boron: move to kernel 6.8 and re-image

The extremely modern hardware on this server appears to experience
kernel crashes with the default NixOS 23.11 kernel 6.1 and the default
NixOS 24.05 kernel 6.6. Empirical testing shows the server staying up on
Ubuntu 22's 6.2 and explicit NixOS kernel 6.8.

The server was wiped during this testing so now needs reimaging.

hosts/boron.cx.ts.hillion.co.uk/README.md

@@ -0,0 +1,7 @@
+# boron.cx.ts.hillion.co.uk
+
+Additional installation step for Clevis/Tang:
+
+    $ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
+    $ sudo chown root:root /mnt/data/disk_encryption.jwe
+    $ sudo chmod 0400 /mnt/data/disk_encryption.jwe

hosts/boron.cx.ts.hillion.co.uk/clevis_config.json

@@ -0,0 +1,13 @@
+{
+  "t": 1,
+  "pins": {
+    "tang": [
+      {
+        "url": "http://80.229.251.26:7654"
+      },
+      {
+        "url": "http://185.240.111.53:7654"
+      }
+    ]
+  }
+}

hosts/boron.cx.ts.hillion.co.uk/default.nix

@@ -22,14 +22,24 @@
         enable = true;
         useTang = true;
         devices = {
-          "disk0-crypt".secretFile = ./disk_encryption.jwe;
-          "disk1-crypt".secretFile = ./disk_encryption.jwe;
+          "disk0-crypt".secretFile = "/data/disk_encryption.jwe";
+          "disk1-crypt".secretFile = "/data/disk_encryption.jwe";
         };
       };
     };
 
     custom.defaults = true;
 
+    ## Kernel
+    ### Explicitly use the latest kernel at time of writing because the LTS
+    ### kernels available in NixOS do not seem to support this server's very
+    ### modern hardware.
+    boot.kernelPackages = pkgs.linuxPackages_6_8;
+
+    ## Enable btrfs compression
+    fileSystems."/data".options = [ "compress=zstd" ];
+    fileSystems."/nix".options = [ "compress=zstd" ];
+
     ## Impermanence
     custom.impermanence.enable = true;
 

