tywin: enable clevis/tang for boot

hosts/boron.cx.ts.hillion.co.uk/README.md

@@ -2,6 +2,6 @@
 
 Additional installation step for Clevis/Tang:
 
-    $ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
+    $ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
     $ sudo chown root:root /mnt/data/disk_encryption.jwe
     $ sudo chmod 0400 /mnt/data/disk_encryption.jwe

hosts/router.home.ts.hillion.co.uk/default.nix

@@ -205,6 +205,7 @@
                   { hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
                   { hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
                   { hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
+                  { hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
                 ];
               }
               {

hosts/sodium.pop.ts.hillion.co.uk/default.nix

@@ -64,6 +64,7 @@
       interfaces = {
         eth0 = {
           allowedTCPPorts = lib.mkForce [
+            7654 # Tang
           ];
           allowedUDPPorts = lib.mkForce [
           ];

hosts/tywin.storage.ts.hillion.co.uk/README.md

@@ -0,0 +1,7 @@
+# tywin.storage.ts.hillion.co.uk
+
+Additional installation step for Clevis/Tang:
+
+    $ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
+    $ sudo chown root:root /mnt/disk_encryption.jwe
+    $ sudo chmod 0400 /mnt/disk_encryption.jwe

hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json

@@ -0,0 +1,14 @@
+{
+  "t": 1,
+  "pins": {
+    "tang": [
+      {
+        "url": "http://10.64.50.21:7654"
+      },
+      {
+        "url": "http://10.64.50.25:7654"
+      }
+    ]
+  }
+}
+

hosts/tywin.storage.ts.hillion.co.uk/default.nix

@@ -15,6 +15,20 @@
     boot.loader.systemd-boot.enable = true;
     boot.loader.efi.canTouchEfiVariables = true;
 
+    boot.kernelParams = [
+      "ip=dhcp"
+      "zfs.zfs_arc_max=25769803776"
+    ];
+    boot.initrd = {
+      availableKernelModules = [ "r8169" ];
+      network.enable = true;
+      clevis = {
+        enable = true;
+        useTang = true;
+        devices."root".secretFile = "/disk_encryption.jwe";
+      };
+    };
+
     custom.locations.autoServe = true;
     custom.defaults = true;
 
@@ -40,7 +54,6 @@
       forceImportRoot = false;
       extraPools = [ "data" ];
     };
-    boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
 
     services.btrfs.autoScrub = {
       enable = true;

modules/impermanence.nix

@@ -50,7 +50,8 @@ in
       (listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
       (listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
       (listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
-      (listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
+      (listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]) ++
+      (listIf config.services.tang.enable [ "/var/lib/private/tang" ]);
     };
 
     home-manager.users =

modules/locations.nix

@@ -28,6 +28,7 @@ in
           tang = [
             "li.pop.ts.hillion.co.uk"
             "microserver.home.ts.hillion.co.uk"
+            "sodium.pop.ts.hillion.co.uk"
           ];
           unifi = "boron.cx.ts.hillion.co.uk";
           version_tracker = [ "boron.cx.ts.hillion.co.uk" ];

modules/services/tang.nix

@@ -13,6 +13,7 @@ in
       enable = true;
       ipAddressAllow = [
         "138.201.252.214/32"
+        "10.64.50.20/32"
       ];
     };
   };