boron.cx: add new dedicated server

flake.lock

@@ -86,6 +86,26 @@
         "type": "github"
       }
     },
+    "home-manager-unstable": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1713818326,
+        "narHash": "sha256-aw3xbVPJauLk/bbrlakIYxKpeuMWzA2feGrkIpIuXd8=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "67de98ae6eed5ad6f91b1142356d71a87ba97f21",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "impermanence": {
       "locked": {
         "lastModified": 1708968331,
@@ -139,6 +159,7 @@
         "agenix": "agenix",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
+        "home-manager-unstable": "home-manager-unstable",
         "impermanence": "impermanence",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable"

flake.nix

@@ -11,13 +11,15 @@
 
     home-manager.url = "github:nix-community/home-manager/release-23.11";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    home-manager-unstable.url = "github:nix-community/home-manager";
+    home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
 
     impermanence.url = "github:nix-community/impermanence/master";
   };
 
   description = "Hillion Nix flake";
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, impermanence, ... }@inputs: {
+  outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
     nixosConfigurations =
       let
         fqdns = builtins.attrNames (builtins.readDir ./hosts);
@@ -27,9 +29,12 @@
           })
         ];
         mkHost = fqdn:
-          let system = builtins.readFile ./hosts/${fqdn}/system;
+          let
+            system = builtins.readFile ./hosts/${fqdn}/system;
+            func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
+            home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
           in
-          nixpkgs.lib.nixosSystem {
+          func {
             inherit system;
             specialArgs = inputs;
             modules = [
@@ -39,7 +44,7 @@
               agenix.nixosModules.default
               impermanence.nixosModules.impermanence
 
-              home-manager.nixosModules.default
+              home-manager-pick.nixosModules.default
               {
                 home-manager.sharedModules = [
                   impermanence.nixosModules.home-manager.impermanence
@@ -47,7 +52,6 @@
               }
 
               ({ config, ... }: {
-                nix.registry.nixpkgs.flake = nixpkgs; # pin `nix shell` nixpkgs
                 system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
                 nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
               })

hosts/boron.cx.ts.hillion.co.uk/default.nix

@@ -0,0 +1,108 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ../../modules/common/default.nix
+    ./hardware-configuration.nix
+  ];
+
+  config = {
+    system.stateVersion = "23.11";
+
+    networking.hostName = "boron";
+    networking.domain = "cx.ts.hillion.co.uk";
+
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    boot.kernelParams = [ "ip=dhcp" ];
+    boot.initrd = {
+      availableKernelModules = [ "igb" ];
+      network.enable = true;
+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          "disk0-crypt".secretFile = ./disk_encryption.jwe;
+          "disk1-crypt".secretFile = ./disk_encryption.jwe;
+        };
+      };
+    };
+
+    ## Impermanence
+    custom.impermanence.enable = true;
+
+    ## Custom Services
+    custom = {
+      locations.autoServe = true;
+    };
+
+    services.foldingathome = {
+      enable = true;
+      user = "JakeH"; # https://stats.foldingathome.org/donor/id/357021
+      daemonNiceLevel = 19;
+    };
+
+    ## Enable ZRAM to help with root on tmpfs
+    zramSwap = {
+      enable = true;
+      memoryPercent = 200;
+      algorithm = "zstd";
+    };
+
+    ## Filesystems
+    services.btrfs.autoScrub = {
+      enable = true;
+      interval = "Tue, 02:00";
+      # By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
+      fileSystems = [ "/data" ];
+    };
+
+    ## Networking
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = true;
+      "net.ipv6.conf.all.forwarding" = true;
+    };
+
+    networking = {
+      useDHCP = false;
+      interfaces = {
+        enp6s0 = {
+          name = "eth0";
+          useDHCP = true;
+          ipv6.addresses = [{
+            address = "2a01:4f8:173:23d2::2";
+            prefixLength = 64;
+          }];
+        };
+      };
+      defaultGateway6 = {
+        address = "fe80::1";
+        interface = "eth0";
+      };
+    };
+
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedTCPPorts = lib.mkForce [ ];
+      allowedUDPPorts = lib.mkForce [ ];
+      interfaces = {
+        eth0 = {
+          allowedTCPPorts = lib.mkForce [
+          ];
+          allowedUDPPorts = lib.mkForce [
+          ];
+        };
+      };
+    };
+
+    ## Tailscale
+    age.secrets."tailscale/boron.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/boron.cx.ts.hillion.co.uk.age;
+    custom.tailscale = {
+      enable = true;
+      preAuthKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
+      ipv4Addr = "100.112.54.25";
+      ipv6Addr = "fd7a:115c:a1e0::2a01:3619";
+    };
+  };
+}