hosts/boron.cx.ts.hillion.co.uk/disk_encryption.jwe

@@ -1 +0,0 @@
-eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoic3NzIiwic3NzIjp7Imp3ZSI6WyJleUpoYkdjaU9pSkZRMFJJTFVWVElpd2lZMnhsZG1seklqcDdJbkJwYmlJNkluUmhibWNpTENKMFlXNW5JanA3SW1Ga2RpSTZleUpyWlhseklqcGJleUpoYkdjaU9pSkZRMDFTSWl3aVkzSjJJam9pVUMwMU1qRWlMQ0pyWlhsZmIzQnpJanBiSW1SbGNtbDJaVXRsZVNKZExDSnJkSGtpT2lKRlF5SXNJbmdpT2lKQlpsZzJOVEkwYkVGQ2JsRlRNakpPTkRKSmNWSjBhRkJpV1VWVWJUaHlZbEJYUkdaVlFsY3pNbU5IVkdwM2IzRlBTRmhXZG1oVExYZDNhMmxQTkVSTFNtVm5hRUZMU0ZWNU5FMTNhREpxVFZSWFNWUlZjMlp0SWl3aWVTSTZJa0ZWUWs1MlJHWnVZbEZqWVVoYVoyVjRVRmw0UjNCTFRGQmZkVkZOVUhGUVdXSk5hRVZZVVZaak4xOTJZWEUwVTFCUWRUTmlUblZWYmtoalFtUmhOV3BwU21wcVFUUnRNbmQ2WW1scWRraE9YM296YnprdFdrSWlmU3g3SW1Gc1p5STZJa1ZUTlRFeUlpd2lZM0oySWpvaVVDMDFNakVpTENKclpYbGZiM0J6SWpwYkluWmxjbWxtZVNKZExDSnJkSGtpT2lKRlF5SXNJbmdpT2lKQlRrbHdTVFY0UVZOc1JtMTZlV042YlZOeVEyZDVWSFZmY0RCZlpWSnljRko2TVc1WFpXSkdTV0Z3ZVZOb2RDMUtWWFJTUjBwWGVVeGlPWGRoVGtaRVRucHdXVE5aYmtsVVIzVnNibmxsY0VzMlZUZFFUM1poSWl3aWVTSTZJa0ZqY0hGNE0xWllVVlJxYTBwSWRUSkJkelJHU1RneE1pMXBhMnBtT1hONlIxaE5kVzk2T0dseWJXRllibWt4YkdsNlUwWkZjSFY2Y21GNE9HMUhUSEkwU1dSRFpFcGFjRjlZVTNSME1XVktkRzFTY2taT1ZrWWlmVjE5TENKMWNtd2lPaUpvZEhSd09pOHZORFV1TVRNekxqRXlOeTQ1T0RvM05qVTBJbjE5TENKbGJtTWlPaUpCTWpVMlIwTk5JaXdpWlhCcklqcDdJbU55ZGlJNklsQXROVEl4SWl3aWEzUjVJam9pUlVNaUxDSjRJam9pUVU1NlRubE5TV2QwWlhNeVJVNXFVWGxVYURWRU5EaEtZV0YwWm5nNE0zaDVhVjkxVUVsQ2JGUk1kbFYxZW05UkxXVnZhM1UyY0d0MVRqbGFaRWRETTNaTVRIRkdkMTlQVkZZd1VsSk1TV3RQVG5GSlVIbzFOU0lzSW5raU9pSkJWa1JFUzBkYWNXOWxjemhMWm5SMlJrZGxURFEyYlV0c1JrUlpia3cxY0dWTmVVVm9jak4zWWpCTU4ybEdOVzUwZVhkcmVXTlBVbEpGV2xSTVFVUk5XVU0yVFhWdE9GSmhkbVUzZGtoclpubFdlWEpxYlhOaUluMHNJbXRwWkNJNklqRnVjMDV5VkdseGVqazRRUzF1VFhSbU1UbFhRbXgxVmpKeGNrTnpPVWswYWxwMWVVZG1jSGc1U1ZVaWZRLi5wLXl4ajNMcHN3aHAyWV9RLlZ4am5vQURjSW12d29oaDViMnJtYXlKcnhXU0xad0FDbVBjMm5NSllORS1SMUtNeWpOeFpsRFdwZWZzdk5jblR6OHFkbHhraWNTYXVjaFFSWTlnbmFRLkk0UTFaekR0QV83di10djhDV3ozV1EiLCJleUpoYkdjaU9