied by morph; `lib` is the nixpkgs library.
{ name, lib, ... }:
{
  imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];

  ec2.hvm = true;

  boot = {
    loader.grub = {
      # amazon-image.nix does not quite know about nvme-attached storage, so
      # the grub target device is forced here.
      device = lib.mkForce "/dev/nvme0n1";

      # By default NixOS keeps 100 old kernels around and fills up the boot
      # partition.  Keep a number that is more reasonable for us.
      configurationLimit = 8;
    };

    kernel.sysctl."vm.swappiness" = 1;

    # The loop module has to be loaded early and explicitly.  Without it the
    # crypt-swap setup for the swapfile below fails with the unhelpful
    # message "loop device with autoclear flag is required".
    # See https://unix.stackexchange.com/a/554500/81275
    kernelModules = [ "loop" ];
  };

  # The swapfile is encrypted with a random key that is generated at each
  # boot, so pages written to it cannot be read back once the machine has
  # gone down.
  swapDevices = [
    {
      device = "/var/swapfile";
      size = 1024; # megabytes
      randomEncryption = true;
    }
  ];

  # We usually have ample free & usable memory, but Nix sometimes runs us out
  # of it during software upgrades.  zram swap (compressed, held in RAM) is
  # supposed to help with that.
  zramSwap.enable = true;

  # AWS and morph both want to set the hostname.  Break the tie by forcing the
  # morph-supplied name.  See also
  # <https://github.com/DBCDK/morph/issues/146>.
  networking.hostName = name;

  # The PaymentServer voucher database gets a dedicated filesystem (ideally on
  # a dedicated volume, but that is beyond the control of this part of the
  # system).  That makes backup/recovery and encryption easier to manage.
  # NOTE(review): the label only selects which filesystem is mounted; whether
  # the data is encrypted at rest depends on how the volume behind it is
  # provisioned -- confirm.
  services.private-storage-issuer.databaseFileSystem.label = "zkapissuer-data";

  nix = {
    # Clean up packages after a while.  --delete-older-than also drops profile
    # generations past that age, so rollback targets older than 30 days go
    # away with them.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };

    # Turn on automatic optimization of the nix store
    # https://nixos.wiki/wiki/Storage_optimization
    settings.auto-optimise-store = true;
  };
}