diff --git a/hosts/boron.cx.ts.hillion.co.uk/README.md b/hosts/boron.cx.ts.hillion.co.uk/README.md
new file mode 100644
index 0000000..9004d3f
--- /dev/null
+++ b/hosts/boron.cx.ts.hillion.co.uk/README.md
@@ -0,0 +1,7 @@
+# boron.cx.ts.hillion.co.uk
+
+Additional installation step for Clevis/Tang:
+
+    $ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
+    $ sudo chown root:root /mnt/data/disk_encryption.jwe
+    $ sudo chmod 0400 /mnt/data/disk_encryption.jwe
diff --git a/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json b/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json
new file mode 100644
index 0000000..05799b6
--- /dev/null
+++ b/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json
@@ -0,0 +1,13 @@
+{
+  "t": 1,
+  "pins": {
+    "tang": [
+      {
+        "url": "http://80.229.251.26:7654"
+      },
+      {
+        "url": "http://185.240.111.53:7654"
+      }
+    ]
+  }
+}
diff --git a/hosts/boron.cx.ts.hillion.co.uk/default.nix b/hosts/boron.cx.ts.hillion.co.uk/default.nix
index cad4a7f..a336a45 100644
--- a/hosts/boron.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix
@@ -22,14 +22,24 @@
       enable = true;
       useTang = true;
       devices = {
-        "disk0-crypt".secretFile = ./disk_encryption.jwe;
-        "disk1-crypt".secretFile = ./disk_encryption.jwe;
+        "disk0-crypt".secretFile = "/data/disk_encryption.jwe";
+        "disk1-crypt".secretFile = "/data/disk_encryption.jwe";
       };
     };
   };
 
   custom.defaults = true;
 
+  ## Kernel
+  ### Explicitly use the latest kernel at time of writing because the LTS
+  ### kernels available in NixOS do not seem to support this server's very
+  ### modern hardware.
+  boot.kernelPackages = pkgs.linuxPackages_6_8;
+
+  ## Enable btrfs compression
+  fileSystems."/data".options = [ "compress=zstd" ];
+  fileSystems."/nix".options = [ "compress=zstd" ];
+
   ## Impermanence
   custom.impermanence.enable = true;
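Review bot: `"t": 1` together with two Tang pins means either server on its own can recover the LUKS key, so compromise of either 80.229.251.26 or 185.240.111.53 is enough to unlock both disks; if that is a deliberate availability trade-off it deserves a sentence in the README, otherwise `"t": 2` would require both servers. Each pin also carries only a `url`, so `clevis encrypt` will fall back to an interactive trust-on-first-use prompt for the advertised signing key; adding `"thp": "<signing key thumbprint>"` to each pin makes the trust decision explicit in this file rather than something the installer answers at the prompt. Plain `http://` is expected for Tang (the exchange is designed for it), so that part is fine.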
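Review bot: `boot.kernelPackages = pkgs.linuxPackages_6_8;` pins a non-LTS series that nixpkgs removes once upstream marks it end-of-life, at which point this host stops receiving kernel security fixes until someone edits this line; `boot.kernelPackages = pkgs.linuxPackages_latest;` keeps the stated "newest kernel for very modern hardware" intent without freezing on 6.8, and the comment should be updated to say so. Separately, `secretFile = "/data/disk_encryption.jwe"` is now a runtime path rather than a store path; whether it must exist when the system is built (if the clevis module copies it into the initrd) or only at boot depends on the module's implementation, which is not visible here, so a one-line comment stating which, and that the file is produced by the steps in this host's README, would save the next reinstall. The enclosing attribute set starts before this hunk.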
diff --git a/hosts/boron.cx.ts.hillion.co.uk/disk_encryption.jwe b/hosts/boron.cx.ts.hillion.co.uk/disk_encryption.jwe
deleted file mode 100644
index b53c2e0..0000000
--- a/hosts/boron.cx.ts.hillion.co.uk/disk_encryption.jwe
+++ /dev/null
@@ -1 +0,0 @@
-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..1mHqbL67asWyRGbE.5ParD6E7mfm9U6X6yMRbGZGMFfB-fSsN.9rNkfXjWBdxeZLiuwOVN9Q
\ No newline at end of file
diff --git a/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix b/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
index fe82dc3..3d22afe 100644
--- a/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
@@ -9,7 +9,7 @@
       (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "nvme" "ahci" ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
@@ -23,34 +23,34 @@
   fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/DCB2-4E87";
+    device = "/dev/disk/by-uuid/ED9C-4ABC";
     fsType = "vfat";
     options = [ "fmask=0022" "dmask=0022" ];
   };
 
   fileSystems."/data" = {
-    device = "/dev/disk/by-uuid/81342423-ba98-44eb-8b84-6e106d1c86c2";
+    device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
     fsType = "btrfs";
     options = [ "subvol=data" ];
   };
 
-  boot.initrd.luks.devices."disk0-crypt" = {
-    device = "/dev/disk/by-uuid/87fa328c-ab54-4ef0-8b9d-40c5869dbc78";
-    allowDiscards = true;
-  };
-  boot.initrd.luks.devices."disk1-crypt" = {
-    device = "/dev/disk/by-uuid/9e9ced9d-f1c5-4b4e-9974-93724a6d9112";
-    allowDiscards = true;
-  };
-
   fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/81342423-ba98-44eb-8b84-6e106d1c86c2";
+    device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
     fsType = "btrfs";
     options = [ "subvol=nix" ];
   };
 
+  boot.initrd.luks.devices."disk0-crypt" = {
+    device = "/dev/disk/by-uuid/a68ead16-1bdc-4d26-9e55-62c2be11ceee";
+    allowDiscards = true;
+  };
+  boot.initrd.luks.devices."disk1-crypt" = {
+    device = "/dev/disk/by-uuid/19bde205-bee4-430d-a4c1-52d635a23963";
+    allowDiscards = true;
+  };
+
   swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@@ -58,7 +58,7 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/modules/dns.nix b/modules/dns.nix
index aaf8164..9a886b0 100644
--- a/modules/dns.nix
+++ b/modules/dns.nix
@@ -39,7 +39,7 @@ in
   hillion = {
     ts = {
       cx = {
-        boron = "100.112.54.25";
+        boron = "100.113.188.46";
         jorah = "100.96.143.138";
       };
       home = {
@@ -64,7 +64,7 @@ in
   hillion = {
     ts = {
       cx = {
-        boron = "fd7a:115c:a1e0::2a01:3619";
+        boron = "fd7a:115c:a1e0::2a01:bc2f";
         jorah = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
       };
       home = {
diff --git a/modules/ssh/default.nix b/modules/ssh/default.nix
index 7669a2f..96f5bda 100644
--- a/modules/ssh/default.nix
+++ b/modules/ssh/default.nix
@@ -38,7 +38,7 @@ in
       "ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa 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";
 
       # Tailscale hosts
-      "boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtQy+FGs/2cN82X15LUGJk8iAAxkttEffwpNnpmLXdg";
+      "boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5";
       "be.lt.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm";
       "dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
       "gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e005b1e..e1b4b63 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,7 +13,7 @@ let
   hillion = {
     ts = {
       cx = {
-        boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtQy+FGs/2cN82X15LUGJk8iAAxkttEffwpNnpmLXdg root@boron";
+        boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5 root@boron";
         jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah";
       };
       home = {
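Review bot: Replacing boron's age recipient key in `secrets.nix` means every `.age` file whose recipient list includes `boron` must be re-encrypted to the new `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/...` key, and this diff only shows `secrets/tailscale/boron.cx.ts.hillion.co.uk.age` being rewritten. If any other secret in the tree names boron as a recipient (not visible from this hunk) it will be undecryptable on the reinstalled host until `agenix -r` is run after this change. The old key is dropped from the list rather than kept as an extra recipient, which is the right call after a reinstall that discarded the old host key. The `let` binding this sits in starts before the hunk.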
diff --git a/secrets/tailscale/boron.cx.ts.hillion.co.uk.age b/secrets/tailscale/boron.cx.ts.hillion.co.uk.age
index ec65678..6519ae5 100644
Binary files a/secrets/tailscale/boron.cx.ts.hillion.co.uk.age and b/secrets/tailscale/boron.cx.ts.hillion.co.uk.age differ