pSkZRMFJJTFVWVElpd2lZMnhsZG1seklqcDdJbkJwYmlJNkluUmhibWNpTENKMFlXNW5JanA3SW1Ga2RpSTZleUpyWlhseklqcGJleUpoYkdjaU9pSkZVelV4TWlJc0ltTnlkaUk2SWxBdE5USXhJaXdpYTJWNVgyOXdjeUk2V3lKMlpYSnBabmtpWFN3aWEzUjVJam9pUlVNaUxDSjRJam9pUVdKVVQxbFdVVGt5UjB4M1RubFZkazFqU3pRM1Z6UTJOMFZwYmpKTGVsaDZUVzFFTkVzNU1HNXRiR0owWjBsd05YZFRTRU5GUlZKU01WUktaVnBITW1SZlN6VkNibXQxY0ZkUlFrRndiVkZsVm1aak9YQklSU0lzSW5raU9pSkJVRGxQTmpCTFJYQlJSRGR2UXpsSWEzTnRUaTFmTkUwMFZWcHFTWGQ2UW5SUGRFVlBZVFZtTTBoc05sZDVSVzUwVlUxMFdERXlVM293WmpVNVlrVlRjekZJYkZSWk1VbHZURWh0V2xsZlRrUjVNRmt3ZEVWbEluMHNleUpoYkdjaU9pSkZRMDFTSWl3aVkzSjJJam9pVUMwMU1qRWlMQ0pyWlhsZmIzQnpJanBiSW1SbGNtbDJaVXRsZVNKZExDSnJkSGtpT2lKRlF5SXNJbmdpT2lKQlNsZHhaMXBJVmxkaFZsWTFOblpSUTJoa2FqUkJNbEZKYjFGclluWllYelUzUkVScFRuQm5SVzFsTURrNFFrbGhibkEwV1hGRWNXUmZWMU56YkdGR1owOXVPVTF0ZGtOMVJWSlVSR0ZzTUhWR1dFeFVXV290SWl3aWVTSTZJa0ZEUTBNeE1qSXdYMjVpU0V4MVZGVkJWMUJJWXpFd1IyUXdXRE14U1ZsTU9EQjJWMFY1Y1ZwVWFpMXFSSGh5U1VWWVUwOU5MV2REZUdaZldIbE9kakJyTnkxV0xVaGFTakpaY0ZVMWNsWlNPV1IyTmpnNGVEQWlmVjE5TENKMWNtd2lPaUpvZEhSd09pOHZPREF1TWpJNUxqSTFNUzR5TmpvM05qVTBJbjE5TENKbGJtTWlPaUpCTWpVMlIwTk5JaXdpWlhCcklqcDdJbU55ZGlJNklsQXROVEl4SWl3aWEzUjVJam9pUlVNaUxDSjRJam9pUVdaek5rbHJXVVUwYlVSRE4yVnBWVWx1WDNCTFIxWjZZMGx5ZFVwa2NVVnZabFJOZUdsQlR5MUtOM2cwTW14dFlrNUhlRFJEVDBKQ01GRnBRelJNVTJkT016STNSbU40TmxOWFNHOWxkMEV6WXpCRWVtcE5NaUlzSW5raU9pSkJXVU4wV0Y5V1l6bFFWa3RMVDNwMlgwRlBVVTF6U1hSMlYzVlFlQzFqWDFkcGFsOXJWVVZHVjAwd1MxQTBYMU40ZW1WWE1YVmlYMlJ1Y1MxdFpUaFpSakJPYW1ocFRWbzFiVnBGVGtSeWRWRklPSEo1UkcxQkluMHNJbXRwWkNJNkltVnRkWHB4WjJsMWR6VmhPR0ZMVnpOWVpXdGtlVUozVFhSZlMyUTJOM2xwZW05amRVbDJhbkF6UzBVaWZRLi5EeGUxdUNsdkxtalViZTFoLnpZa3FnZTlQYW9pcmFFSUwxUmJYU0U3Nnh3VjUxcDdMaHZ4X2Q4el9nSkhETnYzZE1EVUp1V2d6QXNsSjlycE5HLVVjdy1idnlNTnZSU2lQZFlodzJ3LjhJMU9lSzItSXJFRU40bWhLYlVwRXciXSwicCI6IndNS0p4Umg0YXNheUpYcXd2Y2dCSHR4ZmZXdjJNUnJCSVItdFl4TF9tcU0iLCJ0IjoxfX0sImVuYyI6IkEyNTZHQ00ifQ..1mHqbL67asWyRGbE.5ParD6E7mfm9U6X6yMRbGZGMFfB-fSsN.9rNkfXjWBdxeZLiuwOVN9Q

hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix

@@ -9,7 +9,7 @@
       (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "nvme" "ahci" ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
@@ -23,34 +23,34 @@
 
   fileSystems."/boot" =
     {
-      device = "/dev/disk/by-uuid/DCB2-4E87";
+      device = "/dev/disk/by-uuid/ED9C-4ABC";
       fsType = "vfat";
       options = [ "fmask=0022" "dmask=0022" ];
     };
 
   fileSystems."/data" =
     {
-      device = "/dev/disk/by-uuid/81342423-ba98-44eb-8b84-6e106d1c86c2";
+      device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
       fsType = "btrfs";
       options = [ "subvol=data" ];
     };
 
+  fileSystems."/nix" =
+    {
+      device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
   boot.initrd.luks.devices."disk0-crypt" = {
-    device = "/dev/disk/by-uuid/87fa328c-ab54-4ef0-8b9d-40c5869dbc78";
+    device = "/dev/disk/by-uuid/a68ead16-1bdc-4d26-9e55-62c2be11ceee";
     allowDiscards = true;
   };
   boot.initrd.luks.devices."disk1-crypt" = {
-    device = "/dev/disk/by-uuid/9e9ced9d-f1c5-4b4e-9974-93724a6d9112";
+    device = "/dev/disk/by-uuid/19bde205-bee4-430d-a4c1-52d635a23963";
     allowDiscards = true;
   };
 
-  fileSystems."/nix" =
-    {
-      device = "/dev/disk/by-uuid/81342423-ba98-44eb-8b84-6e106d1c86c2";
-      fsType = "btrfs";
-      options = [ "subvol=nix" ];
-    };
-
   swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@@ -58,7 +58,7 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

modules/dns.nix

@@ -39,7 +39,7 @@ in
             hillion = {
               ts = {
                 cx = {
-                  boron = "100.112.54.25";
+                  boron = "100.113.188.46";
                   jorah = "100.96.143.138";
                 };
                 home = {
@@ -64,7 +64,7 @@ in
             hillion = {
               ts = {
                 cx = {
-                  boron = "fd7a:115c:a1e0::2a01:3619";
+                  boron = "fd7a:115c:a1e0::2a01:bc2f";
                   jorah = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
                 };
                 home = {

modules/ssh/default.nix

@@ -38,7 +38,7 @@ in
       "ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxQpywsy+WGeaEkEL67xOBL1NIE++pcojxro5xAPO6VQe2N79388NRFMLlX6HtnebkIpVrvnqdLOs0BPMAokjaWCC4Ay7T/3ko1kXSOlqHY5Ye9jtjRK+wPHMZgzf74a3jlvxjrXJMA70rPQ3X+8UGpA04eB3JyyLTLuVvc6znMe53QiZ0x+hSz+4pYshnCO2UazJ148vV3htN6wRK+uqjNdjjQXkNJ7llNBSrvmfrLidlf0LRphEk43maSQCBcLEZgf4pxXBA7rFuZABZTz1twbnxP2ziyBaSOs7rcII+jVhF2cqJlElutBfIgRNJ3DjNiTcdhNaZzkwJ59huR0LUFQlHI+SALvPzE9ZXWVOX/SqQG+oIB8VebR52icii0aJH7jatkogwNk0121xmhpvvR7gwbJ9YjYRTpKs4lew3bq/W/OM8GF/FEuCsCuNIXRXKqIjJVAtIpuuhxPymFHeqJH3wK3f6jTJfcAz/z33Rwpow2VOdDyqrRfAW8ti73CCnRlN+VJi0V/zvYGs9CHldY3YvMr7rSd0+fdGyJHSTSRBF0vcyRVA/SqSfcIo/5o0ssYoBnQCg6gOkc3nNQ0C0/qh1ww17rw4hqBRxFJ2t3aBUMK+UHPxrELLVmG6ZUmfg9uVkOoafjRsoML6DVDB4JAk5JsmcZhybOarI9PJfEQ==";
 
       # Tailscale hosts
-      "boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtQy+FGs/2cN82X15LUGJk8iAAxkttEffwpNnpmLXdg";
+      "boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5";
       "be.lt.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm";
       "dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
       "gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";

secrets/secrets.nix

@@ -13,7 +13,7 @@ let
         hillion = {
           ts = {
             cx = {
-              boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtQy+FGs/2cN82X15LUGJk8iAAxkttEffwpNnpmLXdg root@boron";
+              boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5 root@boron";
               jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah";
             };
             home = {