hosts/boron.cx.ts.hillion.co.uk/disk_encryption.jwe

@@ -0,0 +1 @@
+eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoic3NzIiwic3NzIjp7Imp3ZSI6WyJleUpoYkdjaU9pSkZRMFJJTFVWVElpd2lZMnhsZG1seklqcDdJbkJwYmlJNkluUmhibWNpTENKMFlXNW5JanA3SW1Ga2RpSTZleUpyWlhseklqcGJleUpoYkdjaU9pSkZRMDFTSWl3aVkzSjJJam9pVUMwMU1qRWlMQ0pyWlhsZmIzQnpJanBiSW1SbGNtbDJaVXRsZVNKZExDSnJkSGtpT2lKRlF5SXNJbmdpT2lKQlpsZzJOVEkwYkVGQ2JsRlRNakpPTkRKSmNWSjBhRkJpV1VWVWJUaHlZbEJYUkdaVlFsY3pNbU5IVkdwM2IzRlBTRmhXZG1oVExYZDNhMmxQTkVSTFNtVm5hRUZMU0ZWNU5FMTNhREpxVFZSWFNWUlZjMlp0SWl3aWVTSTZJa0ZWUWs1MlJHWnVZbEZqWVVoYVoyVjRVRmw0UjNCTFRGQmZkVkZOVUhGUVdXSk5hRVZZVVZaak4xOTJZWEUwVTFCUWRUTmlUblZWYmtoalFtUmhOV3BwU21wcVFUUnRNbmQ2WW1scWRraE9YM296YnprdFdrSWlmU3g3SW1Gc1p5STZJa1ZUTlRFeUlpd2lZM0oySWpvaVVDMDFNakVpTENKclpYbGZiM0J6SWpwYkluWmxjbWxtZVNKZExDSnJkSGtpT2lKRlF5SXNJbmdpT2lKQlRrbHdTVFY0UVZOc1JtMTZlV042YlZOeVEyZDVWSFZmY0RCZlpWSnljRko2TVc1WFpXSkdTV0Z3ZVZOb2RDMUtWWFJTUjBwWGVVeGlPWGRoVGtaRVRucHdXVE5aYmtsVVIzVnNibmxsY0VzMlZUZFFUM1poSWl3aWVTSTZJa0ZqY0hGNE0xWllVVlJxYTBwSWRUSkJkelJHU1RneE1pMXBhMnBtT1hONlIxaE5kVzk2T0dseWJXRllibWt4YkdsNlUwWkZjSFY2Y21GNE9HMUhUSEkwU1dSRFpFcGFjRjlZVTNSME1XVktkRzFTY2taT1ZrWWlmVjE5TENKMWNtd2lPaUpvZEhSd09pOHZORFV1TVRNekxqRXlOeTQ1T0RvM05qVTBJbjE5TENKbGJtTWlPaUpCTWpVMlIwTk5JaXdpWlhCcklqcDdJbU55ZGlJNklsQXROVEl4SWl3aWEzUjVJam9pUlVNaUxDSjRJam9pUVU1NlRubE5TV2QwWlhNeVJVNXFVWGxVYURWRU5EaEtZV0YwWm5nNE0zaDVhVjkxVUVsQ2JGUk1kbFYxZW05UkxXVnZhM1UyY0d0MVRqbGFaRWRETTNaTVRIRkdkMTlQVkZZd1VsSk1TV3RQVG5GSlVIbzFOU0lzSW5raU9pSkJWa1JFUzBkYWNXOWxjemhMWm5SMlJrZGxURFEyYlV0c1JrUlpia3cxY0dWTmVVVm9jak4zWWpCTU4ybEdOVzUwZVhkcmVXTlBVbEpGV2xSTVFVUk5XVU0yVFhWdE9GSmhkbVUzZGtoclpubFdlWEpxYlhOaUluMHNJbXRwWkNJNklqRnVjMDV5VkdseGVqazRRUzF1VFhSbU1UbFhRbXgxVmpKeGNrTnpPVWswYWxwMWVVZG1jSGc1U1ZVaWZRLi5wLXl4ajNMcHN3aHAyWV9RLlZ4am5vQURjSW12d29oaDViMnJtYXlKcnhXU0xad0FDbVBjMm5NSllORS1SMUtNeWpOeFpsRFdwZWZzdk5jblR6OHFkbHhraWNTYXVjaFFSWTlnbmFRLkk0UTFaekR0QV83di10djhDV3ozV1EiLCJleUpoYkdjaU9pSkZRMFJJTFVWVElpd2lZMnhsZG1seklqcDdJbkJwYmlJNkluUmhibWNpTENKMFlXNW5JanA3SW1Ga2RpSTZleUpyWlhseklqcGJleUpoYkdjaU9pSkZVelV4TWlJc0ltTnlkaUk2SWxBdE5USXhJaXdpYTJWNVgyOXdjeUk2V3lKMlpYSnBabmtpWFN3aWEzUjVJam9pUlVNaUxDSjRJam9pUVdKVVQxbFdVVGt5UjB4M1RubFZkazFqU3pRM1Z6UTJOMFZwYmpKTGVsaDZUVzFFTkVzNU1HNXRiR0owWjBsd05YZFRTRU5GUlZKU01WUktaVnBITW1SZlN6VkNibXQxY0ZkUlFrRndiVkZsVm1aak9YQklSU0lzSW5raU9pSkJVRGxQTmpCTFJYQlJSRGR2UXpsSWEzTnRUaTFmTkUwMFZWcHFTWGQ2UW5SUGRFVlBZVFZtTTBoc05sZDVSVzUwVlUxMFdERXlVM293WmpVNVlrVlRjekZJYkZSWk1VbHZURWh0V2xsZlRrUjVNRmt3ZEVWbEluMHNleUpoYkdjaU9pSkZRMDFTSWl3aVkzSjJJam9pVUMwMU1qRWlMQ0pyWlhsZmIzQnpJanBiSW1SbGNtbDJaVXRsZVNKZExDSnJkSGtpT2lKRlF5SXNJbmdpT2lKQlNsZHhaMXBJVmxkaFZsWTFOblpSUTJoa2FqUkJNbEZKYjFGclluWllYelUzUkVScFRuQm5SVzFsTURrNFFrbGhibkEwV1hGRWNXUmZWMU56YkdGR1owOXVPVTF0ZGtOMVJWSlVSR0ZzTUhWR1dFeFVXV290SWl3aWVTSTZJa0ZEUTBNeE1qSXdYMjVpU0V4MVZGVkJWMUJJWXpFd1IyUXdXRE14U1ZsTU9EQjJWMFY1Y1ZwVWFpMXFSSGh5U1VWWVUwOU5MV2REZUdaZldIbE9kakJyTnkxV0xVaGFTakpaY0ZVMWNsWlNPV1IyTmpnNGVEQWlmVjE5TENKMWNtd2lPaUpvZEhSd09pOHZPREF1TWpJNUxqSTFNUzR5TmpvM05qVTBJbjE5TENKbGJtTWlPaUpCTWpVMlIwTk5JaXdpWlhCcklqcDdJbU55ZGlJNklsQXROVEl4SWl3aWEzUjVJam9pUlVNaUxDSjRJam9pUVdaek5rbHJXVVUwYlVSRE4yVnBWVWx1WDNCTFIxWjZZMGx5ZFVwa2NVVnZabFJOZUdsQlR5MUtOM2cwTW14dFlrNUhlRFJEVDBKQ01GRnBRelJNVTJkT016STNSbU40TmxOWFNHOWxkMEV6WXpCRWVtcE5NaUlzSW5raU9pSkJXVU4wV0Y5V1l6bFFWa3RMVDNwMlgwRlBVVTF6U1hSMlYzVlFlQzFqWDFkcGFsOXJWVVZHVjAwd1MxQTBYMU40ZW1WWE1YVmlYMlJ1Y1MxdFpUaFpSakJPYW1ocFRWbzFiVnBGVGtSeWRWRklPSEo1UkcxQkluMHNJbXRwWkNJNkltVnRkWHB4WjJsMWR6VmhPR0ZMVnpOWVpXdGtlVUozVFhSZlMyUTJOM2xwZW05amRVbDJhbkF6UzBVaWZRLi5EeGUxdUNsdkxtalViZTFoLnpZa3FnZTlQYW9pcmFFSUwxUmJYU0U3Nnh3VjUxcDdMaHZ4X2Q4el9nSkhETnYzZE1EVUp1V2d6QXNsSjlycE5HLVVjdy1idnlNTnZSU2lQZFlodzJ3LjhJMU9lSzItSXJFRU40bWhLYlVwRXciXSwicCI6IndNS0p4Umg0YXNheUpYcXd2Y2dCSHR4ZmZXdjJNUnJCSVItdFl4TF9tcU0iLCJ0IjoxfX0sImVuYyI6IkEyNTZHQ00ifQ..1mHqbL67asWyRGbE.5ParD6E7mfm9U6X6yMRbGZGMFfB-fSsN.9rNkfXjWBdxeZLiuwOVN9Q

hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix

@@ -0,0 +1,65 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "ahci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = [ "mode=0755" ];
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/DCB2-4E87";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/data" =
+    {
+      device = "/dev/disk/by-uuid/81342423-ba98-44eb-8b84-6e106d1c86c2";
+      fsType = "btrfs";
+      options = [ "subvol=data" ];
+    };
+
+  boot.initrd.luks.devices."disk0-crypt" = {
+    device = "/dev/disk/by-uuid/87fa328c-ab54-4ef0-8b9d-40c5869dbc78";
+    allowDiscards = true;
+  };
+  boot.initrd.luks.devices."disk1-crypt" = {
+    device = "/dev/disk/by-uuid/9e9ced9d-f1c5-4b4e-9974-93724a6d9112";
+    allowDiscards = true;
+  };
+
+  fileSystems."/nix" =
+    {
+      device = "/dev/disk/by-uuid/81342423-ba98-44eb-8b84-6e106d1c86c2";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/boron.cx.ts.hillion.co.uk/system

@@ -0,0 +1 @@
+x86_64-linux

hosts/li.pop.ts.hillion.co.uk/default.nix

@@ -13,6 +13,9 @@
     networking.hostName = "li";
     networking.domain = "pop.ts.hillion.co.uk";
 
+    ## Custom Services
+    custom.locations.autoServe = true;
+
     # Networking
     ## Tailscale
     age.secrets."tailscale/li.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/li.pop.ts.hillion.co.uk.age;
@@ -33,6 +36,14 @@
     ## Run a persistent iperf3 server
     services.iperf3.enable = true;
     services.iperf3.openFirewall = true;
+
+    networking.firewall.interfaces = {
+      "end0" = {
+        allowedTCPPorts = [
+          7654 # Tang
+        ];
+      };
+    };
   };
 }
 

hosts/microserver.home.ts.hillion.co.uk/default.nix

@@ -53,6 +53,7 @@
           5353 # HomeKit
         ];
         allowedTCPPorts = [
+          7654 # Tang
           21063 # HomeKit
         ];
       };

hosts/router.home.ts.hillion.co.uk/default.nix

@@ -105,14 +105,8 @@
               ip daddr 10.64.50.20 tcp dport 32400 counter accept comment "Plex"
 
               ip daddr 10.64.50.20 tcp dport 8444 counter accept comment "Chia"
-              ip daddr 10.64.50.20 tcp dport 28967 counter accept comment "zfs.tywin.storj"
-              ip daddr 10.64.50.20 udp dport 28967 counter accept comment "zfs.tywin.storj"
-              ip daddr 10.64.50.20 tcp dport 28968 counter accept comment "d0.tywin.storj"
-              ip daddr 10.64.50.20 udp dport 28968 counter accept comment "d0.tywin.storj"
-              ip daddr 10.64.50.20 tcp dport 28969 counter accept comment "d1.tywin.storj"
-              ip daddr 10.64.50.20 udp dport 28969 counter accept comment "d1.tywin.storj"
-              ip daddr 10.64.50.20 tcp dport 28970 counter accept comment "d2.tywin.storj"
-              ip daddr 10.64.50.20 udp dport 28970 counter accept comment "d2.tywin.storj"
+
+              ip daddr 10.64.50.21 tcp dport 7654 counter accept comment "Tang"
             }
           }
 
@@ -123,14 +117,8 @@
               iifname eth0 tcp dport 32400 counter dnat to 10.64.50.20
 
               iifname eth0 tcp dport 8444 counter dnat to 10.64.50.20
-              iifname eth0 tcp dport 28967 counter dnat to 10.64.50.20
-              iifname eth0 udp dport 28967 counter dnat to 10.64.50.20
-              iifname eth0 tcp dport 28968 counter dnat to 10.64.50.20
-              iifname eth0 udp dport 28968 counter dnat to 10.64.50.20
-              iifname eth0 tcp dport 28969 counter dnat to 10.64.50.20
-              iifname eth0 udp dport 28969 counter dnat to 10.64.50.20
-              iifname eth0 tcp dport 28970 counter dnat to 10.64.50.20
-              iifname eth0 udp dport 28970 counter dnat to 10.64.50.20
+
+              iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21
             }
 
             chain postrouting {
@@ -189,6 +177,12 @@
                     ip-address = "10.64.50.22";
                     hostname = "syncbox";
                   }
+                  {
+                    # microserver.home.ts.hillion.co.uk
+                    hw-address = "e4:5f:01:b4:58:95";
+                    ip-address = "10.64.50.21";
+                    hostname = "microserver";
+                  }
                 ];
               }
               {

modules/common/ssh.nix

@@ -28,6 +28,7 @@
     "ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxQpywsy+WGeaEkEL67xOBL1NIE++pcojxro5xAPO6VQe2N79388NRFMLlX6HtnebkIpVrvnqdLOs0BPMAokjaWCC4Ay7T/3ko1kXSOlqHY5Ye9jtjRK+wPHMZgzf74a3jlvxjrXJMA70rPQ3X+8UGpA04eB3JyyLTLuVvc6znMe53QiZ0x+hSz+4pYshnCO2UazJ148vV3htN6wRK+uqjNdjjQXkNJ7llNBSrvmfrLidlf0LRphEk43maSQCBcLEZgf4pxXBA7rFuZABZTz1twbnxP2ziyBaSOs7rcII+jVhF2cqJlElutBfIgRNJ3DjNiTcdhNaZzkwJ59huR0LUFQlHI+SALvPzE9ZXWVOX/SqQG+oIB8VebR52icii0aJH7jatkogwNk0121xmhpvvR7gwbJ9YjYRTpKs4lew3bq/W/OM8GF/FEuCsCuNIXRXKqIjJVAtIpuuhxPymFHeqJH3wK3f6jTJfcAz/z33Rwpow2VOdDyqrRfAW8ti73CCnRlN+VJi0V/zvYGs9CHldY3YvMr7rSd0+fdGyJHSTSRBF0vcyRVA/SqSfcIo/5o0ssYoBnQCg6gOkc3nNQ0C0/qh1ww17rw4hqBRxFJ2t3aBUMK+UHPxrELLVmG6ZUmfg9uVkOoafjRsoML6DVDB4JAk5JsmcZhybOarI9PJfEQ==";
 
     # Tailscale hosts
+    "boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtQy+FGs/2cN82X15LUGJk8iAAxkttEffwpNnpmLXdg";
     "be.lt.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm";
     "dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
     "gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";

modules/locations.nix

@@ -18,6 +18,10 @@ in
           homeassistant = "microserver.home.ts.hillion.co.uk";
           mastodon = "";
           matrix = "jorah.cx.ts.hillion.co.uk";
+          tang = [
+            "li.pop.ts.hillion.co.uk"
+            "microserver.home.ts.hillion.co.uk"
+          ];
           unifi = "jorah.cx.ts.hillion.co.uk";
         };
       };
@@ -30,6 +34,7 @@ in
     custom.services.homeassistant.enable = cfg.locations.services.homeassistant == config.networking.fqdn;
     custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
     custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
+    custom.services.tang.enable = builtins.elem config.networking.fqdn cfg.locations.services.tang;
     custom.services.unifi.enable = cfg.locations.services.unifi == config.networking.fqdn;
   };
 }

modules/resilio.nix

@@ -4,9 +4,6 @@ let
   cfg = config.custom.resilio;
 in
 {
-  imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
-  disabledModules = [ "services/networking/resilio.nix" ];
-
   options.custom.resilio = {
     enable = lib.mkEnableOption "resilio";
 

modules/services/default.nix

@@ -7,6 +7,7 @@
     ./homeassistant.nix
     ./mastodon/default.nix
     ./matrix.nix
+    ./tang.nix
     ./unifi.nix
     ./version_tracker.nix
     ./zigbee2mqtt.nix

modules/services/tang.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.custom.services.tang;
+in
+{
+  options.custom.services.tang = {
+    enable = lib.mkEnableOption "tang";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.tang = {
+      enable = true;
+      ipAddressAllow = [
+        "138.201.252.214/32"
+      ];
+    };
+  };
+}

secrets/secrets.nix

@@ -12,7 +12,10 @@ let
       co = {
         hillion = {
           ts = {
-            cx = { jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah"; };
+            cx = {
+              boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtQy+FGs/2cN82X15LUGJk8iAAxkttEffwpNnpmLXdg root@boron";
+              jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah";
+            };
             home = {
               microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
               router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
@@ -43,6 +46,7 @@ in
 
   # Tailscale Pre-Auth Keys
   "tailscale/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
+  "tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
   "tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
   "tailscale/jorah.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
   "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];